Bug 1406295

Summary: [RFE] Users created via external delegation API don't get usergroups on first login
Product: Red Hat Satellite
Reporter: Daniel Lobato Garcia <dlobatog>
Component: Users & Roles
Assignee: Daniel Lobato Garcia <dlobatog>
Status: CLOSED WONTFIX
QA Contact: Katello QA List <katello-qa-list>
Severity: medium
Docs Contact:
Priority: medium
Version: 6.2.4
CC: bkearney, dhlavacd, jcallaha, mhulan, mjahangi, wpinheir
Target Milestone: Unspecified
Keywords: FutureFeature
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
URL: http://projects.theforeman.org/issues/17794
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-09-04 19:13:38 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Daniel Lobato Garcia 2016-12-20 08:39:34 UTC
Description of problem:

Customer has a user who logs in via external delegation (REMOTE_USER). This user is created automatically upon login. The user is not authenticated using regular Satellite LDAP authentication sources, but through the 'authorized login delegation' setting.

When the user is created in this manner, it will not get its usergroups until the next time the cron job runs, or unless the admin clicks on refresh external user groups.

Version-Release number of selected component (if applicable): 6.2.4, but it shows up in nightly and upstream even.


How reproducible: Always


Steps to Reproduce:
1. Set up some external user groups linked to Satellite user groups
2. Log in via external delegation (krb5 ticket, for example)
3. Notice how the users, even if they are in the external user groups, do not get updated.

Expected results:
The user groups should be updated when the user logs in for all Authentication sources where "Usergroup sync" is checked.

Comment 1 Daniel Lobato Garcia 2016-12-20 08:40:49 UTC
Created redmine issue http://projects.theforeman.org/issues/17794 from this bug

Comment 3 Daniel Lobato Garcia 2016-12-20 10:42:05 UTC
*** Bug 1406106 has been marked as a duplicate of this bug. ***

Comment 4 Marek Hulan 2017-11-13 07:32:30 UTC
After a discussion in https://github.com/theforeman/foreman/pull/4119 we came to the conclusion that this is not a bug. External auth source authentication and LDAP auth source can't be combined. The original idea was to load additional information from all existing LDAP sources, but while it could solve the problem for this user environment, it would have negative security implications on others. The httpd should be configured per Satellite documentation; the installer does it.

I think we have two options here. Either keep it open as an RFE that would introduce a new link between external auth source and LDAP auth source, meaning this LDAP is the identity provider for external auth. Or we'll close this as not a bug and requires proper Satellite configuration. I lean towards the first one, but it's blocked by BZ 1448179 and BZ 1336236 and a not yet existing BZ that will cover the same for UI. They are being worked on.

Turning into RFE for now.

Comment 6 Bryan Kearney 2017-11-13 13:53:50 UTC
Done.

Comment 7 Bryan Kearney 2018-09-04 19:01:14 UTC
Thank you for your interest in Satellite 6. We have evaluated this request, and we do not expect this to be implemented in the product in the foreseeable future. We are therefore closing this out as WONTFIX. If you have any concerns about this, please feel free to contact Rich Jerrido or Bryan Kearney. Thank you.

Comment 8 Bryan Kearney 2018-09-04 19:13:38 UTC
Thank you for your interest in Satellite 6. We have evaluated this request, and we do not expect this to be implemented in the product in the foreseeable future. We are therefore closing this out as WONTFIX. If you have any concerns about this, please feel free to contact Rich Jerrido or Bryan Kearney. Thank you.