Bug 1285075 - If the "Usergroup sync" is enabled under LDAP authentication, login to Satellite server hangs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Users & Roles
Version: 6.1.4
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: Unspecified
Assignee: Daniel Lobato Garcia
QA Contact: Kedar Bidarkar
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks:
 
Reported: 2015-11-24 20:18 UTC by Leo Thomas
Modified: 2020-12-11 11:59 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-27 08:59:53 UTC
Target Upstream Version:
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:1500 0 normal SHIPPED_LIVE Red Hat Satellite 6.2 Base Libraries 2016-07-27 12:24:38 UTC

Description Leo Thomas 2015-11-24 20:18:39 UTC
Description of problem:

If the "Usergroup sync" is enabled while configuring the "Active Directory" as LDAP Server, the login to Satellite hangs.

Version-Release number of selected component (if applicable):

Satellite 6.1.4

How reproducible:

100 % reproducible. 

Steps to Reproduce:

Configure Active Directory as LDAP Server as described in 
 
https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.1/html/User_Guide/chap-Red_Hat_Satellite-User_Guide-Configuring_External_Authentication.html#sect-Red_Hat_Satellite-User_Guide-Using_Configuring_TLS_for_Secure-LDAP
and https://access.redhat.com/solutions/1498773

Actual results:

Login to Satellite hangs indefinitely.

Expected results:

Should be able to login without any issues.

Additional info:

This same issue is addressed in the following upstream bugzilla and has a fix.

http://projects.theforeman.org/issues/10340

Another similar bz#1284832

Comment 2 Bryan Kearney 2015-12-10 22:01:47 UTC
Clearing flags to make sure it gets triaged.

Comment 3 Brad Buckingham 2016-02-09 14:09:36 UTC
Created redmine issue http://projects.theforeman.org/issues/13617 from this bug

Comment 4 Bryan Kearney 2016-02-09 15:10:14 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/10340 has been closed
-------------
Vasil Mikhalenya
I have no idea how it should work, because we use only one group in AD and use it in the LDAP filter.
It seems to fail in a different way:
I've added a group and tried to add a mapping to AD; it fails with "POST /usergroups/1-admins HTTP/1.1" 500

Started PUT "/usergroups/1-admins" for 10.128.60.25 at 2015-05-01 08:26:17 +0000
2015-05-01 08:26:17 [I] Processing by UsergroupsController#update as HTML
2015-05-01 08:26:17 [I]   Parameters: {"utf8"=>"✓", "authenticity_token"=>"...............blanked.........................", "usergroup"=>{"name"=>"admins", "user_ids"=>[""], "admin"=>"1", "role_ids"=>["", "9"], "external_usergroups_attributes"=>{"0"=>{"_destroy"=>"false", "name"=>"Server Administration Team", "auth_source_id"=>"2"}, "new_external_usergroups"=>{"_destroy"=>"false", "name"=>"", "auth_source_id"=>"2"}}}, "commit"=>"Submit", "id"=>"1-admins"}
2015-05-01 08:26:17 [I] 

But it had been added, because the item and button appeared. When I click the refresh button, I get this:
LdapFluff::ActiveDirectory::MemberService::UIDNotFoundException
LdapFluff::ActiveDirectory::MemberService::UIDNotFoundException
app/models/auth_sources/auth_source_ldap.rb:114:in `users_in_group'
app/models/external_usergroup.rb:32:in `users'
app/models/external_usergroup.rb:18:in `refresh'
app/controllers/external_usergroups_controller.rb:5:in `refresh'
app/controllers/concerns/application_shared.rb:13:in `set_timezone'
app/models/concerns/foreman/thread_session.rb:32:in `clear_thread'
lib/middleware/catch_json_parse_errors.rb:9:in `call'

The same for the rake task:

[v-foreman ~]# foreman-rake ldap:refresh_usergroups
Apipie cache enabled but not present yet. Run apipie:cache rake task to speed up API calls.
Workaround for RbVmomi may not work as ComputeResource is already loaded: ComputeResource
User group Server Administration Team could not be refreshed - LDAP source LDAP-v-dc not available: LdapFluff::ActiveDirectory::MemberService::UIDNotFoundException

-------------
Mathieu Parent
Hello,

This fixes it for me: https://github.com/theforeman/ldap_fluff/pull/43
-------------
Dominic Cleal
https://github.com/theforeman/ldap_fluff/pull/44 contains a further fix I think to prevent the hang.
-------------
Mathieu Parent
The loop has been fixed in https://github.com/theforeman/ldap_fluff/pull/43 and https://github.com/theforeman/ldap_fluff/pull/44.

But this is not the end of the story. If your logins are not lowercase, your groups will be considered empty. This should be solved on the Foreman side.

Also, as performance of ActiveDirectory is very low, an option to disable recursive search would be better.

I will try to work on those, but I'm very busy currently.

-------------
Dominic Cleal
Mathieu Parent wrote:
> The loop has been fixed in https://github.com/theforeman/ldap_fluff/pull/43 and https://github.com/theforeman/ldap_fluff/pull/44.
> 
> But this is not the end of the story. If your logins are not lowercase, your groups will be considered empty. This should be solved on the Foreman side.

You're in luck, Daniel has just been fixing this.  I think #11428 and #11407 should fix case insensitivity for both groups and logins.
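
The two failure modes raised in the upstream discussion above (a recursive group lookup that does not terminate, and groups that look empty when logins are not lowercase), shown on a constructed in-memory directory. This is an added example, not code from ldap_fluff or Foreman; the directory contents, the circular nesting used to trigger the loop, and the names `resolve_group_users`, `login_of`, `member?` and `max_depth` are assumptions for illustration.

```ruby
require 'set'

# Constructed sample directory (not real data): group DN => member DNs.
# "admins" and "ops" contain each other, so a naive recursive walk never ends.
GROUPS = {
  'cn=admins,dc=example,dc=com' => ['cn=ops,dc=example,dc=com', 'cn=ALICE,dc=example,dc=com'],
  'cn=ops,dc=example,dc=com'    => ['cn=admins,dc=example,dc=com', 'cn=Bob,dc=example,dc=com']
}.freeze

# Hypothetical helper: take the value of the first RDN as the login.
# Naive split; does not handle escaped commas in DNs.
def login_of(dn)
  dn.split(',').first.split('=', 2).last
end

# Walk nested groups breadth-first.
# - `seen` guarantees termination even when groups nest in a cycle.
# - `max_depth: 0` returns direct members only (recursive search disabled).
# - Logins and DNs are downcased so comparison is case-insensitive.
def resolve_group_users(group_dn, directory: GROUPS, max_depth: nil)
  seen  = Set.new
  users = Set.new
  queue = [[group_dn.downcase, 0]]
  until queue.empty?
    dn, depth = queue.shift
    next unless seen.add?(dn) # add? returns nil when dn was already visited
    directory.fetch(dn, []).each do |member|
      key = member.downcase
      if directory.key?(key) # member is itself a group
        queue << [key, depth + 1] if max_depth.nil? || depth < max_depth
      else
        users << login_of(member).downcase
      end
    end
  end
  users
end

# Membership test that does not depend on how the login was typed or stored.
def member?(login, group_dn, **opts)
  resolve_group_users(group_dn, **opts).include?(login.downcase)
end
```
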

Comment 6 Stephen Clayton 2016-03-09 22:08:53 UTC
I am also seeing this behavior on Satellite 6.1.7. Active Directory is the server type for the Auth Source.

Comment 8 Kedar Bidarkar 2016-04-05 22:01:57 UTC
VERIFIED with sat62-snap6.1


Made sure that "Usergroup Sync" option is enabled under LDAP authentication.

LDAP user was able to access Satellite6 machine and the Sat6 Server didn't hang.

Comment 12 errata-xmlrpc 2016-07-27 08:59:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1500

