This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 1293538 - [RFE] Netgroup LDAP Authentication with Satellite 6.
[RFE] Netgroup LDAP Authentication with Satellite 6.
Status: ON_QA
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Users & Roles (Show other bugs)
Unspecified Unspecified
high Severity high (vote)
: GA
: --
Assigned To: Tomas Strachota
Katello QA List
: FutureFeature, PrioBumpField, PrioBumpPM, Triaged
Depends On:
Blocks: 1353215 1479962 1492835
  Show dependency treegraph
Reported: 2015-12-22 00:22 EST by Ashfaqur Rahaman
Modified: 2017-09-22 11:13 EDT (History)
15 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Foreman Issue Tracker 16112 None None None 2016-08-15 10:33 EDT

  None (edit)
Description Ashfaqur Rahaman 2015-12-22 00:22:20 EST
>> Description of problem:

Netgroup LDAP Authentication with Satellite 6.

Version-Release number of selected component (if applicable):

>> How reproducible:

A RHEL 7.1 installation with Satellite 6.1.1 configured to use external LDAP authentication (created using hammer)

# hammer auth-source ldap create --name LDAP1 --host --server-type posix --tls yes --port 636 \
--base-dn ou=People,ou=example,o=org,c=au --groups-base ou=netgroup,ou=example,o=org,c=au --attr-login uid

The User Group can then be created and an External Group linked to it (also using hammer)...

# hammer user-group create --name Test 
# hammer user-group external create --auth-source-id 3 --name test-netgroup --user-group Test

>> Actual results:

This returns a "500 Internal Server Error" - but checking in the Web UI the external group is displayed as linked correctly.
Trying to then refresh the display to show the users in the LDAP netgroup does nothing - no users are found within the group.
(Creating the user group and external linking via the Web UI returns NO errors - only via hammer do we get a clue something is wrong)

In the foreman production.log we see the 500 error:

2015-12-09 09:30:19 [I] Processing by Api::V2::ExternalUsergroupsController#create as JSON
2015-12-09 09:30:19 [I]    Parameters: {"external_usergroup"=>{"name"=>"test-netgroup", "auth_source_id"=>"3"}, "apiv"=>"2", "usergroup-id"=>"5"}
2015-12-09 09:30:20 [W] Creating scope :completer_scope. Overwriting existing method Organization.completer_scope.
2015-12-09 09:30:20 [I] Authorized user ggatward(Geoff Gatward)
2015-12-09 09:30:20 [I]   Rendered api/v2/external_usergroups/create.json.rabl (2.3ms)
2015-12-09 09:30:20 [E] Group does not have any members (RuntimeError)
/opt/rh/ruby193/root/usr/share/gems/gems/ldap_fluff-0.3.2/lib/ldap_fluff/generic.rb:47:in 'users_for_gid'
/opt/rh/ruby193/root/usr/share/gems/gems/ldap_fluff-0.3.2/lib/ldap_fluff/ldap_fluff.rb:35:in 'user_list'
/usr/share/foreman/app/models/auth_sources/auth_source_ldap.rb:107:in 'users_in_group'
/usr/share/foreman/app/models/external_usergroup.rb:33:in 'users'
2015-12-09 09:30:20 [I] Completed 500 Internal Server Error in 441ms
2015-12-09 09:30:20 [F]

If we do the same setup but use a posix group from LDAP instead, everything works as expected (no 500 error and users are resolved)

>> Expected results:

everything works as expected (no 500 error)

Additional info:
Comment 2 Bryan Kearney 2016-07-26 11:25:24 EDT
Moving 6.2 bugs out to sat-backlog.
Comment 3 Bryan Kearney 2016-07-26 11:37:34 EDT
Moving 6.2 bugs out to sat-backlog.
Comment 5 Marek Hulan 2016-08-15 10:30:57 EDT
Netgroup grouping is alternative to posix usergroups. It works differently, they are to be found at ou=Netgroup,dc=example,dc=com tree with cn as their name. For association with user, attribute nisNetgroupTriple is defined in this object. Attribute is defined multiple times for each user in a given netgroup. The structure is triple ($server, $user, $domain).

While users can set group base DN today, we hardcode "memberuid" that we use for searching posix groups. We could make this also configurable per LDAP auth source and let ldap_fluff search in this triple.

I'm cancelling the need info as it's not clear what was asked.
Comment 6 Marek Hulan 2016-08-15 10:33:03 EDT
Created redmine issue from this bug
Comment 7 Bryan Kearney 2016-10-18 12:18:43 EDT
Upstream bug assigned to
Comment 10 Ashfaqur Rahaman 2017-02-14 01:38:48 EST

Any update on this bug ?
Comment 24 2017-07-19 08:15:40 EDT
Moving this bug to POST for triage into Satellite 6 since the upstream issue has been resolved.

Note You need to log in before you can comment on or make changes to this bug.