Bug 1374242 - Groupsync doesn't work with AD LDS
Summary: Groupsync doesn't work with AD LDS
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Users & Roles
Version: 6.2.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Sanket Jagtap
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-09-08 10:08 UTC by Sean O'Keeffe
Modified: 2020-03-11 15:15 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-02-21 16:54:37 UTC
Target Upstream Version:


Attachments
AD LDS user and group (9.85 KB, image/png)
2018-01-19 10:33 UTC, Sanket Jagtap


Links
System ID: Github theforeman ldap_fluff pull 54
Private: 0
Priority: None
Status: closed
Summary: added support for AD LDS to groupsync
Last Updated: 2020-12-22 20:53:48 UTC

Description Sean O'Keeffe 2016-09-08 10:08:29 UTC
Description of problem:
The groupsync feature doesn't work with AD LDS; authentication does, though.


Version-Release number of selected component (if applicable):
ldap_fluff-0.4.3


How reproducible:
100%


Steps to Reproduce:
1. Add an AD LDS server to Satellite.
2. Set up groupsync.
3. Log in; the user will have no permissions, because they aren't part of a group.

Actual results:
No permissions.

Expected results:
User to have relevant permissions.

Additional info:

Comment 1 Sean O'Keeffe 2016-09-08 10:17:01 UTC
Fixed in https://github.com/theforeman/ldap_fluff/pull/54

Comment 9 Sanket Jagtap 2018-01-08 10:57:39 UTC
Satellite 6.3.0 snap 30

Steps:
1. Created an AD LDS instance.
2. Added the auth source in Satellite.
3. Tried to associate the external group with a user group.

I get the error:

Unable to save
Could not refresh external usergroups: LdapFluff::Generic::UnauthenticatedException - Could not bind to ActiveDirectory user foobar - The authentication source of your external user groups could not connect to LDAP with the provided credentials. Please verify the credentials are still valid.

Tried with the admin account, same issue.

Comment 10 Sean O'Keeffe 2018-01-11 13:28:05 UTC
At a customer we managed to backport this fix to 6.2.x and it worked, though we had no management of their AD server, we were just told it was AD LDS.

Sorry I can't provide any more info right now, I'm no longer on-site with that customer.

Comment 15 Sanket Jagtap 2018-01-19 10:32:51 UTC
Satellite 6.3.0 snap 32

Mhulan, Sean, thank you for looking into this.

I put some time in today and recreated the AD LDS setup.

I am now able to associate the External Group with a user group, and the users from the external user group are also able to inherit the permissions from the user group.

Comment 16 Sanket Jagtap 2018-01-19 10:33:38 UTC
Created attachment 1383261 [details]
AD LDS user and group

Comment 18 Marek Hulan 2018-01-19 13:57:14 UTC
Out of curiosity, how did you create a bindable user in LDS? What needed to be changed? Thanks!

Comment 19 Sanket Jagtap 2018-01-19 14:10:40 UTC
The missing thing was the userProxy.ldf and user.ldf files, which are to be imported when we deploy an LDS instance.
Only then can we create userProxy-type objects, which are basically objects redirected to or bound with an AD user that has the msDS-bindableObject attribute.

Comment 20 Satellite Program 2018-02-21 16:54:37 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336

