Bug 1387824 - LDAP user groups - role is not assigned automatically
Status: CLOSED DUPLICATE of bug 1493703
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Users & Roles
Version: 6.2.2
Hardware: Unspecified
OS: Unspecified
medium
medium vote
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Katello QA List
Reported: 2016-10-22 07:18 UTC by Michal Dekan
Modified: 2021-12-10 14:46 UTC (History)
Last Closed: 2017-11-22 12:36:36 UTC

Description Michal Dekan 2016-10-22 07:18:11 UTC
Description of problem:

Customer has added two LDAP Sources.  One AD and LDAP.
Then the users from AD can log in and they have an external group taken from LDAP which assigns the roles.

Now they have updated to 6.2.2 but still have issues with the LDAP groups connection.

Here is more information and a test case

1. Create a new LDAP Authentication
    Server Type: Active Directory
    Enable -> Automatically create accounts in Satellite : True

2. Create a new LDAP Authentication
    Server Type: POSIX
    Enable -> Usergroup sync

3. Create a new User group
    Connect it to a group in the LDAP directory (Created in #2)
    Enable role -> Admin

4. Log in as an AD user
    This works and the user is created but the user has not got the role Admin

Now do either one of these actions
5.a Login as an administrator
    Go to "User Groups"
    Click the name of your external group
    See that the new user is in the group (On the left side)
    Do nothing, just click "submit"

Or
5.b Run cron job found in /etc/cron.d/foreman
    # Refreshes ldap usergroups. Can be disabled if you're not using LDAP authentication.
    */30 * * * *    foreman    /usr/sbin/foreman-rake ldap:refresh_usergroups >>/var/log/foreman/cron.log 2>&1


6. Now the user group is updated and the user is admin (user needs to log out/in again)

Version-Release number of selected component (if applicable):

Satellite 6.2.2

How reproducible:

Described above.

Actual results:

User role from LDAP is not assigned unless user logs out/in to the webui.

Expected results:

User role assigned automatically without logging out and logging in.

Comment 4 Michal Dekan 2016-11-21 08:51:04 UTC
Correction:

Actual results:
User role from LDAP is not assigned unless user logs out/in to the webui.

That is not correct.

Step 5.a has to be performed or wait for 5.b until the user gets the role in the LDAP group.

Comment 8 Daniel Lobato Garcia 2017-11-22 12:36:36 UTC
This is a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1493703 . 

The underlying reason is most likely that when using POSIX LDAP, your auth source needs to provide memberUID for each of the groups. 

Foreman makes 2 types of queries, "users in group X", "groups for user Y". You can find a more detailed explanation in this comment:

https://bugzilla.redhat.com/show_bug.cgi?id=1493703#c4

*** This bug has been marked as a duplicate of bug 1493703 ***
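
Comment 8 points at POSIX groups that do not provide memberUid. The following is an added example, not part of the bug report or of Foreman's code: it audits an LDIF export of group entries by evaluating both query directions named in that comment and listing groups that carry no memberUid. The sample LDIF, the group and user names, and the function names are constructed for illustration.

```python
import base64

# Constructed sample data (not from the bug report): one posixGroup that
# lists members by memberUid, one groupOfNames that lists them only by DN.
SAMPLE_LDIF = """\
dn: cn=sat-admins,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: sat-admins
memberUid: alice
memberUid: bob

dn: cn=sat-viewers,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: sat-viewers
member: uid=alice,ou=people,dc=example,dc=com
"""

def parse_ldif(text):
    """Parse LDIF group entries into dicts of lower-cased attr -> [values]."""
    entries = []
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # join folded lines
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if "dn" in entry and "cn" in entry:
            entries.append(entry)
    return entries

def users_in_group(entries, group_cn):
    """'Users in group X': the memberUid values on the group's own entry."""
    return sorted(u for e in entries if group_cn in e["cn"] for u in e.get("memberuid", []))

def groups_for_user(entries, uid):
    """'Groups for user Y': what the filter (memberUid=<uid>) would match."""
    return sorted(e["cn"][0] for e in entries if uid in e.get("memberuid", []))

def groups_without_memberuid(entries):
    """Groups a memberUid-based lookup cannot resolve in either direction."""
    return sorted(e["cn"][0] for e in entries if not e.get("memberuid"))

if __name__ == "__main__":
    groups = parse_ldif(SAMPLE_LDIF)
    print("users in sat-admins:", users_in_group(groups, "sat-admins"))
    print("groups for alice:   ", groups_for_user(groups, "alice"))
    print("missing memberUid:  ", groups_without_memberuid(groups))
```

In the sample, alice is a member of both groups in the directory, but only sat-admins is found for her because sat-viewers lists her by DN rather than by memberUid.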

