Bug 1388732 - User permissions don't get assigned via external group mapping with IPA Integration
Status: CLOSED NOTABUG
Product: Red Hat Satellite
Classification: Red Hat
Component: Users & Roles
Version: 6.2.2
Assignee: satellite6-bugs
QA Contact: Katello QA List
Reported: 2016-10-26 03:49 UTC by Alexey Masolov
Modified: 2020-01-17 16:05 UTC (History)
Last Closed: 2016-11-28 08:24:30 UTC

Description Alexey Masolov 2016-10-26 03:49:08 UTC
Description of problem:
Integration with IPA is configured per https://access.redhat.com/documentation/en/red-hat-satellite/6.2/paged/server-administration-guide/92-using-identity-management
If you log in to Satellite with an external user, the user gets created but permissions from the mapped external group are not applied.

Version-Release number of selected component (if applicable):
Satellite 6.2.2

How reproducible:
100%

Steps to Reproduce:
1. Integrate IPA as in https://access.redhat.com/documentation/en/red-hat-satellite/6.2/paged/server-administration-guide/92-using-identity-management
2. Create a user in IPA, create a group in IPA, create a group in Satellite, check Admin in the Roles tab, link the external IPA group to the Satellite group
3. Log in to Satellite with the external user

Actual results:
1. User will be created but won't be assigned to the organization
2. Admin permissions won't be granted, so the user can't access any functionality on login.


Expected results:
1. The user is assigned to the current organization
2. Group role permissions are assigned to the user

Additional info:

Comment 2 Alexey Masolov 2016-11-06 23:33:48 UTC
Apparently customers are having a similar problem with Active Directory via the External LDAP provider as well.

Comment 3 Marek Hulan 2016-11-07 08:08:31 UTC
Alexey, could you please describe the issue in more detail? The mapping between an external user group and an internal user group is not related to organizations in any way in 6.2. It only means that if a user is in an external user group, he will be associated with all internal user groups according to the linked external groups. If you add some permissions to these internal groups, the user will automatically be granted these permissions based on the external group associations. BZ 1104822 covers automatic organization assignment.

If the issue is that the user is not associated with internal user groups even if there's an association between the internal group and the external group and the user belongs to that external group according to LDAP, please enable debug log level, run "foreman-rake ldap:refresh_usergroups" manually and upload the output as well as the foreman-debug output. Thank you.

Comment 4 Alexey Masolov 2016-11-09 01:16:20 UTC
Marek,

Thanks for pointing out the BZ that covers the problem with automatic organisation assignment.

I'm not able to reproduce the bug in 6.2.3 so I guess we can close this one as resolved.

Comment 5 Marek Hulan 2016-11-09 08:27:18 UTC
Thanks for letting me know. Could you make sure that if customers upgrade to 6.2.3, it resolves the issue for them too? Then we can close. Otherwise please ask for the logs I mentioned in comment 3.

Comment 6 Alexey Masolov 2016-11-28 00:21:09 UTC
Confirmed that it's gone with Sat 6.2.4.

