Bug 1406295 - [RFE] Users created via external delegation API don't get usergroups on first login
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Users & Roles
Version: 6.2.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: Unspecified
Assignee: Daniel Lobato Garcia
QA Contact: Katello QA List
URL: http://projects.theforeman.org/issues...
Whiteboard:
Duplicates: 1406106
Depends On:
Blocks:
Reported: 2016-12-20 08:39 UTC by Daniel Lobato Garcia
Modified: 2020-01-17 16:22 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-09-04 19:13:38 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Foreman Issue Tracker | 17794 | 0 | Normal | New | Users created via external delegation API don't get usergroups on first login | 2020-09-29 15:34:49 UTC

Description Daniel Lobato Garcia 2016-12-20 08:39:34 UTC
Description of problem:

Customer has a user who logs in via external delegation (REMOTE_USER). This user is created automatically upon login. The user is not authenticated using regular Satellite LDAP authentication sources, but through the 'authorized login delegation' setting.

When the user is created in this manner, it will not get its usergroups until the next time the cron job runs, or unless the admin clicks on refresh external user groups.

Version-Release number of selected component (if applicable): 6.2.4, but it shows up in nightly and upstream even.


How reproducible: Always


Steps to Reproduce:
1. Set up some external user groups linked to Satellite user groups
2. Log in via external delegation (krb5 ticket, for example)
3. Notice how the users, even if they are in the external user groups, do not get updated.

Expected results:
The user groups should be updated when the user logs in for all Authentication sources where "Usergroup sync" is checked.

Comment 1 Daniel Lobato Garcia 2016-12-20 08:40:49 UTC
Created redmine issue http://projects.theforeman.org/issues/17794 from this bug

Comment 3 Daniel Lobato Garcia 2016-12-20 10:42:05 UTC
*** Bug 1406106 has been marked as a duplicate of this bug. ***

Comment 4 Marek Hulan 2017-11-13 07:32:30 UTC
After a discussion in https://github.com/theforeman/foreman/pull/4119 we came to the conclusion that this is not a bug. External auth source authentication and LDAP auth source can't be combined. The original idea was to load additional information from all existing LDAP sources, but while it could solve the problem for this user's environment, it would have negative security implications on others. The httpd should be configured per Satellite documentation; the installer does it.

I think we have two options here. Either keep it open as an RFE that would introduce a new link between the external auth source and the LDAP auth source, meaning this LDAP is the identity provider for external auth. Or we'll close this as not a bug, as it requires proper Satellite configuration. I lean towards the first one, but it's blocked by BZ 1448179 and BZ 1336236 and a not yet existing BZ that will cover the same for UI. They are being worked on.

Turning into RFE for now.

Comment 6 Bryan Kearney 2017-11-13 13:53:50 UTC
Done.

Comment 7 Bryan Kearney 2018-09-04 19:01:14 UTC
Thank you for your interest in Satellite 6. We have evaluated this request, and we do not expect this to be implemented in the product in the foreseeable future. We are therefore closing this out as WONTFIX. If you have any concerns about this, please feel free to contact Rich Jerrido or Bryan Kearney. Thank you.

Comment 8 Bryan Kearney 2018-09-04 19:13:38 UTC
Thank you for your interest in Satellite 6. We have evaluated this request, and we do not expect this to be implemented in the product in the foreseeable future. We are therefore closing this out as WONTFIX. If you have any concerns about this, please feel free to contact Rich Jerrido or Bryan Kearney. Thank you.

