Bug 1455822 - [BUG] Cannot register system or query Satellite 6 api using the IDM/IPA user
Status: NEW
Alias: None
Product: Red Hat Satellite 6
Classification: Red Hat
Component: LDAP
Version: 6.2.8
Hardware: Unspecified
OS: Unspecified
high with 1 vote
Target Milestone: Unspecified
Assignee: Daniel Lobato Garcia
QA Contact: Omkar Khatavkar
Depends On:
Reported: 2017-05-26 08:31 UTC by vivpatil
Modified: 2020-05-16 01:25 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:
Target Upstream Version:


System | ID | Priority | Status | Summary | Last Updated
Foreman Issue Tracker | 21765 | Normal | New | Add support for FreeIPA external authentication source to the API | 2020-06-02 07:16:52 UTC
Red Hat Bugzilla | 1266407 | high | NEW | IPA (external users) not able to authenticate using hammer CLI: invalid user / SSO failed | 2019-12-09 14:03:45 UTC
Red Hat Bugzilla | 1462635 | None | None | None | 2019-12-09 14:03:45 UTC

Internal Links: 1266407 1462635

Description vivpatil 2017-05-26 08:31:38 UTC
Description of problem:

When Satellite is integrated for external authentication with IPA using the below guide.


The IPA/IDM users are able to log in to the Satellite Web UI, but they cannot register the client using subscription-manager and are not able to query the Satellite API.

Version-Release number of selected component (if applicable):
Satellite 6.2.8

How reproducible:
Every time

Steps to Reproduce:
1. Configure Satellite for external authentication with IPA using the below guide


2. Try to register one of the systems using the IPA user, or try to call the Satellite API using the curl command.

Actual results:
The IPA users are not able to register the client host to Satellite 6 or to use the API.

Expected results:

The IPA users should be able to register to Satellite 6 using subscription-manager and call the API too.

Additional info:
[A] We see the below error while registering. 
On the client
Registering to: satellite.example.com:443/rhsm
Username: <username>
Unauthorized: Invalid credentials for request.

In Satellite 6 foreman/production.log file
2017-05-26 04:23:07 [app] [I] Started GET "/rhsm/users/<user>/owners" for at 2017-05-26 04:23:07 -0400
2017-05-26 04:23:07 [app] [I] Processing by Katello::Api::Rhsm::CandlepinProxiesController#list_owners as JSON
2017-05-26 04:23:07 [app] [I]   Parameters: {"login"=>"<user>"}
2017-05-26 04:23:07 [katello/cp_proxy] [W] SSO failed
2017-05-26 04:23:07 [app] [I]   Rendered api/v2/errors/unauthorized.json.rabl within api/v2/layouts/error_layout (0.5ms)
2017-05-26 04:23:07 [app] [I] Filter chain halted as :authorize rendered or redirected
2017-05-26 04:23:07 [app] [I] Completed 401 Unauthorized in 7ms (Views: 1.2ms | ActiveRecord: 0.6ms)

[B] Invoking api using curl
# curl -k -u <username>:'<password>' https://sat.example.com/api/hosts

Errors in production log
2017-05-26 04:29:09 [app] [I] Started GET "/api/hosts" for at 2017-05-26 04:29:09 -0400
2017-05-26 04:29:09 [app] [I] Processing by Api::V2::HostsController#index as JSON
2017-05-26 04:29:09 [app] [I]   Parameters: {"apiv"=>"v2"}
2017-05-26 04:29:09 [app] [W] SSO failed
2017-05-26 04:29:09 [app] [I]   Rendered api/v2/errors/unauthorized.json.rabl within api/v2/layouts/error_layout (0.4ms)
2017-05-26 04:29:09 [app] [I] Filter chain halted as :authorize rendered or redirected
2017-05-26 04:29:09 [app] [I] Completed 401 Unauthorized in 4ms (Views: 1.0ms | ActiveRecord: 0.5ms)
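
Added example, not part of the original report and not Satellite or Foreman code: a triage script that groups production.log lines like those above into requests and reports each one where an "SSO failed" warning was followed by a 401, along with the logger that rejected it. It assumes the lines of one request are contiguous, as in the excerpts; the function and field names are hypothetical.

```python
import re

# First eight lines are from the report (client address redacted there); last three are constructed.
SAMPLE_LOG = """\
2017-05-26 04:23:07 [app] [I] Started GET "/rhsm/users/<user>/owners" for at 2017-05-26 04:23:07 -0400
2017-05-26 04:23:07 [app] [I] Processing by Katello::Api::Rhsm::CandlepinProxiesController#list_owners as JSON
2017-05-26 04:23:07 [katello/cp_proxy] [W] SSO failed
2017-05-26 04:23:07 [app] [I] Completed 401 Unauthorized in 7ms (Views: 1.2ms | ActiveRecord: 0.6ms)
2017-05-26 04:29:09 [app] [I] Started GET "/api/hosts" for at 2017-05-26 04:29:09 -0400
2017-05-26 04:29:09 [app] [I] Processing by Api::V2::HostsController#index as JSON
2017-05-26 04:29:09 [app] [W] SSO failed
2017-05-26 04:29:09 [app] [I] Completed 401 Unauthorized in 4ms (Views: 1.0ms | ActiveRecord: 0.5ms)
2017-05-26 04:30:00 [app] [I] Started GET "/api/status" for 192.0.2.10 at 2017-05-26 04:30:00 -0400
2017-05-26 04:30:00 [app] [I] Processing by Api::V2::HomeController#status as JSON
2017-05-26 04:30:00 [app] [I] Completed 200 OK in 5ms (Views: 1.0ms | ActiveRecord: 0.5ms)
"""

LINE = re.compile(r'^(\S+ \S+) \[([^\]]+)\] \[(\w)\] (.*)$')
STARTED = re.compile(r'^Started (\w+) "([^"]+)" for\s*(\S*?)\s*at ')  # address may be missing
PROCESSING = re.compile(r'^Processing by (\S+) as ')
COMPLETED = re.compile(r'^Completed (\d{3}) ')

def find_sso_failures(text):
    """Return one record per request that logged 'SSO failed' and ended in 401."""
    hits, current = [], None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, logger, level, msg = m.groups()
        msg = msg.strip()
        if (s := STARTED.match(msg)):
            current = {"time": stamp, "method": s[1], "path": s[2],
                       "client": s[3] or None, "controller": None, "sso_failed_in": None}
        elif current is None:
            continue  # line seen before any request start
        elif (p := PROCESSING.match(msg)):
            current["controller"] = p[1]
        elif level == "W" and msg == "SSO failed":
            current["sso_failed_in"] = logger  # which logger reported the failure
        elif (c := COMPLETED.match(msg)):
            if c[1] == "401" and current["sso_failed_in"]:
                hits.append(current)
            current = None
    return hits

if __name__ == "__main__":
    for h in find_sso_failures(SAMPLE_LOG):
        print(h["time"], h["method"], h["path"], "rejected by", h["sso_failed_in"])
```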

Comment 10 Tomer Brisker 2017-11-26 12:45:43 UTC
Connecting redmine issue http://projects.theforeman.org/issues/21765 from this bug

Comment 11 Matt Hyclak 2018-03-02 21:05:39 UTC
Any movement on this? It is making the foreman-maintain upgrade process from 6.2 to 6.3 impossible as well, as that expects hammer to work - which is not the case with External Auth enabled.

Comment 12 Bryan Kearney 2018-11-30 15:00:49 UTC
The Satellite Team is attempting to provide an accurate backlog of bugzilla requests which we feel will be resolved in the next few releases. We do not believe this bugzilla will meet that criteria, and have plans to close it out in 1 month. This is not a reflection on the validity of the request, but a reflection of the many priorities for the product. If you have any concerns about this, feel free to contact Rich Jerrido or Bryan Kearney or your account team. If we do not hear from you, we will close this bug out. Thank you.

Comment 14 Bryan Kearney 2018-12-04 17:52:46 UTC
This is related to https://bugzilla.redhat.com/show_bug.cgi?id=1462635, and we will therefore keep it.
