Description of problem:

When Satellite is integrated for external authentication with IPA using the guide below:

https://access.redhat.com/documentation/en-us/red_hat_satellite/6.2/html-single/server_administration_guide/#sect-Red_Hat_Satellite-Server_Administration_Guide-Configuring_External_Authentication-Integrate_IdM_with_Satellite

The IPA/IDM users are able to log in to the Satellite Web UI, but they cannot register a client using subscription-manager and are not able to query the Satellite API.

Version-Release number of selected component (if applicable):

Satellite 6.2.8

How reproducible:

Every time

Steps to Reproduce:

1. Configure Satellite for external authentication with IPA using the guide below:
   https://access.redhat.com/documentation/en-us/red_hat_satellite/6.2/html-single/server_administration_guide/#sect-Red_Hat_Satellite-Server_Administration_Guide-Configuring_External_Authentication-Integrate_IdM_with_Satellite
2. Try to register one of the systems using the IPA user, or try to call the Satellite API using the curl command.

Actual results:

The IPA users are not able to register the client host to Satellite 6 or use the API.

Expected results:

The IPA users should be able to register to Satellite 6 using subscription-manager and call the API too.

Additional info:

[A] We see the below error while registering.

On the client
====
Registering to: satellite.example.com:443/rhsm
Username: <username>
Password:
Unauthorized: Invalid credentials for request.
====

In Satellite 6 foreman/production.log file
====
2017-05-26 04:23:07 [app] [I] Started GET "/rhsm/users/<user>/owners" for 192.168.124.100 at 2017-05-26 04:23:07 -0400
2017-05-26 04:23:07 [app] [I] Processing by Katello::Api::Rhsm::CandlepinProxiesController#list_owners as JSON
2017-05-26 04:23:07 [app] [I] Parameters: {"login"=>"<user>"}
2017-05-26 04:23:07 [katello/cp_proxy] [W] SSO failed
2017-05-26 04:23:07 [app] [I] Rendered api/v2/errors/unauthorized.json.rabl within api/v2/layouts/error_layout (0.5ms)
2017-05-26 04:23:07 [app] [I] Filter chain halted as :authorize rendered or redirected
2017-05-26 04:23:07 [app] [I] Completed 401 Unauthorized in 7ms (Views: 1.2ms | ActiveRecord: 0.6ms)
====

[B] Invoking API using curl
====
# curl -k -u <username>:'<password>' https://sat.example.com/api/hosts
====

Errors in production log
====
2017-05-26 04:29:09 [app] [I] Started GET "/api/hosts" for 192.168.124.100 at 2017-05-26 04:29:09 -0400
2017-05-26 04:29:09 [app] [I] Processing by Api::V2::HostsController#index as JSON
2017-05-26 04:29:09 [app] [I] Parameters: {"apiv"=>"v2"}
2017-05-26 04:29:09 [app] [W] SSO failed
2017-05-26 04:29:09 [app] [I] Rendered api/v2/errors/unauthorized.json.rabl within api/v2/layouts/error_layout (0.4ms)
2017-05-26 04:29:09 [app] [I] Filter chain halted as :authorize rendered or redirected
2017-05-26 04:29:09 [app] [I] Completed 401 Unauthorized in 4ms (Views: 1.0ms | ActiveRecord: 0.5ms)
====
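To see which requests in a foreman/production.log end the way the two excerpts in the report do, the following added example (not part of the original report and not Satellite code) groups log lines by request and returns those where an "SSO failed" warning is followed by a 401. It assumes the line format shown in the report and that requests are not interleaved; the function name and the third, successful request are constructed for illustration.

```python
import re

# Lines copied from the report's production.log excerpts (placeholders are the report's own).
REPORT_LOG = '''\
2017-05-26 04:23:07 [app] [I] Started GET "/rhsm/users/<user>/owners" for 192.168.124.100 at 2017-05-26 04:23:07 -0400
2017-05-26 04:23:07 [app] [I] Processing by Katello::Api::Rhsm::CandlepinProxiesController#list_owners as JSON
2017-05-26 04:23:07 [katello/cp_proxy] [W] SSO failed
2017-05-26 04:23:07 [app] [I] Completed 401 Unauthorized in 7ms (Views: 1.2ms | ActiveRecord: 0.6ms)
2017-05-26 04:29:09 [app] [I] Started GET "/api/hosts" for 192.168.124.100 at 2017-05-26 04:29:09 -0400
2017-05-26 04:29:09 [app] [I] Processing by Api::V2::HostsController#index as JSON
2017-05-26 04:29:09 [app] [W] SSO failed
2017-05-26 04:29:09 [app] [I] Completed 401 Unauthorized in 4ms (Views: 1.0ms | ActiveRecord: 0.5ms)
'''
# Constructed successful request (not from the report), used as the negative case.
CONSTRUCTED_OK = '''\
2017-05-26 04:30:00 [app] [I] Started GET "/api/status" for 192.168.124.100 at 2017-05-26 04:30:00 -0400
2017-05-26 04:30:00 [app] [I] Processing by Api::V2::HomeController#status as JSON
2017-05-26 04:30:00 [app] [I] Completed 200 OK in 5ms (Views: 1.0ms | ActiveRecord: 0.5ms)
'''
SAMPLE_LOG = REPORT_LOG + CONSTRUCTED_OK

STARTED = re.compile(r'^(?P<ts>\S+ \S+) \[[^\]]+\] \[\w\] Started (?P<method>[A-Z]+) "(?P<path>[^"]+)" for (?P<client>\S+)')
PROCESSING = re.compile(r'Processing by (?P<handler>\S+) as')
COMPLETED = re.compile(r'Completed (?P<status>\d{3}) ')


def failed_sso_requests(log_text):
    """Return one dict per request that logged "SSO failed" and then completed with 401."""
    hits, current = [], None
    for line in log_text.splitlines():
        started = STARTED.search(line)
        if started:  # a "Started" line opens a new request block
            current = dict(started.groupdict(), handler=None, sso_failed=False)
            continue
        if current is None:  # skip lines seen before the first "Started"
            continue
        processing = PROCESSING.search(line)
        if processing:
            current["handler"] = processing.group("handler")
        elif "SSO failed" in line:  # logged by [app] or [katello/cp_proxy]
            current["sso_failed"] = True
        else:
            completed = COMPLETED.search(line)
            if completed:  # a "Completed" line closes the block
                if current["sso_failed"] and completed.group("status") == "401":
                    hits.append(current)
                current = None
    return hits
```

Each returned dict carries the timestamp, client address, method, path and controller action, so rejected registrations (`/rhsm/...`) and rejected API calls (`/api/...`) can be counted per client or per endpoint.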
Connecting redmine issue http://projects.theforeman.org/issues/21765 from this bug
Any movement on this? It is making the foreman-maintain upgrade process from 6.2 to 6.3 impossible as well, as that expects hammer to work - which is not the case with External Auth enabled.
The Satellite Team is attempting to provide an accurate backlog of bugzilla requests which we feel will be resolved in the next few releases. We do not believe this bugzilla will meet that criteria, and have plans to close it out in 1 month. This is not a reflection on the validity of the request, but a reflection of the many priorities for the product. If you have any concerns about this, feel free to contact Rich Jerrido or Bryan Kearney or your account team. If we do not hear from you, we will close this bug out. Thank you.
This is related to https://bugzilla.redhat.com/show_bug.cgi?id=1462635, and we will therefore keep it.
Is there any update on when or if that has been resolved?
This also blocks the Tower inventory script if the user is an LDAP user. Just banged my head against the wall with this one, until realizing to try a local user. Satellite 6.8.4.
Upon review of our valid but aging backlog the Satellite Team has concluded that this Bugzilla does not meet the criteria for a resolution in the near term, and are planning to close in a month. This message may be a repeat of a previous update and the bug is again being considered to be closed. If you have any concerns about this, please contact your Red Hat Account team. Thank you.
Thank you for your interest in Red Hat Satellite. We have evaluated this request, and while we recognize that it is a valid request, we do not expect this to be implemented in the product in the foreseeable future. This is due to other priorities for the product, and not a reflection on the request itself. We are therefore closing this out as WONTFIX. If you have any concerns about this feel free to contact your Red Hat Account Team. Thank you.