Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1293538

Description of problem:¶

Netgroup LDAP Authentication

A RHEL 7.1 installation configured to use external LDAP authentication (created using hammer)

# hammer auth-source ldap create --name LDAP1 --host ldap.example.org --server-type posix --tls yes --port 636 \
--base-dn ou=People,ou=example,o=org,c=au --groups-base ou=netgroup,ou=example,o=org,c=au --attr-login uid

The User Group can then be created and an External Group linked to it (also using hammer)...

# hammer user-group create --name Test 
# hammer user-group external create --auth-source-id 3 --name test-netgroup --user-group Test

Actual results:¶

This returns a "500 Internal Server Error" - but checking in the Web UI the external group is displayed as linked correctly.
Trying to then refresh the display to show the users in the LDAP netgroup does nothing - no users are found within the group.
(Creating the user group and external linking via the Web UI returns NO errors - only via hammer do we get a clue something is wrong)

In the foreman production.log we see the 500 error:

2015-12-09 09:30:19 [I] Processing by Api::V2::ExternalUsergroupsController#create as JSON
2015-12-09 09:30:19 [I]    Parameters: {"external_usergroup"=>{"name"=>"test-netgroup", "auth_source_id"=>"3"}, "apiv"=>"2", "usergroup-id"=>"5"}
2015-12-09 09:30:20 [W] Creating scope :completer_scope. Overwriting existing method Organization.completer_scope.
2015-12-09 09:30:20 [I] Authorized user ggatward(Geoff Gatward)
2015-12-09 09:30:20 [I]   Rendered api/v2/external_usergroups/create.json.rabl (2.3ms)
2015-12-09 09:30:20 [E] Group does not have any members (RuntimeError)
/opt/rh/ruby193/root/usr/share/gems/gems/ldap_fluff-0.3.2/lib/ldap_fluff/generic.rb:47:in 'users_for_gid'
/opt/rh/ruby193/root/usr/share/gems/gems/ldap_fluff-0.3.2/lib/ldap_fluff/ldap_fluff.rb:35:in 'user_list'
/usr/share/foreman/app/models/auth_sources/auth_source_ldap.rb:107:in 'users_in_group'
/usr/share/foreman/app/models/external_usergroup.rb:33:in 'users'
...
...
2015-12-09 09:30:20 [I] Completed 500 Internal Server Error in 441ms
2015-12-09 09:30:20 [F]

If we do the same setup but use a posix group from LDAP instead, everything works as expected (no 500 error and users are resolved)

Expected results:¶

everything works as expected (no 500 error)

Additional info:¶

Netgroup grouping is alternative to posix usergroups. It works differently, they are to be found at ou=Netgroup,dc=example,dc=com tree with cn as their name. For association with user, attribute nisNetgroupTriple is defined in this object. Attribute is defined multiple times for each user in a given netgroup. The structure is triple ($server, $user, $domain).

While users can set group base DN today, we hardcode "memberuid" that we use for searching posix groups. We could make this also configurable per LDAP auth source and let ldap_fluff search in this triple.