Bug #16650

closed

New LDAP users end up as authorized by: EXTERNAL and not by LDAP

Added by E E over 7 years ago. Updated over 7 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: Authentication
Target version: -
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

When a new LDAP user logs into Foreman, access is granted but the user is asked to fill out missing information. The missing information is mapped in LDAP and should be filled automatically.
When looking at the users in Foreman, the newly added users end up as authorized by EXTERNAL and not by LDAP.
The LDAP server is a FreeIPA server.

The log gives

2016-09-22T11:22:13 [app] [I] Started GET "/users/extlogin" for 10.235.2.65 at 2016-09-22 11:22:13 +0000
2016-09-22T11:22:13 [app] [I] Processing by UsersController#extlogin as HTML
2016-09-22T11:22:13 [app] [I] Rendered api/v2/reports/create.json.rabl (6.3ms)
2016-09-22T11:22:13 [app] [I] Completed 201 Created in 53ms (Views: 6.7ms | ActiveRecord: 5.6ms)
2016-09-22T11:22:13 [app] [I] Authorized user test002(test002)
2016-09-22T11:22:13 [app] [I] Redirected to https://xxxx/users/28-test002/edit
2016-09-22T11:22:13 [app] [I] Filter chain halted as :require_mail rendered or redirected
2016-09-22T11:22:13 [app] [I] Completed 302 Found in 363ms (ActiveRecord: 27.4ms)
2016-09-22T11:22:13 [app] [I] Started GET "/users/28-test002/edit" for 10.235.2.65 at 2016-09-22 11:22:13 +0000
2016-09-22T11:22:13 [app] [I] Processing by UsersController#edit as HTML
2016-09-22T11:22:13 [app] [I] Parameters: {"id"=>"28-test002"}
2016-09-22T11:22:13 [app] [I] Rendered common/_edit_habtm.html.erb (1.3ms)
2016-09-22T11:22:13 [app] [I] Rendered taxonomies/_loc_org_tabs.html.erb (1.1ms)
2016-09-22T11:22:13 [app] [I] Rendered users/_form.html.erb (101.6ms)
2016-09-22T11:22:13 [app] [I] Rendered users/edit.html.erb within layouts/application (102.6ms)
2016-09-22T11:22:13 [app] [I] Rendered layouts/_application_content.html.erb (0.3ms)
2016-09-22T11:22:13 [app] [I] Rendered home/_user_dropdown.html.erb (2.4ms)

Actions #1

Updated by Dominic Cleal over 7 years ago

  • Category set to Authentication
  • Status changed from New to Feedback

It looks like the user is using external Kerberos-based authentication because the log shows /users/extlogin, not Foreman's own LDAP authentication via /users/login. When using Kerberos auth, no LDAP connection is made by Foreman itself. Missing attributes may be populated by using the steps in https://theforeman.org/manuals/1.12/index.html#5.7.5Populateusersandattributes.

You would need to unconfigure the changes in https://theforeman.org/manuals/1.12/index.html#5.7.3KerberosSingleSign-On to disable Kerberos logins, and add an LDAP auth source to use that instead.
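
The check described in this comment can be scripted over a Foreman log. The following is an added example, not part of the original thread or Foreman's own code: it labels each authorized login by the entry point that preceded it. The function name, the labels and the second sample login (user `alice`, address 192.0.2.10) are constructed, and it is an assumption that a form login writes the same "Authorized user" line.

```python
import re

# Entry points named in the thread: /users/extlogin is the external
# (web server / Kerberos) path, /users/login is Foreman's own login form.
ENTRY_POINTS = {
    "/users/extlogin": "EXTERNAL",
    "/users/login": "FOREMAN_LOGIN_FORM",  # label chosen for this example
}

STARTED = re.compile(
    r'Started (?:GET|POST) "(?P<path>/users/(?:ext)?login)(?:\?[^"]*)?" for (?P<ip>\S+)'
)
AUTHORIZED = re.compile(r"Authorized user (?P<login>[^\s(]+)\(")


def classify_logins(lines):
    """Return [(login, source_ip, auth_path)] for each authorized login.

    These log lines carry no request id, so an "Authorized user" line is
    paired with the most recent login entry point seen before it. On a busy
    server with interleaved requests this pairing is only a heuristic.
    """
    results = []
    pending = None
    for line in lines:
        started = STARTED.search(line)
        if started:
            pending = (started["ip"], ENTRY_POINTS[started["path"]])
            continue
        authorized = AUTHORIZED.search(line)
        if authorized and pending:
            results.append((authorized["login"], *pending))
            pending = None
    return results


# First five lines are from the report above; the last two are constructed.
SAMPLE_LOG = """\
2016-09-22T11:22:13 [app] [I] Started GET "/users/extlogin" for 10.235.2.65 at 2016-09-22 11:22:13 +0000
2016-09-22T11:22:13 [app] [I] Processing by UsersController#extlogin as HTML
2016-09-22T11:22:13 [app] [I] Rendered api/v2/reports/create.json.rabl (6.3ms)
2016-09-22T11:22:13 [app] [I] Completed 201 Created in 53ms (Views: 6.7ms | ActiveRecord: 5.6ms)
2016-09-22T11:22:13 [app] [I] Authorized user test002(test002)
2016-09-22T11:30:02 [app] [I] Started POST "/users/login" for 192.0.2.10 at 2016-09-22 11:30:02 +0000
2016-09-22T11:30:02 [app] [I] Authorized user alice(Alice Example)
""".splitlines()

if __name__ == "__main__":
    for login, ip, path in classify_logins(SAMPLE_LOG):
        print(f"{login:10} {ip:15} {path}")
```

A user reported as EXTERNAL here was authenticated by the web server in front of Foreman, which matches the "authorized by EXTERNAL" value in the report.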

Actions #2

Updated by E E over 7 years ago

Dominic Cleal wrote:

It looks like the user is using external Kerberos-based authentication because the log shows /users/extlogin, not Foreman's own LDAP authentication via /users/login. When using Kerberos auth, no LDAP connection is made by Foreman itself. Missing attributes may be populated by using the steps in https://theforeman.org/manuals/1.12/index.html#5.7.5Populateusersandattributes.

You would need to unconfigure the changes in https://theforeman.org/manuals/1.12/index.html#5.7.3KerberosSingleSign-On to disable Kerberos logins, and add an LDAP auth source to use that instead.

You are correct, thanks. Please close the issue.

Actions #3

Updated by Dominic Cleal over 7 years ago

  • Status changed from Feedback to Rejected

Thanks for confirming.
