Bug #24497
Status: closed
Foreman does not add external LDAP users to group
Description
I have set up an external LDAP auth source ('ldap.example.com'). The LDAP server uses the rfc2307bis schema so each group has a 'member' attribute with a list of member DNs and each user has a 'memberOf' attribute with a list of groups DNs.
By using 'use-netgroups', 'usergroup-sync' and 'onthefly-register' I am able to authenticate a user and have them log in. However, they are not being added to the group I have defined.
I defined the group using the 'External Groups' tab to auth against the LDAP group name ('ACRC') and auth source ('LDAP-ldap.example.com'). Clicking submit on the user group edit window created the group correctly. I'm confident that it's connecting to LDAP correctly, because if I deliberately mistype the LDAP group name (e.g. 'ACRCfooblah'), it refuses to submit, but it works with the correctly-typed name.
The ACRC group contains a set of 'member:' attributes like 'member: CN=mw16387,OU=ISYS,ou=ad,dc=example,dc=com' and has objectClass 'groupOfNames' and 'posixGroup'.
When I log on with a user ('mw16387') whose LDAP entry contains a 'memberOf' with an entry 'CN=ACRC,OU=Groups,OU=ACRC,OU=Non-Standard,ou=ad,dc=example,dc=com', they are not being added to the user group. The user is created correctly but has no permissions since it is not in a group.
If, in the user group "External Groups" tab, I press the Refresh button I get the attached production.log output.
It contains a lot of lines like:
Could not log "search.net_ldap" event. LocalJumpError: no block given (yield) [".........
with a long backtrace for each interspersed with the useful output.
Does Foreman LDAP support the schema used for our LDAP server? It works fine with SSSD (as long as the schema is set to rfc2307bis) for example.
Why does the log fail to output information on the events? Is it a problem or can it be ignored?
Files
Updated by Matt Williams over 6 years ago
- Status changed from New to Resolved
My fault. I had 'use-netgroups' set when it should not have been.
I'm still having issues but they're different so if I can't fix them I'll raise another issue.
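The lookup described in the report (a groupOfNames/posixGroup with DN-valued 'member' entries, users carrying 'memberOf') and the cause given in the resolution ('use-netgroups' enabled for a directory whose groups are not NIS netgroups), as an added example that is not Foreman's or ldap_fluff's own code. The directory snapshot, DNs and uids are constructed sample data; 'member', 'memberOf' and 'nisNetgroupTriple' are standard LDAP attributes, but the helper names are this example's own. It resolves membership of the same group under both lookup modes, so the mismatch shows up as a plain boolean, and adds a member/memberOf consistency check a practitioner would want before trusting either attribute during a sync.

```python
"""Resolve LDAP group membership two ways: rfc2307bis groups vs NIS netgroups.

Added example, not Foreman's code. It models the decision an external
user-group sync makes for one user, once against rfc2307bis groups
('member' / 'memberOf') and once against NIS netgroups ('nisNetgroupTriple'),
to show why a group that exists only as a groupOfNames is never matched when
the netgroup lookup mode is in use. All entries below are constructed.
DN comparison is simplified to exact string match (real DN matching is
case-insensitive and whitespace-tolerant).
"""
import re

# Constructed directory snapshot: DN -> {attribute: [values]}.
DIRECTORY = {
    "cn=ACRC,ou=Groups,ou=ad,dc=example,dc=com": {
        "objectClass": ["groupOfNames", "posixGroup"],
        "cn": ["ACRC"],
        "gidNumber": ["5001"],
        "member": [
            "cn=mw16387,ou=ISYS,ou=ad,dc=example,dc=com",
            "cn=jd00001,ou=ISYS,ou=ad,dc=example,dc=com",
        ],
    },
    "cn=mw16387,ou=ISYS,ou=ad,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": ["mw16387"],
        "memberOf": ["cn=ACRC,ou=Groups,ou=ad,dc=example,dc=com"],
    },
    "cn=jd00001,ou=ISYS,ou=ad,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": ["jd00001"],
        "memberOf": [],  # stale: the group lists this user, the user does not list the group
    },
    # The only kind of entry a netgroup lookup can ever match; note it is not named ACRC.
    "cn=sysadmins,ou=Netgroup,ou=ad,dc=example,dc=com": {
        "objectClass": ["nisNetgroup"],
        "cn": ["sysadmins"],
        "nisNetgroupTriple": ["(,jd00001,)", "(host1.example.com,,)"],
    },
}

# A netgroup triple is "(host,user,domain)"; any field may be empty.
TRIPLE_RE = re.compile(r"^\((?P<host>[^,]*),(?P<user>[^,]*),(?P<domain>[^,]*)\)$")


def find_by_cn(directory, cn, object_class):
    """Return (dn, entry) for the first entry with this cn and objectClass, else (None, None)."""
    for dn, entry in directory.items():
        if cn in entry.get("cn", []) and object_class in entry.get("objectClass", []):
            return dn, entry
    return None, None


def rfc2307bis_members(directory, group_cn):
    """uids of the users listed in the group's DN-valued 'member' attribute."""
    _, group = find_by_cn(directory, group_cn, "groupOfNames")
    if group is None:
        return set()
    uids = set()
    for member_dn in group.get("member", []):
        member = directory.get(member_dn)
        if member is not None:
            uids.update(member.get("uid", []))
    return uids


def netgroup_members(directory, netgroup_cn):
    """uids named in the user field of the netgroup's nisNetgroupTriple values."""
    _, netgroup = find_by_cn(directory, netgroup_cn, "nisNetgroup")
    if netgroup is None:
        return set()
    uids = set()
    for triple in netgroup.get("nisNetgroupTriple", []):
        m = TRIPLE_RE.match(triple)
        if m and m.group("user"):
            uids.add(m.group("user"))
    return uids


def user_in_external_group(directory, uid, group_cn, use_netgroups):
    """The yes/no an 'External Groups' sync has to decide for one user in one mode."""
    if use_netgroups:
        return uid in netgroup_members(directory, group_cn)
    return uid in rfc2307bis_members(directory, group_cn)


def memberof_inconsistencies(directory, group_cn):
    """DNs the group lists as 'member' whose own 'memberOf' does not name the group back.

    memberOf is normally maintained by a server-side overlay; a mismatch means
    one side is stale, and a sync that trusts only one attribute will disagree
    with a sync that trusts the other.
    """
    group_dn, group = find_by_cn(directory, group_cn, "groupOfNames")
    if group is None:
        return []
    return [dn for dn in group.get("member", [])
            if group_dn not in directory.get(dn, {}).get("memberOf", [])]


if __name__ == "__main__":
    for mode in (True, False):
        print(f"use_netgroups={mode}: mw16387 in ACRC ->",
              user_in_external_group(DIRECTORY, "mw16387", "ACRC", mode))
    print("member/memberOf mismatches:", memberof_inconsistencies(DIRECTORY, "ACRC"))
```

With the netgroup mode on, the lookup asks for a nisNetgroup named ACRC, finds none, and the user is silently left out of the group, which is the symptom in the report; with it off, the groupOfNames 'member' list resolves the same user immediately. The consistency check is worth running against a real directory before relying on 'memberOf' alone, since the overlay that maintains it can lag or be absent.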