Project

General

Profile

Bug #27402

The Foreman "forgets" group members after update to 1.22.0

Added by Dirk Heinrichs 5 months ago. Updated 20 days ago.

Status:
Closed
Priority:
High
Assignee:
Category:
Authentication
Target version:
Difficulty:
Triaged:
No
Bugzilla link:
Fixed in Releases:
Found in Releases:

Description

I've just updated from 1.21.3 to 1.22.0 and found that users got permission denied messages after logging in, for example because of missing "view_hosts" permissions. After logging in as admin I recognized that the groups didn't have any members anymore. So I added the members again, saved the change, reloaded the group again to verify (members where still there), logged out from admin and logged in as normal user -> No view_hosts permission. Logged back in as admin and saw that the group had no members again.

How reproducible:
always

Steps to Reproduce:
1. Set up LDAP authentication with synchronization enabled
2. Create simple Satellite Usergroup with no external user group link
3. Add users from the LDAP auth source to the Usergroup
4. Log-in as any of the LDAP users aded to the Usergroup

Actual results:
LDAP users are no longer members of the Satellite Usergroup.

Expected results:
No change in the Usergroup memberships.


Related issues

Related to Foreman - Bug #25795: LDAP - When User Group sync is enabled, user wait long time to authenticate / loginClosed

Associated revisions

Revision 1a155135 (diff)
Added by Ondřej Ezr 3 months ago

Fixes #27402 - LDAP usergroup sync (#7045)

History

#1 Updated by Marek Hulán 5 months ago

I assume you use LDAP and you are syncing external user groups in cron, is that correct? Do you see some related changes in Monitor -> Audits?

#2 Updated by Dirk Heinrichs 5 months ago

No. The only entries there are those for when I re-added the members.

#3 Updated by Dirk Heinrichs 5 months ago

It works if I assign the roles to the users directly.

#4 Updated by Dirk Heinrichs 5 months ago

Oh, and yes, I'm using LDAP (synchronized groups manually using the button, though).

#5 Updated by Tomer Brisker 5 months ago

  • Category set to Authentication

#6 Updated by Tomer Brisker 5 months ago

  • Target version set to 1.22.1

#7 Updated by Tomer Brisker 5 months ago

  • Related to Bug #25795: LDAP - When User Group sync is enabled, user wait long time to authenticate / login added

#8 Updated by Tomer Brisker 5 months ago

  • Assignee set to Ondřej Ezr

#9 Updated by Ondřej Ezr 5 months ago

I am unable to reproduce :(
Do I understand correctly you have the `Usergroup Sync` disabled on the ldap definition?
What ldap provider are you using?

#10 Updated by Dirk Heinrichs 5 months ago

Yes, did it manually when configuring the LDAP connection. Groups don't change so often in our environment. The LDAP provider is AD.

#11 Updated by Tomer Brisker 4 months ago

  • Target version deleted (1.22.1)
  • Priority changed from Urgent to High

Could you please provide some more information regarding your setup to help reproduce? do you have any plugins installed or special configuration?
we are having difficulty reproducing this issue.

#12 Updated by Dirk Heinrichs 4 months ago

No, there are no plugins installed and there is no special configuration.

#13 Updated by Ondřej Ezr 3 months ago

Hi Dirk,

I have been able to reproduce an issue where the LDAP users are removed from groups, which are not synced with LDAP (do not have any external user groups).
Is that your setup?

#14 Updated by The Foreman Bot 3 months ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/7045 added

#15 Updated by Dirk Heinrichs 3 months ago

Not sure what you mean by "LDAP users are removed from groups". Do mean inside Foreman, or in LDAP itself?

#16 Updated by Tomer Brisker 3 months ago

  • Target version set to 1.22.2

#17 Updated by Ondřej Ezr 3 months ago

  • Description updated (diff)

I have specified the reproducer.
Does that describe your issue?

#18 Updated by Ondřej Ezr 3 months ago

  • Bugzilla link set to 1753907

#19 Updated by The Foreman Bot 3 months ago

  • Fixed in Releases 1.24.0 added

#20 Updated by Ondřej Ezr 3 months ago

  • Status changed from Ready For Testing to Closed

#21 Updated by Tomer Brisker 2 months ago

  • Fixed in Releases 1.22.2, 1.23.1 added

#22 Updated by Dirk Heinrichs 20 days ago

Just updated to 1.22.2 and then to 1.23.1. Both releases still have the problem.

Also available in: Atom PDF