Bug #30940 (open)

New users can't register with SSO and LDAP source

Added by Adam Winberg over 3 years ago. Updated over 3 years ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
Difficulty:
Triaged: No
Fixed in Releases:
Found in Releases:

Description

We use Apache SSO (REMOTE_USER) and an LDAP auth source for groups. After updating to 2.1 and starting to use Puma (possibly not related), new users no longer get an autocreated account.

After the upgrade the "Authorise login delegation auth source user autocreate" parameter was set to 'External'. So any new user logging in (via Apache SSO) got created in an External auth source instead of our LDAP source. In earlier Foreman versions new users were automatically created based on our LDAP source, since we have enabled 'Automatically Create Accounts In Foreman' there.

Changing the "Authorise login delegation auth source user autocreate" parameter so it points to our LDAP source fixes the auto-creation issue. BUT, now when users' sessions expire they can no longer log in, getting a 404 message with "User not found". Setting the "Authorise login delegation auth source user autocreate" to nothing resolves this and users have access again. But now autocreation no longer works...

How is this supposed to be set up? What's the relation between the autocreate setting in 'Settings' and the autocreate setting in the LDAP source?

#1

Updated by Adam Winberg over 3 years ago

I realize now that I've got things mixed up. We use REMOTE_USER in Apache for authentication. Until 2.1 users were able to log in and accounts got auto-created based on our LDAP auth source. In 2.1 that stopped working, users got created based on an 'External' auth source and had no permissions, so in an attempt to make it work again I set the value of 'Authorise login delegation auth source user autocreate' to the name of our LDAP auth source. However, this is an LDAP auth source, not an external auth source, so when I did this a new External auth source was created with the same name as my LDAP auth source. The name of the External auth source was not visible in the UI; it only showed that I had two different 'External' auth sources. Looking in the DB later on revealed the actual name set on the auth source. So now autocreated accounts appeared to belong to my LDAP auth source but in reality belonged to my new External auth source with the same name.

The original problem that newly created users lacked permissions was probably because the External auth source was not configured with any Location/Org. Using the LDAP auth source name for the external auth source somehow fixed this, but I still don't know why users could log in and get their accounts created but then could not log in again after their session expired.
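A way to surface the hidden duplicate described in this comment directly from the database, as an added example that is not part of the bug report or of Foreman itself. It assumes Foreman's PostgreSQL schema, with the Rails STI class name stored in auth_sources.type and users bound to a source through users.auth_source_id:

```sql
-- Added example (not from the bug report or the Foreman project).
-- Assumed schema: auth_sources(id, name, type) where "type" holds the STI
-- class name (e.g. 'AuthSourceLdap', 'AuthSourceExternal'), and
-- users(id, login, auth_source_id).  Read-only; run for instance with
--   sudo -u postgres psql foreman -f auth_source_audit.sql

-- 1. Auth source names that exist under more than one type.  In the report
--    above, pointing the login-delegation autocreate setting at the LDAP
--    source's name silently created an AuthSourceExternal with that same
--    name, which the UI showed only as a second 'External' entry.
SELECT name,
       string_agg(type || ' (id ' || id || ')', ', ' ORDER BY id) AS sources
FROM   auth_sources
GROUP  BY name
HAVING COUNT(DISTINCT type) > 1;

-- 2. Which of the colliding sources each user is actually bound to.  A user
--    attached to the External duplicate rather than the LDAP source will not
--    inherit the LDAP source's group and Location/Organization mappings,
--    which matches the "no permissions" symptom in the report.
SELECT u.login,
       a.id   AS auth_source_id,
       a.name,
       a.type
FROM   users u
JOIN   auth_sources a ON a.id = u.auth_source_id
WHERE  a.name IN (SELECT name
                  FROM   auth_sources
                  GROUP  BY name
                  HAVING COUNT(DISTINCT type) > 1)
ORDER  BY a.name, a.type, u.login;
```

If query 1 returns rows, query 2 shows which accounts were autocreated against the wrong source and need to be re-pointed before the duplicate is removed.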
