Bug #32466

Foreman login delegation and usergroup membership

Added by Nacho Barrientos over 1 year ago. Updated about 1 year ago.

Status: New
Priority: Normal
Assignee: -
Category: Authentication
Target version: -
Difficulty:
Triaged: No
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:

Description

Hi,

Our Foreman instances are configured to delegate authentication to a front-end, hence they trust the REMOTE_USER HTTP header for both the UI and the API by setting the corresponding configuration variables ("Authorize login delegation" and "Authorize login delegation API"). This is deployed like this because we do Kerberos authentication and a rather custom SSO for which we have existing front-ends configured and well tested.

For this type of delegated authentication to work, it seems that users must be attached to an External authentication source, as per:

https://github.com/theforeman/foreman/blob/2.4.0/app/models/user.rb#L320

On the other hand, we have numerous Usergroups linked to Externalusergroups via an LDAP authentication source. Our users typically belong to one or several of these.

If I read the code correctly, for the Usergroup membership sync to work, the users in question have to be members of the same authentication source as the ExternalUsergroup being synced as per:

https://github.com/theforeman/foreman/blob/2.4.0/app/models/auth_sources/auth_source_ldap.rb#L153

However an AuthSource of type AuthSourceLdap is not considered as External:

irb(main):004:0> AuthSource.find_by_id(3).type
=> "AuthSourceLdap"
irb(main):005:0> AuthSource.find_by_id(3).is_a? AuthSourceExternal
=> false

This creates a situation in which we have to choose between having a working SSO and a working automatic synchronisation of group membership.

Shouldn't these scenarios be compatible? It makes sense to us to delegate authentication to a front-end (where, for instance, SSO and/or Kerberos authentication is already implemented) and still rely on Foreman to keep a record of which Usergroup a given user belongs to, and to keep this membership up to date using an LDAP server as the source of truth.

Older versions of Foreman allowed this to happen (we are aiming at upgrading to 2.4.0).

Thanks!
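
To make the incompatibility concrete, the following is an added example and not Foreman's own code: it models the two checks the ticket describes (delegated login requires an External auth source; LDAP group sync only covers users on the same LDAP source) with constructed records, and audits which users end up with only one of the two features. The record shapes, source ids 1 and 3, the user logins and the group name are all assumptions made for the example.

```ruby
# Constructed stand-ins for the three Foreman records the ticket talks about;
# these are not Foreman's models, just enough state to run the two checks.
AuthSource        = Struct.new(:id, :type)              # "AuthSourceExternal" or "AuthSourceLdap"
User              = Struct.new(:login, :auth_source_id)
ExternalUsergroup = Struct.new(:name, :auth_source_id)  # linked to an LDAP auth source

# Check 1 (user.rb, as described in the ticket): REMOTE_USER delegation is only
# honoured for users attached to an External auth source.
def delegated_login_allowed?(user, sources)
  src = sources[user.auth_source_id]
  !src.nil? && src.type == "AuthSourceExternal"
end

# Check 2 (auth_source_ldap.rb, as described): group sync only touches users whose
# auth source is the same LDAP source the external usergroup is linked to.
def group_sync_covers?(user, ext_group)
  user.auth_source_id == ext_group.auth_source_id
end

# Classify every user; :conflict is true when SSO and group sync cannot both work.
def audit(users, sources, ext_groups)
  users.map do |u|
    sso  = delegated_login_allowed?(u, sources)
    sync = ext_groups.any? { |g| group_sync_covers?(u, g) }
    { login: u.login, sso: sso, sync: sync, conflict: !(sso && sync) }
  end
end

# Constructed sample: one External source (id 1), one LDAP source (id 3, as in the
# irb session above), and one external usergroup synced from the LDAP source.
SOURCES    = { 1 => AuthSource.new(1, "AuthSourceExternal"),
               3 => AuthSource.new(3, "AuthSourceLdap") }.freeze
USERS      = [User.new("alice", 1), User.new("bob", 3)].freeze
EXT_GROUPS = [ExternalUsergroup.new("ldap-admins", 3)].freeze

def audit_sample
  audit(USERS, SOURCES, EXT_GROUPS)
end

if __FILE__ == $PROGRAM_NAME
  audit_sample.each do |r|
    puts "#{r[:login]}: sso=#{r[:sso]} sync=#{r[:sync]} conflict=#{r[:conflict]}"
  end
end
```

Whichever source a user is attached to, one of the two columns comes out false, which is the choice the ticket describes.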

History

#1 Updated by Tomer Brisker over 1 year ago

  • Category set to Authentication

#2 Updated by Nacho Barrientos about 1 year ago

I'm attaching the patch that we've applied locally to circumvent the limitation described in this ticket.
