Bug #32466 (open)
Foreman login delegation and usergroup membership
Description
Hi,
Our Foreman instances are configured to delegate authentication to a front-end, hence they trust the REMOTE_USER HTTP header for both the UI and the API by setting the corresponding configuration variables ("Authorize login delegation" and "Authorize login delegation API"). This is deployed like this because we do Kerberos authentication and a rather custom SSO for which we have existing front-ends configured and well tested.
For this type of delegated authentication to work, it seems that users must be attached to an External authentication source, as per:
https://github.com/theforeman/foreman/blob/2.4.0/app/models/user.rb#L320
On the other hand, we have numerous Usergroups linked to Externalusergroups via an LDAP authentication source. Our users typically belong to one of several of these.
If I read the code correctly, for the Usergroup membership sync to work, the users in question have to be members of the same authentication source as the ExternalUsergroup being synced as per:
https://github.com/theforeman/foreman/blob/2.4.0/app/models/auth_sources/auth_source_ldap.rb#L153
However an AuthSource of type AuthSourceLdap is not considered as External:
irb(main):004:0> AuthSource.find_by_id(3).type
=> "AuthSourceLdap"
irb(main):005:0> AuthSource.find_by_id(3).is_a? AuthSourceExternal
=> false
This creates a situation in which we have to choose between having a working SSO or a working automatic synchronisation of group membership.
Shouldn't these scenarios be compatible? It makes sense to us to delegate authentication to a front-end (where for instance SSO and/or Kerberos authentication is already implemented) and yet rely on Foreman to keep a record of what Usergroup a given user belongs to and to maintain this membership up to date using an LDAP server as source of truth.
Older versions of Foreman (aiming at upgrading to 2.4.0) allowed this to happen.
Thanks!
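The conflict described in the report, as an added illustration that is not Foreman's code and not part of the ticket: a minimal Ruby model of the two checks the reporter reads out of user.rb and auth_source_ldap.rb. The class names mirror Foreman's, but the predicates, the constructor signatures and the sample records are simplified assumptions made for this example; the point it shows is that no single auth source passes both checks.

```ruby
# Added illustration (not Foreman's code): a minimal model of the two checks
# the ticket describes, to show that no single auth source satisfies both.
# Class names mirror Foreman's; the predicates are simplified assumptions.

class AuthSource
  attr_reader :id, :name

  def initialize(id, name)
    @id = id
    @name = name
  end
end

# Source type that trusted front-end (REMOTE_USER) logins are attached to.
class AuthSourceExternal < AuthSource; end

# An LDAP source that owns one or more external user groups.
class AuthSourceLdap < AuthSource
  attr_reader :external_usergroups

  def initialize(id, name, external_usergroups)
    super(id, name)
    @external_usergroups = external_usergroups
  end
end

User = Struct.new(:login, :auth_source)

# Check 1 (as the ticket reads user.rb): login delegation only accepts users
# attached to an External auth source.
def delegated_login_allowed?(user)
  user.auth_source.is_a?(AuthSourceExternal)
end

# Check 2 (as the ticket reads auth_source_ldap.rb): the LDAP source only
# syncs group membership for users attached to that same source.
def usergroup_sync_allowed?(user, ldap_source)
  user.auth_source.id == ldap_source.id
end

# Evaluate both checks for one user against one LDAP source.
def evaluate(user, ldap_source)
  {
    login: delegated_login_allowed?(user),
    sync: usergroup_sync_allowed?(user, ldap_source),
  }
end

# Constructed sample data (hypothetical ids and names, not real Foreman records).
LDAP = AuthSourceLdap.new(3, "corp-ldap", ["admins", "operators"])
EXTERNAL = AuthSourceExternal.new(7, "External")

LDAP_USER = User.new("alice", LDAP)
EXTERNAL_USER = User.new("bob", EXTERNAL)

# Print one line per user so the trade-off is visible when run directly.
[LDAP_USER, EXTERNAL_USER].each do |u|
  r = evaluate(u, LDAP)
  puts "#{u.login} (#{u.auth_source.class}): delegated login=#{r[:login]}, group sync=#{r[:sync]}"
end
```

Running it prints one line per user: the LDAP-attached user passes the group-sync check but fails delegated login, and the External-attached user passes delegated login but fails group sync, which is the either/or the ticket describes.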
Files
Updated by Nacho Barrientos almost 4 years ago
- File foreman-cern-issue32466-ldap-users-as-external.patch added
I'm attaching the patch that we've applied locally to circumvent the limitation described in this ticket.