Feature #3696

closed

Populate user or usergroup roles from LDAP or REMOTE_USER_*

Added by Dominic Cleal over 10 years ago. Updated about 10 years ago.

Status: Duplicate
Priority: Normal
Assignee: -
Category: Authentication
Target version: -
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Cloned from #3528 specifically for handling roles from LDAP or REMOTE_USER_* (if available).

<hr>

The issue http://projects.theforeman.org/issues/3312 and related pull request https://github.com/theforeman/foreman/pull/967 attempt to make the REMOTE_USER authentication usable for other authentication mechanisms than just HTTP Basic. When the user is populated in the Foreman database upon successful logon, they get redirected to add their email address. If the email address of the user is available in the remote authentication service (like FreeIPA), Foreman should populate the database with the data, saving the user manual edits that can lead to errors.

Based on http://www.freeipa.org/page/Environment_Variables#Proposed_Additional_Variables, the proposed environment variables that Foreman could observe besides REMOTE_USER are REMOTE_USER_EMAIL, REMOTE_USER_FIRSTNAME, and REMOTE_USER_LASTNAME for the user, and REMOTE_USER_GROUPS or some similar variable for group membership which could imply roles that the user should get in Foreman.

There is experimental work going on in sssd which will make it possible to get the values from IPA and get them to Apache, probably using a mod_lookup_identity module (https://github.com/adelton/mod_lookup_identity/, http://fedorapeople.org/cgit/adelton/public_git/mod_lookup_identity.git/).
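The following sketch is an added example, not part of the original issue and not Foreman's code. It shows how an application could consume the proposed variables while reading only what the web server set and granting roles only for explicitly mapped groups. The helper names, the group-to-role map, the ":" group separator and the sample values are assumptions made for illustration.

```ruby
# Hypothetical helper, not Foreman code. Assumes Apache exports REMOTE_USER_*
# into the request environment and joins multiple groups with ":".
GROUP_SEPARATOR = ':'

# Hypothetical group-to-role mapping; only groups listed here grant a role.
GROUP_ROLE_MAP = {
  'foreman-admins'  => 'Manager',
  'foreman-viewers' => 'Viewer'
}.freeze

EMAIL_RE = /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/

def blank_to_nil(value)
  s = value.to_s.strip
  s.empty? ? nil : s
end

# Returns nil when the web server authenticated no one, otherwise the
# attributes to store for the user.
def remote_user_attributes(env)
  login = blank_to_nil(env['REMOTE_USER'])
  return nil unless login

  # Read only the server-set keys. Client request headers appear in a Rack
  # env as HTTP_* (e.g. HTTP_REMOTE_USER_GROUPS) and are never consulted.
  email  = blank_to_nil(env['REMOTE_USER_EMAIL'])
  groups = env['REMOTE_USER_GROUPS'].to_s.split(GROUP_SEPARATOR)
                                    .map(&:strip).reject(&:empty?).uniq
  {
    login:     login,
    mail:      (email if email && email.match?(EMAIL_RE)),
    firstname: blank_to_nil(env['REMOTE_USER_FIRSTNAME']),
    lastname:  blank_to_nil(env['REMOTE_USER_LASTNAME']),
    groups:    groups,
    roles:     groups.map { |g| GROUP_ROLE_MAP[g] }.compact.uniq
  }
end

# Constructed sample environment; the HTTP_* entry stands for a request header.
SAMPLE_ENV = {
  'REMOTE_USER'             => 'alice',
  'REMOTE_USER_EMAIL'       => 'alice@example.test',
  'REMOTE_USER_FIRSTNAME'   => 'Alice',
  'REMOTE_USER_LASTNAME'    => 'Example',
  'REMOTE_USER_GROUPS'      => 'foreman-viewers:ipausers',
  'HTTP_REMOTE_USER_GROUPS' => 'foreman-admins'
}.freeze

p remote_user_attributes(SAMPLE_ENV)
```

Groups without an entry in the map (here `ipausers`) are recorded but grant nothing, and an environment without `REMOTE_USER` yields no attributes at all.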


Related issues 1 (0 open, 1 closed)

Copied from Foreman - Feature #3528: When new users are created based on REMOTE_USER authentication, their attributes should be populated as well | Closed | Jan Pazdziora | 10/28/2013

#1

Updated by Dominic Cleal over 10 years ago

  • Copied from Feature #3528: When new users are created based on REMOTE_USER authentication, their attributes should be populated as well added

#2

Updated by Anonymous about 10 years ago

  • Target version set to 1.9.0

#3

Updated by Dominic Cleal about 10 years ago

  • Status changed from New to Duplicate
  • Target version deleted (1.9.0)

Replacing with #3892 (duplicate) which has a better explanation.
