Feature #3892
closed
When new users are created based on REMOTE_USER authentication, their roles should be populated as well
Description
The issue http://projects.theforeman.org/issues/3312 made the REMOTE_USER authentication usable for other authentication mechanisms than just HTTP Basic. When the user is populated in the Foreman database upon successful logon, the issue http://projects.theforeman.org/issues/3528 made it possible to populate their name and email address based on information in the external identity provider like FreeIPA. The user no longer needs to be redirected to add their email address manually. These two issues have been implemented (as of Foreman 1.4) and are documented at http://projects.theforeman.org/projects/foreman/wiki/Foreman_and_mod_auth_kerb and in the Foreman manual http://theforeman.org/manuals/1.4/index.html#5.7SPNEGOauthentication.
Beyond name and email address, another useful piece of information that Foreman can obtain from an external identity provider like FreeIPA is group membership, which can be used to drive roles for Foreman users.
Based on http://www.freeipa.org/page/Environment_Variables#Proposed_Additional_Variables, we propose to populate group membership of the new user based on the REMOTE_USER_GROUP_N and REMOTE_USER_GROUP_# environment variables.
The current pull request for this feature is https://github.com/theforeman/foreman/pull/1328.
The follow-up feature is http://projects.theforeman.org/issues/5242 with pull request https://github.com/theforeman/foreman/pull/1391, which will make both user attributes and the group membership up-to-date after every external logon.
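An added illustration, not part of the original issue and not Foreman's own code: one way to read the REMOTE_USER_GROUP_N count and the numbered REMOTE_USER_GROUP_# variables from a Rack-style environment hash. It takes only the values set by the web server, ignores HTTP_-prefixed keys (which come from request headers), and bounds the count. The method name `remote_user_groups`, the `MAX_GROUPS` limit and all sample values are assumptions made for this sketch.

```ruby
# Added example: collect external group names from a Rack-style env hash.
# MAX_GROUPS and the method name are assumptions made for this sketch.
MAX_GROUPS = 256

def remote_user_groups(env)
  # Without an authenticated REMOTE_USER the group variables mean nothing.
  return [] if env['REMOTE_USER'].to_s.empty?

  raw_count = env['REMOTE_USER_GROUP_N'].to_s
  # Accept only a plain decimal count; anything else means "no groups".
  return [] unless raw_count.match?(/\A\d{1,4}\z/)

  count = [raw_count.to_i, MAX_GROUPS].min
  groups = (1..count).map { |i| env["REMOTE_USER_GROUP_#{i}"] }
  # Skip gaps and blanks, trim whitespace, drop duplicates.
  groups.compact.map { |g| g.to_s.strip }.reject(&:empty?).uniq
end

# Constructed sample environments (not captured from a real server).
SAMPLE_ENV = {
  'REMOTE_USER' => 'alice@EXAMPLE.TEST',
  'REMOTE_USER_GROUP_N' => '3',
  'REMOTE_USER_GROUP_1' => 'foreman-admins',
  'REMOTE_USER_GROUP_2' => 'ipausers',
  'REMOTE_USER_GROUP_3' => 'foreman-admins',
  # Request headers appear under HTTP_-prefixed keys; this one is never read.
  'HTTP_REMOTE_USER_GROUP_4' => 'other-group'
}.freeze

# Only header-derived keys are present, so no user and no groups result.
HEADER_ONLY_ENV = {
  'HTTP_REMOTE_USER' => 'alice',
  'HTTP_REMOTE_USER_GROUP_N' => '1',
  'HTTP_REMOTE_USER_GROUP_1' => 'foreman-admins'
}.freeze

if __FILE__ == $PROGRAM_NAME
  p remote_user_groups(SAMPLE_ENV)
  p remote_user_groups(HEADER_ONLY_ENV)
end
```

The resulting names would then be matched against whatever external group to role mapping the application maintains; names with no mapping should grant nothing.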
Updated by Jan Pazdziora almost 11 years ago
- Copied from Feature #3528: When new users are created based on REMOTE_USER authentication, their attributes should be populated as well added
Updated by Dominic Cleal over 10 years ago
- Related to Feature #813: Support AD group membership for authorization and authentication added
Updated by Daniel Lobato Garcia over 10 years ago
- Assignee set to Daniel Lobato Garcia
Updated by Anonymous over 10 years ago
- Target version changed from 1.9.0 to 1.8.4
Updated by Jan Pazdziora over 10 years ago
Filed pull request https://github.com/theforeman/foreman/pull/1328 which will process output of mod_lookup_identity's
LookupUserGroupsIter REMOTE_USER_GROUP
configuration.
Updated by Dominic Cleal over 10 years ago
- Status changed from New to Ready For Testing
- Assignee changed from Daniel Lobato Garcia to Jan Pazdziora
Updated by Dominic Cleal over 10 years ago
- Blocks Tracker #5031: External authentication support added
Updated by Jan Pazdziora over 10 years ago
- Blocked by Feature #5241: Add support for external group mapping added
Updated by Anonymous over 10 years ago
- Target version changed from 1.8.4 to 1.8.3
Updated by Anonymous over 10 years ago
- Target version changed from 1.8.3 to 1.8.4
Updated by Anonymous over 10 years ago
- Target version changed from 1.8.4 to 1.8.3
Updated by Jan Pazdziora over 10 years ago
- Blocks Feature #5242: Keeping user's attributes and group membership up-to-date even during subsequent logons added
Updated by Dominic Cleal over 10 years ago
- Translation missing: en.field_release set to 10
Updated by Jan Pazdziora over 10 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset fdc476db9c045ffd6148473e676f77eebae4207e.