LDAP group inheritance not working
There are two issues here. They both seem to be more Foreman-related than Katello.
1) Create user group in Foreman (called Foretello Admins), check "Administrator" box.
2) Link an LDAP group to Foretello Admins (LDAP Group: "Admins")
3) Have a user in "Admins" log into the system.
4) Expected: User logs in, should have administrator privileges.
4) Actual: User logs in, has no permissions.
This isn't a huge deal, since I have so few new users. But I don't run around as the 'admin' user, I stay logged in as 'adavis', with explicit 'administrator' privileges checked for my user.
When step 4 fails, I would open 'Users' from the 'Administer' menu and select the user. But unlike in the past, now the user who failed to log in doesn't appear. I have to log out of adavis and back in as admin in order to see the 'new' user, and assign them permissions.
#2 Updated by Dominic Cleal almost 5 years ago
- Category set to Authorization
Does the user group get assigned to the user, or not? If it doesn't, then the issue is the LDAP group mapping; if it does and the user is part of the group, then the 'admin' flag isn't being inherited.
If it doesn't get assigned, could you list a few more details about your LDAP configuration:
- type of LDAP server, and what type you have selected in the LDAP Auth Source configuration
- base and group base DN settings for the auth source
- DN of the group and user
- version of Foreman
#3 Updated by Ashton Davis almost 5 years ago
Sorry Dominic, I forgot to fill out what you asked.
1) Had been backed by a POSIX schema on an OpenLDAP-compliant server. Now we're testing with AD. Same issue.
2) BaseDN is just dc=[domain],dc=com, group base DN is the same.
4) Katello 2.1.1 (Foreman 1.7.2)
There are actually TWO issues here, as I've discovered. Though I am logged in as an administrator (as adavis), I can't see users who have logged in for the first time in the users menu, whether I've set a context or not. In order to see users who haven't been assigned a group, I have to sign in as admin and clear my context (no org, no loc) in order to see the users in the list. I suspect the two issues are related.
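The question in comment #2 (is the user group assigned at all, and if so does the admin flag follow?) hinges on whether group membership is evaluated under the right schema for the auth source type. The following is an added example, not code from the bug report or from Foreman itself: a simplified model of how membership is resolved for a POSIX group (login names in memberUid) versus an Active Directory group (DNs in member), and how an external-group mapping like the one in steps 1-2 would turn that into an inherited admin flag. All entries, DNs, the example.com domain and the USERGROUP_MAPPING table are constructed for illustration; Foreman's own lookup is more involved (nested AD groups, for one) and is not reproduced here.

```python
"""Added example, not code from the bug report or from Foreman.

Models LDAP group membership under the two schemas named in the thread
(POSIX and Active Directory) and a Foreman-style external-group mapping
that carries an 'admin' flag. Entries, DNs and example.com are constructed.
"""

# --- constructed directory entries (not real data) ---------------------
POSIX_GROUP = {
    "dn": "cn=Admins,ou=groups,dc=example,dc=com",
    "objectClass": ["posixGroup"],
    "cn": ["Admins"],
    "memberUid": ["adavis", "bsmith"],  # posixGroup lists bare login names
}
AD_GROUP = {
    "dn": "CN=Admins,OU=Groups,DC=example,DC=com",
    "objectClass": ["group"],
    "cn": ["Admins"],
    "member": ["CN=Ashton Davis,OU=Users,DC=example,DC=com"],  # AD lists DNs
}
AD_USER = {
    "dn": "CN=Ashton Davis,OU=Users,DC=example,DC=com",
    "sAMAccountName": ["adavis"],
}

# Hypothetical mapping: external LDAP group name -> Foreman user group
# (name, admin flag), mirroring steps 1-2 of the report.
USERGROUP_MAPPING = {
    "Admins": {"usergroup": "Foretello Admins", "admin": True},
}


def is_member(server_type, group, login, user_dn=None):
    """True if `login` is in `group` under the rules of `server_type`."""
    if server_type == "posix":
        # posixGroup: memberUid holds login names, so compare the login.
        return login in group.get("memberUid", [])
    if server_type == "active_directory":
        # AD group: member holds DNs; DNs compare case-insensitively.
        if user_dn is None:
            raise ValueError("AD membership needs the user's DN")
        members = {m.lower() for m in group.get("member", [])}
        return user_dn.lower() in members
    raise ValueError(f"unknown server type {server_type!r}")


def external_groups_for(server_type, groups, login, user_dn=None):
    """Names (cn) of the LDAP groups the user belongs to."""
    return sorted(
        g["cn"][0] for g in groups if is_member(server_type, g, login, user_dn)
    )


def effective_usergroups(server_type, groups, login, user_dn=None):
    """Foreman user groups the user lands in via the external-group mapping."""
    names = external_groups_for(server_type, groups, login, user_dn)
    return [USERGROUP_MAPPING[n]["usergroup"] for n in names if n in USERGROUP_MAPPING]


def effective_admin(server_type, groups, login, user_dn=None):
    """The admin flag the user inherits from their mapped user groups."""
    names = external_groups_for(server_type, groups, login, user_dn)
    return any(USERGROUP_MAPPING[n]["admin"] for n in names if n in USERGROUP_MAPPING)


def diagnose(server_type, groups, login, user_dn=None):
    """One-line answer to the question in comment #2: is a user group
    assigned at all, and if so does the admin flag follow it?"""
    ugs = effective_usergroups(server_type, groups, login, user_dn)
    if not ugs:
        return "no user group assigned: check auth source type / group base DN"
    if not effective_admin(server_type, groups, login, user_dn):
        return f"in {ugs} but admin flag not inherited"
    return f"in {ugs} with admin flag"


if __name__ == "__main__":
    # Correct pairings of directory and server type.
    print(diagnose("posix", [POSIX_GROUP], "adavis"))
    print(diagnose("active_directory", [AD_GROUP], "adavis", AD_USER["dn"]))
    # Mismatch: an AD directory evaluated with POSIX rules assigns nothing,
    # which is the "logs in, has no permissions" outcome from the report.
    print(diagnose("posix", [AD_GROUP], "adavis"))
```

The third call is the case worth checking first when a mapped user arrives with no permissions: if the auth source type does not match the directory's schema, no external group matches, no user group is assigned, and there is no admin flag to inherit. Only once a group is actually assigned does the question become whether the flag is inherited from it.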