Feature #3892

Updated by Jan Pazdziora about 10 years ago

Updated description:

The issue http://projects.theforeman.org/issues/3312 made the REMOTE_USER authentication usable for other authentication mechanisms than just HTTP Basic. When the user is populated in Foreman database upon successful logon, the issue http://projects.theforeman.org/issues/3528 made it possible to populate their name and email address based on information in the external identity provider like FreeIPA. The user no longer needs to be redirected to add their email address manually. These two issues have been implemented (as of Foreman 1.4) and are documented at http://projects.theforeman.org/projects/foreman/wiki/Foreman_and_mod_auth_kerb and http://theforeman.org/manuals/1.4/index.html#5.7SPNEGOauthentication.

Beyond name and email address, another useful piece of information that Foreman can obtain from an external identity provider like FreeIPA is group membership, which can be used to drive roles for Foreman users.

Based on http://www.freeipa.org/page/Environment_Variables#Proposed_Additional_Variables, we propose to populate group membership of the new user based on the REMOTE_USER_GROUP_N and REMOTE_USER_GROUP_# environment variables.

The current pull request for this feature is https://github.com/theforeman/foreman/pull/1328.

Previous description:

The issue http://projects.theforeman.org/issues/3312 made the REMOTE_USER authentication usable for other authentication mechanisms than just HTTP Basic. When the user is populated in Foreman database upon successful logon, they get redirected to add their email address. If the email address and the user is available in the remote authentication service (like FreeIPA), Foreman should populate the database with the data, saving the user manual edits that lead to errors. This is tracked in http://projects.theforeman.org/issues/3528.

Based on http://www.freeipa.org/page/Environment_Variables#Proposed_Additional_Variables, we propose to populate the roles of the new user based on the REMOTE_USER_GROUPS or some similar variable for group membership which could imply roles that the user should get in Foreman.

This work is currently blocked on the similar work being done for the internal LDAP authentication sources so I'm moving it from http://projects.theforeman.org/issues/3528 to separate issue.
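
One way an application could read the REMOTE_USER_GROUP_N and REMOTE_USER_GROUP_# variables proposed in this issue, added here as an example and not taken from Foreman or the linked pull request. It assumes REMOTE_USER_GROUP_N carries the number of groups and REMOTE_USER_GROUP_1 onward carry one group name each; the function names, the cap, the role map and the sample environment are hypothetical.

```ruby
# Added example, not Foreman code. Assumes REMOTE_USER_GROUP_N holds a decimal
# count and REMOTE_USER_GROUP_1..N hold one group name each.
MAX_GROUPS = 256 # hypothetical cap so a bad count cannot drive a huge loop

# Returns the group names the web server exported for this request.
# `env` is the Rack/CGI environment hash. Only server-set keys are read;
# client request headers arrive as HTTP_* keys and are never consulted.
def remote_user_groups(env)
  return [] if env['REMOTE_USER'].to_s.empty?  # no authenticated user, no groups
  raw = env['REMOTE_USER_GROUP_N'].to_s
  return [] unless raw.match?(/\A\d{1,4}\z/)   # reject missing or non-numeric counts
  count = [raw.to_i, MAX_GROUPS].min
  (1..count).map { |i| env["REMOTE_USER_GROUP_#{i}"].to_s.strip }
            .reject(&:empty?)                  # tolerate gaps in the sequence
            .uniq
end

# Hypothetical mapping from external group names to application role names.
ROLE_MAP = {
  'foreman-admins'  => 'Manager',
  'foreman-viewers' => 'Viewer'
}.freeze

# Roles implied by group membership; unknown groups grant nothing.
def roles_for(env, role_map = ROLE_MAP)
  remote_user_groups(env).map { |g| role_map[g] }.compact.uniq
end

# Constructed sample environment, as a web server module might populate it.
SAMPLE_ENV = {
  'REMOTE_USER' => 'jdoe',
  'REMOTE_USER_GROUP_N' => '3',
  'REMOTE_USER_GROUP_1' => 'foreman-viewers',
  'REMOTE_USER_GROUP_2' => 'ipausers',
  'REMOTE_USER_GROUP_3' => 'foreman-admins',
  # A client-supplied request header; it must not add groups.
  'HTTP_REMOTE_USER_GROUP_4' => 'foreman-admins'
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts remote_user_groups(SAMPLE_ENV).inspect
  puts roles_for(SAMPLE_ENV).inspect
end
```

Because role assignment follows these variables, they are only as trustworthy as the component that sets them: the lookup reads the server-populated keys and ignores the `HTTP_`-prefixed copies a client can send.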