Active Directory Authentication

Hello,

I've running a new install of Foreman 1.9 and am trying to get LDAP
authentication working with Active Directory.
I'd done all the steps needed to get openldap talking to the campus AD,
including downloading the root AD certificate, whitelisting my foreman VM,
and having a service account we use to connect to AD
On the foreman side, I've added our AD as an external LDAP source,
connecting over port 636, assigning the lookup account and setting my base
DN and groups DN.
Lastly, I ensured attribute mappings are correct.

Using ldapsearch, I can query our Active Directory succesfully.

On the user group side, I created a group called admins, and in external
groups - linked to my foreman admins group in AD. Everything thus far works
fine.

When I hit refresh however, nothing get's populated in my users table -
even though the command completes succesfully and the production.log shows
no errors. (I do have create accounts automatically in foreman checked).

When I try logging in with my AD account, I just get Incorrect User Name or
Password.

The log file shows:
[sql] [I] Successfully decrypted field for AuthSourceLdap Campus Active
Directory
[sql] [I] invalid user

Which makes sense as there is no user in the users table.

I can successfully run foreman-rake ldap:refresh_usergroups and get the
following message:
Successfully decrypted field for AuthSourceLdap Campus Active Directory

Has anyone else got this part working? Do I need to enable filtering? Our
campus AD is very large.

Thanks.

Tim

Hey,

Thank you for your prompt reply.

I am a bit confused - perhaps I am misreading things:
So, the first part you say " This means users in LDAP 'admins', but NOT in
Foreman, will not be
auto-created. Only already existent users will be linked. "

So should I go ahead and create my LDAP user (it's just my last name -
vruwink) in Foreman? Leave the password blank?

Or if I have the Automatically create accounts in Foreman box checked
wouldn't my ldap account be provisioned automagically?

I have my baseDN set to the lowest level in our campus AD (which has worked
for other LDAP enabled apps like OTRS)
Wasn't sure what to use for Groups Base DN? Do I point to my foreman-admins
LDAP group? Or just the base root of our AD?

Lastly, I wasn't using any ldap filters. I tried with one:
(&(objectCategory=Person)(
sAMAccountName=*)(memberOf=CN=Foreman-Admins,OU=Service
Groups,OU=blah,OU=example,DC=ad,DC=fubar,DC=edu))
But didn't have any luck either. I still see:

2015-10-15 10:07:11 [app] [I] Parameters: {"utf8"=>"✓",
"authenticity_token"=>"sdfsdfsdfsdf223sdfsdfsdf=",
"login"=>{"login"=>"DOMAIN\vruwink", "password"=>"[FILTERED]"},
"commit"=>"Login"}
2015-10-15 10:07:11 [sql] [I] Successfully decrypted field for
AuthSourceLdap Campus Active Directory
2015-10-15 10:07:11 [sql] [I] invalid user
2015-10-15 10:07:11 [app] [I] Redirected to
https://foreman.example.edu/users/login
<https://foreman.library.illinois.edu/users/login>
2015-10-15 10:07:11 [app] [I] Completed 302 Found in 55ms (ActiveRecord:
1.7ms)
2015-10-15 10:07:11 [app] [I]
>

I've tried various permutations on my ad login. Prepending DOMAIN\netid
netid@ad.domain.edu
etc etc

It seems like my account just isn't found locally in foreman, and even
though I have the "add users from ldap when they first login checked" it
doesn't work.

Thanks.

Tim

> Hello,
>
> I've running a new install of Foreman 1.9 and am trying to get LDAP
> authentication working with Active Directory.
> I'd done all the steps needed to get openldap talking to the campus AD,
> including downloading the root AD certificate, whitelisting my foreman VM,
> and having a service account we use to connect to AD
> On the foreman side, I've added our AD as an external LDAP source,
> connecting over port 636, assigning the lookup account and setting my base
> DN and groups DN.
> Lastly, I ensured attribute mappings are correct.
>
> Using ldapsearch, I can query our Active Directory succesfully.
>
> On the user group side, I created a group called admins, and in external
> groups - linked to my foreman admins group in AD. Everything thus far works
> fine.

Sounds good! If you were able to add the external user group to your
user group and was saved, that means your AD connection was setup
properly and Foreman was able to link them.
>
> When I hit refresh however, nothing get's populated in my users table -
> even though the command completes succesfully and the production.log shows
> no errors. (I do have create accounts automatically in foreman checked).

Refresh isn't supposed to populate the users table. That'd be a big
problem for large LDAP accounts. What refresh does in your case is to:

• Get all user logins from AD 'admins'
• Find what users in your Foreman setup have a login that is in AD 'admins'
• Put these users in the usergroup linked with 'admins'

This means users in LDAP 'admins', but NOT in Foreman, will not be
auto-created. Only already existent users will be linked. This mechanism
is just a protection to avoid pulling thousands of users into Foreman in
large LDAP installations.

What the setting for creating accounts automatically does is just to
allow Foreman to auto-create users in Foreman when you log in for the
first time with your LDAP credentials

>
> When I try logging in with my AD account, I just get Incorrect User Name or
> Password.
>
> The log file shows:
> [sql] [I] Successfully decrypted field for AuthSourceLdap Campus Active
> Directory
> [sql] [I] invalid user

Can we know what's exactly your user name? It looks like it made the LDAP
lookup properly but couldn't find your user in LDAP.

Is it possible that you have some filter in your LDAP source that is not
working properly?

> Hey,
>
> Thank you for your prompt reply.
>
> I am a bit confused - perhaps I am misreading things:
> So, the first part you say " This means users in LDAP 'admins', but NOT in
> Foreman, will not be
> auto-created. Only already existent users will be linked. "
>
> So should I go ahead and create my LDAP user (it's just my last name -
> vruwink) in Foreman? Leave the password blank?

Correct, this is a bug - we shouldn't show the password when you create
users with auth source LDAP in Foreman.

Any LDAP user that is not in /users when you sync an external usergroup
will not be added.

>
> Or if I have the Automatically create accounts in Foreman box checked
> wouldn't my ldap account be provisioned automagically?

No. 'Automatically create accounts' automatically creates accounts…
when you login, not when refreshing external user groups.

For instance, if I have an user 'tim' that is in LDAP
but not in foreman, and this use tries to login with LDAP credentials,
it would work. If 'tim' hasn't done this, or you haven't added the user
manually to /users, refreshing an external user group will not do
anything

So, to sidestep the issues with on the fly account creation, I've added my
AD user account in the users field for foreman, making sure to use the
correct attributes, and selecting my Active Directory LDAP field for
authorized by field. I did not enter anything under password.

I also enabled debug logging, and ldap logging specifically. My baseDN and
groupDN are set wide and I don't have any specific ldap filters in place.
This is what I see in the logs:

> Started POST "/users/login" for xxx.xxx.xxx.xx at 2015-10-19 14:53:11
-0500
2015-10-19 14:53:11 [app] [I] Processing by UsersController#login as HTML
2015-10-19 14:53:11 [app] [I] Parameters: {"utf8"=>"✓",
"authenticity_token"=>"NJ926haX/aykZu6xUTgK7Y6X/sdf/M05wedfs5R5HU=",
"login"=>{"login"=>"vruwink", "password"=>"[FILTERED]"}, "commit"=>"Login"}
2015-10-19 14:53:11 [app] [D] Setting current user thread-local variable to
nil
2015-10-19 14:53:11 [sql] [D] User Load (0.4ms) SELECT "users".* FROM
"users" WHERE "users"."lower_login" = 'vruwink' LIMIT 1
2015-10-19 14:53:11 [sql] [D] AuthSource Load (0.3ms) SELECT
"auth_sources".* FROM "auth_sources" WHERE "auth_sources"."id" = 3 LIMIT 1
2015-10-19 14:53:11 [sql] [D] LDAP auth with user vruwink against
LDAP-Campus Active Directory
2015-10-19 14:53:11 [sql] [I] Successfully decrypted field for
AuthSourceLdap Campus Active Directory
2015-10-19 14:53:11 [ldap] [D] op bind (16.6ms) [ result=success ]
2015-10-19 14:53:11 [ldap] [D] op search (17.9ms) [ filter=, base= ]
2015-10-19 14:53:11 [ldap] [D] op search (14.6ms) [
filter=(sAMAccountName=vruwink), base=OU=people,dc=ad,dc=domain,dc=edu ]
2015-10-19 14:53:11 [ldap] [D] valid_user? (49.7ms) [ user=vruwink ]

2015-10-19 14:53:11 [sql] [D] Failed to authenticate vruwink against
LDAP-Campus Active Directory authentication source2015-10-19 14:53:11 [sql]
[I] invalid user
2015-10-19 14:53:11 [app] [D] Setting current user thread-local variable to
nil
2015-10-19 14:53:11 [app] [I] Redirected to
https://foreman.example.domain.edu/users/login
2015-10-19 14:53:11 [app] [I] Completed 302 Found in 58ms (ActiveRecord:
1.8ms)

Two errors pop out at me - the failed to auth line and then the invalid
user one. I am using the correct password. Do I need to prepend anything
in front of my username? BLAH\vruwink
or vruwink@domain.example.edu?

Tailing the log, with debugging/ldap on is showing me some semi-useful
stuff. For example, I just saw the app processing external user groups and
apparently crawl my AD group with my users in it, then do a sql select with
those users.

Seems like I am really close, but missing something (or something is broken
I am not seeing).

Thanks.