AD/LDAP group authentication?

Hello, yes, this is entirely possible. Just set up an LDAP auth source. Double
check that you have the "Automatically create accounts in Foreman" checkbox
enabled for this auth source (it's under the Account tab).

Hope this helps

On Friday, 6 October 2017 22:27:46 CEST Charlie Baum wrote:

> Pretty new to Foreman and standing up our first POC of the product.
>
> Can someone verify/shoot down a question I have? Does Foreman not support
> AD group authentication? In other words, can you authenticate to the
> Foreman UI without being set up as a local Foreman user first? I am playing
> around with AD stuff in there and got my AD account set up for access just
> fine. I created a user group linked to an external AD account but unless I
> set up the user locally in Foreman, a member of that AD group could not
> log in to Foreman. Is this by design or am I overlooking something? Thanks
> folks!
>
> CB


Marek

The answer is more 'sort of'. So Marek is entirely correct; however, users
which are created in this way are NOT assigned to any locations nor
organizations so there is manual (or scripted) post work required to be
done.

I raised [1] in 2015, it's private but the comments are:

Currently, when you create a user you have to assign that user to a location in order for that user to be able to view / manage entities within that location. However this is not ideal for two key reasons:

  1. Users which belong to the same group and role still require manual tasks to be performed to ensure they can behave in a consistent manner.

  2. Users created via LDAP / AD where the 'Automatically create accounts in Foreman' option is checked are not added to ANY location. This means that manual steps have to be taken to add the users to locations and organizations.

This RFE therefore is to allow location / organization details to be assigned per user group as the user groups section maps users to AD (or internal) groups and maps the groups to roles. This should be enhanced to add Organizations and Locations such that users created who belong to this group will be assigned locations and organizations commensurate to these groups.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1293835

On Friday, October 27, 2017 at 4:17:07 PM UTC-4, Marek Hulán wrote:

> On Friday, 6 October 2017 22:27:46 CEST Charlie Baum wrote:
> > Pretty new to Foreman and standing up our first POC of the product.
> >
> > Can someone verify/shoot down a question I have? Does Foreman not support
> > AD group authentication? In other words, can you authenticate to the
> > Foreman UI without being set up as a local Foreman user first? I am playing
> > around with AD stuff in there and got my AD account set up for access just
> > fine. I created a user group linked to an external AD account but unless I
> > set up the user locally in Foreman, a member of that AD group could not
> > log in to Foreman. Is this by design or am I overlooking something? Thanks
> > folks!
> >
> > CB
>
> Hello, yes, this is entirely possible. Just set up an LDAP auth source. Double
> check that you have the "Automatically create accounts in Foreman" checkbox
> enabled for this auth source (it's under the Account tab).
>
> Hope this helps
>
> --
> Marek

You can already set orgs/loc per auth source. These will be added to the
newly created users automatically. The limitation is if you have many
combinations of orgs and locs that you want to assign, so having the ability to
set this per external usergroup mapping would be a good enhancement.

Marek

On October 28, 2017 00:43:49 Andrew Schofield aas@ourhavens.co.uk wrote:

> The answer is more ‘sort of’. So Marek is entirely correct; however, users
> which are created in this way are NOT assigned to any locations nor
> organizations so there is manual (or scripted) post work required to be
> done.
>
> I raised [1] in 2015, it’s private but the comments are:
>
> Currently, when you create a user you have to assign that user to a
> location in order for that user to be able to view / manage entities within
> that location. However this is not ideal for two key reasons:
>
> 1. Users which belong to the same group and role still require manual tasks
>    to be performed to ensure they can behave in a consistent manner.
>
> 2. Users created via LDAP / AD where the ‘Automatically create accounts in
>    Foreman’ option is checked are not added to ANY location. This means that
>    manual steps have to be taken to add the users to locations and organizations.
>
> This RFE therefore is to allow location / organization details to be
> assigned per user group as the user groups section maps users to AD (or
> internal) groups and maps the groups to roles. This should be enhanced to
> add Organizations and Locations such that users created who belong to this
> group will be assigned locations and organizations commensurate to these
> groups.
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1293835
