We use Apache for authentication and an LDAP auth source for authorization with AD groups. When a new user logged in, it would be authenticated by Apache and auto-created in our LDAP auth source in Foreman, get the correct groups, and everything was fine and dandy.
Now, in more recent versions of Foreman, external authentication has been separated altogether from LDAP authentication. As I understand it, a user authenticated by Apache (external auth) cannot use the LDAP auth source for group permissions anymore. So now, when a new user is created it is associated with the ‘external’ auth source and I can't use my LDAP groups for authorization for that user, unless I manually change the user to use ‘Authorised by: LDAP’. I am instead supposed to pass REMOTE_USER_GROUPS from Apache, which is a problem since I use mod_auth_cas for authentication, which does pass groups but not in the format Foreman expects them.
Is there some way for me to retain the old behaviour, where a user logged in via Apache gets associated with the LDAP auth source? I see a couple of alternatives:
- Use Apache to modify the group header set by mod_auth_cas to work with Foreman, but since I use ProxyPass to Puma I can't get that to work (the modified header is not sent to Puma). This is also not ideal since I am using LDAP groups heavily right now and don't want to manage the same groups in both the LDAP and external auth source.
- Somehow configure Foreman to use LDAP auth source groups for all users. I tried to do this by setting ‘Authorise login delegation auth source user autocreate’ to the name of my LDAP source, which seems to work for creating new users; they are assigned to my LDAP source. BUT, for some reason my existing users, which are all associated with my LDAP source, can no longer log in; they get ‘User not found’.
- Use Foreman hooks to change the auth source to LDAP for the user once it's created, but I'm not sure that would work.
Any help regarding this would be greatly appreciated!
Foreman and Proxy versions:
Distribution and version: