CLI instructions for connecting to LDAP?

Problem: Trying to set up a connection to LDAP via the command line. I can find GUI examples, but have not been able to find the steps via CLI. Are those instructions available anywhere?

I pulled down the domain controller's server certificate using openssl and installed it. I then created the authentication source with:
hammer auth-source ldap create --account my-admin-account --account-password '' \
  --base-dn "dc=my,dc=org,dc=com" \
  --host "${LDAPHOST}" \
  --onthefly-register true \
  --port 636 \
  --server-type active_directory \
  --name MYORG \
  --groups-base "OU=Groups,OU=Centrify,OU=Services,DC=my,DC=ORG,DC=com"

I then created two roles:
for ROLE in administrator user; do
  hammer role create --name "${ROLE}" --organization-id "${ORGID}" --description "Role for ${ROLE}s"
done

I’m just not sure how to map AD users or groups to a role?

Expected outcome: Users can log in with AD account with assigned role.

Foreman and Proxy versions: 3.16-1

Foreman and Proxy plugin versions:

Distribution and version: CentOS 7.6

Other relevant data:

# hammer user
or
# hammer user-group
to assign roles to users or groups.

OK. So, it looks like I still need to run hammer user create and specify the auth-source as the LDAP connection I defined earlier. Once I have the user defined, I can then assign them a role with the hammer user update command. I need to add permissions to the roles. I’m working on that now.

No. That’s not necessary unless you want to assign a role to a user before the first login.

Users are automatically created if they log in the first time.

You can also create user groups and link them to external user groups (e.g. LDAP groups). Roles assigned to this user group apply to all users in the external user group.

Thus, if a new user logs in for the first time and is a member of an external user group which is linked to a user group, the user obtains roles from the user group.

We usually use user groups for role assignment, so no manual intervention is necessary. For users who might need additional roles that we don't assign through user group roles, I would rather ask people to log in first. That creates the user in Foreman (using the name, mail, etc. from LDAP) and then I assign the role there.
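The group-based flow described in the reply above, written out as an added example; this is not code from the thread or from the Foreman project. It assumes the auth source created earlier is named MYORG, that the roles from the first post exist, that the AD group name (not its DN) is what Foreman matches under the auth source's --groups-base, and that HAMMER points at the hammer binary so the calls can be redirected to a stub for a dry run. It creates a Foreman user group, grants permissions to a role and attaches it to the group, then links the group to the AD group, so that a member's account is created with the right roles on first login and no per-user role assignment is needed.

```shell
#!/bin/sh
# Added example: map an AD group to Foreman roles through a user group
# linked to an external user group. Not from the thread; option names are
# hammer's, the group/role names are constructed for illustration.
set -eu

HAMMER="${HAMMER:-hammer}"   # override to stage or dry-run the calls

# Resolve an LDAP auth source's numeric id from its name; the external
# user group command takes --auth-source-id, not the name.
auth_source_id() {
    "$HAMMER" --csv --no-headers auth-source ldap list \
        | awk -F, -v name="$1" '$2 == name { print $1 }'
}

# Attach a filter with the given permissions to an existing role.
# Arguments: <role> <permission>...
grant_permissions() {
    role="$1"; shift
    perms=$(printf '%s,' "$@"); perms="${perms%,}"
    "$HAMMER" filter create --role "$role" --permissions "$perms"
}

# Create the Foreman user group, attach roles to it, then link it to the
# AD group. Members inherit the roles when their account is auto-created
# at first login; re-run "hammer user-group external refresh" to resync.
# Arguments: <user-group> <auth-source-id> <ad-group-name> <role>...
link_ad_group() {
    ug="$1"; auth_id="$2"; ad_group="$3"; shift 3
    "$HAMMER" user-group create --name "$ug"
    for role in "$@"; do
        "$HAMMER" user-group add-role --name "$ug" --role "$role"
    done
    # --name here is the AD group's name as found under --groups-base.
    "$HAMMER" user-group external create --name "$ad_group" \
        --auth-source-id "$auth_id" --user-group "$ug"
}

# End-to-end run only on request, e.g.: RUN_LDAP_ROLE_SETUP=1 sh ldap-roles.sh
if [ "${RUN_LDAP_ROLE_SETUP:-0}" = 1 ]; then
    # Constructed names: "user" role from the first post, an assumed AD group.
    grant_permissions user view_hosts view_hostgroups
    link_ad_group ad-foreman-users "$(auth_source_id MYORG)" "Foreman Users" user
fi
```

To see what would be sent without touching Foreman, point HAMMER at a shell function that logs its arguments; the functions only read HAMMER when called, so nothing runs at source time unless RUN_LDAP_ROLE_SETUP is set.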