External user groups not adding users to the foreman

Hello,

I have ldap configured and that works fine for authenticating users. I have
a filter so it only authenticates users from a certain group. This works
fine - however I can't get users to be created in the foreman from active
directory. I have added a user group, and added an external group to that,
and asked it to create new users from that group but it never does.

When an active directory account logs into the foreman for the first time,
a user account is created but it has no permissions - is it possible to
make it default to create admin accounts with all the roles when a new user
account is created? If it could be configured in this way it wouldn't
matter about adding the users from the AD user group.

> Hello,
>
> I have ldap configured and that works fine for authenticating users. I have
> a filter so it only authenticates users from a certain group. this works
> fine - however I can't get users to be created in the foreman from active
> directory. I have added a user group, and added an external group to that,
> and asked it to create new users from that group but it never does.

I'm a little lost at this point, do you expect that adding a LDAP group
to the 'External user group' tab will import all users from that group?
If so, that's not the case. It will merely place your existing users, or
users that are newly created in that user group. See linking user groups
to LDAP for more info:
http://theforeman.org/manuals/1.8/index.html#4.1.1LDAPAuthentication
>
> When an active directory account logs into the foreman for the first time,
> a user account is created but it has no permissions - is it possible to
> make it default to create admin accounts with all the roles when a new user
> account is created? If it could be configured in this way it wouldn't
> matter about adding the users from the AD user group.

Yes it's possible. Basically it's these steps you have to follow:

  1. Create a user group - i.e. admins
  2. Click on the roles tab of that user group, check 'Admin'
  3. Click on the 'external groups' tab, add any LDAP group that you want
    to become admin as soon as they log in.

This has the caveat that you cannot simply make any user in your LDAP
admin right away, they need to be in a certain LDAP group and you need
to add that as an 'external user group'. Hopefully this fits your use
case and your Foreman admins are in just a few LDAP groups.

On 07/10, Matt Artley wrote:


You received this message because you are subscribed to the Google Groups “Foreman users” group.
To unsubscribe from this group and stop receiving emails from it, send an email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.


Daniel Lobato Garcia

@eLobatoss
blog.daniellobato.me
daniellobato.me

GPG: http://keys.gnupg.net/pks/lookup?op=get&search=0x7A92D6DD38D6DE30
Keybase: https://keybase.io/elobato

Hello, apologies I was on holiday and I only got back today.

that's really great! thanks for the advice.

On Friday, 10 July 2015 15:05:54 UTC+1, Daniel Lobato wrote:

Unfortunately - that doesn't work.

that's exactly how I have it set up - and when a user logs in for the first
time, and any times after that, it just says no permissions - even with an
external group that the user is a member of.

On Friday, 10 July 2015 15:05:54 UTC+1, Daniel Lobato wrote:

I use AD sync and have it set up to map to two user groups and my users are
put in there.

If you show linked user groups and hit refresh, do you get any users?

I had to disable user group sync on login and use the cron job since we
have some nasty nested groups that cause people to get infinitely long
login times but it works.

On Monday, July 20, 2015 at 4:49:27 AM UTC-5, Matt Artley wrote:

> If you show linked user groups and hit refresh, do you get any users?
Should I be seeing that list?

What are the possible reasons for Foreman not being able to get a netgroup
user list? I'm able to authenticate my LDAP users and I also added an external
usergroup/netgroup and added an "admin" right to that group, however the
users that belong to the netgroup never get admin rights even though their
account is created just fine.

How do I see what is really returned by my LDAP to Foreman? For example,
here's the debug log:

2015-08-27 17:04:56 [ldap] [D] op bind (2.5ms) [ result=success ]
2015-08-27 17:04:56 [ldap] [D] op search (5.4ms) [ filter=, base= ]
2015-08-27 17:04:56 [ldap] [D] op search (4.4ms) [
filter=(uid=korekhov), base=dc=example,dc=com ]
2015-08-27 17:04:56 [ldap] [D] valid_user? (12.9ms) [ user=korekhov ]
2015-08-27 17:04:56 [ldap] [D] op search (3.9ms) [
filter=(uid=korekhov), base=dc=example,dc=com ]
2015-08-27 17:04:56 [ldap] [D] find_user (4.1ms) [ user=korekhov ]
2015-08-27 17:04:56 [ldap] [D] op bind (22.9ms) [ result=success ]
2015-08-27 17:04:56 [ldap] [D] op search (3.8ms) [
filter=(uid=korekhov), base=dc=example,dc=com ]
2015-08-27 17:04:56 [ldap] [D] op bind (19.2ms) [ result=success ]
2015-08-27 17:04:56 [ldap] [D] authenticate (46.5ms) [ user=korekhov ]
2015-08-27 17:04:56 [ldap] [D] op bind (2.1ms) [ result=success ]
2015-08-27 17:04:56 [ldap] [D] op search (5.2ms) [ filter=, base= ]
2015-08-27 17:04:56 [ldap] [D] op search (2.7ms) [
filter=(memberuid=korekhov), base=dc=example,dc=com ]
2015-08-27 17:04:56 [ldap] [D] group_list (10.6ms) [ user=korekhov ]

Should I see a list of netgroups my user belongs to here?

Or here - should I see a list of the users belonging to my netgroup below?

2015-08-27 16:30:34 [ldap] [D] op bind (3.5ms) [ result=success ]
2015-08-27 16:30:35 [ldap] [D] op search (4.4ms) [ filter=, base= ]
2015-08-27 16:30:35 [ldap] [D] op search (3.9ms) [
filter=(cn=administrators), base=ou=People,dc=example,dc=com ]
2015-08-27 16:30:35 [ldap] [D] user_list (12.6ms) [ group=administrators
]

Just trying to figure out my next steps… If I should see a list of users,
obviously my DNs (I don't have any filters at this point) are still wrong
(I've tried tons of different combinations as of this point)…

Any pointers are appreciated!
Thanks!
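
The question above is really "which filter and base did Foreman send for each lookup?". As an added example (not from the thread and not Foreman code), the Python below parses the `[ldap] [D]` debug lines quoted above, re-joins the entries the log wrapped over two lines, and pairs each Foreman-level lookup (group_list, user_list) with the searches it issued, so you can compare the filter attribute (memberuid, cn) and base DN against what your directory actually holds. It assumes only the log line shape shown in the post; the sample log is constructed from those lines.

```python
import re

# Constructed sample made from the [ldap] debug lines quoted in the thread;
# the wrapped entries are left wrapped exactly as Foreman printed them.
SAMPLE_LOG = """\
2015-08-27 17:04:56 [ldap] [D] op bind (2.1ms) [ result=success ]
2015-08-27 17:04:56 [ldap] [D] op search (5.2ms) [ filter=, base= ]
2015-08-27 17:04:56 [ldap] [D] op search (2.7ms) [
filter=(memberuid=korekhov), base=dc=example,dc=com ]
2015-08-27 17:04:56 [ldap] [D] group_list (10.6ms) [ user=korekhov ]
2015-08-27 16:30:34 [ldap] [D] op bind (3.5ms) [ result=success ]
2015-08-27 16:30:35 [ldap] [D] op search (4.4ms) [ filter=, base= ]
2015-08-27 16:30:35 [ldap] [D] op search (3.9ms) [
filter=(cn=administrators), base=ou=People,dc=example,dc=com ]
2015-08-27 16:30:35 [ldap] [D] user_list (12.6ms) [ group=administrators
]
"""

ENTRY = re.compile(r"\[ldap\] \[D\] (?P<op>.+?) \([\d.]+ms\) \[ (?P<args>.*?) \]$")
KV = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")  # DNs contain commas but never ", "


def join_wrapped(text):
    """Glue continuation lines (no '[ldap]' tag) back onto the entry they belong to."""
    lines = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if "[ldap]" in line or not lines:
            lines.append(line)
        else:
            lines[-1] += " " + line
    return lines


def summarize(text):
    """Pair each Foreman-level lookup with the (filter, base) of every 'op search' it issued."""
    results, pending = [], []
    for line in join_wrapped(text):
        m = ENTRY.search(line)
        if not m:
            continue
        op, args = m.group("op"), dict(KV.findall(m.group("args")))
        if op == "op search":
            pending.append((args.get("filter", ""), args.get("base", "")))
        elif not op.startswith("op "):  # 'op bind' etc. carry no filter
            results.append((op, args, pending))
            pending = []
    return results


def findings(text):
    """One line per search: the filter and base the lookup really asked the directory for."""
    out = []
    for op, _args, searches in summarize(text):
        for flt, base in searches:
            out.append(f"{op}: filter={flt} base={base}" if flt or base
                       else f"{op}: search with empty filter and base, not a membership query")
    return out
```

Run `findings(open("/var/log/foreman/production.log").read())` against a real log with the ldap debug logger enabled; a group_list search keyed on memberuid will only match entries that actually carry that attribute under the base shown.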

Just a heads up on this thread. We recently noticed a couple of LDAP
issues, there are two pull requests currently fixing them:

https://github.com/theforeman/foreman/pull/2621

Both of these issues have to do with Foreman being case-sensitive with
respect to some LDAP operations when it should not be.

I would recommend when you link an External user group (LDAP) with a
Foreman user group, to write the name in lowercase.

Similarly, if your login in Foreman contains uppercase characters, I
would recommend changing it to all lowercase. You can read the
description of the bugs on:

As soon as these bugs are merged and included in a release, Foreman will
be more case-insensitive when it comes to LDAP so the 'lowercase
workaround' won't be needed.

Hope this alleviates some of your problems,

On 08/27, 'Konstantin Orekhov' via Foreman users wrote:


Daniel Lobato Garcia

@eLobatoss

GPG: http://keys.gnupg.net/pks/lookup?op=get&search=0x7A92D6DD38D6DE30
Keybase: https://keybase.io/elobato

Thanks, Daniel!

But I don't think that would fix my problem described above as I have
everything lower-case - the username, netgroup name…

Any other thoughts/suggestions on how to troubleshoot this further?