FreeIPA - External Authentication Source - Role Not Assigned on User Login

Hi everyone,

My Foreman instance is configured to use FreeIPA as an LDAP server. I have created a FreeIPA group that is mapped to a Foreman group, to which I have assigned a role.

Here is the standard output from the foreman-rake command:

[root@poc-foreman foreman]# foreman-rake console
Loading production environment (Rails 6.1.7.9)
irb(main):002:0> source_now = AuthSourceLdap.find_by_id(6)
=>
#<AuthSourceLdap:0x00007fd40f842cf0

irb(main):003:0> conn = source_now.ldap_con
=>
#<LdapFluff:0x00007fd40f735538

irb(main):004:0> pp conn.find_group('manchester')
[#<Net::LDAP::Entry:0x00007fd40f69b5a0
@myhash=
{:dn=>["cn=manchester,cn=groups,cn=accounts,dc=42,dc=school"],
:ipantsecurityidentifier=>
["S-1-5-21-1868054879-3371231054-2605299079-151679"],
:cn=>["manchester"],
:objectclass=>
["top",
"groupofnames",
"nestedgroup",
"ipausergroup",
"ipaobject",
"posixgroup",
"ipantgroupattrs"],
:ipauniqueid=>["2b60612e-afe9-11ef-9041-022df3c3f43f"],
:gidnumber=>["40950679"]}>]
=>
[#<Net::LDAP::Entry:0x00007fd40f69b5a0
@myhash=
{:dn=>["cn=manchester,cn=groups,cn=accounts,dc=42,dc=school"],
:ipantsecurityidentifier=>["S-1-5-21-1868054879-3371231054-2605299079-151679"],
:cn=>["manchester"],
:objectclass=>["top", "groupofnames", "nestedgroup", "ipausergroup", "ipaobject", "posixgroup", "ipantgroupattrs"],
:ipauniqueid=>["2b60612e-afe9-11ef-9041-022df3c3f43f"],
:gidnumber=>["40950679"]}>]
irb(main):005:0> conn.valid_group?('manchester')
=> true
irb(main):006:0> conn.user_list('manchester')
=> ["sylvain", "users"]
irb(main):007:0> conn.valid_user?('sylvain')
=> true
irb(main):008:0> conn.find_user('sylvain')
=>
[#<Net::LDAP::Entry:0x00007fd42595f168
@myhash=
{:dn=>["uid=sylvain,cn=users,cn=compat,dc=42,dc=school"],
:objectclass=>["posixAccount", "ipaOverrideTarget", "top"],
:gecos=>["sylvain sylvain"],
:cn=>["sylvain sylvain"],
:uidnumber=>["40800015"],
:gidnumber=>["40800015"],
:loginshell=>["/bin/sh"],
:homedirectory=>["/home/sylvain"],
:ipaanchoruuid=>[":IPA:42.school:f274cdbc-8cb8-11ef-8532-022df3c3f43f"],
:uid=>["sylvain"]}>,
#<Net::LDAP::Entry:0x00007fd42596a298
@myhash=
{:dn=>["uid=sylvain,cn=users,cn=accounts,dc=42,dc=school"],
:krbloginfailedcount=>["0"],
:krblastfailedauth=>["20241204112132Z"],
:memberof=>
["cn=admins,cn=groups,cn=accounts,dc=42,dc=school",
"cn=Replication Administrators,cn=privileges,cn=pbac,dc=42,dc=school",
"cn=Add Replication Agreements,cn=permissions,cn=pbac,dc=42,dc=school",
"cn=Modify Replication Agreements,cn=permissions,cn=pbac,dc=42,dc=school",
"cn=Read Replication Agreements,cn=permissions,cn=pbac,dc=42,dc=school",
"cn=Remove Replication Agreements,cn=permissions,cn=pbac,dc=42,dc=school",
"cn=Modify DNA Range,cn=permissions,cn=pbac,dc=42,dc=school",
"cn=Read PassSync Managers Configuration,cn=permissions,cn=pbac,dc=42,dc=school",
"cn=Read Replication Changelog Configuration,cn=permissions,cn=pbac,dc=42,dc=school",
"cn=Write Replication Changelog Configuration,cn=permissions,cn=pbac,dc=42,dc=school",
"cn=Modify PassSync Managers Configuration,cn=permissions,cn=pbac,dc=42,dc=school",
"cn=Read LDBM Database Configuration,cn=permissions,cn=pbac,dc=42,dc=school",
"cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,dc=42,dc=school",
"cn=Read DNA Range,cn=permissions,cn=pbac,dc=42,dc=school",
"cn=Host Enrollment,cn=privileges,cn=pbac,dc=42,dc=school",
"cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=42,dc=school",
"cn=System: Enroll a Host,cn=permissions,cn=pbac,dc=42,dc=school",
"cn=System: Manage Host Certificates,cn=permissions,cn=pbac,dc=42,dc=school",
"cn=System: Manage Host Enrollment Password,cn=permissions,cn=pbac,dc=42,dc=school",
"cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=42,dc=school",
"cn=System: Manage Host Principals,cn=permissions,cn=pbac,dc=42,dc=school",
"ipaUniqueID=a9dd50f8-8afe-11ef-ba89-022df3c3f43f,cn=hbac,dc=42,dc=school",
"ipaUniqueID=b8b42c0a-8afe-11ef-81eb-022df3c3f43f,cn=sudorules,cn=sudo,dc=42,dc=school",
"cn=ipausers,cn=groups,cn=accounts,dc=42,dc=school",
"cn=manchester,cn=groups,cn=accounts,dc=42,dc=school",
"ipaUniqueID=e3418690-ad75-11ef-bedc-022df3c3f43f,cn=hbac,dc=42,dc=school"],
:mail=>["sylvain.cordier-ext@42.fr"],
:givenname=>["Sylvain"],
:sn=>["Cordier"],
:gidnumber=>["40800015"],
:uidnumber=>["40800015"],
:ipauniqueid=>["f274cdbc-8cb8-11ef-8532-022df3c3f43f"],
:krbcanonicalname=>["sylvain@42.SCHOOL"],
:homedirectory=>["/home/sylvain"],
:loginshell=>["/bin/sh"],
:objectclass=>
["top",
"person",
"organizationalperson",
"inetorgperson",
"inetuser",
"posixaccount",
"krbprincipalaux",
"krbticketpolicyaux",
"ipaobject",
"ipasshuser",
"ipaSshGroupOfPubKeys",
"mepOriginEntry",
"ipantuserattrs"],
:krbprincipalname=>["sylvain@42.SCHOOL"],
:gecos=>["sylvain sylvain"],
:initials=>["ss"],
:displayname=>["sylvain sylvain"],
:cn=>["sylvain sylvain"],
:uid=>["sylvain"],
:mepmanagedentry=>["cn=sylvain,cn=groups,cn=accounts,dc=42,dc=school"],
:ipantsecurityidentifier=>["S-1-5-21-1868054879-3371231054-2605299079-1015"],
:krblastpwdchange=>["20241017190504Z"],
:krbpasswordexpiration=>["20250115190504Z"],
:krbextradata=>["\x00\x02\xE0_\x11gsylvain@42.SCHOOL\x00"]}>]

The version of Foreman is 3.12.1

The output suggests that everything is okay: the group appears to be correctly associated with my user.

Problem:

When I log in with my user, the role is not assigned. Moreover, when I check the User Groups page in the UI, the external group disappears and is no longer associated with the Foreman group.

This behavior is driving me crazy, and I can’t find anything relevant in the logs to debug the issue.

Thank you in advance for your help.

Sylvain

Update:

When I sign in with a FreeIPA user, it doesn't work:

2024-12-04T11:44:36 [D|dyn|] Executor heartbeat
2024-12-04T11:44:37 [I|app|53c307a3] Started POST "/users/login" for 10.1.0.87 at 2024-12-04 11:44:37 -0500
2024-12-04T11:44:37 [I|app|53c307a3] Processing by UsersController#login as HTML
2024-12-04T11:44:37 [I|app|53c307a3] Parameters: {"login"=>{"login"=>"foremanuser2", "password"=>"[FILTERED]"}, "authenticity_token"=>"O8WljiL9StnMWs46rbkl0Y_ohOShB-tKNtMyx2efc0uuDnGu9l9e8GQ-mYAvisysLY4-dxxvqvi4NoHT5tO0Ig"}
2024-12-04T11:44:37 [D|app|53c307a3] LDAP auth with user foremanuser2 against LDAP-ipa-1.central
2024-12-04T11:44:37 [D|lda|53c307a3] op bind (179.0ms) [ result=success ]
2024-12-04T11:44:37 [D|lda|53c307a3] op search (292.8ms) [ filter=, base= ]
2024-12-04T11:44:37 [D|lda|53c307a3] op search (270.0ms) [ filter=(uid=foremanuser2), base=dc=42,dc=school ]
2024-12-04T11:44:37 [D|lda|53c307a3] valid_user? (742.6ms) [ user=foremanuser2 ]
2024-12-04T11:44:38 [D|lda|53c307a3] op search (272.3ms) [ filter=(uid=foremanuser2), base=dc=42,dc=school ]
2024-12-04T11:44:38 [D|lda|53c307a3] find_user (272.5ms) [ user=foremanuser2 ]
2024-12-04T11:44:38 [D|lda|53c307a3] op bind (171.8ms) [ result=success ]
2024-12-04T11:44:38 [D|lda|53c307a3] op search (268.3ms) [ filter=(uid=foremanuser2), base=dc=42,dc=school ]
2024-12-04T11:44:38 [D|lda|53c307a3] op bind (166.9ms) [ result=success ]
2024-12-04T11:44:38 [D|lda|53c307a3] authenticate (607.9ms) [ user=foremanuser2 ]
2024-12-04T11:44:38 [D|app|53c307a3] Retrieved LDAP Attributes for foremanuser2: {:firstname=>"Foreman2", :lastname=>"Foreman2", :mail=>"foremanuser2@42.school", :login=>"foremanuser2", :dn=>"uid=foremanuser2,cn=users,cn=accounts,dc=42,dc=school"}
2024-12-04T11:44:38 [D|app|53c307a3] Authenticated user foremanuser2 against LDAP-ipa-1.central authentication source
2024-12-04T11:44:38 [D|app|53c307a3] Updating user foremanuser2 attributes from auth source: [:firstname, :lastname, :mail, :login, :dn]
2024-12-04T11:44:38 [D|app|53c307a3] Updating user groups for user foremanuser2
2024-12-04T11:44:38 [D|lda|53c307a3] op bind (171.4ms) [ result=success ]
2024-12-04T11:44:39 [D|lda|53c307a3] op search (242.3ms) [ filter=, base= ]
2024-12-04T11:44:39 [D|lda|53c307a3] op search (238.1ms) [ filter=(memberuid=foremanuser2), base=cn=groups,cn=accounts,dc=42,dc=school ]
2024-12-04T11:44:39 [D|lda|53c307a3] group_list (652.7ms) [ user=foremanuser2 ]
2024-12-04T11:44:39 [I|aud|53c307a3] User (25) update event on usergroup_ids 7,
2024-12-04T11:44:39 [D|app|53c307a3] Post-login processing for foremanuser2
2024-12-04T11:44:39 [I|app|53c307a3] User 'foremanuser2' logged in from '10.1.0.87'
2024-12-04T11:44:39 [D|tax|53c307a3] Current organization set to 42Manchester
2024-12-04T11:44:39 [D|tax|53c307a3] Current location set to Manchester
2024-12-04T11:44:39 [I|app|53c307a3] Redirected to https://poc-foreman.paris.europe.42.school/hosts
2024-12-04T11:44:39 [I|app|53c307a3] Completed 302 Found in 2420ms (ActiveRecord: 33.4ms | Allocations: 37184)
2024-12-04T11:44:39 [I|app|397af60b] Started GET "/hosts" for 10.1.0.87 at 2024-12-04 11:44:39 -0500
2024-12-04T11:44:39 [I|app|397af60b] Processing by HostsController#index as HTML
2024-12-04T11:44:39 [D|tax|397af60b] Current location set to Manchester
2024-12-04T11:44:39 [D|tax|397af60b] Current organization set to 42Manchester
2024-12-04T11:44:39 [D|app|397af60b] Rendering layout layouts/application.html.erb
2024-12-04T11:44:39 [D|app|397af60b] Rendering common/403.html.erb within layouts/application
2024-12-04T11:44:39 [I|app|397af60b] Rendered common/403.html.erb within layouts/application (Duration: 0.8ms | Allocations: 266)
2024-12-04T11:44:39 [D|app|397af60b] Rendered layouts/_application_content.html.erb (Duration: 0.2ms | Allocations: 55)
2024-12-04T11:44:39 [D|app|397af60b] Rendering layouts/base.html.erb
2024-12-04T11:44:39 [I|app|397af60b] Rendered layouts/base.html.erb (Duration: 16.9ms | Allocations: 7900)
2024-12-04T11:44:39 [I|app|397af60b] Rendered layout layouts/application.html.erb (Duration: 19.0ms | Allocations: 8557)
2024-12-04T11:44:39 [I|app|397af60b] Filter chain halted as :authorize rendered or redirected
2024-12-04T11:44:39 [I|app|397af60b] Completed 403 Forbidden in 39ms (Views: 19.1ms | ActiveRecord: 3.9ms | Allocations: 13348)
2024-12-04T11:44:40 [I|app|3ccace89] Started GET "/notification_recipients" for 10.1.0.87 at 2024-12-04 11:44:40 -0500
2024-12-04T11:44:40 [I|app|3ccace89] Processing by NotificationRecipientsController#index as JSON
2024-12-04T11:44:40 [D|tax|3ccace89] Current location set to Manchester
2024-12-04T11:44:40 [D|tax|3ccace89] Current organization set to 42Manchester
2024-12-04T11:44:40 [D|not|3ccace89] Cache Hit: notification, reading cache for notification-25
2024-12-04T11:44:40 [D|app|3ccace89] Body: {"notifications":}
2024-12-04T11:44:40 [I|app|3ccace89] Completed 200 OK in 19ms (Views: 0.2ms | ActiveRecord: 3.2ms | Allocations: 4477)
2024-12-04T11:44:51 [D|dyn|] Executor heartbeat
2024-12-04T11:45:06 [D|dyn|] Executor heartbeat

After I have refreshed the group and refreshed the sign-in page, it works:

2024-12-04T11:46:08 [I|app|6c6efe4d] Started PUT "/external_usergroups/tests_foreman/refresh" for 10.1.0.87 at 2024-12-04 11:46:08 -0500
2024-12-04T11:46:08 [I|app|6c6efe4d] Processing by ExternalUsergroupsController#refresh as HTML
2024-12-04T11:46:08 [I|app|6c6efe4d] Parameters: {"authenticity_token"=>"ZVnzt0mPhMLj2yU3fDliDqLn9VjRBBIJyhpFanFq06HVze31DTxdX-Ywkuh4b1uNbb5Bs0gERjdGWAQamumb5g", "id"=>"tests_foreman"}
2024-12-04T11:46:08 [D|tax|6c6efe4d] Current location set to none
2024-12-04T11:46:08 [D|tax|6c6efe4d] Current organization set to none
2024-12-04T11:46:08 [D|lda|6c6efe4d] op bind (166.7ms) [ result=success ]
2024-12-04T11:46:08 [D|lda|6c6efe4d] op search (244.4ms) [ filter=, base= ]
2024-12-04T11:46:08 [D|lda|6c6efe4d] op search (235.1ms) [ filter=(cn=tests_foreman), base=cn=groups,cn=accounts,dc=42,dc=school ]
2024-12-04T11:46:08 [D|lda|6c6efe4d] op search (241.0ms) [ filter=(cn=tests_foreman), base=cn=groups,cn=accounts,dc=42,dc=school ]
2024-12-04T11:46:09 [D|lda|6c6efe4d] op search (236.5ms) [ filter=(|(|(|(objectClass=posixGroup)(objectClass=organizationalunit))(objectClass=groupOfUniqueNames))(objectClass=groupOfNames)), base=cn=tests_foreman,cn=groups,cn=accounts,dc=42,dc=school ]
2024-12-04T11:46:09 [D|lda|6c6efe4d] user_list (1126.1ms) [ group=tests_foreman ]
2024-12-04T11:46:09 [D|lda|6c6efe4d] op bind (164.1ms) [ result=success ]
2024-12-04T11:46:09 [D|lda|6c6efe4d] op search (247.9ms) [ filter=, base= ]
2024-12-04T11:46:09 [D|lda|6c6efe4d] op search (237.9ms) [ filter=(cn=tests_foreman), base=cn=groups,cn=accounts,dc=42,dc=school ]
2024-12-04T11:46:09 [D|lda|6c6efe4d] valid_group? (650.9ms) [ group=tests_foreman ]
2024-12-04T11:46:09 [I|aud|6c6efe4d] Usergroup (7) update event on user_ids 24, 24, 25
2024-12-04T11:46:09 [I|app|6c6efe4d] Redirected to https://poc-foreman.paris.europe.42.school/usergroups
2024-12-04T11:46:09 [I|app|6c6efe4d] Completed 302 Found in 1919ms (ActiveRecord: 42.5ms | Allocations: 36566)
2024-12-04T11:46:10 [I|app|b532b7b0] Started GET "/usergroups" for 10.1.0.87 at 2024-12-04 11:46:10 -0500
2024-12-04T11:46:10 [I|app|b532b7b0] Processing by UsergroupsController#index as HTML
2024-12-04T11:46:10 [D|tax|b532b7b0] Current location set to none
2024-12-04T11:46:10 [D|tax|b532b7b0] Current organization set to none

Refresh sign-in page:

2024-12-04T11:46:10 [I|app|d7c2fa84] Started GET "/usergroups/auto_complete_search?search=" for 10.1.0.87 at 2024-12-04 11:46:10 -0500
2024-12-04T11:46:10 [I|app|d7c2fa84] Processing by UsergroupsController#auto_complete_search as JSON
2024-12-04T11:46:10 [I|app|d7c2fa84] Parameters: {"search"=>""}
2024-12-04T11:46:10 [D|tax|d7c2fa84] Current location set to none
2024-12-04T11:46:10 [D|tax|d7c2fa84] Current organization set to none
2024-12-04T11:46:10 [I|app|d7c2fa84] Completed 200 OK in 11ms (Views: 0.4ms | ActiveRecord: 1.7ms | Allocations: 2489)
2024-12-04T11:46:21 [D|dyn|] Executor heartbeat
2024-12-04T11:46:36 [D|dyn|] Executor heartbeat
2024-12-04T11:46:51 [D|dyn|] Executor heartbeat
2024-12-04T11:47:06 [D|dyn|] Executor heartbeat
2024-12-04T11:47:21 [D|dyn|] Executor heartbeat
2024-12-04T11:47:36 [D|dyn|] Executor heartbeat
2024-12-04T11:47:51 [D|dyn|] Executor heartbeat
2024-12-04T11:48:06 [D|dyn|] Executor heartbeat
2024-12-04T11:48:21 [I|app|39e79280] Started GET "/notification_recipients" for 10.1.0.87 at 2024-12-04 11:48:21 -0500
2024-12-04T11:48:21 [I|app|39e79280] Processing by NotificationRecipientsController#index as JSON
2024-12-04T11:48:21 [D|tax|39e79280] Current location set to none
2024-12-04T11:48:21 [D|tax|39e79280] Current organization set to none
2024-12-04T11:48:21 [D|not|39e79280] Cache Hit: notification, reading cache for notification-4
2024-12-04T11:48:21 [D|app|39e79280] Body: {"notifications":[{"id":12,"seen":false,"level":"info","text":"Provisioning Ubuntu Autoinstall","created_at":"2024-11-29T10:10:36.446Z","group":"Community","actions":{"links":[{"href":"https://theforeman.org/2024/02/provisioning-ubuntu-autoinstall.html","title":"Open","external":true}]}},{"id":8,"seen":false,"level":"info","text":"Sunsetting rsync.theforeman.org","created_at":"2024-11-29T10:10:36.401Z","group":"Community","actions":{"links":[{"href":"https://theforeman.org/2024/05/sunsetting-rsynctheforemanorg.html","title":"Open","external":true}]}},{"id":4,"seen":false,"level":"info","text":"betadots consulting services","created_at":"2024-11-29T10:10:36.347Z","group":"Community","actions":{"links":[{"href":"https://theforeman.org/2024/06/betadots-consulting-services.html","title":"Open","external":true}]}}]}
2024-12-04T11:48:21 [I|app|39e79280] Completed 200 OK in 14ms (Views: 0.2ms | ActiveRecord: 2.1ms | Allocations: 1690)
2024-12-04T11:48:21 [D|dyn|] Executor heartbeat
2024-12-04T11:48:26 [I|app|baad71d1] Started GET "/hosts" for 10.1.0.87 at 2024-12-04 11:48:26 -0500
2024-12-04T11:48:26 [I|app|baad71d1] Processing by HostsController#index as HTML
2024-12-04T11:48:26 [D|tax|baad71d1] Current location set to Manchester
2024-12-04T11:48:26 [D|tax|baad71d1] Current organization set to 42Manchester
2024-12-04T11:48:26 [D|app|baad71d1] Rendering layout layouts/application.html.erb
2024-12-04T11:48:26 [D|app|baad71d1] Rendering hosts/welcome.html.erb within layouts/application
2024-12-04T11:48:26 [I|app|baad71d1] Rendered hosts/welcome.html.erb within layouts/application (Duration: 4.3ms | Allocations: 619)
2024-12-04T11:48:26 [D|app|baad71d1] Rendered layouts/_application_content.html.erb (Duration: 2.3ms | Allocations: 432)
2024-12-04T11:48:26 [D|app|baad71d1] Rendering layouts/base.html.erb
2024-12-04T11:48:26 [I|app|baad71d1] Rendered layouts/base.html.erb (Duration: 58.0ms | Allocations: 20668)
2024-12-04T11:48:26 [I|app|baad71d1] Rendered layout layouts/application.html.erb (Duration: 69.7ms | Allocations: 22560)
2024-12-04T11:48:26 [I|app|baad71d1] Filter chain halted as :welcome rendered or redirected
2024-12-04T11:48:26 [I|app|baad71d1] Completed 200 OK in 175ms (Views: 82.5ms | ActiveRecord: 20.1ms | Allocations: 36527)
2024-12-04T11:48:27 [I|app|68e36102] Started GET "/notification_recipients" for 10.1.0.87 at 2024-12-04 11:48:27 -0500
2024-12-04T11:48:27 [I|app|68e36102] Processing by NotificationRecipientsController#index as JSON
2024-12-04T11:48:27 [D|tax|68e36102] Current location set to Manchester
2024-12-04T11:48:27 [D|tax|68e36102] Current organization set to 42Manchester
2024-12-04T11:48:27 [D|not|68e36102] Cache Hit: notification, reading cache for notification-25
2024-12-04T11:48:27 [D|app|68e36102] Body: {"notifications":}
2024-12-04T11:48:27 [I|app|68e36102] Completed 200 OK in 26ms (Views: 0.2ms | ActiveRecord: 5.0ms | Allocations: 4705)
2024-12-04T11:48:36 [D|dyn|] Executor heartbeat

Finally, when I disable the sync of External groups, it works…
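Editor's note: the login log above shows the group lookup running as `op search [ filter=(memberuid=foremanuser2), base=cn=groups,cn=accounts,dc=42,dc=school ]`, while the console session shows the user's groups through `memberof`. The script below is an added diagnostic, not part of the original post nor of Foreman or ldap_fluff; it answers "which groups is this login in?" three ways against the same directory (groups whose `member` holds the user's DN, groups carrying `memberUid` under the accounts tree, and groups carrying `memberUid` under the compat tree) so the answers can be set beside what the auth source's search actually asks for. Its assumptions, which should be verified against your own server, are that FreeIPA lists members of its native group entries under `cn=groups,cn=accounts` as DNs in `member` and re-exposes them with `memberUid` in the compat tree under `cn=groups,cn=compat`. The sample entries, the `InMemoryDirectory`, the `NetLdapDirectory` adapter and the `LDAP_*` environment variables are all constructed for this example.

```ruby
# Added diagnostic, not from the original post nor from Foreman/ldap_fluff.
# Assumptions (mine): FreeIPA groups under cn=groups,cn=accounts,<base> list
# members as DNs in `member`; the compat tree cn=groups,cn=compat,<base>
# re-exposes the same groups with `memberUid` values. A memberUid search
# only matches a group whose entry, under the searched base, carries it.
#
# A "directory" is anything answering search(base:, filter:) with an array
# of hashes shaped like {dn: [..], cn: [..], member: [..], memberuid: [..]}.
class MembershipDiagnostic
  def initialize(directory, base_dn)
    @directory = directory
    @base_dn = base_dn
  end

  # Groups whose `member` attribute holds the user's DN.
  def groups_by_member_dn(user_dn, base)
    names(@directory.search(base: base, filter: { member: user_dn }))
  end

  # Groups whose `memberUid` holds the bare login (the POSIX-style filter
  # seen in the login log).
  def groups_by_memberuid(login, base)
    names(@directory.search(base: base, filter: { memberuid: login }))
  end

  # Side-by-side answer for one login across the accounts and compat trees.
  def report(login)
    user_dn  = "uid=#{login},cn=users,cn=accounts,#{@base_dn}"
    accounts = "cn=groups,cn=accounts,#{@base_dn}"
    compat   = "cn=groups,cn=compat,#{@base_dn}"
    {
      member_dn_accounts: groups_by_member_dn(user_dn, accounts),
      memberuid_accounts: groups_by_memberuid(login, accounts),
      memberuid_compat:   groups_by_memberuid(login, compat)
    }
  end

  private

  def names(entries)
    entries.map { |e| e[:cn].first }.sort
  end
end

# Offline directory over constructed entries: DN suffix match for the base
# and a case-insensitive single-attribute equality filter.
class InMemoryDirectory
  def initialize(entries)
    @entries = entries
  end

  def search(base:, filter:)
    attr, value = filter.first
    @entries.select do |e|
      e[:dn].first.downcase.end_with?(",#{base.downcase}") &&
        e.fetch(attr, []).any? { |v| v.casecmp?(value) }
    end
  end
end

# Adapter for a live server via the net-ldap gem (loaded only when used).
class NetLdapDirectory
  def initialize(ldap)
    @ldap = ldap
  end

  def search(base:, filter:)
    attr, value = filter.first
    @ldap.search(base: base, filter: Net::LDAP::Filter.eq(attr.to_s, value),
                 attributes: %w[cn member memberUid]).map do |entry|
      { dn: [entry.dn], cn: entry[:cn].to_a,
        member: entry[:member].to_a, memberuid: entry[:memberuid].to_a }
    end
  end
end

# Constructed sample using the post's names (dc=42,dc=school, group
# "manchester", user "sylvain"); the attribute layout is the assumption above.
SAMPLE_BASE = 'dc=42,dc=school'.freeze
SAMPLE_ENTRIES = [
  { dn: ["cn=manchester,cn=groups,cn=accounts,#{SAMPLE_BASE}"], cn: ['manchester'],
    member: ["uid=sylvain,cn=users,cn=accounts,#{SAMPLE_BASE}"], memberuid: [] },
  { dn: ["cn=ipausers,cn=groups,cn=accounts,#{SAMPLE_BASE}"], cn: ['ipausers'],
    member: ["uid=sylvain,cn=users,cn=accounts,#{SAMPLE_BASE}"], memberuid: [] },
  { dn: ["cn=manchester,cn=groups,cn=compat,#{SAMPLE_BASE}"], cn: ['manchester'],
    member: [], memberuid: ['sylvain'] }
].freeze

def sample_report(login = 'sylvain')
  MembershipDiagnostic.new(InMemoryDirectory.new(SAMPLE_ENTRIES), SAMPLE_BASE).report(login)
end

if $PROGRAM_NAME == __FILE__
  if ENV['LDAP_HOST'] # LDAP_HOST / LDAP_BIND_DN / LDAP_BIND_PW / LDAP_BASE: placeholders
    require 'net/ldap'
    ldap = Net::LDAP.new(host: ENV['LDAP_HOST'], port: 636, encryption: :simple_tls,
                         auth: { method: :simple, username: ENV['LDAP_BIND_DN'],
                                 password: ENV['LDAP_BIND_PW'] })
    diag = MembershipDiagnostic.new(NetLdapDirectory.new(ldap), ENV.fetch('LDAP_BASE', SAMPLE_BASE))
    puts diag.report(ARGV.fetch(0, 'sylvain'))
  else
    puts sample_report
  end
end
```

Run without environment variables it reports against the constructed sample, where the accounts-tree `memberUid` lookup comes back empty while the `member`-DN and compat-tree lookups both find `manchester`; run with `LDAP_HOST` and a read-only bind DN it performs the same three searches against a real server, so the result can be compared with the filter and base the auth source logs for `group_list`.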