A Foreman server configured (and working) with FreeIPA configured as External authentication mechanism. The FreeIPA server has a trust with an AD domain.
When logging in with an IPA user that is not known to Foreman, the useraccount is created and any roles assigned to the user’s group are also assigned succesfully.
When signing in with a trusted, but unknown AD user the authentication succeeds, but the useraccount cannot be created. The Foreman logs mention that the user has no valid email address and refuses to create the user.
This can be succesfully worked around by pre-configuring the useraccounts with a (if required bogus) email address.
Is there any way to either tell Foreman to ignore missing attributes for the user, or default to some (custom) values in case the useraccount trying to sign in is not complete for some reason.
Log in with the AD user as well, without pre-seeding the useraccount in Foreman
Foreman and Proxy versions:
Multiple versions, but I have tested it most recently on Foreman 3.0/Katello 4.2
Distribution and version: Rocky8
Not relevant, but just wondering:
I’m not entirely sure why the AD users attributes are not properly synced, I’m still learning about FreeIPA, but I don’t have extended experience setting it up with AD trusts.