Manage user with AD global group?

Hi all,

I am trying to learn more about how Foreman interacts with AD.

We would like to be able to manage users in AD and not really manage them in Foreman.

This is mostly because of the tools we already have to manage user approvals.

It would be nice if, when users log in and their account gets created, they could be set up as an admin as long as their username was in some global group. Could this be done?

And then have some kind of job that would run, probably daily, that would verify if the user was still in the global group. If not, remove the account.

Thanks in advance for any help or pointers to plugins or other docs to help me learn more about this.


Yes, this can be done by configuring LDAP authentication and using your AD Domain Controller as your LDAP authentication source. Foreman can check the user and group membership and grant administrative privileges to a specified group.

Some general tips for getting that working:

  • Try using a tool like LDAP Admin to help you out. Leverage the “Copy DN” feature to prevent typos and eliminate guesswork.
  • Configure that without SSL turned on first, and use Wireshark on the server side to help you see what might be happening when things don’t work.

I have LDAP authentication working; I am just not sure how to deal with the group. How would I query the LDAP group?


Sorry, let me read more from that link you gave me. I think I just need to try that; I see the section that talks about the AD group.


Go to:

  • Administer->User Groups
  • Click “Create User Groups”
  • Select the “Roles” tab and check off “Admin”
  • Select the “External Groups” tab
  • Enter the name of your AD group
  • Click submit

If you have entered all of your info correctly when you created your LDAP source, it should Just Work™. If not, you’ll need to go back and work out what went wrong (e.g., a wrong Groups Base DN, most likely).

1 Like

Thanks for the detailed instructions, it works. :smile: What happens if the user gets removed from the group? Do I need some kind of job to remove the user?

Thanks so much for your help!

You shouldn’t need to remove the user. It should check on each login, but test it to be sure.

Is there a way with the hammer command to create the link?
I found:
hammer user-group create --admin yes --name Wizards
That creates the admin group.
I am not sure how to link the AD external group to the Foreman group.
I found the hammer command:
hammer user-group external
I am not sure if there is an option for it or not.



You may create external user groups with

hammer user-group external create --user-group USER_GROUP_NAME --name EXTERNAL_USER_GROUP_NAME --auth-source-id AUTH_SOURCE_ID

It’s possible to also refresh, update and delete groups through the CLI.

hammer user-group external

will show you all the options available. You can find out which parameters are required by passing '--help' at the end of your command.

That worked!
It looks like it is a 3-step process.
Use the following command to get the auth-source-id number:
hammer auth-source ldap list

Then create the local Foreman group:
hammer user-group create --admin yes --name ForemanAdmin
User group [ForemanAdmin] created

Then link it to the external AdAdmin group. It is a little confusing because you are saying “create” when really you are just linking to the external AD group.
hammer user-group external create --user-group ForemanAdmin --name AdAdmin --auth-source-id 3
External user group created

I also noticed that you can only use the external group one time.

Thanks again!
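The three-step procedure above, scripted so it can be re-run from a scheduled job and finished with the `refresh` subcommand the earlier reply mentions. This is an added example, not code from the thread or from the Foreman project; it assumes hammer is installed and authenticated, that hammer’s global `--csv` option is available, and that `user-group external refresh` accepts `--user-group` and `--name` (check each with `--help`).

```shell
#!/bin/sh
# Added example (not from the thread). Assumes hammer is authenticated,
# that `hammer --csv` works, and that `user-group external refresh`
# takes --user-group and --name; confirm with --help before relying on it.
set -eu

# Run a command, or only print it when DRY_RUN=1, so the exact hammer
# calls can be reviewed before anything is changed in Foreman.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Print the numeric ID of the auth source named $1, reading the CSV from
# `hammer --csv auth-source ldap list` on stdin. Column positions are taken
# from the header row rather than assumed. Exits non-zero if not found.
auth_source_id() {
  awk -F, -v want="$1" '
    NR == 1 { for (i = 1; i <= NF; i++) { h = tolower($i)
                if (h == "id") idc = i; if (h == "name") nc = i }
              if (!idc || !nc) { bad = 1; exit }
              next }
    $nc == want { print $idc; found = 1; exit }
    END { if (bad || !found) exit 1 }'
}

# Create admin user group $1, link AD group $2 to it on auth source $3,
# then refresh so membership is re-read from AD right away.
map_ad_admin_group() {
  ug="$1"; adgroup="$2"; src="$3"
  run hammer user-group create --admin yes --name "$ug"
  run hammer user-group external create --user-group "$ug" \
      --name "$adgroup" --auth-source-id "$src"
  run hammer user-group external refresh --user-group "$ug" --name "$adgroup"
}

# Usage: script.sh AUTH_SOURCE_NAME FOREMAN_GROUP AD_GROUP
# (the names are placeholders; nothing runs unless three arguments are given)
if [ "$#" -eq 3 ]; then
  id=$(hammer --csv auth-source ldap list | auth_source_id "$1")
  map_ad_admin_group "$2" "$3" "$id"
fi
```

Running it with `DRY_RUN=1` prints the three hammer commands instead of executing them, which is a convenient way to confirm the group names and auth source ID before the first real run.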

I do agree ‘create’ is a bit of a misnomer here, glad to hear it worked!

1 Like