Hi all,
I am trying to learn more about how Foreman interacts with AD.
We would like to be able to manage users in AD and not really manage them in Foreman.
This is mostly because of the tools we already have to manage user approvals.
It would be nice if, when users login and their account gets created, they could be set up as an admin as long as their username was in some global group. Could this be done?
And then have some kind of job that would run probably daily that would verify if the user was still in the global group. If not remove the account.
Thanks in advance for any help or pointers to plugins or other docs to help me learn more about this.
Thanks!
Jerry
Yes, this can be done by configuring ldap authentication and using your AD Domain Controller as your LDAP authentication source. Foreman can check the user and group membership and grant Administrative Privileges to a specified group.
Some general tips for getting that working:
- Try using a tool like LDAP Admin to help you out. Leverage the "Copy DN" feature to prevent typos and eliminate guesswork.
- Configure that without SSL turned on first, and use Wireshark on the server side to help you see what might be happening when things don't work
I have ldap authentication working, I am just not sure how to deal with the group? How would I query the ldap group?
Thanks!
Jerry
Sorry, let me read more from that link you gave me. I think I just need to try that; I see the section that talks about the AD group.
Thanks!
Jerry
Go to:
- Administer->User Groups
- Click "Create User Groups"
- Select the "Roles" tab and check off "Admin"
- Select the "External Groups" tab
- Enter the name of your AD group
- Click submit
If you have entered all of your info correctly when you created your LDAP source, it should Just Work™; if not, you'll need to go back and work out what went wrong (e.g., wrong Groups Base DN most likely)
Thanks for the detailed instructions, it works. What happens if the user gets removed from the group? Do I need some kind of job to remove the user?
Thanks so much for your help!
You shouldn't need to remove the user. It should check each login - but test it to be sure.
Is there a way with the hammer command to create the link?
I found:
hammer user-group create --admin yes --name Wizards
That creates the admin group.
I am not sure how to link the AD external group to the Foreman group?
I found the hammer command:
hammer user-group external
I am not sure if there is an option or not?
Thanks!
Jerry
Jerry,
You may create external user groups with
hammer user-group external create --user-group USER_GROUP_NAME --name EXTERNAL_USER_GROUP_NAME --auth-source-id AUTH_SOURCE_ID
It's possible to also refresh, update and delete groups through the CLI.
hammer user-group external
will show you all the options available. You can know which parameters are required by passing "--help" at the end of your command.
That worked!
Thanks!
It looks like it is a 3 step process.
Use the following command to get the auth-source-id number.
hammer auth-source ldap list
Then create the local Foreman group:
hammer user-group create --admin yes --name ForemanAdmin
User group [ForemanAdmin] created
Then link it to the external AdAdmin group. It is a little confusing because you are saying create when really you are just linking to the external AD group.
hammer user-group external create --user-group ForemanAdmin --name AdAdmin --auth-source-id 3
External user group created
I also noticed that you can only use the external group 1 time.
Thanks again!
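The three-step procedure from the post above, wrapped into a script as an added example (this is not code from the thread or from the Foreman project). It assumes hammer is already configured, looks up the auth-source ID by the LDAP source's name instead of hard-coding it, and refuses to proceed when no source with that name exists, so a typo does not silently bind the admin group to the wrong directory. The table layout parsed from `hammer auth-source ldap list` (ID | NAME | SERVER) and the group names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: create a Foreman admin user group and
# link it to an AD group via the LDAP auth source, resolving the source by name.
# Assumes `hammer` is installed and configured; override HAMMER for testing.
set -eu

HAMMER="${HAMMER:-hammer}"

# Read the table that `hammer auth-source ldap list` prints on stdin and print
# the numeric ID of the row whose NAME column equals $1. Column layout
# (ID | NAME | SERVER) is an assumption; header and separator rows are skipped
# because their first column is not a bare number.
auth_source_id_by_name() {
    awk -F'|' -v want="$1" '
        $1 ~ /^[ ]*[0-9]+[ ]*$/ {
            gsub(/^[ ]+|[ ]+$/, "", $1)
            gsub(/^[ ]+|[ ]+$/, "", $2)
            if ($2 == want) { print $1; exit }
        }'
}

# $1 = Foreman user group name, $2 = AD group name, $3 = LDAP auth source name.
# Fails before creating anything if the auth source cannot be resolved.
create_admin_mapping() {
    fg="$1"; ad="$2"; src="$3"
    id=$("$HAMMER" auth-source ldap list | auth_source_id_by_name "$src")
    if [ -z "$id" ]; then
        echo "no LDAP auth source named '$src'; check 'hammer auth-source ldap list'" >&2
        return 1
    fi
    # Step 2: local group carrying the Admin role.
    "$HAMMER" user-group create --admin yes --name "$fg"
    # Step 3: bind the AD group to it (an AD group can be linked only once).
    "$HAMMER" user-group external create --user-group "$fg" --name "$ad" --auth-source-id "$id"
}

# Usage (placeholder names): create_admin_mapping ForemanAdmin AdAdmin "AD"
```

Run it with `HAMMER=echo` first to see the exact commands it would issue before letting it touch a real Foreman instance.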
I do agree "create" is a bit of a misnomer here, glad to hear it worked!