Roles under LDAP connection

Problem: Why does the GUI show roles, specifically administrator and user, but when I run hammer role list, it shows nothing? When I tried to create those roles with hammer role create --name administrator --description "Role for administrators" it replied: “Could not create the user role: Name has already been taken.” I then was reading in the manual: “Foreman provides you with a set of seeded roles. These roles can be assigned to users but cannot be modified in any way. They serve as a sane set of defaults and a quick starting point. If you wish to base your custom role on one of these, you can clone it and modify the clone.” So I tried to clone the administrator role to a new one, but that did not work.
What am I doing wrong?

Expected outcome: I just connected the satellite to LDAP. I want to assign the LDAP system administrator’s group to the satellite administrator group and assign the LDAP developer’s group to the satellite user group.

Foreman and Proxy versions: 2.3.3-1

Foreman and Proxy plugin versions: 2.3.3-1

Distribution and version: CentOS 7.9

Other relevant data:

For me, it doesn’t. It shows roles with hammer:

# hammer role list 
ID | NAME                       | BUILTIN
11 | Auditor                    | no     
10 | Bookmarks manager          | no     
1  | Default role               | yes    
7  | Edit hosts                 | no    

I don’t have any administrator or user role, though. Administrator is only a flag for a user or group, not a role. But maybe, it’s because I have katello…

If there is already a role ‘administrator’, it’s obviously pointless trying to create another one. The extract from the manual refers to the locked roles, e.g. the “Auditor” role. It’s locked, thus I cannot change it, and I have to clone it if I want to make changes.

Either way, as you can see the roles in the GUI, you should be able to create those groups you want and assign them roles. That should do it. No need to create new roles if you already have them…


This is on a fresh satellite install. I have not created any roles yet. hammer role list shows nothing. I want to connect to LDAP and associate some groups with roles, but that is hard to do when I can’t get the role id number.

I thought it might be related to the organization id and/or location id. I create a new version of both that I run my servers under. So, I added --location-id 2 --organization-id 1 (location id 2 is default and organization id 1 is default), but it still shows nothing. I simply want to assign a role to an LDAP group so that when someone from that group logs in, his/her role will be pre-defined.

I resorted to cloning a role through the GUI. When I run a hammer role list, that is the only role that I can see. This is just odd. I should not have to use the GUI in order to clone a role.