User is not being created in Katello but is in Foreman when using ldap (FreeIPA)

Dear all,

I have installed and configured both Foreman and Katello. Katello runs the
same Foreman version, 1.9.2.
I installed Foreman without the option and Katello with
foreman-ipa-authentication set to true. I have configured both the same way
to authenticate to my FreeIPA server. Server type is POSIX instead of
FreeIPA.
In Administer --> LDAP Authentication, when clicking on the Account tab, I
have 'Automatically create accounts in Foreman' ticked, together with
usergroup sync. When logging in with a newly created user in FreeIPA and
assigning the correct role, I can log in fine in both Foreman and Katello
with my LDAP user, but I get the permission denied page, 'you are not
authorized to perform this action'. This is due to the Anonymous role.

When I run the foreman-rake ldap:refresh_usergroups command, I can log in
fine in Foreman and have the correct permissions because I have configured
a user group. In Katello, however, this doesn't work. I cannot even see
the LDAP user when logging in as admin and looking at the users.
If I check with hammer, my logged-in LDAP users exist and have the same
permissions as on my Foreman server.

Hope someone can help out.

Kind regards,

Peter

For some weird reason, the first user that logs in with User Group A
gets 'Authorized by' set to EXTERNAL. If a second user logs in with the same
User Group A, it works and has 'Authorized by' set to LDAP-freeipa.
I tried logging in with a third user, but with User Group B, and got the same:
'Authorized by' is set to EXTERNAL. If I log in with a fourth user with User
Group B, I can log in fine and have the correct LDAP-freeipa set in
'Authorized by'.

The 'Authorized by' value can be seen in Administer --> Users. I don't see a way of
changing this via hammer.

On Tuesday, October 13, 2015 at 4:00:57 PM UTC+2, Peter Verbist wrote:

Hello

We have 2 mechanisms for external LDAP authentication, each with its pros and
cons. The first one is done at the Apache module level, and you enabled that by
the installer option. In this case Foreman does not know anything about the
FreeIPA server and just trusts the env variables set by the Apache module to provide
the data. It automatically creates an auth source called EXTERNAL for the first user
that logs in this way.

The second way is to configure the auth source through the web UI. It works similarly,
but it actually actively talks to FreeIPA to verify the user identity.

One difference I'm aware of is that the first way is easier to integrate with
other identity providers, e.g. if you link your FreeIPA with Active Directory
and set up a trust between them. Also, Kerberos tickets might be used in this
scenario. So in your case, pick one and disable the other (disabling the
second is probably much easier).

Hope this helps

-- Marek
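As an added example (not code from the thread or the Foreman project), a small audit script that groups users by their 'Authorized by' value from `hammer --csv user list` output, so an admin can spot that both the EXTERNAL source (Apache-module mechanism) and an LDAP-* source (web UI auth source) are in use at the same time. The column names and sample rows are assumed/constructed, not real output.

```python
"""Audit which auth source each Foreman user was created under.

Assumption: input is the CSV printed by `hammer --csv user list`, with
an 'Authorized by' column. SAMPLE_CSV below is constructed for this
example and mirrors the mixed state described in the thread.
"""
import csv
import io
from collections import defaultdict

SAMPLE_CSV = """Id,Login,Name,Email,Admin,Last login,Authorized by
1,admin,Admin User,admin@example.test,yes,2015/10/13 16:00:00,Internal
3,alice,Alice A,alice@example.test,no,2015/10/14 01:10:00,EXTERNAL
4,bob,Bob B,bob@example.test,no,2015/10/14 01:12:00,LDAP-freeipa
5,carol,Carol C,carol@example.test,no,2015/10/14 01:13:00,EXTERNAL
6,dave,Dave D,dave@example.test,no,2015/10/14 01:14:00,LDAP-freeipa
"""


def users_by_auth_source(csv_text):
    """Map each 'Authorized by' value to the sorted list of logins."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if reader.fieldnames is None or "Authorized by" not in reader.fieldnames:
        raise ValueError("CSV lacks an 'Authorized by' column")
    grouped = defaultdict(list)
    for row in reader:
        grouped[row["Authorized by"].strip()].append(row["Login"].strip())
    return {src: sorted(logins) for src, logins in grouped.items()}


def mixed_external_sources(by_source):
    """True when EXTERNAL and at least one LDAP-* source both hold users,
    i.e. both external-auth mechanisms are active and need reconciling."""
    has_external = bool(by_source.get("EXTERNAL"))
    has_ldap = any(src.startswith("LDAP-") and logins
                   for src, logins in by_source.items())
    return has_external and has_ldap


if __name__ == "__main__":
    sources = users_by_auth_source(SAMPLE_CSV)
    for src, logins in sorted(sources.items()):
        print(f"{src}: {', '.join(logins)}")
    if mixed_external_sources(sources):
        print("Both EXTERNAL and LDAP-* auth sources are in use; disable one.")
```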

On Wednesday 14 of October 2015 01:14:57 Peter Verbist wrote:
On Tuesday, October 13, 2015 at 4:00:57 PM UTC+2, Peter Verbist wrote: