Satellite 6 with Active Directory - Permissions
Hi,
There is a very detailed guide on integrating Red Hat Satellite 6 with Active Directory at
Red Hat Satellite 6.1 User Guide - Using Active Directory Directly
Once complete, the guide states "By completing the above procedure you allow users that belong to the EXAMPLE.ORG realm to log in to the Satellite server".
In my instance, I only want a subset of users in AD to be able to log in to Satellite. What's the best way of restricting access to a set of users or AD groups?
Many thanks,
Richard.
Responses
The best way would be to create (or use) a group in AD, then set the LDAP Filter:
Administrator > LDAP Authentication > Name > Account Tab > LDAP Filter
Something like the following for an LDAP filter would work:
(&(objectclass=user)(memberOf=CN=Satellite_Administrators_GG,OU=Groups,DC=EXAMPLE,DC=COM))
Richard,
Thank you for raising the question and to Will for providing the answer so promptly.
I'm a technical writer at Red Hat, working on the Satellite documentation. As yours is, I believe, a common use case, I'll raise a request to get documentation of AD group filtering added to the Satellite User Guide.
Richard,
In response to your initial request for information, I have raised the following bug report to have the documentation improved. Please tell me if I have misinterpreted your requirements.
https://bugzilla.redhat.com/show_bug.cgi?id=1309115
Richard,
Bugzilla ticket 1309115 has now been closed as the omission you pointed out earlier in the discussion has been fixed in the Satellite 6.2 Server Administration Guide. You can confirm that by reviewing the Beta edition of the guide at [1].
What was formerly the User Guide has been split into two separate guides, the Server Administration Guide (which covers administration of Satellite itself) and the Host Administration Guide (which covers administration of hosts).
Thanks again for your feedback.
[1] https://access.redhat.com/documentation/en/red-hat-satellite/version-6.2-beta/server-administration-guide/#sect-Red_Hat_Satellite-Server_Administration_Guide-AD_direct
Richard - I have now made the description of both Bugzilla tickets publicly available as I should have made them public when I created them. Thanks for pointing that out.
So did this actually work for anyone else? Just wondering if I've done something wrong as it still allows anyone in the AD domain to authenticate.
Hi Richard,
Thanks for the update... it was the LDAP filter in Satellite that I had the most trouble with, as it doesn't seem to have any effect at all.
I ended up getting it to work with a combination of the original guide Red Hat Satellite 6.1 User Guide - Using Active Directory Directly and then some further configuration within sssd.conf.
Most docs I read suggested using "ldap_access_filter", but that didn't work at all; "ad_access_filter" does, which is mentioned in the Fedora SSSD docs.
Here are some of the key variables I updated after the "realm" command added its defaults.
ldap_schema = ad
ldap_access_order = filter, expire
ad_access_filter = memberOf=CN=Satellite_Administrators_GG,OU=Groups,DC=EXAMPLE,DC=COM
use_fully_qualified_names = false
I would like to have the filter working in the Satellite app but this works well enough for me now. :-)
Cheers, Craig
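Added example (not part of the post above or of Red Hat's documentation): a small Python check for the situation described there, where a group filter is present in sssd.conf but has no effect. It relies on sssd-ad(5), which states that ad_access_filter only takes effect when access_provider is explicitly set to ad, while ldap_access_filter belongs to the LDAP access provider. The sample file and the function name audit_access_filters are constructed for illustration.

```python
import configparser

# Constructed sample (not a real host's file): the filter is set under the
# ldap_ name while the AD access provider is the one in use.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ad
access_provider = ad
ldap_access_order = filter, expire
ldap_access_filter = memberOf=CN=Satellite_Administrators_GG,OU=Groups,DC=EXAMPLE,DC=COM
use_fully_qualified_names = false
"""

def audit_access_filters(conf_text):
    """Map each [domain/...] section to 'enforced', 'filter-ignored' or 'no-filter'."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    findings = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        # sssd.conf(5): access_provider defaults to "permit" (everyone allowed).
        provider = dom.get("access_provider", "permit").strip().lower()
        ad_filter = dom.get("ad_access_filter", "").strip()
        ldap_filter = dom.get("ldap_access_filter", "").strip()
        # sssd-ldap(5): ldap_access_order defaults to "filter".
        order = [o.strip().lower() for o in dom.get("ldap_access_order", "filter").split(",")]
        if provider == "ad" and ad_filter:
            status = "enforced"
        elif provider == "ldap" and ldap_filter and "filter" in order:
            status = "enforced"
        elif ad_filter or ldap_filter:
            status = "filter-ignored"  # a filter is present but its provider is not active
        else:
            status = "no-filter"
        findings[section.split("/", 1)[1]] = status
    return findings

if __name__ == "__main__":
    for domain, status in audit_access_filters(SAMPLE_SSSD_CONF).items():
        print(f"{domain}: {status}")
```

A "filter-ignored" or "no-filter" result means any account in the joined realm that passes authentication is still allowed through SSSD access control for that domain.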
Has anyone been able to make it work? I followed the instructions in Red Hat Satellite 6.2 - Server Administration Guide - Using Active Directory Directly, but I can't figure out what needs to be done at the AD end in order to allow a user to sign in to Satellite. Also, Satellite has some roles; how do I link them on AD? Thanks.
