User Groups

Hello,

I have basic authentication working in Satellite 6.3 and it allows our users to log in and only create an account. I'm trying to set up the whole Roles/User group item. When I try to create a user group and plug in the Distinguished name I always get a "is not found in the authentication source". In the logs I get this one error:
2018-03-07 14:13:02 0c930bdb [app] [I] Parameters: {"utf8"=>"✓", "authenticity_token"=>"6n/q2OXeLRdO3HZQsYXR4GzobalII+8IOMw8l9ALpqKy4wU4oDLt1Xqw9Pf0is5lhQFWlrYHliyBwg8ETKLpNQ==", "usergroup"=>{"name"=>"admins", "usergroup_ids"=>[""], "user_ids"=>[""], "admin"=>"1", "role_ids"=>[""], "external_usergroups_attributes"=>{"0"=>{"_destroy"=>"false", "name"=>"CN=Linux,OU=Security Groups,DC=myworkdomain,DC=com", "auth_source_id"=>"3"}}}, "commit"=>"Submit"}

Any ideas? I've opened up a ticket w/ Red Hat and it's just being slow. Red Hat Satellite 6.3 (Successful upgrade from 6.2)

Any info is greatly appreciated.
Thank You

Responses

Figured it out. Please see my comment on this URL https://access.redhat.com/solutions/3358091 or solution # 3358091

Louis, I read your comment on solution 3358091, in which you noted the solution to your problem was to convert the whole of the distinguished name string to lowercase. Did you discover this on your own, or via the support case you raised with Red Hat? Would you mind mentioning the case number, so that I can view its history?

Regardless, if the DN always needs to be in lower case, I will make a note of that in the associated documentation.

Thank you for both starting the discussion and noting the solution. It benefits the entire community when you detail the solution to an issue. I hope no-one else experiences this problem, but if they do I hope they discover this discussion.

Hi Russell, While I'm not the strongest AD guy out there I've been working on this for quite a few weeks. I eventually raised a ticket to RH (02050010) but I discovered it on my own before they eventually got back to me. I've been working on this way before when I was using Foreman for my stuff before I eventually got RH Satellite + support. Thank you.

Thanks Louis. It worries me that you had to spend a few weeks trying to identify the cause of this problem. I would prefer no-one else went through that. I'll look over the case and see if I can identify the underlying issue here. Either a change should be made in Satellite, or the documentation could state the criteria for DN.

Louis - I would like to investigate this further, and need your help. When you were creating a user group, were you following the instructions in Procedure 8.6, "To Configure an External User Group"?

If I understand correctly you entered the User group name in mixed case, but Satellite Server rejected this, reporting it could not find that group in the authentication source. Once you entered the User group name in lower case, the group could be found. How did you come up with the group's name to put into the User group field? The instructions state this should be copied from the output of the id command, which I believe is always in lower case.

I'd like to ensure that Satellite Server either accepts a group's name in mixed case, or rejects a mixed case group name with an informative error message. Your answers to these questions will help me better find the best way forward.

Hi Russell,

That is correct. Procedure 8.6 Step #4. So initially when you have nothing in there it seems to error out and says it cannot find a source. When I used the case sensitive ^System Administrators@mydomain.com, it said not found. I ended up using lower case and it worked right off the bat. I tested this on my Foreman server and the behavior was identical. Now today if I were to try this again it would work w/ the upper case characters. It's very interesting. Maybe it needs that 1st item in there and auth'd to work correctly before adding more even w/ the upper case characters (i.e. ^System Administrators@mydomain.com).

Thanks Louis. So when you entered the group's name in mixed case, as ^System Administrators@mydomain.com, Satellite Server responded that that group could not be found in the authentication source. When you instead entered the group's name in lower case, as ^system administrators@mydomain.com, Satellite Server accepted the group's name.

When you write "Now today if I were to try this again it would work..." do you mean that if you tried to add a new group from an AD source, Satellite Server would accept it even if the group's name was entered in mixed case? If so, that seems very strange. Was the "System Administrators" group the first you tried adding to Satellite Server?

Hi Russell,
Correct. As of today it works w/ mixed case. Initially it didn't. Again makes me wonder that once that 1st entry is accepted then mixed case would work afterwards. This happened on both Satellite 6.2 + 6.3 including Foreman 1.15.6. Once I discovered the lower case it worked on 6.3 + Foreman 1.15.6.

Thanks Louis. That's (obviously) very strange. I'll follow this up with someone who has a detailed understanding of how this works in Satellite.
