8.4. Configuring External User Groups

Users authenticated through external sources are automatically created on the Satellite Server the first time they log in. This does not apply to external user groups that must be mapped to user groups created manually in the Satellite GUI. Members of the external user group then automatically become members of the Satellite user group and receive the associated permissions.


The configuration of external user groups depends on the type of external authentication:
  • If using an LDAP source, make sure the LDAP authentication is correctly configured. Navigate to AdministerLDAP Authentication to view and modify the existing sources. For instructions on how to create an LDAP source, see Section 8.1, “Using LDAP”. Take note of the LDAP group names you want to use.


    If you are using external user groups from an LDAP source, you cannot use the $login variable as a substitute for the account user name. You need to use either an anonymous or dedicated service user.
  • If your Satellite is enrolled with the IdM or AD server as described in Chapter 8, Configuring External Authentication, take note of the external group names you want to use. To find the group membership of external users, execute the id command on Satellite:
    # id username
    Here, username is the name of the external group member. Note that Satellite allows you to configure external groups only after at least one external user authenticates for the first time. Also, at least one user must exist in the external authentication source.

Procedure 8.6. To Configure an External User Group:

  1. Navigate to AdministerUser Groups. Click New User Group.
  2. On the User group tab, specify the name of the new user group. Do not select any users as they will be added automatically when refreshing the external user group.
  3. On the Roles tab, select the roles you want to assign to the user group. Alternatively, select the Administrator check box to assign all available permissions.
  4. On the External groups tab, click Add external user group and select an authentication source from the Auth source drop-down menu.
    Specify the exact name of the LDAP or external group in the Name field.
  5. Click Submit.


You can set the LDAP source to synchronize user group membership automatically on user login. If this option is not set, LDAP user groups are refreshed automatically through a scheduled task (cron job) synchronizing the LDAP Authentication source (every 30 minutes by default). If the user groups in the LDAP Authentication source change in the lapse of time between scheduled tasks, the user can be assigned to incorrect external user groups. This is corrected automatically when the scheduled task runs. You can also refresh the LDAP source manually by executing foreman-rake ldap:refresh_usergroups or by refreshing the external user groups through the web UI.
External user groups based on IdM or AD are refreshed only when a group member logs in to Satellite. It is not possible to alter user membership of external user groups in the Satellite GUI, such changes are overwritten on the next group refresh. To assign additional permissions to an external user, add this user to an internal user group that has no external mapping specified. Then assign the required roles to this group.