LDAP user attributes and access are not periodically synchronized in Ansible Automation Platform

Solution Verified - Updated -

Issue

  • There is a requirement for LDAP users to be created in Ansible Automation Platform automatically without requiring an initial interactive login.
  • Users should be automatically removed or disabled in Ansible Automation Platform when they are removed from the LDAP/Active Directory server.
  • LDAP binding and attribute refresh occur only when a user actively authenticates through the Ansible Automation Platform UI, meaning user state is not continuously revalidated.
  • If a user becomes inactive (for example, due to contract termination or a role change), the user may still retain previously assigned permissions in Ansible Automation Platform.
  • A user may continue to access Ansible Automation Platform using an existing User Access Token that was generated before the account was removed or disabled in Active Directory.
  • Since there is no automatic background revalidation of LDAP/Active Directory user state, previously issued tokens may remain valid even after the user is no longer authorized.
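The list above describes a gap rather than a fix: LDAP state is consulted only at interactive login, so an account removed from the directory, and any access token it issued beforehand, can keep working until someone logs in as that user again. The following is an added example of the periodic reconciliation check a defender would run to close that gap; it is not Red Hat's or Ansible Automation Platform's own code. It works on in-memory data that is constructed here for illustration. In a real job the directory side would come from an LDAP search of active members and the platform side from the platform's users and tokens; the `ldap_dn` and `is_active` fields mirror the user object fields exposed by the controller API, but how you fetch them and how you disable users or revoke tokens is left as an assumption outside this snippet.

```python
"""Periodic LDAP-to-platform access reconciliation (added example, not product code).

Models the background revalidation the article says the platform does not
perform on its own: compare the directory's current active users with the
platform's LDAP-sourced accounts, then plan which accounts to disable and
which pre-existing tokens to revoke. All input data below is constructed.
"""
from dataclasses import dataclass, field
from typing import Iterable, List


@dataclass(frozen=True)
class PlatformUser:
    id: int
    username: str
    is_active: bool
    ldap_dn: str  # empty for local (non-LDAP) accounts; assumed field name


@dataclass(frozen=True)
class AccessToken:
    id: int
    user_id: int  # owner of the token


@dataclass
class Plan:
    disable_users: List[str] = field(default_factory=list)
    revoke_tokens: List[int] = field(default_factory=list)
    skipped_local: List[str] = field(default_factory=list)


def reconcile(ldap_active_dns: Iterable[str],
              users: Iterable[PlatformUser],
              tokens: Iterable[AccessToken]) -> Plan:
    """Return the corrective actions needed to align platform access with LDAP.

    An LDAP-sourced account whose DN is no longer returned by the directory is
    stale: it is marked for disabling if still active, and every token it owns
    is marked for revocation even if the account was already disabled, since
    the article notes tokens can outlive the account's directory membership.
    Accounts without an ldap_dn are local and are deliberately left alone.
    """
    # DNs are compared case-insensitively; directories do not preserve case reliably.
    live = {dn.lower() for dn in ldap_active_dns}
    plan = Plan()
    stale_ids = set()

    for u in users:
        if not u.ldap_dn:
            plan.skipped_local.append(u.username)
            continue
        if u.ldap_dn.lower() in live:
            continue  # still present in LDAP, nothing to do
        stale_ids.add(u.id)
        if u.is_active:
            plan.disable_users.append(u.username)

    for t in tokens:
        if t.user_id in stale_ids:
            plan.revoke_tokens.append(t.id)

    return plan


def demo() -> Plan:
    """Run the check over constructed sample data and return the plan."""
    # Constructed: what the directory currently reports as active members.
    ldap_active = [
        "CN=alice,OU=Users,DC=example,DC=com",
        "CN=carol,OU=Users,DC=example,DC=com",
    ]
    # Constructed: what the platform currently holds.
    users = [
        PlatformUser(1, "alice", True, "CN=alice,OU=Users,DC=example,DC=com"),
        PlatformUser(2, "bob", True, "CN=bob,OU=Users,DC=example,DC=com"),      # removed from AD
        PlatformUser(3, "carol", True, "cn=carol,ou=users,dc=example,dc=com"),  # case differs only
        PlatformUser(4, "svc-local", True, ""),                                 # local account
        PlatformUser(5, "dave", False, "CN=dave,OU=Users,DC=example,DC=com"),   # already disabled
    ]
    tokens = [
        AccessToken(10, 1),  # alice: still valid in LDAP, keep
        AccessToken(11, 2),  # bob: issued before removal, must go
        AccessToken(12, 5),  # dave: account disabled but token still exists
    ]
    return reconcile(ldap_active, users, tokens)


if __name__ == "__main__":
    p = demo()
    print("disable:", p.disable_users)
    print("revoke tokens:", p.revoke_tokens)
    print("skipped local:", p.skipped_local)
```

Run on a schedule (a cron job or a scheduled playbook) rather than waiting for the next interactive login, and feed the plan into whatever disable/revoke calls your platform version exposes. Keeping the plan separate from the enforcement step lets you log the diff first and confirm it is sane before anything is disabled.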

Environment

  • Red Hat Ansible Automation Platform (Ansible Automation Platform) 2.5, 2.6
  • Authentication configured with LDAP
  • Users authenticating via the LDAP backend
