How to automatically assign roles for externally authenticated users on Red Hat Satellite 6?
Environment
- Red Hat Satellite 6.1 and above
- FreeIPA / Active Directory
Issue
- How to automatically assign roles for externally authenticated users (either LDAP Authenticated or using Direct Authentication Method)?
- Auto-assign roles to users based on the external groups they are members of.
Resolution
- Authentication Source (Identity Management) in Red Hat Satellite 6 can be configured in multiple ways:
  - LDAP Authentication: This method covers authentication at the application level. Click on this documentation link for more information.
  - Direct Integration: In this method, Red Hat Satellite is joined directly to the AD domain where the identity is stored, which covers both OS and application level authentication. Click on this documentation link for more information.
- If LDAP Authentication is configured, then create a User Group from Administer >> User groups >> click New User group >> In the User group tab, specify a Name (any generic name for identification) >> under Roles tab, select the Role that needs to be assigned once a user logs in >> under External groups tab, click Add external user group >> specify the External Group name and select the correct Authentication Source.
NOTE: When specifying the External Group name, it is mandatory that the external group name matches the name specified here.
- In the Direct Integration method, find the external group name that needs to be configured by running the id command on the Red Hat Satellite 6 server.
[root@satellite ~]# id aduser1
uid=784601106(aduser1@lab.example.com) gid=784600513(domain users@lab.example.com) groups=784600513(domain users@lab.example.com),784601110(sat6users@lab.example.com) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
NOTE: As an example, sat6users@lab.example.com is the group name that needs to be specified as the External Group name when configuring the User Group.
- Once the external group name is retrieved or identified, start creating the User Group from Administer >> User groups >> click New User group >> In the User group tab, specify a Name (any generic name for identification) >> under Roles tab, select the Role that needs to be assigned once a user logs in >> under External groups tab, click Add external user group >> specify the External Group name as identified from the id command output and select EXTERNAL as the Auth Source.
NOTE: Auth Source in Direct Authentication would be listed as EXTERNAL, and this value or the External groups tab wouldn't be visible until a user from the external source has logged in for the first time (this is required only once).
NOTE: Refreshing the User Groups configured using this method would result in the error "The page you were looking for doesn't exist. You may have mistyped the address or the page may have moved." Refreshing isn't required in the Direct Authentication method, as the User Group mappings are checked whenever an external user tries to log in.
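The External Group name has to be entered exactly as the id command reports it, and names such as domain users@lab.example.com contain spaces, so splitting the output on whitespace yields wrong names. The shell functions below are an added example, not part of the original Red Hat solution; the function names are hypothetical, and the sample line is the id output shown above.

```shell
#!/bin/sh
# Added example (not from the original article): extract the exact group
# names from one line of id output so they can be entered as the
# External Group name. Function names here are hypothetical.

# Print one group name per line from the groups= field.
# Names may contain spaces, so split on commas, never on whitespace.
# Assumption: group names themselves contain no commas.
# Only entries of the form GID(name) are kept; a bare GID means the name
# did not resolve on this host and cannot be mapped to a User Group.
list_external_groups() {
    printf '%s\n' "$1" |
        sed -e 's/^.* groups=//' -e 's/ context=.*$//' |
        tr ',' '\n' |
        sed -n 's/^[0-9]*(\(.*\))$/\1/p'
}

# Succeed only if the user is in the group whose name matches $2 exactly
# (whole-line, fixed-string comparison; a short name without the domain fails).
has_external_group() {
    list_external_groups "$1" | grep -Fxq -- "$2"
}

# Sample input: the id output from this article.
# On the Satellite server, use "$(id aduser1)" instead.
SAMPLE_ID_OUTPUT='uid=784601106(aduser1@lab.example.com) gid=784600513(domain users@lab.example.com) groups=784600513(domain users@lab.example.com),784601110(sat6users@lab.example.com) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'

list_external_groups "$SAMPLE_ID_OUTPUT"

if has_external_group "$SAMPLE_ID_OUTPUT" 'sat6users@lab.example.com'; then
    echo 'aduser1 is a member of sat6users@lab.example.com'
fi
```

Running the membership check before creating the mapping confirms that the string entered in the External groups tab is one the server actually resolves for that user.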
For more KB articles/solutions related to Red Hat Satellite 6.x Authentication Issues, please refer to the Red Hat Satellite Consolidated Troubleshooting Article for Red Hat Satellite 6.x Authentication Issues