Cannot log in to Red Hat Satellite WebUI using an Active Directory user

Solution Verified - Updated

Environment

  • Red Hat Satellite 6.9+

Issue

  • After the LDAP user (xyxadm) was deleted from Active Directory, authentication fails.
  • No LDAP user can log in to the Red Hat Satellite WebUI; login works only with local user credentials.

Resolution

  • Make sure the bind user exists in Active Directory and is working.

  • If the bind user is missing or has been deleted, update the LDAP authentication source by specifying the bind account with the following command:

      # hammer auth-source ldap update --id x --account <account_name>

      Replace x with the actual ID of the LDAP authentication source, taken from the output of hammer auth-source ldap list (see Diagnostic Steps).

      Replace <account_name> with the bind account you created in Active Directory. This bind account is necessary for Satellite to authenticate and query user/group information from AD.

  • Alternatively, change the bind user on the Satellite authentication source using the Satellite WebUI:

    Go to Satellite WebUI => Administer => Authentication Sources => select the profile => Account, then change the bind user in the LDAP auth source.
    

    NOTE: Ensure that Organization and Location are set correctly in order to view 'Authentication Sources'.

  • If you are unable to log in to Satellite with the local admin account to make the above change, try logging in to the Satellite WebUI with the credentials that hammer uses. They are stored in /root/.hammer/cli.modules.d/foreman.yml.

    If the hammer credentials also fail to log in, consider resetting the admin credentials with the command below, where redhat is the password being set:

    # foreman-rake permissions:reset password=redhat
    

For more KB articles/solutions related to Red Hat Satellite 6.x Authentication Issues, please refer to the following:

Red Hat Satellite Consolidated Troubleshooting Article for Red Hat Satellite 6.x Authentication Issues

LDAP Authentication Troubleshooting via foreman-rake - LdapFluff::Generic::UnauthenticatedException: Could not bind to ActiveDirectory user in Red Hat Satellite 6.

Root Cause

  • The bind user was deleted from LDAP/AD.

Diagnostic Steps

  • Run the following command on the Satellite server to check the current LDAP configuration, identify the correct authentication source ID and confirm whether the bind account has been created:

    # hammer auth-source ldap list
    
  • Check the logs in /var/log/messages:

    # cat /var/log/messages
    2018-10-08 12:38:23 03b25c5c [app] [I]   Parameters: {"utf8"=>"✓", "authenticity_token"=>"zUZ6djLkoFMuq3G/uyLNJbFylEZg2QpXCCuyVM33SY3P00+Yl972uBDYLnnBv9WA7wdPEs3AGuCRmUqlr2yUag==", "login"=>{"login"=>"abcdef12", "password"=>"[FILTERED]"}, "commit"=>"Log In"}
    2018-10-08 12:38:23 03b25c5c [app] [W] Action failed
     | LdapFluff::Generic::UnauthenticatedException: Could not bind to ActiveDirectory user ptt\xyzadm
     | /opt/theforeman/tfm/root/usr/share/gems/gems/ldap_fluff-0.4.7/lib/ldap_fluff/generic.rb:76:in `serv
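
An added example, not part of the original solution: a shell function that scans log output in the layout of the excerpt above, counts "Could not bind" failures per bind account, and lists the login names that hit each one. Several different users failing against the same bind account points to the bind account, not to the users' passwords. The sample log is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article.
# Constructed sample log, modelled on the excerpt above (token omitted).
sample_log() {
cat <<'EOF'
2018-10-08 12:38:23 03b25c5c [app] [I]   Parameters: {"login"=>{"login"=>"abcdef12", "password"=>"[FILTERED]"}, "commit"=>"Log In"}
2018-10-08 12:38:23 03b25c5c [app] [W] Action failed
 | LdapFluff::Generic::UnauthenticatedException: Could not bind to ActiveDirectory user ptt\xyzadm
2018-10-08 12:40:02 7f1e22aa [app] [I]   Parameters: {"login"=>{"login"=>"ghijkl34", "password"=>"[FILTERED]"}, "commit"=>"Log In"}
2018-10-08 12:40:02 7f1e22aa [app] [W] Action failed
 | LdapFluff::Generic::UnauthenticatedException: Could not bind to ActiveDirectory user ptt\xyzadm
2018-10-08 12:41:10 9c0d11bb [app] [I] Completed 200 OK
EOF
}

# bind_failures [FILE]: reads FILE (or stdin) and prints one line per bind
# account: "<failure count> <bind account> <login names that hit it>".
bind_failures() {
  awk '
    # Login request: remember the submitted login name per request ID (field 3).
    match($0, /"login"=>"[^"]*", "password"/) {
      s = substr($0, RSTART, RLENGTH)
      sub(/^"login"=>"/, "", s); sub(/", "password"$/, "", s)
      login[$3] = s
    }
    # The exception line carries no request ID, so take it from this line.
    / Action failed$/ { req = $3 }
    /LdapFluff::Generic::UnauthenticatedException: Could not bind to/ {
      acct = $NF; n[acct]++; u = login[req]
      if (u != "" && index(" " who[acct] " ", " " u " ") == 0)
        who[acct] = (who[acct] == "" ? u : who[acct] " " u)
    }
    END { for (a in n) printf "%d %s %s\n", n[a], a, who[a] }
  ' "${1:--}" | sort -rn
}

# Demo on the constructed sample; on a Satellite server pass the log file,
# for example: bind_failures /var/log/messages
sample_log | bind_failures
```

The account reported in the second column is the one to compare with the bind account configured on the LDAP authentication source.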
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.