LDAP users from ForgeRock DS are automatically created but are not placed in the assigned user group in Red Hat Satellite 6
Environment
- Red Hat Satellite 6.16
- Forgerock DS configured as LDAP server for central user authentication in Satellite.
- No LDAP filters set.
Issue
- With ForgeRock DS configured as LDAP server for central user authentication in Satellite, need to:
  - Set up LDAP user groups for group placement for new Satellite users.
  - Use Satellite User Groups for role assignment.
- The user is automatically created but is not placed within the assigned user group.
- Red Hat Satellite queries for the wrong attribute, memberUid, instead of the correct attribute, member.
Resolution
- Follow the steps in the Diagnostic Steps to confirm that this knowledge base solution fits the reported issue. Proceed with the next steps of the resolution only if the outcomes from the diagnostic steps match.
- Change the Server type in the LDAP server tab under:
  Satellite Web UI -> Administer -> Authentication Sources -> <ForgeRock_Authentication_Source>
  to Active Directory instead of POSIX.
- Note that applying step (2) above will make the automatically created LDAP user be placed within the assigned user group, but the assigned user group will not grant its role permissions until the role is manually assigned to it. RFE SAT-41834 was raised to address this.
For more KB articles/solutions related to Red Hat Satellite 6.x Authentication Issues, please refer to the Red Hat Satellite Consolidated Troubleshooting Article for Red Hat Satellite 6.x Authentication Issues
Root Cause
Having objectClass: groupOfNames show up, with the members of the group listed as `member: uid=username,cn=users,o=example,c=com`, in the output of the following command:
# ldapsearch -x -H ldaps://ldap-server.example.com:636 -D "uid=username,cn=users,o=example,c=com" -W -b "o=example,c=com" "(member=uid=username,cn=users,o=example,c=com)"
means that Satellite is configured to treat the LDAP server as a POSIX-style directory (expecting the attribute memberUid and, typically, objectClass posixGroup), whereas ForgeRock DS is configured using a standard LDAP group structure (the member attribute and, typically, objectClass groupOfNames).
When a user logs in, Satellite queries the LDAP server for groups containing the user. Because it searches on memberUid (which does not exist, or is empty, on these group objects), it finds zero groups. Consequently, no External User Groups are matched and no Roles are assigned.
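The following Python script is an added illustration, not part of this article or of Satellite's code: it parses LDIF of the kind ldapsearch prints (a constructed sample based on the output in the Diagnostic Steps, plus a made-up posixGroup for contrast) and evaluates the group lookup under each Server type, showing that POSIX (memberUid) finds no groupOfNames group while Active Directory (member) does.

```python
# Evaluates Satellite's group lookup the way each "Server type" does:
#   POSIX            -> groups whose memberUid equals the login name
#   Active Directory -> groups whose member equals the user's full DN
from typing import Dict, List

MEMBERSHIP_ATTR = {"POSIX": "memberuid", "Active Directory": "member"}

# Constructed sample LDIF: the groupOfNames entry from the article plus a
# made-up posixGroup for contrast (not real directory data).
SAMPLE_LDIF = """\
dn: cn=example_group,cn=groups,o=example,c=com
objectClass: groupOfNames
cn: example_group
member: uid=user1,cn=users,o=example,c=com
member: uid=username,cn=users,o=example,c=com

dn: cn=posix_group,cn=groups,o=example,c=com
objectClass: posixGroup
cn: posix_group
memberUid: username
"""

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Split ldapsearch-style LDIF into entries mapping attribute -> values.
    '#' comment lines are skipped; attribute names are case-folded because
    LDAP attribute names are case-insensitive."""
    entries, current = [], {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():          # a blank line ends the current entry
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def groups_for_user(entries, login: str, user_dn: str, server_type: str) -> List[str]:
    """cn of every group that contains the user under the membership
    attribute Satellite searches for the given server type."""
    attr = MEMBERSHIP_ATTR[server_type]
    needle = (login if attr == "memberuid" else user_dn).lower()
    found = []
    for entry in entries:
        if needle in (v.lower() for v in entry.get(attr, [])):
            found.extend(entry.get("cn", []))
    return found
```

Running groups_for_user over the parsed sample with server type POSIX returns only the posixGroup, while Active Directory returns example_group, which is exactly the mismatch described above.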
Diagnostic Steps
- Check and confirm that Server type in the LDAP server tab under:
  Satellite Web UI -> Administer -> Authentication Sources -> <ForgeRock_Authentication_Source>
  is set to POSIX, where <ForgeRock_Authentication_Source> is the actual name of the ForgeRock DS authentication source.
- Check the output of the following command and confirm that:
  - objectClass: groupOfNames shows up in the output of the command.
  - the members are listed as `member: uid=username,cn=users,o=example,c=com`
# ldapsearch -x -H ldaps://ldap-server.example.com:636 -D "uid=username,cn=users,o=example,c=com" -W -b "o=example,c=com" "(member=uid=username,cn=users,o=example,c=com)"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <o=example,c=com> with scope subtree
# filter: (member=uid=username,cn=users,o=example,c=com)
# requesting: ALL
#
# example_group, groups, example, com
dn: cn=example_group,cn=groups,o=example,c=com
objectClass: groupOfNames
objectClass: top
cn: example_group
member: uid=user1,cn=users,o=example,c=com
...
member: uid=username,cn=users,o=example,c=com
...
# search result
search: 1
result: 0 Success
# numResponses: 3
# numEntries: 1
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.