Bug #16231

open

[LDAP] Support AD Universal Groups (UIDNotFoundException)

Added by Michael Hofer over 7 years ago. Updated over 7 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Authentication
Target version:
-
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Hi

We're using Foreman 1.9.3 with LDAP authentication against an AD. The AD is
quite big and has 3 main domains:

  • emea.mycompany.com
  • nala.mycompany.com
  • asia.mycompany.com

In addition we make use of the so-called AD Universal Groups. This way it's
possible to add users of all the different domains to a single group, which can
then be used by an application or similar.

We did the same for Foreman and created several different universal groups in
AD (prefixed with AD for this example):

  • AD_foreman_users
  • AD_foreman_admins

To synchronize the AD groups we've created some Foreman groups and linked them
accordingly (external groups):

  • foreman_users > AD_foreman_users
  • foreman_admins > AD_foreman_admins

In addition there's an AD group called AD_foreman which contains both AD groups
mentioned above and is used for the filter.

Now add some users from the different domains to the groups:

  • EMEA\test1
  • EMEA\test2
  • NALA\test3

If Foreman now tries to synchronize the groups it'll fail with the following
error (see attachment for full trace):

LdapFluff::ActiveDirectory::MemberService::UIDNotFoundException

Is it possible that LdapFluff does not yet support Universal groups in AD? If
we remove the NALA\test3 user from the group it can successfully resolve the
users.

Files

production.log production.log 14.6 KB Michael Hofer, 08/22/2016 11:03 AM
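The following is an added illustration, not code from the report or from LdapFluff: a toy in-memory model of the three-domain forest above, with constructed entries for EMEA\test1, EMEA\test2 and NALA\test3 as members of AD_foreman_users. It assumes, purely for illustration, that a member lookup scoped to one domain's base DN cannot see an entry that lives in another domain, and contrasts that with deriving the search base from each member's own DN (in a real forest this would mean querying that domain or the global catalog).

```ruby
# Constructed sample directory keyed by DN (not the reporter's real data).
DIRECTORY = {
  "CN=test1,CN=Users,DC=emea,DC=mycompany,DC=com" => { "sAMAccountName" => "test1" },
  "CN=test2,CN=Users,DC=emea,DC=mycompany,DC=com" => { "sAMAccountName" => "test2" },
  "CN=test3,CN=Users,DC=nala,DC=mycompany,DC=com" => { "sAMAccountName" => "test3" },
  "CN=AD_foreman_users,OU=Groups,DC=emea,DC=mycompany,DC=com" => {
    "member" => [
      "CN=test1,CN=Users,DC=emea,DC=mycompany,DC=com",
      "CN=test2,CN=Users,DC=emea,DC=mycompany,DC=com",
      "CN=test3,CN=Users,DC=nala,DC=mycompany,DC=com",
    ],
  },
}.freeze

# Hypothetical stand-in for the exception named in the report.
class UIDNotFoundException < StandardError; end

# The domain part (DC= components) of a DN, e.g. "DC=nala,DC=mycompany,DC=com".
def domain_base(dn)
  dn.split(",").select { |rdn| rdn.strip.upcase.start_with?("DC=") }.join(",")
end

# Simulated subtree search: an entry is only visible when its DN sits under base.
def lookup(dn, base)
  return nil unless dn.downcase.end_with?(base.downcase)
  DIRECTORY[dn]
end

# Domain-scoped resolution (assumed failure mode): every member is looked up
# under one fixed base, so a member from another domain is never found.
def uids_single_base(group_dn, base)
  DIRECTORY.fetch(group_dn)["member"].map do |m|
    entry = lookup(m, base) or raise UIDNotFoundException, m
    entry["sAMAccountName"]
  end
end

# Per-member resolution: the search base is taken from the member's own DN,
# so universal group members from any domain in the forest resolve.
def uids_per_member_base(group_dn)
  DIRECTORY.fetch(group_dn)["member"].map do |m|
    entry = lookup(m, domain_base(m)) or raise UIDNotFoundException, m
    entry["sAMAccountName"]
  end
end
```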