
Fixes #9494 - Introduce RFC4519 group membership for posix ldap

Open adamruzicka opened this issue 8 months ago • 7 comments

Requires https://github.com/theforeman/ldap_fluff/pull/88

Steps to reproduce

  1. Have Foreman
  2. Have FreeIPA
  3. Have FreeIPA configured as a type=posix LDAP auth source in Foreman
  4. Create a user in FreeIPA
  5. Create a type=non-posix user group in FreeIPA
  6. Add user from 4 to group from 5
  7. Create an external group in Foreman, mapping to the group created in 5
  8. Log into Foreman as user from 4
  9. (as admin in Foreman) check that the user is not in the external group
  10. (as admin in Foreman) refresh the external group, see the user is there
  11. Log out and log in as user from 4

If everything works, the user should still be in the external group.

TODO:

  • [x] bump dependency on ldap_fluff

adamruzicka avatar Apr 22 '25 16:04 adamruzicka

this new flag is to fix a bug, but is that bug common?

I'm afraid I can't reliably answer that. It is an issue for people running 389DS (or derivatives). In theory it shouldn't hurt to leave this turned on, but I'd still rather stay on the safe side.

adamruzicka avatar Apr 28 '25 08:04 adamruzicka

/packit build

adamruzicka avatar May 07 '25 07:05 adamruzicka

Well, it was worth a try. Anyway, the packaging PR for bumping the version of ldap_fluff was merged ~an hour ago.

adamruzicka avatar May 07 '25 07:05 adamruzicka

@adamruzicka I kicked off https://ci.theforeman.org/job/foreman-nightly-rpm-pipeline/2697/ -- once that has passed, you should have 0.9.0 available for packit.

evgeni avatar May 07 '25 07:05 evgeni

/packit build

evgeni avatar May 07 '25 08:05 evgeni

it built :tada:

evgeni avatar May 07 '25 08:05 evgeni

No actual changes done, just squashed the commits.

adamruzicka avatar May 07 '25 09:05 adamruzicka

Thanks, @adamruzicka, there is nothing from my side except that :robot: :police_officer: is not happy and maybe some of the :copilot: suggestions make sense, mostly for boolean and a new test.

UPD: Although this is confusing, it's just autolink shenanigans in UI (it suggests that this PR is fixing the linked ones :/)

ofedoren avatar Jun 24 '25 13:06 ofedoren

Although this is confusing, it's just autolink shenanigans in UI

Yeah, looks like GitHub can't wrap its head around my Redmine archeology.

adamruzicka avatar Jun 24 '25 17:06 adamruzicka

I think this is the first time I see where our Redmine issue number links to an actual PR. We may see that be a problem more often in the future.

ekohl avatar Jun 25 '25 13:06 ekohl

🍏

adamruzicka avatar Jun 25 '25 14:06 adamruzicka

@ofedoren mind doing the honors when you think it's good to merge?

ekohl avatar Jun 25 '25 14:06 ekohl

@ofedoren mind doing the honors when you think it's good to merge?

That's the third time I'd have pressed the button for this PR. I'd not trust myself, but I'm ready to be shot by "Even AI is better at reviewing" :D

Thanks to everyone involved!

ofedoren avatar Jun 25 '25 15:06 ofedoren