Local groups with AD user account


Is it possible to use local groups stored in MIQ with AD user accounts?

I’ve tried to add local groups to an AD user account. MIQ lets me add the user to the local groups, but when the user logs in again, the local groups are removed from the AD user account.

I suspect MIQ removes the local groups assignment to the users because they are not AD groups the user belongs to. Is there any workaround or alternative solution to have AD user accounts assigned to local groups?


Yes. When a user logs in, httpd should use sssd to authenticate the user. Once the user is authenticated, a local user is created in the database and assigned to groups in the local database, and that also resets existing memberships (at least in our config).

We pre-create the local groups with the same name as the AD ones in ManageIQ every day by querying LDAP and add missing groups through REST. And the http/sssd config assigns the user to the groups in LDAP.

I would assume you can configure this in the httpd or sssd config?

FYI: If that doesn’t work, we run a proxy LDAP between sssd and the real LDAP, which can override entries. We use it to add technical service users and as a quick and dirty fix if the real LDAP’s user record is wrong.
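One way to implement the daily LDAP-to-ManageIQ group reconciliation described above, as an added example that is neither Thomas's script nor ManageIQ's own code: the LDAP result is a constructed list, the REST path, request fields, role and tenant are assumptions, and the HTTP call is injected so the diff logic runs offline.

```python
"""Reconcile ManageIQ local groups with LDAP group names (added example).

Assumptions (not from the thread): group names come from an LDAP query done
elsewhere; ManageIQ's REST API exposes GET /api/groups and
POST /api/groups {"action": "create", ...}; the role and tenant below are
placeholders. The HTTP call is passed in so the logic can run offline.
"""
from typing import Any, Callable, Dict, Iterable, List

# Constructed sample data standing in for the nightly LDAP query result
# and for the current contents of ManageIQ's groups collection.
LDAP_GROUPS = ["cloud-admins", "cloud-operators", "cloud-readonly"]
MIQ_GROUPS = [{"description": "EvmGroup-super_administrator"},
              {"description": "cloud-admins"}]


def missing_groups(ldap_names: Iterable[str],
                   miq_groups: Iterable[Dict[str, Any]]) -> List[str]:
    """Return LDAP group names with no ManageIQ group of that description.

    The comparison is exact and case-sensitive, like the group assignment
    done from LDAP at login, so a case mismatch shows up as missing instead
    of silently leaving the user without the group.
    """
    existing = {g["description"] for g in miq_groups}
    return sorted(set(ldap_names) - existing)


def create_payload(name: str, role: str, tenant_href: str) -> Dict[str, Any]:
    """Build the body for POST /api/groups (field names are assumed)."""
    return {"action": "create",
            "resource": {"description": name,
                         "role": {"name": role},
                         "tenant": {"href": tenant_href}}}


def sync_groups(ldap_names: Iterable[str], miq_groups: Iterable[Dict[str, Any]],
                post: Callable[[str, Dict[str, Any]], Any],
                role: str = "EvmRole-user",
                tenant_href: str = "/api/tenants/1") -> List[str]:
    """Create every missing group via post(path, body); return names created."""
    created = []
    for name in missing_groups(ldap_names, miq_groups):
        post("/api/groups", create_payload(name, role, tenant_href))
        created.append(name)
    return created


if __name__ == "__main__":
    # Dry run: print what would be sent instead of calling ManageIQ.
    print(sync_groups(LDAP_GROUPS, MIQ_GROUPS, lambda p, b: print(p, b)))
```

In a real run, replace the lambda with a function that POSTs the body to the appliance with a session token; a group created this way has the least-privilege role you chose rather than whatever the login path would assign.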

Hello Thomas,

Thank you for your response and your time. This is very much appreciated.

I was expecting to have the option to create local groups in MIQ and assign AD users to these local groups. Simpler is better. Just using AD for authentication.

AD groups may end up being a scarce resource on AD servers. Moreover, using local groups makes sense as it is a local organization based on application needs.

Using AD groups is probably something to avoid because MIQ has to synchronize the group membership from the AD server. This is what it does when the user logs in.

Would there be any “quick” change I could do in the source code to prevent such change?

Best regards