Hi Joe!
Thank you for the links. I did indeed follow the guide that is also mentioned in the blog to enable and configure direct external authentication to Active Directory: ManageIQ
```
/var/www/miq/vmdb/bin/rails runner 'puts Settings.authentication'
#<Config::Options basedn=nil, bind_dn=nil, bind_pwd=nil, bind_timeout=30, debug=false, follow_referrals=false, get_direct_groups=true, group_memberships_max_depth=2, group_attribute="memberof", ldaphost=[], ldapport="389", mode="httpd", max_failed_login_attempts=3, locked_account_timeout="2.minutes", search_timeout=30, user_suffix=nil, user_type="userprincipalname", amazon_key="********", amazon_secret="********", ldap_role=false, amazon_role=false, httpd_role=true, user_proxies=[#<Config::Options>], provider_type="none", local_login_disabled=false, saml_enabled=false, oidc_enabled=false, sso_enabled=false>
```
`/var/www/miq/vmdb/bin/rails runner 'puts MiqGroup.pluck(:description)'` does return valid AD groups that users are members of. I did check with `id username`.
`/var/www/miq/vmdb/bin/rails runner 'puts User.pluck(:userid)'` returns this (among others):
```
username@example.com
user.name@example.com
examplecom\username@example.com
```
So entering the username domain\username in the form produces an examplecom\username@example.com in ManageIQ.
username@domain OR username -> username@example.com
User.Name@domain -> user.name@example.com
The email in all of the cases is user.name@example.com, where givenname = user, surname = name.
/etc/sssd/sssd.conf
```
[sssd]
domains = example.com
config_file_version = 2
services = nss, pam, ifp
default_domain_suffix = example.com

[nss]
homedir_substring = /home

[pam]
default_domain_suffix = example.com

[ifp]
allowed_uids = apache, root
user_attributes = +mail, +givenname, +sn, +displayname, +domainname

[domain/src.si]
ad_domain = example.com
krb5_realm = EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = simple
dyndns_update = true
ad_gpo_ignore_unreadable = True
ad_gpo_map_permit = +httpd-auth
ldap_user_extra_attrs = mail, givenname, sn, displayname, domainname
```
dbus_send does provide the same output as the examples given.
Do you want me to provide any log files in specific? I would like to avoid uploading a ~300MB zip file if possible.
The authentication works and all three users are placed in correct groups so there’s no problem there.
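To illustrate why the `domain\username` login form ends up as a separate user record while the other two collapse onto one, here is an added example (not code from this thread or from ManageIQ): a naive suffixing routine beside one that canonicalizes all three login forms to a single UPN before any user or group lookup. The NetBIOS name `EXAMPLECOM`, the `example.com` DNS domain and the matching rules are assumptions for this lab.

```python
import re

# Assumed lab values (not taken from the thread): the NetBIOS short name and the
# AD DNS domain that default_domain_suffix in sssd.conf would append.
NETBIOS_DOMAIN = "EXAMPLECOM"
DNS_DOMAIN = "example.com"

def naive_suffix(login: str) -> str:
    """Reproduce the behaviour seen in the thread: append the default domain
    suffix to any login that has no '@'. A DOMAIN\\user login is never split,
    so the backslash survives into the stored userid."""
    login = login.strip().lower()
    return login if "@" in login else f"{login}@{DNS_DOMAIN}"

def canonical_upn(login: str) -> str:
    """Map DOMAIN\\user, user@domain and bare user to one lower-case UPN.
    Unknown domains are rejected instead of being silently re-suffixed."""
    login = login.strip()
    if "\\" in login:
        domain, _, user = login.partition("\\")
        if domain.upper() not in (NETBIOS_DOMAIN, DNS_DOMAIN.upper()):
            raise ValueError(f"unknown domain prefix: {domain}")
    elif "@" in login:
        user, _, domain = login.partition("@")
        if domain.lower() != DNS_DOMAIN:
            raise ValueError(f"unknown domain suffix: {domain}")
    else:
        user = login
    user = user.lower()
    # Only allow the characters expected in a sAMAccountName-style user part,
    # so a stray backslash or '@' can never end up inside the stored userid.
    if not re.fullmatch(r"[a-z0-9._-]+", user):
        raise ValueError(f"unexpected characters in user part: {user!r}")
    return f"{user}@{DNS_DOMAIN}"

def distinct_identities(logins, normalize):
    """Return the sorted set of userids a list of logins would create."""
    return sorted({normalize(login) for login in logins})

if __name__ == "__main__":
    # Constructed sample logins: the three forms mentioned in the thread.
    logins = ["username", "username@example.com", "EXAMPLECOM\\username"]
    print(distinct_identities(logins, naive_suffix))   # two records
    print(distinct_identities(logins, canonical_upn))  # one record
```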