[katello-devel] ldap integration expected behavior with a 1:2 User:Group scenario.

Eric Sammons esammons at redhat.com
Wed Sep 5 17:31:24 UTC 2012


I have a scenario where I have a user, let's call him user1, and user1 is a member of two LDAP groups: groupReadOnly and groupAdmin. Yes, this is odd, but it could happen. In Katello, I have set up LDAP groups as follows: groupReadOnly is a member of role Read Everything and groupAdmin is a member of the Administrator role. In this setup, it appears that when user1 logs in they will get the permissions of Administrator, if I did my ABCs correctly.

Are there any plans to address this scenario? It may be that I want user1 to have Read Everything permissions, and with the current behavior this would not be possible, as roles applied are based on the first LDAP group returned that matches a role (ABCs). This may be a matter of simply documenting the behavior so that users are aware they may need to establish specific LDAP groups to satisfy internal security compliance. With that, there are at least 3 options...

Solution 1: The LDAP admin would need to create a unique group, perhaps KatelloAdmin and KatelloReadEverything and then assign the appropriate users to that group. (Document)

Solution 2: Katello could pull back all results and then apply policy (role) with least permission.

Solution 3: Katello could pull back all results and then apply policy (role) with greatest permission.

Also, as a side note, in my testing it looks like user1 is placed into both roles as a user based on the application of the group role, i.e. user1 is now a user member in Read Everything and Administrator. So my question is, do we need to clutter up the user role membership if the LDAP group membership already has the information? This may be desired behavior but wanted to put this out there.

-- 
+--------------------------------------------------------+ 
| Eric L. Sammons                    esammons at redhat.com |
| Senior Quality Assurance Engineer  irc: eanxgeek       |
| Red Hat Quality Engineering        919.754.4963 (w)    |
| rhce  # 805007668329332            919.889.3279 (c)    |
| rhcva # 805007668329332                                |
+--------------------------------------------------------+
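
The resolution behaviours discussed in the message above (first matching group, Solution 2, Solution 3), as an added Ruby example that is not part of the original post and is not Katello's code. The role and group names come from the message; the privilege ranking, the `user2`/`staff` entries and all function names are assumptions made for the illustration.

```ruby
# Added illustration, not Katello code. Sample data below is constructed.
# Assumed privilege ordering, needed to define "least" and "greatest".
ROLE_RANK = { 'Read Everything' => 1, 'Administrator' => 100 }.freeze

# LDAP group -> role mapping as set up in the message.
GROUP_ROLES = {
  'groupAdmin'    => 'Administrator',
  'groupReadOnly' => 'Read Everything'
}.freeze

# Roles reachable through a user's groups, in the order the groups were returned.
def mapped_roles(ldap_groups)
  ldap_groups.map { |g| GROUP_ROLES[g] }.compact.uniq
end

# policy: :first_match (order-dependent), :least (Solution 2), :greatest (Solution 3)
def resolve_role(ldap_groups, policy)
  roles = mapped_roles(ldap_groups)
  return nil if roles.empty?            # no mapped group, no role
  case policy
  when :first_match then roles.first
  # fetch raises KeyError on an unranked role: fail closed instead of guessing
  when :least       then roles.min_by { |r| ROLE_RANK.fetch(r) }
  when :greatest    then roles.max_by { |r| ROLE_RANK.fetch(r) }
  else raise ArgumentError, "unknown policy: #{policy.inspect}"
  end
end

# Audit helper for Solution 1: users whose groups map to more than one role,
# i.e. accounts whose effective role depends on the resolution policy.
def conflicting_users(memberships)
  memberships.each_with_object({}) do |(user, groups), out|
    roles = mapped_roles(groups)
    out[user] = roles if roles.size > 1
  end
end

# Constructed directory data (user2 and staff are hypothetical).
MEMBERSHIPS = {
  'user1' => %w[groupAdmin groupReadOnly],
  'user2' => %w[groupReadOnly staff]
}.freeze

if __FILE__ == $PROGRAM_NAME
  %i[first_match least greatest].each do |policy|
    puts "#{policy}: #{resolve_role(MEMBERSHIPS['user1'], policy)}"
  end
  puts "conflicts: #{conflicting_users(MEMBERSHIPS)}"
end
```

With `:first_match` the result flips when the same two groups are returned in the opposite order, while `:least` and `:greatest` are independent of ordering.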



