Bug #7048

closed

[RFE] Ability to configure default role for users who come in from LDAP

Added by Bryan Kearney almost 10 years ago. Updated over 9 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: -
Target version: -
Difficulty: -
Triaged: -
Fixed in Releases: -
Found in Releases: -

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1110557
Today, the default role is always anonymous. It would be good to allow users to configure the default role which is used when users come in from LDAP.

#1

Updated by Dominic Cleal almost 10 years ago

  • Status changed from New to Feedback

The way this is meant to work is that you assign the role to a user group, then configure the user group via external user groups to sync with one of your LDAP groups (same works for Kerberos/REMOTE_USER type integration). Given that you can assign roles to groups, it doesn't make much sense to try and force roles into LDAP.

#2

Updated by Dominic Cleal over 9 years ago

  • Status changed from Feedback to Rejected

#3

Updated by Cliff Wells over 9 years ago

Dominic Cleal wrote:

The way this is meant to work is that you assign the role to a user group, then configure the user group via external user groups to sync with one of your LDAP groups (same works for Kerberos/REMOTE_USER type integration). Given that you can assign roles to groups, it doesn't make much sense to try and force roles into LDAP.

It seems the bug report is badly misunderstood. Currently, when a user who is in LDAP logs into the UI for the first time, they cannot view anything. An admin must manually assign them a Foreman role. It would be nice to be able to configure Foreman to select a different default role for these new users (e.g. Viewer).

This has nothing to do with putting anything into LDAP.

#4

Updated by Marek Hulán over 9 years ago

I think Dominic is right. A user who comes to Foreman for the first time cannot view anything only if he has no user groups. The way it's supposed to work is that the user belongs to some user group in LDAP (e.g. viewers), there is already a user group viewers in Foreman, and both user groups are associated in Foreman. Also let's suppose that we have view_* permissions assigned to the viewers Foreman user group (through a role). When the user logs into Foreman (even for the first time), Foreman looks up all user groups in LDAP that the user belongs to, finds the associated Foreman internal user groups (viewers) and associates them with the user. Since the user now belongs to the viewers user group, he also has all view_* permissions. The same applies to other authentication sources (whatever is supported by mod_lookup_identity) that give us a list of remote user groups.
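The group sync that the last comment describes, as a constructed Ruby model (an added example, not Foreman's own code): LDAP groups reported at login are mapped to Foreman user groups, which carry roles and therefore permissions. The group names, DNs, roles and permissions below are made up for illustration; the unmapped case shows why a user outside any mapped LDAP group sees nothing.

```ruby
# Constructed model of Foreman's external user group sync (not Foreman code).
# All names, DNs, roles and permissions here are made up for illustration.

# Foreman user groups and the roles assigned to them
USER_GROUP_ROLES = {
  "viewers" => ["Viewer"],
  "ops"     => ["Viewer", "Edit hosts"],
}.freeze

# Permissions granted by each role
ROLE_PERMISSIONS = {
  "Viewer"     => %w[view_hosts view_domains view_reports],
  "Edit hosts" => %w[edit_hosts create_hosts],
}.freeze

# External user group mapping: LDAP group DN -> Foreman user group name
EXTERNAL_GROUP_MAP = {
  "cn=foreman-viewers,ou=groups,dc=example,dc=com" => "viewers",
  "cn=foreman-ops,ou=groups,dc=example,dc=com"     => "ops",
}.freeze

# Resolve the Foreman user groups for a user from the LDAP groups the
# authentication source reports for that user at login. Groups with no
# mapping are ignored, which is what leaves an unmapped user with nothing.
def sync_user_groups(ldap_groups, mapping = EXTERNAL_GROUP_MAP)
  ldap_groups.map { |dn| mapping[dn] }.compact.uniq
end

# Collect the effective permissions a user gets through those user groups.
def effective_permissions(user_groups)
  user_groups
    .flat_map { |ug| USER_GROUP_ROLES.fetch(ug, []) }
    .flat_map { |role| ROLE_PERMISSIONS.fetch(role, []) }
    .uniq
end

if __FILE__ == $PROGRAM_NAME
  # Member of a mapped LDAP group: inherits the group's role permissions.
  ops = sync_user_groups(["cn=foreman-ops,ou=groups,dc=example,dc=com"])
  p effective_permissions(ops)
  # Member of no mapped LDAP group: no user groups, hence no permissions.
  none = sync_user_groups(["cn=staff,ou=groups,dc=example,dc=com"])
  p effective_permissions(none)
end
```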
