Description of problem:

Using ForgeRock as an authentication source in Red Hat Satellite presents several challenges in configuring it to work as expected. The challenges arise from the fact that ForgeRock is like Posix, but uses standard LDAP attributes like Active Directory.

So, setting the 'Server type' in the 'LDAP server' tab under Administer -> Authentication Sources -> [ForgeRock_Auth_Source] to either 'Posix' or 'Active Directory' does not bring in the expected results. The reason behind that is that Satellite enforces certain values for the LDAP attributes based on the 'Server type' value of the authentication source, and there is no way to customize the LDAP attributes of the authentication source neither in the Satellite's web UI, nor via hammer/API.

Please refer to the following KCS for more details:  https://access.redhat.com/solutions/7136807

How reproducible:

As far as I know, only one customer reported the issue so far.

We do not have a ForgeRock DS server to test with.

Is this issue a regression from an earlier version:

No.

Steps to Reproduce:

1. Configure the ForgeRock DS server as an authentication source on Red Hat Satellite server. Set server type to 'Active Directory'.

2. Follow this KCS to configure External user groups on Satellite so first time they are logged in gets added to an organisation and given a role: https://access.redhat.com/solutions/1231433

Actual behavior:

The user is automatically created and placed within the assigned user group, but the assigned user group will not grant its role permissions until the role is manually assign to it.

Expected behavior:
The user is automatically created and placed within the assigned user group, and the assigned user group grant its role permissions without the need to manually assign the role to user group.

Business Impact / Additional info: