Today I am going to talk about (remote) access with satellite.
Apparently, there are a few things that you must know in order to get stuff working correctly.
First of all: Red Hat Identity Manager <-> Satellite coupling for user accounts.
When you create the coupling as an external LDAP source in satellite, by default users get put in the anonymous group with very little rights within satellite. Luckily you can also provide a “group” DN for Identity servers which can then be used to assign groups in satellite.
So create a user group (for instance : Admins) in the satellite user interface. Then in the third (external group) tab , assign a coupling between a redhat identity manager (IDM) group and the local admin group. The source however, must be set to “External” instead of your identity server, I am not sure if this is a bug or works as designed. Now, when users login who have the correct LDAP group, will automaticly be added to the new Admins group on satellite. Now you can assign rights (or even check the full admin checkbox) to the Admin usergroup and the remote access is done.
Now a short paragraph about local webinterface access as the default admin account:
When satellite needs reconfiguring, or reinstalling, Red Hat notes that the admin password gets reset to a default password and you will simply have to change it again. This is not entirely true. You can put the password of the default admin user in /etc/katello-installer/answers.katello-installer.yaml, but doing so is a security risk according to some people. I am noting that if you have root-access , the security risk of this file is negligant, because you can simply run katello-installer without any arguments and it will printout the admin password on the console after a succesful completion.