Bug 1356675 - [AAA] Can't add IPA directory users to VM permissions
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 3.6.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ovirt-4.0.2
Target Release: 4.0.2
Assignee: Ondra Machacek
QA Contact: Jiri Belka
URL:
Whiteboard:
Depends On:
Blocks: 1358286
Reported: 2016-07-14 16:27 UTC by Anitha Udgiri
Modified: 2017-06-22 11:59 UTC
CC List: 14 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1358286
Environment:
Last Closed: 2016-08-23 20:44:07 UTC
oVirt Team: Infra
Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2016:1743 normal SHIPPED_LIVE Red Hat Virtualization Manager 4.0 GA Enhancement (ovirt-engine) 2016-09-02 21:54:01 UTC
oVirt gerrit 60764 master MERGED bll: search: don't replace all occurrences of pattern 2016-07-18 08:05:22 UTC
oVirt gerrit 60892 ovirt-engine-4.0 MERGED bll: search: don't replace all occurrences of pattern 2016-07-18 09:29:19 UTC

Description Anitha Udgiri 2016-07-14 16:27:28 UTC
Created attachment 1179911 [details]
Debug log for the behaviour described

Description of problem:
Site is unable to display any results for IPA when searching/adding new users. 

From the customer: 

I have tried the following, all yield no results:
        "*"
        "thomas*"
        "thomas"
        "thomas stewart"
        "Thomas Stewart"

As a further test, I set the domain to internal and tried the following which both yielded the single "admin" user:
        "*"
        "a*"


The only clue I have found so far is in the /var/log/ovirt-engine/engine.log log file, when I click GO as described above it says:
2016-07-11 09:48:01,035 INFO  [org.ovirt.engine.core.bll.SearchQuery] (ajp-/127.0.0.1:8702-6) [] ResourceManager::searchBusinessObjects - erroneous search text - ''ADUSER:dc= allnames=thomas.stewart''
2016-07-11 09:48:01,039 INFO  [org.ovirt.engine.core.bll.SearchQuery] (ajp-/127.0.0.1:8702-6) [] ResourceManager::searchBusinessObjects - erroneous search text - ''ADGROUP:dc= name=thomas.stewart''

Comment 2 Ondra Machacek 2016-07-14 17:49:36 UTC
It's an issue with search. When the namespace is 'dc=something', it doesn't work properly.

Comment 3 Ondra Machacek 2016-07-14 19:58:44 UTC
As a temporary workaround, just rename the profile name to something different than 'pheunix'.

Comment 5 Javier Coscia 2016-07-15 16:29:56 UTC
(In reply to Ondra Machacek from comment #3)
> As temporary workaround just rename profile name to something different then
> 'pheunix'.

Hi Ondra,

Could you please confirm whether the workaround would be to modify the ovirt.engine.aaa.authn.profile.name value in /etc/ovirt-engine/extensions.d/<profile-name>-authn.properties and restart ovirt-engine afterwards?

Thanks!

Comment 6 Ondra Machacek 2016-07-16 07:29:37 UTC
Hi,

yes, that's correct. But please note that the name can't be any of the following:
 dc=pheunix
 c=pheunix
 =pheunix
 pheunix
 heunix
 eunix
 unix
 nix
 ix
 x

Anything else should be fine (in this specific case).
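
The failure mode behind comments 2 to 6, as an added example that is not part of this bug report or of ovirt-engine's code: a small Python model of a search string from which the authn profile qualifier is stripped before the namespace is parsed. The text layout `<entity>@<profile>:<namespace> <filter>`, the replace-all pattern and the single-replacement fix are assumptions chosen so that the pre-fix path reproduces the logged `ADUSER:dc= allnames=thomas.stewart`; the list of colliding names is taken from comment 6, and the `com` profile with namespace `dc=brq-ipa,dc=example,dc=com` is the case verified in comment 18.

```python
import re

# Constructed model of the engine search text. The layout
# "<entity>@<profile>:<namespace> <filter>" is an assumption, chosen so that
# the pre-fix behaviour below reproduces the line seen in engine.log.
def build_search_text(entity: str, profile: str, namespace: str, filter_expr: str) -> str:
    return f"{entity}@{profile}:{namespace} {filter_expr}"


def strip_profile_buggy(search_text: str, profile: str) -> str:
    """Assumed pre-fix behaviour: delete every occurrence of the profile
    name (with its leading '@' when present). Any namespace that contains
    the profile name as a substring, e.g. 'dc=pheunix' for profile
    'pheunix', is damaged as a side effect."""
    return re.sub(r"@?" + re.escape(profile), "", search_text)


def strip_profile_fixed(search_text: str, profile: str) -> str:
    """Fixed behaviour: delete only the '@<profile>' qualifier that sits
    directly before the ':' separator, and only its first occurrence, so
    the namespace and filter text are never touched."""
    return re.sub(r"@" + re.escape(profile) + r"(?=:)", "", search_text, count=1)


def surviving_namespace(strip, profile: str, namespace: str) -> str:
    """Namespace part left after running `strip` on a constructed query."""
    text = strip(build_search_text("ADUSER", profile, namespace, "allnames=*"), profile)
    return text.split(":", 1)[1].split(" ", 1)[0]


def profile_clobbers_namespace(profile: str, namespace: str) -> bool:
    """True when the pre-fix replace-all would change the namespace. For
    namespace 'dc=pheunix' this is exactly what comment 6 warns about:
    'pheunix', every suffix of it, and '=pheunix', 'c=pheunix',
    'dc=pheunix' all collide."""
    return surviving_namespace(strip_profile_buggy, profile, namespace) != namespace


# Names comment 6 says must not be used as the profile name (taken from the page).
COMMENT_6_NAMES = ["dc=pheunix", "c=pheunix", "=pheunix", "pheunix",
                   "heunix", "eunix", "unix", "nix", "ix", "x"]


if __name__ == "__main__":
    query = build_search_text("ADUSER", "pheunix", "dc=pheunix", "allnames=thomas.stewart")
    print("buggy:", strip_profile_buggy(query, "pheunix"))  # ADUSER:dc= allnames=thomas.stewart
    print("fixed:", strip_profile_fixed(query, "pheunix"))  # ADUSER:dc=pheunix allnames=thomas.stewart
    for name in COMMENT_6_NAMES:
        print(f"{name!r:>14} collides: {profile_clobbers_namespace(name, 'dc=pheunix')}")
    # Comment 18's check: profile "com" inside a namespace ending in dc=com survives the fix.
    print("fixed, com:", surviving_namespace(strip_profile_fixed, "com", "dc=brq-ipa,dc=example,dc=com"))
```

The `profile_clobbers_namespace` check is the practical takeaway for anyone choosing the rename workaround from comment 3: on an unfixed engine, a profile name is safe only if it never appears inside the directory's base DN, which is why short names such as `x` or `unix` are in the list.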

Comment 7 Martin Perina 2016-07-18 08:06:08 UTC
Moving back to post as we need to backport to ovirt-engine-4.0

Comment 16 Ondra Machacek 2016-08-08 15:33:38 UTC
We have an authz-rename-tool, which handles exactly this scenario. It's shipped along with the migration
tool[1].
So in order to use it, install the migration tool and refer to the README[2] section:

  12. [OPTIONAL] Rename authz to match legacy convention.

There are steps there on how to use it.

[1] https://github.com/machacekondra/ovirt-engine-kerbldap-migration/releases/tag/ovirt-engine-kerbldap-migration-1.0.4

[2] https://github.com/machacekondra/ovirt-engine-kerbldap-migration/blob/master/README.md

Comment 18 Jiri Belka 2016-08-18 15:30:20 UTC
ok, ovirt-engine-4.0.2.7-0.1.el7ev.noarch

vdcadmin with the "com" profile name got a VM and logged in successfully to the User Portal

2016-08-18 15:26:31,538 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-6-thread-1) [6661f726] Correlation ID: 6661f726, Call Stack: null, Custom Event ID: -1, Message: User 'vdcadmin' was added successfully to the system.

2016-08-18 15:26:31,685 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-6-thread-1) [6661f726] Correlation ID: 5a9513c8, Call Stack: null, Custom Event ID: -1, Message: User/Group vdcadmin, Namespace dc=brq-ipa,dc=example,dc=com, Authorization provider: com was granted permission for Role UserRole on VM jb-el7-serial, by admin@internal-authz.

2016-08-18 15:27:03,291 INFO  [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-17) [] User vdcadmin@com successfully logged in with scopes: ovirt-app-admin ovirt-app-api ovirt-app-portal ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access

Comment 20 errata-xmlrpc 2016-08-23 20:44:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-1743.html

