Bug 1034236

Summary: ldap ssl connections fails to load LDAP groups available for role
Product: [JBoss] JBoss Operations Network
Component: UI
Version: JON 3.2
Status: CLOSED CURRENTRELEASE
Severity: urgent
Priority: unspecified
Reporter: Sunil Kondkar <skondkar>
Assignee: Simeon Pinder <spinder>
QA Contact: Mike Foley <mfoley>
CC: skondkar, spinder
Target Milestone: CR01
Target Release: JON 3.2.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Bug Blocks: 1012435
Attachments: Screenshot_RoleAssignment_UI, Server_log

Description Sunil Kondkar 2013-11-25 13:21:05 UTC
Description of problem:

Changing the ldap url to point to a secured port and checking the 'SSL' box displays "Failed to load LDAP groups available for role" in message center and the UI query progress shows 'Loading' in role assignment UI. 

The server log displays stack trace with "LDAP communication error: 10.65.201.128:636; socket closed: javax.naming.ServiceUnavailableException: 10.65.201.128:636; socket closed".

Message center in UI shows below:
--------------------------------------------------------------
Message : Failed to load LDAP groups available for role.
Severity : Error
Time : Monday, November 25, 2013 6:16:24 PM UTC+5:30
Root Cause : javax.naming.ServiceUnavailableException:10.65.201.128:636; socket closed
Detail :
java.lang.RuntimeException:[1385383584134] javax.ejb.EJBException:org.rhq.enterprise.server.exception.LdapCommunicationException: javax.naming.ServiceUnavailableException: 10.65.201.128:636; socket closed -> org.rhq.enterprise.server.exception.LdapCommunicationException:javax.naming.ServiceUnavailableException: 10.65.201.128:636; socket closed -> javax.naming.ServiceUnavailableException:10.65.201.128:636; socket closed
--- STACK TRACE FOLLOWS ---
[1385383584134] javax.ejb.EJBException:org.rhq.enterprise.server.exception.LdapCommunicationException: javax.naming.ServiceUnavailableException: 10.65.201.128:636; socket closed -> org.rhq.enterprise.server.exception.LdapCommunicationException:javax.naming.ServiceUnavailableException: 10.65.201.128:636; socket closed -> javax.naming.ServiceUnavailableException:10.65.201.128:636; socket closed
   at Unknown.RuntimeException_0(Unknown Source)
   at Unknown.instantiate_32(Unknown Source)
   at Unknown.$instantiate_0(Unknown Source)
   at Unknown.$instantiate(Unknown Source)
   at Unknown.$readObject(Unknown Source)
   at Unknown.$onResponseReceived(Unknown Source)
   at Unknown.onResponseReceived_6(Unknown Source)
   at Unknown.$fireOnResponseReceived(Unknown Source)
   at Unknown.onReadyStateChange_0(Unknown Source)
   at Unknown.anonymous(Unknown Source)
   at Unknown.apply(Unknown Source)
   at Unknown.entry0(Unknown Source)
   at Unknown.anonymous(Unknown Source)
   at Unknown.anonymous(Unknown Source)
----------------------------------------

Please refer to the attached screenshot of the role assignment UI and the server log for the stack trace.

Version-Release number of selected component (if applicable):

JON Version : 3.2.0.ER7 Build Number : e8e6401:ff0061d
LDAP server: Windows 2003 Active directory server

How reproducible:

Always

Steps to Reproduce:

1. Configure JON server to use an ldap server over non-ssl.
2. Verify that user is able to browse available groups in role assignment UI
3. Change the ldap url to point to a secured port and check the 'SSL' box. 
4. Navigate to role assignment UI.
5. Click on LDAP groups tab.
6. The query progress shows 'Loading' and ldap groups are not displayed in available roles.
7. UI shows a message in message center 'Failed to load LDAP groups available for role'.
8. Server log shows stack trace.


Actual results:

ldap ssl connections fails to load LDAP groups available for role

Expected results:

ldap ssl connections should work and load LDAP groups available for role in role assignment UI.

Additional info:

Comment 1 Sunil Kondkar 2013-11-25 13:22:17 UTC
Created attachment 828671
Screenshot_RoleAssignment_UI

Comment 2 Sunil Kondkar 2013-11-25 13:22:47 UTC
Created attachment 828672
Server_log

Comment 3 Mike Foley 2013-11-25 13:26:22 UTC
added GA blocker to flag this for discussion and triage

Comment 4 Mike Foley 2013-11-25 13:50:54 UTC
sunil ... can you verify the validity of this BZ ...

"Caused by: org.rhq.enterprise.server.exception.LdapCommunicationException: javax.naming.ServiceUnavailableException: 10.65.201.128:636; socket closed"  -- that probably means SSL is not set up correctly. skondkar did not write in the BZ if he imported any server certificate or public key etc. into his JON jvm. If he did not, then SSL handshake probably failed and the LDAP-server closed the connection for that reason

Comment 5 Sunil Kondkar 2013-11-25 15:06:03 UTC
Tested with JON 3.2 alpha53 build where the SSL connection was working.
(Version: 3.2.0.ALPHA_QA Build Number: 1878d58:5e6b489 )

More details on steps:

1. Navigate to Administration->system Settings
2. Enter below details in LDAP Configuration Properties:

3. Enable LDAP : Yes
4. Search Base: dc=pnq,dc=redhat,dc=com
5. Username: cn=Administrator,cn=users,dc=pnq,dc=redhat,dc=com
6. Password: redhat
7. Search Filter: objectclass=*
8. Group Search Filter: objectclass=group
9. Group Member Filter: member
10. Use Group Query Paging: Yes
11. Group Search Page Size: 1000
12. Is PosixGroup: No
13. Login Property: cn
14. LDAP URL: ldap://10.65.201.128:636
15. SSL: Yes
16. Click save
17. Navigate to role assignment UI.


The connection works on JON3.2 Alpha53 build and displays available LDAP groups in role assignment UI
The connection fails to display LDAP roles in JON3.2 ER7 build as described in the bug.
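
Added example, not part of the bug report and not RHQ code: with Java's JNDI LDAP provider, an `ldap://` URL like the one in comment 5 is only wrapped in TLS when `java.naming.security.protocol` is set to `ssl` (or the scheme is `ldaps`), so a client that loses the SSL setting sends cleartext LDAP to port 636 and the TLS handshake never happens. The class and method names are hypothetical and the bind password is a placeholder.

```java
import java.net.URI;
import java.util.Hashtable;
import javax.naming.Context;

// Hypothetical helper, not RHQ code: maps the UI's "LDAP URL" and "SSL" settings to JNDI.
public class LdapEnvCheck {

    static Hashtable<String, String> buildEnv(String url, boolean ssl, String bindDn, String pw) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, pw);
        if (ssl) {
            // Without this key an ldap:// URL is spoken in cleartext, whatever the port.
            env.put(Context.SECURITY_PROTOCOL, "ssl");
        }
        return env;
    }

    // True when the JNDI LDAP provider will negotiate TLS for this environment.
    static boolean willUseTls(Hashtable<String, String> env) {
        String scheme = URI.create(env.get(Context.PROVIDER_URL)).getScheme();
        return "ldaps".equalsIgnoreCase(scheme)
                || "ssl".equalsIgnoreCase(env.get(Context.SECURITY_PROTOCOL));
    }

    // Returns a description of a port/transport mismatch, or null when consistent.
    static String mismatch(Hashtable<String, String> env) {
        boolean tls = willUseTls(env);
        int port = URI.create(env.get(Context.PROVIDER_URL)).getPort();
        if (port == -1) port = tls ? 636 : 389; // LDAP default ports
        if (port == 636 && !tls) return "cleartext LDAP to LDAPS port 636; TLS handshake cannot complete";
        if (port == 389 && tls) return "TLS ClientHello to cleartext LDAP port 389";
        return null;
    }

    public static void main(String[] args) {
        String url = "ldap://10.65.201.128:636"; // LDAP URL from comment 5
        String dn = "cn=Administrator,cn=users,dc=pnq,dc=redhat,dc=com";
        String pw = "<bind-password>"; // placeholder
        // SSL box checked and honoured: transport and port agree.
        System.out.println("ssl honoured: " + mismatch(buildEnv(url, true, dn, pw)));
        // SSL setting lost on the way to JNDI: cleartext bytes reach port 636.
        System.out.println("ssl dropped:  " + mismatch(buildEnv(url, false, dn, pw)));
    }
}
```

A missing or untrusted server certificate in the JVM truststore, the cause suggested in comment 4, is a separate failure that this check does not cover.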

Comment 7 Simeon Pinder 2013-11-26 05:56:53 UTC
This is fixed with commit e5887ddb552e80 to release/jon3.2.x.  Moving this to MODIFIED for testing/re-testing with next brew build. 

The fix is a one line fix in the LDAPGroupManagerBean around ssl handling and does not affect any other functionality.

We missed this in manual testing as I am not currently aware of any automated cli or UI testing that covers this specific use case.  Automated testing in this area will involve installation, configuration and integration of an additional server with a running JON server.  We should put some more effort into this area if possible although if it was easier we would have already added such automation.

From the dev side, this is leftover fallout from property migration throughout the product that occurred several months ago. This permutation was not explicitly exercised since that change.

Comment 8 Simeon Pinder 2013-12-03 23:19:38 UTC
Moving to ON_QA for testing in latest(CR1) brew build.

Comment 9 Sunil Kondkar 2013-12-04 11:47:10 UTC
Verified on Version : 3.2.0.CR1 Build Number :6ecd678:d0dc0b6

LDAP ssl connection works and LDAP groups are available in role assignment UI.
Verified ldap authentication and authorization is working with ssl and non-ssl connections.
Verified on Windows 2003 Active directory server and Red Hat Directory Server 8.2.0.