Bug 1117488

Summary: [AAA] Unable to search all users via REST or UI
Product: [Retired] oVirt
Reporter: Ondra Machacek <omachace>
Component: ovirt-engine-webadmin
Assignee: Ravi Nori <rnori>
Status: CLOSED CURRENTRELEASE
QA Contact: Ondra Machacek <omachace>
Severity: high
Docs Contact:
Priority: unspecified
Version: 3.5
CC: alonbl, ecohen, gklein, iheim, mgoldboi, omachace, oourfali, rbalakri, rnori, yeylon
Target Milestone: ---
Target Release: 3.5.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: infra
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-10-17 12:24:40 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1076964
Attachments (description: flags):
engine.log: none
multi.properties: none
multiZ.properties: none
engine.log: none

Description Ondra Machacek 2014-07-08 19:23:00 UTC
Created attachment 916534
engine.log

Description of problem:


Version-Release number of selected component (if applicable):
ovirt-engine-extension-aaa-ldap-0.0.0-0.0.master.el6_5.noarch
unboundid-ldapsdk-2.3.7-0.0.snap.r530.el6_5.noarch
ovirt-engine-3.5.0-0.0.master.20140629172257.git0b16ed7.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. engine-manage-domains add --domain=ad-w2k12r2.rhev.lab.eng.brq.redhat.com --user=vdcadmin --provider=activedirectory
2. GET https://engine/ovirt-engine/api/domains/6d756c74-695a-6d75-6c74-695a6d756c74/users

Actual results:
<fault><reason>Operation Failed</reason><detail/></fault>

Expected results:
list of users

Additional info:

Comment 1 Ondra Machacek 2014-07-08 19:43:06 UTC
Created attachment 916544
multi.properties

I specified the wrong steps to reproduce.

The correct ones are:
1) install:
 * ovirt-engine-extension-aaa-ldap-0.0.0-0.0.master.el6_5.noarch
 * unboundid-ldapsdk-2.3.7-0.0.snap.r530.el6_5.noarch

2) add files from attachment to /etc/ovirt-engine/extensions.d/
3) service ovirt-engine restart
4) GET https://engine/ovirt-engine/api/domains/6d756c74-695a-6d75-6c74-695a6d756c74/users

Comment 2 Ondra Machacek 2014-07-08 19:43:34 UTC
Created attachment 916546
multiZ.properties

Comment 3 Alon Bar-Lev 2014-07-10 12:18:36 UTC
2014-07-10 15:17:17,627 ERROR [org.ovirt.engine.core.bll.SearchQuery] (http--0.0.0.0-8080-3) Query SearchQuery failed. Exception message is null : java.lang.NullPointerException: java.lang.NullPointerException
        at org.ovirt.engine.core.bll.SearchQuery.searchDirectoryUsers(SearchQuery.java:180) [bll.jar:]
        at org.ovirt.engine.core.bll.SearchQuery.executeQueryCommand(SearchQuery.java:69) [bll.jar:]
        at org.ovirt.engine.core.bll.QueriesCommandBase.executeCommand(QueriesCommandBase.java:73) [bll.jar:]
        at org.ovirt.engine.core.dal.VdcCommandBase.execute(VdcCommandBase.java:31) [dal.jar:]

Comment 4 Alon Bar-Lev 2014-07-10 12:20:21 UTC
Known issue[1]

        ExtensionProxy authz = AuthenticationProfileRepository.getInstance().getProfile(data.getDomain()).getAuthz();

[1] http://gerrit.ovirt.org/#/c/28722/

Comment 5 Yair Zaslavsky 2014-07-18 02:07:03 UTC
Has to be merged to ovirt-3.5 branch.

Comment 6 Ondra Machacek 2014-07-29 10:24:07 UTC
Created attachment 922100
engine.log

Now getting NPE on 3 lines below.

2014-07-29 12:19:55,702 ERROR [org.ovirt.engine.core.bll.SearchQuery] (ajp--127.0.0.1-8702-1) Query SearchQuery failed. Exception message is null : java.lang.NullPointerException: java.lang.NullPointerException
	at org.ovirt.engine.core.bll.SearchQuery.searchDirectoryUsers(SearchQuery.java:183) [bll.jar:]
	at org.ovirt.engine.core.bll.SearchQuery.executeQueryCommand(SearchQuery.java:70) [bll.jar:]
	at org.ovirt.engine.core.bll.QueriesCommandBase.executeCommand(QueriesCommandBase.java:73) [bll.jar:]
	at org.ovirt.engine.core.dal.VdcCommandBase.execute(VdcCommandBase.java:31) [dal.jar:]

Comment 7 Alon Bar-Lev 2014-07-29 10:49:12 UTC
what version do you use? there was a mess in moving to on qa.
please use latest nightly to check aaa

Comment 8 Ondra Machacek 2014-07-29 12:23:03 UTC
I tried:
* ovirt-engine-backend-3.5.0-0.0.master.20140726172544.git8e1babc.el6.noarch.rpm
from http://ovirt-mirror.eng.lab.tlv.redhat.com/pub/ovirt-3.5-snapshot

and

* ovirt-engine-backend-3.5.0-0.0.master.20140722232058.git8e1babc.el6.noarch.rpm
from http://ovirt-mirror.eng.lab.tlv.redhat.com/pub/ovirt-3.5-pre/

Neither of them worked; the same NPE is printed.

Comment 9 Alon Bar-Lev 2014-07-29 14:10:35 UTC
Please state exact environment and configuration to allow reproduction, comment#0 is confusing, either you use legacy or new provider...

Comment 10 Alon Bar-Lev 2014-07-29 14:17:49 UTC
if you tested this using the legacy provider, please also try to test using the new provider.

I have this working correctly with this domain and new provider, so maybe this is a bug in the legacy provider and this one is resolved.

Comment 11 Ondra Machacek 2014-07-29 14:29:45 UTC
ovirt-engine-extension-aaa-ldap-0.0.0-0.0.1.master.el6_5.noarch
ovirt-engine-backend-3.5.0-0.0.master.20140726172544.git8e1babc.el6.noarch


Using the new provider. Just specify that you want to use SSL/TLS. Set insecure = false,
and don't provide a truststore. In general, when a wrong configuration is specified
and the provider is added (not ignored on startup), it causes this NPE when
searching for users in this LDAP.

Steps:
$ cat > /etc/ovirt-engine/extensions.d/ldap-authn-ipa1.properties << "EOT"
ovirt.engine.extension.enabled = true
ovirt.engine.extension.name = ldap-authn-ipa1
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
config.profile.file.1 = /tmp/brq-ipa.rhev.lab.eng.brq.redhat.com.properties
ovirt.engine.aaa.authn.profile.name = ldap-ipa1
ovirt.engine.aaa.authn.authz.plugin = ldap-authz-ipa1
EOT

$ cat >  /etc/ovirt-engine/extensions.d/ldap-authz-ipa1.properties << "EOT"
ovirt.engine.extension.enabled = true
ovirt.engine.extension.name = ldap-authz-ipa1
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /tmp/brq-ipa.rhev.lab.eng.brq.redhat.com.properties
EOT

$ cat > /tmp/brq-ipa.rhev.lab.eng.brq.redhat.com.properties << "EOT"
include = <ipa.properties>

vars.user = uid=vdcadmin,cn=users,cn=accounts,dc=brq-ipa,dc=rhev,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
vars.password = 123456
vars.domain = rhev.lab.eng.brq.redhat.com
vars.server = brq-ipa.${global:vars.domain}

pool.default.serverset.single.server = ${global:vars.server}
pool.default.serverset.single.port = 636
pool.default.ssl.enable = true
pool.default.ssl.insecure = false
#pool.default.ssl.truststore.file = /tmp/ipa.ts
#pool.default.ssl.truststore.password = 123456
EOT

$ service ovirt-engine restart

Go to API/webadmin and search for users in this domain.

Comment 12 Alon Bar-Lev 2014-07-29 14:35:45 UTC
> In general when wrong configuration is specified,
> and provider is added (not ignored on startup), then it causes this NPE when
> searching for users in this LDAP.

so if provider is valid there is no issue?

if so, this is a different bug... please close this one... and open a new...

Comment 13 Alon Bar-Lev 2014-07-29 14:46:27 UTC
BTW: I applied configuration of comment#11 I get:

<fault><reason>Operation Failed</reason><detail>trust store must be provided</detail></fault>

using ovirt-engine-3.5 branch commit e7700b8b from Thu Jun 19 09:35:23 2014

Comment 14 Ondra Machacek 2014-07-29 15:24:56 UTC
Verified. With correctly configured ldap provider, users can be searched.

Comment 15 Pavel Stehlik 2014-08-06 11:26:42 UTC
*** Bug 1118251 has been marked as a duplicate of this bug. ***

Comment 16 Sandro Bonazzola 2014-10-17 12:24:40 UTC
oVirt 3.5 has been released and should include the fix for this issue.