Bug 1151127
| Summary: | [AD] fetchPrincipalRecord returns invalid record if pools are not authenticated | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [oVirt] ovirt-engine-extension-aaa-ldap | Reporter: | Ondra Machacek <omachace> | ||||
| Component: | Profile.ad | Assignee: | Alon Bar-Lev <alonbl> | ||||
| Status: | CLOSED WORKSFORME | QA Contact: | Ondra Machacek <omachace> | ||||
| Severity: | high | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | master | CC: | alonbl, bazulay, bugs, ecohen, gklein, iheim, lpeer, lsurette, omachace, oourfali, rbalakri, Rhev-m-bugs, yeylon, yzaslavs | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | infra | ||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2015-02-11 20:43:06 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | Infra | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 1063095 | ||||||
| Attachments: |
|
||||||
You probably forgot to mention assigning permissions to vdcadmin somehow? It's not needed for reproducing. The gc pool was not authenticated in this case.
Adding the following resolves the issue.
pool.gc.auth.type = digest-md5
pool.gc.auth.digest-md5.authenticationID = ${global:vars.user}
pool.gc.auth.digest-md5.password = ${global:vars.password}
However, there should have been a proper failure.
took me a while... but per configuration in comment#0 is incorrect. it should be: --- include = <ad.properties> vars.domain = qa.lab.tlv.redhat.com vars.user = vdcadmin vars.password = xxxxxx vars.server = qa1.${global:vars.domain} pool.default.serverset.type = single pool.default.serverset.single.server = ${global:vars.server} pool.default.auth.simple.bindDN = ${global:vars.user}@${global:vars.domain} pool.default.auth.simple.password = ${global:vars.password} pool.default.auth.digest-md5.authenticationID = ${global:vars.user} pool.default.auth.digest-md5.realm = ${global:vars.domain} pool.default.auth.digest-md5.password = ${global:vars.password} auth-check.default.auth.type = digest-md5 pool.authz.auth.type = digest-md5 //pool.gc.auth.type = digest-md5 --- active directory requires gc access to be authenticated, so we must provide credentials to all pools, the authn will not perform authentication so it is good. however, active directory user format differs when using digest-md5 and simple, so we need to provide correct credentials to each if we do not set the gc pool to perform digest-md5 as well. |
Created attachment 945381 [details] engine.log Description of problem: Version-Release number of selected component (if applicable): vt5 How reproducible: always Steps to Reproduce: 1. install ovirt-engine-extension-aaa-ldap-0.0.0-0.0.4.master.el6ev.noarch 2. -- conf_ldap-authn-test_digest_ad.properties -- include = <ad.properties> vars.user = vdcadmin vars.password = xxxxxx vars.server = qa1.qa.lab.tlv.redhat.com pool.default.serverset.type = single pool.default.serverset.single.server = ${global:vars.server} auth-check.default.auth.type = digest-md5 pool.authz.auth.type = digest-md5 pool.authz.auth.digest-md5.authenticationID = ${global:vars.user} pool.authz.auth.digest-md5.password = ${global:vars.password} -- ldap-authn-test_digest_ad.properties -- ovirt.engine.extension.enabled = true ovirt.engine.extension.name = ldap-auth-test_digest_ad ovirt.engine.extension.bindings.method = jbossmodule ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn config.profile.file.1 = /etc/ovirt-engine/extensions.d/conf_ldap-authn-test_digest_ad.properties ovirt.engine.aaa.authn.profile.name = ldap-authn-test_digest_ad ovirt.engine.aaa.authn.authz.plugin = ldap-authz-test_digest_ad -- ldap-authz-test_digest_ad.properties -- ovirt.engine.extension.enabled = true ovirt.engine.extension.name = ldap-authz-test_digest_ad ovirt.engine.extension.bindings.method = jbossmodule ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz config.profile.file.1 = /etc/ovirt-engine/extensions.d/conf_ldap-authn-test_digest_ad.propertie 3. Login as user vdcadmin from ldap-auth-test_digest_ad to engine. Actual results: User can't login. Expected results: User successfully logged in. Additional info: