Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1165775

Summary: oo-admin-ctl-team does not parse uniqueMember LDAP attributes correctly
Product: OpenShift Container Platform Reporter: Evgheni Dereveanchin <ederevea>
Component: NodeAssignee: Brenton Leanhardt <bleanhar>
Status: CLOSED ERRATA QA Contact: libra bugs <libra-bugs>
Severity: medium Docs Contact:
Priority: high    
Version: 2.1.0CC: bleanhar, erich, jialiu, jokerman, libra-onpremise-devel, mmccomas, ofayans, pep, xiama
Target Milestone: ---Keywords: EasyFix, Patch
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
URL: https://github.com/openshift/origin-server/blob/master/broker-util/oo-admin-ctl-team#L429-L441
Whiteboard:
Fixed In Version: openshift-origin-broker-util-1.32.1.1-1 Doc Type: Bug Fix
Doc Text:
Cause: oo-admin-ctl-team does not parse uniqueMember LDAP attributes correctly Consequence: You could not provide a full DN when specifying uniqueMember attributes Fix: oo-admin-ctl-team now splits uniqueMember attributes at the first ',' character. Result: uniqueMember attributes may now contain a full DN.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-01-08 15:34:28 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Evgheni Dereveanchin 2014-11-19 16:36:35 UTC 
Description of problem:
According to the RFC, the uniqueMember LDAP attribute is a full DN path:
http://tools.ietf.org/html/rfc4519#section-2.40

Example:
uniqueMember: uid=username,ou=team,o=example.local

oo-admin-ctl-team however expect this to be a UID only, for example:
uniqueMember: uid=username

Version-Release number of selected component (if applicable):
2.1

How reproducible:
Always

Steps to Reproduce:
1. create group on LDAP server using uniqueMember for groups
2. create a team
3. try to sync users

Actual results:

process fails with error

Getting user: "uid=username,ou=team,o=example.local"
/usr/sbin/oo-admin-ctl-team:412:in `get_user': Could not find an entry matching "username,ou" (Exception)
        from /usr/sbin/oo-admin-ctl-team:381:in `block (2 levels) in get_users_in_group'
        from /usr/sbin/oo-admin-ctl-team:379:in `each'
        from /usr/sbin/oo-admin-ctl-team:379:in `block in get_users_in_group'
        from /usr/sbin/oo-admin-ctl-team:369:in `each'
        from /usr/sbin/oo-admin-ctl-team:369:in `get_users_in_group'
        from /usr/sbin/oo-admin-ctl-team:228:in `block in sync_to_file'
        from /usr/sbin/oo-admin-ctl-team:227:in `each'
        from /usr/sbin/oo-admin-ctl-team:227:in `sync_to_file'
        from /usr/sbin/oo-admin-ctl-team:521:in `<main>'
Expected results:
users imported successfully

Additional info:
get_user function splits the value using separator "=" and uses only the second value of the resulting array which is not correct:

    def get_user(user_id)
      puts "Getting user: \"#{user_id}\""
      user_id = user_id.split("=")[1] if user_id.include? "="
      base = @ldap_config["Get-User"]["Base"]
      filter = Net::LDAP::Filter.construct(@ldap_config["Get-User"]["Filter"].gsub("<user_id>", user_id))
      attributes = @ldap_config["Get-User"]["Attributes"]
      entries = @ldap.search(:base => base, :filter => filter, :attributes => attributes)
      raise Exception.new("Could not find an entry matching \"#{user_id}\"") if entries.count < 1
      raise Exception.new("Found more than one entry matching \"#{user_id}\"") if entries.count > 1
      entry = entries.first
      puts "Found user dn:\"#{entry.dn}\""
      return entry[@ldap_config["Openshift-Username"]].first
    end
Comment 6 openshift-github-bot 2014-11-19 19:57:13 UTC 
Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/512e3eb7cfb4b208dd888e363b49989187bde2b0
Support full DNs in LDAP group members

Split first using commas.  Assumes there's no ',' or '=' in the uid.

Bug 1165775 oo-admin-ctl-team does not parse uniqueMember LDAP ...
Comment 9 Ma xiaoqiang 2014-12-09 05:39:10 UTC 
Check on puddle [2.2.z/2014-12-08.1]


1. add group and member
cat >member.ldif <<EOF
dn: cn=group1,ou=Groups,dc=my-domain,dc=com
objectclass: groupOfUniqueNames
cn: group1
uniqueMember: uid=zzhao,ou=People,dc=my-domain,dc=com


dn: uid=zzhao,ou=People,dc=my-domain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: Firstname Lastname
uid: zzhao
uidNumber: 3001
gidNumber: 3001
homeDirectory: /home/adminhomedir
loginShell: /bin/bash
userPassword: 214214
EOF
# ldapadd -x -D "cn=Manager,dc=my-domain,dc=com" -W -f member.ldif

2. Create one config.yml in /usr/local/tmp on broker
  cat >config.yml <<EOF
Host: ec2-54-83-240-44.compute-1.amazonaws.com   # change to your LDAP instance
Port: 636
Encryption: true
#Username: cn=Manager,dc=my-domain,dc=com
#Password: redhat

Get-Group:
  Base: dc=my-domain,dc=com
  Filter: (cn=<group_cn>)

Get-Group-Users:
  Base: <group_dn>
  Attributes: [uniqueMember]

Get-User:
  Base: dc=my-domain,dc=com
  Filter: (uid=<user_id>)
  Attributes: [uid]

Openshift-Username: uid
EOF

3. reproduce this issue
# vim /usr/sbin/oo-admin-ctl-team 
431       #user_id = user_id.split(",")[0] if user_id.include? ","
# oo-admin-ctl-team -c create  --groups "group1" --config-file config.yml 
# oo-admin-ctl-team -c sync   --create-new-users  --config-file  config.yml
/usr/sbin/oo-admin-ctl-team:437:in `get_user': Could not find an entry matching "zzhao,ou" (Exception)
	from /usr/sbin/oo-admin-ctl-team:405:in `block (2 levels) in get_users_in_group'

4. check new feature
# vim /usr/sbin/oo-admin-ctl-team 
431       user_id = user_id.split(",")[0] if user_id.include? ","
# oo-admin-ctl-team -c sync   --create-new-users  --config-file  config.yml
Getting users in group: "cn=group1,ou=Groups,dc=my-domain,dc=com"
Getting user: "uid=zzhao,ou=People,dc=my-domain,dc=com"
Found user dn:"uid=zzhao,ou=People,dc=my-domain,dc=com"
Found users: ["zzhao"]
Adding new user: "zzhao"


It works, so move it to VERIFIED.
Comment 11 errata-xmlrpc 2015-01-08 15:34:28 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0019.html