Bug 1171395

Summary: [aaa][kerbldap] freeIPA 4.x base dn should be obtained using defaultNamingContext
Product: [Retired] oVirt
Reporter: Stanislav Mikhalevich <msio57>
Component: ovirt-engine-core
Assignee: Oved Ourfali <oourfali>
Status: CLOSED CURRENTRELEASE
QA Contact: Ondra Machacek <omachace>
Severity: urgent
Priority: unspecified
Version: 3.5
CC: alonbl, baumanmo, bugs, ecohen, gklein, lsurette, omachace, oourfali, rbalakri, yeylon
Target Milestone: ---
Keywords: Reopened
Target Release: 3.5.1
Hardware: Unspecified
OS: Unspecified
Whiteboard: infra
Fixed In Version: ovirt-3.5.1_rc1
Doc Type: Bug Fix
Story Points: ---
Clone Of:
: 1213387
Last Closed: 2015-09-04 12:48:11 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: Infra
Cloudforms Team: ---
Bug Blocks: 1063095, 1193058, 1196662, 1197441, 1213387
Attachments (flags: none on all):
engine.log
Wireshark dump
engine.log
ovirt.pcapng
engine.log
ovirt.pcapng

Description Stanislav Mikhalevich 2014-12-06 10:34:21 UTC
Created attachment 965413
engine.log

Description of problem:
Ovirt-engine can't get user list from freeipa 4.1.2 domain.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Install ovirt 3.5 (centos 6.6)
2. Install freeipa 4.1.2 (centos 7, minssf set to 1)
3. Add domain via engine-manage-domains
4. Restart ovirt-engine

Actual results:
Can't login to webadmin portal (user has been added)
Can't get the list of users from the domain via WebAdmin -> Configure -> Add System Permission to User

Expected results:


Additional info:

Comment 1 Stanislav Mikhalevich 2014-12-06 10:58:45 UTC
Created attachment 965415
Wireshark dump

192.168.100.225 (ovirt.example.com)
192.168.100.244 (ipa.example.com)

Comment 2 Stanislav Mikhalevich 2014-12-07 16:44:48 UTC
Created attachment 965584
engine.log

The first engine.log is incorrect. Before that I tested ovirt-engine-expansions-aaa-ldap and deleted it correctly (the extension works).
This log is obtained after a clean install of ovirt.

Comment 3 Stanislav Mikhalevich 2014-12-07 16:47:29 UTC
Created attachment 965587
ovirt.pcapng

Comment 4 Stanislav Mikhalevich 2014-12-07 17:04:43 UTC
Created attachment 965599
engine.log

After
engine-config -s SASL_QOP=auth
service ovirt-engine restart
engine-manage-domains delete --domain=example.com
service ovirt-engine restart
engine-manage-domains add --domain=example.com --provider=ipa --user=admin --add-permissions
service ovirt-engine restart

Comment 5 Stanislav Mikhalevich 2014-12-07 17:06:14 UTC
Created attachment 965600
ovirt.pcapng

Comment 6 Ondra Machacek 2014-12-09 10:10:28 UTC
I think the problem is that for ipa, ovirt takes the first namingContext in the root DSE:

$ ldapsearch  -LLL -x -h brq-ipa7.rhev.lab.eng.brq.redhat.com -p 389 -b '' -s base 
dn:
objectClass: top
namingContexts: cn=changelog
namingContexts: dc=brq-ipa7,dc=rhev,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
namingContexts: o=ipaca
defaultnamingcontext: dc=brq-ipa7,dc=rhev,dc=lab,dc=eng,dc=brq,dc=redhat,dc=co
 m

$ ldapsearch  -LLL -x -h brq-ipa.rhev.lab.eng.brq.redhat.com -p 389 -b '' -s base 
dn:
objectClass: top
namingContexts: dc=brq-ipa,dc=rhev,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
defaultnamingcontext: dc=brq-ipa,dc=rhev,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com


which for ipa 4.1.2 is "cn=changelog"; it was not there in ipa 3.

It should look for defaultnamingcontext, not namingContexts.
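
The selection logic described in comment 6, as an added example that is not oVirt's code: it parses the two root DSE listings quoted above (embedded here as sample input so it runs offline; no LDAP connection is made) and contrasts the old choice, the first namingContexts value, with the proposed one, defaultNamingContext with a fallback to namingContexts. The function names are this example's own, and the parser handles the LDIF line folding visible in the ipa 4.1.2 output (the " m" continuation line), since a naive line parser would otherwise truncate the base DN.

```python
"""Choose an LDAP base DN from a root DSE, preferring defaultNamingContext.

Added example, not oVirt's code. The root DSE text below is copied from the
ldapsearch output quoted in comment 6 and embedded as sample input so that the
script runs offline; nothing here talks to a directory server.
"""
from typing import Dict, List, Optional

# Sample input: root DSE of the IPA 4.1.2 server quoted in comment 6. The
# " m" line is genuine LDIF folding (a continuation line starts with a space).
IPA4_ROOT_DSE = """\
dn:
objectClass: top
namingContexts: cn=changelog
namingContexts: dc=brq-ipa7,dc=rhev,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
namingContexts: o=ipaca
defaultnamingcontext: dc=brq-ipa7,dc=rhev,dc=lab,dc=eng,dc=brq,dc=redhat,dc=co
 m
"""

# Sample input: root DSE of the IPA 3 server quoted in the same comment.
IPA3_ROOT_DSE = """\
dn:
objectClass: top
namingContexts: dc=brq-ipa,dc=rhev,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
defaultnamingcontext: dc=brq-ipa,dc=rhev,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
"""


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse a single LDIF entry into {attribute (lowercased): [values]}.

    Unfolds continuation lines and keeps multi-valued attributes in order.
    Attribute names are lowercased because LDAP treats them case-insensitively:
    389-ds prints 'defaultnamingcontext' for the 'defaultNamingContext' attribute.
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # LDIF folding: glue onto previous line
        elif raw.strip():
            unfolded.append(raw)
    entry: Dict[str, List[str]] = {}
    for line in unfolded:
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def base_dn_first_naming_context(rootdse: Dict[str, List[str]]) -> Optional[str]:
    """The behaviour the bug describes: take the first namingContexts value.

    On the 4.1.2 server that is 'cn=changelog', which holds no user entries,
    so every subsequent user search comes back empty.
    """
    contexts = rootdse.get("namingcontexts", [])
    return contexts[0] if contexts else None


def base_dn_default_naming_context(rootdse: Dict[str, List[str]]) -> Optional[str]:
    """The fix proposed in comment 6: prefer defaultNamingContext.

    Falls back to the first namingContexts value only when the server does
    not publish defaultNamingContext at all.
    """
    default = rootdse.get("defaultnamingcontext")
    if default:
        return default[0]
    return base_dn_first_naming_context(rootdse)


def main() -> None:
    for label, text in (("ipa 4.1.2", IPA4_ROOT_DSE), ("ipa 3", IPA3_ROOT_DSE)):
        dse = parse_ldif_entry(text)
        print(f"{label}: first namingContexts -> {base_dn_first_naming_context(dse)}")
        print(f"{label}: defaultNamingContext -> {base_dn_default_naming_context(dse)}")


if __name__ == "__main__":
    main()
```

Running it prints "cn=changelog" as the old choice for the 4.1.2 server and the dc=brq-ipa7,... DN for the new one, while both choices agree on the IPA 3 server, which is why the symptom only appeared after the upgrade. A server that publishes neither attribute still needs an explicitly configured base DN; the fallback here is only for servers that lack defaultNamingContext.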

Comment 7 Alon Bar-Lev 2014-12-09 12:23:12 UTC
(In reply to Ondra Machacek from comment #6)
> it should look for defaultnamingcontext not namingContexts.

yes, sounds reasonable.

Comment 8 Moritz Baumann 2014-12-14 00:08:25 UTC
I installed http://resources.ovirt.org/pub/yum-repo/ovirt-release35-snapshot.rpm

As of tonight I still can add a domain but don't see users.

The timestamp from the rpms indicates that the patch is in the binary, but I did not verify.

Comment 9 Alon Bar-Lev 2014-12-14 06:30:46 UTC
(In reply to Moritz Baumann from comment #8)
> I installed
> http://resources.ovirt.org/pub/yum-repo/ovirt-release35-snapshot.rpm
> 
> As of tonight I still can add a domain but don't see users.
> 
> The timestamp from the rpms indicates that the patch is in the binary, but I did
> not verify.

It was not merged yet. Please track this bug until it is at least in MODIFIED state.

Comment 10 Sandro Bonazzola 2015-01-15 14:15:04 UTC
This is an automated message: 
This bug should be fixed in oVirt 3.5.1 RC1, moving to QA

Comment 11 Sandro Bonazzola 2015-01-21 16:05:48 UTC
oVirt 3.5.1 has been released. If problems still persist, please make note of it in this bug report.

Comment 12 Eyal Edri 2015-02-26 12:32:24 UTC
this ovirt bug was fixed during 3.5.1 cycle and is included in the build, and therefore should be verified.

Comment 14 Ondra Machacek 2015-03-12 14:35:45 UTC
Can list users and log in as a user from freeipa 4.1.2.

Comment 15 Sandro Bonazzola 2015-09-04 12:48:11 UTC
This is an automated message.
oVirt 3.5.4 has been released on September 3rd 2015 and should include the fix for this BZ. Moving to closed current release.