Bug 1180154

Summary: [AAA][AD] USER_FAILED_TO_AUTHENTICATE when trying to login to webadmin portal using an Active Directory domain
Product: Red Hat Enterprise Virtualization Manager
Reporter: Anand Nande <anande>
Component: ovirt-engine
Assignee: Alon Bar-Lev <alonbl>
Status: CLOSED CURRENTRELEASE
QA Contact: Ondra Machacek <omachace>
Severity: high
Priority: high
Version: 3.4.3-1
CC: adahms, alonbl, andreas.petzold, ecohen, iheim, lpeer, lsurette, oourfali, pstehlik, rbalakri, Rhev-m-bugs, yeylon, ylavi
Target Milestone: ---
Target Release: 3.5.0
Hardware: All
OS: Linux
Whiteboard: infra
Doc Type: Known Issue
Doc Text:
The legacy LDAP provider Active Directory driver does not support users whose SAM account name differs from their user principal name, so such users cannot log in. As a workaround, use the new LDAP provider ovirt-engine-extension-aaa-ldap. With this driver the SAM account name is no longer considered, and users whose SAM account name differs from their user principal name can log in.
Story Points: ---
Last Closed: 2015-02-11 20:44:16 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: Infra
Cloudforms Team: ---
Bug Blocks: 1063095

Comment 1 Alon Bar-Lev 2015-01-13 08:33:20 UTC
This is a known problem, partially a dup of bug#798075 and other issues caused by the fact that the implementation is accessing the UPN while sending the first component as the SAM account.

This and many other issues[1] should be resolved when using the new ldap provider in 3.5[2][3].

This issue will not be resolved when using the legacy provider even in the future, so migration should be done in 3.5.

[1] https://bugzilla.redhat.com/showdependencytree.cgi?id=1063095&hide_resolved=0
[2] http://www.ovirt.org/Features/AAA
[3] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD

Comment 2 Ondra Machacek 2015-01-13 10:33:11 UTC
$ ldapsearch ..
dn: CN=diff diff,CN=Users,DC=ad2,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com
..
sAMAccountName: diff_
sAMAccountType: 805306368
userPrincipalName: diffferent.lab.eng.brq.redhat.com

With the new ldap provider I can connect with a user using diffferent.lab.eng.brq.redhat.com.

Comment 4 Alon Bar-Lev 2015-01-13 12:57:00 UTC
Migration can be done in stages.
1. Add the same ldap using the new provider.
2. Users can log in either to the old or the new profile (select in the domain drop-down at the login dialog).
3. Assign permissions to the users/groups of the new provider on all resources.
4. Wait for all users to migrate / announce.
5. Remove the old provider.

Depending on migration time, we may have an experimental tool to perform 1-3.
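A pre-migration audit, added here as an example and not code from this bug or from ovirt-engine: it parses ldapsearch-style output and flags users whose sAMAccountName differs from the first component of their userPrincipalName, the mismatch comment 1 names as the cause of the legacy driver's USER_FAILED_TO_AUTHENTICATE. Splitting the UPN at the first '@' or '.' to get its "first component" is our assumption, and the second sample entry is constructed as a control case.

```python
import re

# Constructed LDIF-style sample modelled on the ldapsearch output in comment 2;
# the second entry is an invented control case whose names agree.
SAMPLE_LDIF = """\
dn: CN=diff diff,CN=Users,DC=ad2,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com
sAMAccountName: diff_
userPrincipalName: diffferent.lab.eng.brq.redhat.com

dn: CN=Jane Same,CN=Users,DC=example,DC=test
sAMAccountName: jsame
userPrincipalName: jsame@example.test
"""

def parse_ldif(text):
    """Split flat LDIF text into one attribute dict per blank-line-separated entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
        if attrs:
            entries.append(attrs)
    return entries

def upn_first_component(upn):
    """Name the legacy driver is described as sending as the SAM account name.
    Assumption (not from the bug): the first component ends at the first '@' or '.'."""
    return re.split(r"[@.]", upn, maxsplit=1)[0]

def legacy_login_mismatches(entries):
    """Users the legacy AD driver would reject: UPN-derived name != sAMAccountName.
    Entries lacking either attribute (e.g. no UPN set) are skipped, not flagged."""
    mismatches = []
    for e in entries:
        sam, upn = e.get("sAMAccountName"), e.get("userPrincipalName")
        if not sam or not upn:
            continue
        derived = upn_first_component(upn)
        if derived.lower() != sam.lower():  # AD names compare case-insensitively
            mismatches.append({"dn": e["dn"], "sAMAccountName": sam,
                               "userPrincipalName": upn, "upnFirstComponent": derived})
    return mismatches

if __name__ == "__main__":
    for m in legacy_login_mismatches(parse_ldif(SAMPLE_LDIF)):
        print(m["dn"], "->", m["sAMAccountName"], "vs", m["upnFirstComponent"])
```

Run it against a real export (ldapsearch output with dn, sAMAccountName and userPrincipalName) before step 5 of the migration to see which accounts only the new provider will accept.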