Bug 1180154
Summary: | [AAA][AD] USER_FAILED_TO_AUTHENTICATE when trying to login to webadmin portal using an Active Directory domain | ||
---|---|---|---|
Product: | Red Hat Enterprise Virtualization Manager | Reporter: | Anand Nande <anande> |
Component: | ovirt-engine | Assignee: | Alon Bar-Lev <alonbl> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Ondra Machacek <omachace> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 3.4.3-1 | CC: | adahms, alonbl, andreas.petzold, ecohen, iheim, lpeer, lsurette, oourfali, pstehlik, rbalakri, Rhev-m-bugs, yeylon, ylavi |
Target Milestone: | --- | ||
Target Release: | 3.5.0 | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | infra | ||
Fixed In Version: | Doc Type: | Known Issue | |
Doc Text: |
The legacy LDAP provider Active Directory driver does not support users whose SAM account name differs from their user principal name, which prevents those users from logging in. As a workaround, use the new LDAP provider, ovirt-engine-extension-aaa-ldap. With this driver, the SAM account name is no longer considered, and users whose SAM account name differs from their user principal name can log in.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2015-02-11 20:44:16 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | Infra | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1063095 |
Comment 1
Alon Bar-Lev
2015-01-13 08:33:20 UTC
$ ldapsearch ..
dn: CN=diff diff,CN=Users,DC=ad2,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com
..
sAMAccountName: diff_
sAMAccountType: 805306368
userPrincipalName: diffferent.lab.eng.brq.redhat.com

With the new LDAP provider I can connect with the user using diffferent.lab.eng.brq.redhat.com.

Migration can be done in stages:

1. Add the same LDAP using the new provider.
2. User can log in either to the old or the new profile (select in the domain drop-down at the login dialog).
3. Assign permissions to the users/groups of the new provider to all resources.
4. Wait for all users to migrate / announce.
5. Remove the old provider.

Depending on migration time, we may have an experimental tool to perform 1-3.
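To find which accounts the known issue affects before starting the migration, the following added example (not part of the bug report or of ovirt-engine) parses LDIF text as printed by ldapsearch and lists users whose sAMAccountName differs from their userPrincipalName. It assumes that "differs" means the SAM account name is not equal, ignoring case, to the part of the UPN before the "@"; the directory entries and the function names are constructed for illustration.

```python
import base64

# Constructed sample in LDIF form (what ldapsearch prints); not data from the bug.
SAMPLE_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=example,DC=test
sAMAccountName: alice
userPrincipalName: alice@example.test

dn: CN=Bob Example,CN=Users,DC=example,
 DC=test
sAMAccountName: bob_
userPrincipalName: robert@example.test

dn: CN=Carol Example,CN=Users,DC=example,DC=test
sAMAccountName:: Y2Fyb2w=
userPrincipalName: Carol@example.test
"""

def parse_ldif(text):
    """Yield one {attribute: [values]} dict per LDIF entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # unfold: a leading space continues the previous line
        else:
            lines.append(raw)
    entry = {}
    for line in lines + [""]:  # the trailing "" flushes the last entry
        if not line.strip():
            if entry:
                yield entry
            entry = {}
        elif not line.startswith("#") and ":" in line:
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(name.lower(), []).append(value.strip())

def mismatched_users(text):
    """Return (dn, SAM name, UPN) where SAM name != UPN prefix; incomplete entries are skipped."""
    hits = []
    for e in parse_ldif(text):
        sam = e.get("samaccountname", [None])[0]
        upn = e.get("userprincipalname", [None])[0]
        if sam and upn and sam.lower() != upn.split("@", 1)[0].lower():
            hits.append((e["dn"][0], sam, upn))
    return hits

if __name__ == "__main__":
    print(mismatched_users(SAMPLE_LDIF))
```

Accounts it reports are the ones that need the new provider profile (stages 1 to 3 above) before the old provider is removed.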