Bug 1285075
Summary: | If the "Usergroup sync" is enabled under LDAP authentication, login to Satellite server hangs | | |
---|---|---|---|
Product: | Red Hat Satellite | Reporter: | Leo Thomas <lthomas> |
Component: | Users & Roles | Assignee: | Daniel Lobato Garcia <dlobatog> |
Status: | CLOSED ERRATA | QA Contact: | Kedar Bidarkar <kbidarka> |
Severity: | medium | Docs Contact: | |
Priority: | unspecified | | |
Version: | 6.1.4 | CC: | ahuchcha, bbuckingham, bkearney, brubisch, kbidarka, pmutha, sclayton, sthirugn, will_darton |
Target Milestone: | Unspecified | Keywords: | Triaged |
Target Release: | Unused | | |
Hardware: | x86_64 | | |
OS: | Linux | | |
URL: | http://projects.theforeman.org/issues/10340 | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2016-07-27 08:59:53 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |

Description
Leo Thomas
2015-11-24 20:18:39 UTC
Clearing flags to make sure it gets triaged.

Created redmine issue http://projects.theforeman.org/issues/13617 from this bug

Moving to POST since upstream bug http://projects.theforeman.org/issues/10340 has been closed

-------------
Vasil Mikhalenya

I have no idea how it should work, because we use only one group in AD and use it in the LDAP filter.

Seems it fails in a different way: I've added a group and tried to add a mapping to AD; it fails with "POST /usergroups/1-admins HTTP/1.1" 500"

    Started PUT "/usergroups/1-admins" for 10.128.60.25 at 2015-05-01 08:26:17 +0000
    2015-05-01 08:26:17 [I] Processing by UsergroupsController#update as HTML
    2015-05-01 08:26:17 [I] Parameters: {"utf8"=>"✓", "authenticity_token"=>"...............blanked.........................", "usergroup"=>{"name"=>"admins", "user_ids"=>[""], "admin"=>"1", "role_ids"=>["", "9"], "external_usergroups_attributes"=>{"0"=>{"_destroy"=>"false", "name"=>"Server Administration Team", "auth_source_id"=>"2"}, "new_external_usergroups"=>{"_destroy"=>"false", "name"=>"", "auth_source_id"=>"2"}}}, "commit"=>"Submit", "id"=>"1-admins"}
    2015-05-01 08:26:17 [I]

But it had been added, because the item and button appeared. When I click the refresh button, I get this:

    LdapFluff::ActiveDirectory::MemberService::UIDNotFoundException
    LdapFluff::ActiveDirectory::MemberService::UIDNotFoundException
    app/models/auth_sources/auth_source_ldap.rb:114:in `users_in_group'
    app/models/external_usergroup.rb:32:in `users'
    app/models/external_usergroup.rb:18:in `refresh'
    app/controllers/external_usergroups_controller.rb:5:in `refresh'
    app/controllers/concerns/application_shared.rb:13:in `set_timezone'
    app/models/concerns/foreman/thread_session.rb:32:in `clear_thread'
    lib/middleware/catch_json_parse_errors.rb:9:in `call'

The same for the rake task:

    [v-foreman ~]# foreman-rake ldap:refresh_usergroups
    Apipie cache enabled but not present yet. Run apipie:cache rake task to speed up API calls.
    Workaround for RbVmomi may not work as ComputeResource is already loaded: ComputeResource
    User group Server Administration Team could not be refreshed - LDAP source LDAP-v-dc not available: LdapFluff::ActiveDirectory::MemberService::UIDNotFoundException

-------------
Mathieu Parent

Hello,

This fixes it for me: https://github.com/theforeman/ldap_fluff/pull/43

-------------
Dominic Cleal

https://github.com/theforeman/ldap_fluff/pull/44 contains a further fix, I think, to prevent the hang.

-------------
Mathieu Parent

The loop has been fixed in https://github.com/theforeman/ldap_fluff/pull/43 and https://github.com/theforeman/ldap_fluff/pull/44.

But this is not the end of the story. If your logins are not lowercase, your groups will be considered empty. This should be solved on the Foreman side.

Also, as performance of ActiveDirectory is very low, an option to disable recursive search would be better.

I will try to work on those, but I'm very busy currently.

-------------
Dominic Cleal

Mathieu Parent wrote:
> The loop has been fixed in https://github.com/theforeman/ldap_fluff/pull/43 and https://github.com/theforeman/ldap_fluff/pull/44.
>
> But this is not the end of the story. If your logins are not lowercase, your groups will be considered empty. This should be solved on the Foreman side.

You're in luck, Daniel has just been fixing this. I think #11428 and #11407 should fix case insensitivity for both groups and logins.

-------------

I am also seeing this behavior on Satellite 6.1.7. Active Directory is the server type for the Auth Source.

VERIFIED with sat62-snap6.1

Made sure that "Usergroup Sync" option is enabled under LDAP authentication. LDAP user was able to access Satellite6 machine and the Sat6 Server didn't hang.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1500
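
The upstream comments in this report name three concerns for group sync: the loop, logins that are not lowercase, and an option to disable recursive search. The Ruby sketch below is an added example, not code from ldap_fluff, Foreman or this report; the directory data and the `group_logins` and `member?` helpers are hypothetical, and it assumes the loop arises from nested groups that reference each other, which the report does not state.

```ruby
require 'set'

# Constructed sample directory (not from the bug report): group name =>
# member entries. An entry that names another group is a nested group.
# "Admins" and "Ops" reference each other, forming a cycle.
DIRECTORY = {
  'Server Administration Team' => ['JSmith', 'Admins'],
  'Admins'                     => ['ADoe', 'Ops'],
  'Ops'                        => ['bjones', 'Admins']
}.freeze

# Hypothetical helper: logins in a group, normalised to lowercase.
# `seen` records groups already expanded, so a cycle terminates instead
# of recursing forever; `recursive: false` skips nested groups entirely.
def group_logins(directory, group, recursive: true, seen: Set.new)
  key = directory.keys.find { |name| name.casecmp?(group) }
  return Set.new if key.nil? || !seen.add?(key)

  directory[key].each_with_object(Set.new) do |entry, logins|
    nested = directory.keys.find { |name| name.casecmp?(entry) }
    if nested.nil?
      logins << entry.downcase          # plain user entry
    elsif recursive
      logins.merge(group_logins(directory, nested, seen: seen))
    end
  end
end

# Case-insensitive membership test: "JSmith" and "jsmith" are one login.
def member?(directory, group, login, recursive: true)
  group_logins(directory, group, recursive: recursive).include?(login.downcase)
end

if __FILE__ == $PROGRAM_NAME
  p group_logins(DIRECTORY, 'server administration team').to_a.sort
  p member?(DIRECTORY, 'Admins', 'BJONES')
  p member?(DIRECTORY, 'Server Administration Team', 'adoe', recursive: false)
end
```

With `recursive: false` a user who belongs only through a nested group is no longer matched, so role mappings that rely on nesting need to be reviewed before turning recursion off.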