Bug 1326129

Summary: user groups from ldap trusted forest are not retrieved.
Product: Red Hat CloudForms Management Engine
Reporter: amogh <amavinag>
Component: Appliance
Assignee: Gregg Tanzillo <gtanzill>
Status: CLOSED WONTFIX
QA Contact: Matt Pusateri <mpusater>
Severity: medium
Docs Contact:
Priority: medium
Version: 5.5.0
CC: abellott, amavinag, dajohnso, jhardy, mpusater, obarenbo, pmukhedk, sboulden
Target Milestone: GA
Target Release: cfme-future
Hardware: Unspecified
OS: Unspecified
Whiteboard: ldap
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-28 14:46:40 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description amogh 2016-04-11 22:18:39 UTC
Description of problem:

user groups from ldap trusted forest are not retrieved.

Version-Release number of selected component (if applicable):

5.5.3.4.20160407153134_b3e2a83

How reproducible:
always

Configuration:
1. Create the user "ldaptest" and group "engineering" in ldap:"cfme-qe-ldap", and add "ldaptest" user to "engineering" group.
2. Create the user "ldaptest" and group "cfme" in ldap:"cfme-qe-ipa" and add "ldaptest" user to "cfme" group.

Steps to Reproduce:
1. Log in as "admin" and navigate to configure->configuration->authentication.
2. Change the authentication mode to 'ldap'.
3. Specify the hostname for "cfme-qe-ipa" as the primary ldap.
4. In the "Role Settings", check "Get User Groups from LDAP" and observe that the "Trusted Forest Settings" table is displayed below. Specify "Base DN" and "Bind DN".
5. Click on '+' to add "Trusted Forest Settings", specify HostName as "cfme-qe-ldap", enter a valid Base DN, Bind DN and 'Bind Password', click add to add the trusted forest, and click "Save".
6. Navigate to "access control"->"groups"->"add new group", check (Look Up LDAP Groups), specify the user "ldaptest", and click retrieve. Observe that only the groups (cfme) from the primary ldap (cfme-qe-ipa) are retrieved. No group (engineering) from "cfme-qe-ldap" is retrieved.
7. Manually add the group "engineering", log out and log in as "ldaptest". Observe that login fails for the user "ldaptest".

However, the "engineering" group retrieval works and login for "ldaptest" works if "cfme-qe-ldap" is specified as the primary ldap.

Actual results:
user groups from ldap trusted forest are not retrieved.

Expected results:
CloudForms Management Engine is expected to first collect all of the user’s groups from the primary LDAP directory. Then it is expected to collect any additional groups that the user is a member of from all of the configured forests.

Additional info:
Section 3.1.4.2.6 in https://access.redhat.com/webassets/avalon/d/Red_Hat_CloudForms-4.0-General_Configuration-en-US/Red_Hat_CloudForms-4.0-General_Configuration-en-US.pdf describes how to add trusted forests and the expected results in cfme.

Comment 12 Chris Pelland 2017-08-28 14:46:40 UTC
This bug has been open for more than a year and is assigned to an older release of CloudForms.
If you would like to keep this Bugzilla open and if the issue is still present in the latest version of the product, please file a new Bugzilla which will be added and assigned to the latest release of CloudForms.