Bug 1333878

Summary: ovirt-engine-extension-aaa-ldap-setup appends '-authz' behind the scene, impacts SSO by default
Product: [oVirt] ovirt-engine-extension-aaa-ldap
Reporter: Jiri Belka <jbelka>
Component: Setup
Assignee: Ondra Machacek <omachace>
Status: CLOSED CURRENTRELEASE
QA Contact: Gonza <grafuls>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 1.1.3
CC: bugs, mperina
Target Milestone: ovirt-4.0.0-rc
Flags: rule-engine: ovirt-4.0.0+, rule-engine: planning_ack+, mperina: devel_ack+, rule-engine: testing_ack+
Target Release: 1.2.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-07-05 07:50:54 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jiri Belka 2016-05-06 14:22:16 UTC
Description of problem:

ovirt-engine-extension-aaa-ldap-setup asks a user to "specify profile name that will be visible to users" and then it invisibly appends '-authz' to such name behind the scene.

This causes SSO to Windows guests not to work by default, as engine "sends" not the domain but domain + '-authz' in VM.desktopLogin. Very odd for a sysadmin who configured this domain for SSO for Windows guests' client users.

# ovirt-engine-extension-aaa-ldap-setup 
[ INFO  ] Stage: Initializing
[ INFO  ] Stage: Environment setup
          Configuration files: ['/etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf']
          Log file: /tmp/ovirt-engine-extension-aaa-ldap-setup-20160506150259-66hevw.log
          Version: otopi-1.4.1 (otopi-1.4.1-1.el6ev)
[ INFO  ] Stage: Environment packages setup
[ INFO  ] Stage: Programs detection
[ INFO  ] Stage: Environment customization
          Welcome to LDAP extension configuration program
          Please specify profile name that will be visible to users: ad-w2k8r2.example.com
^^^^^^^^^^^^^^^^^^^^^ provided by admin
...
          2016-05-06 15:04:00 INFO    ========================================================================
          2016-05-06 15:04:00 INFO    ============================== Execution ===============================
          2016-05-06 15:04:00 INFO    ========================================================================
          2016-05-06 15:04:00 INFO    Profile='ad-w2k8r2.example.com' authn='ad-w2k8r2.example.com-authn' authz='ad-w2k8r2.example.com-authz' mapping='null'
                                                      ^^^^^^ addition
          2016-05-06 15:04:00 INFO    API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS user='ad-w2k8r2'
          2016-05-06 15:04:00 INFO    API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS result=SUCCESS
          2016-05-06 15:04:00 INFO    --- Begin AuthRecord ---
          2016-05-06 15:04:00 INFO    AAA_AUTHN_AUTH_RECORD_PRINCIPAL: ad-w2k8r2.com
          2016-05-06 15:04:00 INFO    --- End   AuthRecord ---
          2016-05-06 15:04:00 INFO    API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='ad-w2k8r2.com'
          2016-05-06 15:04:00 INFO    API: <--Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD status=SUCCESS
          2016-05-06 15:04:00 INFO    --- Begin PrincipalRecord ---
          2016-05-06 15:04:00 INFO    AAA_AUTHZ_PRINCIPAL_DISPLAY_NAME: ad-w2k8r2
          2016-05-06 15:04:00 INFO    AAA_AUTHZ_PRINCIPAL_PRINCIPAL: ad-w2k8r2.com
          2016-05-06 15:04:00 INFO    AAA_LDAP_UNBOUNDID_DN: CN=ad-w2k8r2,CN=Users,DC=ad-w2k8r2,DC=example,DC=com
          2016-05-06 15:04:00 INFO    AAA_AUTHZ_PRINCIPAL_ID: KqAXTzGX9UaxSaIuawL4ug==
          2016-05-06 15:04:00 INFO    AAA_AUTHZ_PRINCIPAL_NAME: ad-w2k8r2
          2016-05-06 15:04:00 INFO    AAA_AUTHZ_PRINCIPAL_FIRST_NAME: ad-w2k8r2
          2016-05-06 15:04:00 INFO    AAA_AUTHZ_PRINCIPAL_NAMESPACE: DC=ad-w2k8r2,DC=example,DC=com
          2016-05-06 15:04:00 INFO    --- End   PrincipalRecord ---

jsonrpc.Executor/7::DEBUG::2016-05-06 15:19:49,529::__init__::503::jsonrpc.JsonRpcServer::(_serveRequest) Calling 'VM.desktopLogin' in bridge with {u'username': u'ad-w2k8r2', u'domain': u'ad-w2k8r2.example.com-authz', u'password': '********', u'vmID': u'ed875d98-e407-4b07-967a-363cbecf3bb3'}
                       ^^^^^^ such domain does not exist

Version-Release number of selected component (if applicable):
ovirt-engine-extension-aaa-ldap-setup-1.1.4-1.el6ev.noarch

How reproducible:
100%

Steps to Reproduce:
1. configure an AD via ovirt-engine-extension-aaa-ldap-setup, provide the exact
   domain name for the profile name to be visible by users
2. assign a VM to an AD user
3. open User Portal as the AD user and open console
4. observe vdsm.log for VM.desktopLogin line and value of domain sent

Actual results:
ovirt-engine-extension-aaa-ldap-setup appends '-authz' invisibly, and this causes the engine to send to the VM.desktopLogin action not the exact AD domain which was configured; thus SSO does not work as the domain is wrong

Expected results:
ovirt-engine-extension-aaa-ldap-setup should not append any string to user provided "names" for domains

Additional info:
renaming config files is not user-friendly and understanding aaa config files seems to be rocket science, thus ovirt-engine-extension-aaa-ldap-setup should create configuration which works by default
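A post-configuration check for the symptom described above, added here as an example and not part of the bug report or of the oVirt code: it parses the setup log's Execution summary line and the vdsm VM.desktopLogin line (constructed sample input modelled on the excerpts quoted in the report) and flags when the domain handed to the guest is the '-authz' name rather than the profile name the admin entered. Function names and the "good" line are assumptions.

```python
import ast
import re

# Constructed sample lines, modelled on the setup log and vdsm.log excerpts in the report.
SETUP_LOG = ("2016-05-06 15:04:00 INFO    Profile='ad-w2k8r2.example.com' "
             "authn='ad-w2k8r2.example.com-authn' authz='ad-w2k8r2.example.com-authz' "
             "mapping='null'")
VDSM_LOG_BAD = ("jsonrpc.Executor/7::DEBUG::2016-05-06 15:19:49,529::__init__::503::"
                "jsonrpc.JsonRpcServer::(_serveRequest) Calling 'VM.desktopLogin' in bridge "
                "with {u'username': u'ad-w2k8r2', u'domain': u'ad-w2k8r2.example.com-authz', "
                "u'password': '********', u'vmID': u'ed875d98-e407-4b07-967a-363cbecf3bb3'}")
# Assumed shape of the line once the guest receives the profile name itself.
VDSM_LOG_GOOD = VDSM_LOG_BAD.replace("ad-w2k8r2.example.com-authz", "ad-w2k8r2.example.com")

PROFILE_RE = re.compile(r"Profile='([^']*)'\s+authn='([^']*)'\s+authz='([^']*)'")
LOGIN_RE = re.compile(r"Calling 'VM\.desktopLogin' in bridge with (\{.*\})")


def parse_setup_profile(line):
    """Return (profile, authn, authz) from the setup log's Execution summary, or None."""
    m = PROFILE_RE.search(line)
    return m.groups() if m else None


def parse_desktop_login(line):
    """Return the parameter dict vdsm logs for VM.desktopLogin, or None."""
    m = LOGIN_RE.search(line)
    if not m:
        return None
    # vdsm prints the params as a Python literal; literal_eval also accepts u'' strings.
    return ast.literal_eval(m.group(1))


def check_sso_domain(setup_line, vdsm_line):
    """Compare the domain sent to the guest with the profile name the admin entered.

    Returns (ok, detail). ok is False when the guest receives the '-authz' name
    (the symptom in this bug) or any other value that differs from the profile.
    """
    profile_parts = parse_setup_profile(setup_line)
    login = parse_desktop_login(vdsm_line)
    if profile_parts is None or login is None:
        return False, "could not parse the setup or vdsm log line"
    profile, _authn, authz = profile_parts
    domain = login.get("domain")
    if domain == profile:
        return True, "guest receives the configured profile name %r" % domain
    if domain == authz:
        return False, "guest receives authz name %r instead of profile %r" % (domain, profile)
    return False, "guest receives %r, which is neither profile %r nor its authz name" % (domain, profile)
```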

Comment 1 Yaniv Lavi 2016-05-23 13:19:00 UTC
oVirt 4.0 beta has been released, moving to RC milestone.

Comment 2 Yaniv Lavi 2016-05-23 13:26:32 UTC
oVirt 4.0 beta has been released, moving to RC milestone.

Comment 3 Martin Perina 2016-05-26 12:55:53 UTC
Fix is included in ovirt-engine-extension-aaa-ldap-1.2.0-1

Comment 4 Gonza 2016-06-24 14:00:08 UTC
Verified with:
rhevm-4.0.0.5-0.1.el7ev.noarch

Domain name is still the same but SSO is working correctly.
jsonrpc.Executor/3::DEBUG::2016-06-24 16:57:05,877::__init__::522::jsonrpc.JsonRpcServer::(_serveRequest) Calling 'VM.desktopLogin' in bridge with {'username': 'user1', 'domain': 'ad-w2k12r2-authz', 'password': '********', 'vmID': 'd75de907-1e3f-4d00-a062-a6d0fdd61060'}

Comment 5 Sandro Bonazzola 2016-07-05 07:50:54 UTC
oVirt 4.0.0 has been released, closing current release.