Bug 1356675
| Summary: | [AAA] Can't add IPA directory users to VM permissions | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Virtualization Manager | Reporter: | Anitha Udgiri <audgiri> |
| Component: | ovirt-engine | Assignee: | Ondra Machacek <omachace> |
| Status: | CLOSED ERRATA | QA Contact: | Jiri Belka <jbelka> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 3.6.0 | CC: | bazulay, jcoscia, lsurette, lsvaty, mgoldboi, mperina, omachace, oourfali, pstehlik, rbalakri, Rhev-m-bugs, srevivo, ykaul |
| Target Milestone: | ovirt-4.0.2 | Keywords: | ZStream |
| Target Release: | 4.0.2 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1358286 (view as bug list) | Environment: | |
| Last Closed: | 2016-08-23 20:44:07 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | Infra | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1358286 | | |
Created attachment 1179911 [details]
Debug log for the behaviour described

Description of problem:
Site is unable to display any results for IPA when searching/adding new users.

From the customer:

I have tried the following, all yield no results:
"*"
"thomas*"
"thomas"
"thomas stewart"
"Thomas Stewart"

As a further test, I set the domain to internal and tried the following, which both yielded the single "admin" user:
"*"
"a*"

The only clue I have found so far is in the /var/log/ovirt-engine/engine.log log file; when I click GO as described above it says:

```
2016-07-11 09:48:01,035 INFO [org.ovirt.engine.core.bll.SearchQuery] (ajp-/127.0.0.1:8702-6) [] ResourceManager::searchBusinessObjects - erroneous search text - ''ADUSER:dc= allnames=thomas.stewart''
2016-07-11 09:48:01,039 INFO [org.ovirt.engine.core.bll.SearchQuery] (ajp-/127.0.0.1:8702-6) [] ResourceManager::searchBusinessObjects - erroneous search text - ''ADGROUP:dc= name=thomas.stewart''
```

It's an issue with search. When the namespace is 'dc=something', it doesn't work properly. As a temporary workaround, just rename the profile name to something different from 'pheunix'.

(In reply to Ondra Machacek from comment #3)
> As a temporary workaround, just rename the profile name to something different from
> 'pheunix'.

Hi Ondra,

Could you please confirm if the workaround would be to modify the ovirt.engine.aaa.authn.profile.name value in /etc/ovirt-engine/extensions.d/<profile-name>-authn.properties and restart ovirt-engine afterwards?

Thanks!

Hi, yes, that's correct. But please note that the name can't be any of the following:

dc=pheunix
c=pheunix
=pheunix
pheunix
heunix
eunix
unix
nix
ix
x

Everything else should be fine (in this specific case).

Moving back to POST as we need to backport to ovirt-engine-4.0.

We have authz-rename-tool, which handles exactly such a scenario. It's shipped along with the migration tool[1]. So in order to use it, install the migration tool and refer to README[2] section "12. [OPTIONAL] Rename authz to match legacy convention". There are steps there on how to use it.

[1] https://github.com/machacekondra/ovirt-engine-kerbldap-migration/releases/tag/ovirt-engine-kerbldap-migration-1.0.4
[2] https://github.com/machacekondra/ovirt-engine-kerbldap-migration/blob/master/README.md

ok, ovirt-engine-4.0.2.7-0.1.el7ev.noarch

vdcadmin at "com" profile name got a VM and logged successfully into User Portal

```
2016-08-18 15:26:31,538 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-6-thread-1) [6661f726] Correlation ID: 6661f726, Call Stack: null, Custom Event ID: -1, Message: User 'vdcadmin' was added successfully to the system.
2016-08-18 15:26:31,685 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-6-thread-1) [6661f726] Correlation ID: 5a9513c8, Call Stack: null, Custom Event ID: -1, Message: User/Group vdcadmin, Namespace dc=brq-ipa,dc=example,dc=com, Authorization provider: com was granted permission for Role UserRole on VM jb-el7-serial, by admin@internal-authz.
2016-08-18 15:27:03,291 INFO [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-17) [] User vdcadmin@com successfully logged in with scopes: ovirt-app-admin ovirt-app-api ovirt-app-portal ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-1743.html
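An added check for the workaround discussed in the comments (example code, not from the bug report or the oVirt project): it reads the profile name from a `*-authn.properties` file, lists the names the comment says to avoid for a given namespace, and picks the "erroneous search text" lines out of engine.log. The properties sample, the namespace `dc=pheunix,dc=example,dc=com` and the log excerpt are constructed; the comment gives the name list only for this case, and treating it as "every suffix of the namespace's first RDN" is this example's assumption.

```python
import re

# Constructed sample of /etc/ovirt-engine/extensions.d/<profile-name>-authn.properties;
# only the profile.name key matters here and the values are hypothetical.
AUTHN_PROPERTIES = """\
ovirt.engine.extension.name = pheunix-authn
ovirt.engine.aaa.authn.profile.name = pheunix
"""

# Constructed engine.log excerpt modelled on the lines quoted in the bug description.
ENGINE_LOG = """\
2016-07-11 09:48:01,035 INFO [org.ovirt.engine.core.bll.SearchQuery] (ajp-/127.0.0.1:8702-6) [] ResourceManager::searchBusinessObjects - erroneous search text - ''ADUSER:dc= allnames=thomas.stewart''
2016-07-11 09:48:01,039 INFO [org.ovirt.engine.core.bll.SearchQuery] (ajp-/127.0.0.1:8702-6) [] ResourceManager::searchBusinessObjects - erroneous search text - ''ADGROUP:dc= name=thomas.stewart''
2016-07-11 09:48:05,000 INFO [org.ovirt.engine.core.bll.SearchQuery] (ajp-/127.0.0.1:8702-6) [] constructed non-matching line
"""

PROFILE_NAME_KEY = "ovirt.engine.aaa.authn.profile.name"


def profile_name(properties_text):
    """Return the value of ovirt.engine.aaa.authn.profile.name, or None if the key is absent."""
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):   # Java properties comment lines
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == PROFILE_NAME_KEY:
            return value.strip()
    return None


def names_to_avoid(namespace):
    """Every suffix of the namespace's first RDN. For dc=pheunix this is exactly the
    list from the comment (dc=pheunix, c=pheunix, ..., x). Assumption: the same rule
    applies to other first RDNs; the comment states it only for this case."""
    first_rdn = namespace.split(",", 1)[0].strip()
    return {first_rdn[i:] for i in range(len(first_rdn))}


def profile_name_is_safe(name, namespace):
    """True when the configured profile name is outside the set to avoid."""
    return bool(name) and name not in names_to_avoid(namespace)


ERRONEOUS_SEARCH = re.compile(
    r"searchBusinessObjects - erroneous search text - ''(?P<text>[^']*)''")


def erroneous_searches(log_text):
    """Return the search strings engine.log rejected, the symptom reported in this bug."""
    return [m.group("text") for m in map(ERRONEOUS_SEARCH.search, log_text.splitlines()) if m]


if __name__ == "__main__":
    ns = "dc=pheunix,dc=example,dc=com"   # constructed namespace for this profile
    name = profile_name(AUTHN_PROPERTIES)
    print(f"profile name {name!r} safe for {ns}: {profile_name_is_safe(name, ns)}")
    print("rejected searches:", erroneous_searches(ENGINE_LOG))
```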