Bug 1367600

Summary: LDAP group lookup fails with json UTF conversion errors
Product: Red Hat CloudForms Management Engine Reporter: Jeff Warnica <jwarnica>
Component: ApplianceAssignee: Gregg Tanzillo <gtanzill>
Status: CLOSED CURRENTRELEASE QA Contact: amogh <amavinag>
Severity: high Docs Contact:
Priority: high    
Version: 5.6.0CC: abellott, cpelland, ebeaudoi, gblomqui, jhardy, jocarter, obarenbo, simaishi
Target Milestone: GAKeywords: TestOnly, ZStream
Target Release: 5.7.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: ldap:auth
Fixed In Version: 5.7.0.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1370196 (view as bug list) Environment:
Last Closed: 2017-01-11 19:56:18 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1370196    
Attachments:
Description Flags
ldap_group_retrieve none

Description Jeff Warnica 2016-08-16 22:33:23 UTC 
Description of problem:

the LDAP group lookup functionality fails. The UI just hangs (network inspector shows it gets back the generic error page, viz json).

Ultimately production.log shows :

Error caught: [Encoding::UndefinedConversionError] "\xC3" from ASCII-8BIT to UTF-8

with the first non gem caller being:

/var/www/miq/vmdb/app/controllers/ops_controller/ops_rbac.rb:569:in `rbac_group_user_lookup'


Simulating what I'm guessing CF is doing (e.g. :

 ldapsearch -H ldap://xxx -D "...." -w ... -b ... "(samaccountname=<UI TEXT>)"

I'm not seeing any group *names* or *dn*s which have non-ASCII characters, but globally searching for (objectClass=group), there are *descriptions* which are base64 decoded, one random sample having an "é" 

Also, the *user* I was searching with has a displayName and sn base64 encoded o the command line, and I guess since it gets its own Wikipedia page, "Hébert" isn't obscure enough to censor. The problem is failing on group lookups, but it could be either (or generic encoding failure).


Version: 5.6.0.13.20160624114606_13a9153

How reproducible:
In this environment, always.

Its past the end of my day here, and the VPN just dropped, but will be back on site tomorrow 9AM .
Comment 3 Jeff Warnica 2016-08-17 15:07:08 UTC 
probable dup: https://bugzilla.redhat.com/show_bug.cgi?id=1321082
Comment 6 Josh Carter 2016-08-19 13:31:46 UTC 
Possibly a problem with net/ldap... and fixed at https://github.com/ruby-ldap/ruby-net-ldap/pull/242
Comment 9 Gregg Tanzillo 2016-08-19 19:13:29 UTC 
https://github.com/ManageIQ/manageiq/pull/10635
Comment 10 CFME Bot 2016-08-20 03:06:02 UTC 
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/895c246fbfb833a13f5718b28334ff2552d83443

commit 895c246fbfb833a13f5718b28334ff2552d83443
Author:     Gregg Tanzillo <gtanzill>
AuthorDate: Fri Aug 19 15:10:05 2016 -0400
Commit:     Gregg Tanzillo <gtanzill>
CommitDate: Fri Aug 19 17:49:50 2016 -0400

    Updating to newer version of net-ldap gem
    
    Version 0.14.0 of the gem (actually, starting with 0.13.0) contains a code change that fixes an encoding error
    (Encoding::UndefinedConversionError) that happens when there are extended characters in a dn. The fix forces
    utf-8 encoding instead of ASCII-8BIT for objects returned from the directory.
    
    See https://github.com/ruby-ldap/ruby-net-ldap/pull/242
    https://bugzilla.redhat.com/show_bug.cgi?id=1367600

 Gemfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 11 CFME Bot 2016-08-22 11:56:49 UTC 
https://github.com/ManageIQ/manageiq/pull/10398
Comment 12 Satoe Imaishi 2016-08-26 19:36:57 UTC 
Already cloned for 5.6.z: https://bugzilla.redhat.com/show_bug.cgi?id=1370196
Comment 13 amogh 2016-10-07 15:54:42 UTC 
verified in 5.7.0.3.20160927165516_075d0f3. group with the name "SR-APP-EPM-Membre-équipe" is retrieved correctly in the UI. production log does not show "Encoding::UndefinedConversionError" Errors. marking this issue as verified.

Refer the screenshot, ldap_group_retrieve.

[root@cfmeappliancerzfpgcv log]# grep -i "UndefinedConversionError" production.log
[root@cfmeappliancerzfpgcv log]#

[root@cfmeappliancerzfpgcv log]# grep -ir "UndefinedConversionError" .
[root@cfmeappliancerzfpgcv log]#
Comment 14 amogh 2016-10-07 15:55:30 UTC 
Created attachment 1208182 [details]
ldap_group_retrieve