Bug 1390349

Summary: Cannot Log in with username and "password+OTP TOKEN"
Product: Red Hat CloudForms Management Engine
Reporter: Saif Ali <saali>
Component: Appliance
Assignee: Joe Vlcek <jvlcek>
Status: CLOSED CURRENTRELEASE
QA Contact: Matt Pusateri <mpusater>
Severity: high
Docs Contact:
Priority: high
Version: 5.6.0
CC: abellott, amavinag, cpelland, hkataria, jhardy, jocarter, jvlcek, mpovolny, obarenbo
Target Milestone: GA
Keywords: TestOnly
Target Release: 5.8.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: external_auth
Fixed In Version: 5.8.0.0
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1397091 1397093
Environment:
Last Closed: 2017-06-12 16:38:43 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 1397091, 1397093
Attachments:
Description: appliance logs; Flags: none
Description: vmdb patch tar file; Flags: none
Description: cfme-appliance patch tar file; Flags: none

Description Saif Ali 2016-10-31 18:56:14 UTC
Created attachment 1215895 [details]
appliance logs

Description of problem:
I cannot log in to the CloudForms web UI with 2-factor authentication. SSH works fine with password+OTP.

Error 

[----] I, [2016-10-25T11:22:27.889995 #3187:149cab8]  INFO -- Success: MIQ(Authenticator.authenticate) userid: [user1] - User user1 successfully validated by External httpd
[----] I, [2016-10-25T11:22:27.922929 #3187:149cab8]  INFO -- Success: MIQ(Authenticator.authenticate) userid: [user1] - Authentication successful for user user1
[----] W, [2016-10-25T11:22:28.298411 #3172:14b1b70]  WARN -- Failure: MIQ(Authenticator.authenticate) userid: [user1] - Authentication failed for userid user1: Failure setting user credentials


Version-Release number of selected component (if applicable):
5.6.2

How reproducible:


Steps to Reproduce:
1. Enable External auth 
2. Enable 2 factor authentication for IPA/IDM user 
3. Try to log in with password+OTP

Actual results:


Expected results:


Additional info:
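
Added example, not part of the original report or of ManageIQ's code: a Ruby check that flags the pattern in the log excerpt above, a Success for a userid followed almost immediately by a Failure for the same userid. The line format is inferred from the three quoted lines only; the 5-second window and every name in the code are assumptions.

```ruby
require "time"

# Sample input: the three log lines quoted in the bug description.
SAMPLE_LOG = <<~'LOG'
  [----] I, [2016-10-25T11:22:27.889995 #3187:149cab8]  INFO -- Success: MIQ(Authenticator.authenticate) userid: [user1] - User user1 successfully validated by External httpd
  [----] I, [2016-10-25T11:22:27.922929 #3187:149cab8]  INFO -- Success: MIQ(Authenticator.authenticate) userid: [user1] - Authentication successful for user user1
  [----] W, [2016-10-25T11:22:28.298411 #3172:14b1b70]  WARN -- Failure: MIQ(Authenticator.authenticate) userid: [user1] - Authentication failed for userid user1: Failure setting user credentials
LOG

# Line format inferred from those three lines only (an assumption).
LINE_RE = /\[(?<ts>\d{4}-\d\d-\d\dT[\d:.]+) #(?<pid>\d+):\h+\]\s+\w+ -- (?<result>Success|Failure): MIQ\(Authenticator\.authenticate\) userid: \[(?<user>[^\]]+)\] - (?<msg>.*)/

AuthEvent = Struct.new(:time, :pid, :user, :ok, :msg)

# Parse Authenticator.authenticate lines; anything else is skipped.
def parse_auth_events(text)
  text.each_line.map do |line|
    m = LINE_RE.match(line)
    next unless m
    # The log carries no time zone; "Z" is appended because only differences matter.
    AuthEvent.new(Time.iso8601("#{m[:ts]}Z"), m[:pid].to_i, m[:user],
                  m[:result] == "Success", m[:msg].strip)
  end.compact
end

# Report failures that follow a success for the same userid within `window`
# seconds (hypothetical threshold), with the worker PIDs that logged each side.
def failures_after_success(events, window: 5.0)
  last_ok = {}
  events.sort_by(&:time).each_with_object([]) do |e, hits|
    if e.ok
      last_ok[e.user] = e
    elsif (prev = last_ok[e.user]) && (e.time - prev.time) <= window
      hits << { user: e.user, gap: (e.time - prev.time).round(3),
                pids: [prev.pid, e.pid], reason: e.msg }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  failures_after_success(parse_auth_events(SAMPLE_LOG)).each { |h| puts h }
end
```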

Comment 4 Joe Vlcek 2016-11-11 12:06:45 UTC
*** Bug 1364157 has been marked as a duplicate of this bug. ***

Comment 5 Joe Vlcek 2016-11-15 14:12:20 UTC
Created attachment 1220853 [details]
vmdb patch tar file

Comment 6 Joe Vlcek 2016-11-15 14:13:06 UTC
Created attachment 1220854 [details]
cfme-appliance patch tar file

Comment 7 Joe Vlcek 2016-11-15 14:13:22 UTC
Attached are 2 tar files containing a hot patch for this issue. To
install them, please do the following:

cd /opt/rh/cfme-appliance
# <move tar file: mk_cfme-appliance.tar here>
tar xvf mk_cfme-appliance.tar

cd /var/www/miq/vmdb
# <move tar file: mk_manageiq_vmdb.tar here>
tar xvf mk_manageiq_vmdb.tar

cd /var/www/miq/vmdb
systemctl stop evmserverd
rake assets:clobber
rake assets:precompile
systemctl restart httpd
systemctl start evmserverd


Once this is done you will need to use the appliance_console to
reconfigure external authentication.

Let us know if you need help with these instructions.

Please let us know if this resolves the two factor authentication
failure you are encountering.

JoeV and Alberto

Comment 10 CFME Bot 2016-11-21 15:12:53 UTC
New commit detected on ManageIQ/manageiq-appliance/master:
https://github.com/ManageIQ/manageiq-appliance/commit/48f60cf3a5f8481ef1002c6a14d7e15cbe5097c1

commit 48f60cf3a5f8481ef1002c6a14d7e15cbe5097c1
Author:     Joe VLcek <jvlcek>
AuthorDate: Wed Nov 16 13:34:21 2016 -0500
Commit:     Joe VLcek <jvlcek>
CommitDate: Wed Nov 16 13:34:21 2016 -0500

    Support a separate auth URL for external authentication
    
    This will allow external auth to only do a single auth at
    login, which is required by OTP configurations.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1390349

 TEMPLATE/etc/httpd/conf.d/manageiq-external-auth.conf.erb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comment 11 CFME Bot 2016-11-21 15:16:23 UTC
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/639a56e71b8c99fe92f2fe868f53aadf8c6e52bc

commit 639a56e71b8c99fe92f2fe868f53aadf8c6e52bc
Author:     Joe VLcek <jvlcek>
AuthorDate: Wed Nov 16 13:23:33 2016 -0500
Commit:     Joe VLcek <jvlcek>
CommitDate: Wed Nov 16 13:23:33 2016 -0500

    Support a separate auth URL for external authentication
    
    This will allow external auth to only do a single auth at
    login, which is required by OTP configurations.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1390349

 app/assets/javascripts/miq_application.js | 21 +++++++++++++++++++++
 app/controllers/dashboard_controller.rb   | 26 +++++++++++++++++++-------
 app/views/dashboard/login.html.haml       |  6 +++---
 config/routes.rb                          |  1 +
 4 files changed, 44 insertions(+), 10 deletions(-)

Comment 14 CFME Bot 2016-11-21 20:35:58 UTC
New commit detected on ManageIQ/manageiq/darga:
https://github.com/ManageIQ/manageiq/commit/b6904869a46b2538914938114838a6babcbe5fbc

commit b6904869a46b2538914938114838a6babcbe5fbc
Author:     Joe VLcek <jvlcek>
AuthorDate: Mon Nov 14 15:39:43 2016 -0500
Commit:     Joe VLcek <jvlcek>
CommitDate: Mon Nov 21 12:58:03 2016 -0500

    Support a separate auth URL for external authentication
    
    This will allow external auth to only do a single auth at
    login, which is required by OTP configurations.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1390349

 app/assets/javascripts/miq_application.js | 22 ++++++++++++++++++++++
 app/controllers/dashboard_controller.rb   | 27 ++++++++++++++++++++-------
 app/views/dashboard/login.html.haml       |  6 +++---
 config/routes.rb                          |  1 +
 4 files changed, 46 insertions(+), 10 deletions(-)

Comment 15 Matt Pusateri 2017-03-23 15:39:47 UTC
Tested on 5.8.0.7 and verified OTP is working