Bug 1391690

Summary: incorrect authentication log message logged for the user without any valid groups.
Product: Red Hat CloudForms Management Engine
Reporter: amogh <amavinag>
Component: Appliance
Assignee: Joe Vlcek <jvlcek>
Status: CLOSED WORKSFORME
QA Contact: Matt Pusateri <mpusater>
Severity: medium
Docs Contact:
Priority: medium
Version: 5.7.0
CC: abellott, dajohnso, jhardy, jvlcek, mpusater, obarenbo
Target Milestone: GA
Target Release: cfme-future
Hardware: Unspecified
OS: Unspecified
Whiteboard: auth
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-02-12 22:23:24 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: CFME Core
Target Upstream Version:

Description amogh 2016-11-03 19:01:02 UTC
Description of problem:
An invalid authentication log message for a user without any valid groups is logged in evm.log and audit.log. This is observed when non-default (i.e. other than Database) authentication modes are configured for cfme (e.g. miq_ldap, external_auth ipa, saml).

Version-Release number of selected component (if applicable):
5.7.0.9-beta2.1.20161101182054_eb0afaa

How reproducible:
Always.

Steps to Reproduce:
1. Configure cfme for miq ldap/external_auth ipa/saml.
2. Create a user 'noldapgroupuser' and do not assign any group to that user.
3. Try to log in to cfme as 'noldapgroupuser' with a valid password.
4. Monitor evm.log and audit.log and observe that the "Authentication successful for userid" log message is displayed, which is not correct.

Success: MIQ(Authenticator.authenticate) userid: [noldapgroupuser] - Authentication successful for user uid=noldapgroupuser

Actual results:
The "Authentication successful for userid" log message is displayed in evm.log and audit.log, which is not correct.

Expected results:
Incorrect log messages need to be removed from logging.

Comment 3 Gregg Tanzillo 2017-06-01 21:36:12 UTC
*** Bug 1456873 has been marked as a duplicate of this bug. ***

Comment 4 Joe Vlcek 2017-11-06 22:25:31 UTC
Please confirm if this is still an issue. I suspect it very likely has been addressed by improvements in this since it had been initially reported over a year ago.

Comment 5 Matt Pusateri 2018-02-12 19:39:09 UTC
I would say it's been addressed, at least in 5.9.0.20 it looks like this:

[----] I, [2018-02-12T14:36:57.740886 #28778:1131c5c]  INFO -- : MIQ(MiqLdap#bind) Binding to LDAP: Host: [10.16.4.75], User: [test-user7.bos.redhat.com]...
[----] I, [2018-02-12T14:36:58.006972 #28778:1131c5c]  INFO -- : MIQ(MiqLdap#bind) Binding to LDAP: Host: [10.16.4.75], User: [test-user7.bos.redhat.com]... successful
[----] I, [2018-02-12T14:36:58.012558 #28778:1131c5c]  INFO -- : <AuditSuccess> MIQ(Base.authenticate) userid: [test-user7] - User test-user7.bos.redhat.com successfully validated by LDAP
[----] W, [2018-02-12T14:36:58.019264 #28778:1131c5c]  WARN -- : <AuditFailure> MIQ(Base.authenticate) userid: [test-user7] - User test-user7.bos.redhat.com authenticated but not defined in EVM
[----] W, [2018-02-12T14:36:58.019417 #28778:1131c5c]  WARN -- : MIQ(Authenticator::Ldap#authenticate) User authenticated but not defined in EVM, please contact your EVM administrator
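
The log sequence in comment 5, turned into a correlation check for anyone alerting on these audit lines (an added example, not part of the bug report and not ManageIQ/CloudForms code). It pairs each `<AuditSuccess>` with a following `<AuditFailure>` for the same worker and userid, so a directory bind that succeeds is not counted as a login when EVM then rejects the user. The 5-second window, the `demo-user` line, and the outcome names are assumptions.

```ruby
require "time"

# Added example, not ManageIQ/CloudForms code. Matches audit-tagged evm.log
# lines in the format shown in comment 5.
AUDIT_LINE = /
  \[(?<ts>\d{4}-\d\d-\d\dT[\d:.]+)\s+\#(?<worker>\d+:\h+)\]  # time, pid:thread
  .*?<(?<tag>AuditSuccess|AuditFailure)>
  .*?userid:\s+\[(?<userid>[^\]]*)\]\s+-\s+(?<msg>.*)
/x
WINDOW = 5.0 # seconds allowed between paired lines; an assumed value

# test-user7 lines are copied from comment 5; the demo-user line is constructed.
SAMPLE = <<~'LOG'.lines
  [----] I, [2018-02-12T14:36:58.012558 #28778:1131c5c]  INFO -- : <AuditSuccess> MIQ(Base.authenticate) userid: [test-user7] - User test-user7.bos.redhat.com successfully validated by LDAP
  [----] W, [2018-02-12T14:36:58.019264 #28778:1131c5c]  WARN -- : <AuditFailure> MIQ(Base.authenticate) userid: [test-user7] - User test-user7.bos.redhat.com authenticated but not defined in EVM
  [----] W, [2018-02-12T14:36:58.019417 #28778:1131c5c]  WARN -- : MIQ(Authenticator::Ldap#authenticate) User authenticated but not defined in EVM, please contact your EVM administrator
  [----] I, [2018-02-12T14:40:01.000001 #28778:1131d00]  INFO -- : <AuditSuccess> MIQ(Base.authenticate) userid: [demo-user] - User demo-user.example.com successfully validated by LDAP
LOG

# Parse only the audit-tagged lines; everything else is ignored.
def audit_events(lines)
  lines.map do |line|
    m = AUDIT_LINE.match(line) or next
    # The log carries no zone; "Z" is appended only so the value parses.
    { time: Time.iso8601("#{m[:ts]}Z"), key: [m[:worker], m[:userid]],
      tag: m[:tag], msg: m[:msg].strip }
  end.compact
end

# One record per login attempt. An AuditSuccess followed within WINDOW by an
# AuditFailure on the same worker and userid is downgraded to a denial.
def login_outcomes(lines)
  outcomes = []
  pending = {} # key => index in outcomes of the latest unpaired AuditSuccess
  audit_events(lines).each do |ev|
    prev = pending[ev[:key]]
    if ev[:tag] == "AuditSuccess"
      pending[ev[:key]] = outcomes.size
      outcomes << { userid: ev[:key][1], time: ev[:time], outcome: :validated, detail: ev[:msg] }
    elsif prev && ev[:time] - outcomes[prev][:time] <= WINDOW
      outcomes[prev].merge!(outcome: :denied_after_validation, detail: ev[:msg])
      pending.delete(ev[:key])
    else
      outcomes << { userid: ev[:key][1], time: ev[:time], outcome: :failed, detail: ev[:msg] }
    end
  end
  outcomes
end

login_outcomes(SAMPLE).each { |o| puts "#{o[:userid]}: #{o[:outcome]}" } if __FILE__ == $0
```

A rule that counts every `<AuditSuccess>` line as a completed login would report `test-user7` as logged in; the paired view reports the attempt as denied.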

Comment 6 Joe Vlcek 2018-02-12 22:23:24 UTC
(In reply to Matt Pusateri from comment #5)
> I would say it's been addressed, at least in 5.9.0.20 it looks like this:
> 
> [----] I, [2018-02-12T14:36:57.740886 #28778:1131c5c]  INFO -- :
> MIQ(MiqLdap#bind) Binding to LDAP: Host: [10.16.4.75], User:
> [test-user7.bos.redhat.com]...
> [----] I, [2018-02-12T14:36:58.006972 #28778:1131c5c]  INFO -- :
> MIQ(MiqLdap#bind) Binding to LDAP: Host: [10.16.4.75], User:
> [test-user7.bos.redhat.com]... successful
> [----] I, [2018-02-12T14:36:58.012558 #28778:1131c5c]  INFO -- :
> <AuditSuccess> MIQ(Base.authenticate) userid: [test-user7] - User
> test-user7.bos.redhat.com successfully validated by LDAP
> [----] W, [2018-02-12T14:36:58.019264 #28778:1131c5c]  WARN -- :
> <AuditFailure> MIQ(Base.authenticate) userid: [test-user7] - User
> test-user7.bos.redhat.com authenticated but not defined in EVM
> [----] W, [2018-02-12T14:36:58.019417 #28778:1131c5c]  WARN -- :
> MIQ(Authenticator::Ldap#authenticate) User authenticated but not defined in
> EVM, please contact your EVM administrator

Thank you Matt. I'll mark this as CLOSED / WORKSFORME


Please reopen if you feel it should not be closed.

Thank you! JoeV