Bug 1394425

Summary: when ext_auth configured with ldaps through sssd, groups retrieved as "groupname@domain.com"
Product: Red Hat CloudForms Management Engine Reporter: amogh <amavinag>
Component: ApplianceAssignee: Joe Vlcek <jvlcek>
Status: CLOSED CURRENTRELEASE QA Contact: Matt Pusateri <mpusater>
Severity: high Docs Contact:
Priority: unspecified    
Version: 5.7.0CC: abellott, amavinag, cpelland, dajohnso, jhardy, jvlcek, obarenbo, simaishi
Target Milestone: GAKeywords: Regression, TestOnly
Target Release: 5.8.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: auth:externalauth:openldap
Fixed In Version: 5.8.0.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1397105 1397516 (view as bug list) Environment:
Last Closed: 2017-06-12 17:17:48 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: CFME Core Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1397105, 1397516    

Description amogh 2016-11-11 23:21:27 UTC 
Description of problem:
when ext_auth configured with ldaps through sssd, groups retrieved as  "groupname"and not just as "groupname". This is observed in beta3(5.7.0.10) and not in previous builds (5.7.09-beta2)

Version-Release number of selected component (if applicable):
5.7.0.10-beta3.20161109111947_9a61b18

How reproducible:
always

Steps to Reproduce:
1. configure ext_auth with ldaps by configuring sssd.conf and ldap.conf
2. login as admin and retrieve ldaps user groups by "(Look up External Authentication Groups)"
3. Observe that groups retrieved as "groupname" and not "groupname"


Actual results:
when ext_auth configured with ldaps through sssd, groups retrieved are associated with "group@domain". This is observed in beta3(5.7.0.10) and not in 

Expected results:
groupnames are expected to list only the "groupname", which makes it easy to associate the already defined user groups, in case "Get user groupd from ldap" is unchecked.

Additional info:
Please see the Private comment for dbus command outputs.
Comment 3 Dave Johnson 2016-11-13 01:11:39 UTC 
Amogh, any idea if this is working in 5.6.z meaning is this a new regression that we just introduced?  If so, please add regression keyword to the keywords field.
Comment 4 amogh 2016-11-13 01:15:16 UTC 
Dave,

I observed this on 5.6.3 new build as well and this is not observed on previous 5.6 z. I can put the exact versions and outputs here.

Curious, if anything changed in authentication bits.
Comment 6 amogh 2016-11-15 04:34:47 UTC 
this issue seems to be introduced with RHEL upgrade to 7.3

Installed 5.6.2.2 appliance (RHEL 7.2) on which issue is not observed.

upgraded appliance OS to RHEL7.3, On this appliance Issue is reproducible.
Comment 7 amogh 2016-11-15 15:01:46 UTC 
The default cfme groups are unusable when using ext_auth with ldaps. However, new groups/non-default can be created and the user can login, as usergroups are matched.

CFME is usable when new groups(groupname) are added.
Comment 8 CFME Bot 2016-11-18 20:01:32 UTC 
https://github.com/ManageIQ/manageiq/pull/12752
Comment 9 CFME Bot 2016-11-21 15:01:54 UTC 
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/e5fe788844523fb720f55a68180dfccc7fa7c69b

commit e5fe788844523fb720f55a68180dfccc7fa7c69b
Author:     Joe VLcek <jvlcek>
AuthorDate: Fri Nov 18 14:38:16 2016 -0500
Commit:     Joe VLcek <jvlcek>
CommitDate: Fri Nov 18 15:28:48 2016 -0500

    Remove the FQDN from group names for ext auth.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1394425

 app/models/authenticator/httpd.rb       | 2 +-
 app/models/miq_group.rb                 | 6 +++++-
 spec/models/authenticator/httpd_spec.rb | 2 +-
 spec/models/miq_group_spec.rb           | 9 +++++++++
 4 files changed, 16 insertions(+), 3 deletions(-)
Comment 10 CFME Bot 2016-11-21 15:25:57 UTC 
New commit detected on ManageIQ/manageiq/euwe:
https://github.com/ManageIQ/manageiq/commit/0323f78f862bda2745bd1d443c99b173a7b90568

commit 0323f78f862bda2745bd1d443c99b173a7b90568
Author:     Gregg Tanzillo <gtanzill>
AuthorDate: Mon Nov 21 10:00:27 2016 -0500
Commit:     Oleg Barenboim <chessbyte>
CommitDate: Mon Nov 21 10:21:16 2016 -0500

    Merge pull request #12752 from jvlcek/bz1394425_domain
    
    Remove the FQDN from group names for ext auth.
    (cherry picked from commit 2f648343d0062cc8c2b35c2c56a0451d2670fb82)
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1394425

 app/models/authenticator/httpd.rb       | 2 +-
 app/models/miq_group.rb                 | 6 +++++-
 spec/models/authenticator/httpd_spec.rb | 2 +-
 spec/models/miq_group_spec.rb           | 9 +++++++++
 4 files changed, 16 insertions(+), 3 deletions(-)
Comment 13 Matt Pusateri 2017-01-27 22:05:01 UTC 
Is there a use case when using trusted forests, that you would want to display the @domain part to distinguish which forest or doamin the group is in?
Comment 14 Joe Vlcek 2017-03-16 13:18:11 UTC 
(In reply to Matt Pusateri from comment #13)
> Is there a use case when using trusted forests, that you would want to
> display the @domain part to distinguish which forest or doamin the group is
> in?

Let's focus this BZ on the original issue and provided resolution and
track the investigation of displaying the @domain when using trusted
forests separately here:
  https://www.pivotaltracker.com/n/projects/1610127/stories/141864057
Comment 15 Matt Pusateri 2017-05-16 20:10:40 UTC 
tested MIQLDAP FreeIPA(5.8.0.12-rc1) AD(5.8.0.11-beta2) Openldap(5.8.0.11-beta2) External Auth FreeIPA(5.8.0.12-rc1) AD(5.8.0.14-rc3) Openldap(5.8.0.14-rc3)