Bug 1397185
| Summary: | LDAP user can't run remote execution jobs | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | John Mitsch <jomitsch> | ||||
| Component: | Remote Execution | Assignee: | satellite6-bugs <satellite6-bugs> | ||||
| Status: | CLOSED DUPLICATE | QA Contact: | |||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | 6.2.4 | CC: | aupadhye, bbuckingham, brubisch, dhlavacd, inecas, jcallaha, mhulan, omankame, peter.vreman, prsharma, yundtj | ||||
| Target Milestone: | Unspecified | Keywords: | Triaged | ||||
| Target Release: | Unused | ||||||
| Hardware: | x86_64 | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2017-05-09 06:58:13 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 1122832 | ||||||
| Attachments: |
|
||||||
I don't think this is related to the LDAP. I think it's caused by the user not being in any organization/location. There's a BZ already for auto associating users to orgs/locs after creation. Moving to remote execution component, maybe it would be safe to load user ignoring the context but it needs more thinking. I confirm that the issue was a missing _explicit_ association on that user with an organization and location. Part of the failure is there by the fact that the UI does not allow to fix this, because once the user account is associated with any other resource in a org&loc then those are implicitly added and you cannot add it. I could fix it by trying to delete the user and then see that a certain host resource was associated with the user account. Then i fixed the owner of that host by clicking submit (the listed owner was already an other account, i do not know why the AD account was associated at all). Now with that implicit association out of the way i could associate the organization and location to the user. And now it works. The organization and location mismatch report did not mention this incorrect association of the user. Short summary, the implicit and explicit user auto association of organization and locations is the root cause and needs a some improvements to prevent this kind 'unknown why it does not work' things because the filters (in this case the select from the user table) returned empty once the taxonomy is included. The auth source can be now associated with organizations and locations. User is auto-assigned to these upon creation. This was tracked as BZ 1104822. Does that solve the issue for you? The association problem should be resolved by BZ 1238714 Marek, I can confirm that since 6.2.5 the fix BZ 1104822 with LDAP logins and the association with the location and organization on first login is working as expected and the Remote Execution can be used. This case can be closed as duplicate of BZ 1104822. Peter Thanks a lot for confirmation. *** This bug has been marked as a duplicate of bug 1104822 *** *** Bug 1455339 has been marked as a duplicate of this bug. *** |
Created attachment 1222473 [details] traceback Description of problem: A user from an ldap server who is mapped to a user group with administrator privileges can't run remote execution jobs. Version-Release number of selected component (if applicable): 6.2.4 and has been replicated on 6.2.2 as well How reproducible: %100 Steps to Reproduce: 1. Use an ldap server with a group and a user within that group (has been reproduced with both FreeIPA and Active Directory) 2. Create a user group in Satellite that is mapped to the external group in ldap, check the admin box in the 'roles' tab. 3. Setup the ldap authentication for that server in Satellite, be sure to select the 'Automatically create accounts in Satellite' and 'Usergroup sync' boxes. 4. Login into satellite with the ldap credentials 5. Make sure you are in both an Organization and Location. 6. Run a remote execution job on a host Actual results: Job fails with ERF42-4343 [Foreman::Exception]: Cannot resolve hosts without a user Expected results: Remote execution job is successful Additional info: - The job will run fine under 'Any Location' - Traceback is attached