Bug 1399845

Summary: RHQ 4.14.0 fails getting LDAP groups in authentication
Product: [Other] RHQ Project
Reporter: Henry Molina <hmolinab>
Component: Configuration, Core Server
Assignee: RHQ Project Maintainer <rhq-maint>
Status: CLOSED NOTABUG
QA Contact: Mike Foley <mfoley>
Severity: low
Priority: unspecified
Version: unspecified
CC: hrupp
Hardware: All
OS: Linux
Last Closed: 2016-11-30 12:54:47 UTC
Type: Bug

Description Henry Molina 2016-11-29 21:43:49 UTC
Hi All,

I have RHQ 4.14.0 + LDAP and the role mapping is failing.

The RHQ log for login action:

17:12:05,065 INFO  [org.rhq.enterprise.server.auth.SubjectManagerBean] (http-/0.0.0.0:7080-13) Letting in user [hmolina]  without any assigned roles.
17:12:05,297 INFO  [org.rhq.enterprise.server.auth.SubjectManagerBean] (http-/0.0.0.0:7080-13) Letting in user [hmolina]  without any assigned roles.
17:12:06,851 INFO  [org.rhq.enterprise.server.auth.SubjectManagerBean] (http-/0.0.0.0:7080-3) Letting in user [hmolina]  without any assigned roles.

The LDAP log for RHQ group search:

[29/Nov/2016:17:12:06 -0300] conn=1272 op=1 SRCH base="cn=accounts,dc=example,dc=com" scope=2 filter="(&(objectClass=groupOfNames)(member=hmolina))" attrs="cn description"

The TestLdapSetting.jar tool shows the following LDAP search with the same settings:

STEP-4:TESTING: Using Group Search Filter '(&(objectclass=groupOfNames)(member=uid=hmolina,cn=users,cn=accounts,dc=example,dc=com))', 4 ldap group(s) were located.

The LDAP log for TestLdapSetting.jar group search:

[29/Nov/2016:17:48:39 -0300] conn=1395 op=1 SRCH base="cn=accounts,dc=example,dc=com" scope=2 filter="(&(objectClass=groupOfNames)(member=uid=hmolina,cn=users,cn=accounts,dc=example,dc=com))" attrs="cn description"

In short, RHQ has truncated the filter.

Right filter (TestLdapSetting.jar):
'(&(objectclass=groupOfNames)(member=uid=hmolina,cn=users,cn=accounts,dc=example,dc=com))'

Wrong filter (RHQ):
"(&(objectClass=groupOfNames)(member=hmolina))"

Regards,

Henry.

Comment 1 Henry Molina 2016-11-30 12:54:47 UTC
Solved.

LDAP groups work fine for non-POSIX groups.
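
Added example (not part of the original report and not RHQ code): a Python sketch that scans directory-server access-log lines in the format quoted in the description and flags group searches whose member assertion is a bare login name instead of a DN, which is the difference between the two filters in the report. The function names, the attribute list and the DN heuristic are assumptions; the sample input is the two SRCH lines quoted above.

```python
import re

# Sample input: the two SRCH lines quoted in the report above.
SAMPLE_LOG = '''\
[29/Nov/2016:17:12:06 -0300] conn=1272 op=1 SRCH base="cn=accounts,dc=example,dc=com" scope=2 filter="(&(objectClass=groupOfNames)(member=hmolina))" attrs="cn description"
[29/Nov/2016:17:48:39 -0300] conn=1395 op=1 SRCH base="cn=accounts,dc=example,dc=com" scope=2 filter="(&(objectClass=groupOfNames)(member=uid=hmolina,cn=users,cn=accounts,dc=example,dc=com))" attrs="cn description"
'''

# Access-log SRCH record in the format shown in the report.
SRCH_RE = re.compile(
    r'conn=(?P<conn>\d+) op=\d+ SRCH base="[^"]*" scope=\d+ filter="(?P<filter>[^"]*)"')
# One simple attr=value assertion inside an LDAP filter string.
ASSERT_RE = re.compile(r'\((?P<attr>[A-Za-z][\w;.-]*)=(?P<value>[^()]*)\)')
# Heuristic for one RDN such as uid=hmolina (assumption, not a full RFC 4514 parser).
RDN_RE = re.compile(r'^\s*[A-Za-z][\w.-]*\s*=.+$')
# Membership attributes whose values use DN syntax (assumed list).
DN_MEMBER_ATTRS = {"member", "uniquemember"}


def looks_like_dn(value):
    """True if every comma-separated component has the attr=value shape."""
    parts = re.split(r'(?<!\\),', value)  # split on unescaped commas only
    return all(RDN_RE.match(p) for p in parts)


def audit_group_searches(log_text):
    """Return (conn, attr, value, is_dn) for each membership assertion found."""
    results = []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if not m:
            continue  # not a SRCH record
        for a in ASSERT_RE.finditer(m.group("filter")):
            if a.group("attr").lower() in DN_MEMBER_ATTRS:
                value = a.group("value")
                results.append(
                    (m.group("conn"), a.group("attr"), value, looks_like_dn(value)))
    return results


if __name__ == "__main__":
    for conn, attr, value, is_dn in audit_group_searches(SAMPLE_LOG):
        verdict = "ok (DN)" if is_dn else "SUSPECT: bare name in a DN-valued attribute"
        print(f"conn={conn} {attr}={value!r}: {verdict}")
```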