Bug 1445405

Summary: No valid bind credentials when not using "get groups from LDAP"
Product: Red Hat CloudForms Management Engine
Reporter: Matt Pusateri <mpusater>
Component: Appliance
Assignee: Joe Vlcek <jvlcek>
Status: CLOSED DUPLICATE
QA Contact: Matt Pusateri <mpusater>
Severity: high
Priority: high
Version: 5.8.0
CC: abellott, cpelland, fedora, jhardy, mpusater, obarenbo, yrudman
Target Milestone: GA
Target Release: cfme-future
Hardware: Unspecified
OS: Unspecified
Whiteboard: auth:miqldap:ad:freeipa:openldap
Last Closed: 2017-07-17 13:41:48 UTC
Type: Bug
Cloudforms Team: CFME Core

Attachments:
  EVM Log (flags: none)
  Audit log (flags: none)

Description Matt Pusateri 2017-04-25 15:26:58 UTC
Description of problem:

Auth - MIQLDAP - AD, FreeIPA, OpenLDAP - No valid bind credentials when not using "get groups from LDAP". When you don't use "get groups from LDAP" and you set a default group, the user can't log in b/c there are no bind credentials, which normally get set up in "get groups from LDAP". The user's creds should be used to bind. The user has not logged in, and the user is not in the UI or a custom group, but the default group should account for that. Even if the user is added to the UI and given a group or custom group, binding still fails.


Version-Release number of selected component (if applicable):
5.8.0.11-beta2, I suspect 5.6 and 5.7 as well since I never tested this scenario

How reproducible:


Steps to Reproduce:
1. Configure MIQLDAP LDAP/LDAPS
2. Do not check "get groups from ldap"
3. Specify a default group
4. Try logging in with a user --> Login fails
5. Add the user to the webUI and assign a group --> Login still fails

Actual results:
Login fails

Expected results:

Login should succeed. 

Additional info:

It appears what is happening is that authentication is successful as far as validating the user/password combination. But the user record cannot be created b/c there is no valid bind user, as we normally specify a bind user when we use "get groups from ldap". In this case we should just bind as the user themselves.

[----] I, [2017-04-25T11:27:26.839452 #2947:c319b4]  INFO -- : <AuditSuccess> MIQ(Authenticator.authenticate) userid: [ldapuser2] - User uid=ldapuser2,cn=users,cn=accounts,dc=cfme,dc=lab,dc=eng,dc=rdu2,dc=redhat,dc=com successfully validated by LDAP
[----] I, [2017-04-25T11:27:26.841788 #2947:c319b4]  INFO -- : MIQ(Authenticator::Ldap#find_external_identity) Bind DN: []
[----] I, [2017-04-25T11:27:26.841939 #2947:c319b4]  INFO -- : MIQ(Authenticator::Ldap#find_external_identity)  User FQDN: [uid=ldapuser2,cn=users,cn=accounts,dc=cfme,dc=lab,dc=eng,dc=rdu2,dc=redhat,dc=com]
[----] I, [2017-04-25T11:27:26.842575 #2947:c319b4]  INFO -- : MIQ(MiqLdap#initialize) Server Settings: {:basedn=>nil, :bind_dn=>nil, :bind_pwd=>nil, :bind_timeout=>30, :follow_referrals=>false, :get_direct_groups=>true, :group_memberships_max_depth=>2, :ldaphost=>["cfme-rhel7-ipa.cfme.lab.eng.rdu2.redhat.com"], :ldapport=>"636", :mode=>"ldaps", :search_timeout=>30, :user_suffix=>"cn=users,cn=accounts,dc=cfme,dc=lab,dc=eng,dc=rdu2,dc=redhat,dc=com", :user_type=>"dn-uid", :amazon_key=>nil, :amazon_secret=>nil, :default_group_for_users=>"EvmGroup-user", :local_login_disabled=>false, :saml_enabled=>false, :sso_enabled=>false, :user_proxies=>[{}], :httpd_role=>false, :amazon_role=>false, :ldap_role=>false}
[----] I, [2017-04-25T11:27:26.844711 #2947:c319b4]  INFO -- : MiqLdap.connection: Resolved host [cfme-rhel7-ipa.cfme.lab.eng.rdu2.redhat.com] has these IP Address: ["10.8.58.41"]
[----] I, [2017-04-25T11:27:26.844793 #2947:c319b4]  INFO -- : MiqLdap.connection: Connecting to IP Address [10.8.58.41]
[----] I, [2017-04-25T11:27:26.845909 #2947:c319b4]  INFO -- : options: {:auth=>{:basedn=>nil, :bind_dn=>nil, :bind_pwd=>nil, :bind_timeout=>30, :follow_referrals=>false, :get_direct_groups=>true, :group_memberships_max_depth=>2, :ldaphost=>["cfme-rhel7-ipa.cfme.lab.eng.rdu2.redhat.com"], :ldapport=>"636", :mode=>"ldaps", :search_timeout=>30, :user_suffix=>"cn=users,cn=accounts,dc=cfme,dc=lab,dc=eng,dc=rdu2,dc=redhat,dc=com", :user_type=>"dn-uid", :amazon_key=>nil, :amazon_secret=>nil, :default_group_for_users=>"EvmGroup-user", :local_login_disabled=>false, :saml_enabled=>false, :sso_enabled=>false, :user_proxies=>[{}], :httpd_role=>false, :amazon_role=>false, :ldap_role=>false}, :host=>"10.8.58.41", :port=>"636", :encryption=>{:method=>:simple_tls}}
[----] I, [2017-04-25T11:27:26.846057 #2947:c319b4]  INFO -- : MIQ(MiqLdap#bind) Binding to LDAP: Host: [10.8.58.41], User: []...
[----] E, [2017-04-25T11:27:26.859144 #2947:c319b4] ERROR -- : MIQ(MiqLdap#bind) Binding to LDAP: Host: [10.8.58.41], User: [], 'Invalid binding information'
[----] E, [2017-04-25T11:27:26.865275 #2947:c319b4] ERROR -- : [NoMethodError]: undefined method `get_user_object' for nil:NilClass  Method:[rescue in authenticate]
[----] E, [2017-04-25T11:27:26.865564 #2947:c319b4] ERROR -- : /var/www/miq/vmdb/app/models/authenticator/ldap.rb:87:in `find_external_identity'
/var/www/miq/vmdb/app/models/authenticator/ldap.rb:94:in `userprincipal_for'
/var/www/miq/vmdb/app/models/authenticator/ldap.rb:34:in `find_or_create_by_ldap'
/var/www/miq/vmdb/app/models/authenticator/ldap.rb:9:in `lookup_by_identity'
/var/www/miq/vmdb/app/models/authenticator.rb:68:in `authenticate'
/var/www/miq/vmdb/app/models/user.rb:155:in `authenticate'
/var/www/miq/vmdb/app/controllers/api/base_controller/authentication.rb:20:in `block in require_api_user_or_token'
/opt/rh/cfme-gemset/gems/actionpack-5.0.2/lib/action_controller/metal/http_authentication.rb:97:in `authenticate'
/opt/rh/cfme-gemset/gems/actionpack-5.0.2/lib/action_controller/metal/http_authentication.rb:87:in `authenticate_with_http_basic'
/var/www/miq/vmdb/app/controllers/api/base_controller/authentication.rb:20:in `require_api_user_or_token'
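
To make the failure mode in the "Additional info" concrete, here is an added Ruby example that is not CFME/ManageIQ code and does not use the project's classes. It models the two steps visible in the log: the user's password is validated first, then a second bind is made for the directory lookup. With no service bind DN configured (the `:bind_dn=>nil` seen in the Server Settings hash), the original selection binds with an empty DN and the server rejects it ("Invalid binding information"); the alternative the report proposes falls back to the user's own, already-validated DN and password. The in-memory directory, the `dc=example,dc=test` DNs, the service-account entry, the `BindError` class and the `fake_ldap_bind` stand-in are all constructed for this example; the lookup also returns a result hash instead of letting a nil propagate into a `NoMethodError` as in the stack trace.

```ruby
# Added example, not CFME/ManageIQ code. Models bind-credential selection for
# the post-authentication directory lookup described in this bug.

# Constructed in-memory directory: DN => password. Not a real LDAP server.
FAKE_DIRECTORY = {
  "uid=ldapuser2,cn=users,cn=accounts,dc=example,dc=test" => "correct-horse",
  "uid=svc-cfme,cn=users,cn=accounts,dc=example,dc=test"  => "svc-secret",
}.freeze

class BindError < StandardError; end

# Constructed stand-in for a simple LDAP bind: an empty DN is rejected (the
# "Invalid binding information" failure in the log); otherwise the password
# must match the directory entry.
def fake_ldap_bind(dn, password)
  raise BindError, "Invalid binding information" if dn.nil? || dn.empty?
  raise BindError, "Invalid credentials" unless FAKE_DIRECTORY[dn] == password
  true
end

# Original behaviour as reported: always bind with the service account from
# the settings, which is nil when no bind user has been configured.
def bind_credentials_buggy(settings, _user_dn, _user_password)
  [settings[:bind_dn], settings[:bind_pwd]]
end

# Behaviour the report proposes: use the service account when one is
# configured, otherwise bind as the user whose password was just validated.
def bind_credentials_fixed(settings, user_dn, user_password)
  if settings[:bind_dn].to_s.empty?
    [user_dn, user_password]
  else
    [settings[:bind_dn], settings[:bind_pwd]]
  end
end

# Look up the external identity using the chosen credentials. Returns a Hash
# describing the outcome so callers never dereference nil on failure.
def find_external_identity(settings, user_dn, user_password, chooser)
  dn, pwd = chooser.call(settings, user_dn, user_password)
  fake_ldap_bind(dn, pwd)
  { ok: true, bound_as: dn, group: settings[:default_group_for_users] }
rescue BindError => e
  { ok: false, bound_as: dn, error: e.message }
end

# Settings shaped like the log's Server Settings hash, for the two cases.
NO_BIND_USER_SETTINGS = {
  :bind_dn => nil, :bind_pwd => nil, :default_group_for_users => "EvmGroup-user",
}.freeze
WITH_BIND_USER_SETTINGS = {
  :bind_dn => "uid=svc-cfme,cn=users,cn=accounts,dc=example,dc=test",
  :bind_pwd => "svc-secret", :default_group_for_users => "EvmGroup-user",
}.freeze

USER_DN = "uid=ldapuser2,cn=users,cn=accounts,dc=example,dc=test"

# Runs both selection strategies against the no-bind-user settings.
def demo
  {
    buggy: find_external_identity(NO_BIND_USER_SETTINGS, USER_DN, "correct-horse",
                                  method(:bind_credentials_buggy)),
    fixed: find_external_identity(NO_BIND_USER_SETTINGS, USER_DN, "correct-horse",
                                  method(:bind_credentials_fixed)),
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, result| puts "#{name}: #{result.inspect}" }
end
```

The fallback only reuses a password that the first step has already validated against the same directory, and it is skipped entirely when a service bind DN is present, so configurations that do use "get groups from LDAP" keep binding with their service account.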

Comment 2 Matt Pusateri 2017-04-25 15:28:43 UTC
Created attachment 1273952 [details]
EVM Log

Comment 3 Matt Pusateri 2017-04-25 15:29:27 UTC
Created attachment 1273953 [details]
Audit log

Comment 4 Matt Pusateri 2017-04-25 15:43:05 UTC
See related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1445413

Comment 5 Matt Pusateri 2017-04-25 16:08:48 UTC
And two other bugs that are related:

https://bugzilla.redhat.com/show_bug.cgi?id=1445421
https://bugzilla.redhat.com/show_bug.cgi?id=1445427

Comment 6 Gregg Tanzillo 2017-06-01 21:25:35 UTC
Looking at the log message above that dumps the LDAP settings, it appears that "get groups from LDAP" is actually checked (:get_direct_groups=>true). In that case I would expect it to try to go out to the directory and look up the user and groups.

Can you double check this and let me know if it's still an issue.

Comment 7 Matt Pusateri 2017-06-02 13:53:29 UTC
I'll have to try to recreate as this system is long gone.

Comment 8 Joe Vlcek 2017-07-17 13:41:48 UTC

*** This bug has been marked as a duplicate of bug 1442791 ***