Bug 1476980
| Summary: | AAA LDAP setup does not add baseDN to *-authn.properties | | |
|---|---|---|---|
| Product: | [oVirt] ovirt-engine-extension-aaa-ldap | Reporter: | Richard Chan <rc556677> |
| Component: | General | Assignee: | Ondra Machacek <omachace> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Gonza <grafuls> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 1.3.2 | CC: | bugs, lsvaty, michal.skrivanek, mmartinv, mperina, rc556677 |
| Target Milestone: | ovirt-4.1.6 | Keywords: | ZStream |
| Target Release: | 1.3.4 | Flags: | rule-engine: ovirt-4.1+, lsvaty: testing_ack+ |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | ovirt-engine-extension-aaa-ldap-1.3.4 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1485875 (view as bug list) | Environment: | |
| Last Closed: | 2017-09-19 10:01:43 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | Infra | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1482940 | | |
| Bug Blocks: | 1485875 | | |
Description
Richard Chan
2017-08-01 01:07:19 UTC
This is from a system upgrade 3.6->4.0-4.1. For some reason, the LDAP configuration for 3.6 didn't work (the simple_baseDN was set by using var_set in the aaa/ profile), so LDAP setup was run anew.

```
## this didn't work in 4.0/4.1 any more :-(
## 3.6 working config
## ran LDAP setup anew...
sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
sequence.my-basedn-init-vars.010.description = set baseDN
sequence.my-basedn-init-vars.010.type = var-set
sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
sequence.my-basedn-init-vars.010.var-set.value = dc=example,dc=com
```

There's no reason why AAA configuration from 3.6 stops working on 4.x; could you please provide logs with the issue?

When I delete the line

```
config.globals.baseDN.simple_baseDN = dc=example,dc=com
```

from extensions.d/example-authn.properties and extensions.d/example-authz.properties, and restore in aaa/example.properties

```
sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
sequence.my-basedn-init-vars.010.description = set baseDN
sequence.my-basedn-init-vars.010.type = var-set
sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
sequence.my-basedn-init-vars.010.var-set.value = dc=example,dc=com
```

my configuration now works. Can't reproduce the 3.6->4.1 issue now. This is a false alarm.

The original issue with a fresh 4.1 omitting `config.globals.baseDN.simple_baseDN = dc=example,dc=com` from extensions.d/example-authn.properties remains. Running the setup I cannot get the Login test to pass.

Can you please share the log?

Log from Login test during setup:

```
[root@ovirt extensions.d]# cat /tmp/tmpH3Ijdg/extensions.d/example.com-authn.properties
ovirt.engine.extension.name = example.com-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = example.com
ovirt.engine.aaa.authn.authz.plugin = example.com
config.profile.file.1 = ../aaa/example.com.properties

Executing login sequence...
Login output:
2017-08-01 21:35:40,842+08 INFO ========================================================================
2017-08-01 21:35:40,856+08 INFO ============================ Initialization ============================
2017-08-01 21:35:40,856+08 INFO ========================================================================
2017-08-01 21:35:40,867+08 INFO Loading extension 'example.com-authn'
2017-08-01 21:35:40,912+08 INFO Extension 'example.com-authn' loaded
2017-08-01 21:35:40,915+08 INFO Loading extension 'example.com'
2017-08-01 21:35:40,921+08 INFO Extension 'example.com' loaded
2017-08-01 21:35:40,922+08 INFO Initializing extension 'example.com-authn'
2017-08-01 21:35:40,923+08 INFO [ovirt-engine-extension-aaa-ldap.authn::example.com-authn] Creating LDAP pool 'authz'
2017-08-01 21:35:41,365+08 INFO [ovirt-engine-extension-aaa-ldap.authn::example.com-authn] LDAP pool 'authz' information: vendor='null' version='null'
2017-08-01 21:35:41,366+08 INFO [ovirt-engine-extension-aaa-ldap.authn::example.com-authn] Creating LDAP pool 'authn'
2017-08-01 21:35:41,626+08 INFO [ovirt-engine-extension-aaa-ldap.authn::example.com-authn] LDAP pool 'authn' information: vendor='null' version='null'
2017-08-01 21:35:41,640+08 INFO Extension 'example.com-authn' initialized
2017-08-01 21:35:41,641+08 INFO Initializing extension 'example.com'
2017-08-01 21:35:41,641+08 INFO [ovirt-engine-extension-aaa-ldap.authz::example.com] Creating LDAP pool 'authz'
2017-08-01 21:35:41,864+08 INFO [ovirt-engine-extension-aaa-ldap.authz::example.com] LDAP pool 'authz' information: vendor='null' version='null'
2017-08-01 21:35:41,868+08 INFO [ovirt-engine-extension-aaa-ldap.authz::example.com] Available Namespaces: [dc=example,dc=com]
2017-08-01 21:35:41,869+08 INFO Extension 'example.com' initialized
2017-08-01 21:35:41,869+08 INFO Start of enabled extensions list
2017-08-01 21:35:41,869+08 INFO Instance name: 'example.com-authn', Extension name: 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.3.2', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.3.2-1.el7.centos', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/tmp/tmpH3Ijdg/extensions.d/example.com-authn.properties', Initialized: 'true'
2017-08-01 21:35:41,869+08 INFO Instance name: 'example.com', Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.3.2', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.3.2-1.el7.centos', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/tmp/tmpH3Ijdg/extensions.d/example.com-authz.properties', Initialized: 'true'
2017-08-01 21:35:41,870+08 INFO End of enabled extensions list
2017-08-01 21:35:41,870+08 INFO ========================================================================
2017-08-01 21:35:41,870+08 INFO ============================== Execution ===============================
2017-08-01 21:35:41,870+08 INFO ========================================================================
2017-08-01 21:35:41,870+08 INFO Iteration: 0
2017-08-01 21:35:41,871+08 INFO Profile='example.com' authn='example.com-authn' authz='example.com' mapping='null'
2017-08-01 21:35:41,871+08 INFO API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='example.com' user='testuser'
2017-08-01 21:35:41,875+08 INFO API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='example.com' result=CREDENTIALS_INVALID
2017-08-01 21:35:41,876+08 SEVERE Authn.Result code is: CREDENTIALS_INVALID
Login sequence failed
Please investigate details of the failure (search for lines containing SEVERE log level).
```

On OpenLDAP, 'dc=my-domain,dc=com' is another root DN on the same OpenLDAP server used as a testing ground:

```
Aug 01 21:35:41 piston.tbs slapd[3779]: conn=20555 op=2 SRCH base="dc=my-domain,dc=com" scope=2 deref=0 filter="(&(objectClass=uidObject)(uid=*)(uid=testuser))"
```

This OpenLDAP server has two root DNs, which setup detects and offers during:

```
Please enter base DN (dc=my-domain,dc=com,dc=example,dc=com) [dc=my-domain,dc=com]: dc=example,dc=com
```

It saves the correct baseDN in -authz but not in -authn.

Before the Login test, if I manually edit /tmp/tmpHzr1iT/extensions.d/example.com-authn.properties to add

```
config.globals.baseDN.simple_baseDN = o=TreeBox,c=SG
```

then the Login test works.

Sorry, the testing baseDN should be dc=example,dc=com; I sent the logs from the wrong system.

Right, I've just reproduced it, thanks a lot, I will send a fix.

Karma +1: I have tested the patch in https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=commit;h=860a2add012370b660afc40b3409641f829cb7c5 and can confirm that it fixes my issue. Thank you.

Fix is going to be delivered in ovirt-engine-extension-aaa-ldap-1.3.3.

Retargeting to ovirt-4.1.6.

Fix is included in ovirt-engine-extension-aaa-ldap-1.3.4.

Verified with: ovirt-engine-extension-aaa-ldap-setup-1.3.5-0.0.master.git7230cd9.el7.centos.noarch

```
# cat /etc/ovirt-engine/extensions.d/brq-openldap.com-authn.properties
...
config.globals.baseDN.simple_baseDN = dc=brq-openldap,dc=com
```
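A configuration check along the lines of what this thread describes, as an added example that is not oVirt's own code and not part of the bug: it walks an extensions.d directory, resolves the baseDN each *-authn/*-authz file ends up with (either directly via config.globals.baseDN.simple_baseDN, or through a var-set step in the aaa/ profile that config.profile.file.N points at, the 3.6-era pattern from the report) and flags profiles where a side has no baseDN at all or where authn and authz disagree. The sample tree it builds is constructed for the demo; apart from the key names taken from the thread, its contents are not from the bug.

```python
"""Audit oVirt AAA LDAP extension files for a missing or inconsistent simple_baseDN.

Added example, not oVirt's code. Assumes the layout seen in the bug:
extensions.d/<profile>-authn.properties and <profile>-authz.properties, each
referencing ../aaa/<profile>.properties via config.profile.file.N.
"""
import os
import re
import tempfile

BASEDN_KEY = "config.globals.baseDN.simple_baseDN"
# sequence.<seq>.<step>.var-set.variable / .value, as in the 3.6-style profile.
VARSET_RE = re.compile(r"^sequence\.(?P<seq>[^.]+)\.(?P<step>\d+)\.var-set\.(?P<what>variable|value)$")


def parse_properties(path):
    """Minimal Java .properties reader: 'key = value' lines, '#'/'!' comments, no escapes."""
    props = {}
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith(("#", "!")):
                continue
            sep = "=" if "=" in line else ":"
            key, _, value = line.partition(sep)
            props[key.strip()] = value.strip()
    return props


def basedn_from_profile(profile_props):
    """baseDN a profile file supplies: a var-set step assigning simple_baseDN, or the key itself."""
    steps = {}
    for key, value in profile_props.items():
        m = VARSET_RE.match(key)
        if m:
            steps.setdefault((m["seq"], m["step"]), {})[m["what"]] = value
    for step in steps.values():
        if step.get("variable") == "simple_baseDN" and step.get("value"):
            return step["value"]
    return profile_props.get(BASEDN_KEY)


def effective_basedn(ext_path):
    """Resolve the baseDN an extension file ends up with and where it came from."""
    props = parse_properties(ext_path)
    if props.get(BASEDN_KEY):
        return props[BASEDN_KEY], "extension"
    ext_dir = os.path.dirname(ext_path)
    for key, value in sorted(props.items()):
        if key.startswith("config.profile.file."):
            profile_path = os.path.normpath(os.path.join(ext_dir, value))
            if os.path.exists(profile_path):
                dn = basedn_from_profile(parse_properties(profile_path))
                if dn:
                    return dn, "profile"
    return None, None


def audit_extensions(ext_dir):
    """Return (profile, problem, {'authn': dn, 'authz': dn}) for every misconfigured profile."""
    findings = []
    names = os.listdir(ext_dir)
    profiles = sorted(n[: -len("-authn.properties")] for n in names if n.endswith("-authn.properties"))
    for profile in profiles:
        sides = {}
        for side in ("authn", "authz"):
            path = os.path.join(ext_dir, f"{profile}-{side}.properties")
            sides[side] = effective_basedn(path)[0] if os.path.exists(path) else None
        if sides["authn"] is None or sides["authz"] is None:
            findings.append((profile, "missing simple_baseDN", sides))
        elif sides["authn"] != sides["authz"]:
            findings.append((profile, "authn/authz baseDN mismatch", sides))
    return findings


def _write(path, text):
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def build_demo_tree():
    """Constructed sample tree: one profile showing the bug, one 3.6-style profile that is fine."""
    root = tempfile.mkdtemp(prefix="aaa-ldap-demo-")
    ext, aaa = os.path.join(root, "extensions.d"), os.path.join(root, "aaa")
    os.makedirs(ext)
    os.makedirs(aaa)
    common = "config.profile.file.1 = ../aaa/{p}.properties\n"
    # Buggy setup output: authz received the baseDN, authn did not.
    _write(os.path.join(ext, "example.com-authn.properties"),
           "ovirt.engine.extension.name = example.com-authn\n" + common.format(p="example.com"))
    _write(os.path.join(ext, "example.com-authz.properties"),
           "ovirt.engine.extension.name = example.com-authz\n" + common.format(p="example.com")
           + f"{BASEDN_KEY} = dc=example,dc=com\n")
    _write(os.path.join(aaa, "example.com.properties"), "# constructed profile without any baseDN\n")
    # 3.6-style profile: baseDN injected by a var-set step, so both sides resolve it.
    _write(os.path.join(ext, "legacy-authn.properties"), common.format(p="legacy"))
    _write(os.path.join(ext, "legacy-authz.properties"), common.format(p="legacy"))
    _write(os.path.join(aaa, "legacy.properties"),
           "sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars\n"
           "sequence.my-basedn-init-vars.010.type = var-set\n"
           "sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN\n"
           "sequence.my-basedn-init-vars.010.var-set.value = dc=example,dc=com\n")
    return ext


def demo():
    """Run the audit over the constructed tree; only 'example.com' should be reported."""
    return audit_extensions(build_demo_tree())


if __name__ == "__main__":
    for profile, problem, sides in demo():
        print(f"{profile}: {problem} {sides}")
```

Pointing audit_extensions() at /etc/ovirt-engine/extensions.d on an affected engine would report the authn side without a baseDN the same way the Login test in the thread failed; a profile that sets simple_baseDN through the 3.6-style var-set step passes, which matches the reporter's observation that restoring that step made the configuration work again.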