Bug 1484016

Summary: LDAP Authentication when filtered with AD Universal Groups fails to authenticate external users
Product: Red Hat Satellite
Reporter: Nagoor Shaik <nshaik>
Component: LDAP
Assignee: Daniel Lobato Garcia <dlobatog>
Status: CLOSED DUPLICATE
QA Contact: Katello QA List <katello-qa-list>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 6.2.11
CC: bkearney, mhulan, nshaik, stran
Target Milestone: Unspecified
Target Release: Unused
Hardware: All
OS: Linux
URL: http://projects.theforeman.org/issues/16231
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-09-11 09:57:21 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Nagoor Shaik 2017-08-22 13:13:20 UTC
Description of problem:
LDAP Authentication when filtered with Universal Groups fails to authenticate users

Version-Release number of selected component (if applicable):
Satellite 6.2.11

How reproducible:
100%

Steps to Reproduce:
1. Create User Groups in Active Directory as follows

Sat6-Admins   -----> user1 is a member of this Admins group
Sat6-Viewers  -----> user2 is a member of this Viewers group
Sat6-Groups   -----> This is a universal group, i.e. Sat6-Admins and Sat6-Viewers are members of it.

2. Create an LDAP Authentication on the WebUI and specify the LDAP filter as below

(&(objectCategory=person)(objectclass=user)(memberOf=CN=Sat6-Groups,OU=RedHat-GSS,DC=lab,DC=example,DC=com))

3. Now user1 and user2 are unable to authenticate in Satellite 

Actual results:
The LDAP filter configured on the nested group is causing an issue, as it doesn't recognize the second-level members.

Expected results:
Nested groups should be supported and users who are members of nested groups should be able to authenticate with Satellite 6.

Additional info:

irb(main):036:0> AuthSourceLdap.all
=> #<ActiveRecord::Relation [#<AuthSourceLdap id: 3, type: "AuthSourceLdap", name: "AD Authentication", host: "windows.lab.example.com", port: 389, account: "LAB\\sat6svc", account_password: "encrypted-OVBnTElURm1pVmd6Q09BMHMzM25ZR1RWZHVobDEx...", base_dn: "DC=lab,DC=example,DC=com", attr_login: "sAMAccountName", attr_firstname: "givenName", attr_lastname: "sn", attr_mail: "mail", onthefly_register: true, tls: false, created_at: "2017-08-16 14:11:49", updated_at: "2017-08-21 09:24:04", ldap_filter: "(&(objectCategory=person)(objectclass=user)(member...", attr_photo: "", server_type: "active_directory", groups_base: "DC=lab,DC=example,DC=com", usergroup_sync: true>]>

irb(main):002:0> source_now = AuthSourceLdap.find_by_id(3)
=> #<AuthSourceLdap id: 3, type: "AuthSourceLdap", name: "AD Authentication", host: "windows.lab.example.com", port: 389, account: "LAB\\sat6svc", account_password: "encrypted-OVBnTElURm1pVmd6Q09BMHMzM25ZR1RWZHVobDEx...", base_dn: "DC=lab,DC=example,DC=com", attr_login: "sAMAccountName", attr_firstname: "givenName", attr_lastname: "sn", attr_mail: "mail", onthefly_register: true, tls: false, created_at: "2017-08-16 14:11:49", updated_at: "2017-08-21 09:24:04", ldap_filter: "(&(objectCategory=person)(objectclass=user)(member...", attr_photo: "", server_type: "active_directory", groups_base: "DC=lab,DC=example,DC=com", usergroup_sync: true>

irb(main):003:0> conn = source_now.ldap_con
Successfully decrypted field for AuthSourceLdap AD Authentication
=> #<LdapFluff:0x0000000c3be5c8 @ldap=#<LdapFluff::ActiveDirectory:0x0000000c3bd4c0 @ldap=#<Net::LDAP:0x0000000c3bd470 @host="windows.lab.example.com", @port=389, @hosts=nil, @verbose=false, @auth={:method=>:anonymous}, @base="DC=lab,DC=example,DC=com", @force_no_page=false, @encryption=nil, @connect_timeout=nil, @instrumentation_service=ActiveSupport::Notifications, @open_connection=nil>, @bind_user="LAB\\sat6svc", @bind_pass="p@55w0Rd1", @anon=false, @attr_login="sAMAccountName", @base="DC=lab,DC=example,DC=com", @group_base="DC=lab,DC=example,DC=com", @member_service=#<LdapFluff::ActiveDirectory::MemberService:0x0000000c3bd448 @attr_login="sAMAccountName", @ldap=#<Net::LDAP:0x0000000c3bd470 @host="windows.lab.example.com", @port=389, @hosts=nil, @verbose=false, @auth={:method=>:anonymous}, @base="DC=lab,DC=example,DC=com", @force_no_page=false, @encryption=nil, @connect_timeout=nil, @instrumentation_service=ActiveSupport::Notifications, @open_connection=nil>, @base="DC=lab,DC=example,DC=com", @group_base="DC=lab,DC=example,DC=com", @search_filter=#<Net::LDAP::Filter:0x0000000c3bc278 @op=:and, @left=#<Net::LDAP::Filter:0x0000000c3bc2a0 @op=:and, @left=#<Net::LDAP::Filter:0x0000000c3bcb60 @op=:eq, @left="objectCategory", @right="person">, @right=#<Net::LDAP::Filter:0x0000000c3bc5e8 @op=:eq, @left="objectclass", @right="user">>, @right=#<Net::LDAP::Filter:0x0000000c3bc340 @op=:eq, @left="memberOf", @right="CN=Sat6-Groups,OU=RedHat-GSS,DC=lab,DC=example,DC=com">>>>, @instrumentation_service=ActiveSupport::Notifications>

irb(main):004:0> conn.valid_user?('user1')
=> false

irb(main):004:0> conn.valid_user?('user2')
=> false

irb(main):004:0> conn.valid_group?('Sat6-Admins')
=> true

irb(main):004:0> conn.valid_group?('Sat6-Viewers')
=> true

So it basically recognizes the Groups, but not members of the nested groups.
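Added example (not from the bug report, Foreman or ldap_fluff): a small in-memory Ruby model of the group layout above, showing why the flat memberOf filter returns neither user and how the Active Directory matching rule LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) lets the same filter match nested members. The user DNs and the evaluator are assumptions; only the group names and the filter come from the report.

```ruby
require "set"

BASE      = "DC=lab,DC=example,DC=com"
GROUPS_OU = "OU=RedHat-GSS,#{BASE}"
TARGET    = "CN=Sat6-Groups,#{GROUPS_OU}"   # the group named in the report's filter

# Constructed directory modelled on the report: each entry's memberOf holds only
# its DIRECT groups, which is what AD stores and what "(memberOf=...)" compares.
# The user DNs are assumptions; only the group names are taken from the report.
DIRECTORY = {
  "CN=user1,#{BASE}"             => { category: "person", oclass: "user",
                                       memberOf: ["CN=Sat6-Admins,#{GROUPS_OU}"] },
  "CN=user2,#{BASE}"             => { category: "person", oclass: "user",
                                       memberOf: ["CN=Sat6-Viewers,#{GROUPS_OU}"] },
  "CN=Sat6-Admins,#{GROUPS_OU}"  => { oclass: "group", memberOf: [TARGET] },
  "CN=Sat6-Viewers,#{GROUPS_OU}" => { oclass: "group", memberOf: [TARGET] },
  TARGET                         => { oclass: "group", memberOf: [] },
}

# What "(memberOf=<group>)" evaluates: direct membership only.
def direct_member?(dn, group_dn)
  DIRECTORY.fetch(dn)[:memberOf].include?(group_dn)
end

# What "(memberOf:1.2.840.113556.1.4.1941:=<group>)" evaluates: the server walks
# the memberOf chain. The visited set guards against circular nesting.
def chain_member?(dn, group_dn, seen = Set.new)
  return false unless seen.add?(dn)
  DIRECTORY.fetch(dn)[:memberOf].any? { |g| g == group_dn || chain_member?(g, group_dn, seen) }
end

def person?(dn)
  e = DIRECTORY.fetch(dn)
  e[:category] == "person" && e[:oclass] == "user"
end

# The nested-aware form of the report's filter, as the string an admin would enter.
def chain_filter(group_dn)
  "(&(objectCategory=person)(objectclass=user)(memberOf:1.2.840.113556.1.4.1941:=#{group_dn}))"
end

# Logins (CN) of users each filter mode would return when evaluated over DIRECTORY.
def users_matching(mode, group_dn = TARGET)
  test = mode == :chain ? method(:chain_member?) : method(:direct_member?)
  DIRECTORY.keys.select { |dn| person?(dn) && test.call(dn, group_dn) }
           .map { |dn| dn[/\ACN=([^,]+)/, 1] }
end
# users_matching(:flat)  => []                  (neither user is a direct member)
# users_matching(:chain) => ["user1", "user2"]
```

Whether a given Satellite version's LDAP filter field accepts the extended-match syntax is not established by this report; the model only shows what each filter form asks the directory server to evaluate.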

Comment 3 Marek Hulan 2017-09-05 16:47:56 UTC
Hello Nagoor, could you please check whether this is a dup of https://bugzilla.redhat.com/show_bug.cgi?id=1385744

Comment 4 Nagoor Shaik 2017-09-11 09:57:21 UTC

*** This bug has been marked as a duplicate of bug 1385744 ***