Bug 1486041

Summary: Unable to login to new user account when it contains one or more uppercase character(s)
Product: Red Hat CloudForms Management Engine
Reporter: Landon LaSmith <llasmith>
Component: Appliance
Assignee: Joe Vlcek <jvlcek>
Status: CLOSED ERRATA
QA Contact: Matt Pusateri <mpusater>
Severity: medium
Docs Contact:
Priority: high
Version: 5.8.0
CC: abellott, ansinha, apagac, dajohnso, jhardy, jvlcek, mkourim, mpusater, obarenbo, simaishi
Target Milestone: GA
Keywords: Regression
Target Release: 5.9.0
Hardware: All
OS: All
Whiteboard: auth:db
Fixed In Version: 5.9.0.1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-03-01 13:16:22 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Landon LaSmith 2017-08-28 20:14:07 UTC
Description of problem: After creating a new user account that contains one or more uppercase letters, that account is unable to log in via the webui or authenticate using the API


Version-Release number of selected component (if applicable): 5.8.2.0


How reproducible: 100%


Steps to Reproduce:
1. Login to the webui as 'admin'
2. Create a new user account with a username that contains at least one uppercase letter (Landon) and assign it to any of the default groups
3. Logout as admin and attempt to login as the new user

Actual results: Login fails via the webui with "Invalid username or password". Authentication via the api fails also.

/var/www/miq/vmdb/log/audit.log reports that authentication failed for the same username but the log entry reports it as lowercase (landon)


Expected results: Authentication succeeds --OR-- the webui will not allow usernames with uppercase letters

Additional info: If you edit the user account and change the letters to all lowercase then CFME will authenticate the account successfully

Comment 2 Landon LaSmith 2017-08-28 20:16:55 UTC
This bug exists on a vanilla 5.8.2.0 appliance without enabling any external authentication.  May be related to fix for bug 1480654

Comment 4 CFME Bot 2017-09-05 15:16:27 UTC
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/7135b4304e4ae368fef5e9446065b86a32a8b3cf

commit 7135b4304e4ae368fef5e9446065b86a32a8b3cf
Author:     Joe VLcek <jvlcek>
AuthorDate: Tue Aug 29 17:52:17 2017 -0400
Commit:     Joe VLcek <jvlcek>
CommitDate: Tue Aug 29 17:52:17 2017 -0400

    If the userid is not found in the DB do a case insensitive search
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1486041

 app/models/authenticator/base.rb           | 16 ++++++++++------
 app/models/authenticator/database.rb       |  2 +-
 app/models/authenticator/httpd.rb          |  8 ++------
 spec/models/authenticator/database_spec.rb | 27 +++++++++++++++++++++++++++
 4 files changed, 40 insertions(+), 13 deletions(-)
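
An added illustration (not the ManageIQ code from this commit) of the lookup order the commit message describes: exact match on the userid first, then a case-insensitive search. The `UserStore` class, its method names and the sample users are hypothetical; the lowercase-then-compare failure mode and the refusal of an ambiguous case-insensitive match are assumptions of this sketch, not statements from this bug.

```ruby
# Hypothetical in-memory stand-in for the users table; not ManageIQ code.
class UserStore
  def initialize(userids)
    @userids = userids.dup.freeze
  end

  # Models the reported symptom (assumed mechanism): the submitted name is
  # lowercased and then compared exactly, so a stored "Landon" is never found.
  def lookup_lowercased_only(submitted)
    @userids.find { |u| u == submitted.downcase }
  end

  # Order described by the commit message: exact match first, then a
  # case-insensitive search only if nothing was found.
  def lookup_with_fallback(submitted)
    exact = @userids.find { |u| u == submitted }
    return exact if exact

    matches = @userids.select { |u| u.casecmp?(submitted) }
    # Assumption of this sketch: if several stored userids differ only in
    # case, refuse to guess which account is meant.
    matches.size == 1 ? matches.first : nil
  end
end

# Constructed sample data.
STORE = UserStore.new(%w[admin Landon DBuser1])
AMBIGUOUS = UserStore.new(%w[Ops ops])

def demo
  {
    buggy:     STORE.lookup_lowercased_only("Landon"),
    exact:     STORE.lookup_with_fallback("Landon"),
    fallback:  STORE.lookup_with_fallback("dbuser1"),
    ambiguous: AMBIGUOUS.lookup_with_fallback("OPS")
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```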

Comment 5 Joe Vlcek 2017-09-06 13:50:40 UTC
*** Bug 1488393 has been marked as a duplicate of this bug. ***

Comment 6 Landon LaSmith 2017-09-07 16:36:45 UTC
Amazon authentication is blocked because CFME imports the AWS IAM user id as the CFME username. The AWS IAM user id is capitalized and can't be modified.

Comment 7 Joe Vlcek 2017-09-11 16:07:56 UTC
(In reply to Landon LaSmith from comment #6)
> Amazon authentication is blocked because CFME imports the AWS IAM user id as
> the CFME username. The AWS IAM user id is capitalized and can't be modified.

Landon, that regression is being tracked in BZ 1489596, which I have already posted a PR for.

JoeV

Comment 8 Gregg Tanzillo 2017-09-13 15:11:23 UTC
*** Bug 1491198 has been marked as a duplicate of this bug. ***

Comment 11 Matt Pusateri 2017-10-25 20:54:09 UTC
Also I've tried this with just DB users, as is the original intent. You can indeed create a user with mixed case, ex: DBuser1, and you can log into the classic UI. (SSUI logins broken on 5.9.0.2). But you can't log in as dbuser1, which you should be able to. Assigning back to dev for investigation.

Comment 12 Joe Vlcek 2017-10-31 21:38:28 UTC
Per conversation with MattP, moving back to ON_QA, as by default sssd does case sensitive user matching. In order to do case insensitive matching with SSSD, "case_sensitive = False" needs to be added to the domain section of the sssd.conf

See: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/6.3_technical_notes/sssd section: BZ#735827

JoeV

Comment 13 Matt Pusateri 2017-11-06 18:27:10 UTC
Verified on 5.9.0.4

Comment 19 Joe Rafaniello 2018-02-26 21:08:53 UTC
*** Bug 1547445 has been marked as a duplicate of this bug. ***

Comment 22 errata-xmlrpc 2018-03-01 13:16:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0380