Bug 1538813

Summary: Auth MIQLDAP AD - Users can't log in to console after miqldap_to_sssd conversion
Product: Red Hat CloudForms Management Engine
Reporter: Matt Pusateri <mpusater>
Component: Appliance
Assignee: Joe Vlcek <jvlcek>
Status: CLOSED CURRENTRELEASE
QA Contact: Mike Shriver <mshriver>
Severity: high
Docs Contact:
Priority: high
Version: 5.9.0
CC: abellott, cpelland, jprause, mpusater, obarenbo
Target Milestone: GA
Keywords: TestOnly, ZStream
Target Release: 5.10.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: auth:miqldap:externalauth:ad
Fixed In Version: 5.10.0.0
Doc Type: Bug Fix
Doc Text: See for full doc: http://manageiq.org/blog/2017/09/miqldap-to-sssd/
Story Points: ---
Clone Of:
Clones: 1552785
Environment:
Last Closed: 2019-02-11 14:06:03 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: CFME Core
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1552785

Description Matt Pusateri 2018-01-25 21:42:36 UTC
Description of problem:

Auth MIQLDAP AD - Users can't log in to console after miqldap_to_sssd conversion. MIQLDAP was set up with AD and was working for UPN users without getting groups from LDAP.


Version-Release number of selected component (if applicable):
5.9.0.17

How reproducible:


Steps to Reproduce:
1. Configure MIQLDAP for AD with UPN.
2. Do not get groups from LDAP.
3. Manually enter users in UPN username format.
4. Run the SSSD conversion: miqldap_to_sssd --basedn-domain ad.cloudqe.bos.redhat.com

Actual results:
User cannot log in and dbus-send commands fail; audit.log shows the user is unknown to the underlying authentication server.

Expected results:
User can log in.

Additional info:

dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserAttr string:test-user1 array:string:mail,givenname,sn,displayname
Error org.freedesktop.DBus.Error.Failed: No such user

Comment 2 Dave Johnson 2018-01-25 21:44:11 UTC
Please assess the impact of this issue and update the severity accordingly. Please refer to https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity for a reminder on each severity's definition.

If it's something like a tracker bug where it doesn't matter, please set the severity to Low.

Comment 5 CFME Bot 2018-02-13 14:12:03 UTC
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/6b5df3ea0d33b5711566c5092ed93448486502f8

commit 6b5df3ea0d33b5711566c5092ed93448486502f8
Author:     Joe VLcek <jvlcek>
AuthorDate: Thu Feb 8 17:55:10 2018 -0500
Commit:     Joe VLcek <jvlcek>
CommitDate: Thu Feb 8 17:55:10 2018 -0500

    Add support for bind dn and bind pwd on the command line.
    
    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1538813
    
    When mode is ldaps certificates must be provided.
    
    When mode is ldap, bind dn and bind pwd must be provided, either
    in the authentication settings or on the command line.
    
    e.g: miqldap_to_sssd -b "cn=Manager,dc=example,dc=com" -p "password" -d "example.com"

 spec/tools/miqldap_to_sssd/cli_spec.rb             | 10 +++++++
 .../miqldap_to_sssd/miqldap_configuration_spec.rb  | 34 +++++++++++++++++++---
 tools/miqldap_to_sssd/cli.rb                       | 12 ++++++++
 tools/miqldap_to_sssd/miqldap_configuration.rb     | 22 ++++++++++++++
 4 files changed, 74 insertions(+), 4 deletions(-)

Comment 7 Mike Shriver 2019-01-09 23:17:36 UTC
Tested in CFME 5.10.0.30.20181218191323_900a416

Confirmed recreation and new miqldap_to_sssd command line arguments with JoeV.

Confirmed successful migration from an MIQLDAP configuration without fetched groups, which lacks domain, bind DN, and bind password data.

miqldap_to_sssd ran with reasonable output when these options were omitted, directing the user to include the required information.