Bug 577800

Summary: LDAP: If an existing ldap user is deleted and recreated and is not associated to any group in ldap, previous role permissions are applied to user after login.
Product: [Other] RHQ Project Reporter: Sunil Kondkar <skondkar>
Component: ConfigurationAssignee: Simeon Pinder <spinder>
Status: CLOSED CURRENTRELEASE QA Contact: Corey Welton <cwelton>
Severity: medium Docs Contact:
Priority: low    
Version: 3.0.0   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 2.4 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-08-12 16:53:25 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 577267, 577817    

Description Sunil Kondkar 2010-03-29 09:52:03 UTC 
Description of problem:

LDAP: If an existing ldap user also a member of a ldap group which is mapped to a rhq role is deleted, is again recreated in ldap and is not associated to any group in ldap, previous role permissions are applied to user.
The user should be logged in to rhq as a guest.

Version-Release number of selected component (if applicable):

3.0.0-SNAPSHOT

How reproducible:


Steps to Reproduce:

1. Create a user in ldap. (Ex: user1)
2. Make the user member of any ldap group. (Ex: Testgroup)
3. Login to rhq as rhqadmin and assign a role (Ex: ALL Resources Role) to the ldap group (Testgroup).
4. Login to rhq as the user created. (Ex: user1)
5. Delete the user in ldap.
6. Try to login to rhq with the deleted user (user1). 
7. Recreate the user in ldap.
8. Do not associate the recreated ldap user to any ldap group.
9. Login to rhq as the recreated user. (user1)
10. Check the role permissions apllied.

Actual results:

Role permissions applied to user after login are same as previously assigned role. (ALL Resources Role)

Expected results:

User should be logged in to rhq as guest as user is not a member of any ldap group.

Additional info:
Comment 1 Charles Crouch 2010-04-05 15:55:01 UTC 
It looks like we're not refreshing the users group list on login. The use case here would be of a user who goes from being an Admin to a regular User. They shouldn't maintain their old permissions.
Comment 2 Simeon Pinder 2010-04-20 21:00:21 UTC 
Reproduced the described behavior.

Problem: The rhq group runtime account membership was not being synchronized with the ldap group information.  Added conditional check to ldaploginmodule to refresh the membership information on login. 

Commit hash:
git 80e3403ada9b0b215715dc3d6ff15d9c016fd451

Additional information:
-Ldap group authorization happens in addition to successful ldap authentication if both the 'groupfilter' and the 'groupmember' fields are set.
-Group Search Filter should be in the form of name=value Ex. 'objectclass=groupOfUniqueNames' with whatever group specific query is valid for the ldap server being used, and should return all the ldap groups that should be available for ldap mapping. 
-Group Member Filter should be of form Ex. 'uniqueMember' with whatever group specific filter is valid for the ldap server being used.
-At runtime the groupfilter and groupmember values are combined with the uid expression for the user being authenticated into a runtime check that the current user exists in the specified groups : 
Ex.(&(objectclass=groupOfUniqueNames)(uniqueMember=uid=testuser1,ou=People,dc=test, dc=com))
Comment 3 Simeon Pinder 2010-04-20 21:10:28 UTC 
Available in master build >= 230.
Comment 4 Simeon Pinder 2010-04-20 21:19:24 UTC 
*** Bug 577817 has been marked as a duplicate of this bug. ***
Comment 5 Sunil Kondkar 2010-04-22 10:00:40 UTC 
Verified on jon build# 108 (Revision: 10611)

If an existing ldap user also a member of a ldap group which is mapped to
a rhq role is deleted, is again recreated in ldap and is not associated to any
group in ldap.
After login to rhq it is observed that the previous role permissions are not applied to user and user logs in as a guest which is as expected.
Comment 6 Corey Welton 2010-08-12 16:53:25 UTC 
Mass-closure of verified bugs against JON.