Bug 623819

Summary: Upgrade issue : LDAP auth ignored for users with RHQ principals
Product: [Other] RHQ Project
Component: Core Server
Version: 4.0.0
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: urgent
Hardware: All
OS: All
Reporter: Jay Shaughnessy <jshaughn>
Assignee: RHQ Project Maintainer <rhq-maint>
QA Contact: Corey Welton <cwelton>
CC: ccrouch, rtimaniy, skondkar, spinder, tao
Doc Type: Bug Fix
Last Closed: 2011-05-24 01:09:00 UTC
Bug Blocks: 616081

Description Jay Shaughnessy 2010-08-12 21:17:12 UTC
Prior to RHQ 4.0.0 and JON 2.4, if RHQ user authentication failed (using auth info in the RHQ db) then authentication would be passed to LDAP, if configured. The authentication could then pass if LDAP stored the correct password and the one in RHQ was stale.

This situation could arise if a user was defined in RHQ prior to LDAP auth being configured, or prior to the user being defined in LDAP.  In this situation a user could have credentials stored in RHQ and LDAP.

In 2.4 the authentication strategy was changed for security reasons. In 2.4, if the user has credentials stored in RHQ, he *must* authenticate against that password. LDAP will not be queried.

The net effect of this is that after an upgrade LDAP authentication is ignored for users with RHQ stored credentials. It will seem as if LDAP auth is broken but it is not; it is not being queried. (Note, if RHQ and LDAP have the same password stored for a user it will seem like LDAP auth is happening, but it is not.)

Unless the user knows the old password he will not be able to log in.
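
A minimal model of the two strategies described in this report, added here as an example and not taken from the RHQ code base. The store contents are constructed sample data, and the hashing scheme and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac


def _h(pw: str) -> str:
    # Hashing scheme is an assumption for this model, not RHQ's storage format.
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed sample data: principals in the RHQ database and entries in LDAP.
RHQ_PRINCIPALS = {"alice": _h("old-pw"), "bob": _h("same-pw")}
LDAP_DIRECTORY = {"alice": _h("new-pw"), "bob": _h("same-pw"),
                  "carol": _h("ldap-only")}


def _check(store, user, pw):
    stored = store.get(user)
    return stored is not None and hmac.compare_digest(stored, _h(pw))


def auth_pre_24(user, pw):
    """Old behaviour: a failed RHQ check falls through to LDAP."""
    if _check(RHQ_PRINCIPALS, user, pw):
        return "rhq"
    if _check(LDAP_DIRECTORY, user, pw):
        return "ldap"
    return None


def auth_24(user, pw):
    """New behaviour: a user with an RHQ principal must match it.
    LDAP is only consulted for users that have no RHQ principal."""
    if user in RHQ_PRINCIPALS:
        return "rhq" if _check(RHQ_PRINCIPALS, user, pw) else None
    return "ldap" if _check(LDAP_DIRECTORY, user, pw) else None


def shadowed_by_principal():
    """Users in both stores: after the upgrade their LDAP password is ignored."""
    return sorted(set(RHQ_PRINCIPALS) & set(LDAP_DIRECTORY))
```

In this model `alice` is the locked-out case (stale RHQ password, current LDAP password), while `bob` still logs in only because both stores hold the same password.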

Comment 10 Corey Welton 2011-05-24 01:09:00 UTC
Bookkeeping - closing bug - fixed in recent release.