Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1079952

Summary: Adding a user from a domain via API fails when the ldap provider is IPA
Product: [Retired] oVirt
Reporter: Yair Zaslavsky <yzaslavs>
Component: ovirt-engine-core
Assignee: Yair Zaslavsky <yzaslavs>
Status: CLOSED DUPLICATE
QA Contact: Pavel Stehlik <pstehlik>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 3.4
CC: acathrow, bugs, gklein, iheim, oourfali, s.kieske, yeylon, yzaslavs
Target Milestone: ---
Keywords: Triaged
Target Release: 3.5.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: infra
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-24 05:04:52 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Yair Zaslavsky 2014-03-24 11:36:28 UTC
Description of problem:

When adding a user from an IPA domain - the operation fails.
The result contains a string that looks like the search expression generated for search of users.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Add IPA domain using manage-domains
2. Using rest-api, find a user you would like to add (/api/domains/xxxx/users)
3. Try to add this user to the /api/users collection

Actual results:

Addition fails

Expected results:

Addition should succeed.

Additional info:

Comment 1 Juan Hernández 2014-03-24 15:29:07 UTC
When trying to add a user by name the RESTAPI receives a request like this:

  <user>
    <user_name>name@domain</user_name>
  </user>

As a result the RESTAPI generates an engine query like this:

  ADUSER@domain: allnames=name@domain

And then it sends this query to the backend for processing. The RESTAPI doesn't do any processing specific to a particular LDAP flavor. The backend in turn translates this engine query into an LDAP query, like this:

  (&($USER_ACCOUNT_TYPE) (|($GIVENNAME=name@domain)(sn=name@domain)($USER_ACCOUNT_NAME=name@domain)($PRINCIPAL_NAME=name@domain)))

This is later translated by the backend to the specific schema required by the LDAP flavor, replacing the $WHATEVER with the actual attribute names. In the particular case of IPA the result is this:

  (&(&(objectClass=posixAccount)(objectClass=krbPrincipalAux)) (|(givenname=name@domain)(sn=name@domain)(uid=name@domain)(krbPrincipalName=name@domain)))

In an IPA server the only attribute that contains the domain name is krbPrincipalAux, but it contains the domain name in upper case:

  krbPrincipalName=name@DOMAIN

The syntax for comparison is case sensitive, so the search will never succeed.

As this lies deep inside the LDAP support of the backend I'm changing the component from RESTAPI to backend.
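
As an added illustration of the case-sensitivity problem comment 1 describes (example code written for this page, not code from the oVirt engine or from the commenter): the script below builds the IPA-flavoured "allnames" filter shown above from a user@domain search term, then evaluates it against a constructed directory entry whose krbPrincipalName stores the realm in upper case. The entry, the per-attribute matching rules (krbPrincipalName compared case-exactly, the other name attributes case-insensitively) and the realm-upper-casing `normalize_principal` helper are assumptions made for the demonstration; the helper is one possible mitigation, not the fix that was actually shipped under bug 1102041. The RFC 4515 escaping is included because the search term is copied from the request into the filter, and escaping keeps filter metacharacters in it from being interpreted.

```python
import re

# Constructed IPA entry for the demonstration (not data from the bug report).
# As comment 1 describes, the realm in krbPrincipalName is stored in upper case.
IPA_ENTRIES = [
    {
        "objectClass": ["posixAccount", "krbPrincipalAux"],
        "givenname": "Alice",
        "sn": "Example",
        "uid": "alice",
        "krbPrincipalName": "alice@EXAMPLE.COM",
    },
]

# Assumption for the simulation: krbPrincipalName is compared case-exactly
# (the behaviour comment 1 reports); the other name attributes are treated as
# case-insensitive, which is the usual matching rule for such attributes.
CASE_EXACT_ATTRS = {"krbPrincipalName"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: metacharacters in the search term are matched literally."""
    return (value.replace("\\", "\\5c")
                 .replace("*", "\\2a")
                 .replace("(", "\\28")
                 .replace(")", "\\29")
                 .replace("\x00", "\\00"))


def unescape_filter_value(value: str) -> str:
    """Reverse of escape_filter_value, used by the toy evaluator below."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def ipa_allnames_filter(term: str) -> str:
    """The 'allnames' filter from comment 1 with the IPA attribute names substituted."""
    v = escape_filter_value(term)
    return ("(&(&(objectClass=posixAccount)(objectClass=krbPrincipalAux))"
            f"(|(givenname={v})(sn={v})(uid={v})(krbPrincipalName={v})))")


def normalize_principal(term: str) -> str:
    """Illustrative mitigation (an assumption, not the fix oVirt shipped):
    upper-case the realm part of a user@realm search term before building the filter."""
    if "@" not in term:
        return term
    name, realm = term.rsplit("@", 1)
    return f"{name}@{realm.upper()}"


def _attr_matches(attr: str, stored: str, wanted: str) -> bool:
    """Apply the assumed matching rule for one attribute."""
    if attr in CASE_EXACT_ATTRS:
        return stored == wanted
    return stored.lower() == wanted.lower()


def search(filter_str: str, entries: list) -> list:
    """Toy evaluator for the fixed filter shape produced by ipa_allnames_filter:
    every objectClass assertion must hold, and at least one name assertion.
    Returns the uid of each matching entry."""
    pairs = re.findall(r"\((\w+)=([^()]*)\)", filter_str)
    required_classes = [v for a, v in pairs if a == "objectClass"]
    name_assertions = [(a, unescape_filter_value(v)) for a, v in pairs if a != "objectClass"]
    hits = []
    for entry in entries:
        if not all(c in entry["objectClass"] for c in required_classes):
            continue
        if any(_attr_matches(a, entry.get(a, ""), v) for a, v in name_assertions):
            hits.append(entry["uid"])
    return hits


if __name__ == "__main__":
    # Lower-case realm, as sent by the REST request: no match, the failure from the bug.
    print(search(ipa_allnames_filter("alice@example.com"), IPA_ENTRIES))
    # Realm normalized to upper case before the filter is built: the entry is found.
    print(search(ipa_allnames_filter(normalize_principal("alice@example.com")), IPA_ENTRIES))
```

Running the script prints an empty list for the raw `alice@example.com` term and `['alice']` once the realm has been upper-cased, which is the difference between the failing and the succeeding lookup in this report. Any real fix has to account for how each LDAP flavor stores the principal, since the normalization shown here is only correct for directories that keep the realm in upper case.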

Comment 2 Sandro Bonazzola 2014-06-11 06:50:39 UTC
This is an automated message:
This bug has been re-targeted from 3.4.2 to 3.5.0 since neither priority nor severity were high or urgent. Please re-target to 3.4.3 if relevant.

Comment 3 Yair Zaslavsky 2014-06-24 05:04:52 UTC
The bug was fixed during the effort on BZ1102041

*** This bug has been marked as a duplicate of bug 1102041 ***

Comment 4 Red Hat Bugzilla 2023-09-14 02:05:26 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days