Bug 1122549 - LDAP user registration screen does not appear when 'Enable Login Without Roles' has value 'No'
Summary: LDAP user registration screen does not appear when 'Enable Login Without Role...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Operations Network
Classification: JBoss
Component: Core Server
Version: JON 3.2
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ER01
: JON 3.3.0
Assignee: Jirka Kremser
QA Contact: Sunil Kondkar
URL:
Whiteboard:
: 1122648 (view as bug list)
Depends On:
Blocks: 1122648
TreeView+ depends on / blocked
 
Reported: 2014-07-23 13:30 UTC by Sunil Kondkar
Modified: 2014-12-11 14:04 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1122648 (view as bug list)
Environment:
Last Closed: 2014-12-11 14:04:54 UTC
Type: Bug


Attachments (Terms of Use)
stacktrace (26.90 KB, text/plain)
2014-07-23 13:31 UTC, Sunil Kondkar
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1070277 None None None Never

Internal Links: 1070277

Description Sunil Kondkar 2014-07-23 13:30:35 UTC
Description of problem:

When the system setting has 'Enable Login Without Roles' value as 'No', and ldap group is mapped to a role in UI, ldap user login does not display the ldap user registration screen and there is a stack trace in server log.

Please refer the attached stack trace in server log.

Version-Release number of selected component (if applicable):

Version :	
4.13.0-SNAPSHOT
Build Number :	
25f82ba

Active Directory version used: 
Windows server 2008 Active Directory

How reproducible:

Always

Steps to Reproduce:

1. LDAP group 'testgrp1' has a ldap member 'vijay'.
2. The system setting 'Enable Login Without Roles' in UI has value 'No'

3. Create a compatible group of resources
4. Create a role and assign LDAP group 'testgrp1' to the role.
5. assign the resource group to the role.
6. Try to login as ldap user 'vijay'
7. There is an error in server log
8. The login screen refreshes, however, LDAP user registration screen does not appear.


Note:
 - After 8th step, Log in as rhqadmin
 - Observe that 'Administration->Users' display the user 'vijay' in user list
 - Observe that the 'Users' tab of the role displays the user vijay in 'Available Users' section.
 - Now logout and try to login as ldap user:

The server displays below:
18:31:30,543 ERROR [org.rhq.enterprise.gui.authentication.AuthenticateUserAction] (http-/0.0.0.0:7080-13) Could not log into the web application: org.rhq.enterprise.server.exception.LoginException: There are no preconfigured roles for user [vijay]

 - Now login as rhqadmin again and manually assign the ldap user 'vijay' to 'Assigned Users' section of the role and try to login as ldap user, the login succeeds and user is able to access the assigned resource group member.

Actual results:

LDAP user registration screen does not appear when 'Enable Login Without Roles' has value 'No'

Expected results:
LDAP user registration screen should appear when 'Enable Login Without Roles' has value 'No' -  as the ldap group is mapped to RHQ role.

Additional info:

When the system setting 'Enable Login Without Roles' in UI has value 'yes'

- Tried to login as ldap user 'vijay'
- There is same error in server log as attached.
- Now the user registration screen appears. User does not have access to assigned resource group member.
- When I manually assign the user to 'Assigned Users' section of the role, the user is able to access the assigned resource group member.

Comment 1 Sunil Kondkar 2014-07-23 13:31:26 UTC
Created attachment 920226 [details]
stacktrace

Comment 2 Jirka Kremser 2014-07-29 16:10:56 UTC
branch:  master
link:    https://github.com/rhq-project/rhq/commit/12c727d8b
time:    2014-07-29 17:48:51 +0200
commit:  12c727d8b96694fb60cb119b95aceeeeece02190
author:  Jirka Kremser - jkremser@redhat.com
message: [BZ 1122549] - LDAP user registration screen does not appear when
         'Enable Login Without Roles' has value 'No' -
         SubjectManagerBean.processSubjectForLdap() was calling the
         SubjectManagerBean.login() where the exception was thrown, but
         the roles get assigned after this step. Now the login method is
         called with additional parameter that says 'don't do the role
         checking'. There was also a logical error that actually caused
         that no RHQ roles (based on LDAP group) were assigned at all
         (it was done correctly only when the log level was set to
         DEBUG)


btw. why 2 JON bugs for the same thing? (see bug 1122648), I guess 1 should be marked as project one or a dupe.

Comment 3 Libor Zoubek 2014-08-12 09:12:41 UTC
in release branch

commit ca1dc3d0c072a1505c05fd9159e4ec98c0c24418
Author: Jirka Kremser <jkremser@redhat.com>
Date:   Tue Jul 29 17:48:51 2014 +0200

    [BZ 1122549] - LDAP user registration screen does not appear when 'Enable Login Without Roles' has value 'No' - SubjectManager
    
    (cherry picked from commit 12c727d8b96694fb60cb119b95aceeeeece02190)
    Signed-off-by: Libor Zoubek <lzoubek@redhat.com>

Comment 4 Garik Khachikyan 2014-08-12 11:06:33 UTC
cc-ed

Comment 5 Garik Khachikyan 2014-08-12 12:22:44 UTC
# COMMENT

for QA whoever will check this fix please:

do check also the CLI remote connection as well as REST API (the last one is optional).

e.g. `./rhq-cli.sh -u vijay -p <password> -s <jon-server>`

Comment 6 Jirka Kremser 2014-08-18 17:45:27 UTC
*** Bug 1122648 has been marked as a duplicate of this bug. ***

Comment 7 Simeon Pinder 2014-08-19 23:50:38 UTC
Moving to ON_QA as available to test in the following brew build:

https://brewweb.devel.redhat.com//buildinfo?buildID=379025

Comment 8 Sunil Kondkar 2014-08-26 14:04:55 UTC
Verified on Version : 3.3.0.ER01 Build Number : 23b3476:f3aa7e7

Works as expected. Also verified that LDAP login works as expected in CLI for registered ldap users with/without a JBoss ON mapped role. 
There is an issue with unregistered ldap user login with CLI. Opened another bug#1133947 for the issue.

Marking this bug as verified.


Note You need to log in before you can comment on or make changes to this bug.