Bug 1124478 - [AAA] NPE when searching for users/groups in incorrectly configured external provider
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: oVirt
Classification: Retired
Component: ovirt-engine-core
Version: 3.5
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: 3.5.0
Assignee: Alon Bar-Lev
QA Contact: Ondra Machacek
URL:
Whiteboard: infra
Depends On:
Blocks: oVirt-AAA-rewrite
Reported: 2014-07-29 14:50 UTC by Ondra Machacek
Modified: 2016-02-10 19:34 UTC (History)

Fixed In Version: ovirt-engine-3.5.0_rc1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-17 12:42:51 UTC
oVirt Team: Infra


Description Ondra Machacek 2014-07-29 14:50:44 UTC
Description of problem:
Using new provider. Just specify you want to use SSL/TLS. Set insecure = false,
and don't provide truststore. In general when wrong configuration is specified,
and provider is added (not ignored on startup), then it causes this NPE when
searching for users in this LDAP.

Version-Release number of selected component (if applicable):
ovirt-engine-extension-aaa-ldap-0.0.0-0.0.1.master.el6_5.noarch
ovirt-engine-backend-3.5.0-0.0.master.20140726172544.git8e1babc.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. install ovirt-engine-extension-aaa-ldap-0.0.0-0.0.1.master.el6_5.noarch
           unboundid-ldapsdk-2.3.7-0.0.snap.r530.el6_5.noarch
2)

$ cat > /etc/ovirt-engine/extensions.d/ldap-authn-ipa1.properties << "EOT"
ovirt.engine.extension.enabled = true
ovirt.engine.extension.name = ldap-authn-ipa1
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
config.profile.file.1 = /tmp/brq-ipa.rhev.lab.eng.brq.redhat.com.properties
ovirt.engine.aaa.authn.profile.name = ldap-ipa1
ovirt.engine.aaa.authn.authz.plugin = ldap-authz-ipa1
EOT

$ cat >  /etc/ovirt-engine/extensions.d/ldap-authz-ipa1.properties << "EOT"
ovirt.engine.extension.enabled = true
ovirt.engine.extension.name = ldap-authz-ipa1
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /tmp/brq-ipa.rhev.lab.eng.brq.redhat.com.properties
EOT

$ cat > /tmp/brq-ipa.rhev.lab.eng.brq.redhat.com.properties << "EOT"
include = <ipa.properties>

vars.user = uid=vdcadmin,cn=users,cn=accounts,dc=brq-ipa,dc=rhev,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com
vars.password = 123456
vars.domain = rhev.lab.eng.brq.redhat.com
vars.server = brq-ipa.${global:vars.domain}

pool.default.serverset.single.server = ${global:vars.server}
pool.default.serverset.single.port = 636
pool.default.ssl.enable = true
pool.default.ssl.insecure = false
#pool.default.ssl.truststore.file = /tmp/ipa.ts
#pool.default.ssl.truststore.password = 123456
EOT

$ service ovirt-engine restart

3) Go to API/webadmin and search for users in this domain.

Actual results:
NPE and blank output.

2014-07-29 16:28:08,941 ERROR [org.ovirt.engine.core.bll.SearchQuery] (ajp--127.0.0.1-8702-8) Query SearchQuery failed. Exception message is null : java.lang.NullPointerException: java.lang.NullPointerException
	at org.ovirt.engine.core.bll.SearchQuery.searchDirectoryUsers(SearchQuery.java:183) [bll.jar:]
	at org.ovirt.engine.core.bll.SearchQuery.executeQueryCommand(SearchQuery.java:70) [bll.jar:]
	at org.ovirt.engine.core.bll.QueriesCommandBase.executeCommand(QueriesCommandBase.java:73) [bll.jar:]


2014-07-29 16:28:09,028 ERROR [org.ovirt.engine.core.bll.SearchQuery] (ajp--127.0.0.1-8702-8) Query SearchQuery failed. Exception message is null : java.lang.NullPointerException: java.lang.NullPointerException
	at org.ovirt.engine.core.bll.SearchQuery.searchDirectoryGroups(SearchQuery.java:199) [bll.jar:]
	at org.ovirt.engine.core.bll.SearchQuery.executeQueryCommand(SearchQuery.java:66) [bll.jar:]


Expected results:
No NPE and error message shown to user.

Additional info:

Comment 1 Alon Bar-Lev 2014-07-29 15:04:22 UTC
Cannot reproduce, with clean installation and comment#0 settings.

I get:

<fault><reason>Operation Failed</reason><detail>trust store must be provided</detail></fault>

There cannot be UI search as there is no authn, search by internal works.

Testing using ovirt-engine-3.5 branch:

commit 2e0a396c4c119acd4820e20bb915268db66a217b
Date:   Mon Jul 28 13:30:32 2014 -0400

Comment 2 Alon Bar-Lev 2014-07-29 15:21:40 UTC
setting as modified to re-check in next cycle.

Comment 3 Ondra Machacek 2014-07-29 15:23:05 UTC
AuthN is anonymous bind.

I got :
<fault>
    <reason>Operation Failed</reason>
    <detail></detail>
</fault>

with
ovirt-engine-backend-3.5.0-0.0.master.20140729052058.git8e1babc.el6.noarch
ovirt-engine-3.5.0-0.0.master.20140729052058.git8e1babc.el6.noarch

So if it's working for you on latest ovirt-engine-3.5 branch,
please add this to MODIFIED and I will retest it in another QE build.

Comment 4 Ondra Machacek 2014-08-07 11:10:22 UTC
works OK in ovirt-engine-3.5.0_rc1

Comment 5 Sandro Bonazzola 2014-10-17 12:42:51 UTC
oVirt 3.5 has been released and should include the fix for this issue.
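
A pre-flight check for the profile shown in the description, as an added example (not part of the original report and not oVirt code): it reads the pool.*.ssl.* keys and reports a TLS-enabled pool that sets insecure = false without a truststore file, reusing the error text quoted in comment 1. The function names are hypothetical, and treating insecure = true as "certificate validation is skipped" is an assumption of this example.

```python
import re

# Constructed sample: the pool settings from the description, with the
# truststore lines commented out exactly as in the report.
SAMPLE_BROKEN = """\
pool.default.serverset.single.server = ${global:vars.server}
pool.default.serverset.single.port = 636
pool.default.ssl.enable = true
pool.default.ssl.insecure = false
#pool.default.ssl.truststore.file = /tmp/ipa.ts
#pool.default.ssl.truststore.password = 123456
"""


def parse_properties(text):
    """Parse simple 'key = value' lines; '#' and '!' start a comment line."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_pool_tls(props):
    """Return (pool, finding) pairs for every pool that has ssl.* keys."""
    pools = sorted({m.group(1) for key in props
                    if (m := re.match(r"pool\.([^.]+)\.ssl\.", key))})
    findings = []
    for pool in pools:
        def get(name, default=""):
            return props.get(f"pool.{pool}.ssl.{name}", default)

        if get("enable", "false").lower() != "true":
            continue  # TLS not requested for this pool, nothing to verify
        if get("insecure", "false").lower() == "true":
            # Assumption: insecure = true means the server certificate
            # is not validated.
            findings.append((pool, "certificate validation disabled"))
        elif not get("truststore.file"):
            # The state from the report: TLS on, validation on, no anchors.
            findings.append((pool, "trust store must be provided"))
    return findings


if __name__ == "__main__":
    for pool, finding in check_pool_tls(parse_properties(SAMPLE_BROKEN)):
        print(f"pool.{pool}: {finding}")
```

Running such a check before restarting the engine surfaces the misconfiguration at deploy time instead of at the first directory search.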

