Description of problem:
After having a few issues with IPA controllers, the domain profile is not available (not listed in the webadmin UI at all).

Version-Release number of selected component (if applicable):
rhevm-3.5.0-0.29.el6ev.noarch
ovirt-engine-extension-aaa-ldap-1.0.2-1.el6ev.noarch

How reproducible:
Unknown

Actual results:
There is no IPA domain profile in the list, only the internal one.

Additional info:
During the debugging of the SSO feature we found that the IPAs are not doing well. There were a few issues on the IPA side. All issues are fixed now: 'rhevm-manage-domains validate' shows no errors and the LDAP connection works (can obtain principal record), but the IPA profile is not listed in webadmin anymore.
The SSO configuration cannot be used for password entry, so it is expected that it cannot be selected by the user. You must configure the Apache mod_auth_kerb per the documentation to use this configuration.
(In reply to Alon Bar-Lev from comment #3)
> The SSO configuration cannot be used for password entry, so it is expected
> that it cannot be selected by user.

Thank you. I've checked my test environment and it's not listed. No bug here.

> You must configure the apache mod_auth_kerb per documentation to use this
> configuration,

It's configured, but SSO still doesn't work. I'm going to clean the users table because it's messed up now.
Finally reproduced the issue:

1) Create a user with an underscore character in the username, like rhev_admin
2) add it to the RHEVM database
3) try to log in

httpd allows the user to access webadmin, but SSO doesn't work because the engine is not able to parse the username.
(In reply to Pavel Zhukov from comment #9)
> Finaly reproduced the issue:
>
> 1) Create user with underscore character in username like rhev_admin
> 2) add it to RHEVM database
> 3) try to login
>
> httpd allows user to access webadmin but SSO doesn't work because engine is
> not able to parse username.

I need a full debug log to see that; from the log you provided I can see that the user was successfully fetched, so I am unsure what the actual problem is.

Please enable the ALL level for:
1. org.ovirt.engineextensions.aaa.misc
2. org.ovirt.engineextensions.aaa.ldap

And restart the engine. Please send me the log since the start, after one attempt to log in.

Thanks!
Created attachment 1010772 [details]
ovirt-engine with ALL debug level

There are a restart procedure and 2 login attempts in the log. The first one (ruser.com) was successful. The second one (admin_rhev) was not.
(In reply to Pavel Zhukov from comment #11)
> Created attachment 1010772 [details]
> ovirt-engine with ALL debug level
>
> There are restart procedure and 2 logins attempts in the log. First one
> (ruser.com) was successful. Second one (admin_rhev) was not.

Both users' login sequences succeed; however, for admin_rhev:

2015-04-04 07:53:06,827 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp-/127.0.0.1:8702-12) CanDoAction of action LoginAdminUser failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION

This means that this user does not have a role, or a group with a role, that enables it to log in to webadmin.

Groups the admin_rhev user belongs to:
cn=ipausers,cn=groups,cn=accounts,dc=pzhukov,dc=example,dc=com

Groups ruser belongs to:
cn=ipausers,cn=groups,cn=accounts,dc=pzhukov,dc=example,dc=com
cn=editors,cn=groups,cn=accounts,dc=pzhukov,dc=example,dc=com
cn=trust admins,cn=groups,cn=accounts,dc=pzhukov,dc=example,dc=com
cn=rhevmadmins,cn=groups,cn=accounts,dc=pzhukov,dc=example,dc=com

I confirmed this by connecting to the IPA server and dumping the LDAP content.

Then I disabled the httpd kerb, as I cannot log in to internal otherwise, and I see uid=rhevipa,cn=users,cn=accounts,dc=pzhukov,dc=example,dc=com as super user and not uid=admin_rhev,cn=users,cn=accounts,dc=pzhukov,dc=example,dc=com.

The admin_rhev which is there belongs to the legacy provider and will not be used within this sequence.

I had no problem adding admin_rhev from the correct authz, but could not test this as I did not want to mess up the IPA Kerberos configuration.
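The distinction drawn in the comment above, that a CanDoAction failure with USER_NOT_AUTHORIZED_TO_PERFORM_ACTION is an authorization failure on an already-fetched user rather than an authentication failure, is easy to lose when grepping engine.log, and the later AuditLogDirector line records the failure against User <UNKNOWN>, so the audit trail does not name the principal. The following script is an added example, not code from this bug report or from oVirt; it classifies engine.log lines of the layout quoted in this thread (timestamp, level, [logger], (thread), message). The sample lines, the INFO "Running command" line, and the thread ids are constructed for the example.

```python
"""Classify login-related events in oVirt/RHEV engine.log lines.

Added example, not code from the bug report or from oVirt. The line layout
follows the excerpts quoted in this thread; everything else is an assumption.
"""
import re
from collections import Counter

# Constructed sample in the shape of the lines quoted in the thread; the INFO
# line and the thread ids are assumptions, not lines from the attached log.
SAMPLE_LOG = """\
2015-04-04 07:52:10,101 INFO  [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp-/127.0.0.1:8702-3) Running command: LoginAdminUserCommand internal: false.
2015-04-04 07:53:06,827 WARN  [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp-/127.0.0.1:8702-12) CanDoAction of action LoginAdminUser failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2015-04-04 07:53:28,673 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-5) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User <UNKNOWN> failed to log in.
"""

# timestamp, level, [logger], (thread), free-text message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+"
    r"(?P<level>[A-Z]+)\s+"
    r"\[(?P<logger>[^\]]+)\]\s+"
    r"\((?P<thread>[^)]+)\)\s+"
    r"(?P<msg>.*)$"
)
CANDOACTION_RE = re.compile(
    r"CanDoAction of action (?P<action>\w+) failed\. Reasons:(?P<reasons>.*)$"
)
AUDIT_FAIL_RE = re.compile(r"Message: User (?P<user>.+?) failed to log in\.")

AUTHZ_REASON = "USER_NOT_AUTHORIZED_TO_PERFORM_ACTION"


def parse_line(line):
    """Return an event dict for a login-relevant line, or None for other lines."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    msg = rec["msg"]

    if rec["logger"].endswith("LoginAdminUserCommand"):
        cm = CANDOACTION_RE.search(msg)
        if cm:
            reasons = [r.strip() for r in cm.group("reasons").split(",") if r.strip()]
            rec.update(kind="authorization_failed", action=cm.group("action"), reasons=reasons)
            # As read in the thread: the user was already fetched from the directory,
            # so this reason means "no role grants webadmin login", not "bad credentials".
            rec["authenticated"] = AUTHZ_REASON in reasons
            return rec
        if "Running command:" in msg:
            rec["kind"] = "login_command_started"
            return rec

    if rec["logger"].endswith("AuditLogDirector"):
        am = AUDIT_FAIL_RE.search(msg)
        if am:
            user = am.group("user")
            # <UNKNOWN> means the audit record carries no principal: an audit gap.
            rec.update(kind="audit_login_failed", user=user, user_unknown=(user == "<UNKNOWN>"))
            return rec
    return None


def parse_engine_log(text):
    """Parse a whole log text into the list of recognised login events."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(events):
    """Count events per kind, e.g. to alert separately on authz vs. audit failures."""
    return Counter(e["kind"] for e in events)


def audit_gaps(events):
    """Audit failures whose record does not identify the principal."""
    return [e for e in events if e.get("user_unknown")]


if __name__ == "__main__":
    evs = parse_engine_log(SAMPLE_LOG)
    for e in evs:
        print(e["ts"], e["thread"], e["kind"], e.get("reasons") or e.get("user", ""))
    print(dict(summarize(evs)))
    print("audit records without a principal:", len(audit_gaps(evs)))
```

Run it as-is to see the constructed sample classified; to use it on a real engine.log, pass the file contents to parse_engine_log. Keeping the thread id in each event lets you tie a CanDoAction failure to other lines of the same request when they share a thread, which the two lines quoted in this thread do not.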
(In reply to Alon Bar-Lev from comment #13)
> (In reply to Pavel Zhukov from comment #11)
> > Created attachment 1010772 [details]
> > ovirt-engine with ALL debug level
> >
> > There are restart procedure and 2 logins attempts in the log. First one
> > (ruser.com) was successful. Second one (admin_rhev) was not.
>
> both users login sequence succeeds, however for the admin_rhev:
>
> 2015-04-04 07:53:06,827 WARN
> [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
> (ajp-/127.0.0.1:8702-12) CanDoAction of action LoginAdminUser failed.
> Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
>

Why did you skip this line?

2015-04-04 07:53:28,673 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-5) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User <UNKNOWN> failed to log in.

Is User <UNKNOWN> expected here?

And once again, ruser and admin_rhev are absolutely identical. They're created in the same way and added to RHEVM.

-[ RECORD 1 ]-----------+-------------------------------------
user_id                 | 3bbb32bb-4450-40b9-9cd5-da6d09fba123
name                    | admin
surname                 | rhev
domain                  | pzhukov.example.com-authz
username                | admin_rhev
groups                  | ipausers
department              |
role                    |
email                   | admin_rhev.com
note                    |
last_admin_check_status | f
group_ids               | 27a42d57-70c6-4912-b3fd-7aed2aa34cd3
external_id             | 8c7e2c54-da4a-11e4-b6cc-001a4a2239a5
active                  | t
_create_date            | 2015-04-03 23:48:13.112975+02
_update_date            | 2015-04-04 08:53:46.449912+02
namespace               | dc=pzhukov,dc=example,dc=com

-[ RECORD 1 ]-----------+-------------------------------------
user_id                 | 82b3b024-d5ca-4f52-8a92-78d4db863461
name                    | RHEV
surname                 | USER
domain                  | pzhukov.example.com-authz
username                | ruser
groups                  | ipausers
department              |
role                    |
email                   | ruser.com
note                    |
last_admin_check_status | t
group_ids               | 27a42d57-70c6-4912-b3fd-7aed2aa34cd3
external_id             | 03dc18be-da01-11e4-a8be-001a4a2239a5
active                  | t
_create_date            | 2015-04-03 14:58:58.15159+02
_update_date            | 2015-04-04 08:50:41.773258+02
namespace               | dc=pzhukov,dc=example,dc=com

> this means that this user does not have role or group with role that enables
> it to login into webadmin.

I didn't enable groups, only roles, and both of them are in RHEV.

> groups admin_rhev user belongs to:
> cn=ipausers,cn=groups,cn=accounts,dc=pzhukov,dc=example,dc=com
>
> groups ruser belongs to:
> cn=ipausers,cn=groups,cn=accounts,dc=pzhukov,dc=example,dc=com
> cn=editors,cn=groups,cn=accounts,dc=pzhukov,dc=example,dc=com
> cn=trust admins,cn=groups,cn=accounts,dc=pzhukov,dc=example,dc=com
> cn=rhevmadmins,cn=groups,cn=accounts,dc=pzhukov,dc=example,dc=com

Right, I've added all these groups to test whether group membership is the problem, but ruser was able to log in even with cn=ipausers only.

> I confirmed this by connecting into the ipa server and dump ldap content.
>
> then I disabled the httpd kerb, as I cannot login to internal otherwise, and
> I see the uid=rhevipa,cn=users,cn=accounts,dc=pzhukov,dc=example,dc=com as
> super user and not
> uid=admin_rhev,cn=users,cn=accounts,dc=pzhukov,dc=example,dc=com.

If you try to log in with admin_rhev you will pass the Apache Kerberos authentication and will be able to log in as admin@internal. I'm logged in right now without disabling Kerberos authentication. And I did it many times yesterday.

> the admin_rhev which is there belongs to the legacy provider and will not be
> used within this sequence.
>
> I had no problem to add admin_rhev from the correct authz.
>
> but could not test this as did not want to mess up with the ipa kerberos
> configuration.
(In reply to Pavel Zhukov from comment #14)
> Why did you skip this line?
> 2015-04-04 07:53:28,673 ERROR
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (ajp-/127.0.0.1:8702-5) Correlation ID: null, Call Stack: null, Custom Event
> ID: -1, Message: User <UNKNOWN> failed to log in.
>
> Is User <UNKNOWN> expected here?

This is a bad error message, and will be fixed in the next z.

> And once again. ruser and admin_rhev are absolutely identical. They're
> created in the same way and added to RHEVM.
>
> -[ RECORD 1 ]-----------+-------------------------------------
> user_id | 3bbb32bb-4450-40b9-9cd5-da6d09fba123
> name | admin
> surname | rhev
> domain | pzhukov.example.com-authz

^ This was not available when I looked in the UI on your server; it was the legacy provider.

Once again, the problem was that you had the admin_rhev from the wrong provider.

I disabled Kerberos again, logged into the application and still cannot see that you added the right user. I added it for you now, and removed the legacy provider users to avoid confusion.

There is now an invalid entry within the system role list that was not there last time I checked; are you playing with the database directly? This entry cannot be removed now.

Please test now with the correct users added within the system configuration.
BTW: all I am looking at is configuration->system roles, not the user list. What I've modified is just adding the superuser role to the right user (admin_rhev).
(In reply to Alon Bar-Lev from comment #16)
> BTW: all I am looking is the configuration->system roles, not the user list.
> what I've modified is just adding superuser role to the right user
> (admin_rhev).

That's weird. I've checked the users list and both users were listed there with the aaa provider (actually they were listed twice, with the legacy provider and the new one). Thank you for your help, and let's close this messy bug report for now...