Bug 1284832 - After satellite upgrade to 6.1.4 'Usergroup sync' under ldap authentication gets enabled automatically
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Users & Roles
Hardware: x86_64 Linux
Priority: medium, Severity: medium
: 6.1.z
Assigned To: Daniel Lobato Garcia
QA Contact: Katello QA List
Keywords: Reopened, Triaged
Depends On:
Blocks: 1317008 1315268
Reported: 2015-11-24 05:14 EST by Mahesh Taru
Modified: 2017-10-20 14:50 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1315268
Last Closed: 2017-01-12 03:14:16 EST
Type: Bug


External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
Red Hat Knowledge Base (Solution) | 2064723 | None | None | None | Never
Foreman Issue Tracker | 10340 | None | None | None | 2016-09-12 15:07 EDT
Foreman Issue Tracker | 14868 | None | None | None | 2016-04-28 10:05 EDT

Description Mahesh Taru 2015-11-24 05:14:05 EST
Description of problem:
After upgrading Satellite to version 6.1.4, the 'Usergroup Sync' under Ldap Authentication gets enabled automatically.

Version-Release number of selected component (if applicable):
Red Hat Satellite 6.1.4

How reproducible:

Steps to Reproduce:
1. On Satellite 6.1.3 or below version. Satellite webui --> Administer --> Ldap Authentication --> Click on name --> Account --> here uncheck the 'Usergroup Sync' is present --> Save
2. Upgrade satellite to 6.1.4 by performing steps from installation guide.

3. Satellite webui --> Administer --> Ldap Authentication --> Click on name --> Account --> here the 'Usergroup Sync' is checked

Actual results:
'Usergroup Sync' is enabled automatically resulting in login failure.

Expected results:
Upgrade should not automatically enable 'Usergroup Sync' and should maintain configuration.

Additional info:
Comment 4 Justin Sherrill 2015-12-02 05:00:49 EST
Note that real issue may not be that usergroup sync is enabled, but that logins are failing with usergroup sync enabled (due to sync hanging)
Comment 6 Bryan Kearney 2016-01-26 08:55:24 EST
Moving this out of 6.1.7 due to capacity issues. Will keep it on the 6.1.z and 6.2 trackers to ensure that it is evaluated for both.
Comment 8 Stuart Auchterlonie 2016-02-25 09:45:06 EST
I've observed the following in production.log due to this failure

"Operation FAILED: Insufficient Privileges to query groups data"
Comment 9 Daniel Lobato Garcia 2016-04-28 09:44:31 EDT
Created redmine issue http://projects.theforeman.org/issues/14868 from this bug
Comment 10 Stuart Auchterlonie 2016-04-28 10:20:22 EDT
(In reply to Justin Sherrill from comment #4)
> Note that real issue may not be that usergroup sync is enabled, but that
> logins are failing with usergroup sync enabled (due to sync hanging)

I think this is the key issue here.
Customers may want to run with usergroup sync enabled,
so it should not fail when that is set.

I believe the error I noted in c#8 is applicable here.
Comment 11 Bryan Kearney 2016-04-28 12:11:25 EDT
Upstream bug component is Provisioning
Comment 13 Ivan Necas 2016-07-26 07:15:42 EDT
I don't think the description in the initial commit is valid. First of all, there was no usersync checkbox in 6.1.3, so one could not perform step one, and the installer doesn't touch the usersync flag there (other than setting the default). I agree the real issue would be the hanging itself, rather than the upgrade. Changing the component to treat it the right way there.
Comment 14 Bryan Kearney 2016-07-26 08:10:43 EDT
Upstream bug assigned to dlobatog@redhat.com
Comment 15 Bryan Kearney 2016-07-26 08:10:48 EDT
Upstream bug component is Provisioning
Comment 16 Bryan Kearney 2016-07-27 06:10:04 EDT
Upstream bug component is Users & Roles
Comment 18 Daniel Lobato Garcia 2016-12-14 11:23:44 EST
I'm going to go with moving to POST as the original bug was not valid (we did not change any flag on the upgrade - just kept the original behavior by defaulting to true). 

The various 'hanging logins' mentioned in here (linked to issues upstream) have all already been merged and are in 6.2.z via ldap_fluff 0.4.3. I will check how to backport this to 6.1.z.
Comment 25 Kedar Bidarkar 2017-01-10 10:57:07 EST
To test this, I installed Sat6.1.11 and updated the ldap_fluff package to 0.4.3-1 as mentioned in the errata advisory.

This was tested against Sat6.1.11 running on both RHEL6 and RHEL7.

I have tested against admin role, katello role and foreman role and it appears to be working fine.
Comment 27 errata-xmlrpc 2017-01-12 03:14:16 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

