Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1284832 - After satellite upgrade to 6.1.4 'Usergroup sync' under ldap authentication gets enabled automatically
Summary: After satellite upgrade to 6.1.4 'Usergroup sync' under ldap authentication g...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Users & Roles
Version: 6.1.4
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: Unspecified
Assignee: Daniel Lobato Garcia
QA Contact: Katello QA List
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks: 1315268 1317008
TreeView+ depends on / blocked
 
Reported: 2015-11-24 10:14 UTC by Mahesh Taru
Modified: 2020-12-11 11:59 UTC (History)
18 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1315268 (view as bug list)
Environment:
Last Closed: 2017-01-12 08:14:16 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 10340 0 'Normal' 'Closed' 'AD auth hangs while syncing user groups on login' 2019-12-06 11:18:48 UTC
Foreman Issue Tracker 14868 0 'Normal' 'Resolved' 'After satellite upgrade to 6.1.4 ''Usergroup sync'' under ldap authentication gets enabled automatically' 2019-12-06 11:18:48 UTC
Red Hat Knowledge Base (Solution) 2064723 0 None None None Never
Red Hat Product Errata RHBA-2017:0060 0 normal SHIPPED_LIVE Satellite 6.1 LDAP Async Errata 2017-01-12 13:14:04 UTC

Description Mahesh Taru 2015-11-24 10:14:05 UTC 
Description of problem:
After upgrading satellite to version 6.1.4 the 'Usergroup Sync' under Ldap Authentication get enabled automatically.

Version-Release number of selected component (if applicable):
Red Hat Satellite 6.1.4

How reproducible:
Always

Steps to Reproduce:
1. On Satellite 6.1.3 or below version. Satellite webui --> Administer --> Ldap Authentication --> Click on name --> Account --> here uncheck the 'Usergroup Sync' is present --> Save
2. Upgrade satellite to 6.1.4 by performing steps from installation guide.
https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.1/html-single/Installation_Guide/index.html#sect-Red_Hat_Satellite-Installation_Guide-Upgrading_Red_Hat_Satellite_Server_and_Capsule_Server-Upgrading_Red_Hat_Satellite

3. Satellite webui --> Administer --> Ldap Authentication --> Click on name --> Account --> here the 'Usergroup Sync' is checked

Actual results:
'Usergroup Sync' is enabled automatically resulting in login failure.

Expected results:
Upgrade should not automatically enable 'Usergroup Sync' and should maintain configuration.

Additional info:
Comment 4 Justin Sherrill 2015-12-02 10:00:49 UTC 
Note that real issue may not be that usergroup sync is enabled, but that logins are failing with usergroup sync enabled (due to sync hanging)
Comment 6 Bryan Kearney 2016-01-26 13:55:24 UTC 
Moving this out of 6.1.7 due to capacity issues. Will keep it on the 6.1.z and 6.2 trackers to ensure that it is evaluated for both.
Comment 8 Stuart Auchterlonie 2016-02-25 14:45:06 UTC 
I've observed the following in production.log due to this failure

"Operation FAILED: Insufficient Privileges to query groups data"
Comment 9 Daniel Lobato Garcia 2016-04-28 13:44:31 UTC 
Created redmine issue http://projects.theforeman.org/issues/14868 from this bug
Comment 10 Stuart Auchterlonie 2016-04-28 14:20:22 UTC 
(In reply to Justin Sherrill from comment #4)
> Note that real issue may not be that usergroup sync is enabled, but that
> logins are failing with usergroup sync enabled (due to sync hanging)

I think this is the key issue here.
Customers may want to run with usergroup sync enabled,
so it should not fail when that is set.

I believe the error I noted in c#8 is applicable here.
Comment 11 Bryan Kearney 2016-04-28 16:11:25 UTC 
Upstream bug component is Provisioning
Comment 13 Ivan Necas 2016-07-26 11:15:42 UTC 
I don't thing the description in the initial commit is valid. First of all, there was no usersync checkbox in 6.1.3, so one could not preform the step one
and the installer doesn't touch the usersync flag there (other than setting the default). I agree the real issue would be the hanging itself, rather than the upgrade. Changing the component to treat it the right way there.
Comment 14 Bryan Kearney 2016-07-26 12:10:43 UTC 
Upstream bug assigned to dlobatog
Comment 15 Bryan Kearney 2016-07-26 12:10:48 UTC 
Upstream bug component is Provisioning
Comment 16 Bryan Kearney 2016-07-27 10:10:04 UTC 
Upstream bug component is Users & Roles
Comment 18 Daniel Lobato Garcia 2016-12-14 16:23:44 UTC 
I'm going to go with moving to POST as the original bug was not valid (we did not change any flag on the upgrade - just kept the original behavior by defaulting to true). 

The various 'hanging logins' mentioned in here (linked to issues upstream) have all already been merged and are in 6.2.z via ldap_fluff 0.4.3. I will check how to backport this to 6.1.z.
Comment 25 Kedar Bidarkar 2017-01-10 15:57:07 UTC 
To test this, I installed Sat6.1.11 and updated the ldap_fluff package to 0.4.3-1 as mentioned in the errata advisory.

This was tested against Sat6.1.11 running on both RHEL6 and RHEL7.

I have tested against admin role, katello role and foreman role and it appears to be working fine.
Comment 27 errata-xmlrpc 2017-01-12 08:14:16 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0060
Note You need to log in before you can comment on or make changes to this bug.