Red Hat Bugzilla – Bug 1284832
After satellite upgrade to 6.1.4 'Usergroup sync' under ldap authentication gets enabled automatically
Last modified: 2017-10-20 14:50:17 EDT
Description of problem:
After upgrading satellite to version 6.1.4 the 'Usergroup Sync' under Ldap Authentication get enabled automatically.
Version-Release number of selected component (if applicable):
Red Hat Satellite 6.1.4
Steps to Reproduce:
1. On Satellite 6.1.3 or below version. Satellite webui --> Administer --> Ldap Authentication --> Click on name --> Account --> here uncheck the 'Usergroup Sync' is present --> Save
2. Upgrade satellite to 6.1.4 by performing steps from installation guide.
3. Satellite webui --> Administer --> Ldap Authentication --> Click on name --> Account --> here the 'Usergroup Sync' is checked
'Usergroup Sync' is enabled automatically resulting in login failure.
Upgrade should not automatically enable 'Usergroup Sync' and should maintain configuration.
Note that real issue may not be that usergroup sync is enabled, but that logins are failing with usergroup sync enabled (due to sync hanging)
Moving this out of 6.1.7 due to capacity issues. Will keep it on the 6.1.z and 6.2 trackers to ensure that it is evaluated for both.
I've observed the following in production.log due to this failure
"Operation FAILED: Insufficient Privileges to query groups data"
Created redmine issue http://projects.theforeman.org/issues/14868 from this bug
(In reply to Justin Sherrill from comment #4)
> Note that real issue may not be that usergroup sync is enabled, but that
> logins are failing with usergroup sync enabled (due to sync hanging)
I think this is the key issue here.
Customers may want to run with usergroup sync enabled,
so it should not fail when that is set.
I believe the error I noted in c#8 is applicable here.
Upstream bug component is Provisioning
I don't thing the description in the initial commit is valid. First of all, there was no usersync checkbox in 6.1.3, so one could not preform the step one
and the installer doesn't touch the usersync flag there (other than setting the default). I agree the real issue would be the hanging itself, rather than the upgrade. Changing the component to treat it the right way there.
Upstream bug assigned to email@example.com
Upstream bug component is Users & Roles
I'm going to go with moving to POST as the original bug was not valid (we did not change any flag on the upgrade - just kept the original behavior by defaulting to true).
The various 'hanging logins' mentioned in here (linked to issues upstream) have all already been merged and are in 6.2.z via ldap_fluff 0.4.3. I will check how to backport this to 6.1.z.
To test this, I installed Sat6.1.11 and updated the ldap_fluff package to 0.4.3-1 as mentioned in the errata advisory.
This was tested against Sat6.1.11 running on both RHEL6 and RHEL7.
I have tested against admin role, katello role and foreman role and it appears to be working fine.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.