Bug 1285075 - If the "Usergroup sync" is enabled under LDAP authentication, login to Satellite server hangs
Status: CLOSED ERRATA
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Users & Roles
Version: 6.1.4
Hardware: x86_64 Linux
Priority: unspecified
Severity: medium
Target Milestone: Beta
Target Release: --
Assigned To: Daniel Lobato Garcia
QA Contact: Kedar Bidarkar
URL: http://projects.theforeman.org/issues...
Keywords: Triaged
Reported: 2015-11-24 15:18 EST by Leo Thomas
Modified: 2017-02-10 15:04 EST

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-07-27 04:59:53 EDT
Type: Bug


Description Leo Thomas 2015-11-24 15:18:39 EST
Description of problem:

If the "Usergroup sync" is enabled while configuring the "Active Directory" as LDAP Server, the login to Satellite hangs.

Version-Release number of selected component (if applicable):

Satellite 6.1.4

How reproducible:

100 % reproducible. 

Steps to Reproduce:

Configure Active Directory as LDAP Server as described in 
 
https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.1/html/User_Guide/chap-Red_Hat_Satellite-User_Guide-Configuring_External_Authentication.html#sect-Red_Hat_Satellite-User_Guide-Using_Configuring_TLS_for_Secure-LDAP
and https://access.redhat.com/solutions/1498773

Actual results:

Login to Satellite hangs indefinitely.

Expected results:

Should be able to login without any issues.

Additional info:

This same issue is addressed in the following upstream bugzilla and has a fix.

http://projects.theforeman.org/issues/10340

Another similar bz#1284832
Comment 2 Bryan Kearney 2015-12-10 17:01:47 EST
Clearing flags to make sure it gets triaged.
Comment 3 Brad Buckingham 2016-02-09 09:09:36 EST
Created redmine issue http://projects.theforeman.org/issues/13617 from this bug
Comment 4 Bryan Kearney 2016-02-09 10:10:14 EST
Moving to POST since upstream bug http://projects.theforeman.org/issues/10340 has been closed
-------------
Vasil Mikhalenya
I have no idea how it should work, because we use only one group in AD and use it in the LDAP filter.
It seems to fail in a different way:
I've added a group and tried to add a mapping to AD; it fails with "POST /usergroups/1-admins HTTP/1.1" 500"

Started PUT "/usergroups/1-admins" for 10.128.60.25 at 2015-05-01 08:26:17 +0000
2015-05-01 08:26:17 [I] Processing by UsergroupsController#update as HTML
2015-05-01 08:26:17 [I]   Parameters: {"utf8"=>"✓", "authenticity_token"=>"...............blanked.........................", "usergroup"=>{"name"=>"admins", "user_ids"=>[""], "admin"=>"1", "role_ids"=>["", "9"], "external_usergroups_attributes"=>{"0"=>{"_destroy"=>"false", "name"=>"Server Administration Team", "auth_source_id"=>"2"}, "new_external_usergroups"=>{"_destroy"=>"false", "name"=>"", "auth_source_id"=>"2"}}}, "commit"=>"Submit", "id"=>"1-admins"}
2015-05-01 08:26:17 [I] 

But it had been added, because the item and button appeared. When I click the refresh button, I get this:
LdapFluff::ActiveDirectory::MemberService::UIDNotFoundException
LdapFluff::ActiveDirectory::MemberService::UIDNotFoundException
app/models/auth_sources/auth_source_ldap.rb:114:in `users_in_group'
app/models/external_usergroup.rb:32:in `users'
app/models/external_usergroup.rb:18:in `refresh'
app/controllers/external_usergroups_controller.rb:5:in `refresh'
app/controllers/concerns/application_shared.rb:13:in `set_timezone'
app/models/concerns/foreman/thread_session.rb:32:in `clear_thread'
lib/middleware/catch_json_parse_errors.rb:9:in `call'

The same for the rake task:

[v-foreman ~]# foreman-rake ldap:refresh_usergroups
Apipie cache enabled but not present yet. Run apipie:cache rake task to speed up API calls.
Workaround for RbVmomi may not work as ComputeResource is already loaded: ComputeResource
User group Server Administration Team could not be refreshed - LDAP source LDAP-v-dc not available: LdapFluff::ActiveDirectory::MemberService::UIDNotFoundException

-------------
Mathieu Parent
Hello,

This fixes it for me: https://github.com/theforeman/ldap_fluff/pull/43
-------------
Dominic Cleal
https://github.com/theforeman/ldap_fluff/pull/44 contains a further fix I think to prevent the hang.
-------------
Mathieu Parent
The loop has been fixed in https://github.com/theforeman/ldap_fluff/pull/43 and https://github.com/theforeman/ldap_fluff/pull/44.

But this is not the end of the story. If your logins are not lowercase, your groups will be considered empty. This should be solved on the Foreman side.

Also, as performance of ActiveDirectory is very low, an option to disable recursive search would be better.

I will try to work on those, but I'm very busy currently.

-------------
Dominic Cleal
Mathieu Parent wrote:
> The loop has been fixed in https://github.com/theforeman/ldap_fluff/pull/43 and https://github.com/theforeman/ldap_fluff/pull/44.
> 
> But this is not the end of the story. If your logins are not lowercase, your groups will be considered empty. This should be solved on the Foreman side.

You're in luck, Daniel has just been fixing this.  I think #11428 and #11407 should fix case insensitivity for both groups and logins.
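
The three points raised in the upstream discussion above (a group walk that loops, logins that are not lowercase yielding empty groups, and an option to disable recursive search) can be shown in one small resolver. This is an added example, not code from ldap_fluff, Foreman or the commenters; the directory data is constructed, the helper names are hypothetical, and cyclic group nesting as the source of non-termination is an assumption, since the page does not state the cause.

```ruby
require 'set'

# Constructed sample data: group name => direct members (users or nested groups).
# "Ops" and "Admins" contain each other, so a recursive walk without a
# visited set would never terminate (assumed failure mode, see lead-in).
DIRECTORY = {
  'Server Administration Team' => ['JSmith', 'Ops'],
  'Ops'                        => ['adoe', 'Admins'],
  'Admins'                     => ['Ops', 'BWayne']
}.freeze

# Hypothetical helper (not ldap_fluff's API): resolve the users of a group.
# Names are folded to lowercase so "JSmith" and "jsmith" are the same login.
def users_in_group(directory, group, recursive: true)
  index = directory.each_with_object({}) { |(name, members), h| h[name.downcase] = members }
  seen  = Set.new
  users = Set.new
  queue = [group.downcase]

  until queue.empty?
    current = queue.shift
    # Set#add? returns nil when the group was already expanded,
    # which breaks cycles and avoids re-walking shared subgroups.
    next unless seen.add?(current)

    index.fetch(current, []).each do |member|
      key = member.downcase
      if index.key?(key)
        queue << key if recursive # nested group: expand only when asked to
      else
        users << key              # leaf entry: treat as a user login
      end
    end
  end
  users.to_a.sort
end

# Case-insensitive membership check built on the resolver above.
def member?(directory, group, login, recursive: true)
  users_in_group(directory, group, recursive: recursive).include?(login.downcase)
end

p users_in_group(DIRECTORY, 'Server Administration Team') if $PROGRAM_NAME == __FILE__
```

With `recursive: false` only direct members are returned, which trades nested-group coverage for a single lookup per group.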
Comment 6 Stephen Clayton 2016-03-09 17:08:53 EST
I am also seeing this behavior on Satellite 6.1.7. Active Directory is the server type for the Auth Source.
Comment 8 Kedar Bidarkar 2016-04-05 18:01:57 EDT
VERIFIED with sat62-snap6.1


Made sure that "Usergroup Sync" option is enabled under LDAP authentication.

LDAP user was able to access Satellite6 machine and the Sat6 Server didn't hang.
Comment 12 errata-xmlrpc 2016-07-27 04:59:53 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1500
