Bug 1306436 - OpenLDAP proxy to 3 different domains
OpenLDAP proxy to 3 different domains
Status: CLOSED WORKSFORME
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Appliance (Show other bugs)
5.5.0
Unspecified Unspecified
high Severity urgent
: GA
: 5.7.0
Assigned To: abellott
Matt Pusateri
ldap
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-02-10 16:04 EST by Jared Deubel
Modified: 2017-04-27 10:48 EDT (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-03-17 10:22:38 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
multi-ldap/active direcotry SSSD (3.24 KB, text/plain)
2016-02-17 09:49 EST, Brandon Johnson
no flags Details

  None (edit)
Description Jared Deubel 2016-02-10 16:04:18 EST
Description of problem:
Trying to OpenLDAP Proxy to 3 different domains.  samaccountname and passwords are being cached and passing domain isn't going to work.  CFME is passing '\username' to LDAP and it isn't authenticating.  

We were able to reproduce this issue.  In the log User [ ... ]  we put   domainprefix\userid,  so when we log in to AD, We see  domain\userid,  if we clean the domain prefix, I see \userid and cannot login. The problem seems to be that you probably have the domain prefix empty. Can you check Configure->Authentication->Domain Prefix, that should have their domain prefix (no \'s).

Snippet from evm.log
================================================================================
[----] I, [2016-01-27T14:08:55.743488 #15418:1189998]  INFO -- : MIQ(MiqLdap#bind) Binding to LDAP: Host: [10.10.10.1], User: [\user]...
[----] W, [2016-01-27T14:08:55.753992 #15418:1189998]  WARN -- : MIQ(MiqLdap#bind) Binding to LDAP: Host: [10.10.10.1], User: [\user]... unsuccessful
[----] W, [2016-01-27T14:08:55.769144 #15418:1189998]  WARN -- : <AuditFailure> MIQ(Authenticator.authenticate) userid: [user] - Authentication failed for userid \user
[----] W, [2016-01-27T14:08:55.769288 #15418:1189998]  WARN -- : MIQ(Authenticator::Ldap#authenticate) Authentication failed
[----] E, [2016-01-27T14:08:55.769634 #15418:1189998] ERROR -- : MIQ(dashboard_controller-authenticate): Sorry, the username or password you entered is incorrect.
================================================================================

Version-Release number of selected component (if applicable):
5.5.0.13,
Comment 2 abellott 2016-02-12 13:16:10 EST
Initially attempted to resolve with MiqLdap, but we could not even bind to
the OpenLdap proxy with just the samaccountname (no \).

This authentication scenario was resolved by leveraging the External Authentication (httpd/apache) mechanism supported by CloudForms.

In the environment, the OpenLdap proxy was removed from the CloudForms solution and the Linux/SSSD was configured to authenticate directly with the Active Directory domains. 

Since a service account with entitlements to join a domain was not an option, we could not base the configuration process based on https://github.com/ManageIQ/manageiq_docs/blob/master/auth/active_directory.adoc with realm discover/join. We needed to leverage the more involved https://github.com/ManageIQ/manageiq_docs/blob/master/auth/ldap.adoc but manually configuring the sssd domains against AD using the ldap directives.

With the approach taken, one could login to CloudForms with the fully qualified userid@domain reflecting the specific AD domain, we could also query the groups of users within CloudForms using the same userid@domain syntax for username.

So, no code change was needed to get this to work.

We need to add a configuration scenario in https://github.com/ManageIQ/manageiq_docs/blob/master/auth/ for LDAP external auth to one or more AD domains for documenting the above.
Comment 3 Brandon Johnson 2016-02-17 09:49 EST
Created attachment 1127962 [details]
multi-ldap/active direcotry SSSD
Comment 8 Joe Vlcek 2017-03-17 10:22:38 EDT
Closing per Brandon Johnson's comment indicating this can be closed.

If it is felt this should not be closed please reopen and provide more details.

Thank you,

JoeV

Note You need to log in before you can comment on or make changes to this bug.