Bug 1333878 - ovirt-engine-extension-aaa-ldap-setup appends '-authz' behind the scene, impacts SSO by default
Summary: ovirt-engine-extension-aaa-ldap-setup appends '-authz' behind the scene, impa...
Alias: None
Product: ovirt-engine-extension-aaa-ldap
Classification: oVirt
Component: Setup
Version: 1.1.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: ovirt-4.0.0-rc
: 1.2.0
Assignee: Ondra Machacek
QA Contact: Gonza
Depends On:
Reported: 2016-05-06 14:22 UTC by Jiri Belka
Modified: 2016-07-05 07:50 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2016-07-05 07:50:54 UTC
oVirt Team: Infra
rule-engine: ovirt-4.0.0+
rule-engine: planning_ack+
mperina: devel_ack+
rule-engine: testing_ack+


System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1133137 0 low CLOSED [RFE][AAA] Password delegation to VM and newer AAA implementations 2021-02-22 00:41:40 UTC
oVirt gerrit 57367 0 None MERGED setup: ask for SSO and name authz properly 2020-11-03 11:39:57 UTC

Internal Links: 1133137

Description Jiri Belka 2016-05-06 14:22:16 UTC
Description of problem:

ovirt-engine-extension-aaa-ldap-setup asks a user to "specify profile name that will be visible to users" and then it invisibly appends '-authz' to that name behind the scene.

This causes SSO to Windows guests not to work by default, as the engine "sends" not the domain but domain + '-authz' in VM.desktopLogin. Very odd for a sysadmin who configured this domain for SSO for Windows guests' client users.

# ovirt-engine-extension-aaa-ldap-setup 
[ INFO  ] Stage: Initializing
[ INFO  ] Stage: Environment setup
          Configuration files: ['/etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf']
          Log file: /tmp/ovirt-engine-extension-aaa-ldap-setup-20160506150259-66hevw.log
          Version: otopi-1.4.1 (otopi-1.4.1-1.el6ev)
[ INFO  ] Stage: Environment packages setup
[ INFO  ] Stage: Programs detection
[ INFO  ] Stage: Environment customization
          Welcome to LDAP extension configuration program
          Please specify profile name that will be visible to users: ad-w2k8r2.example.com
^^^^^^^^^^^^^^^^^^^^^ provided by admin
          2016-05-06 15:04:00 INFO    ========================================================================
          2016-05-06 15:04:00 INFO    ============================== Execution ===============================
          2016-05-06 15:04:00 INFO    ========================================================================
          2016-05-06 15:04:00 INFO    Profile='ad-w2k8r2.example.com' authn='ad-w2k8r2.example.com-authn' authz='ad-w2k8r2.example.com-authz' mapping='null'
                                                      ^^^^^^ addition
          2016-05-06 15:04:00 INFO    API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS user='ad-w2k8r2'
          2016-05-06 15:04:00 INFO    API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS result=SUCCESS
          2016-05-06 15:04:00 INFO    --- Begin AuthRecord ---
          2016-05-06 15:04:00 INFO    AAA_AUTHN_AUTH_RECORD_PRINCIPAL: ad-w2k8r2.com
          2016-05-06 15:04:00 INFO    --- End   AuthRecord ---
          2016-05-06 15:04:00 INFO    API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='ad-w2k8r2.com'
          2016-05-06 15:04:00 INFO    API: <--Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD status=SUCCESS
          2016-05-06 15:04:00 INFO    --- Begin PrincipalRecord ---
          2016-05-06 15:04:00 INFO    AAA_AUTHZ_PRINCIPAL_DISPLAY_NAME: ad-w2k8r2
          2016-05-06 15:04:00 INFO    AAA_AUTHZ_PRINCIPAL_PRINCIPAL: ad-w2k8r2.com
          2016-05-06 15:04:00 INFO    AAA_LDAP_UNBOUNDID_DN: CN=ad-w2k8r2,CN=Users,DC=ad-w2k8r2,DC=example,DC=com
          2016-05-06 15:04:00 INFO    AAA_AUTHZ_PRINCIPAL_ID: KqAXTzGX9UaxSaIuawL4ug==
          2016-05-06 15:04:00 INFO    AAA_AUTHZ_PRINCIPAL_NAME: ad-w2k8r2
          2016-05-06 15:04:00 INFO    AAA_AUTHZ_PRINCIPAL_FIRST_NAME: ad-w2k8r2
          2016-05-06 15:04:00 INFO    AAA_AUTHZ_PRINCIPAL_NAMESPACE: DC=ad-w2k8r2,DC=example,DC=com
          2016-05-06 15:04:00 INFO    --- End   PrincipalRecord ---

jsonrpc.Executor/7::DEBUG::2016-05-06 15:19:49,529::__init__::503::jsonrpc.JsonRpcServer::(_serveRequest) Calling 'VM.desktopLogin' in bridge with {u'username': u'ad-w2k8r2', u'domain': u'ad-w2k8r2.example.com-authz', u'password': '********', u'vmID': u'ed875d98-
                       ^^^^^^ such domain does not exist


Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. configure an AD via ovirt-engine-extension-aaa-ldap-setup, provide exact
   domain name for profile name to be visible by users
2. assign a VM to an AD user
3. open User Portal as the AD user and open console
4. observe vdsm.log for VM.desktopLogin line and value of domain sent

Actual results:
ovirt-engine-extension-aaa-ldap-setup appends '-authz' invisibly, and this causes the engine to send not the exact AD domain which was configured to the VM.desktopLogin action; thus SSO does not work, as the domain is wrong

Expected results:
ovirt-engine-extension-aaa-ldap-setup should not append any string to user provided "names" for domains

Additional info:
renaming config files is not user friendly and understanding aaa config files seems to be rocket science, thus ovirt-engine-extension-aaa-ldap-setup should create configuration which works by default
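An added verification check, not part of the bug report or of oVirt: it parses vdsm.log for VM.desktopLogin calls and flags any domain that is not one of the configured AD domains, stripping the '-authz'/'-authn' extension suffix to show which domain the engine most likely meant. The log lines and the set of known domains are constructed for the example.

```python
import ast
import re

# Constructed vdsm.log lines modelled on the VM.desktopLogin entries quoted
# in this bug; usernames, domains and vmIDs are made up.
SAMPLE_VDSM_LOG = """\
jsonrpc.Executor/7::DEBUG::2016-05-06 15:19:49,529::__init__::503::jsonrpc.JsonRpcServer::(_serveRequest) Calling 'VM.desktopLogin' in bridge with {u'username': u'ad-w2k8r2', u'domain': u'ad-w2k8r2.example.com-authz', u'password': '********', u'vmID': u'00000000-0000-0000-0000-000000000001'}
jsonrpc.Executor/2::DEBUG::2016-05-06 15:20:01,100::__init__::503::jsonrpc.JsonRpcServer::(_serveRequest) Calling 'VM.getStats' in bridge with {u'vmID': u'00000000-0000-0000-0000-000000000001'}
jsonrpc.Executor/3::DEBUG::2016-06-24 16:57:05,877::__init__::522::jsonrpc.JsonRpcServer::(_serveRequest) Calling 'VM.desktopLogin' in bridge with {'username': 'user1', 'domain': 'ad-w2k12r2.example.com', 'password': '********', 'vmID': '00000000-0000-0000-0000-000000000002'}
"""

DESKTOP_LOGIN_RE = re.compile(r"Calling 'VM\.desktopLogin' in bridge with (\{.*\})\s*$")

# Suffixes aaa-ldap-setup derives from the profile name for its extensions;
# neither is a real AD domain, so neither should reach the guest agent.
EXTENSION_SUFFIXES = ("-authz", "-authn")


def parse_desktop_logins(log_text):
    """Return (username, domain, vmID) for every VM.desktopLogin call.

    The argument dict is a Python literal (with or without u'' prefixes), so
    ast.literal_eval parses both renderings without evaluating code."""
    logins = []
    for line in log_text.splitlines():
        m = DESKTOP_LOGIN_RE.search(line)
        if m:
            args = ast.literal_eval(m.group(1))
            logins.append((args["username"], args["domain"], args["vmID"]))
    return logins


def check_sso_domains(log_text, known_domains):
    """Flag desktopLogin calls whose domain is not a configured AD domain.

    For each mismatch, strip a known extension suffix to show the domain the
    engine most likely meant, so the '-authz' leak is easy to confirm."""
    findings = []
    for user, domain, vmid in parse_desktop_logins(log_text):
        if domain in known_domains:
            continue
        guess = next((domain[:-len(s)] for s in EXTENSION_SUFFIXES
                      if domain.endswith(s)), domain)
        findings.append({"username": user, "vmID": vmid, "sent_domain": domain,
                         "likely_intended": guess,
                         "intended_is_known": guess in known_domains})
    return findings
```

Run `check_sso_domains(SAMPLE_VDSM_LOG, {"ad-w2k8r2.example.com", "ad-w2k12r2.example.com"})`; the first sample line is reported with likely_intended "ad-w2k8r2.example.com", the post-fix line passes.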

Comment 1 Yaniv Lavi 2016-05-23 13:19:00 UTC
oVirt 4.0 beta has been released, moving to RC milestone.

Comment 2 Yaniv Lavi 2016-05-23 13:26:32 UTC
oVirt 4.0 beta has been released, moving to RC milestone.

Comment 3 Martin Perina 2016-05-26 12:55:53 UTC
Fix is included in ovirt-engine-extension-aaa-ldap-1.2.0-1

Comment 4 Gonza 2016-06-24 14:00:08 UTC
Verified with:

Domain name is still the same but SSO is working correctly.
jsonrpc.Executor/3::DEBUG::2016-06-24 16:57:05,877::__init__::522::jsonrpc.JsonRpcServer::(_serveRequest) Calling 'VM.desktopLogin' in bridge with {'username': 'user1', 'domain': 'ad-w2k12r2-authz', 'password': '********', 'vmID': 'd75de907-1e3f-4d00-a062-a6d0fdd61060'}

Comment 5 Sandro Bonazzola 2016-07-05 07:50:54 UTC
oVirt 4.0.0 has been released, closing current release.
