1333878 – ovirt-engine-extension-aaa-ldap-setup appends '-authz' behind the scene, impacts SSO by default

Bug 1333878 - ovirt-engine-extension-aaa-ldap-setup appends '-authz' behind the scene, impacts SSO by default

Summary: ovirt-engine-extension-aaa-ldap-setup appends '-authz' behind the scene, impa...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	ovirt-engine-extension-aaa-ldap
Classification:	oVirt
Component:	Setup
Sub Component:
Version:	1.1.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	ovirt-4.0.0-rc
Target Release:	1.2.0
Assignee:	Ondra Machacek
QA Contact:	Gonza
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-05-06 14:22 UTC by Jiri Belka
Modified:	2016-07-05 07:50 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-07-05 07:50:54 UTC
oVirt Team:	Infra
Embargoed:
Flags:	rule-engine: ovirt-4.0.0+ rule-engine: planning_ack+ mperina: devel_ack+ rule-engine: testing_ack+

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1133137	0	low	CLOSED	[RFE][AAA] Password delegation to VM and newer AAA implementations	2021-02-22 00:41:40 UTC
oVirt gerrit	57367	0	None	MERGED	setup: ask for SSO and name authz properly	2020-11-03 11:39:57 UTC

Internal Links: 1133137

Description Jiri Belka 2016-05-06 14:22:16 UTC

Description of problem:

ovirt-engine-extension-aaa-ldap-setup asks an user to "specify profile name thta will be visible to users" and then it invisibly appends to such name '-authz' behind the scene.

this causes SSO to Windows guest does not work by default as engine "sends" not domain but domain + '-authz' in VM.desktopLogin. very odd for a sysadmin who configured this domain for SSO for Windows guests' client users.

# ovirt-engine-extension-aaa-ldap-setup 
[ INFO  ] Stage: Initializing
[ INFO  ] Stage: Environment setup
          Configuration files: ['/etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf']
          Log file: /tmp/ovirt-engine-extension-aaa-ldap-setup-20160506150259-66hevw.log
          Version: otopi-1.4.1 (otopi-1.4.1-1.el6ev)
[ INFO  ] Stage: Environment packages setup
[ INFO  ] Stage: Programs detection
[ INFO  ] Stage: Environment customization
          Welcome to LDAP extension configuration program
          Please specify profile name that will be visible to users: ad-w2k8r2.example.com
^^^^^^^^^^^^^^^^^^^^^ provided by admin
...
          2016-05-06 15:04:00 INFO    ========================================================================
          2016-05-06 15:04:00 INFO    ============================== Execution ===============================
          2016-05-06 15:04:00 INFO    ========================================================================
          2016-05-06 15:04:00 INFO    Profile='ad-w2k8r2.example.com' authn='ad-w2k8r2.example.com-authn' authz='ad-w2k8r2.example.com-authz' mapping='null'
                                                      ^^^^^^ addition
          2016-05-06 15:04:00 INFO    API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS user='ad-w2k8r2'
          2016-05-06 15:04:00 INFO    API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS result=SUCCESS
          2016-05-06 15:04:00 INFO    --- Begin AuthRecord ---
          2016-05-06 15:04:00 INFO    AAA_AUTHN_AUTH_RECORD_PRINCIPAL: ad-w2k8r2.com
          2016-05-06 15:04:00 INFO    --- End   AuthRecord ---
          2016-05-06 15:04:00 INFO    API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='ad-w2k8r2.com'
          2016-05-06 15:04:00 INFO    API: <--Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD status=SUCCESS
          2016-05-06 15:04:00 INFO    --- Begin PrincipalRecord ---
          2016-05-06 15:04:00 INFO    AAA_AUTHZ_PRINCIPAL_DISPLAY_NAME: ad-w2k8r2
          2016-05-06 15:04:00 INFO    AAA_AUTHZ_PRINCIPAL_PRINCIPAL: ad-w2k8r2.com
          2016-05-06 15:04:00 INFO    AAA_LDAP_UNBOUNDID_DN: CN=ad-w2k8r2,CN=Users,DC=ad-w2k8r2,DC=example,DC=com
          2016-05-06 15:04:00 INFO    AAA_AUTHZ_PRINCIPAL_ID: KqAXTzGX9UaxSaIuawL4ug==
          2016-05-06 15:04:00 INFO    AAA_AUTHZ_PRINCIPAL_NAME: ad-w2k8r2
          2016-05-06 15:04:00 INFO    AAA_AUTHZ_PRINCIPAL_FIRST_NAME: ad-w2k8r2
          2016-05-06 15:04:00 INFO    AAA_AUTHZ_PRINCIPAL_NAMESPACE: DC=ad-w2k8r2,DC=example,DC=com
          2016-05-06 15:04:00 INFO    --- End   PrincipalRecord ---



jsonrpc.Executor/7::DEBUG::2016-05-06 15:19:49,529::__init__::503::jsonrpc.JsonRpcServer::(_serveRequest) Calling 'VM.desktopLogin' in bridge with {u'username': u'ad-w2k8r2', u'domain': u'ad-w2k8r2.example.com-authz', u'password': '********', u'vmID': u'ed875d98-
                       ^^^^^^ such domain does not exist

e407-4b07-967a-363cbecf3bb3'}

Version-Release number of selected component (if applicable):
ovirt-engine-extension-aaa-ldap-setup-1.1.4-1.el6ev.noarch

How reproducible:
100%

Steps to Reproduce:
1. configure an AD via ovirt-engine-extension-aaa-ldap-setup, provide exact
   domain name for profile name to be visible by users
2. assing a VM to an AD user
3. open User Portal as the AD user and open console
4. observe vdsm.log for VM.desktopLogin line and value of domain sent

Actual results:
ovirt-engine-extension-aaa-ldap-setup appends '-authz' invisibly and this causes engine to send not exact AD domain which was configured to VM.desktopLogin action; thus SSO does not work as domain is wrong

Expected results:
ovirt-engine-extension-aaa-ldap-setup should not append any string to user provided "names" for domains

Additional info:
renaming config files is not user friendly and understanding aaa config files seems to be rocket science, thus ovirt-engine-extension-aaa-ldap-setup should create configuration which works by default

Comment 1 Yaniv Lavi 2016-05-23 13:19:00 UTC

oVirt 4.0 beta has been released, moving to RC milestone.

Comment 2 Yaniv Lavi 2016-05-23 13:26:32 UTC

oVirt 4.0 beta has been released, moving to RC milestone.

Comment 3 Martin Perina 2016-05-26 12:55:53 UTC

Fix is included in ovirt-engine-extension-aaa-ldap-1.2.0-1

Comment 4 Gonza 2016-06-24 14:00:08 UTC

Verified with:
rhevm-4.0.0.5-0.1.el7ev.noarch

Domain name is still the same but SSO is working correctly.
jsonrpc.Executor/3::DEBUG::2016-06-24 16:57:05,877::__init__::522::jsonrpc.JsonRpcServer::(_serveRequest) Calling 'VM.desktopLogin' in bridge with {'username': 'user1', 'domain': 'ad-w2k12r2-authz', 'password': '********', 'vmID': 'd75de907-1e3f-4d00-a062-a6d0fdd61060'}

Comment 5 Sandro Bonazzola 2016-07-05 07:50:54 UTC

oVirt 4.0.0 has been released, closing current release.

Note You need to log in before you can comment on or make changes to this bug.