Bug 1356675 - [AAA] Can't add IPA directory users to VM permissions
Status: CLOSED ERRATA
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 3.6.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ovirt-4.0.2
Target Release: 4.0.2
Assigned To: Ondra Machacek
QA Contact: Jiri Belka
Keywords: ZStream
Depends On:
Blocks: 1358286
Reported: 2016-07-14 12:27 EDT by Anitha Udgiri
Modified: 2017-06-22 07:59 EDT
CC: 14 users
See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Clones: 1358286
Environment:
Last Closed: 2016-08-23 16:44:07 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


External Trackers
  oVirt gerrit 60764 (master), status MERGED: "bll: search: don't replace all ocurrence of pattern", last updated 2016-07-18 04:05 EDT
  oVirt gerrit 60892 (ovirt-engine-4.0), status MERGED: "bll: search: don't replace all ocurrence of pattern", last updated 2016-07-18 05:29 EDT
  Red Hat Product Errata RHEA-2016:1743 (priority normal), status SHIPPED_LIVE: "Red Hat Virtualization Manager 4.0 GA Enhancement (ovirt-engine)", last updated 2016-09-02 17:54:01 EDT
Description Anitha Udgiri 2016-07-14 12:27:28 EDT
Created attachment 1179911 [details]
Debug log for the behaviour described

Description of problem:
Site is unable to display any results for IPA when searching/adding new users. 

From the customer: 

I have tried the following, all yield no results:
        "*"
        "thomas*"
        "thomas"
        "thomas stewart"
        "Thomas Stewart"

As a further test, I set the domain to internal and tried the following which both yielded the single "admin" user:
        "*"
        "a*"


The only clue I have found so far is in the /var/log/ovirt-engine/engine.log log file; when I click GO as described above, it says:
2016-07-11 09:48:01,035 INFO  [org.ovirt.engine.core.bll.SearchQuery] (ajp-/127.0.0.1:8702-6) [] ResourceManager::searchBusinessObjects - erroneous search text - ''ADUSER:dc= allnames=thomas.stewart''
2016-07-11 09:48:01,039 INFO  [org.ovirt.engine.core.bll.SearchQuery] (ajp-/127.0.0.1:8702-6) [] ResourceManager::searchBusinessObjects - erroneous search text - ''ADGROUP:dc= name=thomas.stewart''
Comment 2 Ondra Machacek 2016-07-14 13:49:36 EDT
It's an issue with search. When the namespace is 'dc=something', it doesn't work properly.
Comment 3 Ondra Machacek 2016-07-14 15:58:44 EDT
As a temporary workaround, just rename the profile name to something different than 'pheunix'.
Comment 5 Javier Coscia 2016-07-15 12:29:56 EDT
(In reply to Ondra Machacek from comment #3)
> As temporary workaround just rename profile name to something different then
> 'pheunix'.

Hi Ondra,

Could you please confirm if the workaround would be to modify the ovirt.engine.aaa.authn.profile.name value in /etc/ovirt-engine/extensions.d/<profile-name>-authn.properties and restart ovirt-engine afterwards ?

Thanks!
Comment 6 Ondra Machacek 2016-07-16 03:29:37 EDT
Hi,

yes, that's correct. But please note that the name can't be any of the following:
 dc=pheunix
 c=pheunix
 =pheunix
 pheunix
 heunix
 eunix
 unix
 nix
 ix
 x

Anything else should be fine (in this specific case).
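The list above is every suffix of the namespace "dc=pheunix", which is the signature of a replace-all on the search string: if the engine strips the "<profile>:" token everywhere it occurs rather than only where the grammar puts it, any profile name that also ends the namespace field (followed by ":") eats part of the namespace, and "ADUSER:dc= allnames=..." in the engine.log above is the result. The following is an added illustration of that bug class, not oVirt's own code. The query layout "ADUSER@<authz>:<namespace>: <conditions>", the rewrite to "ADUSER:<namespace> <conditions>", and the function names are assumptions made for the example; the inputs are constructed from the names in this report.

```python
"""
Added illustration of the search-string bug in this report (not oVirt code).

Assumed layout (not taken from oVirt's source): the engine receives

    ADUSER@<authz>:<namespace>: <conditions>

and rewrites it for the directory backend as

    ADUSER:<namespace> <conditions>

by stripping the "<authz>:" token.  A replace-all does that wherever the
token occurs, so it also fires at the end of the namespace field whenever
the profile name is a suffix of the namespace (the list in comment 6).
"""
import re

# Assumed query layout; the real oVirt search grammar is not reproduced here.
QUERY_RE = re.compile(
    r"^(?P<type>ADUSER|ADGROUP)@(?P<authz>[^:]+):(?P<namespace>[^:]*): (?P<conditions>.*)$"
)


def backend_query_buggy(search_text: str, authz: str) -> str:
    """Broken variant: removes every '<authz>:' occurrence, not just the first."""
    text = search_text.replace(authz + ":", "")             # replace-all: the bug
    return text.replace("@", ":", 1).replace(": ", " ", 1)  # tidy the separators


def backend_query_fixed(search_text: str, authz: str) -> str:
    """Parse the fields by position and rebuild; the namespace is never touched."""
    m = QUERY_RE.match(search_text)
    if m is None:
        raise ValueError(f"malformed directory search text: {search_text!r}")
    if m.group("authz") != authz:
        raise ValueError(f"search text is for {m.group('authz')!r}, not {authz!r}")
    return f"{m.group('type')}:{m.group('namespace')} {m.group('conditions')}"


def profile_name_is_safe(authz: str, namespace: str) -> bool:
    """True if a replace-all of '<authz>:' cannot reach into the namespace field.

    This is the check to run before picking a new profile name for the
    workaround in comment 3: the name must not end the namespace string.
    """
    return (authz + ":") not in (namespace + ":")


def unsafe_profile_names(namespace: str) -> list:
    """Every profile name the buggy rewrite mangles for this namespace: exactly
    the suffixes of the namespace, which reproduces the list in comment 6."""
    return [namespace[i:] for i in range(len(namespace))]


if __name__ == "__main__":
    # Constructed inputs modelled on the report: the customer's 'pheunix'
    # profile with namespace 'dc=pheunix', and QA's 'com' profile with
    # namespace 'dc=brq-ipa,dc=example,dc=com' from comment 18.
    cases = [
        ("pheunix", "dc=pheunix", "allnames=thomas.stewart"),
        ("x", "dc=pheunix", "allnames=thomas.stewart"),
        ("ipa", "dc=pheunix", "allnames=thomas.stewart"),
        ("com", "dc=brq-ipa,dc=example,dc=com", "name=vdcadmin"),
    ]
    for authz, ns, cond in cases:
        text = f"ADUSER@{authz}:{ns}: {cond}"
        print(f"profile {authz!r:10} safe={profile_name_is_safe(authz, ns)!s:5} "
              f"buggy={backend_query_buggy(text, authz)!r} "
              f"fixed={backend_query_fixed(text, authz)!r}")
    print("names to avoid for dc=pheunix:", unsafe_profile_names("dc=pheunix"))
```

Note that the QA setup in comment 18 (profile "com", namespace ending in "dc=com") is itself one of the unsafe combinations, which is why it makes a good verification case: the buggy rewrite turns the namespace into "dc=brq-ipa,dc=example,dc=" while the positional parse leaves it intact.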
Comment 7 Martin Perina 2016-07-18 04:06:08 EDT
Moving back to POST as we need to backport to ovirt-engine-4.0.
Comment 16 Ondra Machacek 2016-08-08 11:33:38 EDT
We have authz-rename-tool, which handles exactly this scenario. It's shipped along with the migration tool[1].
So in order to use it, install the migration tool and refer to the README[2] section:

  12. [OPTIONAL] Rename authz to match legacy convention.

It has the steps for using it.

[1] https://github.com/machacekondra/ovirt-engine-kerbldap-migration/releases/tag/ovirt-engine-kerbldap-migration-1.0.4

[2] https://github.com/machacekondra/ovirt-engine-kerbldap-migration/blob/master/README.md
Comment 18 Jiri Belka 2016-08-18 11:30:20 EDT
ok, ovirt-engine-4.0.2.7-0.1.el7ev.noarch

vdcadmin in the "com" profile got a VM and logged successfully into the User Portal

2016-08-18 15:26:31,538 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-6-thread-1) [6661f726] Correlation ID: 6661f726, Call Stack: null, Custom Event ID: -1, Message: User 'vdcadmin' was added successfully to the system.

2016-08-18 15:26:31,685 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-6-thread-1) [6661f726] Correlation ID: 5a9513c8, Call Stack: null, Custom Event ID: -1, Message: User/Group vdcadmin, Namespace dc=brq-ipa,dc=example,dc=com, Authorization provider: com was granted permission for Role UserRole on VM jb-el7-serial, by admin@internal-authz.

2016-08-18 15:27:03,291 INFO  [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-17) [] User vdcadmin@com successfully logged in with scopes: ovirt-app-admin ovirt-app-api ovirt-app-portal ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access
Comment 20 errata-xmlrpc 2016-08-23 16:44:07 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-1743.html
