Bug 1379000 - [RFE] - [AAA] Add support for IBM Security (Tivoli) Directory server
Summary: [RFE] - [AAA] Add support for IBM Security (Tivoli) Directory server
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-extension-aaa-ldap
Version: 4.0.0
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ovirt-4.1.0-beta
Assignee: Martin Perina
QA Contact: Gonza
URL:
Whiteboard:
Depends On: 1387254
Blocks: RHV4.1PPC 1427730
Reported: 2016-09-23 20:49 UTC by Anitha Udgiri
Modified: 2019-12-16 06:55 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
With this update, IBM Security (Tivoli) Directory Server has been added to supported LDAP servers in ovirt-engine-extension-aaa-ldap. This allows customers to attach Red Hat Virtualization 4.1 to their IBM Security (Tivoli) Directory Server setup and to use users and groups from this setup in Red Hat Virtualization.
Clone Of:
Environment:
Last Closed: 2017-04-25 00:46:16 UTC
oVirt Team: Infra
Target Upstream Version:
Embargoed:
grafuls: testing_plan_complete+




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2017:1017 0 normal SHIPPED_LIVE ovirt-engine-extension-aaa-ldap bug fix and enhancement update for RHV 4.1 2017-04-18 20:24:14 UTC
oVirt gerrit 64457 0 None MERGED profiles: add support for ISDS 2021-02-10 15:18:29 UTC
oVirt gerrit 64995 0 None MERGED profiles: add support for rfc2307 ISDS 2021-02-10 15:18:30 UTC
oVirt gerrit 64996 0 None MERGED setup: add support for ISDS profiles 2021-02-10 15:18:30 UTC

Description Anitha Udgiri 2016-09-23 20:49:10 UTC
Description of problem:

In the customer's words:

"We have configured RHV with ovirt-engine-extension-aaa-ldap-setup with the 389ds LDAP implementation following the documentation https://access.redhat.com/documentation/en/red-hat-virtualization/4.0/single/administration-guide#sect-Configuring_an_External_LDAP_Provider and RHV says it's OK (both login and search).
Then we restarted the RHV engine and, as admin, tried to add a role to a user. The GUI says nothing, but it does not add anything."

The engine.log file has the following logged:

2016-09-22 08:27:48,227 DEBUG [org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall] (default task-4) [480d72b] Compiled stored procedure. Call string is [{call getuserbyuserid(?, ?)}]
2016-09-22 08:27:48,227 DEBUG [org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall] (default task-4) [480d72b] SqlCall for procedure [GetUserByUserId] compiled
2016-09-22 08:27:48,229 DEBUG [org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall] (default task-4) [480d72b] Compiled stored procedure. Call string is [{call getgroupbyid(?)}]
2016-09-22 08:27:48,229 DEBUG [org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall] (default task-4) [480d72b] SqlCall for procedure [GetGroupById] compiled
2016-09-22 08:27:48,230 DEBUG [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (default task-4) [480d72b] Checking whether user '0000002c-002c-002c-002c-0000000000ad' or one of the groups he is member of, have the following permissions:  ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group MANIPULATE_PERMISSIONS with role type USER,  ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group ADD_USERS_AND_GROUPS_FROM_DIRECTORY with role type USER
2016-09-22 08:27:48,233 DEBUG [org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall] (default task-4) [480d72b] Compiled stored procedure. Call string is [{call get_entity_permissions(?, ?, ?, ?)}]
2016-09-22 08:27:48,233 DEBUG [org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall] (default task-4) [480d72b] SqlCall for procedure [get_entity_permissions] compiled
2016-09-22 08:27:48,235 DEBUG [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (default task-4) [480d72b] Found permission '0000002d-002d-002d-002d-0000000003a1' for user when running 'AddSystemPermission', on 'System' with id 'aaa00000-0000-0000-0000-123456789aaa'
2016-09-22 08:27:48,236 DEBUG [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (default task-4) [480d72b] Found permission '0000002d-002d-002d-002d-0000000003a1' for user when running 'AddSystemPermission', on 'System' with id 'aaa00000-0000-0000-0000-123456789aaa'
2016-09-22 08:27:48,240 DEBUG [org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall] (default task-4) [480d72b] Compiled stored procedure. Call string is [{call getrolsbyid(?)}]
2016-09-22 08:27:48,240 DEBUG [org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall] (default task-4) [480d72b] SqlCall for procedure [GetRolsByid] compiled
2016-09-22 08:27:48,245 DEBUG [org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall] (default task-4) [480d72b] Compiled stored procedure. Call string is [{call getforroleandadelementandobject_wgroupcheck(?, ?, ?)}]
2016-09-22 08:27:48,245 DEBUG [org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall] (default task-4) [480d72b] SqlCall for procedure [GetForRoleAndAdElementAndObject_wGroupCheck] compiled
2016-09-22 08:27:48,247 DEBUG [org.ovirt.engine.core.bll.PrevalidatingMultipleActionsRunner] (org.ovirt.thread.pool-6-thread-13) [480d72b] Executing command AddSystemPermission for user admin@internal-authz.
2016-09-22 08:27:48,249 INFO  [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-6-thread-13) [480d72b] Running command: AddSystemPermissionCommand(User = org.ovirt.engine.core.common.businessentities.aaa.DbUser@ba985bb6, Group = null, TargetId = null, Permission = org.ovirt.engine.core.common.businessentities.Permission@929e7a01) internal: false. Entities affected :  ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group MANIPULATE_PERMISSIONS with role type USER,  ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group ADD_USERS_AND_GROUPS_FROM_DIRECTORY with role type USER
2016-09-22 08:27:48,256 DEBUG [org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall] (org.ovirt.thread.pool-6-thread-13) [480d72b] Compiled stored procedure. Call string is [{call get_entity_snapshot_by_command_id(?)}]
2016-09-22 08:27:48,256 DEBUG [org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall] (org.ovirt.thread.pool-6-thread-13) [480d72b] SqlCall for procedure [get_entity_snapshot_by_command_id] compiled
2016-09-22 08:27:48,256 DEBUG [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-6-thread-13) [480d72b] Command [id=39462e54-f17a-43e6-b92e-184773232034]: No compensation data.
2016-09-22 08:27:48,261 ERROR [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-6-thread-13) [480d72b] Transaction rolled-back for command 'org.ovirt.engine.core.bll.AddSystemPermissionCommand'.
2016-09-22 08:27:48,321 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-6-thread-13) [480d72b] Correlation ID: 480d72b, Call Stack: null, Custom Event ID: -1, Message: User admin@internal-authz failed to grant permission for Role UserRole on System to User/Group <UNKNOWN>.


The logs show that adding permissions did not succeed. But this is not relayed back to the user. The user is under the assumption that everything worked when it did not.
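Because the failure is visible only in engine.log, an operator can catch it there by grouping lines on the correlation ID and flagging commands that start and then roll back. The script below is an added example, not code from this report or from oVirt; the log lines are constructed samples modelled on the excerpt above (shortened, with a constructed successful grant as a negative control).

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the engine.log excerpt in this report
# (shortened; not the original log). Correlation 480d72b fails silently,
# 1a2b3c4 is a constructed successful grant used as a negative control.
SAMPLE_LOG = """\
2016-09-22 08:27:48,249 INFO  [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-6-thread-13) [480d72b] Running command: AddSystemPermissionCommand(User = DbUser@ba985bb6, Group = null) internal: false.
2016-09-22 08:27:48,261 ERROR [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-6-thread-13) [480d72b] Transaction rolled-back for command 'org.ovirt.engine.core.bll.AddSystemPermissionCommand'.
2016-09-22 08:27:48,321 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-6-thread-13) [480d72b] Correlation ID: 480d72b, Call Stack: null, Custom Event ID: -1, Message: User admin@internal-authz failed to grant permission for Role UserRole on System to User/Group <UNKNOWN>.
2016-09-22 08:30:01,100 INFO  [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-6-thread-14) [1a2b3c4] Running command: AddSystemPermissionCommand(User = DbUser@1f2e3d4c, Group = null) internal: false.
2016-09-22 08:30:01,150 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-6-thread-14) [1a2b3c4] Correlation ID: 1a2b3c4, Call Stack: null, Custom Event ID: -1, Message: User admin@internal-authz granted permission for Role UserRole on System to User bob@example-authz.
"""

# engine.log layout: timestamp level [logger] (thread) [correlation id] message
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<level>\w+)\s+\[(?P<logger>[^\]]+)\] "
    r"\((?P<thread>[^)]+)\) \[(?P<corr>[^\]]*)\] (?P<msg>.*)$"
)
RUNNING_RE = re.compile(r"Running command: (?P<cmd>\w+)\(")
FAILED_RE = re.compile(r"User (?P<actor>\S+) failed to grant permission .* to User/Group (?P<target>.+)\.$")

def parse_line(line):
    """Split one engine.log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_silent_failures(log_text):
    """Group lines by correlation ID and report commands that started and then rolled back."""
    by_corr = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_corr[rec["corr"]].append(rec)
    findings = []
    for corr, recs in by_corr.items():
        cmd = next((m.group("cmd") for m in (RUNNING_RE.search(r["msg"]) for r in recs) if m), None)
        rolled_back = any("Transaction rolled-back" in r["msg"] for r in recs)
        audit = next((m for m in (FAILED_RE.search(r["msg"]) for r in recs) if m), None)
        if cmd and (rolled_back or audit):
            findings.append({
                "correlation_id": corr,
                "command": cmd,
                "actor": audit.group("actor") if audit else None,
                "target": audit.group("target") if audit else None,
                "rolled_back": rolled_back,
            })
    return findings
```

Feeding the real engine.log through find_silent_failures() yields one record per rolled-back permission change, which is the signal the GUI never shows.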

Comment 6 Ondra Machacek 2016-09-25 18:04:00 UTC
Why do they use 389ds? I see it's an IBM LDAP server. Unfortunately it's not supported in aaa-ldap.

Comment 19 Martin Perina 2016-10-24 09:02:56 UTC
Targeting for now to 4.1

Comment 21 Martin Perina 2016-12-19 10:14:27 UTC
Included in ovirt-engine-extension-aaa-ldap-1.3.0

Comment 23 Gonza 2017-02-03 13:43:23 UTC
Verified basic functionality with:
ovirt-engine-extension-aaa-ldap-setup-1.3.1-0.0.master.20161219093217.git9a5d8da.el7.noarch
ovirt-engine-4.1.0-0.2.master.20161213122836.git2cd5587.el7.centos.noarch

