Description of problem:

In customer's words: "We have configured rhv with ovirt-engine-extension-aaa-ldap-setup with 389ds LDAP implementation following the documentation https://access.redhat.com/documentation/en/red-hat-virtualization/4.0/single/administration-guide#sect-Configuring_an_External_LDAP_Provider and RHV says it's OK (both login and search). Then we have restarted the RHV engine and as admin try to add some role to a user. The GUI says nothing but it does not add anything."

The engine.log file has the following logged:

2016-09-22 08:27:48,227 DEBUG [org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall] (default task-4) [480d72b] Compiled stored procedure. Call string is [{call getuserbyuserid(?, ?)}]
2016-09-22 08:27:48,227 DEBUG [org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall] (default task-4) [480d72b] SqlCall for procedure [GetUserByUserId] compiled
2016-09-22 08:27:48,229 DEBUG [org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall] (default task-4) [480d72b] Compiled stored procedure. Call string is [{call getgroupbyid(?)}]
2016-09-22 08:27:48,229 DEBUG [org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall] (default task-4) [480d72b] SqlCall for procedure [GetGroupById] compiled
2016-09-22 08:27:48,230 DEBUG [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (default task-4) [480d72b] Checking whether user '0000002c-002c-002c-002c-0000000000ad' or one of the groups he is member of, have the following permissions: ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group MANIPULATE_PERMISSIONS with role type USER, ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group ADD_USERS_AND_GROUPS_FROM_DIRECTORY with role type USER
2016-09-22 08:27:48,233 DEBUG [org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall] (default task-4) [480d72b] Compiled stored procedure. Call string is [{call get_entity_permissions(?, ?, ?, ?)}]
2016-09-22 08:27:48,233 DEBUG [org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall] (default task-4) [480d72b] SqlCall for procedure [get_entity_permissions] compiled
2016-09-22 08:27:48,235 DEBUG [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (default task-4) [480d72b] Found permission '0000002d-002d-002d-002d-0000000003a1' for user when running 'AddSystemPermission', on 'System' with id 'aaa00000-0000-0000-0000-123456789aaa'
2016-09-22 08:27:48,236 DEBUG [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (default task-4) [480d72b] Found permission '0000002d-002d-002d-002d-0000000003a1' for user when running 'AddSystemPermission', on 'System' with id 'aaa00000-0000-0000-0000-123456789aaa'
2016-09-22 08:27:48,240 DEBUG [org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall] (default task-4) [480d72b] Compiled stored procedure. Call string is [{call getrolsbyid(?)}]
2016-09-22 08:27:48,240 DEBUG [org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall] (default task-4) [480d72b] SqlCall for procedure [GetRolsByid] compiled
2016-09-22 08:27:48,245 DEBUG [org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall] (default task-4) [480d72b] Compiled stored procedure. Call string is [{call getforroleandadelementandobject_wgroupcheck(?, ?, ?)}]
2016-09-22 08:27:48,245 DEBUG [org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall] (default task-4) [480d72b] SqlCall for procedure [GetForRoleAndAdElementAndObject_wGroupCheck] compiled
2016-09-22 08:27:48,247 DEBUG [org.ovirt.engine.core.bll.PrevalidatingMultipleActionsRunner] (org.ovirt.thread.pool-6-thread-13) [480d72b] Executing command AddSystemPermission for user admin@internal-authz.
2016-09-22 08:27:48,249 INFO [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-6-thread-13) [480d72b] Running command: AddSystemPermissionCommand(User = org.ovirt.engine.core.common.businessentities.aaa.DbUser@ba985bb6, Group = null, TargetId = null, Permission = org.ovirt.engine.core.common.businessentities.Permission@929e7a01) internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group MANIPULATE_PERMISSIONS with role type USER, ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group ADD_USERS_AND_GROUPS_FROM_DIRECTORY with role type USER
2016-09-22 08:27:48,256 DEBUG [org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall] (org.ovirt.thread.pool-6-thread-13) [480d72b] Compiled stored procedure. Call string is [{call get_entity_snapshot_by_command_id(?)}]
2016-09-22 08:27:48,256 DEBUG [org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect$PostgresSimpleJdbcCall] (org.ovirt.thread.pool-6-thread-13) [480d72b] SqlCall for procedure [get_entity_snapshot_by_command_id] compiled
2016-09-22 08:27:48,256 DEBUG [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-6-thread-13) [480d72b] Command [id=39462e54-f17a-43e6-b92e-184773232034]: No compensation data.
2016-09-22 08:27:48,261 ERROR [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-6-thread-13) [480d72b] Transaction rolled-back for command 'org.ovirt.engine.core.bll.AddSystemPermissionCommand'.
2016-09-22 08:27:48,321 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-6-thread-13) [480d72b] Correlation ID: 480d72b, Call Stack: null, Custom Event ID: -1, Message: User admin@internal-authz failed to grant permission for Role UserRole on System to User/Group <UNKNOWN>.

The logs show that adding permissions did not succeed. But this is not relayed back to the user. The user is under the assumption that everything worked when it did not.
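
Because the GUI reported nothing here, engine.log is the only place the failed grant is visible. The following is an added example (not part of the original report and not oVirt code) that groups engine.log lines by correlation ID and reports commands that rolled back or whose permission grant failed. The line layout is assumed from the excerpt above; the sample input is abridged from that excerpt, plus one constructed line for an unrelated command.

```python
import re
from collections import defaultdict

# Header layout assumed from the excerpt: timestamp LEVEL [logger] (thread) [correlation-id] message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (?P<level>[A-Z]+)\s+"
    r"\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) \[(?P<corr>[^\]]*)\] (?P<msg>.*)$"
)
RUNNING_RE = re.compile(r"Running command: (?P<cmd>\w+)\(")
ROLLBACK_RE = re.compile(r"Transaction rolled-back for command '(?P<cls>[\w.$]+)'")
GRANT_FAIL_RE = re.compile(
    r"User (?P<actor>\S+) failed to grant permission for Role (?P<role>\S+) "
    r"on (?P<obj>\S+) to User/Group (?P<target>.+?)\.?$"
)

# Sample input: three lines abridged from the report's excerpt, and a last
# line that is constructed (ExampleCommand and 1111aaa are hypothetical).
SAMPLE_LOG = """\
2016-09-22 08:27:48,249 INFO [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-6-thread-13) [480d72b] Running command: AddSystemPermissionCommand(User = org.ovirt.engine.core.common.businessentities.aaa.DbUser@ba985bb6, Group = null, TargetId = null, Permission = org.ovirt.engine.core.common.businessentities.Permission@929e7a01) internal: false.
2016-09-22 08:27:48,261 ERROR [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-6-thread-13) [480d72b] Transaction rolled-back for command 'org.ovirt.engine.core.bll.AddSystemPermissionCommand'.
2016-09-22 08:27:48,321 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-6-thread-13) [480d72b] Correlation ID: 480d72b, Call Stack: null, Custom Event ID: -1, Message: User admin@internal-authz failed to grant permission for Role UserRole on System to User/Group <UNKNOWN>.
2016-09-22 08:30:00,000 INFO [org.ovirt.engine.core.bll.ExampleCommand] (default task-9) [1111aaa] Running command: ExampleCommand(Example = 1) internal: false.
"""

def failed_permission_commands(log_text):
    """Map correlation ID -> details for flows that rolled back or failed a grant."""
    flows = defaultdict(lambda: {"command": None, "rolled_back": False, "grant": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without a header (e.g. stack-trace continuations)
        flow, msg = flows[m["corr"]], m["msg"]
        if (r := RUNNING_RE.search(msg)):
            flow["command"] = r["cmd"]
        if m["level"] == "ERROR":
            if ROLLBACK_RE.search(msg):
                flow["rolled_back"] = True
            if (g := GRANT_FAIL_RE.search(msg)):
                flow["grant"] = g.groupdict()
    # Keep only the flows in which something actually failed.
    return {c: f for c, f in flows.items() if f["rolled_back"] or f["grant"]}

if __name__ == "__main__":
    for corr, info in failed_permission_commands(SAMPLE_LOG).items():
        print(corr, info)
```
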
Why do they use 389ds? I see it's an IBM ldap server. Unfortunately it's not supported in aaa-ldap.
Targeting for now to 4.1
Included in ovirt-engine-extension-aaa-ldap-1.3.0
Verified basic functionality with:
ovirt-engine-extension-aaa-ldap-setup-1.3.1-0.0.master.20161219093217.git9a5d8da.el7.noarch
ovirt-engine-4.1.0-0.2.master.20161213122836.git2cd5587.el7.centos.noarch