Bug 1387383 - Usergroup Sync Using Wrong Base DN
Summary: Usergroup Sync Using Wrong Base DN
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Users & Roles
Version: 6.2.2
Hardware: x86_64
OS: Linux
Target Milestone: Unspecified
Assignee: Daniel Lobato Garcia
QA Contact: Sanket Jagtap
Depends On:
Blocks: 1417134
TreeView+ depends on / blocked
Reported: 2016-10-20 18:20 UTC by Adam Killeen
Modified: 2019-08-12 14:36 UTC (History)
9 users (show)

Fixed In Version: tfm-rubygem-ldap_fluff-0.4.5-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1417134 (view as bug list)
Last Closed: 2017-03-06 08:29:36 UTC
Target Upstream Version:

Attachments (Terms of Use)
posix ldap (131.41 KB, image/png)
2017-02-14 14:49 UTC, Sanket Jagtap
no flags Details
Ad ldap (106.55 KB, image/png)
2017-02-14 14:50 UTC, Sanket Jagtap
no flags Details

System ID Private Priority Status Summary Last Updated
Github https://github.com/theforeman ldap_fluff pull 55 0 None None None 2020-06-25 02:59:43 UTC
Red Hat Product Errata RHBA-2017:0447 0 normal SHIPPED_LIVE Satellite 6.2.8 Async Bug Release 2017-03-06 13:23:41 UTC

Description Adam Killeen 2016-10-20 18:20:12 UTC
Description of problem:
When "Usergroup sync" is enabled when using LDAP authentication, Satellite searches the "Base DN" instead of the "Groups Base DN" indicated in the LDAP Authentication configuration. This causes a delay in LDAP authentication while Satellite is searching the whole subtree of the base DN instead of just the groups base DN. 

Version-Release number of selected component (if applicable):

How reproducible:
Every Time

Steps to Reproduce:
1. Configure LDAP Authentication in "LDAP server" tab.
2. Configure "Base DN" and "Groups Base DN" in Accounts tab. (e.g. Base DN: dc=example,dc=com & Groups Base DN: ou=groups,dc=example,dc=com) 
3. Check the box that says "Usergroup Sync". 
4. Authenticate to Satellite with an LDAP id. 

Actual results:
The login process takes approximately 20 seconds. A packet capture reveals that Satellite is doing a search in LDAP with a base object of "dc=example,dc=com", scope of wholeSubtree, filter of (memberUID=$username).

Expected results:
Login should take less time. The LDAP search should have a base object of ou=groups,dc=example,dc=com. 

Additional info:

Comment 3 Daniel Lobato Garcia 2016-12-21 17:37:30 UTC
"Satellite is doing a search in LDAP with a base object of "dc=example,dc=com", scope of wholeSubtree, filter of (memberUID=$username)."

What implementation of LDAP are you using? From the looks of it it's OpenLDAP or something similar that implements POSIX LDAP. The library we use for LDAP seems to look in the group DN for all cases except that one. 

Given that the filter POSIX uses is quite similar to the one - I've assume it's that and submitted a patch upstream.


Feel free to apply the patch locally (it's tiny) and let us know if it fixes your problem in the meantime. I think this is safe enough to backport to 6.2.z

Comment 4 Adam Killeen 2017-01-03 15:22:41 UTC
Sorry for the late reply, just got back from vacation.

We are using Sun One Directory Server, which does implement POSIX LDAP. I will apply the patch after I get caught up and let you know how it goes.

Comment 5 Adam Killeen 2017-01-03 16:48:47 UTC
I installed the patch and verified that it is working as it should now. Thanks for your help!

Comment 6 Daniel Lobato Garcia 2017-01-10 09:11:40 UTC
Glad to hear that! I will merge by the end of the day and hopefully release ldap_fluff 0.4.5 so that we can serve it in 6.2.x

Comment 7 Daniel Lobato Garcia 2017-01-11 08:20:57 UTC
https://github.com/theforeman/foreman-packaging/pull/1486 is on the pipeline for packaging upstream. Once it gets built I'll make sure to propose it for 6.2.z

Comment 9 Daniel Lobato Garcia 2017-01-11 10:58:38 UTC
Adam, the bugfix is already released in ldap_fluff 0.4.5 upstream. It's making it's way through packaging, then QA will test it and it'll get to you in a zStream. 

Thanks for providing feedback about the patch before :)

Comment 10 Sanket Jagtap 2017-02-14 14:49:09 UTC
Created attachment 1250272 [details]
posix ldap

Build: Satellite 6.2.8 snap 2


Verification Steps:
Base DN :cn=Users,dc=xxx,dc=xxx,dc=xxx,dc=xxx,dc=xxx,dc=xxx
Groups base DN : cn=foobargroup,dc=xxx,dc=xxx,dc=xxx,dc=xxx,dc=xxx,dc=xxx

The LDAP search has a base object of cn=foobargroup,dc=xxx,dc=xxx,dc=xxx,dc=xxx,dc=xxx,dc=xxx.

Tested this with AD and also Posix 


Comment 11 Sanket Jagtap 2017-02-14 14:50:08 UTC
Created attachment 1250273 [details]
Ad ldap

Comment 13 errata-xmlrpc 2017-03-06 08:29:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.