Description of problem:
when ext_auth configured with ldaps through sssd, groups retrieved as "groupname" and not just as "groupname". This is observed in beta3(5.7.0.10) and not in previous builds (5.7.09-beta2)
Version-Release number of selected component (if applicable):
5.7.0.10-beta3.20161109111947_9a61b18
How reproducible:
always
Steps to Reproduce:
1. configure ext_auth with ldaps by configuring sssd.conf and ldap.conf
2. login as admin and retrieve ldaps user groups by "(Look up External Authentication Groups)"
3. Observe that groups retrieved as "groupname" and not "groupname"
Actual results:
when ext_auth configured with ldaps through sssd, groups retrieved are associated with "group@domain". This is observed in beta3(5.7.0.10) and not in
Expected results:
groupnames are expected to list only the "groupname", which makes it easy to associate the already defined user groups, in case "Get user groups from ldap" is unchecked.
Additional info:
Please see the Private comment for dbus command outputs.
Amogh, any idea if this is working in 5.6.z, meaning is this a new regression that we just introduced? If so, please add regression keyword to the keywords field.
Dave, I observed this on 5.6.3 new build as well and this is not observed on previous 5.6 z. I can put the exact versions and outputs here. Curious, if anything changed in authentication bits.
This issue seems to be introduced with RHEL upgrade to 7.3. Installed 5.6.2.2 appliance (RHEL 7.2), on which the issue is not observed. Upgraded appliance OS to RHEL 7.3; on this appliance the issue is reproducible.
The default cfme groups are unusable when using ext_auth with ldaps. However, new/non-default groups can be created and the user can log in, as usergroups are matched. CFME is usable when new groups (groupname) are added.
https://github.com/ManageIQ/manageiq/pull/12752
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/e5fe788844523fb720f55a68180dfccc7fa7c69b
commit e5fe788844523fb720f55a68180dfccc7fa7c69b
Author: Joe VLcek <jvlcek>
AuthorDate: Fri Nov 18 14:38:16 2016 -0500
Commit: Joe VLcek <jvlcek>
CommitDate: Fri Nov 18 15:28:48 2016 -0500
    Remove the FQDN from group names for ext auth.
    https://bugzilla.redhat.com/show_bug.cgi?id=1394425
 app/models/authenticator/httpd.rb | 2 +-
 app/models/miq_group.rb | 6 +++++-
 spec/models/authenticator/httpd_spec.rb | 2 +-
 spec/models/miq_group_spec.rb | 9 +++++++++
 4 files changed, 16 insertions(+), 3 deletions(-)
New commit detected on ManageIQ/manageiq/euwe:
https://github.com/ManageIQ/manageiq/commit/0323f78f862bda2745bd1d443c99b173a7b90568
commit 0323f78f862bda2745bd1d443c99b173a7b90568
Author: Gregg Tanzillo <gtanzill>
AuthorDate: Mon Nov 21 10:00:27 2016 -0500
Commit: Oleg Barenboim <chessbyte>
CommitDate: Mon Nov 21 10:21:16 2016 -0500
    Merge pull request #12752 from jvlcek/bz1394425_domain
    Remove the FQDN from group names for ext auth.
    (cherry picked from commit 2f648343d0062cc8c2b35c2c56a0451d2670fb82)
    https://bugzilla.redhat.com/show_bug.cgi?id=1394425
 app/models/authenticator/httpd.rb | 2 +-
 app/models/miq_group.rb | 6 +++++-
 spec/models/authenticator/httpd_spec.rb | 2 +-
 spec/models/miq_group_spec.rb | 9 +++++++++
 4 files changed, 16 insertions(+), 3 deletions(-)
Is there a use case when using trusted forests, that you would want to display the @domain part to distinguish which forest or domain the group is in?
(In reply to Matt Pusateri from comment #13)
> Is there a use case when using trusted forests, that you would want to
> display the @domain part to distinguish which forest or domain the group is
> in?
Let's focus this BZ on the original issue and provided resolution and track the investigation of displaying the @domain when using trusted forests separately here: https://www.pivotaltracker.com/n/projects/1610127/stories/141864057
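The fix in this bug removes the domain part from external-auth group names, and the comments above ask what that means with trusted forests. The following is an added example, not ManageIQ code and not part of the original thread: it matches "group@domain" names to locally defined groups by short name and reports short names that arrive from more than one domain instead of merging them silently. The function names, the case-insensitive comparison and the sample names are assumptions.

```ruby
# Added example; not ManageIQ code. All names here are hypothetical.
require "set"

# Split "group@domain" into [short_name, domain]; domain is nil when absent.
def split_group(name)
  short, domain = name.to_s.strip.split("@", 2)
  [short, domain && domain.downcase]
end

# Match external group names to locally defined groups by short name.
# Assumption: names are compared case-insensitively.
# Returns { matched: [...], ambiguous: { short => [domains] }, unmatched: [...] }.
def match_external_groups(external, local_groups)
  local = local_groups.map(&:downcase).to_set
  domains_by_short = Hash.new { |h, k| h[k] = Set.new }
  external.each do |name|
    short, domain = split_group(name)
    next if short.nil? || short.empty?
    domains_by_short[short.downcase] << domain
  end

  result = { matched: [], ambiguous: {}, unmatched: [] }
  domains_by_short.each do |short, domains|
    if !local.include?(short)
      result[:unmatched] << short
    elsif domains.size > 1
      # Same short name seen from more than one domain: do not pick silently.
      result[:ambiguous][short] = domains.to_a.map { |d| d || "(none)" }.sort
    else
      result[:matched] << short
    end
  end
  result
end

# Constructed sample input (not taken from the bug report).
SAMPLE_EXTERNAL = [
  "evmgroup-super_administrator@example.test",
  "evmgroup-user@example.test",
  "evmgroup-user@partner.test",
  "engineering@example.test",
  "plainname"
].freeze
SAMPLE_LOCAL = ["EvmGroup-super_administrator", "EvmGroup-user", "plainname"].freeze

p match_external_groups(SAMPLE_EXTERNAL, SAMPLE_LOCAL) if __FILE__ == $PROGRAM_NAME
```
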
tested
MIQLDAP: FreeIPA(5.8.0.12-rc1), AD(5.8.0.11-beta2), Openldap(5.8.0.11-beta2)
External Auth: FreeIPA(5.8.0.12-rc1), AD(5.8.0.14-rc3), Openldap(5.8.0.14-rc3)