Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1397185

Summary: LDAP user can't run remote execution jobs
Product: Red Hat Satellite Reporter: John Mitsch <jomitsch>
Component: Remote ExecutionAssignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED DUPLICATE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 6.2.4CC: aupadhye, bbuckingham, brubisch, dhlavacd, inecas, jcallaha, mhulan, omankame, peter.vreman, prsharma, yundtj
Target Milestone: UnspecifiedKeywords: Triaged
Target Release: Unused   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-05-09 06:58:13 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1122832    
Attachments:
Description Flags
traceback none

Description John Mitsch 2016-11-21 20:08:43 UTC 
Created attachment 1222473 [details]
traceback

Description of problem:

A user from an ldap server who is mapped to a user group with administrator privileges can't run remote execution jobs.

Version-Release number of selected component (if applicable):
6.2.4 and has been replicated on 6.2.2 as well

How reproducible:
%100

Steps to Reproduce:
1. Use an ldap server with a group and a user within that group (has been reproduced with both FreeIPA and Active Directory)
2. Create a user group in Satellite that is mapped to the external group in ldap, check the admin box in the 'roles' tab.
3. Setup the ldap authentication for that server in Satellite, be sure to select the 'Automatically create accounts in Satellite' and 'Usergroup sync' boxes.
4. Login into satellite with the ldap credentials
5. Make sure you are in both an Organization and Location.
6. Run a remote execution job on a host

Actual results:

Job fails with ERF42-4343 [Foreman::Exception]: Cannot resolve hosts without a user

Expected results:

Remote execution job is successful

Additional info:

- The job will run fine under 'Any Location'
- Traceback is attached
Comment 1 Marek Hulan 2016-11-22 09:39:01 UTC 
I don't think this is related to the LDAP. I think it's caused by the user not being in any organization/location. There's a BZ already for auto associating users to orgs/locs after creation. Moving to remote execution component, maybe it would be safe to load user ignoring the context but it needs more thinking.
Comment 7 Peter Vreman 2017-02-15 11:50:44 UTC 
I confirm that the issue was a missing _explicit_ association on that user with an  organization and location.

Part of the failure is there by the fact that the UI does not allow to fix this, because once the user account is associated with any other resource in a org&loc then those are implicitly added and you cannot add it.

I could fix it by trying to delete the user and then see that a certain host resource was associated with the user account. Then i fixed the owner of that host  by clicking submit (the listed owner was already an other account, i do not know why the AD account was associated at all).
Now with that implicit association out of the way i could associate the organization and location to the user. And now it works.

The organization and location mismatch report did not mention this incorrect association of the user.

Short summary, the implicit and explicit user auto association of organization and locations is the root cause and needs a some improvements to prevent this kind 'unknown why it does not work' things because the filters (in this case the select from the user table) returned empty once the taxonomy is included.
Comment 9 Marek Hulan 2017-05-04 07:10:10 UTC 
The auth source can be now associated with organizations and locations. User is auto-assigned to these upon creation. This was tracked as BZ 1104822. Does that solve the issue for you?

The association problem should be resolved by BZ 1238714
Comment 10 Peter Vreman 2017-05-05 10:56:06 UTC 
Marek,

I can confirm that since 6.2.5 the fix  BZ 1104822 with LDAP logins and the association with the location and organization on first login is working as expected and the Remote Execution can be used.

This case can be closed as duplicate of BZ 1104822.


Peter
Comment 11 Marek Hulan 2017-05-09 06:58:13 UTC 
Thanks a lot for confirmation.

*** This bug has been marked as a duplicate of bug 1104822 ***
Comment 12 Ivan Necas 2017-07-17 23:03:23 UTC 
*** Bug 1455339 has been marked as a duplicate of this bug. ***