1404114 – [Sat6.2] LDAP authentication fails if there is space/s in group base DN name

Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1404114 - [Sat6.2] LDAP authentication fails if there is space/s in group base DN name

Summary: [Sat6.2] LDAP authentication fails if there is space/s in group base DN name

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	Users & Roles
Sub Component:
Version:	6.2.4
Hardware:	x86_64
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	Unspecified
Assignee:	satellite6-bugs
QA Contact:	Katello QA List
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1268253 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-12-13 06:15 UTC by Amit Kumar Das
Modified:	2020-12-14 07:56 UTC (History)
CC List:	19 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-01-09 07:35:54 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
Error message (76.34 KB, image/png) 2016-12-13 06:15 UTC, Amit Kumar Das	no flags	Details
Success authentication (76.83 KB, image/png) 2016-12-13 06:16 UTC, Amit Kumar Das	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1240291	0	unspecified	CLOSED	Satellite 6.1 Beta cannot have space in OU	2021-02-22 00:41:40 UTC

Internal Links: 1240291

Description Amit Kumar Das 2016-12-13 06:15:17 UTC

Created attachment 1231068 [details]
Error message

Description of problem:

In satellite 6.2, LDAP authentication fails if there is space/s in group base DN name.


a) Throws error since OU value as space/s
Group Name: Role-Unix_Admin
DN Path: OU=Role Groups,OU=Delegation Groups,OU=Admin,DC=alinta,DC=net,DC=int

Error message "<new_group> is not found in the authentication source"
Screen shot attached with this error.

b) If we remove space/s from dn name, no errors are found.
Group Name: ACL_Resource_Managers_WOL
DN Path: OU=Permission,OU=Groups,OU=Client,DC=alinta,DC=net,DC=int

Screen shot attached with this success.
Having space within the DN path attributes is causing issue to create external
groups.
 
Version-Release number of selected component (if applicable):
satellite 6.2.3+

How reproducible:
a) Create DN attributes such as Organisation Unit (OU) with space/s in AD ldap.
b) Complete Ldap Authentication
c) While adding new user group it gives an error
Administer>user groups>new user groups>External groups>+Add


Additional info:

Comment 1 Amit Kumar Das 2016-12-13 06:16:54 UTC

Created attachment 1231069 [details]
Success authentication

Comment 2 Amit Kumar Das 2016-12-13 06:20:21 UTC

LDAPsearch on Failed Group
—————————————————————————-
$ /opt/quest/bin/ldapsearch -s sub '(&(objectclass=group)(samaccountname=Role-unix_admin))' '&((samaccountname)(uid))' '*'
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (&(objectclass=group)(samaccountname=Role-unix_admin))
# requesting: &((samaccountname)(uid)) * 
# with pagedResults control: size=500
#

dn: CN=Role-Unix_Admin,OU=Role Groups,OU=Delegation Groups,OU=Admin,DC=alinta,DC=net,DC=int
objectClass: top
objectClass: group
cn: Role-Unix_Admin
description: Provides login access to all Unix Servers in AD


Foreman Tail on failed group add
————————————————————————————————
==> /var/log/httpd/foreman-ssl_access_ssl.log <==
10.157.14.131 - - [13/Dec/2016:13:16:26 +1100] "POST /usergroups HTTP/1.1" 200 1846 "https://10.157.30.58/usergroups" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36"

==> /var/log/httpd/foreman-ssl_error_ssl.log <==
[Tue Dec 13 13:16:26.722166 2016] [ssl:warn] [pid 4472] [client 10.157.14.131:32994] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://10.157.30.58/usergroups

==> /var/log/foreman/production.log <==
2016-12-13 13:16:26 [app] [I] Started POST "/usergroups" for 10.157.14.131 at 2016-12-13 13:16:26 +1100
2016-12-13 13:16:26 [app] [I] Processing by UsergroupsController#create as */*
2016-12-13 13:16:26 [app] [I]   Parameters: {"utf8"=>"✓", "authenticity_token"=>"77Hj4JwHpewWu1Yvjzoww7aYn2qlDdbxoh5JK8EQEd8=", "usergroup"=>{"name"=>"Test", "user_ids"=>["", "", ""], "admin"=>"1", "role_ids"=>[""], "external_usergroups_attributes"=>{"new_1481595222832"=>{"_destroy"=>"1", "name"=>"", "auth_source_id"=>"3"}, "new_1481595229117"=>{"_destroy"=>"false", "name"=>"Role-Unix_Admin", "auth_source_id"=>"3"}}}}
2016-12-13 13:16:26 [app] [I] Failed to save: Name is not found in the authentication source              <<<<<<<<<<<--------ERROR MESSAGE
2016-12-13 13:16:26 [app] [I]   Rendered common/_edit_habtm.html.erb (0.3ms)
2016-12-13 13:16:26 [app] [I]   Rendered common/_edit_habtm.html.erb (3.4ms)
2016-12-13 13:16:26 [app] [I]   Rendered usergroups/_external.html.erb (2.5ms)
2016-12-13 13:16:26 [app] [I]   Rendered usergroups/_external.html.erb (2.2ms)
2016-12-13 13:16:26 [app] [I]   Rendered usergroups/_form.html.erb (28.9ms)
2016-12-13 13:16:26 [app] [I]   Rendered usergroups/new.html.erb (29.5ms)
2016-12-13 13:16:26 [app] [I] Completed 200 OK in 125ms (Views: 27.5ms | ActiveRecord: 7.2ms)


LDAPsearch on Successful Group
——————————————————————————————
$ /opt/quest/bin/ldapsearch -s sub '(&(objectclass=group)(samaccountname=ACL_Resource_Managers_WOL))' '&((samaccountname)(uid))' '*'
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (&(objectclass=group)(samaccountname=ACL_Resource_Managers_WOL))
# requesting: &((samaccountname)(uid)) * 
# with pagedResults control: size=500
#

dn: CN=ACL_Resource_Managers_WOL,OU=Permission,OU=Groups,OU=Client,DC=alinta,DC=net,DC=int
objectClass: top
objectClass: group
cn: ACL_Resource_Managers_WOL
description: Members can manage Wollongong resources

Foreman Tail on Successful Group Add
————————————————————————————————————
==> /var/log/httpd/foreman-ssl_error_ssl.log <==
[Tue Dec 13 13:25:49.232545 2016] [ssl:warn] [pid 4476] [client 10.157.14.131:33702] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://10.157.30.58/usergroups

==> /var/log/foreman/production.log <==
2016-12-13 13:25:49 [app] [I] Started POST "/usergroups" for 10.157.14.131 at 2016-12-13 13:25:49 +1100
2016-12-13 13:25:49 [app] [I] Processing by UsergroupsController#create as */*
2016-12-13 13:25:49 [app] [I]   Parameters: {"utf8"=>"✓", "authenticity_token"=>"77Hj4JwHpewWu1Yvjzoww7aYn2qlDdbxoh5JK8EQEd8=", "usergroup"=>{"name"=>"Test", "user_ids"=>["", "", ""], "admin"=>"1", "role_ids"=>[""], "external_usergroups_attributes"=>{"new_1481595928216"=>{"_destroy"=>"false", "name"=>"ACL_Resource_Managers_WOL", "auth_source_id"=>"3"}}}}
2016-12-13 13:25:49 [app] [I] Redirected to https://10.157.30.58/usergroups

==> /var/log/httpd/foreman-ssl_access_ssl.log <==
10.157.14.131 - - [13/Dec/2016:13:25:49 +1100] "POST /usergroups HTTP/1.1" 302 97 "https://10.157.30.58/usergroups" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36"
10.157.14.131 - - [13/Dec/2016:13:25:49 +1100] "GET /usergroups HTTP/1.1" 200 5196 "https://10.157.30.58/usergroups" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36"

==> /var/log/httpd/foreman-ssl_error_ssl.log <==
[Tue Dec 13 13:25:49.818059 2016] [ssl:warn] [pid 4476] [client 10.157.14.131:33702] AH02227: Failed to set r->user to 'SSL_CLIENT_S_DN_CN', referer: https://10.157.30.58/usergroups

==> /var/log/foreman/production.log <==
2016-12-13 13:25:49 [app] [I] Completed 302 Found in 571ms (ActiveRecord: 6.7ms)
2016-12-13 13:25:49 [app] [I] Started GET "/usergroups" for 10.157.14.131 at 2016-12-13 13:25:49 +1100
2016-12-13 13:25:49 [app] [I] Processing by UsergroupsController#index as */*
2016-12-13 13:25:49 [app] [I]   Rendered usergroups/index.html.erb within layouts/application (9.5ms)
2016-12-13 13:25:49 [app] [I]   Rendered common/_searchbar.html.erb (2.8ms)
2016-12-13 13:25:49 [app] [I]   Rendered layouts/_application_content.html.erb (3.4ms)
2016-12-13 13:25:49 [app] [I]   Rendered home/_submenu.html.erb (1.4ms)
2016-12-13 13:25:49 [app] [I]   Rendered home/_user_dropdown.html.erb (1.4ms)
2016-12-13 13:25:49 [app] [I] Read fragment views/tabs_and_title_records-3 (0.2ms)
2016-12-13 13:25:49 [app] [I]   Rendered home/_topbar.html.erb (4.1ms)
2016-12-13 13:25:49 [app] [I]   Rendered layouts/base.html.erb (5.9ms)
2016-12-13 13:25:49 [app] [I] Completed 200 OK in 32ms (Views: 18.8ms | ActiveRecord: 3.3ms)

Comment 8 Lukas Zapletal 2016-12-16 13:28:13 UTC

Hello,

I just reproduced this on my system. According to RFB 2254 (http://www.faqs.org/rfcs/rfc2254.html), you are supposed 
to escape the value part of a filter using few escape codes. In our use case it is space which is \0x32 or \20. But this will not work, we need to call Filter::from_rfc2254 in the ldap_fluff library in order to enable these escape sequences to be passed in LDAP correctly.

I will work on the patch on Monday.

http://osdir.com/ml/lang-ruby-ldap/2011-03/msg00016.html

Comment 11 Shane Wallace 2016-12-19 00:59:03 UTC

Hi all,

Thanks for your attention and assistance with this.

I just wanted to mention that this appears to be similar to another bug, 1387093 which had similar issues with spaces (although that was in the login name as opposed to the DN path).

Once the patch is finalised I would be interested to see if it resolved that problem too.

Thanks

Shane

Comment 17 Daniel Lobato Garcia 2016-12-20 12:46:04 UTC

Can you enable the ldap logger and restart httpd to see what's happening exactly? 

To do so, add the following to /etc/foreman/settings.yaml : 

:loggers:
  :ldap:
    :enabled: true


Please try to reproduce the issue after that and paste the logs, so we can know what is going on. Are there any filters on the LDAP authentication source? I'm trying using a group base DN with spaces ("OU=Groups with spaces") and I get the users in the group successfully:


2016-12-20T13:36:45 [ldap] [D]   op search (2.1ms)  [ filter=(cn=dbz heroes), base=OU=Groups with spaces,DC=lobatolan,DC=home ]
2016-12-20T13:36:45 [ldap] [D]   op search (2.3ms)  [ filter=(cn=dbz heroes), base=OU=Groups with spaces,DC=lobatolan,DC=home ]
2016-12-20T13:36:45 [ldap] [D]   op search (2.6ms)  [ filter=(CN=goku), base=CN=Users,DC=lobatolan,DC=home ]
2016-12-20T13:36:45 [ldap] [D]   user_list (9.6ms)  [ group=dbz heroes ]

Also could you run 'rpm -qi tfm-rubygem-ldap_fluff' to check what version of ldap_fluff (the gem that does all the ldap queries) is the customer using? I'm trying to reproduce this with 0.4.3 as per https://access.redhat.com/downloads/content/250/ver=6.2/rhel---7/6.2.4/x86_64/packages

Comment 20 Kedar Bidarkar 2016-12-20 13:22:26 UTC

Also, both setups in my case Sat6.2.3 and sat6.2.4 use the "0.4.3" version of "tfm-rubygem-ldap_fluff" package.

Comment 36 Daniel Lobato Garcia 2017-01-09 07:35:54 UTC

We had a Bomgar session with the customer today (David Joo, Amit Kumar and myself). The customer is using ldap_fluff 0.4.3. At first we tried a few simple things via foreman-rake console:

calling `.test` on each of the AuthSourceLdap (one with spaces on base DN another without) - success
calling `.valid_group?` on each of the AuthSourceLdap for groups known to exist in each - success
calling `.group_list` on each of the AuthSourceLdap for groups known to exist in each source - success, it returned a list of users in the group.

These are essentially the checks Satellite 6 does when you refresh or add an external user group, so at that point we decided to go to the Satellite 6 UI and try it out.

The external user group was detected just fine (using the LDAP Auth Source with spaces in the Group DN). However, they didn't have any users to test it with. We created a user known to exist in that group through the console, and assigned it that auth source.

After that, we clicked on refresh and the user was added to the user group automatically.

We checked twice, deleting and recreating the user group, it worked well. Customer is fine with us closing the bug, as it works now (expected, as 3 people in this BZ tried to reproduce it without success).

Maybe there were not using 0.4.3 originally, although this comment shows https://bugzilla.redhat.com/show_bug.cgi?id=1404114#c21 they have it, and the changes in 0.4.3 shouldn't affect this bug at all. I don't think we did anything new to fix it.

Why did it not work before? 2 guesses:

1. Problems on the AD side of things, misconfiguration, and whatnot
2. Human error in the configuration?

Anyhow, the bug can be closed (customer said OK to that) and the customer is able to use LDAP as they want now.

Comment 37 Daniel Lobato Garcia 2017-01-14 11:29:33 UTC

*** Bug 1268253 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.