Description of problem:

Version-Release number of selected component (if applicable):
5.6.4

How reproducible:
all the time in customer environment

Steps to Reproduce:
1. configure binding to the ldap in cloudforms
2. do not enable group binding, instead use a custom group
3. log in as user of the ldap

Actual results:
INFO -- : MIQ(MiqLdap#bind) Binding to LDAP: Host: [10.11.12.13], User: [uid=toto,ou=people,dc=example,dc=com]...
INFO -- : MIQ(MiqLdap#bind) Binding to LDAP: Host: [10.11.12.13], User: [uid=toto,ou=people,dc=example,dc=com]... successful
<AuditSuccess> MIQ(Authenticator.authenticate) userid: [toto] - User uid=toto,ou=people,dc=example,dc=com successfully validated by LDAP
ERROR -- : [NoMethodError]: undefined method `get_user_object' for #<Authenticator::Ldap:0x00000004f9aae8> Method:[rescue in authenticate]
ERROR -- : /var/www/miq/vmdb/app/models/authenticator/ldap.rb:53:in `create_user_from_ldap'

The user is then unable to log in with an authentication error, but the password is correct.

Expected results:
user able to log in

Additional info:
Created attachment 1296407 [details] Example setting get user groups from ldap
Created attachment 1296408 [details] Example unsetting get user groups from ldap
*** Bug 1445405 has been marked as a duplicate of this bug. ***
I have root caused the failure and am working on a fix. There are multiple possible solutions. I need to evaluate which solution will be best before posting a PR
https://github.com/ManageIQ/manageiq/pull/15661
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/c045affcd6984e7539089fddf4d518e286799738

commit c045affcd6984e7539089fddf4d518e286799738
Author:     Joe VLcek <jvlcek>
AuthorDate: Wed Jul 26 15:59:54 2017 -0400
Commit:     Joe VLcek <jvlcek>
CommitDate: Wed Jul 26 15:59:54 2017 -0400

    If userid in UPN or DN format not found try simple username

    When not getting groups from LDAP the user is manually created in the DB.
    It is unlikely the admin will create the user in the UPN or DN formats as
    returned from searching the directory. So this PR will also try to find
    the user by simple username.

    https://bugzilla.redhat.com/show_bug.cgi?id=1442791

 app/models/authenticator/ldap.rb       | 14 ++++++++++++++
 spec/models/authenticator/ldap_spec.rb | 14 ++++++++++++--
 2 files changed, 26 insertions(+), 2 deletions(-)
*** Bug 1443442 has been marked as a duplicate of this bug. ***
Tested 5.9.0.2, OpenLDAP.

While the error message "get_user_object" is now not in the logs, what happens is: the user is authenticated via LDAP, but now we get "User authenticated but not defined in EVM, please contact your EVM administrator".

I tested this two ways.
1. Created a custom group called "marketing", assigned a role to it and created user bill and gave him the marketing group. - login failed.
2. Gave bill a default group of evm-administrator - login still failed.

Going to set this back to assigned as login doesn't work.
This fails because when not getting groups from LDAP the user must be created in the exact way it is to match from LDAP. In this case "User Type" is set to "Distinguished Name (UID=<user>)". Therefore the user must be created with the full DN "uid=bill,ou=people,ou=prod,dc=example,dc=com".
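The lookup strategy the fix describes (try the userid exactly as LDAP returns it, in DN or UPN form, then fall back to the simple username) together with the exact-DN matching requirement explained in the comment above, as an added Ruby example; this is not ManageIQ's code, and the in-memory user table, record names and helper function names are constructed for illustration:

```ruby
# Added example, not ManageIQ code. Models the lookup order from the fix:
# a user created by hand in the DB may be stored under the full DN (as QE
# verified) or under a simple username, while LDAP reports a DN or UPN.

# Constructed in-memory "user table", keyed by the userid the admin typed.
USERS = {
  "uid=bill,ou=people,ou=prod,dc=example,dc=com" => { name: "Bill (created with full DN)" },
  "toto"                                         => { name: "Toto (created with simple username)" },
}.freeze

# Derive the simple username from a DN ("uid=toto,ou=people,dc=example,dc=com"),
# a UPN ("toto@example.com") or a plain username ("toto"). Returns nil when
# no username can be determined.
def simple_username(userid)
  id = userid.to_s.strip
  return nil if id.empty?
  if id.include?("=")
    # DN: the value of the first RDN (uid=... or cn=...) is the username.
    _attr, value = id.split(",").first.split("=", 2)
    value.nil? || value.strip.empty? ? nil : value.strip
  elsif id.include?("@")
    # UPN: everything before the realm.
    id.split("@", 2).first
  else
    id
  end
end

# First try the userid as returned by LDAP, then the simple username.
# Keys are compared case-insensitively, as directory identifiers are.
# Returns [stored_key, record] or nil when neither form is defined.
def find_user(users, userid)
  [userid, simple_username(userid)].compact.uniq.each do |candidate|
    key, record = users.find { |stored, _| stored.casecmp?(candidate) }
    return [key, record] if record
  end
  nil
end

if __FILE__ == $PROGRAM_NAME
  ["uid=bill,ou=people,ou=prod,dc=example,dc=com",
   "uid=toto,ou=people,dc=example,dc=com",
   "uid=nobody,ou=people,dc=example,dc=com"].each do |ldap_id|
    hit = find_user(USERS, ldap_id)
    puts "#{ldap_id} -> #{hit ? hit[1][:name] : 'not defined in DB'}"
  end
end
```

The third lookup shows the remaining failure mode: a user defined under neither form still gets the "not defined" result, so the DB entry must match one of the two.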
Created attachment 1339437 [details] User bill with full Distinguished name
Verified: 5.9.0.2 - properly entered user of uid=bill,ou=people,ou=prod,dc=psavrocks,dc=com can log in.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:0380