Description of problem: Auth - MIQLDAP - AD, FreeIPA, OpenLDAP - No valid bind credentials when not using "get groups from LDAP" When you don't use "get groups from LDAP" and you set a default group, User can't log in b/c there are no bind credentials that normally get setup in get groups from LDAP" User's creds should be used to bind. User has not logged in, and user is not in UI or custom group, but default group should account for that. Even if user is added to ui, and given a group or custom group binding still fails Version-Release number of selected component (if applicable): 5.8.0.11-beta2, I suspect 5.6 and 5.7 as well since I never tested this scenario How reproducible: Steps to Reproduce: 1. Configure MIQLDAP LDAP/LDAPS 2. Do not check "get greps from ldap" 3. Specify a default group 4. Try logging with a user --> Login fails 5. Add the user to the webUI and assign a group --> Login still fails Actual results: Login fails Expected results: Login should succeed. Additional info: It appears what is happening is authentication is succcessful as far as validating the user/password combination. But the user record cannot be created b/c there is no valid bind user as we normally specify a bind user when we use "get groups from ldap" In this case we should just bind as the user themselves. [----] I, [2017-04-25T11:27:26.839452 #2947:c319b4] INFO -- : <AuditSuccess> MIQ(Authenticator.authenticate) userid: [ldapuser2] - User ui d=ldapuser2,cn=users,cn=accounts,dc=cfme,dc=lab,dc=eng,dc=rdu2,dc=redhat,dc=com successfully validated by LDAP [----] I, [2017-04-25T11:27:26.841788 #2947:c319b4] INFO -- : MIQ(Authenticator::Ldap#find_external_identity) Bind DN: [] [----] I, [2017-04-25T11:27:26.841939 #2947:c319b4] INFO -- : MIQ(Authenticator::Ldap#find_external_identity) User FQDN: [uid=ldapuser2,c n=users,cn=accounts,dc=cfme,dc=lab,dc=eng,dc=rdu2,dc=redhat,dc=com] [----] I, [2017-04-25T11:27:26.842575 #2947:c319b4] INFO -- : MIQ(MiqLdap#initialize) Server Settings: {:basedn=>nil, :bind_dn=>nil, :bind _pwd=>nil, :bind_timeout=>30, :follow_referrals=>false, :get_direct_groups=>true, :group_memberships_max_depth=>2, :ldaphost=>["cfme-rhel7- ipa.cfme.lab.eng.rdu2.redhat.com"], :ldapport=>"636", :mode=>"ldaps", :search_timeout=>30, :user_suffix=>"cn=users,cn=accounts,dc=cfme,dc=l ab,dc=eng,dc=rdu2,dc=redhat,dc=com", :user_type=>"dn-uid", :amazon_key=>nil, :amazon_secret=>nil, :default_group_for_users=>"EvmGroup-user" , :local_login_disabled=>false, :saml_enabled=>false, :sso_enabled=>false, :user_proxies=>[{}], :httpd_role=>false, :amazon_role=>false, :l dap_role=>false} [----] I, [2017-04-25T11:27:26.844711 #2947:c319b4] INFO -- : MiqLdap.connection: Resolved host [cfme-rhel7-ipa.cfme.lab.eng.rdu2.redhat.c om] has these IP Address: ["10.8.58.41"] [----] I, [2017-04-25T11:27:26.844793 #2947:c319b4] INFO -- : MiqLdap.connection: Connecting to IP Address [10.8.58.41] [----] I, [2017-04-25T11:27:26.845909 #2947:c319b4] INFO -- : options: {:auth=>{:basedn=>nil, :bind_dn=>nil, :bind_pwd=>nil, :bind_timeout =>30, :follow_referrals=>false, :get_direct_groups=>true, :group_memberships_max_depth=>2, :ldaphost=>["cfme-rhel7-ipa.cfme.lab.eng.rdu2.re dhat.com"], :ldapport=>"636", :mode=>"ldaps", :search_timeout=>30, :user_suffix=>"cn=users,cn=accounts,dc=cfme,dc=lab,dc=eng,dc=rdu2,dc=red hat,dc=com", :user_type=>"dn-uid", :amazon_key=>nil, :amazon_secret=>nil, :default_group_for_users=>"EvmGroup-user", :local_login_disabled= >false, :saml_enabled=>false, :sso_enabled=>false, :user_proxies=>[{}], :httpd_role=>false, :amazon_role=>false, :ldap_role=>false}, :host= >"10.8.58.41", :port=>"636", :encryption=>{:method=>:simple_tls}} [----] I, [2017-04-25T11:27:26.846057 #2947:c319b4] INFO -- : MIQ(MiqLdap#bind) Binding to LDAP: Host: [10.8.58.41], User: []... [----] E, [2017-04-25T11:27:26.859144 #2947:c319b4] ERROR -- : MIQ(MiqLdap#bind) Binding to LDAP: Host: [10.8.58.41], User: [], 'Invalid bi nding information' [----] E, [2017-04-25T11:27:26.865275 #2947:c319b4] ERROR -- : [NoMethodError]: undefined method `get_user_object' for nil:NilClass Method :[rescue in authenticate] [----] E, [2017-04-25T11:27:26.865564 #2947:c319b4] ERROR -- : /var/www/miq/vmdb/app/models/authenticator/ldap.rb:87:in `find_external_iden tity' /var/www/miq/vmdb/app/models/authenticator/ldap.rb:94:in `userprincipal_for' /var/www/miq/vmdb/app/models/authenticator/ldap.rb:34:in `find_or_create_by_ldap' /var/www/miq/vmdb/app/models/authenticator/ldap.rb:9:in `lookup_by_identity' /var/www/miq/vmdb/app/models/authenticator.rb:68:in `authenticate' /var/www/miq/vmdb/app/models/user.rb:155:in `authenticate' /var/www/miq/vmdb/app/controllers/api/base_controller/authentication.rb:20:in `block in require_api_user_or_token' /opt/rh/cfme-gemset/gems/actionpack-5.0.2/lib/action_controller/metal/http_authentication.rb:97:in `authenticate' /opt/rh/cfme-gemset/gems/actionpack-5.0.2/lib/action_controller/metal/http_authentication.rb:87:in `authenticate_with_http_basic' /var/www/miq/vmdb/app/controllers/api/base_controller/authentication.rb:20:in `require_api_user_or_token'
Created attachment 1273952 [details] EVM Log
Created attachment 1273953 [details] Audit log
See related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1445413
And two other bugs that are related: https://bugzilla.redhat.com/show_bug.cgi?id=1445421 https://bugzilla.redhat.com/show_bug.cgi?id=1445427
Looking at the log message above that dumps the Ldap settings, it appears that "get groups from Ldap" is actually checked (:get_direct_groups=>true). In that case I would expect it to try to go out to the directory and lookup the user and groups Can you double check this and let me know it's still an issue.
I'll have to try to recreate as this system is long gone.
*** This bug has been marked as a duplicate of bug 1442791 ***