Bug 1445405 - No valid bind credentials when not using "get groups from LDAP"
Summary: No valid bind credentials when not using "get groups from LDAP"
Keywords:
Status: CLOSED DUPLICATE of bug 1442791
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Appliance
Version: 5.8.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: GA
Target Release: cfme-future
Assignee: Joe Vlcek
QA Contact: Matt Pusateri
URL:
Whiteboard: auth:miqldap:ad:freeipa:openldap
Depends On:
Blocks:
Reported: 2017-04-25 15:26 UTC by Matt Pusateri
Modified: 2017-09-12 15:19 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-07-17 13:41:48 UTC
Category: ---
Cloudforms Team: CFME Core
Target Upstream Version:


Attachments
EVM Log (8.68 MB, text/plain)
2017-04-25 15:28 UTC, Matt Pusateri
Audit log (1.25 KB, text/plain)
2017-04-25 15:29 UTC, Matt Pusateri

Description Matt Pusateri 2017-04-25 15:26:58 UTC
Description of problem:

Auth - MIQLDAP - AD, FreeIPA, OpenLDAP - No valid bind credentials when not using "get groups from LDAP"

When you don't use "get groups from LDAP" and you set a default group, the user can't log in because there are no bind credentials, which normally get set up in "get groups from LDAP". The user's creds should be used to bind. The user has not logged in, and the user is not in the UI or a custom group, but the default group should account for that. Even if the user is added to the UI and given a group or custom group, binding still fails.


Version-Release number of selected component (if applicable):
5.8.0.11-beta2, I suspect 5.6 and 5.7 as well since I never tested this scenario

How reproducible:


Steps to Reproduce:
1. Configure MIQLDAP LDAP/LDAPS
2. Do not check "get groups from ldap"
3. Specify a default group
4. Try logging in with a user --> Login fails
5. Add the user to the webUI and assign a group --> Login still fails

Actual results:
Login fails

Expected results:

Login should succeed. 

Additional info:

It appears what is happening is that authentication is successful as far as validating the user/password combination. But the user record cannot be created because there is no valid bind user, as we normally specify a bind user when we use "get groups from ldap". In this case we should just bind as the user themselves.

[----] I, [2017-04-25T11:27:26.839452 #2947:c319b4]  INFO -- : <AuditSuccess> MIQ(Authenticator.authenticate) userid: [ldapuser2] - User uid=ldapuser2,cn=users,cn=accounts,dc=cfme,dc=lab,dc=eng,dc=rdu2,dc=redhat,dc=com successfully validated by LDAP
[----] I, [2017-04-25T11:27:26.841788 #2947:c319b4]  INFO -- : MIQ(Authenticator::Ldap#find_external_identity) Bind DN: []
[----] I, [2017-04-25T11:27:26.841939 #2947:c319b4]  INFO -- : MIQ(Authenticator::Ldap#find_external_identity)  User FQDN: [uid=ldapuser2,cn=users,cn=accounts,dc=cfme,dc=lab,dc=eng,dc=rdu2,dc=redhat,dc=com]
[----] I, [2017-04-25T11:27:26.842575 #2947:c319b4]  INFO -- : MIQ(MiqLdap#initialize) Server Settings: {:basedn=>nil, :bind_dn=>nil, :bind_pwd=>nil, :bind_timeout=>30, :follow_referrals=>false, :get_direct_groups=>true, :group_memberships_max_depth=>2, :ldaphost=>["cfme-rhel7-ipa.cfme.lab.eng.rdu2.redhat.com"], :ldapport=>"636", :mode=>"ldaps", :search_timeout=>30, :user_suffix=>"cn=users,cn=accounts,dc=cfme,dc=lab,dc=eng,dc=rdu2,dc=redhat,dc=com", :user_type=>"dn-uid", :amazon_key=>nil, :amazon_secret=>nil, :default_group_for_users=>"EvmGroup-user", :local_login_disabled=>false, :saml_enabled=>false, :sso_enabled=>false, :user_proxies=>[{}], :httpd_role=>false, :amazon_role=>false, :ldap_role=>false}
[----] I, [2017-04-25T11:27:26.844711 #2947:c319b4]  INFO -- : MiqLdap.connection: Resolved host [cfme-rhel7-ipa.cfme.lab.eng.rdu2.redhat.com] has these IP Address: ["10.8.58.41"]
[----] I, [2017-04-25T11:27:26.844793 #2947:c319b4]  INFO -- : MiqLdap.connection: Connecting to IP Address [10.8.58.41]
[----] I, [2017-04-25T11:27:26.845909 #2947:c319b4]  INFO -- : options: {:auth=>{:basedn=>nil, :bind_dn=>nil, :bind_pwd=>nil, :bind_timeout=>30, :follow_referrals=>false, :get_direct_groups=>true, :group_memberships_max_depth=>2, :ldaphost=>["cfme-rhel7-ipa.cfme.lab.eng.rdu2.redhat.com"], :ldapport=>"636", :mode=>"ldaps", :search_timeout=>30, :user_suffix=>"cn=users,cn=accounts,dc=cfme,dc=lab,dc=eng,dc=rdu2,dc=redhat,dc=com", :user_type=>"dn-uid", :amazon_key=>nil, :amazon_secret=>nil, :default_group_for_users=>"EvmGroup-user", :local_login_disabled=>false, :saml_enabled=>false, :sso_enabled=>false, :user_proxies=>[{}], :httpd_role=>false, :amazon_role=>false, :ldap_role=>false}, :host=>"10.8.58.41", :port=>"636", :encryption=>{:method=>:simple_tls}}
[----] I, [2017-04-25T11:27:26.846057 #2947:c319b4]  INFO -- : MIQ(MiqLdap#bind) Binding to LDAP: Host: [10.8.58.41], User: []...
[----] E, [2017-04-25T11:27:26.859144 #2947:c319b4] ERROR -- : MIQ(MiqLdap#bind) Binding to LDAP: Host: [10.8.58.41], User: [], 'Invalid binding information'
[----] E, [2017-04-25T11:27:26.865275 #2947:c319b4] ERROR -- : [NoMethodError]: undefined method `get_user_object' for nil:NilClass  Method:[rescue in authenticate]
[----] E, [2017-04-25T11:27:26.865564 #2947:c319b4] ERROR -- : /var/www/miq/vmdb/app/models/authenticator/ldap.rb:87:in `find_external_identity'
/var/www/miq/vmdb/app/models/authenticator/ldap.rb:94:in `userprincipal_for'
/var/www/miq/vmdb/app/models/authenticator/ldap.rb:34:in `find_or_create_by_ldap'
/var/www/miq/vmdb/app/models/authenticator/ldap.rb:9:in `lookup_by_identity'
/var/www/miq/vmdb/app/models/authenticator.rb:68:in `authenticate'
/var/www/miq/vmdb/app/models/user.rb:155:in `authenticate'
/var/www/miq/vmdb/app/controllers/api/base_controller/authentication.rb:20:in `block in require_api_user_or_token'
/opt/rh/cfme-gemset/gems/actionpack-5.0.2/lib/action_controller/metal/http_authentication.rb:97:in `authenticate'
/opt/rh/cfme-gemset/gems/actionpack-5.0.2/lib/action_controller/metal/http_authentication.rb:87:in `authenticate_with_http_basic'
/var/www/miq/vmdb/app/controllers/api/base_controller/authentication.rb:20:in `require_api_user_or_token'
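
The credential choice the report asks for, as an added illustration that is not ManageIQ/CFME code: when no service-account bind DN is configured, the follow-up bind that loads the user record uses the just-validated user's own DN and password, and an empty DN or empty password is refused rather than sent to the server. The settings keys and the "dn-uid"/user_suffix form mirror the Server Settings hash in the log; the function names and the sample values are assumptions.

```ruby
# Hypothetical helper, not ManageIQ code: pick the identity to bind with for
# the lookup that happens after LDAP has already validated user/password.
class BindCredentialError < StandardError; end

def present?(value)
  !value.nil? && !value.to_s.strip.empty?
end

# Returns [bind_dn, bind_pwd]. A configured service account wins; otherwise
# fall back to the authenticated user's own DN and password.
def bind_credentials(settings, user_dn, user_pwd)
  bind_dn  = settings[:bind_dn]
  bind_pwd = settings[:bind_pwd]
  return [bind_dn, bind_pwd] if present?(bind_dn) && present?(bind_pwd)

  # Never bind with empty values. An empty DN is an anonymous bind and an
  # empty password is an RFC 4513 "unauthenticated" bind; many directories
  # answer both with success, which would look like a valid login for a user
  # who never proved a password. The log above shows the server rejecting
  # the empty bind ("User: []"), but that must not be relied on.
  unless present?(user_dn) && present?(user_pwd)
    raise BindCredentialError,
          "no usable bind credentials (bind_dn=#{bind_dn.inspect}, user_dn=#{user_dn.inspect})"
  end
  [user_dn, user_pwd]
end

# Build the user DN the way the :user_type=>"dn-uid" / :user_suffix settings
# in the log imply: "uid=<login>,<suffix>". Other user types are out of scope here.
def user_dn_for(settings, userid)
  raise ArgumentError, "unsupported user_type #{settings[:user_type].inspect}" unless settings[:user_type] == "dn-uid"
  raise ArgumentError, "userid must not be empty" unless present?(userid)
  "uid=#{userid},#{settings[:user_suffix]}"
end

# Constructed sample mirroring the report: no bind account configured.
SETTINGS_NO_BIND = { :bind_dn => nil, :bind_pwd => nil, :get_direct_groups => false,
                     :user_type => "dn-uid",
                     :user_suffix => "cn=users,cn=accounts,dc=example,dc=com" }

if __FILE__ == $0
  dn = user_dn_for(SETTINGS_NO_BIND, "ldapuser2")
  p bind_credentials(SETTINGS_NO_BIND, dn, "s3cret")   # binds as the user
  begin
    bind_credentials(SETTINGS_NO_BIND, "", "")          # the "User: []" case
  rescue BindCredentialError => e
    puts "refused: #{e.message}"
  end
end
```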

Comment 2 Matt Pusateri 2017-04-25 15:28:43 UTC
Created attachment 1273952 [details]
EVM Log

Comment 3 Matt Pusateri 2017-04-25 15:29:27 UTC
Created attachment 1273953 [details]
Audit log

Comment 4 Matt Pusateri 2017-04-25 15:43:05 UTC
See related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1445413

Comment 5 Matt Pusateri 2017-04-25 16:08:48 UTC
And two other bugs that are related:

https://bugzilla.redhat.com/show_bug.cgi?id=1445421
https://bugzilla.redhat.com/show_bug.cgi?id=1445427

Comment 6 Gregg Tanzillo 2017-06-01 21:25:35 UTC
Looking at the log message above that dumps the LDAP settings, it appears that "get groups from LDAP" is actually checked (:get_direct_groups=>true). In that case I would expect it to try to go out to the directory and look up the user and groups.

Can you double check this and let me know if it's still an issue?

Comment 7 Matt Pusateri 2017-06-02 13:53:29 UTC
I'll have to try to recreate as this system is long gone.

Comment 8 Joe Vlcek 2017-07-17 13:41:48 UTC

*** This bug has been marked as a duplicate of bug 1442791 ***

