Description of problem:
Auth - MIQLDAP - AD/OpenLDAP/FreeIPA (most likely)
Configuring "get groups from ldap" and then unconfiguring still tries to bind with old creds.

If you set up MIQLDAP and check "get groups from ldap", then afterwards try to uncheck that box, when a user logs in, it still tries to bind to the LDAP server with the bind creds that were entered in "get groups from ldap". At this point it shouldn't know about those creds, it should only bind with the user login details.

Version-Release number of selected component (if applicable):
5.8.0.11-beta2, most likely 5.6 and 5.7 as well.

How reproducible:

Steps to Reproduce:
1. Configure MIQLDAP for ldap/ldaps
2. Check "Get groups from LDAP" and configure bind credentials
3. Log in with some user, validate it works or look up a group
4. Uncheck "Get groups from LDAP"
5. Set a default group
6. Log in with a different user. I think this fails to log in.
7. Look in evm.log, and you can see it's still binding with the bind creds entered in "get groups from LDAP"

Actual results:
Login fails

Expected results:
Login should succeed with default group

Additional info:
See related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1445405

You can see it bind as administrator.bos.redhat.com

[----] I, [2017-04-21T16:06:42.368269 #2949:191c5c0] INFO -- : MiqLdap.connection: Resolved host [cloudqe-ad.rhq.lab.eng.bos.redhat.com] has these IP Address: ["10.16.4.75", "2620:52:0:1007:619f:5439:e129:668f"]
[----] I, [2017-04-21T16:06:42.368357 #2949:191c5c0] INFO -- : MiqLdap.connection: Connecting to IP Address [10.16.4.75]
[----] I, [2017-04-21T16:06:42.398844 #2949:191c5c0] INFO -- : options: {:auth=>{:basedn=>"dc=ad,dc=cloudqe,dc=bos,dc=redhat,dc=com", :bind_dn=>"administrator.bos.redhat.com", :bind_pwd=>"********", :bind_timeout=>30, :follow_referrals=>false, :get_direct_groups=>true, :group_memberships_max_depth=>2, :ldaphost=>["cloudqe-ad.rhq.lab.eng.bos.redhat.com"], :ldapport=>"389", :mode=>"ldap", :search_timeout=>30, :user_suffix=>"ad.cloudqe.bos.redhat.com", :user_type=>"userprincipalname", :amazon_key=>nil, :amazon_secret=>nil, :default_group_for_users=>"EvmGroup-desktop", :domain_prefix=>"", :local_login_disabled=>false, :saml_enabled=>false, :sso_enabled=>false, :user_proxies=>[{}], :httpd_role=>false, :amazon_role=>false, :ldap_role=>false}, :host=>"10.16.4.75", :port=>"389"}
[----] I, [2017-04-21T16:06:42.398952 #2949:191c5c0] INFO -- : MIQ(MiqLdap#bind) Binding to LDAP: Host: [10.16.4.75], User: [administrator@ad.cloudqe.bos.redhat.com]...
[----] I, [2017-04-21T16:06:42.461110 #2949:191c5c0] INFO -- : MIQ(MiqLdap#bind) Binding to LDAP: Host: [10.16.4.75], User: [administrator@ad.cloudqe.bos.redhat.com]... successful
[----] I, [2017-04-21T16:06:42.461638 #2949:191c5c0] INFO -- : MIQ(MiqLdap#get_user_object) Type: [userprincipalname], Base DN: [dc=ad,dc=cloudqe,dc=bos,dc=redhat,dc=com], Filter: <(userprincipalname=test-user1.bos.redhat.com)>
[----] E, [2017-04-21T16:06:42.657743 #2949:191c5c0] ERROR -- : [RuntimeError]: Unable to auto-create user because LDAP bind credentials are not configured Method:[rescue in authenticate]
[----] E, [2017-04-21T16:06:42.658116 #2949:191c5c0] ERROR -- : /var/www/miq/vmdb/app/models/authenticator/ldap.rb:37:in `find_or_create_by_ldap'

So the issue seems to be that we do not clear the bind credentials when "Get User Groups From LDAP" is unchecked. However, I would argue that we should always require the bind credentials regardless of whether "Get User Groups From LDAP" is checked or unchecked. However, if the functionality is as expected, users that should be able to log in can and those that should not be able to log in cannot, then this is not a bug. I'm going to mark closed-notabug. If it is felt this is a reproducible bug please reopen.

JoeV
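
A way to check evm.log for the condition reported above, as an added example that is not ManageIQ code or part of the original report: it flags a successful bind made with the stored bind_dn while the options line on the same worker thread shows group lookup switched off. It assumes that :ldap_role in the logged options hash is the "Get User Groups from LDAP" setting and that the bound user is logged exactly as the stored bind_dn; the hosts, users and threads in the sample are constructed.

```ruby
# Added example, not ManageIQ code. Assumption: :ldap_role in the logged
# options hash is the "Get User Groups from LDAP" checkbox.

# Constructed sample in the evm.log layout shown in the report.
SAMPLE_LOG = <<~'LOG'
  [----] I, [2017-04-21T16:06:42.398844 #2949:191c5c0] INFO -- : options: {:auth=>{:bind_dn=>"svc-bind@example.test", :bind_pwd=>"********", :ldap_role=>false}, :host=>"192.0.2.10", :port=>"389"}
  [----] I, [2017-04-21T16:06:42.398952 #2949:191c5c0] INFO -- : MIQ(MiqLdap#bind) Binding to LDAP: Host: [192.0.2.10], User: [svc-bind@example.test]...
  [----] I, [2017-04-21T16:06:42.461110 #2949:191c5c0] INFO -- : MIQ(MiqLdap#bind) Binding to LDAP: Host: [192.0.2.10], User: [svc-bind@example.test]... successful
  [----] I, [2017-04-21T16:07:10.100000 #2950:2a3b4c0] INFO -- : options: {:auth=>{:bind_dn=>"svc-bind@example.test", :bind_pwd=>"********", :ldap_role=>true}, :host=>"192.0.2.10", :port=>"389"}
  [----] I, [2017-04-21T16:07:10.200000 #2950:2a3b4c0] INFO -- : MIQ(MiqLdap#bind) Binding to LDAP: Host: [192.0.2.10], User: [svc-bind@example.test]... successful
  [----] I, [2017-04-21T16:08:01.100000 #2951:3c4d5e0] INFO -- : options: {:auth=>{:bind_dn=>"svc-bind@example.test", :bind_pwd=>"********", :ldap_role=>false}, :host=>"192.0.2.10", :port=>"389"}
  [----] I, [2017-04-21T16:08:01.200000 #2951:3c4d5e0] INFO -- : MIQ(MiqLdap#bind) Binding to LDAP: Host: [192.0.2.10], User: [test-user1@example.test]... successful
LOG

THREAD_RE  = /#(\d+:\h+)\]/                 # "#pid:tid]" in the log prefix
BIND_DN_RE = /:bind_dn=>"([^"]*)"/
ROLE_RE    = /:ldap_role=>(true|false)/
BOUND_RE   = /MiqLdap#bind\) Binding to LDAP: Host: \[([^\]]+)\], User: \[([^\]]+)\]\.\.\. successful/

# Returns one hash per successful bind that used the stored bind_dn on a
# thread whose most recent options line had ldap_role=>false.
def stale_bind_findings(log)
  stored = {}    # thread id => bind_dn logged while group lookup was off
  findings = []
  log.each_line do |line|
    thread = line[THREAD_RE, 1]
    next unless thread
    if line.include?("options:")
      dn = line[BIND_DN_RE, 1]
      if line[ROLE_RE, 1] == "false" && dn && !dn.empty?
        stored[thread] = dn
      else
        stored.delete(thread)    # lookup enabled or no bind_dn: nothing stale
      end
    elsif (m = line.match(BOUND_RE))
      dn = stored[thread]
      # Exact, case-insensitive comparison; a differently formatted
      # account name (bare name plus suffix) would need normalising first.
      findings << { thread: thread, host: m[1], user: m[2] } if dn && dn.casecmp?(m[2])
    end
  end
  findings
end

puts stale_bind_findings(SAMPLE_LOG).inspect if $PROGRAM_NAME == __FILE__
```
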