Bug 1462815 - Assume the user is going to use 'Single Sing-On for Virtual Machines'
Assume the user is going to use 'Single Sing-On for Virtual Machines'
Product: ovirt-engine-extension-aaa-ldap
Classification: oVirt
Component: Setup (Show other bugs)
Unspecified Unspecified
unspecified Severity medium (vote)
: ovirt-4.1.6
: ---
Assigned To: Ondra Machacek
Depends On:
  Show dependency treegraph
Reported: 2017-06-19 11:33 EDT by Miguel Martin
Modified: 2017-08-18 11:02 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
rule-engine: ovirt‑4.1+

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
oVirt gerrit 78318 None None None 2017-06-20 04:59 EDT

  None (edit)
Description Miguel Martin 2017-06-19 11:33:09 EDT
Description of problem:

By default, the 'ovirt-engine-extension-aaa-ldap-setup' script assumes that the user is not going to use 'Single Sing-On for Virtual Machines' feature. 

If the user changes his mind in the future there is no easy way to modify the configuration to make it work. 

There are two options:

1. Remove all the permissions of domain users in 'Administration Portal', rename the authorization extension with upstream tool 'ovirt-engine-kerbldap-migration-authz-rename'. Reassign the user's permissions in 'Administration Portal'.
2. Make the changes manually in profile config files and directly into the database (undocumented and not recommended of course).

As there is no functional impact I believe we should use 'Yes' as the default answer to the question 'Are you going to use Single Sing-On for Virtual Machines?', at least until we had a better implementation. 

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Run 'ovirt-engine-extension-aaa-ldap-setup'
2. Choose the default answer of 'Are you going to use Single Sing-On for Virtual Machines?'

Actual results:
Virtual Machine SSO in user portal not working

Expected results:
Virtual Machine SSO in user portal working

Additional info:
Comment 1 Martin Perina 2017-08-03 03:46:02 EDT
Fix is contained is going to be delivered in ovirt-engine-extension-aaa-ldap-1.3.3
Comment 2 Gonza 2017-08-15 04:45:22 EDT
Verified with:

"Are you going to use Single Sign-On for Virtual Machines (Yes, No) [Yes]: "
Comment 3 Martin Perina 2017-08-18 11:02:41 EDT
Retargeting to 4.1.6 as we need to withdraw release of ovirt-engine-extension-aaa-ldap-setup-1.3.3 and fix critical bug in this release

Note You need to log in before you can comment on or make changes to this bug.