First Last Prev Next    This bug is not in your last search results.
Bug 1468772 - AAA - AD user credentials do not get assigned to correct access groups
AAA - AD user credentials do not get assigned to correct access groups
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-extension-aaa-ldap (Show other bugs)
4.1.2
Unspecified Unspecified
unspecified Severity high
: ---
: ---
Assigned To: Martin Perina
Gonza
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-07-07 17:16 EDT by Anitha Udgiri
Modified: 2017-07-19 12:27 EDT (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-07-19 11:28:06 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Screenshot depicting empty "directory groups" tab (103.02 KB, image/png)
2017-07-07 17:16 EDT, Anitha Udgiri 		no flags Details
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Anitha Udgiri 2017-07-07 17:16:47 EDT 
Created attachment 1295407 [details]
Screenshot depicting empty "directory groups" tab

Description of problem:
Here is the problem description in customer's own words :
" When users login to RHV, their account gets populated from AD, but they are not in any directory groups. 

If I click on the user, and select the "Directory Groups" tab, the use doesn't seem to get assigned to any groups. 

I need the group expansion to work to allow users to login and user various resources without a admin needing to manually assign access. 

This worked in rhv 4.0."


Version-Release number of selected component (if applicable):

rhevm-4.1.2.3-0.1.el7.noarch  
ovirt-engine-extension-aaa-ldap-1.3.1-1.el7ev.noarch 


How reproducible:

Always

Steps to Reproduce:

I have two installs of RHEV 4.1 ATM

The first install was installed as 4.0, and set up using this guide:

https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.0/html/administration_guide/sect-configuring_an_external_ldap_provider

It worked, my users inherited permissions upon login. 

Then, after upgrade to 4.1, this isn't working any more.  

The second install of RHEV I have started life as 4.1. It was configures using:

https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/html/administration_guide/sect-configuring_an_external_ldap_provider

This install doesn't seem to inherit permissions based on group either.
Comment 2 Ondra Machacek 2017-07-10 04:25:29 EDT 
Are they using multi domain Active directory setup? If yes, then they need to change the 'include = <ad.properties>' to 'include = <ad-recursive.properties>'.

The ad.properties is using LDAP_MATCHING_RULE_IN_CHAIN to retrieve groups, and it don't fetch domain local groups from different domains.

Also it would be useful to send log of following command:

 $ ovirt-engine-extensions-tool --log-level=FINEST --log-file=/tmp/aaa.log aaa login-user --profile=nvidia.com --user-name=rsheth@nvidia.com
Comment 3 Martin Perina 2017-07-10 06:35:12 EDT 
For more information about LDAP_MATCHING_RULE_IN_CHAIN please take a look at BZ1393407 and about domain local group at BZ1336707
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.