Red Hat Bugzilla – Bug 1468772
AAA - AD user credentials do not get assigned to correct access groups
Last modified: 2017-07-19 12:27:40 EDT
Created attachment 1295407
Screenshot depicting empty "directory groups" tab
Description of problem:
Here is the problem description in the customer's own words:
"When users log in to RHV, their account gets populated from AD, but they are not in any directory groups.
If I click on the user, and select the "Directory Groups" tab, the user doesn't seem to get assigned to any groups.
I need the group expansion to work to allow users to log in and use various resources without an admin needing to manually assign access.
This worked in RHV 4.0."
Version-Release number of selected component (if applicable):
Steps to Reproduce:
I have two installs of RHEV 4.1 ATM
The first install was installed as 4.0, and set up using this guide:
It worked, my users inherited permissions upon login.
Then, after upgrade to 4.1, this isn't working any more.
The second install of RHEV I have started life as 4.1. It was configured using:
This install doesn't seem to inherit permissions based on group either.
Are they using a multi-domain Active Directory setup? If yes, then they need to change the 'include = <ad.properties>' to 'include = <ad-recursive.properties>'.
The ad.properties is using LDAP_MATCHING_RULE_IN_CHAIN to retrieve groups, and it doesn't fetch domain local groups from different domains.
Also, it would be useful to send the log of the following command:
$ ovirt-engine-extensions-tool --log-level=FINEST --log-file=/tmp/aaa.log aaa login-user --profile=nvidia.com --firstname.lastname@example.org
For more information about LDAP_MATCHING_RULE_IN_CHAIN, please take a look at BZ1393407, and for domain local groups see BZ1336707.
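
What an LDAP_MATCHING_RULE_IN_CHAIN group lookup looks like, as an added example (not code from this bug report or from the oVirt AAA extension). The OID and the `member:<OID>:=<DN>` filter form are the ones Microsoft documents for Active Directory; the exact filter in ad.properties may differ, and the function names and sample DN are constructed for illustration.

```python
# Added example: build the Active Directory "in chain" filter that asks the
# server to expand nested group membership for one user DN.

# Microsoft-documented OID for LDAP_MATCHING_RULE_IN_CHAIN.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape a value for an LDAP search filter (RFC 4515).

    DNs taken from login input can contain '(', ')', '*' or '\\'; left
    unescaped they would change the meaning of the filter.
    """
    out = []
    for byte in value.encode("utf-8"):
        ch = chr(byte)
        if ch in "*()\\" or byte == 0 or byte >= 0x80:
            out.append("\\%02x" % byte)  # hex-escape special and non-ASCII bytes
        else:
            out.append(ch)
    return "".join(out)


def nested_groups_filter(user_dn: str) -> str:
    """Return a filter matching every group that contains user_dn,
    directly or through nested groups, as resolved by the queried server."""
    return "(&(objectClass=group)(member:%s:=%s))" % (
        LDAP_MATCHING_RULE_IN_CHAIN,
        escape_filter_value(user_dn),
    )


if __name__ == "__main__":
    # Constructed sample DN (hypothetical user and domain).
    print(nested_groups_filter("CN=Doe\\, Jane (ops),OU=Users,DC=example,DC=com"))
```

The search is answered by the server it is sent to, which is where the limitation described above for domain local groups in other domains shows up.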