Bug 1468772 - AAA - AD user credentials do not get assigned to correct access groups
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-extension-aaa-ldap (Show other bugs)
Version: 4.1.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Assigned To: Martin Perina
Gonza
Reported: 2017-07-07 17:16 EDT by Anitha Udgiri
Modified: 2017-07-19 12:27 EDT (History)

Last Closed: 2017-07-19 11:28:06 EDT
Type: Bug
oVirt Team: Infra


Attachments (Terms of Use)
Screenshot depicting empty "directory groups" tab (103.02 KB, image/png)
2017-07-07 17:16 EDT, Anitha Udgiri
Description Anitha Udgiri 2017-07-07 17:16:47 EDT
Created attachment 1295407 [details]
Screenshot depicting empty "directory groups" tab

Description of problem:
Here is the problem description in customer's own words :
" When users login to RHV, their account gets populated from AD, but they are not in any directory groups. 

If I click on the user, and select the "Directory Groups" tab, the user doesn't seem to get assigned to any groups. 

I need the group expansion to work to allow users to login and use various resources without an admin needing to manually assign access. 

This worked in rhv 4.0."


Version-Release number of selected component (if applicable):

rhevm-4.1.2.3-0.1.el7.noarch  
ovirt-engine-extension-aaa-ldap-1.3.1-1.el7ev.noarch 


How reproducible:

Always

Steps to Reproduce:

I have two installs of RHEV 4.1 ATM

The first install was installed as 4.0, and set up using this guide:

https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.0/html/administration_guide/sect-configuring_an_external_ldap_provider

It worked, my users inherited permissions upon login. 

Then, after upgrade to 4.1, this isn't working any more.  

The second install of RHEV I have started life as 4.1. It was configured using:

https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/html/administration_guide/sect-configuring_an_external_ldap_provider

This install doesn't seem to inherit permissions based on group either.
Comment 2 Ondra Machacek 2017-07-10 04:25:29 EDT
Are they using a multi-domain Active Directory setup? If yes, then they need to change the 'include = <ad.properties>' to 'include = <ad-recursive.properties>'.

The ad.properties is using LDAP_MATCHING_RULE_IN_CHAIN to retrieve groups, and it doesn't fetch domain local groups from different domains.

Also it would be useful to send log of following command:

 $ ovirt-engine-extensions-tool --log-level=FINEST --log-file=/tmp/aaa.log aaa login-user --profile=nvidia.com --user-name=rsheth@nvidia.com
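As an added example, not code from this bug or from the ovirt-engine-extension-aaa-ldap project, here is a constructed in-memory model of a two-domain forest that shows why the two group resolution strategies named above give different results. The domain names, DNs and group layout are constructed; the model assumes that a single in-chain query is answered using only the membership stored in the queried domain, while the recursive strategy searches every domain of the forest for each DN it discovers.

```python
from typing import Dict, Iterable, Set, Tuple

# Constructed forest with two domains. Group DN -> (home domain, member DNs).
# VM-Users is a domain local group in eng.example that holds a corp.example
# group; its membership is stored only on eng.example domain controllers.
DIRECTORY: Dict[str, Tuple[str, Set[str]]] = {
    "cn=Developers,dc=corp,dc=example": ("corp.example", {"cn=alice,dc=corp,dc=example"}),
    "cn=VM-Users,dc=eng,dc=example": ("eng.example", {"cn=Developers,dc=corp,dc=example"}),
    "cn=Ops,dc=corp,dc=example": ("corp.example", {"cn=bob,dc=corp,dc=example"}),
}
ALL_DOMAINS = ("corp.example", "eng.example")


def expand_groups(dn: str, domains: Iterable[str]) -> Set[str]:
    """Return every group `dn` is a (nested) member of, using only membership
    stored in `domains`. Nesting is followed until no new group appears."""
    domains = set(domains)
    found: Set[str] = set()
    frontier = [dn]
    while frontier:
        current = frontier.pop()
        for group_dn, (home, members) in DIRECTORY.items():
            if home in domains and current in members and group_dn not in found:
                found.add(group_dn)
                frontier.append(group_dn)
    return found


def in_chain_groups(user_dn: str, user_domain: str) -> Set[str]:
    """Model (assumption) of the ad.properties behaviour: one
    LDAP_MATCHING_RULE_IN_CHAIN query is answered by the user's own domain,
    so it can only expand membership stored there."""
    return expand_groups(user_dn, {user_domain})


def recursive_groups(user_dn: str) -> Set[str]:
    """Model (assumption) of the ad-recursive.properties behaviour: each DN
    discovered is looked up in every domain, so domain local groups elsewhere
    in the forest are reached."""
    return expand_groups(user_dn, ALL_DOMAINS)


def groups_missed_by_in_chain(user_dn: str, user_domain: str) -> Set[str]:
    """Groups, and therefore RHV permissions, the user would silently lack."""
    return recursive_groups(user_dn) - in_chain_groups(user_dn, user_domain)


if __name__ == "__main__":
    alice = "cn=alice,dc=corp,dc=example"
    print("in-chain :", sorted(in_chain_groups(alice, "corp.example")))
    print("recursive:", sorted(recursive_groups(alice)))
    print("missed   :", sorted(groups_missed_by_in_chain(alice, "corp.example")))
```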
Comment 3 Martin Perina 2017-07-10 06:35:12 EDT
For more information about LDAP_MATCHING_RULE_IN_CHAIN please take a look at BZ1393407, and about domain local groups at BZ1336707.
