Bug 1468772 - AAA - AD user credentials do not get assigned to correct access groups
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-extension-aaa-ldap
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Assigned To: Martin Perina
Reported: 2017-07-07 17:16 EDT by Anitha Udgiri
Modified: 2017-07-19 12:27 EDT (History)
CC: 9 users

Fixed In Version:
Last Closed: 2017-07-19 11:28:06 EDT
Type: Bug
oVirt Team: Infra

Attachments
Screenshot depicting empty "directory groups" tab (103.02 KB, image/png), 2017-07-07 17:16 EDT, Anitha Udgiri

Description Anitha Udgiri 2017-07-07 17:16:47 EDT
Created attachment 1295407
Screenshot depicting empty "directory groups" tab

Description of problem:
Here is the problem description in customer's own words :
"When users log in to RHV, their account gets populated from AD, but they are not in any directory groups.

If I click on the user and select the "Directory Groups" tab, the user doesn't seem to get assigned to any groups.

I need the group expansion to work to allow users to log in and use various resources without an admin needing to manually assign access.

This worked in RHV 4.0."

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:

I have two installs of RHEV 4.1 ATM

The first install was installed as 4.0, and set up using this guide:


It worked, my users inherited permissions upon login. 

Then, after upgrade to 4.1, this isn't working any more.  

The second install of RHEV I have started life as 4.1. It was configured using:


This install doesn't seem to inherit permissions based on group either.
Comment 2 Ondra Machacek 2017-07-10 04:25:29 EDT
Are they using multi domain Active directory setup? If yes, then they need to change the 'include = <ad.properties>' to 'include = <ad-recursive.properties>'.

The ad.properties is using LDAP_MATCHING_RULE_IN_CHAIN to retrieve groups, and it doesn't fetch domain local groups from different domains.

Also it would be useful to send the log of the following command:

 $ ovirt-engine-extensions-tool --log-level=FINEST --log-file=/tmp/aaa.log aaa login-user --profile=nvidia.com --user-name=rsheth@nvidia.com
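As an added illustration of the change suggested in this comment (example configuration written for this page, not from the bug report or the ovirt-engine-extension-aaa-ldap project), here is an assumed AD profile file, /etc/ovirt-engine/aaa/example.com.properties, with placeholder domain, bind user and password; only the include line differs between the non-working and working variants:

```properties
# /etc/ovirt-engine/aaa/example.com.properties  (assumed path and profile name)
#
# The include line selects how ovirt-engine-extension-aaa-ldap resolves the
# groups of a user who logs in. As described in comment 2, ad.properties
# uses the AD extended match LDAP_MATCHING_RULE_IN_CHAIN to pull the whole
# group chain in a single query, and that query does not return domain local
# groups from other domains of a multi-domain forest, so the "Directory
# Groups" tab ends up empty for those users:
#
#include = <ad.properties>
#
# ad-recursive.properties resolves group membership recursively, query by
# query, so groups from the other domains are found as well:
include = <ad-recursive.properties>

# Placeholder values for this example (not taken from the bug report)
vars.domain = example.com
vars.user = EXAMPLE\\svc-rhv-ldap
vars.password = changeme

# Locate domain controllers through DNS SRV records and bind with the
# service account above
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
```

After editing the profile, restart the engine (systemctl restart ovirt-engine) and re-run the ovirt-engine-extensions-tool login-user command given above with --log-level=FINEST: the resolved groups in that log, and the user's "Directory Groups" tab, are the check that the recursive lookup now returns the expected groups. The file carries a cleartext bind password, so keep it readable only by the engine's service account and use a dedicated read-only bind user rather than an administrative one.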
Comment 3 Martin Perina 2017-07-10 06:35:12 EDT
For more information about LDAP_MATCHING_RULE_IN_CHAIN please take a look at BZ1393407 and about domain local group at BZ1336707
