Created attachment 1295407
Screenshot depicting empty "directory groups" tab

Description of problem:
Here is the problem description in the customer's own words:
"When users log in to RHV, their account gets populated from AD, but they are not in any directory groups. If I click on the user, and select the "Directory Groups" tab, the user doesn't seem to get assigned to any groups. I need the group expansion to work to allow users to log in and use various resources without an admin needing to manually assign access. This worked in RHV 4.0."

Version-Release number of selected component (if applicable):
rhevm-4.1.2.3-0.1.el7.noarch
ovirt-engine-extension-aaa-ldap-1.3.1-1.el7ev.noarch

How reproducible:
Always

Steps to Reproduce:
I have two installs of RHEV 4.1 ATM.

The first install was installed as 4.0, and set up using this guide:
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.0/html/administration_guide/sect-configuring_an_external_ldap_provider
It worked; my users inherited permissions upon login. Then, after the upgrade to 4.1, this isn't working any more.

The second install of RHEV I have started life as 4.1. It was configured using:
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/html/administration_guide/sect-configuring_an_external_ldap_provider
This install doesn't seem to inherit permissions based on group either.
Are they using a multi-domain Active Directory setup? If yes, then they need to change 'include = <ad.properties>' to 'include = <ad-recursive.properties>'. The ad.properties is using LDAP_MATCHING_RULE_IN_CHAIN to retrieve groups, and it doesn't fetch domain local groups from different domains.

Also it would be useful to send the log of the following command:

$ ovirt-engine-extensions-tool --log-level=FINEST --log-file=/tmp/aaa.log aaa login-user --profile=nvidia.com --user-name=rsheth
For more information about LDAP_MATCHING_RULE_IN_CHAIN please take a look at BZ1393407, and about domain local groups at BZ1336707.