Bug 1482940 - [aaa-ldap-setup] Login sequence fails on setup
Summary: [aaa-ldap-setup] Login sequence fails on setup
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine-extension-aaa-ldap
Classification: oVirt
Component: Setup
Version: master
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ovirt-4.1.6
Target Release: 1.3.4
Assignee: Martin Perina
QA Contact: Gonza
URL:
Whiteboard:
Depends On:
Blocks: 1476980
Reported: 2017-08-18 13:09 UTC by Gonza
Modified: 2019-04-28 13:51 UTC (History)

Fixed In Version: ovirt-engine-extension-aaa-ldap-1.3.4
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-09-19 10:02:36 UTC
oVirt Team: Infra
Embargoed:
rule-engine: ovirt-4.1+
rule-engine: blocker+


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Knowledge Base (Solution) | 3424101 | 0 | None | None | None | 2018-04-26 02:57:13 UTC
oVirt gerrit | 80049 | 0 | None | MERGED | setup: login sequence is mandatory to execute to finish setup | 2021-01-28 14:29:45 UTC

Description Gonza 2017-08-18 13:09:24 UTC
Description of problem:
When running setup for openldap or ipa, bind is successful with the provided user and pass but login fails.

Version-Release number of selected component (if applicable):
ovirt-engine-extension-aaa-ldap-setup-1.3.4-0.0.master.git2db902e.el7.centos.noarch

How reproducible:
100%

Steps to Reproduce:
1. run ovirt-engine-extension-aaa-ldap-setup for openldap or ipa

Actual results:
[ INFO  ] Attempting to bind using 'uid=user1,ou=Users,dc=openldap,dc=lab,dc=com'
          Please enter base DN (dc=openldap,dc=lab,dc=com) [dc=openldap,dc=lab,dc=com]: 
          Are you going to use Single Sign-On for Virtual Machines (Yes, No) [Yes]: 
          NOTE:
          Profile name has to match domain name, otherwise Single Sign-On for Virtual Machines will not work.
          Please specify profile name that will be visible to users [openldap.lab.com]: 
[ INFO  ] Stage: Setup validation
          NOTE:
          It is highly recommended to test drive the configuration before applying it into engine.
          Perform at least one Login sequence and one Search sequence.
[ INFO  ] Executing login sequence...
          Login output:
          2017-08-18 14:27:03,406+02 INFO    ========================================================================
          2017-08-18 14:27:03,652+02 INFO    ============================ Initialization ============================
          2017-08-18 14:27:03,652+02 INFO    ========================================================================
          2017-08-18 14:27:03,787+02 INFO    Loading extension 'openldap.lab.com-authn'
          2017-08-18 14:27:04,065+02 INFO    Extension 'openldap.lab.com-authn' loaded
          2017-08-18 14:27:04,100+02 INFO    Loading extension 'openldap.lab.com'
          2017-08-18 14:27:04,225+02 INFO    Extension 'openldap.lab.com' loaded
          2017-08-18 14:27:04,228+02 INFO    Initializing extension 'openldap.lab.com-authn'
          2017-08-18 14:27:04,252+02 INFO    [ovirt-engine-extension-aaa-ldap.authn::openldap.lab.com-authn] Creating LDAP pool 'authz'
          2017-08-18 14:27:05,519+02 INFO    [ovirt-engine-extension-aaa-ldap.authn::openldap.lab.com-authn] LDAP pool 'authz' information: vendor='null' version='null'
          2017-08-18 14:27:05,524+02 INFO    [ovirt-engine-extension-aaa-ldap.authn::openldap.lab.com-authn] Creating LDAP pool 'authn'
          2017-08-18 14:27:05,618+02 INFO    [ovirt-engine-extension-aaa-ldap.authn::openldap.lab.com-authn] LDAP pool 'authn' information: vendor='null' version='null'
          2017-08-18 14:27:05,621+02 INFO    Extension 'openldap.lab.com-authn' initialized
          2017-08-18 14:27:05,623+02 INFO    Initializing extension 'openldap.lab.com'
          2017-08-18 14:27:05,626+02 INFO    [ovirt-engine-extension-aaa-ldap.authz::openldap.lab.com] Creating LDAP pool 'authz'
          2017-08-18 14:27:05,697+02 INFO    [ovirt-engine-extension-aaa-ldap.authz::openldap.lab.com] LDAP pool 'authz' information: vendor='null' version='null'
          2017-08-18 14:27:05,701+02 INFO    [ovirt-engine-extension-aaa-ldap.authz::openldap.lab.com] Available Namespaces: [dc=openldap,dc=lab,dc=com]
          2017-08-18 14:27:05,702+02 INFO    Extension 'openldap.lab.com' initialized
          2017-08-18 14:27:05,703+02 INFO    Start of enabled extensions list
          2017-08-18 14:27:05,721+02 INFO    Instance name: 'openldap.lab.com-authn', Extension name: 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.3.4_master', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.3.4-0.0.master.git2db902e.el7.centos', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0',  File: '/tmp/tmp5wH9gz/extensions.d/openldap.lab.com-authn.properties', Initialized: 'true'
          2017-08-18 14:27:05,723+02 INFO    Instance name: 'openldap.lab.com', Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.3.4_master', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.3.4-0.0.master.git2db902e.el7.centos', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0',  File: '/tmp/tmp5wH9gz/extensions.d/openldap.lab.com.properties', Initialized: 'true'
          2017-08-18 14:27:05,724+02 INFO    End of enabled extensions list
          2017-08-18 14:27:05,724+02 INFO    ========================================================================
          2017-08-18 14:27:05,725+02 INFO    ============================== Execution ===============================
          2017-08-18 14:27:05,726+02 INFO    ========================================================================
          2017-08-18 14:27:05,727+02 INFO    Iteration: 0
          2017-08-18 14:27:05,734+02 INFO    Profile='openldap.lab.com' authn='openldap.lab.eng.com-authn' authz='openldap.lab.com' mapping='null'
          2017-08-18 14:27:05,735+02 INFO    API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='openldap.lab.com' user='uid=user1,ou=Users,dc=openldap,dc=lab,dc=com'
          2017-08-18 14:27:05,898+02 INFO    API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='openldap.lab.com' result=CREDENTIALS_INVALID
          2017-08-18 14:27:05,929+02 SEVERE  Authn.Result code is: CREDENTIALS_INVALID
[ ERROR ] Login sequence failed

Expected results:
Successful login on setup.

Additional info:
Failure is caused by sending the whole DN for authentication instead of just the uid.
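
A triage sketch for the failure shown in the log above, added here as an example and not part of the original report or of the oVirt code: it pairs each AUTHENTICATE_CREDENTIALS request with its response and flags CREDENTIALS_INVALID results where the submitted user name is a full DN. The sample log is constructed in the format of the output above, and the DN test is a heuristic that ignores escaped commas.

```python
import re

# Constructed sample: the failing pair mirrors the report; the second pair is invented.
SAMPLE_LOG = """\
2017-08-18 14:27:05,735+02 INFO    API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='openldap.lab.com' user='uid=user1,ou=Users,dc=openldap,dc=lab,dc=com'
2017-08-18 14:27:05,898+02 INFO    API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='openldap.lab.com' result=CREDENTIALS_INVALID
2017-08-18 14:30:11,120+02 INFO    API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='openldap.lab.com' user='user1'
2017-08-18 14:30:11,301+02 INFO    API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='openldap.lab.com' result=SUCCESS
"""

CMD = r"Authn\.InvokeCommands\.AUTHENTICATE_CREDENTIALS"
REQ = re.compile(r"API: -->" + CMD + r" profile='([^']*)' user='([^']*)'")
RSP = re.compile(r"API: <--" + CMD + r" profile='([^']*)' result=(\w+)")
# Heuristic: two or more comma-separated attr=value components.
DN = re.compile(r"\s*[A-Za-z][\w.-]*=[^,]+(\s*,\s*[A-Za-z][\w.-]*=[^,]+)+\s*")


def looks_like_dn(name):
    """True when the login name has the shape of an LDAP distinguished name."""
    return bool(DN.fullmatch(name))


def triage(log_text):
    """Pair requests with responses per profile and flag DN-as-login failures."""
    pending = {}   # profile -> user name from the last unanswered request
    findings = []
    for line in log_text.splitlines():
        m = REQ.search(line)
        if m:
            pending[m.group(1)] = m.group(2)
            continue
        m = RSP.search(line)
        if m and m.group(1) in pending:
            user = pending.pop(m.group(1))
            result = m.group(2)
            findings.append({
                "profile": m.group(1),
                "user": user,
                "result": result,
                # A rejected login whose name is a DN points at the name format,
                # not necessarily at a wrong password.
                "dn_as_login": result == "CREDENTIALS_INVALID" and looks_like_dn(user),
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```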

Comment 1 Martin Perina 2017-08-28 10:44:19 UTC
Fix is included in ovirt-engine-extension-aaa-ldap-1.3.4

Comment 2 Gonza 2017-09-04 11:13:24 UTC
Verified with:
ovirt-engine-extension-aaa-ldap-setup-1.3.5-0.0.master.git7230cd9.el7.centos.noarch

...
[ INFO  ] Login sequence executed successfully
...

