Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
Description of problem:
LDAP Authentication when filtered with Universal Groups fails to authenticate users
Version-Release number of selected component (if applicable):
Satellite 6.2.11
How reproducible:
100%
Steps to Reproduce:
1. Create User Groups in Active Directory as follows
Sat6-Admins -----> user1 is a member of this Admins group
Sat6-Viewers -----> user2 is a member of this viewer group
Sat6-Groups ----> This is a universal group i.e. Sat6-Admins and Sat6-Viewers are members of it.
2. Create an LDAP Authentication on WebUI and specify LDAP filter as below
(&(objectCategory=person)(objectclass=user)(memberOf=CN=Sat6-Groups,OU=RedHat-GSS,DC=lab,DC=example,DC=com))
3. Now user1 and user2 are unable to authenticate in Satellite
Actual results:
LDAP filter configured on the nested groups is causing an issue, as it doesn't recognize the second-level members
Expected results:
Nested groups should be supported and users who are members of nested groups should be able to authenticate with Satellite 6.
Additional info:
irb(main):036:0> AuthSourceLdap.all
=> #<ActiveRecord::Relation [#<AuthSourceLdap id: 3, type: "AuthSourceLdap", name: "AD Authentication", host: "windows.lab.example.com", port: 389, account: "LAB\\sat6svc", account_password: "encrypted-OVBnTElURm1pVmd6Q09BMHMzM25ZR1RWZHVobDEx...", base_dn: "DC=lab,DC=example,DC=com", attr_login: "sAMAccountName", attr_firstname: "givenName", attr_lastname: "sn", attr_mail: "mail", onthefly_register: true, tls: false, created_at: "2017-08-16 14:11:49", updated_at: "2017-08-21 09:24:04", ldap_filter: "(&(objectCategory=person)(objectclass=user)(member...", attr_photo: "", server_type: "active_directory", groups_base: "DC=lab,DC=example,DC=com", usergroup_sync: true>]>
irb(main):002:0> source_now = AuthSourceLdap.find_by_id(3)
=> #<AuthSourceLdap id: 3, type: "AuthSourceLdap", name: "AD Authentication", host: "windows.lab.example.com", port: 389, account: "LAB\\sat6svc", account_password: "encrypted-OVBnTElURm1pVmd6Q09BMHMzM25ZR1RWZHVobDEx...", base_dn: "DC=lab,DC=example,DC=com", attr_login: "sAMAccountName", attr_firstname: "givenName", attr_lastname: "sn", attr_mail: "mail", onthefly_register: true, tls: false, created_at: "2017-08-16 14:11:49", updated_at: "2017-08-21 09:24:04", ldap_filter: "(&(objectCategory=person)(objectclass=user)(member...", attr_photo: "", server_type: "active_directory", groups_base: "DC=lab,DC=example,DC=com", usergroup_sync: true>
irb(main):003:0> conn = source_now.ldap_con
Successfully decrypted field for AuthSourceLdap AD Authentication
=> #<LdapFluff:0x0000000c3be5c8 @ldap=#<LdapFluff::ActiveDirectory:0x0000000c3bd4c0 @ldap=#<Net::LDAP:0x0000000c3bd470 @host="windows.lab.example.com", @port=389, @hosts=nil, @verbose=false, @auth={:method=>:anonymous}, @base="DC=lab,DC=example,DC=com", @force_no_page=false, @encryption=nil, @connect_timeout=nil, @instrumentation_service=ActiveSupport::Notifications, @open_connection=nil>, @bind_user="LAB\\sat6svc", @bind_pass="p@55w0Rd1", @anon=false, @attr_login="sAMAccountName", @base="DC=lab,DC=example,DC=com", @group_base="DC=lab,DC=example,DC=com", @member_service=#<LdapFluff::ActiveDirectory::MemberService:0x0000000c3bd448 @attr_login="sAMAccountName", @ldap=#<Net::LDAP:0x0000000c3bd470 @host="windows.lab.example.com", @port=389, @hosts=nil, @verbose=false, @auth={:method=>:anonymous}, @base="DC=lab,DC=example,DC=com", @force_no_page=false, @encryption=nil, @connect_timeout=nil, @instrumentation_service=ActiveSupport::Notifications, @open_connection=nil>, @base="DC=lab,DC=example,DC=com", @group_base="DC=lab,DC=example,DC=com", @search_filter=#<Net::LDAP::Filter:0x0000000c3bc278 @op=:and, @left=#<Net::LDAP::Filter:0x0000000c3bc2a0 @op=:and, @left=#<Net::LDAP::Filter:0x0000000c3bcb60 @op=:eq, @left="objectCategory", @right="person">, @right=#<Net::LDAP::Filter:0x0000000c3bc5e8 @op=:eq, @left="objectclass", @right="user">>, @right=#<Net::LDAP::Filter:0x0000000c3bc340 @op=:eq, @left="memberOf", @right="CN=Sat6-Groups,OU=RedHat-GSS,DC=lab,DC=example,DC=com">>>>, @instrumentation_service=ActiveSupport::Notifications>
irb(main):004:0> conn.valid_user?('user1')
=> false
irb(main):004:0> conn.valid_user?('user2')
=> false
irb(main):004:0> conn.valid_group?('Sat6-Admins')
=> true
irb(main):004:0> conn.valid_group?('Sat6-Viewers')
=> true
So it basically recognizes the Groups, but not members of the nested groups.
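The behaviour in the irb session is the standard LDAP meaning of memberOf: it is a back-link of the group's member attribute and lists only direct memberships, so (memberOf=CN=Sat6-Groups,...) matches neither user1 nor user2, whose memberOf holds Sat6-Admins and Sat6-Viewers respectively. Active Directory (server_type "active_directory" in the report) offers the LDAP_MATCHING_RULE_IN_CHAIN extensible match, OID 1.2.840.113556.1.4.1941, which makes the same clause walk nested groups. The following is an added example, not code from the bug report, Satellite or Foreman: an in-memory model of the objects in the report that evaluates the reporter's filter with both semantics. The user DNs (CN=user1 and CN=user2 under OU=RedHat-GSS) are assumed, since the report gives only the group DN; whether the Satellite 6.2.11 filter field accepts the extensible-match syntax is not stated on this page and should be confirmed, for example by running the nested filter with ldapsearch bound as LAB\sat6svc before saving it in the auth source. Note also that the auth source runs with tls: false on port 389 (@encryption=nil), so the bind password shown in the session travels in cleartext.

```ruby
# Added example; not code from the bug report, Satellite or Foreman.
# A tiny in-memory model of the AD objects in the report. It shows why the
# filter (memberOf=<Sat6-Groups DN>) matches nobody (memberOf holds direct
# memberships only) and how AD's LDAP_MATCHING_RULE_IN_CHAIN rule
# (OID 1.2.840.113556.1.4.1941) makes the same clause follow nested groups.
# The user DNs (CN=user1/user2 under OU=RedHat-GSS) are assumed; the report
# only gives the group DN.

BASE       = 'OU=RedHat-GSS,DC=lab,DC=example,DC=com'
GROUPS_DN  = "CN=Sat6-Groups,#{BASE}"
ADMINS_DN  = "CN=Sat6-Admins,#{BASE}"
VIEWERS_DN = "CN=Sat6-Viewers,#{BASE}"
USER1_DN   = "CN=user1,#{BASE}"   # assumed location
USER2_DN   = "CN=user2,#{BASE}"   # assumed location

IN_CHAIN = '1.2.840.113556.1.4.1941'

# Constructed directory (DN => attributes). In AD, memberOf is a back-link of
# the group's member attribute, so it lists only the groups an object is a
# direct member of: user1's memberOf is Sat6-Admins, not Sat6-Groups.
# objectCategory is shortened to its display name for the model.
DIRECTORY = {
  GROUPS_DN  => { 'objectCategory' => 'group',  'objectClass' => %w[top group],
                  'member' => [ADMINS_DN, VIEWERS_DN], 'memberOf' => [] },
  ADMINS_DN  => { 'objectCategory' => 'group',  'objectClass' => %w[top group],
                  'member' => [USER1_DN], 'memberOf' => [GROUPS_DN] },
  VIEWERS_DN => { 'objectCategory' => 'group',  'objectClass' => %w[top group],
                  'member' => [USER2_DN], 'memberOf' => [GROUPS_DN] },
  USER1_DN   => { 'objectCategory' => 'person', 'objectClass' => %w[top person user],
                  'sAMAccountName' => 'user1', 'memberOf' => [ADMINS_DN] },
  USER2_DN   => { 'objectCategory' => 'person', 'objectClass' => %w[top person user],
                  'sAMAccountName' => 'user2', 'memberOf' => [VIEWERS_DN] },
}.freeze

# Plain equality match: what (memberOf=<dn>) does on every LDAP server.
def direct_member_of?(dn, group_dn)
  DIRECTORY.fetch(dn)['memberOf'].include?(group_dn)
end

# Transitive match: what (memberOf:1.2.840.113556.1.4.1941:=<dn>) does on AD.
# Walks memberOf upward; 'seen' guards against circular group nesting.
def member_of_chain?(dn, group_dn, seen = {})
  return false if seen[dn]
  seen[dn] = true
  DIRECTORY.fetch(dn)['memberOf'].any? do |g|
    g == group_dn || member_of_chain?(g, group_dn, seen)
  end
end

# The filter string for Satellite's "LDAP filter" field: the reporter's
# filter as-is (nested: false) or with the in-chain rule (nested: true).
def satellite_filter(group_dn, nested:)
  member_clause = nested ? "(memberOf:#{IN_CHAIN}:=#{group_dn})" : "(memberOf=#{group_dn})"
  "(&(objectCategory=person)(objectclass=user)#{member_clause})"
end

# Evaluate that filter against the model: the objectCategory/objectClass terms
# plus the chosen memberOf semantics. Returns matched sAMAccountNames, sorted.
def users_matching(group_dn, nested:)
  DIRECTORY.select do |dn, attrs|
    attrs['objectCategory'] == 'person' &&
      attrs['objectClass'].map(&:downcase).include?('user') &&
      (nested ? member_of_chain?(dn, group_dn) : direct_member_of?(dn, group_dn))
  end.values.map { |a| a['sAMAccountName'] }.sort
end

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |nested|
    puts satellite_filter(GROUPS_DN, nested: nested)
    puts "  matches: #{users_matching(GROUPS_DN, nested: nested).inspect}"
  end
end
```

The reporter's filter yields an empty match set in the model, which is the "=> false" seen for valid_user? in the session, while the in-chain variant returns both user1 and user2. The in-chain rule is AD-specific (an OpenLDAP or FreeIPA server will not honour it), and because the server resolves the whole group graph per search it can be noticeably slower on large directories, so keep the group tree shallow and scope base_dn as tightly as possible.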