Bug 1485875 - [downstream clone - 4.1.6] AAA LDAP setup does not add baseDN to *-authn.properties
Summary: [downstream clone - 4.1.6] AAA LDAP setup does not add baseDN to *-authn.prop...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-extension-aaa-ldap
Version: unspecified
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ovirt-4.1.6
: ---
Assignee: Ondra Machacek
QA Contact: Gonza
URL:
Whiteboard:
Depends On: 1476980
Blocks:
Reported: 2017-08-28 10:46 UTC by rhev-integ
Modified: 2020-09-10 11:19 UTC (History)

Fixed In Version: ovirt-engine-extension-aaa-ldap-1.3.4
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1476980
Environment:
Last Closed: 2017-09-19 07:16:21 UTC
oVirt Team: Infra
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2743 0 normal SHIPPED_LIVE ovirt-engine-extension-aaa-ldap bug fix and enhancement update for RHV 4.1.6 2017-09-19 11:11:44 UTC
oVirt gerrit 80100 0 None None None 2017-08-28 10:47:28 UTC

Description rhev-integ 2017-08-28 10:46:03 UTC
+++ This bug is an upstream to downstream clone. The original bug is: +++
+++   bug 1476980 +++
======================================================================

Description of problem:
When you run ovirt-engine-extension-aaa-ldap-setup and set baseDN (dc=example,dc=com), it does not add the line

config.globals.baseDN.simple_baseDN = dc=example,dc=com

to the -authn.properties file.

Login test fails.


Version-Release number of selected component (if applicable):
ovirt-engine-extension-aaa-ldap-setup-1.3.2-1.el7.centos.noarch

How reproducible:
Always

Steps to Reproduce:
1. Run AAA LDAP setup with non-default baseDN
2. Try Search: PASS
3. Try Login: FAIL!

Actual results:
Search test passes
Login test always fails


Expected results:
Search test passes
Login test passes


Additional info:

The line config.globals.baseDN.simple_baseDN = dc=example,dc=com
is added to extensions.d/*-authz.properties but not extensions.d/*-authn.properties

(Originally by rc556677)
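The mismatch the reporter found (baseDN written to the authz file but not to the authn file of the same profile) can be caught before the login test is even run. The following checker is an added example, not part of the bug report or of ovirt-engine-extension-aaa-ldap: it parses the *-authn.properties and *-authz.properties files in an extensions.d directory, pairs each authn file with the authz file it names via ovirt.engine.aaa.authn.authz.plugin (the key shown later in this report), and reports when config.globals.baseDN.simple_baseDN is missing from one side or differs between the two. The sample files it runs against are constructed inline from the property keys shown on this page; the authz file contents and the second "good" profile are assumptions, not configs from the page.

```python
"""Check that oVirt AAA LDAP authn/authz property pairs agree on the base DN.

Added example, not project code. Assumes the property keys seen in this bug
report; the sample files are constructed for the demo and are not real
configs.
"""
import re
import tempfile
from pathlib import Path

BASEDN_KEY = "config.globals.baseDN.simple_baseDN"
AUTHZ_PLUGIN_KEY = "ovirt.engine.aaa.authn.authz.plugin"
EXT_NAME_KEY = "ovirt.engine.extension.name"


def parse_properties(text):
    """Minimal Java .properties parser: 'key = value' lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_profile(authn, authz):
    """Return a list of findings for one authn/authz pair; [] means consistent."""
    findings = []
    plugin = authn.get(AUTHZ_PLUGIN_KEY)
    if plugin != authz.get(EXT_NAME_KEY):
        findings.append(f"authn names authz plugin {plugin!r} but authz file is "
                        f"{authz.get(EXT_NAME_KEY)!r}")
    n, z = authn.get(BASEDN_KEY), authz.get(BASEDN_KEY)
    if n is None and z is not None:
        # This is the situation in the bug: login searches the wrong base DN.
        findings.append(f"{BASEDN_KEY} = {z} set in authz but missing from authn")
    elif z is None and n is not None:
        findings.append(f"{BASEDN_KEY} = {n} set in authn but missing from authz")
    elif n is not None and n != z:
        findings.append(f"{BASEDN_KEY} differs: authn={n} authz={z}")
    return findings


def check_directory(extensions_d):
    """Map each *-authn.properties file name to its findings."""
    extensions_d = Path(extensions_d)
    authz_by_name = {}
    for path in extensions_d.glob("*-authz.properties"):
        props = parse_properties(path.read_text())
        authz_by_name[props.get(EXT_NAME_KEY)] = props
    report = {}
    for path in sorted(extensions_d.glob("*-authn.properties")):
        authn = parse_properties(path.read_text())
        authz = authz_by_name.get(authn.get(AUTHZ_PLUGIN_KEY))
        if authz is None:
            report[path.name] = [f"no *-authz.properties with {EXT_NAME_KEY} = "
                                 f"{authn.get(AUTHZ_PLUGIN_KEY)!r}"]
        else:
            report[path.name] = check_profile(authn, authz)
    return report


# Constructed sample files. The authn file mirrors the one quoted in the bug
# (no baseDN line); the authz file and the "good" profile are assumptions.
BROKEN_AUTHN = """ovirt.engine.extension.name = example.com-authn
ovirt.engine.aaa.authn.profile.name = example.com
ovirt.engine.aaa.authn.authz.plugin = example.com
config.profile.file.1 = ../aaa/example.com.properties
"""
BROKEN_AUTHZ = """ovirt.engine.extension.name = example.com
config.profile.file.1 = ../aaa/example.com.properties
config.globals.baseDN.simple_baseDN = dc=example,dc=com
"""
GOOD_AUTHN = """ovirt.engine.extension.name = good.test-authn
ovirt.engine.aaa.authn.authz.plugin = good.test
config.globals.baseDN.simple_baseDN = dc=good,dc=test
"""
GOOD_AUTHZ = """ovirt.engine.extension.name = good.test
config.globals.baseDN.simple_baseDN = dc=good,dc=test
"""


def run_demo():
    """Write the constructed files to a temp dir and return the check report."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "example.com-authn.properties").write_text(BROKEN_AUTHN)
        (d / "example.com-authz.properties").write_text(BROKEN_AUTHZ)
        (d / "good.test-authn.properties").write_text(GOOD_AUTHN)
        (d / "good.test-authz.properties").write_text(GOOD_AUTHZ)
        return check_directory(d)


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name, "OK" if not findings else findings)
```

Run it against a real /etc/ovirt-engine/extensions.d by calling check_directory on that path; an empty list for every authn file means both halves of each profile agree on the base DN.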

Comment 1 rhev-integ 2017-08-28 10:46:11 UTC
This is from a system upgrade 3.6->4.0-4.1.

For some reason, the LDAP configuration for 3.6 didn't work (the simple_baseDN was set by using var_set in the aaa/ profile), so LDAP setup was run anew.

## this didn't work in 4.0/4.1 any more :-(
## 3.6 working config
## ran LDAP setup anew...
sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
sequence.my-basedn-init-vars.010.description = set baseDN
sequence.my-basedn-init-vars.010.type = var-set
sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
sequence.my-basedn-init-vars.010.var-set.value = dc=example,dc=com

(Originally by rc556677)

Comment 3 rhev-integ 2017-08-28 10:46:17 UTC
There's no reason why AAA configuration from 3.6 stops working on 4.x, could you please provide logs with the issue?

(Originally by Martin Perina)

Comment 4 rhev-integ 2017-08-28 10:46:21 UTC
When I delete the lines

config.globals.baseDN.simple_baseDN = dc=example,dc=com

from extensions.d/example-authn.properties extensions.d/example-authz.properties and restore

in aaa/example.properties

sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
sequence.my-basedn-init-vars.010.description = set baseDN
sequence.my-basedn-init-vars.010.type = var-set
sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
sequence.my-basedn-init-vars.010.var-set.value = dc=example,dc=com

my configuration now works. Can't reproduce 3.6->4.1 issue now.

This is a false alarm.

The original issue with a fresh 4.1 omitting 

config.globals.baseDN.simple_baseDN = dc=example,dc=com

from extensions.d/example-authn.properties  remains.

Running the setup I cannot get the Login test to pass.

(Originally by rc556677)

Comment 5 rhev-integ 2017-08-28 10:46:26 UTC
Can you please share log?

(Originally by Ondra Machacek)

Comment 6 rhev-integ 2017-08-28 10:46:31 UTC
Log from Login test during setup

[root@ovirt extensions.d]# cat /tmp/tmpH3Ijdg/extensions.d/example.com-authn.properties
ovirt.engine.extension.name = example.com-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = example.com
ovirt.engine.aaa.authn.authz.plugin = example.com
config.profile.file.1 = ../aaa/example.com.properties

Executing login sequence...
Login output:
2017-08-01 21:35:40,842+08 INFO    ========================================================================
2017-08-01 21:35:40,856+08 INFO    ============================ Initialization ============================
2017-08-01 21:35:40,856+08 INFO    ========================================================================
2017-08-01 21:35:40,867+08 INFO    Loading extension 'example.com-authn'
2017-08-01 21:35:40,912+08 INFO    Extension 'example.com-authn' loaded
2017-08-01 21:35:40,915+08 INFO    Loading extension 'example.com'
2017-08-01 21:35:40,921+08 INFO    Extension 'example.com' loaded
2017-08-01 21:35:40,922+08 INFO    Initializing extension 'example.com-authn'
2017-08-01 21:35:40,923+08 INFO    [ovirt-engine-extension-aaa-ldap.authn::example.com-authn] Creating LDAP pool 'authz'
2017-08-01 21:35:41,365+08 INFO    [ovirt-engine-extension-aaa-ldap.authn::example.com-authn] LDAP pool 'authz' information: vendor='null' version='null'
2017-08-01 21:35:41,366+08 INFO    [ovirt-engine-extension-aaa-ldap.authn::example.com-authn] Creating LDAP pool 'authn'
2017-08-01 21:35:41,626+08 INFO    [ovirt-engine-extension-aaa-ldap.authn::example.com-authn] LDAP pool 'authn' information: vendor='null' version='null'
2017-08-01 21:35:41,640+08 INFO    Extension 'example.com-authn' initialized
2017-08-01 21:35:41,641+08 INFO    Initializing extension 'example.com'
2017-08-01 21:35:41,641+08 INFO    [ovirt-engine-extension-aaa-ldap.authz::example.com] Creating LDAP pool 'authz'
2017-08-01 21:35:41,864+08 INFO    [ovirt-engine-extension-aaa-ldap.authz::example.com] LDAP pool 'authz' information: vendor='null' version='null'
2017-08-01 21:35:41,868+08 INFO    [ovirt-engine-extension-aaa-ldap.authz::example.com] Available Namespaces: [dc=example,dc=com]
2017-08-01 21:35:41,869+08 INFO    Extension 'example.com' initialized
2017-08-01 21:35:41,869+08 INFO    Start of enabled extensions list
2017-08-01 21:35:41,869+08 INFO    Instance name: 'example.com-authn', Extension name: 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.3.2', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.3.2-1.el7.centos', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0',  File: '/tmp/tmpH3Ijdg/extensions.d/example.com-authn.properties', Initialized: 'true'
2017-08-01 21:35:41,869+08 INFO    Instance name: 'example.com', Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.3.2', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.3.2-1.el7.centos', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0',  File: '/tmp/tmpH3Ijdg/extensions.d/example.com-authz.properties', Initialized: 'true'
2017-08-01 21:35:41,870+08 INFO    End of enabled extensions list
2017-08-01 21:35:41,870+08 INFO    ========================================================================
2017-08-01 21:35:41,870+08 INFO    ============================== Execution ===============================
2017-08-01 21:35:41,870+08 INFO    ========================================================================
2017-08-01 21:35:41,870+08 INFO    Iteration: 0
2017-08-01 21:35:41,871+08 INFO    Profile='example.com' authn='example.com-authn' authz='example.com' mapping='null'
2017-08-01 21:35:41,871+08 INFO    API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='example.com' user='testuser'
2017-08-01 21:35:41,875+08 INFO    API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='example.com' result=CREDENTIALS_INVALID
2017-08-01 21:35:41,876+08 SEVERE  Authn.Result code is: CREDENTIALS_INVALID
Login sequence failed
          Please investigate details of the failure (search for lines containing SEVERE log level).


On OpenLDAP

'dc=my-domain,dc=com' is another root DN on the same OpenLDAP server used as a testing ground

Aug 01 21:35:41 piston.tbs slapd[3779]: conn=20555 op=2 SRCH base="dc=my-domain,dc=com" scope=2 deref=0 filter="(&(objectClass=uidObject)(uid=*)(uid=testuser))"

(Originally by rc556677)

Comment 7 rhev-integ 2017-08-28 10:46:38 UTC
This OpenLDAP server has two root DNs, which setup detects and offers during:

Please enter base DN (dc=my-domain,dc=com,dc=example,dc=com) [dc=my-domain,dc=com]: dc=example,dc=com

It saves the correct baseDN in -authz but not in -authn

(Originally by rc556677)

Comment 8 rhev-integ 2017-08-28 10:46:43 UTC
Before the Login test, if I manually edit

/tmp/tmpHzr1iT/extensions.d/example.com-authn.properties to add
config.globals.baseDN.simple_baseDN = o=TreeBox,c=SG

then the Login test works.

(Originally by rc556677)

Comment 9 rhev-integ 2017-08-28 10:46:48 UTC
Sorry - the testing baseDN should be dc=example,dc=com, sent the logs from the wrong system

(Originally by rc556677)

Comment 10 rhev-integ 2017-08-28 10:46:53 UTC
Right, I've just reproduced it, thanks a lot, I will send a fix.

(Originally by Ondra Machacek)

Comment 11 rhev-integ 2017-08-28 10:46:59 UTC
Karma +1: I have tested the patch in https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=commit;h=860a2add012370b660afc40b3409641f829cb7c5 and can confirm that it fixes my issue.

Thank you.

(Originally by rc556677)

Comment 12 rhev-integ 2017-08-28 10:47:05 UTC
Fix is going to be delivered in ovirt-engine-extension-aaa-ldap-1.3.3

(Originally by Martin Perina)

Comment 13 rhev-integ 2017-08-28 10:47:11 UTC
Retargeting to ovirt-4.1.6

(Originally by Martin Perina)

Comment 14 rhev-integ 2017-08-28 10:47:17 UTC
Fix is included in ovirt-engine-extension-aaa-ldap-1.3.4

(Originally by Martin Perina)

Comment 16 Gonza 2017-09-04 12:01:08 UTC
Verified with:
ovirt-engine-extension-aaa-ldap-setup-1.3.5-0.0.master.git7230cd9.el7.centos.noarch

# cat /etc/ovirt-engine/extensions.d/brq-openldap.com-authn.properties
...
config.globals.baseDN.simple_baseDN = dc=brq-openldap,dc=com

Comment 18 errata-xmlrpc 2017-09-19 07:16:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2743

Comment 19 Daniel Gur 2019-08-28 12:57:42 UTC
sync2jira

Comment 20 Daniel Gur 2019-08-28 13:02:18 UTC
sync2jira

Comment 21 Daniel Gur 2019-08-28 13:11:39 UTC
sync2jira

Comment 22 Daniel Gur 2019-08-28 13:15:51 UTC
sync2jira
