Description of problem:
Configuring MIQLDAP for LDAP with AD both with UPN and CN user types fails with a ruby stack trace. Appliance is configured in the UI for External Auth, but logins fail.

Version-Release number of selected component (if applicable):
5.9.0.17

How reproducible:

Steps to Reproduce:
1. Configure MIQLDAP for LDAP against AD.
2. Test that user can log in and shows up in users table.
3. Take snapshot of VM per docs.
4. In ssh shell run miqldap_to_sssd with no parameters.

Actual results:
Ruby errors out.

[root@dhcp-8-198-52 ~]# miqldap_to_sssd
Converting from unsecured LDAP authentication to SSSD. This is dangerous. Passwords are not encrypted
/opt/rh/cfme-gemset/gems/awesome_spawn-1.4.1/lib/awesome_spawn.rb:105:in `run!': /bin/systemctl exit code: 1 (AwesomeSpawn::CommandResultError)
	from /opt/rh/cfme-gemset/gems/linux_admin-1.2.0/lib/linux_admin/common.rb:24:in `run!'
	from /opt/rh/cfme-gemset/gems/linux_admin-1.2.0/lib/linux_admin/service/systemd_service.rb:18:in `start'
	from /opt/rh/cfme-gemset/gems/linux_admin-1.2.0/lib/linux_admin/service/systemd_service.rb:33:in `restart'
	from /var/www/miq/vmdb/tools/miqldap_to_sssd/services.rb:14:in `restart'
	from /var/www/miq/vmdb/tools/miqldap_to_sssd/converter.rb:24:in `run'
	from /var/www/miq/vmdb/tools/miqldap_to_sssd/cli.rb:48:in `run'
	from /var/www/miq/vmdb/tools/miqldap_to_sssd/cli.rb:52:in `run'
	from tools/miqldap_to_sssd.rb:34:in `<module:MiqLdapToSssd>'
	from tools/miqldap_to_sssd.rb:27:in `<main>'

Expected results:
Conversion should complete without errors.

Additional info:
Also WebUI shows configured for External Auth but no users can log in.
Matt,

User Type of Distinguished Name CN= is not supported on AD, only on an LDAP IdP. If you can get an appliance that depicts this please file a new BZ.

The UPN failure you are seeing is because you, wisely, entered the base_dn in mixed case and the miqldap_to_sssd tool needs to be updated to handle mixed case. I'll post a PR soon.

JoeV
Per discussion with JoeV, CN= is sort of supported, but a low use case and miqldap_to_sssd does not consider CN= an AD configuration type. In any case I've split off the CN= portion of this bug into https://bugzilla.redhat.com/show_bug.cgi?id=1540725 so it can be handled differently due to its low occurrence of being a configuration that's used.
https://github.com/ManageIQ/manageiq/pull/16925
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/11e3f8c0ba07fc1f62312a0387ed6cda456b629e

commit 11e3f8c0ba07fc1f62312a0387ed6cda456b629e
Author:     Joe VLcek <jvlcek>
AuthorDate: Wed Jan 31 17:15:27 2018 -0500
Commit:     Joe VLcek <jvlcek>
CommitDate: Fri Feb 2 13:14:37 2018 -0500

    Support mixed case basedn.

    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1536663

 .../miqldap_to_sssd/miqldap_configuration_spec.rb | 28 ++++++++++++++++++++++
 tools/miqldap_to_sssd/miqldap_configuration.rb    |  2 +-
 2 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 spec/tools/miqldap_to_sssd/miqldap_configuration_spec.rb
Tested in CFME 5.10.0.30.20181218191323_900a416.

I configured MIQLDAP for Active Directory, with UPN user type. Conversion via miqldap_to_sssd was successful, and I was able to log in as an Active Directory user.