Bug 1538813 - Auth MIQLDAP AD - Users can't log in to console after miqldap_to_sssd conversion
Summary: Auth MIQLDAP AD - Users can't log in to console after miqldap_to_sssd conversion
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Appliance
Version: 5.9.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: GA
Target Release: 5.10.0
Assignee: Joe Vlcek
QA Contact: Mike Shriver
URL:
Whiteboard: auth:miqldap:externalauth:ad
Depends On:
Blocks: 1552785
Reported: 2018-01-25 21:42 UTC by Matt Pusateri
Modified: 2019-02-11 14:06 UTC

Fixed In Version: 5.10.0.0
Doc Type: Bug Fix
Doc Text:
See the full doc at: http://manageiq.org/blog/2017/09/miqldap-to-sssd/
Clone Of:
Clones: 1552785
Environment:
Last Closed: 2019-02-11 14:06:03 UTC
Category: ---
Cloudforms Team: CFME Core
Target Upstream Version:
Embargoed:


Description Matt Pusateri 2018-01-25 21:42:36 UTC
Description of problem:

Auth MIQLDAP AD - Users can't log in to console after miqldap_to_sssd conversion. MIQLDAP was set up with AD and was working for UPN users without getting groups from LDAP.


Version-Release number of selected component (if applicable):
5.9.0.17

How reproducible:


Steps to Reproduce:
1. Configure MIQLDAP for AD with UPN. 
2. Do not get groups from LDAP
3. Manually enter users in UPN username format.
4. Run SSSD conversion miqldap_to_sssd --basedn-domain ad.cloudqe.bos.redhat.com

Actual results:
User cannot log in and dbus-send commands fail; audit.log shows the user is unknown to the underlying authentication server.

Expected results:
User can log in. 

Additional info:

dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserAttr string:test-user1 array:string:mail,givenname,sn,displayname
Error org.freedesktop.DBus.Error.Failed: No such user

Comment 2 Dave Johnson 2018-01-25 21:44:11 UTC
Please assess the impact of this issue and update the severity accordingly.  Please refer to https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity for a reminder on each severity's definition.

If it's something like a tracker bug where it doesn't matter, please set the severity to Low.

Comment 5 CFME Bot 2018-02-13 14:12:03 UTC
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/6b5df3ea0d33b5711566c5092ed93448486502f8

commit 6b5df3ea0d33b5711566c5092ed93448486502f8
Author:     Joe VLcek <jvlcek>
AuthorDate: Thu Feb 8 17:55:10 2018 -0500
Commit:     Joe VLcek <jvlcek>
CommitDate: Thu Feb 8 17:55:10 2018 -0500

    Add support for bind dn and bind pwd on the command line.
    
    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1538813
    
    When mode is ldaps certificates must be provided.
    
    When mode is ldap, bind dn and bind pwd must be provided, either
    in the authentication settings or on the command line.
    
    e.g: miqldap_to_sssd -b "cn=Manager,dc=example,dc=com" -p "password" -d "example.com"

 spec/tools/miqldap_to_sssd/cli_spec.rb             | 10 +++++++
 .../miqldap_to_sssd/miqldap_configuration_spec.rb  | 34 +++++++++++++++++++---
 tools/miqldap_to_sssd/cli.rb                       | 12 ++++++++
 tools/miqldap_to_sssd/miqldap_configuration.rb     | 22 ++++++++++++++
 4 files changed, 74 insertions(+), 4 deletions(-)
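The rule in the commit message above (ldaps needs certificates; ldap needs a bind DN and bind password from either the stored authentication settings or the new -b/-p/-d command-line options), together with the dbus-send InfoPipe check from the bug description, as an added example. This is illustration code written for this page, not ManageIQ's miqldap_to_sssd tool: the settings hash, the long option names --bind-dn and --bind-pwd, the derivation of a domain from the base DN, and the sample dbus-send outputs are all assumptions or constructed inputs.

```ruby
# Added example (not ManageIQ code). Models the preflight rule the fix adds to
# miqldap_to_sssd and classifies the dbus-send reply used to diagnose the bug.
require 'optparse'

# Hypothetical stand-in for the MIQLDAP authentication settings the tool reads.
# A UPN-only AD configuration that does not fetch groups has no bind_dn/bind_pwd,
# which is the situation in the bug report. Values are constructed.
MIQLDAP_SETTINGS_NO_GROUPS = {
  mode: 'ldap',
  ldaphost: 'ad.example.com',
  basedn: 'dc=ad,dc=example,dc=com',
  bind_dn: nil,
  bind_pwd: nil,
  ldaps_cert: nil
}.freeze

# Derive a DNS domain from an LDAP base DN, e.g. dc=ad,dc=example,dc=com -> ad.example.com.
# Assumption: this is what a --basedn-domain / -d argument would carry when it is omitted.
def domain_from_basedn(basedn)
  dcs = basedn.split(',').map(&:strip)
              .select { |rdn| rdn.downcase.start_with?('dc=') }
              .map { |rdn| rdn.split('=', 2).last }
  dcs.empty? ? nil : dcs.join('.')
end

# Parse the short options named in the commit message (-b, -p, -d).
# The long forms --bind-dn and --bind-pwd are assumptions; --basedn-domain appears in the report.
def parse_cli(argv)
  opts = {}
  OptionParser.new do |o|
    o.on('-b', '--bind-dn DN')          { |v| opts[:bind_dn]  = v }
    o.on('-p', '--bind-pwd PWD')        { |v| opts[:bind_pwd] = v }
    o.on('-d', '--basedn-domain DOMAIN') { |v| opts[:domain]  = v }
  end.parse!(argv.dup)
  opts
end

# Merge command-line values over the stored settings and apply the rule from the fix:
#   mode ldaps -> certificates must be provided
#   mode ldap  -> bind DN and bind password must be provided (settings or command line)
# Returns [ok, message, resolved_settings].
def resolve_conversion_options(settings, cli)
  resolved = settings.merge(cli.reject { |_, v| v.nil? })
  resolved[:domain] ||= domain_from_basedn(resolved[:basedn].to_s)
  missing = []
  case resolved[:mode]
  when 'ldaps'
    missing << 'ldaps certificate' if resolved[:ldaps_cert].to_s.empty?
  when 'ldap'
    missing << 'bind DN (-b)'       if resolved[:bind_dn].to_s.empty?
    missing << 'bind password (-p)' if resolved[:bind_pwd].to_s.empty?
  else
    missing << "unsupported mode #{resolved[:mode].inspect}"
  end
  missing << 'domain (-d)' if resolved[:domain].to_s.empty?
  return [false, "miqldap_to_sssd needs: #{missing.join(', ')}", resolved] unless missing.empty?
  [true, 'ok', resolved]
end

# Classify the text printed by
#   dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \
#     /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserAttr ...
# :unknown_user is the failure quoted in the bug; :known means SSSD returned attributes.
def sssd_user_state(dbus_output)
  return :unknown_user if dbus_output =~ /org\.freedesktop\.DBus\.Error\.Failed: No such user/
  return :known if dbus_output.lstrip.start_with?('method return')
  :error
end

# Constructed sample outputs (the first is the line quoted in the bug report).
DBUS_NO_SUCH_USER = "Error org.freedesktop.DBus.Error.Failed: No such user\n".freeze
DBUS_OK = "method return time=1.0 sender=:1.10 -> destination=:1.20 serial=5 reply_serial=2\n" \
          "   array [\n      dict entry(\n         string \"mail\"\n" \
          "         variant array [ string \"test-user1@ad.example.com\" ]\n      )\n   ]\n".freeze

if $PROGRAM_NAME == __FILE__
  ok, msg, = resolve_conversion_options(MIQLDAP_SETTINGS_NO_GROUPS, parse_cli(ARGV))
  puts(ok ? 'preflight ok' : msg)
  puts "sample dbus reply: #{sssd_user_state(DBUS_NO_SUCH_USER)}"
end
```

Run without arguments it reports the two missing values for the no-groups configuration; with `-b "cn=Manager,dc=example,dc=com" -p "password" -d "example.com"` (the invocation from the commit message) the preflight passes. After a real conversion, feeding the actual dbus-send output to sssd_user_state distinguishes the "No such user" failure from a successful attribute lookup.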

Comment 7 Mike Shriver 2019-01-09 23:17:36 UTC
Tested in CFME 5.10.0.30.20181218191323_900a416

Confirmed recreation and new miqldap_to_sssd command line arguments with JoeV.

Confirmed successful migration from an MIQLDAP configuration without fetched groups, which lacks domain, bind DN, and bind password data.

miqldap_to_sssd ran with reasonable output when these options were omitted, directing the user to include the required information.
