Description of problem:
Not able to order a service in a global region via AD user.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Integrate AD to authenticate Global and subordinate region on CFME appliance
2. Login on Global region via AD user and order a service.
Error: "Invalid System Authentication Token specified"
VM should be provisioned.
I've reviewed this case; it seems the issue may be rooted in the groups configured for the user and what roles they are assigned to.
Please do this experiment:
- Log into the non-Global region and navigate to "Configuration", expand the "Access Control" drop down and select "Groups".
- Select the "Configuration" tab and select "Add a new Group"
- Select "(Look up LDAP Groups)", specify the user in question in the "User to Look Up" box, fill in the "Username" and "Password", and click the "Retrieve" button.
- A new dropdown, "LDAP Groups for User", should appear near the top of the page.
- Expand the "<Choose>" drop down and select one of the groups returned for this user.
- Next to the "Role" dropdown select "EvmRole-super_administrator".
- Select a valid Tenant.
- Add the group.
- Ensure none of the other groups returned for the user are configured in Cloudforms to ensure this is the correct group and role used for this user.
- Repeat this on the other region.
At this point there should only be a single group configured with Role "EvmRole-super_administrator" for this user on both the Global and other region.
- Attempt to log directly in to the non-Global region as the user in question and attempt to perform the operation in question.
- Attempt to log directly in to the Global region as the user in question and attempt to perform the operation in question.
Please report the results of this experiment.
Thank you, JoeV
I am attempting to reproduce this locally. While I am working on that could you please ask the customer to enable debugging log level on both appliances then attempt to Login on Global region via AD user and order a service from the subordinate region.
In the evm.log file on the subordinate region there should now be logged entries for "External Group:" and "Internal Group:".
To enable the debugging log level please navigate to "Configuration/Advanced"
Search for ":level:" and set it to ":level: debug". Then run the above test.
I will continue to research.
Created attachment 1457570 [details]
Authentication User Type User Principal Name
I have a workaround that I would like you to ask the customer to try. This will work if, in the "Configuration/Authentication" page on both the Global and remote region, the "User Type" is set to "User Principal Name".
See the screen shot I've attached.
Please let me know if this workaround is acceptable.
Thank you, JoeV
After changing "User Type" to "User Principal Name", AD user is able to order a service from Global region.
(In reply to Nikhil Gupta from comment #19)
> Hi JoeV,
> After changing "User Type" to "User Principal Name", AD user is able to
> order a service from Global region.
Thank you Niks,
So can this BZ be closed now or at least the priority be lowered?
Thank you for your help on this bug.
I will lower the severity.
New commit detected on ManageIQ/manageiq/master:
Author: Joe VLcek <firstname.lastname@example.org>
AuthorDate: Tue Jul 10 17:00:05 2018 -0400
Commit: Joe VLcek <email@example.com>
CommitDate: Tue Jul 10 17:00:05 2018 -0400
Force user_type to UPN when username is a UPN
lib/miq_ldap.rb | 11 +-
spec/lib/miq_ldap_spec.rb | 51 +
2 files changed, 59 insertions(+), 3 deletions(-)
Tested in CFME 184.108.40.206.20190108221820_a0968c8
Active Directory endpoint
UPN and CN user type configurations
Group fetched from Active Directory
Two regions configured with replication, both with above auth settings.
Openstack provider added to subordinate region appliance.
Catalog item for openstack instance provisioning created and attached to catalog in subordinate region appliance.
Service catalog ordered from global region appliance, logged in as Active Directory user.
Request was submitted, approved, and executed on the subordinate region, provisioning an openstack instance.