Description of problem:
After configuring rhq for an Active Directory server in the 'LDAP Configuration Properties' section on the screen 'Administration->System Configuration->Settings', if the user tries to assign a role to an ldap group, the screen returns a java exception. Please refer to the attached screenshots and stack trace. Active Directory is set up and running, and some groups and users are added.

Version-Release number of selected component (if applicable):
3.0.0-SNAPSHOT

How reproducible:

Steps to Reproduce:
1. Login to rhq. (Jon Server URL: suniltest.usersys.redhat.com:7080)
2. Navigate to 'Administration->System Configuration->Settings' screen.
3. In 'LDAP Configuration Properties' section, enter and save the configuration properties as below:
   Active directory URL: ldap://10.65.201.130:389 (ldap://win2k3red.test.pnq.com)
   Search base: dc=test,dc=pnq,dc=com
   Username: cn=Administrator,cn=users,dc=test,dc=pnq,dc=com
   Login property=cn
   Group search filter: objectclass=group
   Group member filter: member
4. Navigate to 'Administration->Security->Roles' screen.
5. Click on the link 'All Resources Role'.
6. Click on the button 'ADD TO LIST' in 'Assigned Ldap Groups' section.
7. It returns below error:
   java.lang.RuntimeException: javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: test.pnq.com:389 [Root exception is java.net.ConnectException: Connection timed out]]
   The page requested cannot be displayed due to some error.

Actual results:
It returns a java exception.

Expected results:
It should display the list of related LDAP groups available on the Active Directory server.

Additional info:
Created attachment 403749: Screenshot for error
Created attachment 403750: screenshot of LDAP Configuration Properties set
Created attachment 403751: Stack trace for error
Ok, we'll take this one and see if we can reproduce.

> Active directory URL: ldap://10.65.201.130:389 (ldap://win2k3red.test.pnq.com)
> javax.naming.CommunicationException: test.pnq.com:389

The different hostnames look very suspicious. Could be a DNS problem.
I am not able to reproduce this bug. When I click on the 'All Resources' Role and attempt to add ldap groups, the gui proceeds to display the available groups without error. The host names and ports from the configuration image do not match up with the error messages listed in the attached server log. This looks like a misconfiguration problem on the QA side. Please attempt to reproduce this issue again with a working and configured directory server.
We sorted through the dns and configuration issues and confirmed that this is still a problem. Please update this case with the specific 'Active Directory' version and OS details for the ldap host that you are using to connect to.
Below are the details:

OS: Windows Server 2003
Active Directory version: Windows Server 2003 active directory
Hostname: win2k3red.test.pnq.com

Note: The ldap user authorization and ldap group mapping to rhq roles is working in redhat active directory server. For windows active directory server, the ldap user authorization with rhq is working fine (users existing on windows AD server are able to login to rhq). However, windows AD server group mapping to rhq roles is not working.

For more details, below is the ldapsearch command:

/usr/lib64/mozldap/ldapsearch -x -h win2k3red.test.pnq.com -p 389 -D "cn=Administrator,cn=users,dc=test,dc=pnq,dc=com" -w RedHat123 -b "dc=test,dc=pnq,dc=com" -s sub "objectclass=computer" dn dnshostname operatingsystem

version: 1
dn: CN=WIN2K3RED,OU=Domain Controllers,DC=test,DC=pnq,DC=com
operatingSystem: Windows Server 2003
dNSHostName: win2k3red.test.pnq.com
Created attachment 407109: Updated screenshot of error, cleaned up after filtering out incorrect configuration details.
Created attachment 407110: Full error from browser.
This issue has the same cause as 580127 but manifests on a different set of screens. This issue has been fixed as of master build >= 218.

Details: A number of problems detected:
i) group data objects used by the UI could be affected by ldap communication.
ii) problems in ldap communication were thrown as runtime exceptions to the browser.
iii) configuration changes could easily cause ldap communication problems.

Solution: Fixed group data object instantiation mechanism for UI and modified the UI to detect ldap failures, logging on server side while displaying ui messages on client.

Commit hash: 07b28294ef1811d7877153de9516dfa6252fd2e3
A final note that the 'group filter' value shown in the credentials/setup screenshot is invalid, as it must be in the form key=value.
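The failure handling described in the two comments above, sketched as an added example (not RHQ's own code and not taken from the referenced commit): the group filter is checked for key=value form, and any JNDI failure is logged on the server and turned into a short UI message instead of reaching the browser as a RuntimeException. The class, record and method names are hypothetical, the values in main are constructed, and Java 16+ is assumed for the record.

```java
import java.util.*;
import java.util.logging.*;
import javax.naming.*;
import javax.naming.directory.*;

// Added illustration; LdapGroupLookup, Result and findGroups are hypothetical names.
public class LdapGroupLookup {
    private static final Logger LOG = Logger.getLogger("ldap");
    record Result(List<String> groups, String uiMessage) {} // uiMessage is null on success

    static Result findGroups(String url, String bindDn, String password,
                             String searchBase, String groupFilter) {
        // Reject filters that are not key=value (e.g. a bare "member") before querying.
        if (!groupFilter.matches("[^=()\\s]+=[^()]+")) {
            return new Result(List.of(), "Group filter must be in the form key=value.");
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put("com.sun.jndi.ldap.connect.timeout", "3000"); // ms, fail fast
        env.put("com.sun.jndi.ldap.read.timeout", "5000");    // ms
        List<String> groups = new ArrayList<>();
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"cn"});
            NamingEnumeration<SearchResult> hits =
                ctx.search(searchBase, "(" + groupFilter + ")", sc);
            while (hits.hasMore()) {
                Attribute cn = hits.next().getAttributes().get("cn");
                if (cn != null) groups.add(String.valueOf(cn.get()));
            }
            return new Result(groups, null);
        } catch (NamingException e) {
            // Covers PartialResultException and CommunicationException; detail stays server-side.
            LOG.log(Level.WARNING, "LDAP group query failed for " + url, e);
            return new Result(groups, "Could not retrieve LDAP groups; see the server log.");
        } finally {
            if (ctx != null) try { ctx.close(); } catch (NamingException ignored) { }
        }
    }

    public static void main(String[] args) { // constructed values; port 1 should refuse
        Result r = findGroups("ldap://127.0.0.1:1", "cn=example,dc=example,dc=com",
                              "placeholder", "dc=example,dc=com", "objectclass=group");
        System.out.println(r.groups() + " / " + r.uiMessage());
    }
}
```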
Verified on Jon build#103 (Revision: 10609). User is able to map the rhq role to ldap group on active directory. The screen to assign rhq role displays the ldap group.
Mass-closure of verified bugs against JON.