Bug 623819 - Upgrade issue : LDAP auth ignored for users with RHQ principals
Product: RHQ Project
Classification: Other
Component: Core Server
Hardware: All
OS: All
Priority: urgent
Severity: high
Assigned To: RHQ Project Maintainer
Corey Welton
Blocks: jon241-bugs
Reported: 2010-08-12 17:17 EDT by Jay Shaughnessy
Modified: 2011-05-23 21:09 EDT
Doc Type: Bug Fix
Last Closed: 2011-05-23 21:09:00 EDT
Description Jay Shaughnessy 2010-08-12 17:17:12 EDT
Prior to RHQ 4.0.0 and JON 2.4, if RHQ user authentication failed (using auth info in the RHQ db), then authentication would be passed to LDAP, if configured.  The authentication could then pass if LDAP stored the correct password and the one in RHQ was stale.

This situation could arise if a user was defined in RHQ prior to LDAP auth being configured, or prior to the user being defined in LDAP.  In this situation a user could have credentials stored in RHQ and LDAP.

In 2.4 the authentication strategy was changed for security reasons.  In 2.4 if the user has credentials stored in RHQ he *must* authenticate against that password.  LDAP will not be queried.

The net effect of this is that after an upgrade LDAP authentication is ignored for users with RHQ stored credentials.  It will seem as if LDAP auth is broken, but it is not; it is not being queried.  (Note: if RHQ and LDAP have the same password stored for a user, it will seem like LDAP auth is happening, but it is not.)

Unless the user knows the old password he will not be able to log in.
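
The behaviour change described above, modelled as an added example (not RHQ code and not part of the original report). The function names, the dictionary-based credential stores, the SHA-256 stand-in hash and the sample accounts are all assumptions made for illustration; `shadowed_users` lists the accounts whose LDAP entry is no longer consulted after the upgrade.

```python
import hashlib
import hmac

def _digest(password):
    # Stand-in for a stored credential hash; not RHQ's actual scheme.
    return hashlib.sha256(password.encode()).hexdigest()

def _matches(store, user, password):
    stored = store.get(user)
    return stored is not None and hmac.compare_digest(stored, _digest(password))

def login_pre_24(rhq, ldap, user, password):
    """Old chain: try the RHQ principal, fall through to LDAP on failure."""
    if _matches(rhq, user, password):
        return "rhq"
    if _matches(ldap, user, password):
        return "ldap"
    return None

def login_24(rhq, ldap, user, password):
    """2.4 chain: a user with an RHQ principal must match it; LDAP is not queried."""
    if user in rhq:
        return "rhq" if _matches(rhq, user, password) else None
    return "ldap" if _matches(ldap, user, password) else None

def shadowed_users(rhq, ldap):
    """Accounts present in both stores: after the upgrade their LDAP password is ignored."""
    return sorted(set(rhq) & set(ldap))

# Constructed sample data (hypothetical accounts and passwords).
RHQ = {"alice": _digest("old-rhq-pw"), "bob": _digest("same-pw")}
LDAP = {
    "alice": _digest("new-ldap-pw"),  # RHQ copy is stale
    "bob": _digest("same-pw"),        # identical in both stores
    "carol": _digest("carol-pw"),     # LDAP only, no RHQ principal
}

if __name__ == "__main__":
    for user, pw in [("alice", "new-ldap-pw"), ("bob", "same-pw"), ("carol", "carol-pw")]:
        print(user, "before:", login_pre_24(RHQ, LDAP, user, pw),
              "after:", login_24(RHQ, LDAP, user, pw))
    print("review after upgrade:", shadowed_users(RHQ, LDAP))
```

In this model alice is the locked-out case from the report, and bob is the case where logins keep working and look like LDAP authentication although only the RHQ principal is checked.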
Comment 10 Corey Welton 2011-05-23 21:09:00 EDT
Bookkeeping - closing bug - fixed in recent release.
