Bug 623819 - Upgrade issue : LDAP auth ignored for users with RHQ principals
Product: RHQ Project
Classification: Other
Component: Core Server   
Version: 4.0.0
Hardware: All
OS: All
high vote
Assignee: RHQ Project Maintainer
QA Contact: Corey Welton
Blocks: jon241-bugs
Reported: 2010-08-12 21:17 UTC by Jay Shaughnessy
Modified: 2018-10-27 16:17 UTC (History)

Doc Type: Bug Fix
Last Closed: 2011-05-24 01:09:00 UTC

Description Jay Shaughnessy 2010-08-12 21:17:12 UTC
Prior to RHQ 4.0.0 and JON 2.4, if RHQ user authentication failed (using auth info in the RHQ db) then authentication would be passed to LDAP, if configured.  The authentication could then pass if LDAP stored the correct password and the one in RHQ was stale.

This situation could arise if a user was defined in RHQ prior to LDAP auth being configured, or prior to the user being defined in LDAP.  In this situation a user could have credentials stored in RHQ and LDAP.

In 2.4 the authentication strategy was changed for security reasons.  In 2.4 if the user has credentials stored in RHQ he *must* authenticate against that password.  LDAP will not be queried.

The net effect of this is that after an upgrade LDAP authentication is ignored for users with RHQ stored credentials.  It will seem as if LDAP auth is broken, but it is not; it is not being queried.  (Note, if RHQ and LDAP have the same password stored for a user it will seem like LDAP auth is happening, but it is not.)

Unless the user knows the old password he will not be able to log in.
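
The two authentication strategies described in this report, modeled as an added example (not RHQ code and not written by the reporter) so that accounts affected by the upgrade can be identified ahead of time. All function names, the sample users and the SHA-256 stand-in for stored credentials are assumptions made for illustration; the LDAP check is a dictionary lookup standing in for a directory bind.

```python
import hashlib
import hmac

def _h(pw):
    # Stand-in digest for a stored credential; not RHQ's storage format.
    return hashlib.sha256(pw.encode()).hexdigest()

# Constructed sample data, not taken from the bug report.
LOCAL_PRINCIPALS = {"alice": _h("stale-2009"), "bob": _h("same-pw"),
                    "rhqadmin": _h("local-only")}
LDAP_DIRECTORY = {"alice": "current-2010", "bob": "same-pw",
                  "carol": "ldap-only"}

def local_ok(user, pw):
    stored = LOCAL_PRINCIPALS.get(user)
    return stored is not None and hmac.compare_digest(stored, _h(pw))

def ldap_ok(user, pw):
    # Models a successful LDAP bind with the supplied password.
    current = LDAP_DIRECTORY.get(user)
    return current is not None and hmac.compare_digest(current, pw)

def authenticate_legacy(user, pw):
    """Pre-2.4 behaviour: try the stored principal, fall through to LDAP."""
    if local_ok(user, pw):
        return "local"
    return "ldap" if ldap_ok(user, pw) else None

def authenticate_strict(user, pw):
    """2.4 / 4.0.0 behaviour: a stored principal must match; LDAP is not queried."""
    if user in LOCAL_PRINCIPALS:
        return "local" if local_ok(user, pw) else None
    return "ldap" if ldap_ok(user, pw) else None

def shadowed_accounts():
    """Users present in both stores: LDAP is ignored for them after upgrade."""
    return sorted(set(LOCAL_PRINCIPALS) & set(LDAP_DIRECTORY))

def locked_out_after_upgrade():
    """Users whose current LDAP password worked before the upgrade but not after."""
    return sorted(u for u, pw in LDAP_DIRECTORY.items()
                  if authenticate_legacy(u, pw) and not authenticate_strict(u, pw))

if __name__ == "__main__":
    print("shadowed by a stored principal:", shadowed_accounts())
    print("locked out with LDAP password:", locked_out_after_upgrade())
```

In this sample, `bob` illustrates the parenthetical note above: his login succeeds after the upgrade only because both stores hold the same password, and it is the stored principal that is checked.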

Comment 10 Corey Welton 2011-05-24 01:09:00 UTC
Bookkeeping - closing bug - fixed in recent release.
