Description of problem:
Creating a role linked to an LDAP group will not link existing users

Version-Release number of selected component (if applicable):
JON 2.4.1

How reproducible:
always

Steps to Reproduce:
1. Have a user in LDAP which belongs to an LDAP group
2. Configure JON to use LDAP and fill in the group filter so it finds the above group.
3. Have said user register with JON
4. Create a new role, and assign said LDAP group to it
5. Add said user to this role
6. The table RHQ_SUBJECT_ROLE_LDAP_MAP should get an entry linking the user with the role

Actual results:
The table RHQ_SUBJECT_ROLE_LDAP_MAP is *not* getting an entry

Expected results:
That the table RHQ_SUBJECT_ROLE_LDAP_MAP gets an entry with the proper subject_id and role_id

Additional info:
Workaround:

Use this SQL to find subject_id and role_id:

  SELECT id FROM rhq_subject WHERE name LIKE 'username';

This is the subject_id you need. For example 67890

Now get the role_id with:

  SELECT id FROM rhq_role WHERE name LIKE 'rolename';

For example, returning 12345

Finally insert a new entry:

  INSERT INTO RHQ_SUBJECT_ROLE_LDAP_MAP (role_id,subject_id) VALUES (12345,67890);
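The three-step workaround above, collapsed into one statement plus a query to verify the result. This is an added example, not part of the bug report: 'username' and 'rolename' are placeholders exactly as in the report, the table and column names are the ones the report uses, and the NOT EXISTS guard is an assumption (the report says nothing about a unique constraint on the mapping table), added so the statement can be re-run safely after the server has created the row itself at login.

```sql
-- Added example (not from the bug report). 'username' / 'rolename' are
-- placeholders for the JON login name and the role name; table and column
-- names are those named in the report.

-- 1. Insert the subject->role mapping in one statement, looking up both ids
--    by name, but only if that exact (role_id, subject_id) row is not already
--    present. The NOT EXISTS guard is an assumption about the schema: with it,
--    re-running this after a login that already added the row is harmless.
INSERT INTO RHQ_SUBJECT_ROLE_LDAP_MAP (role_id, subject_id)
SELECT r.id, s.id
  FROM rhq_role r, rhq_subject s
 WHERE r.name = 'rolename'
   AND s.name = 'username'
   AND NOT EXISTS (
         SELECT 1
           FROM RHQ_SUBJECT_ROLE_LDAP_MAP m
          WHERE m.role_id    = r.id
            AND m.subject_id = s.id);

-- 2. Verify: list every LDAP-derived role mapping for the user, with the raw
--    ids alongside the names so the result can be compared with the UI.
--    Expect exactly one row per role the user should hold via LDAP groups.
SELECT s.id   AS subject_id,
       s.name AS subject_name,
       r.id   AS role_id,
       r.name AS role_name
  FROM RHQ_SUBJECT_ROLE_LDAP_MAP m
  JOIN rhq_subject s ON s.id = m.subject_id
  JOIN rhq_role    r ON r.id = m.role_id
 WHERE s.name = 'username'
 ORDER BY r.name;
```

Run the verification query again after the user has logged out and back in; as the later comments explain, the server maintains this table itself at login, so the row should then be present whether or not the INSERT was used.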
workaround:
1. Have a user in LDAP which belongs to an LDAP group
2. Configure JON to use LDAP and fill in the group filter so it finds the above group.
3. Have said user register with JON
4. Create a new role, and assign said LDAP group to it
5. Add said user to this role
6. Have the user log out and log in again.

I think it would still be better to do the check in step 5 though
Basically this is a case of mixing the RHQ and LDAP Administration models as described on the following link and should be avoided:
http://www.rhq-project.org/display/RHQ/Using+RHQ+and+LDAP+Authorization+Models

If you enable LDAP Group authorization, you are indicating to RHQ that you want the RHQ Server to automatically assign and update RHQ users/roles every time that an external LDAP user logs in. Even the first assignment of the external LDAP users to the "LDAP Role" is not necessary. In other words, after completing steps 3 and 4 to enable LDAP Group authorization, executing step 5 should not be done. Whenever the user from step 1 logs in, the role->user assignment will be taken care of correctly.

> 3. Have said user register with JON
> 4. Create a new role, and assign said LDAP group to it
> 5. Add said user to this role
> 6. The table RHQ_SUBJECT_ROLE_LDAP_MAP should get an entry linking the user with the role

A possible enhancement here would be to display a warning message that "user<->role assignment is automatic" whenever an RHQ Role is being updated with a) an external LDAP group OR b) a user account if an external LDAP group is already assigned. This would address Tom's suggestion to "do the check in step 5".
As described in the previous comment this is not a bug. LDAP users get associated with a JBoss ON role based on the LDAP group they belong to and that LDAP group being assigned to the target role. This is done each time the user logs into JBoss ON.