Red Hat Bugzilla – Bug 866638
Need an admin account for LDAP mode
Last modified: 2013-01-16 08:17:36 EST
Description of problem:
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. There is no admin account for ldap mode
2. So as of now, if you have to give any ldap user permissions or rights
3. You will have to login with the ldap user and then change the setting back to database mode in /usr/share/aeolus-conductor/config/settings.yml
4. Login as admin and you will see the ldap user under "Users" now
5. Give the ldap user admin rights
6. Change the setting back to LDAP in settings.yml and now ldap user can build/push images.
So this needs to be documented for this release, and for the next release or later we need an admin account for LDAP mode.
Additional info:
rpm -qa|grep aeolus
Copying chat/comments from sseago
<sseago> sshveta, you need to make him an admin or he won't see it I don't think -- I think admin rights are needed to see a user's quota (the way the code is written now)
<sshveta> sseago, in ldap mode admin account doesn't work
<sshveta> sseago, so how shall i give any rights to this user?
<sseago> sshveta, yeah -- so you need to give the ldap user admin rights _before_ switching to ldap mode
<sshveta> sseago, but that user did not exist when i changed it to ldap ..
<sshveta> sseago, so now i should go back to db nmode
<sshveta> mode and do it?
<sseago> sshveta, yeah -- the bootstrapping process is a bit awkward, but you have to create a user that you know has an ldap account before swapping to ldap mode
<sseago> then grant that user admin rights
<sseago> then swap to ldap
<sshveta> sseago, ok ..
<sseago> sshveta, so the issue is right now aeolus-configure doesn't set up ldap for us, so you have to do it manually
<sseago> morazi-afk, hewbrocca but yeah we need more automation around setting up ldap admin users I think
<sseago> hewbrocca, morazi-afk right now it's pretty clumsy. you have to set things up in non-ldap mode, create a user that matches an ldap username and grant that user access, then set up ldap and swap login mode to ldap, and (ideally) then delete the non-ldap "admin" user account
<sseago> sshveta, what we probably need longer-term is a way to identify what account we're creating for admin access in aeolus-configure
So, yes the short-term fix is to document the process, which is essentially:
1) aeolus-configure sets up conductor in database login mode with a user called 'admin'
2) admin logs into conductor and creates a new user with a username corresponding to the desired ldap admin user
3) give this new user admin rights (Global Administrator role)
4) reconfigure conductor for ldap login and restart
5) log in as new admin -- everything should work as expected now
6) (optional but useful in case there is an ldap user called 'admin') Revoke privileges on the original 'admin' user
Longer-term we need to fix aeolus-configure to do the following:
1) configure /etc/ldap_fluff.yml properly for ldap (user will need to customize ldap settings in a puppet recipe or something similar) -- Katello already does this in their config, so we could probably pull some puppet stuff from there
2) configure settings.yml to allow for swapping out the default database auth with ldap auth
3) configurable admin account username (this may be here already)
4) fix the create_user rake task to work under ldap mode too (this may work already, but I suspect at least some tweaking will be needed)