Bug 866638 - Need an admin account for LDAP mode
Status: NEW
Product: CloudForms Cloud Engine
Classification: Red Hat
Component: aeolus-configure
Severity: medium
Assigned To: Mike Orazi
Reported: 2012-10-15 15:05 EDT by Shveta
Modified: 2013-01-16 08:17 EST
Doc Type: Bug Fix
Type: Bug
Attachments: None
Description Shveta 2012-10-15 15:05:50 EDT
Steps to Reproduce:
1. There is no admin account for LDAP mode.
2. So as of now, if you have to give any LDAP user permissions or rights,
3. you will have to log in with the LDAP user and then change the setting back to database mode in /usr/share/aeolus-conductor/config/settings.yml.
4. Log in as admin and you will see the LDAP user under "Users" now.
5. Give the LDAP user admin rights.
6. Change the setting back to LDAP in settings.yml and now the LDAP user can build/push images.

So this needs to be documented for this release, and for the next release or later we need an admin account for LDAP mode.

Additional info:

rpm -qa|grep aeolus
Comment 1 Shveta 2012-10-15 15:08:31 EDT
Copying chat/comments from sseago

<sseago> sshveta, you need to make him an admin or he won't see it I don't think -- I think admin rights are needed to see a user's quota (the way the code is written now)
<sshveta> sseago, in ldap mode admin account doesn't work
<sshveta> sseago, so how shall i give any rights to this user?
<sseago> sshveta, yeah -- so you need to give the ldap user admin rights _before_ switching to ldap mode
<sshveta> sseago, but that user was not existing when i changed it to ldap ..
<sshveta> sseago, so now i should go back to db mode
<sshveta> mode and do it?
<sseago> sshveta, yeah -- the bootstrapping process is a bit awkward, but you have to create a user that you know has an ldap account before swapping to ldap mode
<sseago> then grant that user admin rights
<sseago> then swap to ldap
<sshveta> sseago, ok .. 
<sseago> sshveta, so the issue is right now aeolus-configure doesn't set up ldap for us, so you have to do it manually
<sseago> morazi-afk, hewbrocca but yeah we need more automation around setting up ldap admin users I think
<sseago> hewbrocca, morazi-afk right now it's pretty clumsy. you have to set things up in non-ldap mode, create a user that matches an ldap username and grant that user access, then set up ldap and swap login mode to ldap, and (ideally) then delete the non-ldap "admin" user account
<sseago> sshveta, what we probably need longer-term is a way to identify what account we're creating for admin access  in aeolus-configure
Comment 3 Scott Seago 2012-10-17 10:57:05 EDT
So, yes, the short-term fix is to document the process, which is essentially:
1) aeolus-configure sets up conductor in database login mode with a user called 'admin'
2) admin logs into conductor and creates a new user with a username corresponding to the desired ldap admin user
3) give this new user admin rights (Global Administrator role)
4) reconfigure conductor for ldap login and restart
5) log in as new admin -- everything should work as expected now
6) (optional but useful in case there is an ldap user called 'admin') Revoke privileges on the original 'admin' user
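The bootstrap procedure above (and the equivalent steps in the report's description) as an added pre-flight check, not code from aeolus-configure or Conductor: it refuses the switch to LDAP login mode while no Global Administrator has a matching LDAP username, and flags the step 6 clean-up. The settings.yml key `auth: login_mode`, the user records and the LDAP username list are all constructed assumptions.

```ruby
require 'yaml'

# Constructed stand-in for /usr/share/aeolus-conductor/config/settings.yml;
# the real key names are not shown in the bug, so 'auth: login_mode' is assumed.
SETTINGS_YAML = <<~YAML
  auth:
    login_mode: database
YAML

# Constructed Conductor user records (username plus granted roles).
CONDUCTOR_USERS = [
  { username: 'admin',  roles: ['Global Administrator'] }, # created by aeolus-configure
  { username: 'jdoe',   roles: ['Global Administrator'] }, # the intended LDAP admin
  { username: 'shveta', roles: [] }
].freeze

# Constructed list of usernames known to exist in the LDAP directory.
LDAP_USERNAMES = %w[jdoe shveta].freeze

# Checks the state described in comment 3 before settings.yml is switched to
# LDAP login mode. Returns blockers (switching now would lock every
# administrator out) and advisories (the optional clean-up in step 6).
def ldap_switch_preflight(settings_yaml, users, ldap_usernames)
  settings = YAML.safe_load(settings_yaml)
  blockers = []
  advisories = []

  mode = settings.dig('auth', 'login_mode')
  blockers << "login mode is '#{mode}', expected 'database' before the switch" unless mode == 'database'

  admins = users.select { |u| u[:roles].include?('Global Administrator') }
  ldap_admins = admins.select { |u| ldap_usernames.include?(u[:username]) }
  if ldap_admins.empty?
    blockers << 'no Global Administrator username exists in LDAP; switching would lock all admins out'
  end

  # Step 6: a local 'admin' that keeps its role would be shadowed by an LDAP
  # account of the same name once LDAP mode is active.
  if admins.any? { |u| u[:username] == 'admin' }
    advisories << "revoke Global Administrator from the local 'admin' user after the switch"
  end

  { blockers: blockers, advisories: advisories }
end

if $PROGRAM_NAME == __FILE__
  result = ldap_switch_preflight(SETTINGS_YAML, CONDUCTOR_USERS, LDAP_USERNAMES)
  puts(result[:blockers].empty? ? 'OK to switch to LDAP mode' : "BLOCKED: #{result[:blockers].join('; ')}")
  result[:advisories].each { |a| puts "advisory: #{a}" }
end
```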
Comment 4 Scott Seago 2012-10-17 11:01:01 EDT
Longer-term we need to fix aeolus-configure to do the following:
1) configure /etc/ldap_fluff.yml properly for ldap (user will need to customize ldap settings in a puppet recipe or something similar) -- Katello already does this in their config, so we could probably pull some puppet stuff from there
2) configure settings.yml to allow for swapping out the default database auth with ldap auth
3) configurable admin account username (this may be here already)
4) fix the create_user rake task to work under ldap mode too (this may work already, but I suspect at least some tweaking will be needed)
