Bug 957163 - Backend uses logging username for LDAP searches - Error while executing action: ENGINE
Keywords:
Status: CLOSED DUPLICATE of bug 957793
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 3.2.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ---
Target Release: 3.2.0
Assignee: Yair Zaslavsky
QA Contact:
URL:
Whiteboard: infra
Depends On:
Blocks:
Reported: 2013-04-26 13:41 UTC by Jiri Belka
Modified: 2016-02-10 19:00 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-05-05 13:47:04 UTC
oVirt Team: Infra
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
oVirt gerrit 14392 0 None None None Never

Description Jiri Belka 2013-04-26 13:41:15 UTC
Description of problem:
Backend uses logging username for LDAP searches; this means that if you put 'foobar' as the user in User Portal, the backend makes a query to LDAP using the 'foobar' user.

As well, there's popup after login failure in User Portal with text:

  Error while executing action: ENGINE

Relevant part from engine.log:

2013-04-26 15:23:27,230 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (QuartzScheduler_Worker-49) No string for UNASSIGNED type. Use default Log
2013-04-26 15:23:32,123 ERROR [org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy] (ajp-/127.0.0.1:8702-5) [1d4dfc28] Authentication Failed. Client not found in kerberos database.
2013-04-26 15:23:32,166 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] (ajp-/127.0.0.1:8702-5) [1d4dfc28] Failed ldap search server LDAP://dc-01.rhev.lab.eng.brq.redhat.com:389 using user foobar.ENG.BRQ.REDHAT.COM due to Authentication Failed. Client not found in kerberos database.. We should not try the next server
2013-04-26 15:23:32,169 ERROR [org.ovirt.engine.core.bll.adbroker.LdapBrokerCommandBase] (ajp-/127.0.0.1:8702-5) [1d4dfc28] Failed to run command LdapAuthenticateUserCommand. Domain is rhev.lab.eng.brq.redhat.com. User is foobar.}
2013-04-26 15:23:32,170 ERROR [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8702-5) [1d4dfc28] USER_FAILED_TO_AUTHENTICATE : foobar
2013-04-26 15:23:32,170 WARN  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8702-5) [1d4dfc28] CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE
2013-04-26 15:23:39,334 INFO  [org.ovirt.engine.core.bll.LoginUserCommand] (ajp-/127.0.0.1:8702-8) Running command: LoginUserCommand internal: false.

Version-Release number of selected component (if applicable):
sf14

How reproducible:
100%

Steps to Reproduce:
1. have rhevm with AD configured
2. login in User Portal with some nonexisting user
3. check what's going on in User Portal
4. check engine.log for 'Failed ldap search server' line
  
Actual results:
bogus popup in User Portal, incorrectly done search (?)

Expected results:
non bogus popup, query should use configured user used when rhevm-manage-domains was executed

Additional info:
exists even in upstream

# rhevm-manage-domains -action=list
Domain: ad2.rhev.lab.eng.brq.redhat.com
        User name: vdcadmin.LAB.ENG.BRQ.REDHAT.COM
Domain: rhev.lab.eng.brq.redhat.com
        User name: vdcadmin.ENG.BRQ.REDHAT.COM
Manage Domains completed successfully
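
A log check for the behaviour reported above, added here as an example and not part of the original report or of ovirt-engine: it flags `Failed ldap search server` lines whose user is not one of the users printed by `rhevm-manage-domains -action=list`. It assumes the two text formats shown in the report; the function names are hypothetical and the second sample log line is constructed.

```python
import re

# Matches the DirectorySearcher failure line format shown in the engine.log excerpt.
SEARCH_RE = re.compile(
    r"^(?P<ts>\S+ \S+) ERROR\s+\[[\w.]+\.DirectorySearcher\].*?"
    r"Failed ldap search server (?P<server>\S+) using user (?P<user>\S+) due to")
# Matches the per-domain blocks printed by `rhevm-manage-domains -action=list`.
DOMAIN_RE = re.compile(
    r"^Domain:\s*(?P<domain>\S+)\s*\n\s*User name:\s*(?P<user>\S+)", re.M)

# Listing copied from the report.
SAMPLE_LISTING = """\
Domain: ad2.rhev.lab.eng.brq.redhat.com
        User name: vdcadmin.LAB.ENG.BRQ.REDHAT.COM
Domain: rhev.lab.eng.brq.redhat.com
        User name: vdcadmin.ENG.BRQ.REDHAT.COM
Manage Domains completed successfully
"""
# First line is from the report (unwrapped); the second is constructed to show
# a failed search made as the configured user, which must not be flagged.
SAMPLE_LOG = (
    "2013-04-26 15:23:32,166 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] "
    "(ajp-/127.0.0.1:8702-5) [1d4dfc28] Failed ldap search server "
    "LDAP://dc-01.rhev.lab.eng.brq.redhat.com:389 using user foobar.ENG.BRQ.REDHAT.COM "
    "due to Authentication Failed. Client not found in kerberos database.. "
    "We should not try the next server\n"
    "2013-04-26 15:30:00,000 ERROR [org.ovirt.engine.core.bll.adbroker.DirectorySearcher] "
    "(ajp-/127.0.0.1:8702-6) [00000000] Failed ldap search server "
    "LDAP://dc-01.rhev.lab.eng.brq.redhat.com:389 using user vdcadmin.ENG.BRQ.REDHAT.COM "
    "due to Connection timed out. We should try the next server\n")


def configured_users(listing):
    """Map each configured domain to its search user (both lower-cased)."""
    return {m["domain"].lower(): m["user"].lower() for m in DOMAIN_RE.finditer(listing)}


def unexpected_search_users(log_text, listing):
    """Return (timestamp, server, user) for each LDAP search that was attempted
    as a principal other than a configured domain user."""
    allowed = set(configured_users(listing).values())
    hits = []
    for line in log_text.splitlines():
        m = SEARCH_RE.search(line)
        if m and m["user"].lower() not in allowed:
            hits.append((m["ts"], m["server"], m["user"]))
    return hits
```
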

