Bug 991686 - LDAP Gecos field and broken authorisation
Product: Pulp
Classification: Community
Component: user-experience
Hardware/OS: Unspecified
Priority: medium
Severity: medium
Target Release: 2.3.0
Assigned To: Sayli Karmarkar
QA Contact: Preethi Thomas
Keywords: Triaged
Reported: 2013-08-03 12:09 EDT by redbugzilla
Modified: 2015-03-22 21:12 EDT

Doc Type: Bug Fix
Last Closed: 2013-12-09 09:30:25 EST
Type: Bug

Attachments: None
Description redbugzilla 2013-08-03 12:09:42 EDT
Description of problem:
I have another LDAP server (currently :-), and when I tried to configure LDAP authentication against it, I got back this error message:

The values for the following properties were invalid: name

I traced through the code, and I see that I'm getting authenticated ok against the LDAP server, but when we are trying to create the ldap user in pulp, an exception is thrown in create_user in pulp/platform/src/pulp/server/managers/auth/user/cud.py

I have a gecos field in ldap, so I added some debugging in that function to see what was getting in.  <some values changed for google purposes>

2013-08-04 00:44:49,192 pulp.server.auth.ldap_connection:INFO: Found user with id myusername
2013-08-04 00:44:49,194 pulp.server.auth.ldap_connection:INFO: Found user with id myusername with matching credentials
2013-08-04 00:44:49,194 pulp.server.managers.auth.user.cud:INFO: Login myusername 
2013-08-04 00:44:49,194 pulp.server.managers.auth.user.cud:INFO: Password None 
2013-08-04 00:44:49,195 pulp.server.managers.auth.user.cud:INFO: Name ['Mr Givenname Familyname'] 
2013-08-04 00:44:49,195 pulp.server.managers.auth.user.cud:INFO: Roles None 
2013-08-04 00:44:49,195 pulp.server.webservices.middleware.exception:ERROR: Invalid properties: ['name']

My guess (since I don't know python, let alone this code), is that we are one level above in an array structure than where we expected?
If so, it will need to be fixed in _add_from_ldap in pulp/platform/src/pulp/server/auth/ldap_connection.py

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Configure ldap
2. Restart httpd
3. Try to authenticate using pulp-admin
4. Fail

Curious does it work for any other people?

Actual results:
Fail to authenticate (it is actually the setup of the pulp account which is failing)

Expected results:
pulp-admin lets me run my command

Additional info:
Comment 1 Tim 2013-08-16 01:08:53 EDT
There's something wrong with the check function in /usr/lib/python2.6/site-packages/pulp/server/managers/auth/user/cud.py.

Comment out lines 70 and 71 and the authentication appears to succeed.  The user is created, at the least.

#        if invalid_type(name, basestring):
#            invalid_values.append('name')
Comment 2 Sayli Karmarkar 2013-08-16 02:51:03 EDT

Thanks for all the details in the bug report. I checked our code and it does look like our parsing of the LDAP gecos field may be wrong. A user in pulp has a 'name' attribute which stores the full name of the user. For LDAP users, we parse the gecos field (expecting it to be of type basestring) and use it as the 'name' of the given user. It looks like what we are receiving in the gecos field in this case is an array and not a string, resulting in an invalid value error.

When you are adding LDAP users, if you can pass just the name of the user instead of an array with the name inside it, it will authenticate and authorize without any issues. I will also look some more and see whether a standard format of gecos field in LDAP is an array. If that is the case, it makes sense for us to fix this on our side.
Comment 3 Sayli Karmarkar 2013-08-16 12:17:32 EDT
Looked some more and it looks like usually, gecos attribute is a string with user's full name, but it can sometimes contain a list with multiple entries. No matter what, Pulp should have an additional check in there to make sure it is a string before adding it to user's name attribute. Aligning it to an earlier release to get it done sooner.
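The following is an added illustration of the fix Comment 3 describes, not Pulp's own code: the gecos value is reduced to a string before the user is validated, so the type check that Comment 1 worked around by commenting it out can stay in place. It is written for Python 3 (Pulp's basestring check becomes str), and the exception class, function names and the sample LDAP entry are constructed for the example. It goes slightly beyond the report in two ways, both marked in the comments: it accepts bytes as well as str values, because python-ldap returns every attribute as a list of bytes, and it keeps only the part of the value before the first comma, following the classic passwd(5) gecos layout.

```python
# Added example (not Pulp's code): normalise an LDAP gecos value and then run
# the strict property validation the bug report hit, instead of disabling it.


class InvalidValue(Exception):
    """Raised when user properties fail validation (constructed, not Pulp's class)."""

    def __init__(self, invalid_values):
        super().__init__("The values for the following properties were invalid: %s"
                         % ", ".join(invalid_values))
        self.invalid_values = invalid_values


def normalize_gecos(value):
    """Return the full name carried by a gecos attribute, or None if there is none.

    Accepts a str, bytes, or a list/tuple of those: python-ldap hands back every
    attribute as a list of bytes values, and some directories store several
    values. Only the first non-empty value is used. The passwd(5) gecos layout is
    comma-separated ("Full Name,Room,Phone,..."), so anything after the first
    comma is dropped (an assumption beyond the report, which shows a plain name).
    """
    if isinstance(value, (list, tuple)):
        value = next((v for v in value if v not in (None, b"", "")), None)
    if value is None:
        return None
    if isinstance(value, bytes):
        value = value.decode("utf-8", errors="replace")
    if not isinstance(value, str):
        return None  # anything else is left for the caller's type check to reject
    full_name = value.split(",", 1)[0].strip()
    return full_name or None


def validate_user(login, name):
    """Type checks equivalent to the ones in the report, deliberately kept strict."""
    invalid_values = []
    if not isinstance(login, str) or not login:
        invalid_values.append("login")
    if name is not None and not isinstance(name, str):
        invalid_values.append("name")
    if invalid_values:
        raise InvalidValue(invalid_values)


def user_from_ldap_entry(login, attrs, normalize=True):
    """Build the user record from a raw LDAP entry (attribute name -> list of values).

    With normalize=False the raw list reaches validation unchanged, which
    reproduces the failure in the report; with normalize=True the gecos value is
    reduced to a string first, so validation stays in place and passes.
    """
    name = attrs.get("gecos")
    if normalize:
        name = normalize_gecos(name)
        if name is None:
            name = login  # no usable full name: fall back to the login
    validate_user(login, name)
    return {"login": login, "name": name, "password": None, "roles": []}


def invalid_properties(login, attrs, normalize=True):
    """Return the list of property names validation rejected ([] when it passed)."""
    try:
        user_from_ldap_entry(login, attrs, normalize)
    except InvalidValue as exc:
        return exc.invalid_values
    return []


# Constructed entry shaped like the one in the report's debug output
SAMPLE_ENTRY = {"uid": [b"myusername"], "gecos": [b"Mr Givenname Familyname"]}

if __name__ == "__main__":
    print("without normalisation, invalid:", invalid_properties("myusername", SAMPLE_ENTRY, False))
    print("with normalisation:", user_from_ldap_entry("myusername", SAMPLE_ENTRY))
```

Normalising before validating, rather than removing the check, keeps the guarantee that whatever lands in the stored 'name' field is a string; a value that is neither a string nor a list of strings is still reported as an invalid 'name' rather than silently accepted.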
Comment 4 Sayli Karmarkar 2013-08-28 04:03:04 EDT
commit f459b67e1fe765d9d68bada4c0e13732135c5d6f
Author: Sayli Karmarkar <skarmark@redhat.com>
Date:   Wed Aug 28 01:00:42 2013 -0700

    fixed broken ldap authorisation when gecos field contains a list instead of a string with user's fullname
Comment 5 Sayli Karmarkar 2013-08-28 12:06:39 EDT
Comment 6 Jeff Ortel 2013-09-12 18:35:51 EDT
build: 2.3.0-0.10.alpha
Comment 7 Preethi Thomas 2013-10-09 17:22:17 EDT
running the following script passed

[root@preethi ~]# python populate_users_new.py 
See populate.log for descriptive output.
[root@preethi ~]# 

[root@preethi ~]# pulp-admin auth user list

Login:  admin
Name:   admin

Login:  pulpuser1
Name:   pulpuser1
Comment 8 Preethi Thomas 2013-12-09 09:30:25 EST
Pulp 2.3 released.
