Bug 991800 - Cannot add users from API using a principal name (user@domain) format when using an open ldap domain
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Unspecified Unspecified
unspecified Severity unspecified
: ---
: 3.3.0
Assigned To: Yair Zaslavsky
Ondra Machacek
Depends On:
Blocks: 1019461
Reported: 2013-08-04 08:58 EDT by Yair Zaslavsky
Modified: 2016-02-10 14:43 EST (History)

See Also:
Fixed In Version: is11
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


External Trackers
Tracker ID Priority Status Summary Last Updated
oVirt gerrit 17794 None None None Never

Description Yair Zaslavsky 2013-08-04 08:58:41 EDT
Description of problem:

Let's say domain example.com is open ldap domain which was added to the system using manage-domains.

The administrator would like to add users via REST API.

In the first attempt the administrator passes the user in principal name format of user@domain - this fails (succeeds in other providers such as AD, IPA, RHDS)

curl -k -X POST -H "Accept: application/xml" -H "Content-Type: application/xml" -H "Filter: $filter" \
   -u $U https://rhevm.example.com:443/api/users

However, passing with only username, does work -

curl -k -X POST -H "Accept: application/xml" -H "Content-Type: application/xml" -H "Filter: $filter" \
   -u $U https://rhevm.example.com:443/api/users

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

Actual results:

Expected results:

Additional info:
Comment 2 Yair Zaslavsky 2013-08-04 09:30:46 EDT
LdapQueryMetadataFactoryImpl.setOpenLdap is the problematic method -

In our code we have differentiation between "get user by name" query and "get user by principal name" query - in AD and IPA there are differences in the LDAP queries.

RHDS has no differences in the ldap query to be run, so there is a special utility class that is used to take the principal name (if passed by the API user) and split it to user and domain part (for example - yair@example.com will be split to "yair" and "example.com"), the user part will be then used with the filter which is the same as the one for "get user by name".

Open ldap does not come with UPN support "out of the box" as can be seen in the file - /etc/openldap/schema/inetorgperson.ldif which defines the users part of the schema.

Although may be changed/extended - I would recommend we go for the RHDS-like approach here (for "get user by principal name" use the utility class that splits the "user@domain" to "user" and "domain").
Comment 3 Ondra Machacek 2013-08-07 09:26:46 EDT
I also have the same problem with RHDS.
Comment 4 Yair Zaslavsky 2013-08-07 14:10:17 EDT
Actually, the change should be done at ADSyntaxChecker -

From code review upstream - 
REST API uses a query like "ADUSER@example.com: allnames=whatever" when searching the user that will be added. This query isn't translated into LDAP using the maps in LdapQueryMetadataFactoryImpl, but using ADSyntaxChecker, and there isn't any provision there to remove the @example.com part from the user name (the *LdapQueryFormatter class isn't used there).
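As an added illustration of the approach comments 2 and 4 describe (split "user@domain" into its user and domain parts, then run the ordinary "get user by name" filter with the user part), here is a small Python version. It is not ovirt-engine code and is not taken from the bug: the function names, the `uid` attribute and the `inetOrgPerson` object class are assumptions about an OpenLDAP directory using the stock inetorgperson schema. Two checks a practitioner would want are included: the domain part, when present, must match the domain the directory was configured under, and the user part is escaped per RFC 4515 before it is placed in the filter, so characters in the submitted name cannot change the filter's structure.

```python
"""Normalize a principal name (user@domain) into a user part that is safe to
place in an LDAP search filter, mirroring the split-and-reuse idea from the bug.
Hypothetical helper code; 'uid' and 'inetOrgPerson' are schema assumptions."""

from typing import Optional, Tuple

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it matches literally instead of being parsed as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def split_principal_name(principal: str) -> Tuple[str, Optional[str]]:
    """Split 'user@domain' into ('user', 'domain'); a bare 'user' yields ('user', None).

    Input with more than one '@', or with an empty user or domain part, is rejected
    rather than guessed at.
    """
    parts = principal.split("@")
    if len(parts) == 1:
        user, domain = parts[0], None
    elif len(parts) == 2:
        user, domain = parts
        if not domain:
            raise ValueError("empty domain part in principal name")
    else:
        raise ValueError("principal name must contain at most one '@'")
    if not user:
        raise ValueError("empty user part in principal name")
    return user, domain


def build_user_filter(principal: str, configured_domain: str, uid_attr: str = "uid") -> str:
    """Build the 'get user by name' filter for either 'user' or 'user@domain' input.

    A domain part, when present, must match the domain the directory was added under
    (compared case-insensitively), so a principal from another realm is not silently
    looked up as a local user.
    """
    user, domain = split_principal_name(principal)
    if domain is not None and domain.lower() != configured_domain.lower():
        raise ValueError(f"domain {domain!r} does not match configured domain {configured_domain!r}")
    # Same filter shape for both input forms: only the user part is searched.
    return f"(&(objectClass=inetOrgPerson)({uid_attr}={escape_filter_value(user)}))"


if __name__ == "__main__":
    # Constructed sample inputs: the two forms from the bug plus one with filter metacharacters.
    for name in ("yair@example.com", "yair", "ya*r)(uid=*@example.com"):
        print(name, "->", build_user_filter(name, "example.com"))
```

Both `yair@example.com` and `yair` produce the same filter, which is the behaviour the report asks for; a principal naming a different domain is refused instead of being queried as a local account.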
Comment 6 Ondra Machacek 2013-08-26 08:09:28 EDT
curl -k -X POST -H "Accept: application/xml" -H "Content-Type: application/xml" \
  -d "<user><domain><name>example.com</name></domain><user_name>user0@example.com</user_name><roles/></user>" \
  -u $U $URL/users

User is successfully added to system. Verified on is11.
Comment 7 Itamar Heim 2014-01-21 17:27:51 EST
Closing - RHEV 3.3 Released
Comment 8 Itamar Heim 2014-01-21 17:27:54 EST
Closing - RHEV 3.3 Released
Comment 9 Itamar Heim 2014-01-21 17:30:47 EST
Closing - RHEV 3.3 Released
