Description of problem:
Let's say domain example.com is an OpenLDAP domain which was added to the system using manage-domains. The administrator would like to add users via the REST API. In the first attempt the administrator passes the user in principal name format of user@domain - this fails (succeeds in other providers such as AD, IPA, RHDS):

  curl -k -X POST -H "Accept: application/xml" -H "Content-Type: application/xml" -H "Filter: $filter" \
    -d "<user><domain><name>example.com</name></domain><user_name>user0@example.com</user_name><roles/></user>" \
    -u $U https://rhevm.example.com:443/api/users

However, passing only the username does work:

  curl -k -X POST -H "Accept: application/xml" -H "Content-Type: application/xml" -H "Filter: $filter" \
    -d "<user><domain><name>example.com</name></domain><user_name>user0</user_name><roles/></user>" \
    -u $U https://rhevm.example.com:443/api/users
LdapQueryMetadataFactoryImpl.setOpenLdap is the problematic method. In our code we have a differentiation between the "get user by name" query and the "get user by principal name" query - in AD and IPA there are differences in the LDAP queries. RHDS has no differences in the LDAP query to be run, so there is a special utility class that is used to take the principal name (if passed by the API user) and split it into user and domain parts (for example - yair will be split to "yair" and "example.com"); the user part will then be used with the filter, which is the same as the one for "get user by name". OpenLDAP does not come with UPN support "out of the box", as can be seen in the file /etc/openldap/schema/inetorgperson.ldif which defines the users part of the schema. Although it may be changed/extended, I would recommend we go for the RHDS-like approach here (for "get user by principal name" use the utility class that splits "user@domain" into "user" and "domain").
I also have same problem with RHDS.
Actually, the change should be done at ADSyntaxChecker. From code review upstream - the REST API uses a query like "ADUSER: allnames=whatever" when searching for the user that will be added. This query isn't translated into LDAP using the maps in LdapQueryMetadataFactoryImpl, but using ADSyntaxChecker, and there isn't any provision there to remove the @example.com part from the user name (the *LdapQueryFormatter class isn't used there).
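The following is an added illustration of the RHDS-style approach proposed in the two comments above (split "user@domain", search with the plain "get user by name" filter); it is not code from the oVirt engine or from any commenter. It assumes OpenLDAP users are inetOrgPerson entries keyed by uid, rejects a principal whose domain differs from the <domain> element of the request, and escapes the user part per RFC 4515 so the value taken from the REST request cannot change the filter's structure.

```python
"""Principal-name handling for an OpenLDAP domain without UPN support (added example)."""

# Assumption: users are inetOrgPerson entries keyed by 'uid', as in the
# /etc/openldap/schema/inetorgperson.ldif schema mentioned in the bug.
USER_BY_NAME_FILTER = "(&(objectClass=inetOrgPerson)(uid={uid}))"

# RFC 4515 escaping of the characters that are special in a filter assertion
# value, so the user part taken from the request cannot alter the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def split_principal_name(name: str, request_domain: str) -> tuple[str, str]:
    """Split 'user@domain' into (user, domain).

    A bare user name is taken to belong to the domain named in the request,
    mirroring the RHDS-style utility class described in the bug.
    """
    if "@" not in name:
        user, domain = name, request_domain
    else:
        user, _, domain = name.rpartition("@")
    if not user or not domain:
        raise ValueError("malformed principal name: %r" % name)
    return user, domain


def build_user_query(name: str, request_domain: str) -> tuple[str, str]:
    """Return (domain, ldap_filter) for a REST <user_name> in either form.

    'user0' and 'user0@example.com' map onto the same 'get user by name'
    filter; a principal whose domain differs from the <domain> element of
    the request is rejected rather than searched in the wrong directory.
    """
    user, domain = split_principal_name(name, request_domain)
    if domain.lower() != request_domain.lower():
        raise ValueError("principal domain %r does not match request domain %r"
                         % (domain, request_domain))
    return request_domain, USER_BY_NAME_FILTER.format(uid=escape_filter_value(user))


if __name__ == "__main__":
    for candidate in ("user0", "user0@example.com", "us*er)(uid=*"):
        print(candidate, "->", build_user_query(candidate, "example.com"))
```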
  curl -k -X POST -H "Accept: application/xml" -H "Content-Type: application/xml" \
    -d "<user><domain><name>example.com</name></domain><user_name>user0</user_name><roles/></user>" \
    -u $U $URL/users

User is successfully added to the system. Verified on is11.
Closing - RHEV 3.3 Released