Force user_type to UPN when username is a UPN #17690
Conversation
return "#{username}@#{@user_suffix}" | ||
when "mail" | ||
username = "#{username}@#{@user_suffix}" unless @user_suffix.blank? || username =~ /^.+@.+$/ |
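Review bot: the `when "mail"` branch decides that a name is already qualified with `username =~ /^.+@.+$/`, but in Ruby `^` and `$` anchor to line boundaries rather than string ends and the pattern accepts any number of `@` characters (`a@b@c` matches); anchor with `\A` and `\z`, and reuse the same predicate the UPN path relies on (`upn?`) so the two branches cannot disagree on what counts as qualified, e.g. `unless @user_suffix.blank? || upn?(username)`.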
This change is not correct. I'm fixing it now.
Fix has been completed.
@miq-bot assign @abellotti
@abellotti Please review.
lib/miq_ldap.rb (Outdated)
@@ -303,7 +308,9 @@ def fqusername(username) | |||
def get_user_object(username, user_type = nil) | |||
user_type ||= @user_type.split("-").first | |||
user_type = "dn" if self.is_dn?(username) | |||
user_type = "dn" if self.dn?(username) | |||
user_type = "upn" if self.upn?(username) |
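Review bot: the guarded assignments on the `dn?` and `upn?` lines are independent, so for a DN whose RDN value contains `@` (cn=joev@redhat,cn=users,...) the second assignment overwrites `"dn"` with `"upn"`; make the two tests mutually exclusive with the DN check first, e.g. `if dn?(username) then user_type = "dn" elsif upn?(username) then user_type = "upn" end`. Both overrides also fire when the caller passed an explicit `user_type`, so that parameter is only honoured for plain account names; either document that precedence or apply the detection only when `user_type` was nil.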
this needs changing, I believe rdn's in LDAP can have the @ character. so if you have cn=joev@redhat,cn=users,.... the self.upn? call in 312 will return true but would actually be false so then incorrectly setting the user_type. You could use an if/else if structure for 311/312.
@abellotti Thank you. Will do!
lib/miq_ldap.rb (Outdated)
user_type = @user_type.split("-").first | ||
return username if user_type != "mail" && self.upn?(username) |
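Review bot: the early `return username if user_type != "mail" && self.upn?(username)` lets a UPN-shaped login skip the samaccountname prefixing, but it silently depends on the `mail` branch further down doing its own `@` test; a comment stating that precedence, and using `upn?` in both places, would keep the two paths from drifting. The `self.` receiver is also unnecessary on a call to an instance method from within the class.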
Why was this needed?
This was necessary because the "mail" user_type can also have an "@", similar to your comment regarding RDNs in LDAP.
Upon reviewing the old code, where there was logic to handle usernames with "@" when user_type was "mail", I realized this change was necessary.
@miq-bot add_label blocker
@jvlcek if this can be backported, can you add the gaprindashvili/yes label?
Checked commits jvlcek/manageiq@2c9d3ef~...a45e59f with ruby 2.3.3, rubocop 0.52.1, haml-lint 0.20.0, and yamllint 1.10.0
lib/miq_ldap.rb
@miq-bot add_label gaprindashvili/yes
@gtanzillo Please take a look.
Hi @jvlcek, code looks good. Can you test against AD with user type DN (unless you did already)? Thanks.
@abellotti Tests against AD with user type DN were successful! Wee HA!
LGTM!! Thanks @jvlcek for the additional testing. 👍
@jvlcek
Force user_type to UPN when username is a UPN (cherry picked from commit c14bb2c) Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1603058
@jvlcek Added the Gaprindashvili backport details:
When ordering a remote service, the userid passed to the remote is taken from the database's userid field, which can be either a UPN or a full DN. If it is a UPN and the authentication configuration specifies samaccountname for User Type, the domain prefix is erroneously prepended to the username, causing group lookup to fail.
This PR plugs this edge case by not prepending the domain prefix to the username if the username is already in UPN format.
Testing Done
In addition to the updated spec tests included in this PR I configured a service on a remote region on a live appliance and successfully ordered it from the global region while logged in as a:
Links
Steps for Testing/QA
with the User Type of samaccountname
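The two rules discussed in this thread, the DN-with-`@` edge case from the review (a DN must be recognised before a UPN test is trusted) and the "do not re-prefix an already qualified name" rule from the PR description, as an added example that is not the PR's or ManageIQ's own code. The class, the `dn?`/`upn?` regexes, the `DOMAIN\user` prefix shape for samaccountname and the sample names are assumptions made for this illustration; `buggy_classify` reproduces the first revision's two independent guarded assignments for comparison.

```ruby
# Added example, not ManageIQ code: classify an LDAP login name and build
# the fully-qualified name the way the PR discussion describes. The
# "DOMAIN\user" shape for samaccountname and the DN/UPN regexes are
# assumptions made for this illustration.
class LdapNameResolver
  # user_type mirrors the PR: a value such as "dn-uid" is reduced to "dn"
  # by @user_type.split("-").first.
  def initialize(user_type:, user_suffix: nil, domain_prefix: nil)
    @user_type     = user_type.split("-").first
    @user_suffix   = user_suffix
    @domain_prefix = domain_prefix
  end

  # A DN starts with an RDN, i.e. "<attributeType>=<value>". The value may
  # itself contain "@" (cn=joev@redhat,cn=users,...), so this test must be
  # consulted before upn?. Simplified: escaped leading spaces are ignored.
  def dn?(name)
    name.match?(/\A\s*[A-Za-z][A-Za-z0-9.-]*=/)
  end

  # A UPN is "<user>@<realm>": exactly one "@" and no whitespace. On its
  # own this also matches a DN whose first RDN value contains "@", which is
  # exactly why classify checks dn? first.
  def upn?(name)
    name.match?(/\A[^@\s]+@[^@\s]+\z/)
  end

  # The if/elsif structure the reviewer asked for: the DN check wins.
  def classify(name)
    if dn?(name)
      "dn"
    elsif upn?(name)
      "upn"
    else
      @user_type
    end
  end

  # First revision of the PR: two independent guarded assignments, so the
  # second one overwrites "dn" with "upn" for a DN containing "@".
  def buggy_classify(name)
    user_type = @user_type
    user_type = "dn"  if dn?(name)
    user_type = "upn" if upn?(name)
    user_type
  end

  # Build the name sent to the directory. A DN or UPN is already fully
  # qualified and is returned untouched; only bare account names receive
  # the configured prefix or suffix.
  def fqusername(name)
    case classify(name)
    when "dn", "upn"
      name
    when "samaccountname"
      @domain_prefix.to_s.empty? ? name : "#{@domain_prefix}\\#{name}"
    when "mail", "userprincipalname"
      @user_suffix.to_s.empty? ? name : "#{name}@#{@user_suffix}"
    else
      name
    end
  end
end

# Constructed sample names for a quick run; none are taken from the PR.
if __FILE__ == $0
  r = LdapNameResolver.new(user_type: "samaccountname",
                           user_suffix: "example.com",
                           domain_prefix: "EXAMPLE")
  ["jdoe", "jdoe@example.com", "cn=joev@redhat,cn=users,dc=example,dc=com"].each do |n|
    puts "#{n.ljust(45)} classify=#{r.classify(n).ljust(14)} buggy=#{r.buggy_classify(n).ljust(14)} fq=#{r.fqusername(n)}"
  end
end
```

The samaccountname resolver leaves `jdoe@example.com` and the DN untouched and only prefixes the bare `jdoe`; the same DN comes back as `upn` from `buggy_classify` and as `dn` from `classify`, which is the difference the reviewer pointed out.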