On Sat, Mar 9, 2019 at 10:43 AM <l.kamara@imperial.ac.uk> wrote:
> I just did a clean install of oVirt 4.3.1 (engine and nodes).
>
> I setup AD authentication and gave an AD group permissions needed work with
> VMs. I gave them PowerUserRole on the Cluster and Storage.
>
> Users in the AD group can login and create VMs but after they log out and
> log back in they don't see any of the VMs created in the previous session.
>
> I noticed that in Administration -> Users a new row is created for each
> user every time they login. All columns for each user are the same: same
> first and last name, same user name, authorization provider, and so on but
> the behavior looks very much like they are being treated as new user every
> time they login.

Ravi, is the above the same issue as the one tracked in https://bugzilla.redhat.com/show_bug.cgi?id=1672860 ?


I have observed the same behaviour with oVirt 4.3.XY

Delving deeper, in the oVirt engine 'users' table, external_id is *not*
being set for AD users as documented in (e.g.)
engines/packaging/dbscripts/common_sp.sql

"The external identifier is the user identifier converted to an array of bytes:"

oVirt 4.3.0:

  username    | user_id                              | external_id
  user@domain | f3de0b27-c2a0-463b-a2ff-d480bd88c77f | ece7b8c2-4983-4c1e-9a33-c28d58d40213


And under oVirt 4.2.8 for comparison:

  username    | user_id                              | external_id
  user@domain | 364d176e-8813-4e67-bdd0-dc10b823d23c | af5bbg/eTkuktBPXW4Ak5g==


Further information on replicating the issue:

1) Configure LDAP authentication:

https://www.ovirt.org/documentation/admin-guide/chap-Users_and_Roles.html#configuring-an-external-ldap-provider


2) Add an LDAP group via the Administration Portal:

Administration >> Users > 'Add' button, click the 'Group'
radio-button, select the relevant LDAP authorization
provider in the drop-down list under 'Search', enter the
LDAP group in the search text-box then click 'GO'.

The found group should appear below.  Select the
toggle-button to the left of the group then click
'Add and Close'.


3) Add SuperUser system permission for the LDAP group.

Back under Administration >> Users, click the 'Group'
button if groups are not already displayed.  Click on
the LDAP group added in the previous step then click
'Permissions' -> 'Add System Permissions'


4) Log into the Administration Portal as an LDAP group member.
Log out, then log back into the Administration Portal as a
member of the LDAP group specified above.  Login should be
successful because that user will inherit the SuperUser
system permission, but note the following issues:

- under Administration >> Users, note that a 'User' icon
is displayed for the LDAP user rather than an 'Admin' icon.
This is in contrast to 4.2.8, where an Admin icon would
be displayed.


5) Repeat step 4 above.
If you log out, then log back into the Administration Portal as
the same member of the LDAP group specified above and
check Administration >> Users, an additional user entry appears:
same First Name, Last Name, Authorization provider, Namespace
and E-mail.
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/PC2JLU65QED36MLLN7I5BJEPYEADKUO2/


--
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.
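The following is an added example and is not code from this thread or from oVirt itself. It builds a small in-memory copy of the three 'users' columns quoted above (using sqlite3 in place of the engine's PostgreSQL database, with a reduced schema that is an assumption of the example) and runs the two checks a practitioner would want after reading the report: whether a directory account has picked up more than one users row, and which form each row's external_id is in, the base64 16-byte value seen on 4.2.8 versus the textual UUID seen on 4.3.0. The first sample row is the 4.3.0 row from the thread; the second is a constructed copy of it with a fresh user_id, i.e. the extra row that appears after logging out and back in; the third is a constructed unrelated user for contrast.

```python
import base64
import sqlite3
import uuid

# Constructed sample rows in the shape of the engine 'users' table, reduced to
# the columns quoted in the thread (the real table has many more columns; the
# reduced schema is an assumption of this example).
SAMPLE_ROWS = [
    # (username, user_id, external_id)
    ("user@domain", "f3de0b27-c2a0-463b-a2ff-d480bd88c77f",   # row quoted for 4.3.0
     "ece7b8c2-4983-4c1e-9a33-c28d58d40213"),
    ("user@domain", "0b1e8d4a-3c7f-4f5e-9a2b-6d8c1e0f2a3b",   # constructed: same identity, new user_id
     "ece7b8c2-4983-4c1e-9a33-c28d58d40213"),
    ("alice@domain", "5d2c9e7f-1a3b-4c8d-9e0f-2b4d6f8a0c1e",  # constructed: single-row user
     "7a1b2c3d-4e5f-4a6b-8c9d-0e1f2a3b4c5d"),
]

# The 4.2.8 external_id quoted in the thread, kept for comparison.
EXTERNAL_ID_4_2_8 = "af5bbg/eTkuktBPXW4Ak5g=="


def build_sample_db():
    """Create an in-memory SQLite copy of the reduced users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, user_id TEXT PRIMARY KEY, external_id TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_duplicate_accounts(conn):
    """Return (username, row_count, distinct_external_ids) for every account
    that owns more than one users row. A count above one with a single
    distinct external_id is the symptom described in the thread: the same
    directory identity keeps being given a brand-new engine user_id."""
    rows = conn.execute(
        "SELECT username, COUNT(*), COUNT(DISTINCT external_id) "
        "FROM users GROUP BY username HAVING COUNT(*) > 1 ORDER BY username"
    ).fetchall()
    return [tuple(r) for r in rows]


def classify_external_id(value):
    """Report which form an external_id is in: 'bytes' for base64 of a 16-byte
    identifier (the 4.2.8 value on the page), 'uuid-text' for a textual UUID
    (the 4.3.0 value on the page), 'other' for anything else."""
    try:
        if len(base64.b64decode(value, validate=True)) == 16:
            return "bytes"
    except ValueError:  # binascii.Error is a ValueError subclass
        pass
    try:
        uuid.UUID(value)
        return "uuid-text"
    except ValueError:
        return "other"


def audit(conn):
    """Per-row report of (username, user_id, external_id form)."""
    return [
        (username, user_id, classify_external_id(external_id))
        for username, user_id, external_id in conn.execute(
            "SELECT username, user_id, external_id FROM users ORDER BY username, user_id"
        )
    ]


if __name__ == "__main__":
    db = build_sample_db()
    for row in find_duplicate_accounts(db):
        print("duplicate rows:", row)
    for row in audit(db):
        print("external_id form:", row)
    print("4.2.8 external_id form:", classify_external_id(EXTERNAL_ID_4_2_8))
```

Against a real engine the same GROUP BY query can be run with psql against the engine database; a result row with a count above one and one distinct external_id is the "new user every login" behaviour, and the form check tells you whether the external_id column holds the byte-array form the SQL comment describes or a plain UUID string.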