I just did a clean install of oVirt 4.3.1 (engine and nodes).
I set up AD authentication and gave an AD group the permissions needed to work with
VMs. I gave them PowerUserRole on the Cluster and Storage.
Users in the AD group can login and create VMs but after they log out and
log back in they don't see any of the VMs created in the previous session.
I noticed that in Administration -> Users a new row is created for each
user every time they login. All columns for each user are the same: same
first and last name, same user name, authorization provider, and so on but
the behavior looks very much like they are being treated as a new user every
time they login.
I have observed the same behaviour with oVirt 4.3.XY
Delving deeper, in the oVirt engine 'users' table, external_id is *not*
being set for AD users as documented in (e.g.)
engines/packaging/dbscripts/common_sp.sql
"The external identifier is the user identifier converted to an array of
bytes:"
ovirt 4.3.0
username | user_id | external_id
user@domain | f3de0b27-c2a0-463b-a2ff-d480bd88c77f | ece7b8c2-4983-4c1e-9a33-c28d58d40213
And under ovirt 4.2.8 for comparison:
username | user_id | external_id
user@domain | 364d176e-8813-4e67-bdd0-dc10b823d23c | af5bbg/eTkuktBPXW4Ak5g==
Further information on replicating the issue:
1) Configure LDAP authentication:
https://www.ovirt.org/documentation/admin-guide/chap-Users_and_Roles.html...
2) Add an LDAP group via the Administration Portal:
Administration >> Users > 'Add' button, click 'Group'
radio-button, select the relevant LDAP authorization
provider in the drop-down list under 'Search', enter the LDAP group
in the search text-box then click 'GO'.
The found group should appear below. Select the
toggle-button to the left of the group then click
'Add and Close'.
3) Add SuperUser system permission for the LDAP group.
Back under Administration >> Users, click the 'Group'
button if groups are not already displayed. Click on
the LDAP group added in the previous step then click
'Permissions' -> 'Add System Permissions'
4) Log into the Administration Portal as an LDAP group member.
Log out, then log back into the Administration Portal as a
member of the LDAP group specified above. Login should be
successful because that user will inherit the SuperUser
system permission but note the following issues below:
- under Administration >> Users, note that a 'User' icon
is displayed for the LDAP user rather than an 'Admin' icon.
This is in contrast to 4.2.8, where an Admin icon would
be displayed.
5) Repeat step 4 above.
If you log out, then log back into the Administration Portal as
the same member of the LDAP group specified above then
check Administration >> Users, an additional user entry appears:
same First Name, Last Name, Authorization provider, Namespace
and E-mail.
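The duplicate-row symptom above can be checked directly in the engine database rather than by counting icons in the portal. The script below is an added example written for this thread, not oVirt project code: it builds a small in-memory table with the same three columns the 4.2.8 listing shows (username, user_id, external_id), loads constructed rows modelled on the two listings in the post, reports logins that own more than one row, and classifies each external_id as the documented byte-array form (16 raw bytes, base64 in the listing), a plain UUID string as seen in the 4.3.0 listing, or missing. The SQL is written for sqlite so it runs offline; the comment gives the PostgreSQL equivalent for running it with psql against the real engine database. The second and third "user@domain" rows and the "legacy@domain" login are assumptions constructed for the demonstration.

```python
import base64
import binascii
import sqlite3
import uuid

# Constructed sample rows (not a dump of a real engine DB). The first row is the
# 4.3.0 listing from the post; the next two are assumed extra logins of the same
# user, one with no external_id at all; the last reuses the external_id value
# from the post's 4.2.8 listing under an assumed login name.
SAMPLE_ROWS = [
    ("user@domain", "f3de0b27-c2a0-463b-a2ff-d480bd88c77f",
     "ece7b8c2-4983-4c1e-9a33-c28d58d40213"),
    ("user@domain", "5c1a6c0e-0d2b-4e4f-8b5a-1f2e3d4c5b6a",          # assumed 2nd login
     "ece7b8c2-4983-4c1e-9a33-c28d58d40213"),
    ("user@domain", "9f8e7d6c-5b4a-4392-8170-6f5e4d3c2b1a", None),   # assumed 3rd login
    ("legacy@domain", "364d176e-8813-4e67-bdd0-dc10b823d23c",        # assumed login name
     "af5bbg/eTkuktBPXW4Ak5g=="),
]

# One row per login is what the users table should hold; more than one row for the
# same username is the "treated as a new user every time" symptom.
# PostgreSQL/psql equivalent: replace GROUP_CONCAT(external_id, ' | ')
# with string_agg(external_id, ' | ').
DUPLICATE_LOGINS_SQL = """
SELECT username,
       COUNT(*)                          AS row_count,
       COUNT(DISTINCT user_id)           AS distinct_user_ids,
       GROUP_CONCAT(external_id, ' | ')  AS external_ids
FROM users
GROUP BY username
HAVING COUNT(*) > 1
ORDER BY row_count DESC, username
"""


def load_sample_db(rows=SAMPLE_ROWS):
    """Create an in-memory users table with the three columns from the listing."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, user_id TEXT, external_id TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", rows)
    return conn


def find_duplicate_logins(conn):
    """Return one dict per username that owns more than one users row."""
    return [
        {"username": u, "row_count": n, "distinct_user_ids": d, "external_ids": e}
        for u, n, d, e in conn.execute(DUPLICATE_LOGINS_SQL)
    ]


def classify_external_id(value):
    """'byte-array': 16 raw bytes, base64-encoded as in the 4.2.8 listing (the form
    the quoted common_sp.sql comment describes); 'uuid-string': textual UUID as in
    the 4.3.0 listing; 'missing': NULL/empty; 'other': anything else."""
    if value is None or value == "":
        return "missing"
    try:
        uuid.UUID(value)
        return "uuid-string"
    except ValueError:
        pass
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return "other"
    return "byte-array" if len(raw) == 16 else "other"


def audit_external_ids(conn):
    """Map (username, user_id) -> external_id classification for every row."""
    return {
        (username, user_id): classify_external_id(ext)
        for username, user_id, ext in conn.execute(
            "SELECT username, user_id, external_id FROM users")
    }


if __name__ == "__main__":
    db = load_sample_db()
    for dup in find_duplicate_logins(db):
        print(f"{dup['username']}: {dup['row_count']} rows, "
              f"{dup['distinct_user_ids']} distinct user_ids, "
              f"external_id values: {dup['external_ids']}")
    for (username, user_id), kind in sorted(audit_external_ids(db).items()):
        print(f"{username} {user_id} external_id={kind}")
```

On a real engine, run the SELECT with psql as the engine DB user and expect zero rows from the duplicate query; any login returned with distinct_user_ids greater than one is a user whose permissions and VM ownership are scattered across several user_ids.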