
Multiple users being created for the same AD account

Open awersate opened this issue 3 years ago • 5 comments

cut domain before \ from username

It fixes user naming when a user is created in ManageIQ. Now, if you log in for the first time under an account like domain\user_name, a user like domain\user_name@domain will be created in ManageIQ, because ManageIQ thinks domain\user_name is the whole username. This creates duplicate users.

After this fix, if you log in for the first time as domain\user_name, user_name@domain, user_name@UPN_suffix, or just user_name, one user of the form user_name@domain will be created in ManageIQ.

Tested on lasker and morphy.

Link to a similar problem: https://talk.manageiq.org/t/multiple-users-being-created-for-the-same-ad-account/5255

Discussed in https://github.com/ManageIQ/manageiq/discussions/21905

awersate avatar Jun 08 '22 12:06 awersate
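The normalization the PR description asks for, written out as an added Ruby example that is not ManageIQ's own code and not the commit under review: the domain before the backslash is cut off, a UPN suffix is mapped back to its domain, a missing domain falls back to a default, and user records are keyed by the resulting user_name@domain so that all four login forms land on one record. The default domain, the UPN-suffix map, and the lowercasing of the userid are assumptions made here, not settings taken from the page.

```ruby
# Added example, not ManageIQ code: collapse the login forms named in the PR
# (DOMAIN\user_name, user_name@domain, user_name@UPN_suffix, bare user_name)
# onto one canonical userid so the same AD account cannot create duplicates.
#
# Assumptions (not from the page): default domain, the UPN suffix -> domain
# map, and case-insensitive userids. Sample values below are constructed.
DEFAULT_DOMAIN = "example.com"                         # constructed
UPN_SUFFIXES   = { "corp.example" => "example.com" }   # constructed

# Split a login into [user, domain]; domain is nil when none was supplied.
# Returns nil for empty or malformed input so callers never look up "".
def split_login(login)
  login = login.to_s.strip
  return nil if login.empty?

  if login.include?("\\")
    # NetBIOS form DOMAIN\user: the PR's fix cuts the part before the
    # backslash. The NetBIOS name is discarded here (assumption: the
    # default domain applies), which mirrors "cut domain before \".
    _netbios, user = login.split("\\", 2)
    return nil if user.nil? || user.empty?
    [user, nil]
  elsif login.include?("@")
    # UPN form user@suffix or user@domain.
    user, domain = login.split("@", 2)
    return nil if user.empty? || domain.nil? || domain.empty?
    [user, domain]
  else
    [login, nil]
  end
end

# Canonical userid: user_name@domain, lowercased (assumption), with a UPN
# suffix translated to its domain and no domain replaced by the default.
def canonical_userid(login, default_domain: DEFAULT_DOMAIN, upn_suffixes: UPN_SUFFIXES)
  parts = split_login(login)
  return nil if parts.nil?

  user, domain = parts
  domain = domain.to_s.downcase
  domain = default_domain.downcase if domain.empty?
  domain = upn_suffixes.fetch(domain, domain)
  "#{user.downcase}@#{domain}"
end

# Simulate first logins: one record per canonical userid, regardless of
# which form the user typed. Returns a hash of userid => record.
def users_after_logins(logins, **opts)
  logins.each_with_object({}) do |login, users|
    userid = canonical_userid(login, **opts)
    next if userid.nil?   # skip malformed logins instead of creating ""

    users[userid] ||= { userid: userid, first_login_as: login }
  end
end

if __FILE__ == $PROGRAM_NAME
  forms = ["EXAMPLE\\jdoe", "jdoe@example.com", "jdoe@corp.example", "jdoe"]
  forms.each { |f| puts "#{f.ljust(20)} -> #{canonical_userid(f)}" }
  puts "distinct users created: #{users_after_logins(forms).size}"
end
```

The backslash branch intentionally discards the NetBIOS prefix rather than trying to match it against a DNS domain, which is the behaviour the PR title describes; a deployment with several trusted domains would need a prefix map in the same way the UPN suffixes are mapped here.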

Checked commit https://github.com/awersate/manageiq/commit/5a420fdb268ef6eac450016dbf8e597ce8baa634 with ruby 2.6.9, rubocop 1.19.1, haml-lint 0.35.0, and yamllint
1 file checked, 0 offenses detected
Everything looks fine. :trophy:

miq-bot avatar Jun 08 '22 12:06 miq-bot

@kbrock are you familiar if we do this already for ldap users? I feel like we did something like this already. I wonder if we can have common code to handle it.

jrafanie avatar Jun 09 '22 16:06 jrafanie

Yeah this definitely came up before, and I believe there is some AD or external auth setting needed to deal with it. Perhaps there's something in the auth guides? https://www.manageiq.org/blog/tags/tutorials/

Fryguy avatar Jun 15 '22 19:06 Fryguy

I tested on different MIQ installations, with different sssd settings, but the problem is that MIQ thinks that the domain\username is a whole username. But if AD does not return the domain, then a user without a domain will be created in MIQ

awersate avatar Jun 16 '22 08:06 awersate

Looking through authenticator/httpd.rb and it doesn't look like it will do lookups or creates correctly when the name comes across as name\\domain.

I thought ldap had a number of different formats. Wonder if apache is not configured correctly for AD

kbrock avatar Jun 21 '22 20:06 kbrock

This pull request has been automatically marked as stale because it has not been updated for at least 3 months.

If these changes are still valid, please remove the stale label, make any changes requested by reviewers (if any), and ensure that this issue is being looked at by the assigned/reviewer(s)

Thank you for all your contributions! More information about the ManageIQ triage process can be found in the triage process documentation.

miq-bot avatar Feb 27 '23 00:02 miq-bot

LGTM :shipit:

kbrock avatar May 24 '23 18:05 kbrock

Do we also need to take care of other areas that strip off the domain from the user/group? Maybe these are coming across only as @ domains?

  • https://github.com/ManageIQ/manageiq/blob/master/app/models/miq_group.rb#L149

I really like the idea of normalizing these from backslash. It is cool that some places don't just drop the domain but rather normalize for it:

  • https://github.com/ManageIQ/manageiq/blob/master/app/models/authenticator/base.rb#L214

kbrock avatar May 31 '23 00:05 kbrock

This pull request has been automatically marked as stale because it has not been updated for at least 3 months.

If these changes are still valid, please remove the stale label, make any changes requested by reviewers (if any), and ensure that this issue is being looked at by the assigned/reviewer(s)

Thank you for all your contributions! More information about the ManageIQ triage process can be found in the triage process documentation.

miq-bot avatar Sep 04 '23 00:09 miq-bot

I'm good with this @jrafanie you ok with this?

kbrock avatar Oct 17 '23 20:10 kbrock

Skipping backport to quinteros, because it is already in the branch.

Fryguy avatar Oct 27 '23 15:10 Fryguy