Bug #10340

closed

AD auth hangs while syncing user groups on login

Added by Vasil Mikhalenya almost 9 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Category:
Authentication
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Please look at https://github.com/theforeman/foreman/commit/01f8b024199f3bb2951ba1e7fe98959f74b9f3a4#commitcomment-10992439

user.auth_source.update_usergroups(login) broke AD auth for my case: after auth nothing happens, just infinite traffic between Foreman and AD.
Auth worked on 1.7.4.
Commenting out this line fixes the issue.


Related issues: 3 (0 open, 3 closed)

Related to Foreman - Bug #7369: External user groups should be updated on login (Closed, Daniel Lobato Garcia, 09/05/2014)
Related to Foreman - Bug #10493: LDAP broken in 1.8 with $login in account name (Closed, Dominic Cleal, 05/13/2015)
Related to Foreman - Feature #10509: Ability to disable syncing external user groups on login (Closed, Dominic Cleal, 05/14/2015)
Actions #2

Updated by Dominic Cleal almost 9 years ago

  • Related to Bug #7369: External user groups should be updated on login added
Actions #3

Updated by Dominic Cleal almost 9 years ago

Does the refresh button on your external user groups also just hang?

Actions #4

Updated by Vasil Mikhalenya almost 9 years ago

I have no idea how it should work, because we use only one group in AD and use it in the LDAP filter.
It seems to fail in a different way:
I added a group and tried to add a mapping to AD; it fails with "POST /usergroups/1-admins HTTP/1.1" 500

Started PUT "/usergroups/1-admins" for 10.128.60.25 at 2015-05-01 08:26:17 +0000
2015-05-01 08:26:17 [I] Processing by UsergroupsController#update as HTML
2015-05-01 08:26:17 [I] Parameters: {"utf8"=>"✓", "authenticity_token"=>"...............blanked.........................", "usergroup"=>{"name"=>"admins", "user_ids"=>[""], "admin"=>"1", "role_ids"=>["", "9"], "external_usergroups_attributes"=>{"0"=>{"_destroy"=>"false", "name"=>"Server Administration Team", "auth_source_id"=>"2"}, "new_external_usergroups"=>{"_destroy"=>"false", "name"=>"", "auth_source_id"=>"2"}}}, "commit"=>"Submit", "id"=>"1-admins"}
2015-05-01 08:26:17 [I]

But it had been added, because the item and button appeared. When I click the refresh button, I get this:
LdapFluff::ActiveDirectory::MemberService::UIDNotFoundException
LdapFluff::ActiveDirectory::MemberService::UIDNotFoundException
app/models/auth_sources/auth_source_ldap.rb:114:in `users_in_group'
app/models/external_usergroup.rb:32:in `users'
app/models/external_usergroup.rb:18:in `refresh'
app/controllers/external_usergroups_controller.rb:5:in `refresh'
app/controllers/concerns/application_shared.rb:13:in `set_timezone'
app/models/concerns/foreman/thread_session.rb:32:in `clear_thread'
lib/middleware/catch_json_parse_errors.rb:9:in `call'

The same for the rake task:

[v-foreman ~]# foreman-rake ldap:refresh_usergroups
Apipie cache enabled but not present yet. Run apipie:cache rake task to speed up API calls.
Workaround for RbVmomi may not work as ComputeResource is already loaded: ComputeResource
User group Server Administration Team could not be refreshed - LDAP source LDAP-v-dc not available: LdapFluff::ActiveDirectory::MemberService::UIDNotFoundException

Actions #5

Updated by Dominic Cleal almost 9 years ago

  • Release set to 50
Actions #6

Updated by Dominic Cleal almost 9 years ago

  • Related to Bug #10493: LDAP broken in 1.8 with $login in account name added
Actions #7

Updated by Dominic Cleal almost 9 years ago

  • Subject changed from AD auth stops working on 1.8 to AD auth hangs while syncing user groups on login
Actions #8

Updated by Dominic Cleal almost 9 years ago

  • Related to Feature #10509: Ability to disable syncing external user groups on login added
Actions #9

Updated by Dominic Cleal almost 9 years ago

#10509 will provide a workaround by disabling this feature, but I don't understand yet why it's hanging.

If you have the ability to install a nightly version of Foreman on a test server, please do so and enable debugging (http://projects.theforeman.org/projects/foreman/wiki/Troubleshooting#How-do-I-enable-debugging) as nightly builds now have LDAP debugging. It might show us what it's attempting to do.

Actions #10

Updated by Tom Sherrod almost 9 years ago

I've installed the latest via git clone, Version 1.9.0-develop.
Enabled debug.
Created the ldap, with one group.
With User Sync off, I am able to log in; however, I have to do a group refresh before the user has access.
With User Sync enabled, logging in hangs. LDAP-op search loops in a set of groups. Another user attempted to log in with the same result, with a different group looping. Recovery is to kill the process.

Actions #11

Updated by Dominic Cleal almost 9 years ago

What layout are those groups Tom? Is one a member of the other?

Actions #12

Updated by Tom Sherrod almost 9 years ago

Not sure what you mean by layout. The groups are owners of multiple other groups the ID is a member of, so the group is repeated a couple of times when using PowerShell to list out the groups recursively. They are not direct members of each other; however, with this many groups (~180) it may be possible.

Actions #13

Updated by Dominic Cleal almost 9 years ago

  • Release changed from 50 to 56
Actions #14

Updated by Dominic Cleal almost 9 years ago

  • Release deleted (56)
Actions #16

Updated by Dominic Cleal over 8 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100
  • Release set to 62
Actions #17

Updated by Dominic Cleal over 8 years ago

  • Status changed from Closed to Ready For Testing
  • % Done changed from 100 to 50
  • Release deleted (62)

https://github.com/theforeman/ldap_fluff/pull/44 contains a further fix, I think, to prevent the hang.

Actions #18

Updated by Vasil Mikhalenya over 8 years ago

In 1.9.0 the issue still exists, but unchecking 'Usergroup sync' makes it work.

Actions #19

Updated by Mathieu Parent over 8 years ago

The loop has been fixed in https://github.com/theforeman/ldap_fluff/pull/43 and https://github.com/theforeman/ldap_fluff/pull/44.

But this is not the end of the story. If your logins are not lowercase, your groups will be considered empty. This should be solved on the Foreman side.

Also, as the performance of Active Directory is very low, an option to disable recursive search would be better.

I will try to work on those, but I'm very busy currently.

Actions #20

Updated by Dominic Cleal over 8 years ago

  • Status changed from Ready For Testing to Closed
  • Assignee set to Mathieu Parent
  • % Done changed from 50 to 100
  • Release set to 72

Mathieu Parent wrote:

The loop has been fixed in https://github.com/theforeman/ldap_fluff/pull/43 and https://github.com/theforeman/ldap_fluff/pull/44.

But this is not the end of the story. If your logins are not lowercase, your groups will be considered empty. This should be solved on the Foreman side.

You're in luck, Daniel has just been fixing this. I think #11428 and #11407 should fix case insensitivity for both groups and logins.
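The two failure modes discussed in this thread (a nested-group lookup that never terminates when AD group membership contains a cycle, as in comments #10 to #12, and a login comparison that treats mixed-case sAMAccountNames as non-members, as in comments #19 and #20) can both be shown in a few lines. The following is an added illustration, not code from Foreman or ldap_fluff, and it does not reproduce the actual fix in the linked pull requests. The DIRECTORY hash is a constructed, in-memory stand-in for what an AD `member` lookup returns, and the function names are hypothetical.

```ruby
require 'set'

# Constructed stand-in for an AD directory: DN => attributes of the entry.
# "admins" contains "ops", and "ops" contains "admins" again, which is the
# membership cycle a recursive expansion has to survive.
DIRECTORY = {
  'CN=admins,OU=Groups,DC=example,DC=com' => {
    objectclass: 'group',
    member: ['CN=ops,OU=Groups,DC=example,DC=com',
             'CN=Alice.Smith,OU=Users,DC=example,DC=com']
  },
  'CN=ops,OU=Groups,DC=example,DC=com' => {
    objectclass: 'group',
    member: ['CN=admins,OU=Groups,DC=example,DC=com', # cycle back to admins
             'CN=Bob.Jones,OU=Users,DC=example,DC=com']
  },
  'CN=Alice.Smith,OU=Users,DC=example,DC=com' => { objectclass: 'user', samaccountname: 'Alice.Smith' },
  'CN=Bob.Jones,OU=Users,DC=example,DC=com'   => { objectclass: 'user', samaccountname: 'bjones' }
}.freeze

# Naive recursive expansion: it keeps no record of which groups were already
# expanded, so the admins -> ops -> admins cycle recurses without end. The
# depth cap exists only so this demonstration raises instead of hanging the
# process the way the login did in the thread.
def users_in_group_naive(group_dn, depth = 0)
  raise 'membership cycle: recursion did not terminate' if depth > 50
  DIRECTORY.fetch(group_dn)[:member].flat_map do |dn|
    entry = DIRECTORY[dn] or next []               # skip DNs we cannot resolve
    entry[:objectclass] == 'group' ? users_in_group_naive(dn, depth + 1) : [entry[:samaccountname]]
  end
end

# Guarded expansion: every group is expanded at most once per lookup. A group
# reached a second time through a cycle contributes nothing further.
def users_in_group(group_dn, seen = Set.new)
  return [] unless seen.add?(group_dn)             # add? is nil when already present
  DIRECTORY.fetch(group_dn)[:member].flat_map do |dn|
    entry = DIRECTORY[dn] or next []
    entry[:objectclass] == 'group' ? users_in_group(dn, seen) : [entry[:samaccountname]]
  end.uniq
end

# sAMAccountName is case-insensitive in AD, so a login typed as "alice.smith"
# must still match the "Alice.Smith" the directory returns. Comparing with
# casecmp? instead of == avoids the "group considered empty" outcome.
def member_of?(login, group_dn)
  users_in_group(group_dn).any? { |name| name.casecmp?(login) }
end

if __FILE__ == $PROGRAM_NAME
  admins = 'CN=admins,OU=Groups,DC=example,DC=com'
  puts "members of admins: #{users_in_group(admins).inspect}"
  puts "alice.smith is a member: #{member_of?('alice.smith', admins)}"
end
```

The `seen` set is the whole difference between the two expansions: with it, a cyclic group graph is walked exactly once; without it, the lookup re-enters the cycle indefinitely and the only recovery is killing the process, as reported above. The case-insensitive compare addresses the separate empty-group symptom; it does not help with the AD performance concern raised in comment #19, which needs the recursive search to be optional.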
