
Bug #10340

AD auth hangs while syncing user groups on login

Added by Vasil Mikhalenya over 3 years ago. Updated 5 months ago.

Status: Closed
Priority: Normal
Category: Authentication

Description

Please look at https://github.com/theforeman/foreman/commit/01f8b024199f3bb2951ba1e7fe98959f74b9f3a4#commitcomment-10992439

user.auth_source.update_usergroups(login) broke AD auth in my case; after auth nothing happens, just infinite traffic between Foreman and AD.
Auth worked on 1.7.4.
Commenting out this line fixes the issue.


Related issues

Related to Foreman - Bug #7369: External user groups should be updated on login (Closed, 2014-09-05)
Related to Foreman - Bug #10493: LDAP broken in 1.8 with $login in account name (Closed, 2015-05-13)
Related to Foreman - Feature #10509: Ability to disable syncing external user groups on login (Closed, 2015-05-14)

History

#2 Updated by Dominic Cleal over 3 years ago

  • Related to Bug #7369: External user groups should be updated on login added

#3 Updated by Dominic Cleal over 3 years ago

Does the refresh button on your external user groups also just hang?

#4 Updated by Vasil Mikhalenya over 3 years ago

I have no idea how it should work because we use only one group in AD and use it in the LDAP filter.
It seems to fail in a different way:
I added a group and tried to add a mapping to AD; it fails with "POST /usergroups/1-admins HTTP/1.1" 500"

Started PUT "/usergroups/1-admins" for 10.128.60.25 at 2015-05-01 08:26:17 +0000
2015-05-01 08:26:17 [I] Processing by UsergroupsController#update as HTML
2015-05-01 08:26:17 [I] Parameters: {"utf8"=>"✓", "authenticity_token"=>"...............blanked.........................", "usergroup"=>{"name"=>"admins", "user_ids"=>[""], "admin"=>"1", "role_ids"=>["", "9"], "external_usergroups_attributes"=>{"0"=>{"_destroy"=>"false", "name"=>"Server Administration Team", "auth_source_id"=>"2"}, "new_external_usergroups"=>{"_destroy"=>"false", "name"=>"", "auth_source_id"=>"2"}}}, "commit"=>"Submit", "id"=>"1-admins"}
2015-05-01 08:26:17 [I]

But it had been added, because the item and button appeared. When I click the refresh button, I get this:
LdapFluff::ActiveDirectory::MemberService::UIDNotFoundException
LdapFluff::ActiveDirectory::MemberService::UIDNotFoundException
app/models/auth_sources/auth_source_ldap.rb:114:in `users_in_group'
app/models/external_usergroup.rb:32:in `users'
app/models/external_usergroup.rb:18:in `refresh'
app/controllers/external_usergroups_controller.rb:5:in `refresh'
app/controllers/concerns/application_shared.rb:13:in `set_timezone'
app/models/concerns/foreman/thread_session.rb:32:in `clear_thread'
lib/middleware/catch_json_parse_errors.rb:9:in `call'

The same for the rake task:

[v-foreman ~]# foreman-rake ldap:refresh_usergroups
Apipie cache enabled but not present yet. Run apipie:cache rake task to speed up API calls.
Workaround for RbVmomi may not work as ComputeResource is already loaded: ComputeResource
User group Server Administration Team could not be refreshed - LDAP source LDAP-v-dc not available: LdapFluff::ActiveDirectory::MemberService::UIDNotFoundException

#5 Updated by Dominic Cleal over 3 years ago

  • Legacy Backlogs Release (now unused) set to 50

#6 Updated by Dominic Cleal over 3 years ago

  • Related to Bug #10493: LDAP broken in 1.8 with $login in account name added

#7 Updated by Dominic Cleal over 3 years ago

  • Subject changed from AD auth stops working on 1.8 to AD auth hangs while syncing user groups on login

#8 Updated by Dominic Cleal over 3 years ago

  • Related to Feature #10509: Ability to disable syncing external user groups on login added

#9 Updated by Dominic Cleal over 3 years ago

#10509 will provide a workaround by disabling this feature, but I don't understand yet why it's hanging.

If you have the ability to install a nightly version of Foreman on a test server, please do so and enable debugging (http://projects.theforeman.org/projects/foreman/wiki/Troubleshooting#How-do-I-enable-debugging) as nightly builds now have LDAP debugging. It might show us what it's attempting to do.

#10 Updated by Tom Sherrod over 3 years ago

I've installed the latest via git clone, version 1.9.0-develop.
Enabled debug.
Created the LDAP source, with one group.
With User Sync off, I am able to log in; however, I have to do a group refresh before the user has access.
With User Sync enabled, logging in hangs. The LDAP-op search loops in a set of groups. Another user attempted to log in with the same result, with a different group looping. Recovery is to kill the process.

#11 Updated by Dominic Cleal over 3 years ago

What layout are those groups Tom? Is one a member of the other?

#12 Updated by Tom Sherrod over 3 years ago

Not sure what you mean by layout. The groups are owners of multiple other groups the id is a member of, so the group is repeated a couple of times when using PowerShell to list out the groups recursively. They are not direct members of each other; however, with this many groups (~180) it may be possible.

#13 Updated by Dominic Cleal over 3 years ago

  • Legacy Backlogs Release (now unused) changed from 50 to 56

#14 Updated by Dominic Cleal over 3 years ago

  • Legacy Backlogs Release (now unused) deleted (56)

#16 Updated by Dominic Cleal over 3 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100
  • Legacy Backlogs Release (now unused) set to 62

#17 Updated by Dominic Cleal over 3 years ago

  • Status changed from Closed to Ready For Testing
  • % Done changed from 100 to 50
  • Legacy Backlogs Release (now unused) deleted (62)

https://github.com/theforeman/ldap_fluff/pull/44 contains a further fix I think to prevent the hang.

#18 Updated by Vasil Mikhalenya over 3 years ago

In 1.9.0 the issue still exists, but unchecking 'Usergroup sync' makes it work.

#19 Updated by Mathieu Parent over 3 years ago

The loop has been fixed in https://github.com/theforeman/ldap_fluff/pull/43 and https://github.com/theforeman/ldap_fluff/pull/44.

But this is not the end of the story. If your logins are not lowercase, your groups will be considered empty. This should be solved on the Foreman side.

Also, as the performance of Active Directory is very low, an option to disable recursive search would be better.

I will try to work on those, but I'm very busy currently.
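An added example, not code from Foreman or ldap_fluff, showing the two failure modes this thread describes on a constructed in-memory directory: a nested-group cycle (admins lists ops as a member and ops lists admins) that a naive recursive expansion would loop on, handled with a visited set, and login comparison done case-insensitively so mixed-case AD logins are not treated as non-members. All DNs, group names and logins are constructed.

```ruby
require 'set'
# Constructed directory: group DN => member DNs (users and nested groups).
# "admins" and "ops" list each other as members, forming a cycle.
DIRECTORY = {
  'cn=admins,dc=example,dc=com' => [
    'cn=Server Administration Team,dc=example,dc=com',
    'cn=ops,dc=example,dc=com',
    'cn=Alice,dc=example,dc=com'
  ],
  'cn=ops,dc=example,dc=com' => [
    'cn=admins,dc=example,dc=com',
    'cn=Bob,dc=example,dc=com'
  ],
  'cn=Server Administration Team,dc=example,dc=com' => [
    'cn=Carol,dc=example,dc=com'
  ]
}.freeze

# Constructed user entries: DN => login as stored in AD (mixed case).
USERS = {
  'cn=Alice,dc=example,dc=com' => 'Alice',
  'cn=Bob,dc=example,dc=com'   => 'bob',
  'cn=Carol,dc=example,dc=com' => 'CAROL'
}.freeze

# Logins (downcased) of every user reachable from group_dn.
# `seen` holds groups already expanded, so the admins -> ops -> admins
# cycle is walked once instead of recursing forever.
def users_in_group(group_dn, seen = Set.new)
  return [] unless seen.add?(group_dn) # nil when already expanded
  DIRECTORY.fetch(group_dn, []).flat_map do |member|
    if DIRECTORY.key?(member)
      users_in_group(member, seen)
    else
      [USERS.fetch(member).downcase]
    end
  end.uniq
end

# Membership test for a login as typed at the login form; both sides are
# downcased so "Alice" and "alice" match the same AD account.
def member_of?(login, group_dn)
  users_in_group(group_dn).include?(login.downcase)
end

# Login-time sync: the external groups this login belongs to.
def groups_for(login)
  DIRECTORY.keys.select { |dn| member_of?(login, dn) }
end
```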

#20 Updated by Dominic Cleal over 3 years ago

  • Status changed from Ready For Testing to Closed
  • Assignee set to Mathieu Parent
  • % Done changed from 50 to 100
  • Legacy Backlogs Release (now unused) set to 72

Mathieu Parent wrote:

The loop has been fixed in https://github.com/theforeman/ldap_fluff/pull/43 and https://github.com/theforeman/ldap_fluff/pull/44.

But this is not the end of the story. If your logins are not lowercase, your groups will be considered empty. this should be solved on the foreman side.

You're in luck, Daniel has just been fixing this. I think #11428 and #11407 should fix case insensitivity for both groups and logins.
