Project

General

Profile

Actions
Copy link

Bug #37757

closed

LDAP not working on high availability foreman environment

Added by Jeff S about 2 months ago. Updated about 2 months ago.

Status:
Resolved
Priority:
High
Assignee:
-
Category:
Authentication
Target version:
-
Difficulty:
Triaged:
No
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:
Red Hat JIRA:

Description

We have a load balancer that round robins to each of our 4 foreman servers, they all point to the same redis/postgres server. If I setup a single instance of LDAP, it will auth on one of those servers. If someone tries to log in and the auth gets sent to a different server, it will fail. My current work around was to create 4 duplicate instances of the ldap server, within the UI. I had to make sure that the settings change went to each individual server. Now they can all auth, but that seems like a really poor work around.

Foreman version: 3.10.0
Plugins:
 - foreman-tasks 9.1.1
 - foreman_default_hostgroup 7.0.0
 - foreman_kubevirt 0.1.9
 - foreman_puppet 6.2.0
 - foreman_remote_execution 13.0.0
 - foreman_salt 16.0.2
 - foreman_statistics 2.1.0
 - foreman_templates 9.4.0
 - foreman_vault 2.0.0

2024-08-21T11:08:01 [I|app|78c50d65] Started POST "/users/login" for 10.222.218.3 at 2024-08-21 11:08:01 +0000
2024-08-21T11:08:01 [I|app|78c50d65] Processing by UsersController#login as HTML
2024-08-21T11:08:01 [I|app|78c50d65]   Parameters: {"login"=>{"login"=>"jsparrow", "password"=>"[FILTERED]"}, "authenticity_token"=>"[FILTERED]"}
2024-08-21T11:08:01 [W|app|78c50d65] Could not bind to ActiveDirectory user svc_sse_ldap
2024-08-21T11:08:01 [I|app|78c50d65] Backtrace for 'Could not bind to ActiveDirectory user svc_sse_ldap' error (LdapFluff::Generic::UnauthenticatedException): Could not bind to ActiveDirectory user svc_sse_ldap
 78c50d65 | /usr/share/gems/gems/ldap_fluff-0.6.0/lib/ldap_fluff/generic.rb:76:in `service_bind'
 78c50d65 | /usr/share/gems/gems/ldap_fluff-0.6.0/lib/ldap_fluff/generic.rb:21:in `user_exists?'
 78c50d65 | /usr/share/gems/gems/ldap_fluff-0.6.0/lib/ldap_fluff/ldap_fluff.rb:63:in `block in valid_user?'
 78c50d65 | /usr/share/gems/gems/ldap_fluff-0.6.0/lib/ldap_fluff/ldap_fluff.rb:94:in `block in instrument'
 78c50d65 | /usr/share/gems/gems/activesupport-6.1.7.7/lib/active_support/notifications.rb:203:in `block in instrument'
 78c50d65 | /usr/share/gems/gems/activesupport-6.1.7.7/lib/active_support/notifications/instrumenter.rb:24:in `instrument'
 78c50d65 | /usr/share/gems/gems/activesupport-6.1.7.7/lib/active_support/notifications.rb:203:in `instrument'
 78c50d65 | /usr/share/gems/gems/ldap_fluff-0.6.0/lib/ldap_fluff/ldap_fluff.rb:93:in `instrument'
 78c50d65 | /usr/share/gems/gems/ldap_fluff-0.6.0/lib/ldap_fluff/ldap_fluff.rb:62:in `valid_user?'
 78c50d65 | /usr/share/foreman/app/models/auth_sources/auth_source_ldap.rb:62:in `authenticate'
 78c50d65 | /usr/share/foreman/app/models/user.rb:271:in `try_to_login'
 78c50d65 | /usr/share/foreman/app/controllers/users_controller.rb:127:in `login'
 78c50d65 | /usr/share/gems/gems/actionpack-6.1.7.7/lib/action_controller/metal/basic_implicit_render.rb:6:in `send_action'
 78c50d65 | /usr/share/gems/gems/actionpack-6.1.7.7/lib/abstract_controller/base.rb:228:in `process_action'
 78c50d65 | /usr/share/gems/gems/actionpack-6.1.7.7/lib/action_controller/metal/rendering.rb:30:in `process_action'
 78c50d65 | /usr/share/gems/gems/actionpack-6.1.7.7/lib/abstract_controller/callbacks.rb:42:in `block in process_action'
 78c50d65 | /usr/share/gems/gems/activesupport-6.1.7.7/lib/active_support/callbacks.rb:117:in `block in run_callbacks'
 78c50d65 | /usr/share/foreman/app/controllers/concerns/foreman/controller/timezone.rb:10:in `set_timezone'
 78c50d65 | /usr/share/gems/gems/activesupport-6.1.7.7/lib/active_support/callbacks.rb:126:in `block in run_callbacks'
 78c50d65 | /usr/share/foreman/app/models/concerns/foreman/thread_session.rb:32:in `clear_thread'
 78c50d65 | /usr/share/gems/gems/activesupport-6.1.7.7/lib/active_support/callbacks.rb:126:in `block in run_callbacks'
 78c50d65 | /usr/share/foreman/app/controllers/concerns/foreman/controller/topbar_sweeper.rb:12:in `set_topbar_sweeper_controller'
 78c50d65 | /usr/share/gems/gems/activesupport-6.1.7.7/lib/active_support/callbacks.rb:126:in `block in run_callbacks'
 78c50d65 | /usr/share/gems/gems/audited-5.4.3/lib/audited/sweeper.rb:16:in `around'
 78c50d65 | /usr/share/gems/gems/activesupport-6.1.7.7/lib/active_support/callbacks.rb:126:in `block in run_callbacks'
 78c50d65 | /usr/share/gems/gems/audited-5.4.3/lib/audited/sweeper.rb:16:in `around'
 78c50d65 | /usr/share/gems/gems/activesupport-6.1.7.7/lib/active_support/callbacks.rb:126:in `block in run_callbacks'
 78c50d65 | /usr/share/gems/gems/activesupport-6.1.7.7/lib/active_support/callbacks.rb:137:in `run_callbacks'
 78c50d65 | /usr/share/gems/gems/actionpack-6.1.7.7/lib/abstract_controller/callbacks.rb:41:in `process_action'
 78c50d65 | /usr/share/gems/gems/actionpack-6.1.7.7/lib/action_controller/metal/rescue.rb:22:in `process_action'
 78c50d65 | /usr/share/gems/gems/actionpack-6.1.7.7/lib/action_controller/metal/instrumentation.rb:34:in `block in process_action'
 78c50d65 | /usr/share/gems/gems/activesupport-6.1.7.7/lib/active_support/notifications.rb:203:in `block in instrument'
 78c50d65 | /usr/share/gems/gems/activesupport-6.1.7.7/lib/active_support/notifications/instrumenter.rb:24:in `instrument'
 78c50d65 | /usr/share/gems/gems/activesupport-6.1.7.7/lib/active_support/notifications.rb:203:in `instrument'
 78c50d65 | /usr/share/gems/gems/actionpack-6.1.7.7/lib/action_controller/metal/instrumentation.rb:33:in `process_action'
 78c50d65 | /usr/share/gems/gems/actionpack-6.1.7.7/lib/action_controller/metal/params_wrapper.rb:249:in `process_action'
 78c50d65 | /usr/share/gems/gems/activerecord-6.1.7.7/lib/active_record/railties/controller_runtime.rb:27:in `process_action'
 78c50d65 | /usr/share/gems/gems/actionpack-6.1.7.7/lib/abstract_controller/base.rb:165:in `process'
 78c50d65 | /usr/share/gems/gems/actionview-6.1.7.7/lib/action_view/rendering.rb:39:in `process'
 78c50d65 | /usr/share/gems/gems/actionpack-6.1.7.7/lib/action_controller/metal.rb:190:in `dispatch'
 78c50d65 | /usr/share/gems/gems/actionpack-6.1.7.7/lib/action_controller/metal.rb:254:in `dispatch'
 78c50d65 | /usr/share/gems/gems/actionpack-6.1.7.7/lib/action_dispatch/routing/route_set.rb:50:in `dispatch'
 78c50d65 | /usr/share/gems/gems/actionpack-6.1.7.7/lib/action_dispatch/routing/route_set.rb:33:in `serve'
 78c50d65 | /usr/share/gems/gems/actionpack-6.1.7.7/lib/action_dispatch/journey/router.rb:50:in `block in serve'
 78c50d65 | /usr/share/gems/gems/actionpack-6.1.7.7/lib/action_dispatch/journey/router.rb:32:in `each'
 78c50d65 | /usr/share/gems/gems/actionpack-6.1.7.7/lib/action_dispatch/journey/router.rb:32:in `serve'
 78c50d65 | /usr/share/gems/gems/actionpack-6.1.7.7/lib/action_dispatch/routing/route_set.rb:842:in `call'
 78c50d65 | /usr/share/gems/gems/apipie-dsl-2.6.2/lib/apipie_dsl/static_dispatcher.rb:67:in `call'
 78c50d65 | /usr/share/gems/gems/apipie-rails-1.3.0/lib/apipie/static_dispatcher.rb:74:in `call'
 78c50d65 | /usr/share/gems/gems/actionpack-6.1.7.7/lib/action_dispatch/middleware/static.rb:24:in `call'
 78c50d65 | /usr/share/gems/gems/actionpack-6.1.7.7/lib/action_dispatch/middleware/static.rb:24:in `call'
 78c50d65 | /usr/share/gems/gems/actionpack-6.1.7.7/lib/action_dispatch/middleware/static.rb:24:in `call'
 78c50d65 | /usr/share/gems/gems/actionpack-6.1.7.7/lib/action_dispatch/middleware/static.rb:24:in `call'
 78c50d65 | /usr/share/gems/gems/actionpack-6.1.7.7/lib/action_dispatch/middleware/static.rb:24:in `call'
 78c50d65 | /usr/share/gems/gems/actionpack-6.1.7.7/lib/action_dispatch/middleware/static.rb:24:in `call'
 78c50d65 | /usr/share/gems/gems/actionpack-6.1.7.7/lib/action_dispatch/middleware/static.rb:24:in `call'
 78c50d65 | /usr/share/foreman/lib/foreman/middleware/libvirt_connection_cleaner.rb:9:in `call'
 78c50d65 | /usr/share/foreman/lib/foreman/middleware/telemetry.rb:10:in `call'
 78c50d65 | /usr/share/gems/gems/apipie-rails-1.3.0/lib/apipie/middleware/checksum_in_headers.rb:27:in `call'
 78c50d65 | /usr/share/gems/gems/rack-2.2.4/lib/rack/tempfile_reaper.rb:15:in `call'
 78c50d65 | /usr/share/gems/gems/rack-2.2.4/lib/rack/etag.rb:27:in `call'
 78c50d65 | /usr/share/gems/gems/rack-2.2.4/lib/rack/conditional_get.rb:40:in `call'
 78c50d65 | /usr/share/gems/gems/rack-2.2.4/lib/rack/head.rb:12:in `call'
 78c50d65 | /usr/share/gems/gems/actionpack-6.1.7.7/lib/action_dispatch/http/permissions_policy.rb:22:in `call'
 78c50d65 | /usr/share/gems/gems/actionpack-6.1.7.7/lib/action_dispatch/http/content_security_policy.rb:19:in `call'
 78c50d65 | /usr/share/foreman/lib/foreman/middleware/logging_context_session.rb:22:in `call'
 78c50d65 | /usr/share/gems/gems/rack-2.2.4/lib/rack/session/abstract/id.rb:266:in `context'
 78c50d65 | /usr/share/gems/gems/rack-2.2.4/lib/rack/session/abstract/id.rb:260:in `call'
 78c50d65 | /usr/share/gems/gems/actionpack-6.1.7.7/lib/action_dispatch/middleware/cookies.rb:697:in `call'
 78c50d65 | /usr/share/gems/gems/actionpack-6.1.7.7/lib/action_dispatch/middleware/callbacks.rb:27:in `block in call'
 78c50d65 | /usr/share/gems/gems/activesupport-6.1.7.7/lib/active_support/callbacks.rb:98:in `run_callbacks'
 78c50d65 | /usr/share/gems/gems/actionpack-6.1.7.7/lib/action_dispatch/middleware/callbacks.rb:26:in `call'
 78c50d65 | /usr/share/gems/gems/actionpack-6.1.7.7/lib/action_dispatch/middleware/actionable_exceptions.rb:18:in `call'
 78c50d65 | /usr/share/gems/gems/actionpack-6.1.7.7/lib/action_dispatch/middleware/debug_exceptions.rb:29:in `call'
 78c50d65 | /usr/share/gems/gems/actionpack-6.1.7.7/lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'
 78c50d65 | /usr/share/gems/gems/railties-6.1.7.7/lib/rails/rack/logger.rb:37:in `call_app'
 78c50d65 | /usr/share/gems/gems/railties-6.1.7.7/lib/rails/rack/logger.rb:28:in `call'
 78c50d65 | /usr/share/gems/gems/sprockets-rails-3.4.2/lib/sprockets/rails/quiet_assets.rb:13:in `call'
 78c50d65 | /usr/share/foreman/lib/foreman/middleware/logging_context_request.rb:11:in `call'
 78c50d65 | /usr/share/gems/gems/actionpack-6.1.7.7/lib/action_dispatch/middleware/remote_ip.rb:81:in `call'
 78c50d65 | /usr/share/gems/gems/request_store-1.6.0/lib/request_store/middleware.rb:19:in `call'
 78c50d65 | /usr/share/gems/gems/actionpack-6.1.7.7/lib/action_dispatch/middleware/request_id.rb:26:in `call'
 78c50d65 | /usr/share/gems/gems/rack-2.2.4/lib/rack/method_override.rb:24:in `call'
 78c50d65 | /usr/share/gems/gems/rack-2.2.4/lib/rack/runtime.rb:22:in `call'
 78c50d65 | /usr/share/gems/gems/activesupport-6.1.7.7/lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'
 78c50d65 | /usr/share/gems/gems/actionpack-6.1.7.7/lib/action_dispatch/middleware/executor.rb:14:in `call'
 78c50d65 | /usr/share/gems/gems/rack-2.2.4/lib/rack/sendfile.rb:110:in `call'
 78c50d65 | /usr/share/gems/gems/actionpack-6.1.7.7/lib/action_dispatch/middleware/ssl.rb:77:in `call'
 78c50d65 | /usr/share/gems/gems/actionpack-6.1.7.7/lib/action_dispatch/middleware/host_authorization.rb:142:in `call'
 78c50d65 | /usr/share/gems/gems/secure_headers-6.5.0/lib/secure_headers/middleware.rb:11:in `call'
 78c50d65 | /usr/share/gems/gems/railties-6.1.7.7/lib/rails/engine.rb:539:in `call'
 78c50d65 | /usr/share/gems/gems/railties-6.1.7.7/lib/rails/railtie.rb:207:in `public_send'
 78c50d65 | /usr/share/gems/gems/railties-6.1.7.7/lib/rails/railtie.rb:207:in `method_missing'
 78c50d65 | /usr/share/gems/gems/rack-2.2.4/lib/rack/urlmap.rb:74:in `block in call'
 78c50d65 | /usr/share/gems/gems/rack-2.2.4/lib/rack/urlmap.rb:58:in `each'
 78c50d65 | /usr/share/gems/gems/rack-2.2.4/lib/rack/urlmap.rb:58:in `call'
 78c50d65 | /usr/share/gems/gems/puma-6.4.2/lib/puma/configuration.rb:272:in `call'
 78c50d65 | /usr/share/gems/gems/puma-6.4.2/lib/puma/request.rb:100:in `block in handle_request'
 78c50d65 | /usr/share/gems/gems/puma-6.4.2/lib/puma/thread_pool.rb:378:in `with_force_shutdown'
 78c50d65 | /usr/share/gems/gems/puma-6.4.2/lib/puma/request.rb:99:in `handle_request'
 78c50d65 | /usr/share/gems/gems/puma-6.4.2/lib/puma/server.rb:464:in `process_client'
 78c50d65 | /usr/share/gems/gems/puma-6.4.2/lib/puma/server.rb:245:in `block in run'
 78c50d65 | /usr/share/gems/gems/puma-6.4.2/lib/puma/thread_pool.rb:155:in `block in spawn_thread'
 78c50d65 | /usr/share/gems/gems/logging-2.3.1/lib/logging/diagnostic_context.rb:474:in `block in create_with_logging_context'
2024-08-21T11:08:01 [I|app|78c50d65]   Rendered common/500.html.erb within layouts/application (Duration: 1.2ms | Allocations: 562)
2024-08-21T11:08:01 [I|app|78c50d65]   Rendered layouts/base.html.erb (Duration: 2.3ms | Allocations: 1837)
2024-08-21T11:08:01 [I|app|78c50d65]   Rendered layout layouts/application.html.erb (Duration: 4.1ms | Allocations: 2677)
2024-08-21T11:08:01 [I|app|78c50d65] Completed 500 Internal Server Error in 58ms (Views: 4.6ms | ActiveRecord: 23.3ms | Allocations: 6094)

Here is a successful rails login on .152:

1724238948.915660 [0 10.222.206.152:34402] "get" "foreman:failed_login_10.222.218.3" 
1724238948.918630 [0 10.222.206.152:34402] "get" "foreman:webpack_foreman_vendor_js" 
1724238955.658344 [0 10.222.206.152:34402] "get" "foreman:failed_login_10.222.218.3" 
1724238955.864366 [0 10.222.206.152:34402] "del" "foreman:user/5/taxonomy_and_child_ids/organizations" 
1724238955.864929 [0 10.222.206.152:34402] "del" "foreman:user/5/taxonomy_and_child_ids/locations" 
1724238955.865940 [0 10.222.206.152:34402] "del" "foreman:views/tabs_and_title_records-5" 
1724238956.130330 [0 10.222.206.152:34402] "del" "foreman:user/5/taxonomy_and_child_ids/organizations" 
1724238956.130868 [0 10.222.206.152:34402] "del" "foreman:user/5/taxonomy_and_child_ids/locations" 
1724238956.132013 [0 10.222.206.152:34402] "del" "foreman:views/tabs_and_title_records-5" 
1724238956.143475 [0 10.222.206.152:34402] "del" "foreman:views/tabs_and_title_records-5" 
1724238956.216965 [0 10.222.206.152:34402] "del" "foreman:views/tabs_and_title_records-5" 
1724238956.330156 [0 10.222.206.152:34402] "get" "foreman:webpack_foreman_vendor_js" 
1724238956.332011 [0 10.222.206.152:34402] "get" "foreman:views/tabs_and_title_records-5" 
1724238956.345126 [0 10.222.206.152:34402] "set" "foreman:views/tabs_and_title_records-5" "\x04\bo: ActiveSupport::Cache::Entry\n:\x0b@value\"\x02~\ax\x9c\xed[\xedo\xd46\x1c\x96\xa6\tM\xfb+\xa2N\xdb\x17\xb8\xf7\x17\xda\x1b\xb0u\xb40&\n\xa8w\xa0I\bE>\xc7\xb93ulc;w\x1cS\xff\xf7\xd9y\xe9\xc5\xb9K\x13(M\x90\xb6~h\xaa\xe4\xf9\xd9\x8f\x9d\xdf\xcbc;\xfd\xfe\x87g\a\xdf\xfd=t\x92\x9f\a>\x13(\x00\xb4%\x10\x80\xaa\x05Y\xc0\x19ET9\x14\x04\xe8\xe1\xc1\xb9\xb9{\xcc\xf9\x81\xe3\x01\x05Z\\0.\x1f\x1e\xfc\xf3\xcb\x87\x90\xa9_\t\xd8\xb0P\xc5\x7fO\x92{\x01\xa2ar\xe7mrKm8Jn\xc5\x17\x19\xce\xdd-\xee^|1\xfdY\xa83F\xb1b\xc2\x02a\xc8\xa8\x05\xf2\x81\xe3\x83\x96\x02p\xc9\x02\xa4\x90\x8d\x86KL<\x81h\x19\x1f\xacP`\x19\xa2\x8fz\xd4\tD\x89\x10%\xb7\x97* .\xe3\n3*\xd3Q_\x16\xd1?\x01r9g@xV\xcb\xa1 \x16\xaa\x13_.\xef}\x117\x1f\x10\xf9E\xe4\xfedR9S\x05T(\x91\xbc\x9e\xe0RC]iA\xebf\xfbD\xb7Q\xc2\xd2\xd7\x10w\x05H\xd8\x14\xc7\xe3\xd0\xc3e$A\x06S7\xbf\x99\x8e\x03\xafl\x12\xe3T\x10\xbdm,\x15\x86\xb2\xa32fuS\x9e^\xd1\xf8l\xda2gZ7\xf5\xbf\xd8\xbc\x84\xf4{6w1]1\b2-\x16\xd3\xf4\xf0\n{\xb9\xf4\xb6\xd3\xeb9\xe2L4\xe5`\x8f\x19\xf5\xf1\xc29\x03\x14,\x90\xce\xee\xea\xfa\xf1\xc3\b\xee\x8a\x98\xf2o\x12\x01\x01\x97\x0f\xd1J\x1b\xfa!\xb9\xfb\xf3\xe0\xe4\xae\xc9\xbc\xcd\x8c%\x9eHg\x86\x02N\x80*\xcb\x90*\x85u\xe2\xd1\xb8\xca\xb6\xbb\xe1[}\x12\xbb\xb73\x03\xf2\xa2\xa9\xe4\xb1\xed\xba,\b\x95\x81vTs\\\xcf\x11\x0c\x85\xc0t\xe1<g\x8b\xca\xb9#\xa6-R[\x97dl/\xdf\x15\x8f\xa1\x9a\x941\xe5\xd6&R d$\x12\xab\xdb\x101_^\xd6\bqv\xd9\xef\x15\tM\xe5\x1d-\\\x15\x8aHV\xe0\xd8\xa1h\xdd\x94_.tEB\xa22S\x91\x18|\x95$\xf2J\xb0\x15\x96\x9a\xa8\t\x8c)R!of\x16\x8eu\x96\xd7-C\x15\x8a\xb2\xb4\nv\xa1\xb5\xcbd-\xdf\xd7@ \xe7\x8cy\x88\x94\xf0\r2\x98\xba\x89>\xa3Z\xf1\x10\x12i\t\xe7\x0cy\x18\x94p\xddB\xea\xa6\xfa\x92#\xa1y\x1a7\xdch\xf7\x0eJf\x95\xa5p\x99E\xdf0\x1afU\x0b\xf4-\t\xdb\r\x85\x9f+.\\\xa9\x8d\x1a\xe2\xfb\n\b\x85#\xd7\x9a\x819\xa9.\x87\xb8\xca\xc0k'\x9d\xcdx\x9f\xad\xe4x\xc6\xba\xba\x9e\xbb\xb5\xc5\x84\xa3\xaa\r\xc0\xac*\xf2lo\xac^be\xaf\xb3\xb0\x05+P0k-U\xe0\xd2B6\xab`\xa2\xad\x8e\xa7\x82\x85\xbc\x82\x86Ydpu\xbf\xe6\xa7\x84\xcd\x01qt\xb0\x81h+\xab\x84.dA\xc0\xa8\xcbs\xf0\x9b\xea\x84\x90s\xa4\x9c\xd3\x17\x8f\x9b\x99\x84S\xba\xc2\x82Q\xb3~\xac\xa8\xdcy\xc4\xb8\x83v\x0ck\x17\xa2\x04\xc8\xd2\xdd\xb4\x1c\xeb\xf8\x02\xb3\x96\r\xad\xdb\xabDH\x8e|\xb2\x84o2f\xa6\x81.MN4\xf3\x95\x03\xa7\xf8\x15\xe8U\x1f\xbb\b\xb9{\x816_'\x9a\xa6\x80\xa8o=\x8e\xa4\xe6\x18\xfdr\x9b\x0f!\xb3\xe3W\x16A[\xbeZp\x87\x8d\xc9\x8b7@\xe0\nbh\xcbve\x1b\xdc\xbc,?\xa3\xbe\x00R\x890Z!Y\xd8\x9d\xda\xcc}s\xcb\x89/-\x8a\xd4\x9a\x89\x0b\xcb\xa4\xd9\"\x1d\xc7\xb1\x96l\x1fq\xe9\x8c\x1a\xa8\xcb\xb3\xd0\xfaSf\xc0C\x85\x9cs$Y(`\x19c\x18\xc3]a\xc3\x9bb\xadg\xd9\xc7\xa5\x8e\x9b\x92\xe6\x16\xba\xf6\x84\x10\xce\xb5\xb3\x96yD\x16T7\xc3\x13\x16\x00LK\x18zYP\xed\x9b\x18\xb3\xd9\xabj\xa1\xb5T\x8a7\x1bY\xe7\b\x90\xb2\x1d\x01\x91\xc1\xd4\x9f\xf5C\xa2\xf5\x06\xa3\x14\xc1\x8cE\x11\xd5\x95\x81\xbb0\x0f\xbfy\xee\x7f-Q\xa5\x83\xf10\x8fk6\xcd\x9fm\x9cc\bYXv8dh\xcb\xce\xa8\x83<|\xbb\xfa)\xbeF\x9f6h\xe9\xb8d\x9e\xd54\xbf\xda\xa9-\x1c\xd1s\xb6p^\x86\x95\x86C\xd8\xe2\xeak\x89\x9b{\xc0\xb1\x17`\x9a\xd9\x1f\xbe\xde\x0f [|Cn\xf0\xdc>\xf5,\x9a6R\xf5p\xf4\x966*\xc5\x02P\xfc\xa9\nS\xb6\x0b\xad\xff\xfb\x03\xb5\xd4\xc2\x1d\xc7S\xe6L\xab\b\x13\xa0m\xdcF5\x89\xc9c%$CYao\xe3\xf6\xd8UZ\x18\x1b\x8eM.\x83\xcfY\xa9\x9e\x13\xac1\x11\xf7\x87^Uk\xd1^v\x82<\xb7a\xf5K\x8f\x80iu|\xfa\x11\xc10\n\xa1'\bT8\xa5\x12\x91\x99\x8bR3\xd7\xb7\xccj\x17\xccHE\x87%\xd7\x93\x96\x16\xaa\xf6T5ge\x15\x13\xcc\xb3\xa5\xf2]\x023\x154\x87\x93z(\xb2\xb3D\xc0C\xc2\x1c\xda\xb3\x16D=0\x9f\xdf\x1f\x0f\xfbG#o\x0c\xe0}\xd8\x05\xde\xd1\xb0\x0f{\x83\xc3\xd1x0\x1e\x0cGp\xe0\x8d\x8e\xe6p8\xf7=\xef\xc8\xef\xa3\xd1\xc8\x1b\r\xfa\xfd\xf1!\x82\xf7\xef\xb7\xe5\xca\xae\x95\x94)\xec'y\xd5\xddaj=\x15\bb\x8ew\xf6\\\xa4b\xdc\xc5\x01\xd7\x89\x8c\xd1\x82vb\x8d\xb0\x8b\xb4\xe7\xe9J\xce\xa5\xd2\xc5|\xaf\xa0\xfbsw\x9f\xe0T\xcb\x8c\xb6\xb3\x87mm\xf0^r \x04[[}\xf8XH\xb5{\x06\x81|\xdf\x82\x11\xb0\a5\xdd\xd3\x9e^\xf9\xd8C}\xaf\x9bj'=\xff.%\xc4\x14\xb6\xf5j\xd32\x02F\xdd$V\x99\x0f0M\xa7\xd1\xa7\x19\xd4\xcd\xc9\x9c~\xb7?lu\x0f[\xfd\xde\xac;\x9e\xf4F\x93\xd1\xb8\xdd\x1b\x8c[\xdd\xd1\xa4\xdb\xb5\x9b\xde\x16=\xf7j\x8e\x86\xa9.\x8a>&\xf0\\\xa0\xf6\xb4>n\xf5G\xb3\xdep2\xeaOF\x83\xf6\xf8\xf0pO\xeb!\xf7\x8a\x1b8l\xf5\x06\xb3\xee\xa1\xa1\xd7\xed\xb5\x8f\xc6\xbd=\rp\xed\xd2k&<w\tdr\x8c2\xa1!!\xf9\xc7\xf2jk1\xfb\xd8H&\x82v\xef\x83\x95\x96\xb8\xa2\xa0M\x0f\xf9\xd1:%\xabb\xb6S\xb3\a\x98\n\xb3\xbd \xc2\xd6q(Vq6\xe3\x1c.\xa2f_,m*\x9bV\x14\x0e\xd0'F\xf7\x0c\xc8C\x12\n\xcc\xb7\x11\x92\xf4b\xb5\xeeaY\xd4r:\x8f\xbb-\xefu}\xc7\xf2\xec\xcbL8\xba\x9e`\xdcc\xebR)\xfd\xff\xc2\xee?\xb2\xb0K\xab\xd56\x8d\xeb|0\xdfd<-\xedt.\x00\xb5\x89%g\x13V\xaf\x821;\x99t\xecDl\xaf\x92\xf2\x85!}\xbc7'`b\xe2\xc3\xcd7\xf16_B\x06W\xf1\xa8\x88=MT\xaf-u7\x02\x90\xd6\x05\xb4x-\x05\xf2m\xdaW\xddt\x06-\xcbN\xeb\x11\x82`fi\x1c\xff\xa5\xf3Q\xc1\xa0\xf4\x93\xeb\xc6\xb3g9\xb6;\xa6^\xe1\x98\xa6\xd3\xf4\xf4\xb3p(V\x0f\x9d^\xcb\x98\x14\x8c\x02\x9bOs\xa8.6\xfb;r\x92\xcf;'\x8e9,2[KJKu;\x05\xa4-@F\xd2\xff\x87HZ\xf8\xa9\x1b\xfd\xd8\xbe\xac\x1d\x1e\x18\xcf\xb7\xe7\xee\xf53[\x1b\xa6\xf7\xb5\x93\xbe\x02\x8b\x94\xd8\xa8\xbbM\xb0\x9a\xc8\xe6M\xf0\x92\x9a\x13\xf4\x13=6\x95\x82\xb2\xc1\xa7g\xdc\x16\xca\xd6S\t|d\xbe\x9dJ\x1eeJ\xb9\xce\xcd\x9c\x80\xcd\x93\x0f\x1e\xd53\x90\xf9\xc4p\x0f\xe8\x05ZG\x80\x0c\xcf\xa8\x93t\xc0+\x1dg\xf9B0h\xf7\xec\xc2\xea1\xf8:\x17\xbff\xbfSN:\xe9\x89`[J\n[\x90\t\xde\x86\x84\x85^\x87`z!;\xfaI\b\xec7\xf2\xed\xaa\xad\xbcp\xb2J\x95\xdc\xeb\x00\xfa\r\xe6\x16-\xc9\xec\xa6\xb6\x8a\x81\xed\xdby\xfb\xee\xf2\xe0\xd1\x83N\xc1\x7f\r=\xfa\xf1\xce\xe4\xce\xe9\xec_r\an\x89:\r@versionI\"\x00\x06:\x06EF:\x10@created_atf\x171724238956.3441043:\x10@expires_in0:\x10@compressedT" 
1724238956.917437 [0 10.222.206.152:34402] "del" "foreman:views/tabs_and_title_records-5" 
1724238956.918967 [0 10.222.206.152:34402] "get" "foreman:notification-5" 
1724238956.945469 [0 10.222.206.158:34962] "del" "foreman:views/tabs_and_title_records-5" 
1724238956.957420 [0 10.222.206.152:34402] "del" "foreman:views/tabs_and_title_records-5" 
1724238956.981609 [0 10.222.206.152:34402] "del" "foreman:views/tabs_and_title_records-5" 
1724238957.040475 [0 10.222.206.152:34402] "del" "foreman:views/tabs_and_title_records-5" 
1724238957.042954 [0 10.222.206.158:34962] "del" "foreman:views/tabs_and_title_records-5" 
1724238957.050869 [0 10.222.206.152:39018] "del" "foreman:views/tabs_and_title_records-5" 
1724238957.099073 [0 10.222.206.158:34962] "del" "foreman:views/tabs_and_title_records-5" 
1724238957.112681 [0 10.222.206.152:39018] "del" "foreman:views/tabs_and_title_records-5" 
1724238957.119118 [0 10.222.206.158:34962] "del" "foreman:views/tabs_and_title_records-5" 
1724238957.125383 [0 10.222.206.152:34402] "del" "foreman:views/tabs_and_title_records-5

And here is a failed login on .158:

1724238969.936165 [0 10.222.206.152:39018] "get" "foreman:failed_login_10.222.218.3" 
1724238969.944990 [0 10.222.206.152:39018] "get" "foreman:webpack_foreman_vendor_js" 
1724238976.235933 [0 10.222.206.158:34962] "get" "foreman:failed_login_10.222.218.3" 
1724238976.328621 [0 10.222.206.158:34962] "get" "foreman:webpack_foreman_vendor_js" 
1724239085.106217 [0 10.222.206.152:43816] "get" "foreman:failed_login_10.222.218.3"

It would appear that ldap only works from one server. How can we resolve this?

Actions
Copy link
 #1

Updated by Jeff S about 2 months ago

https://community.theforeman.org/t/ldap-support-with-load-balanced-foremans/39135/4

Here is the one that works:

irb(main):002:0> source_now = AuthSourceLdap.find_by_id(4)
=>
#<AuthSourceLdap:0x00007882313d7d00
...
irb(main):003:0> conn = source_now.ldap_con
=>
#<LdapFluff:0x0000788231283878
...

And the one that fails:

irb(main):001:0> source_now = AuthSourceLdap.find_by_id(4)
=>
#<AuthSourceLdap:0x00007e86cd352668
...
irb(main):002:0> conn = source_now.ldap_con
At least one field decryption failed, check ENCRYPTION_KEY
=>
#<LdapFluff:0x00007e86cd5b9000
...
Actions
Copy link
 #2

Updated by Jeff S about 2 months ago

I changed the encryption key to match that of the originally installed foreman server, and now it seems the issue is gone. Ill keep spot checking over the next couple days.

There should probably be some documentation around this, as I see many threads with the same issue/question.

Actions
Copy link
 #3

Updated by Ewoud Kohl van Wijngaarden about 2 months ago

I can confirm that you must have the same encryption key on all servers.

Actions
Copy link
 #4

Updated by Jeff S about 2 months ago

  • Status changed from New to Resolved
Actions
Copy link

Also available in: Atom PDF