Bug #7308

Foreman 1.6.0-RC2 - LDAP broken

Added by Jack Watroba almost 5 years ago. Updated about 1 year ago.

Status: Resolved
Priority: High
Assignee: -
Category: Authentication

Description

Upgraded from 1.5.1 to 1.6.0-RC2, now LDAP authentication is no longer working. The error logs only show "invalid credentials". When I logged in as the local admin, I saw that the Server Type had defaulted to POSIX. I changed this to Active Directory but this did not fix the issue. Also tried adding a base group entry, creating a group and tying it to an LDAP group, and that did not work either.

History

#1 Updated by Paul Calabro almost 5 years ago

Hi Jack,

I don't think this was introduced in RC2. I think it was one of the earlier releases. I believe what you're seeing might be related to this issue (http://projects.theforeman.org/issues/7003). If so, you can make the change found here (http://projects.theforeman.org/projects/foreman/repository/revisions/02432b498a6b01faed2615e4ddbc16f38648ea35/diff/), which uses simple_tls instead of starttls, and try logging in again. That allowed me to log in. Hopefully, it will do the same for you.

Best,
Paul

#2 Updated by Dominic Cleal almost 5 years ago

  • Category set to Authentication

Can you provide a bit more info about what's configured? What type of server are you using, what exact settings do you have on the LDAP authentication source - is there an account set? An ldapsearch of the entry would be useful too.

#3 Updated by Jack Watroba almost 5 years ago

I verified the simple_tls was properly set.

Foreman server: CentOS 6.4
AD server: Server 2008R2
Port 636

I have a working LDAP account and the authentication was working right before the upgrade. I'm able to do a successful ldapsearch with the same user/cert from the Foreman server after the upgrade. The foreman logs simply show: invalid user.

#4 Updated by Dominic Cleal almost 5 years ago

  • Status changed from New to Need more information

  1. Do you have an account set on the Foreman auth source? What is it?
  2. What's the base DN set to?
  3. What's the DN of the user?
  4. What username are you logging in with?

Thanks.

#5 Updated by Dominic Cleal almost 5 years ago

Also useful might be to enable debugging, as a couple more log entries might be made:
http://projects.theforeman.org/projects/foreman/wiki/Troubleshooting#How-do-I-enable-debugging

#6 Updated by Jack Watroba almost 5 years ago

1. Yes, we have a dedicated account for LDAP queries. Call it ldapuser
2. BaseDN: ou=users,ou=location,dc=some,dc=company
3. UserDN: cn=ldapuser,ou=users,ou=location,dc=some,dc=company

4. I enabled debugging and tried to log in with my user, which worked before the upgrade, and continues to work on a second Foreman 1.5.1 server. I've verified with my team and all users are experiencing this behavior.

Started POST "/users/login" for x.x.x.x at 2014-09-02 09:04:41 -0700
Processing by UsersController#login as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"oRn6khzmz9DyfcOlNdDZaGyJjFVmS+pQ6KwKuzkvypg=", "login"=>{"login"=>"adminuser", "password"=>"[FILTERED]"}, "commit"=>"Login"}
Setting current user thread-local variable to nil
User Load (1.2ms) SELECT "users".* FROM "users" WHERE "users"."login" = 'adminuser' LIMIT 1
AuthSource Load (1.1ms) SELECT "auth_sources".* FROM "auth_sources" WHERE "auth_sources"."id" = 2 LIMIT 1
LDAP-Auth with User adminuser
Result: 49
Message: Invalid Credentials
Failed to authenticate adminuser
Failed to authenticate Admin User against LDAP-Some.Company authentication source
invalid user
Setting current user thread-local variable to nil
Redirected to https://foreman/users/login
Completed 302 Found in 496ms (ActiveRecord: 8.9ms)

#8 Updated by Jack Watroba almost 5 years ago

Yep, that fixed it.

Thanks!

#9 Updated by Dominic Cleal almost 5 years ago

  • Status changed from Need more information to Resolved

Ah, great find, thanks Chuck and Jack.

I'm pushing the RPM into the 1.6 repos now, should be available in an hour or so.
