Bug #7308: Foreman 1.6.0-RC2 - LDAP broken - Foreman

Actions

Copy link

Bug #7308

closed

Foreman 1.6.0-RC2 - LDAP broken

Added by Jack Watroba over 9 years ago. Updated almost 6 years ago.

Status:

Resolved

Priority:

High

Assignee:

Category:

Authentication

Target version:

1.6.0

Difficulty:

Triaged:

Bugzilla link:

Pull request:

Fixed in Releases:

Found in Releases:

1.6.0

Red Hat JIRA:

Description

Upgraded from 1.5.1 to 1.6.0-RC2, now LDAP authentication is no longer working. The error logs only show "invalid credentials". When I logged in as the local admin, I saw that the Server Type had defaulted to POSIX, I changed this to Active Directory but this did not fix the issue. Also tried added a base group entry, creating a group and tying it to an LDAP group and that did not work either.

Actions

Copy link

Updated by Paul Calabro over 9 years ago

Hi Jack,

I don't think this was introduced in RC2. I think it was one of the earlier releases. I believe what you're seeing might be related to this issue (http://projects.theforeman.org/issues/7003). If so, you can make the change found here (http://projects.theforeman.org/projects/foreman/repository/revisions/02432b498a6b01faed2615e4ddbc16f38648ea35/diff/), which use simple_tls instead of starttls, and try logging in again. That allowed me to login. Hopefully, it will do the same for you.

Best,
Paul

Actions

Copy link

Updated by Dominic Cleal over 9 years ago

Category set to Authentication

Can you provide a bit more info about what's configured? What type of server are you using, what exact settings do you have on the LDAP authentication source - is there an account set? An ldapsearch of the entry would be useful too.

Actions

Copy link

Updated by Jack Watroba over 9 years ago

I verified the simple_tls was properly set.

Foreman server: CentOS 6.4
AD server: Server 2008R2
Port 636

I have a working LDAP account and the authentication was working right before the upgrade. I'm able to do a successful ldapsearch with the same user/cert from the Foreman server after the upgrade. The foreman logs simply show: invalid user.

Actions

Copy link

Updated by Dominic Cleal over 9 years ago

Status changed from New to Need more information

Do you have an account set on the Foreman auth source? What is it?
What's the base DN set to?
What's the DN of the user?
What username are you logging in with?

Thanks.

Actions

Copy link

Updated by Dominic Cleal over 9 years ago

Also useful might be to enable debugging, as a couple more log entries might be made:
http://projects.theforeman.org/projects/foreman/wiki/Troubleshooting#How-do-I-enable-debugging

Actions

Copy link

Updated by Jack Watroba over 9 years ago

1. Yes, we have a dedicated account for LDAP queries. Call it ldapuser
2. BaseDN: ou=users,ou=location,dc=some,dc=company
3. UserDN: cn=ldapuser,ou=users,ou=location,dc=some,dc=company

4. I enabled debugging and tried to log in with my user, which worked before the upgrade, and continues to work on a second Foreman 1.5.1 server. I've verified with my team and all users are experiencing this behavior.

Started POST "/users/login" for x.x.x.x at 2014-09-02 09:04:41 -0700
Processing by UsersController#login as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"oRn6khzmz9DyfcOlNdDZaGyJjFVmS+pQ6KwKuzkvypg=", "login"=>{"login"=>"adminuser", "password"=>"[FILTERED]"}, "commit"=>"Login"}
Setting current user thread-local variable to nil
^[[1m[[36mUser Load (1.2ms)^[[0m ^{[[1mSELECT "users".* FROM "users" WHERE "users"."login" = 'adminuser' LIMIT 1}[[0m
^[[1m[[35mAuthSource Load (1.1ms)^[[0m SELECT "auth_sources".* FROM "auth_sources" WHERE "auth_sources"."id" = 2 LIMIT 1
LDAP-Auth with User adminuser
Result: 49
Message: Invalid Credentials
Failed to authenticate adminuser
Failed to authenticate Admin User against LDAP-Some.Company authentication source
invalid user
Setting current user thread-local variable to nil
Redirected to https://foreman/users/login
Completed 302 Found in 496ms (ActiveRecord: 8.9ms)