Foreman 1.2 can no longer authenticate with 389 DS

When running Foreman 1.1 I had LDAP authentication working with my 389 DS
server. My 389 DS is configured to only allow SSL on port 636 or TLS on
389. The LDAP server uses an InCommon trusted certificate issued by my
university.

VM is CentOS 6.4, fully updated before the Foreman upgrade.

After upgrading to 1.2 without issue, I am unable to authenticate using my
LDAP account. I can still authenticate with the local admin account.

The LDAP settings that generate an error:

Name = LDAP
Host = <ldap FQDN>
Port = 389
TLS = yes
Onthefly register = yes
Account = <DN of bind account>
Password = <Password of bind account>
Base DN = ou=People,<base DN>
attr login = uid
attr firstname = givenName
attr lastname = sn
mail = mail

The error…

Started POST "/users/login" for ***** at 2013-07-13 20:44:48 -0500
Processing by UsersController#login as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"*****", "login"=>{"login"=>"treydock", "password"=>"[FILTERED]"}, "commit"=>"Login"}
Setting current user thread-local variable to nil
User Load (0.3ms) SELECT users.* FROM users WHERE users.login = 'treydock' LIMIT 1
AuthSource Load (0.2ms) SELECT auth_sources.* FROM auth_sources WHERE auth_sources.id = 2 LIMIT 1
LDAP-Auth with User uid=*****
Operation FAILED: SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A
/opt/rh/ruby193/root/usr/share/gems/gems/net-ldap-0.2.2/lib/net/ldap.rb:1126:in `connect'
/opt/rh/ruby193/root/usr/share/gems/gems/net-ldap-0.2.2/lib/net/ldap.rb:1126:in `wrap_with_ssl'
/opt/rh/ruby193/root/usr/share/gems/gems/net-ldap-0.2.2/lib/net/ldap.rb:1163:in `setup_encryption'
/opt/rh/ruby193/root/usr/share/gems/gems/net-ldap-0.2.2/lib/net/ldap.rb:1110:in `initialize'
/opt/rh/ruby193/root/usr/share/gems/gems/net-ldap-0.2.2/lib/net/ldap.rb:632:in `new'
/opt/rh/ruby193/root/usr/share/gems/gems/net-ldap-0.2.2/lib/net/ldap.rb:632:in `search'
/opt/rh/ruby193/root/usr/share/gems/gems/net-ldap-0.2.2/lib/net/ldap.rb:1038:in `search_root_dse'
/opt/rh/ruby193/root/usr/share/gems/gems/net-ldap-0.2.2/lib/net/ldap.rb:1089:in `paged_searches_supported?'
/opt/rh/ruby193/root/usr/share/gems/gems/net-ldap-0.2.2/lib/net/ldap.rb:618:in `search'
/usr/share/foreman/app/models/auth_source_ldap.rb:134:in `search_for_user_entries'
/usr/share/foreman/app/models/auth_source_ldap.rb:39:in `authenticate'
/usr/share/foreman/app/models/user.rb:117:in `try_to_login'
/usr/share/foreman/app/controllers/users_controller.rb:97:in `login'
/opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_controller/metal/implicit_render.rb:4:in `send_action'
/opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/abstract_controller/base.rb:167:in `process_action'
/opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_controller/metal/rendering.rb:10:in `process_action'
/opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/abstract_controller/callbacks.rb:18:in `block in process_action'
/opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:461:in `block (3 levels) in _run__492086408044347043__process_action__1864918965792468347__callbacks'
/opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:215:in `block in _conditional_callback_around_4542'
/opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:326:in `around'
/opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:310:in `_callback_around_917'
/opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:214:in `_conditional_callback_around_4542'
/opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:460:in `block (2 levels) in _run__492086408044347043__process_action__1864918965792468347__callbacks'
/opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:215:in `block in _conditional_callback_around_4541'
/usr/share/foreman/lib/foreman/thread_session.rb:31:in `clear_thread'
/opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:214:in `_conditional_callback_around_4541'
/opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:415:in `block in _run__492086408044347043__process_action__1864918965792468347__callbacks'
/opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:215:in `block in _conditional_callback_around_4540'
/opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:326:in `around'
/opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:310:in `_callback_around_13'
/opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:214:in `_conditional_callback_around_4540'
/opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:414:in `_run__492086408044347043__process_action__1864918965792468347__callbacks'
/opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:405:in `__run_callback'
/opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:385:in `_run_process_action_callbacks'
/opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:81:in `run_callbacks'
/opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/abstract_controller/callbacks.rb:17:in `process_action'
/opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_controller/metal/rescue.rb:29:in `process_action'
/opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_controller/metal/instrumentation.rb:30:in `block in process_action'
/opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/notifications.rb:123:in `block in instrument'
/opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/notifications/instrumenter.rb:20:in `instrument'
/opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/notifications.rb:123:in `instrument'
/opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_controller/metal/instrumentation.rb:29:in `process_action'
/opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_controller/metal/params_wrapper.rb:207:in `process_action'
/opt/rh/ruby193/root/usr/share/gems/gems/activerecord-3.2.8/lib/active_record/railties/controller_runtime.rb:18:in `process_action'
/opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/abstract_controller/base.rb:121:in `process'
/opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/abstract_controller/rendering.rb:45:in `process'
/opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_controller/metal.rb:203:in `dispatch'
/opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_controller/metal/rack_delegation.rb:14:in `dispatch'
/opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_controller/metal.rb:246:in `block in action'
/opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_dispatch/routing/route_set.rb:73:in `call'
/opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_dispatch/routing/route_set.rb:73:in `dispatch'
/opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_dispatch/routing/route_set.rb:36:in `call'
/opt/rh/ruby193/root/usr/share/gems/gems/journey-1.0.4/lib/journey/router.rb:68:in `block in call'
/opt/rh/ruby193/root/usr/share/gems/gems/journey-1.0.4/lib/journey/router.rb:56:in `each'
/opt/rh/ruby193/root/usr/share/gems/gems/journey-1.0.4/lib/journey/router.rb:56:in `call'
/opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_dispatch/routing/route_set.rb:600:in `call'
/opt/rh/ruby193/root/usr/share/gems/gems/apipie-rails-0.0.18/lib/apipie/static_dispatcher.rb:56:in `call'
/opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_dispatch/middleware/best_standards_support.rb:17:in `call'
/opt/rh/ruby193/root/usr/share/gems/gems/rack-1.4.1/lib/rack/etag.rb:23:in `call'
/opt/rh/ruby193/root/usr/share/gems/gems/rack-1.4.1/lib/rack/conditionalget.rb:35:in `call'
/opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_dispatch/middleware/head.rb:14:in `call'
/opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_dispatch/middleware/params_parser.rb:21:in `call'
/opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_dispatch/middleware/flash.rb:242:in `call'
/opt/rh/ruby193/root/usr/share/gems/gems/rack-1.4.1/lib/rack/session/abstract/id.rb:205:in `context'
/opt/rh/ruby193/root/usr/share/gems/gems/rack-1.4.1/lib/rack/session/abstract/id.rb:200:in `call'
/opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_dispatch/middleware/cookies.rb:339:in `call'
/opt/rh/ruby193/root/usr/share/gems/gems/activerecord-3.2.8/lib/active_record/query_cache.rb:64:in `call'
/opt/rh/ruby193/root/usr/share/gems/gems/activerecord-3.2.8/lib/active_record/connection_adapters/abstract/connection_pool.rb:473:in `call'
/opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_dispatch/middleware/callbacks.rb:28:in `block in call'
/opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:405:in `_run__2980553456298173138__call__306548220714324554__callbacks'
/opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:405:in `__run_callback'
/opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:385:in `_run_call_callbacks'
/opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:81:in `run_callbacks'
/opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_dispatch/middleware/callbacks.rb:27:in `call'
/opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_dispatch/middleware/remote_ip.rb:31:in `call'
/opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_dispatch/middleware/debug_exceptions.rb:16:in `call'
/opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_dispatch/middleware/show_exceptions.rb:56:in `call'
/opt/rh/ruby193/root/usr/share/gems/gems/railties-3.2.8/lib/rails/rack/logger.rb:26:in `call_app'
/opt/rh/ruby193/root/usr/share/gems/gems/railties-3.2.8/lib/rails/rack/logger.rb:16:in `call'
/opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_dispatch/middleware/request_id.rb:22:in `call'
/opt/rh/ruby193/root/usr/share/gems/gems/rack-1.4.1/lib/rack/methodoverride.rb:21:in `call'
/opt/rh/ruby193/root/usr/share/gems/gems/rack-1.4.1/lib/rack/runtime.rb:17:in `call'
/opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/cache/strategy/local_cache.rb:72:in `call'
/opt/rh/ruby193/root/usr/share/gems/gems/rack-1.4.1/lib/rack/lock.rb:15:in `call'
/opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_dispatch/middleware/static.rb:62:in `call'
/opt/rh/ruby193/root/usr/share/gems/gems/rack-cache-1.2/lib/rack/cache/context.rb:136:in `forward'
/opt/rh/ruby193/root/usr/share/gems/gems/rack-cache-1.2/lib/rack/cache/context.rb:143:in `pass'
/opt/rh/ruby193/root/usr/share/gems/gems/rack-cache-1.2/lib/rack/cache/context.rb:155:in `invalidate'
/opt/rh/ruby193/root/usr/share/gems/gems/rack-cache-1.2/lib/rack/cache/context.rb:71:in `call!'
/opt/rh/ruby193/root/usr/share/gems/gems/rack-cache-1.2/lib/rack/cache/context.rb:51:in `call'
/opt/rh/ruby193/root/usr/share/gems/gems/railties-3.2.8/lib/rails/engine.rb:479:in `call'
/opt/rh/ruby193/root/usr/share/gems/gems/railties-3.2.8/lib/rails/application.rb:223:in `call'
/opt/rh/ruby193/root/usr/share/gems/gems/railties-3.2.8/lib/rails/railtie/configurable.rb:30:in `method_missing'
/opt/rh/ruby193/root/usr/share/gems/gems/rack-1.4.1/lib/rack/builder.rb:134:in `call'
/opt/rh/ruby193/root/usr/share/gems/gems/rack-1.4.1/lib/rack/urlmap.rb:64:in `block in call'
/opt/rh/ruby193/root/usr/share/gems/gems/rack-1.4.1/lib/rack/urlmap.rb:49:in `each'
/opt/rh/ruby193/root/usr/share/gems/gems/rack-1.4.1/lib/rack/urlmap.rb:49:in `call'
/usr/lib/ruby/gems/1.8/gems/passenger-4.0.5/lib/phusion_passenger/rack/thread_handler_extension.rb:77:in `process_request'
/usr/lib/ruby/gems/1.8/gems/passenger-4.0.5/lib/phusion_passenger/request_handler/thread_handler.rb:140:in `accept_and_process_next_request'
/usr/lib/ruby/gems/1.8/gems/passenger-4.0.5/lib/phusion_passenger/request_handler/thread_handler.rb:108:in `main_loop'
/usr/lib/ruby/gems/1.8/gems/passenger-4.0.5/lib/phusion_passenger/request_handler.rb:441:in `block (3 levels) in start_threads'
Rendered common/500.html.erb within layouts/application (4.0ms)
Completed 500 Internal Server Error in 30ms (Views: 7.9ms | ActiveRecord: 0.5ms)

If I change to port 636 without TLS, the login just hangs forever; this is
the log:

Started POST "/users/login" for ***** at 2013-07-13 20:50:56 -0500
Processing by UsersController#login as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"*****", "login"=>{"login"=>"treydock", "password"=>"[FILTERED]"}, "commit"=>"Login"}
Setting current user thread-local variable to nil
User Load (0.2ms) SELECT users.* FROM users WHERE users.login = 'treydock' LIMIT 1
AuthSource Load (0.2ms) SELECT auth_sources.* FROM auth_sources WHERE auth_sources.id = 2 LIMIT 1
LDAP-Auth with User uid=*****

I've had issues with some versions of Ruby LDAP libraries working with 389 DS,
but it was a now dormant development project.

389-ds-base.x86_64 1.2.11.15-12.el6_4 @updates

ldapsearch works fine on the VM running Foreman.

ldapsearch -x -H ldaps://<ldap FQDN>:636 -b <baseDN> -LLL 'uid=treydock' 'uid'
dn: uid=treydock,ou=People,<baseDN>
uid: treydock

ldapsearch -x -H ldap://<ldap FQDN>:389 -ZZ -b <baseDN> -LLL 'uid=treydock' 'uid'
dn: uid=treydock,ou=People,<baseDN>
uid: treydock

Suggestions, or any other info I could provide to troubleshoot is
appreciated.

Thanks

- Trey

Retrieved 389 DS' log entry when I use TLS in Foreman.

[13/Jul/2013:23:11:03 -0500] conn=11635996 fd=264 slot=264 connection from <Foreman IP> to <389 IP>
[13/Jul/2013:23:11:03 -0500] conn=11635996 op=-1 fd=264 closed error 34 (Numerical result out of range) - B2


So far the only obvious issue, besides the lack of STARTTLS in ruby-net-ldap, is
that the RPM in the Foreman repo for ruby193-rubygem-net-ldap is 0.2.2 and in
the GitHub repo the spec is at 0.3.1 [1]. Hoping this is just a missing RPM
in the Foreman repo and not something more serious.

My latest settings, based on the net-ldap "simple_tls" information [2], use
TLS with port 636, and this is the error now:

Started POST "/users/login" for ***** at 2013-07-14 03:11:07 -0500
Processing by UsersController#login as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"*****", "login"=>{"login"=>"treydock", "password"=>"[FILTERED]"}, "commit"=>"Login"}
Setting current user thread-local variable to nil
User Load (3.7ms) SELECT users.* FROM users WHERE users.login = 'treydock' LIMIT 1
AuthSource Load (0.1ms) SELECT auth_sources.* FROM auth_sources WHERE auth_sources.id = 2 LIMIT 1
LDAP-Auth with User uid=app_bind,ou=Service Accounts,<base DN>
Search Result: 53
Search Message: Unwilling to perform
Failed to authenticate Trey Dockendorf against LDAP LDAP authentication source
invalid user
Setting current user thread-local variable to nil
Redirected to https://<foreman FQDN>/users/login
Setting Load (0.1ms) SELECT settings.* FROM settings WHERE settings.name = 'idle_timeout' ORDER BY name LIMIT 1
Completed 302 Found in 341ms (ActiveRecord: 4.0ms)

My other install of Foreman is somewhat legacy and needs updating, but
still works with the same LDAP server. That install of Foreman 1.0.1 is
using net-ldap 0.3.1 from the old foreman-development repo.

[1] - https://github.com/theforeman/foreman-packaging/blob/master/rpms/epel-6/ruby193-rubygem-net-ldap/rubygem-net-ldap.spec
[2] - http://net-ldap.rubyforge.org/Net/LDAP.html#method-i-encryption
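The setting combinations tried in this thread differ in what the client puts on the wire first: a TLS handshake straight away (the "simple_tls" behaviour visible as `wrap_with_ssl` in the trace), an LDAP StartTLS request (what `ldapsearch -ZZ` does), or a plain LDAP message. The Ruby below is an added illustration, not part of the original posts and not Foreman or net-ldap code; it builds those first bytes and compares them with what each listener expects. The function names, mode symbols and the TLS record header bytes are constructed for the example, and an anonymous bind stands in for whatever LDAP message the client sends first.

```ruby
# Added illustration; not Foreman or net-ldap code. All byte strings are constructed samples.

STARTTLS_OID = "1.3.6.1.4.1.1466.20037" # LDAP StartTLS extended operation (RFC 4511)

# Encode one BER TLV using a short-form length (sufficient for these small PDUs).
def ber(tag, body)
  raise ArgumentError, "long-form length not needed here" if body.bytesize > 127
  [tag, body.bytesize].pack("CC") + body.b
end

# LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }
def starttls_request(message_id = 1)
  ber(0x30, ber(0x02, [message_id].pack("C")) + ber(0x77, ber(0x80, STARTTLS_OID)))
end

# LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, empty DN, empty simple password } }
def anonymous_bind(message_id = 1)
  bind = ber(0x60, ber(0x02, "\x03") + ber(0x04, "") + ber(0x80, ""))
  ber(0x30, ber(0x02, [message_id].pack("C")) + bind)
end

# First bytes the client sends for each (hypothetically named) encryption mode.
def first_flight(mode)
  case mode
  when :simple_tls then [0x16, 0x03, 0x01, 0x00, 0x2f].pack("C*") # TLS record header: handshake
  when :start_tls  then starttls_request
  when :plain      then anonymous_bind
  else raise ArgumentError, "unknown mode #{mode.inspect}"
  end
end

# Classify a byte string by its leading bytes.
def wire_kind(bytes)
  first, second = bytes.bytes
  return :tls_handshake if first == 0x16 && second == 0x03 # TLS handshake record
  return :ldap_message  if first == 0x30                   # BER SEQUENCE = LDAPMessage
  :unknown
end

# What each listener type expects to read first on a new connection.
LISTENER_EXPECTS = { ldap: :ldap_message, ldaps: :tls_handshake }.freeze

def outcome(listener, mode)
  sent = wire_kind(first_flight(mode))
  return :ok if sent == LISTENER_EXPECTS.fetch(listener)
  sent == :tls_handshake ? :tls_sent_to_plain_ldap_listener : :plain_ldap_sent_to_tls_listener
end

# The combinations from the thread, plus the StartTLS case that ldapsearch -ZZ uses.
CASES = [
  ["port 389, TLS = yes (first post)", :ldap,  :simple_tls],
  ["port 636, TLS = no (first post)",  :ldaps, :plain],
  ["port 636, TLS = yes (third post)", :ldaps, :simple_tls],
  ["port 389, StartTLS (ldapsearch -ZZ)", :ldap, :start_tls]
].freeze

def thread_matrix
  CASES.map { |label, listener, mode| [label, outcome(listener, mode)] }
end

if __FILE__ == $PROGRAM_NAME
  puts "StartTLS request: #{starttls_request.unpack1('H*')}"
  thread_matrix.each { |label, result| puts format("%-38s %s", label, result) }
end
```

In the third attempt the transport matches, so the "Unwilling to perform" result (53) is an answer returned over LDAP by the server rather than a TLS failure.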

>> /usr/share/foreman/lib/foreman/thread_session.rb:31:in `clear_thread' >> /opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:214:in >> `_conditional_callback_around_4541' >> /opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:415:in >> `block in >> _run__492086408044347043__process_action__1864918965792468347__callbacks' >> /opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:215:in >> `block in _conditional_callback_around_4540' >> /opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:326:in >> `around' >> /opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:310:in >> `_callback_around_13' >> /opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:214:in >> `_conditional_callback_around_4540' >> /opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:414:in >> `_run__492086408044347043__process_action__1864918965792468347__callbacks' >> /opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:405:in >> `__run_callback' >> /opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:385:in >> `_run_process_action_callbacks' >> /opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:81:in >> `run_callbacks' >> /opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/abstract_controller/callbacks.rb:17:in >> `process_action' >> /opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_controller/metal/rescue.rb:29:in >> `process_action' >> /opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_controller/metal/instrumentation.rb:30:in >> `block in process_action' >> 
/opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/notifications.rb:123:in >> `block in instrument' >> /opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/notifications/instrumenter.rb:20:in >> `instrument' >> /opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/notifications.rb:123:in >> `instrument' >> /opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_controller/metal/instrumentation.rb:29:in >> `process_action' >> /opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_controller/metal/params_wrapper.rb:207:in >> `process_action' >> /opt/rh/ruby193/root/usr/share/gems/gems/activerecord-3.2.8/lib/active_record/railties/controller_runtime.rb:18:in >> `process_action' >> /opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/abstract_controller/base.rb:121:in >> `process' >> /opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/abstract_controller/rendering.rb:45:in >> `process' >> /opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_controller/metal.rb:203:in >> `dispatch' >> /opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_controller/metal/rack_delegation.rb:14:in >> `dispatch' >> /opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_controller/metal.rb:246:in >> `block in action' >> /opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_dispatch/routing/route_set.rb:73:in >> `call' >> /opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_dispatch/routing/route_set.rb:73:in >> `dispatch' >> /opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_dispatch/routing/route_set.rb:36:in >> `call' >> /opt/rh/ruby193/root/usr/share/gems/gems/journey-1.0.4/lib/journey/router.rb:68:in >> `block in call' >> /opt/rh/ruby193/root/usr/share/gems/gems/journey-1.0.4/lib/journey/router.rb:56:in >> `each' >> 
/opt/rh/ruby193/root/usr/share/gems/gems/journey-1.0.4/lib/journey/router.rb:56:in >> `call' >> /opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_dispatch/routing/route_set.rb:600:in >> `call' >> /opt/rh/ruby193/root/usr/share/gems/gems/apipie-rails-0.0.18/lib/apipie/static_dispatcher.rb:56:in >> `call' >> /opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_dispatch/middleware/best_standards_support.rb:17:in >> `call' >> /opt/rh/ruby193/root/usr/share/gems/gems/rack-1.4.1/lib/rack/etag.rb:23:in >> `call' >> /opt/rh/ruby193/root/usr/share/gems/gems/rack-1.4.1/lib/rack/conditionalget.rb:35:in >> `call' >> /opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_dispatch/middleware/head.rb:14:in >> `call' >> /opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_dispatch/middleware/params_parser.rb:21:in >> `call' >> /opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_dispatch/middleware/flash.rb:242:in >> `call' >> /opt/rh/ruby193/root/usr/share/gems/gems/rack-1.4.1/lib/rack/session/abstract/id.rb:205:in >> `context' >> /opt/rh/ruby193/root/usr/share/gems/gems/rack-1.4.1/lib/rack/session/abstract/id.rb:200:in >> `call' >> /opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_dispatch/middleware/cookies.rb:339:in >> `call' >> /opt/rh/ruby193/root/usr/share/gems/gems/activerecord-3.2.8/lib/active_record/query_cache.rb:64:in >> `call' >> /opt/rh/ruby193/root/usr/share/gems/gems/activerecord-3.2.8/lib/active_record/connection_adapters/abstract/connection_pool.rb:473:in >> `call' >> /opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_dispatch/middleware/callbacks.rb:28:in >> `block in call' >> /opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:405:in >> `_run__2980553456298173138__call__306548220714324554__callbacks' >> /opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:405:in >> 
`__run_callback' >> /opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:385:in >> `_run_call_callbacks' >> /opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/callbacks.rb:81:in >> `run_callbacks' >> /opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_dispatch/middleware/callbacks.rb:27:in >> `call' >> /opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_dispatch/middleware/remote_ip.rb:31:in >> `call' >> /opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_dispatch/middleware/debug_exceptions.rb:16:in >> `call' >> /opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_dispatch/middleware/show_exceptions.rb:56:in >> `call' >> /opt/rh/ruby193/root/usr/share/gems/gems/railties-3.2.8/lib/rails/rack/logger.rb:26:in >> `call_app' >> /opt/rh/ruby193/root/usr/share/gems/gems/railties-3.2.8/lib/rails/rack/logger.rb:16:in >> `call' >> /opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_dispatch/middleware/request_id.rb:22:in >> `call' >> /opt/rh/ruby193/root/usr/share/gems/gems/rack-1.4.1/lib/rack/methodoverride.rb:21:in >> `call' >> /opt/rh/ruby193/root/usr/share/gems/gems/rack-1.4.1/lib/rack/runtime.rb:17:in >> `call' >> /opt/rh/ruby193/root/usr/share/gems/gems/activesupport-3.2.8/lib/active_support/cache/strategy/local_cache.rb:72:in >> `call' >> /opt/rh/ruby193/root/usr/share/gems/gems/rack-1.4.1/lib/rack/lock.rb:15:in >> `call' >> /opt/rh/ruby193/root/usr/share/gems/gems/actionpack-3.2.8/lib/action_dispatch/middleware/static.rb:62:in >> `call' >> /opt/rh/ruby193/root/usr/share/gems/gems/rack-cache-1.2/lib/rack/cache/context.rb:136:in >> `forward' >> /opt/rh/ruby193/root/usr/share/gems/gems/rack-cache-1.2/lib/rack/cache/context.rb:143:in >> `pass' >> /opt/rh/ruby193/root/usr/share/gems/gems/rack-cache-1.2/lib/rack/cache/context.rb:155:in >> `invalidate' >> 
/opt/rh/ruby193/root/usr/share/gems/gems/rack-cache-1.2/lib/rack/cache/context.rb:71:in >> `call!' >> /opt/rh/ruby193/root/usr/share/gems/gems/rack-cache-1.2/lib/rack/cache/context.rb:51:in >> `call' >> /opt/rh/ruby193/root/usr/share/gems/gems/railties-3.2.8/lib/rails/engine.rb:479:in >> `call' >> /opt/rh/ruby193/root/usr/share/gems/gems/railties-3.2.8/lib/rails/application.rb:223:in >> `call' >> /opt/rh/ruby193/root/usr/share/gems/gems/railties-3.2.8/lib/rails/railtie/configurable.rb:30:in >> `method_missing' >> /opt/rh/ruby193/root/usr/share/gems/gems/rack-1.4.1/lib/rack/builder.rb:134:in >> `call' >> /opt/rh/ruby193/root/usr/share/gems/gems/rack-1.4.1/lib/rack/urlmap.rb:64:in >> `block in call' >> /opt/rh/ruby193/root/usr/share/gems/gems/rack-1.4.1/lib/rack/urlmap.rb:49:in >> `each' >> /opt/rh/ruby193/root/usr/share/gems/gems/rack-1.4.1/lib/rack/urlmap.rb:49:in >> `call' >> /usr/lib/ruby/gems/1.8/gems/passenger-4.0.5/lib/phusion_passenger/rack/thread_handler_extension.rb:77:in >> `process_request' >> /usr/lib/ruby/gems/1.8/gems/passenger-4.0.5/lib/phusion_passenger/request_handler/thread_handler.rb:140:in >> `accept_and_process_next_request' >> /usr/lib/ruby/gems/1.8/gems/passenger-4.0.5/lib/phusion_passenger/request_handler/thread_handler.rb:108:in >> `main_loop' >> /usr/lib/ruby/gems/1.8/gems/passenger-4.0.5/lib/phusion_passenger/request_handler.rb:441:in >> `block (3 levels) in start_threads' >> Rendered common/500.html.erb within layouts/application (4.0ms) >> Completed 500 Internal Server Error in 30ms (Views: 7.9ms | ActiveRecord: >> 0.5ms) >> >> >> If I change to port 636 without TLS , the login just hangs forever, this >> is the log >> >> Started POST "/users/login" for ***** at 2013-07-13 20:50:56 -0500 >> Processing by UsersController#login as HTML >> Parameters: {"utf8"=>"✓", "authenticity_token"=>"*****", >> "login"=>{"login"=>"treydock", "password"=>"[FILTERED]"}, "commit"=>"Login"} >> Setting current user thread-local variable to nil >> User Load 
(0.2ms) SELECT `users`.* FROM `users` WHERE `users`.`login` >> = 'treydock' LIMIT 1 >> AuthSource Load (0.2ms) SELECT `auth_sources`.* FROM `auth_sources` >> WHERE `auth_sources`.`id` = 2 LIMIT 1 >> LDAP-Auth with User uid=***** >> >> I've had issues with some versions ruby ldap libraries working with 389 >> DS, but it was a now dormant development project. >> >> 389-ds-base.x86_64 1.2.11.15-12.el6_4 >> @updates >> >> ldapsearch works fine on the VM running Foreman. >> >> # ldapsearch -x -H ldaps://:636 -b -LLL >> 'uid=treydock' 'uid' >> dn: uid=treydock,ou=People, >> uid: treydock >> >> # ldapsearch -x -H ldap://:389 -ZZ -b -LLL >> 'uid=treydock' 'uid' >> dn: uid=treydock,ou=People, >> uid: treydock >> >> Suggestions, or any other info I could provide to troubleshoot is >> appreciated. >> >> Thanks >> - Trey >> >

Yes… Sorry for the late reply… there are two potential issues here:

  1. used incorrect rubygem-netldap, take the right one from [1], we'll
    update it for 1.2.1
  2. if you update puppet as well, ssl validation is forced (as they monkey
    patched the ruby ssl lib, see [2] for more info).

Ohad

[1] http://koji.katello.org/koji/buildinfo?buildID=4641
[2] http://wiki.theforeman.org/issues/2435

Thanks for reply Ohad! I'll grab the katello RPM and see if it solves my
issue tonight or tomorrow. With 1.2, I didn't see a Gemfile.lock IIRC.
Would it be sufficient to just upgrade the rpm from Foreman repo with the
katello RPM?

The SSL cert for my LDAP is from a trusted CA and trusted by the EL6 system
cacerts, so hopefully isn't an issue. I run Puppet 3.2.2 on the Foreman
server, and will keep in mind the Puppet monkey patch if I run into
problems.

Thanks

- Trey
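One way to check the assumption in the reply above, that the LDAP server's certificate still validates once peer verification is enforced (an added example, not code from Foreman, net-ldap, Puppet or either poster). The helper names, the host passed to `probe_ldaps` and the throwaway certificates are all assumptions constructed for illustration.

```ruby
require 'openssl'
require 'socket'

# Trust store backed by the OS CA bundle (on EL6 this is the system cacerts).
def default_store
  OpenSSL::X509::Store.new.tap(&:set_default_paths)
end

# Offline check: does +cert+ chain to one of +trusted_cas+?
# Returns [true/false, OpenSSL's verdict string].
def chain_trusted?(cert, trusted_cas)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |ca| store.add_cert(ca) }
  ok = store.verify(cert)
  [ok, store.error_string]
end

# Online check: TLS handshake against an LDAPS listener (implicit TLS,
# e.g. port 636) with verification enforced, the way a client behaves once
# VERIFY_PEER is forced. Returns a hash describing the outcome.
def probe_ldaps(host, port = 636, store: default_store, timeout: 5)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.cert_store = store
  tcp = Socket.tcp(host, port, connect_timeout: timeout)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.hostname = host               # SNI
  ssl.sync_close = true
  ssl.connect                       # raises SSLError if the chain is untrusted
  ssl.post_connection_check(host)   # raises SSLError on a name mismatch
  { ok: true, subject: ssl.peer_cert.subject.to_s,
    issuer: ssl.peer_cert.issuer.to_s }
rescue OpenSSL::SSL::SSLError, SystemCallError, SocketError => e
  { ok: false, error: "#{e.class}: #{e.message}" }
ensure
  begin
    (ssl || tcp)&.close
  rescue StandardError
    nil
  end
end

# Build a throwaway certificate (constructed test data, not a real CA).
def make_cert(subject, key, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                  # X.509 v3
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(
    ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true)
  )
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true)) if ca
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed scenario: the same leaf certificate checked against a store
# that contains its issuing CA and against a store that does not.
def demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert('/CN=Constructed Test CA', ca_key, ca: true)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  leaf = make_cert('/CN=ldap.example.test', leaf_key,
                   issuer_cert: ca, issuer_key: ca_key)
  { with_ca: chain_trusted?(leaf, [ca]), without_ca: chain_trusted?(leaf, []) }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, (ok, msg)| puts "#{name}: ok=#{ok} (#{msg})" }
  # Against a real server (placeholder host): p probe_ldaps('ldap.example.test')
end
```

Run `probe_ldaps` under the same Ruby runtime Foreman uses so that the CA bundle consulted is the one the application will see.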
··· On Jul 14, 2013 3:42 AM, "Ohad Levy" wrote:

Yes… Sorry for the late reply… there are two potential issues here:

  1. used incorrect rubygem-netldap, take the right one from [1] , we’ll
    update it for 1.2.1
  2. if you update puppet as well, ssl validation is forced (as they monkey
    patched the ruby ssl lib, see [2] for more info.

Ohad

[1] http://koji.katello.org/koji/buildinfo?buildID=4641
[2] http://wiki.theforeman.org/issues/2435

On Sun, Jul 14, 2013 at 11:33 AM, treydock treydock@gmail.com wrote:

So far only obvious issue besides lack of STARTTLS in ruby-net-ldap is
that the RPM in the foreman repo for ruby193-rubygem-net-ldap is 0.2.2 and
in the github repo the spec is at 0.3.1 [1]. Hoping this is just a
missing RPM in the foreman repo and not something more serious.

My latest settings, based on net-ldap “simple_tls” information [2] is
using TLS with port 636 and this is the error now:

Started POST “/users/login” for ***** at 2013-07-14 03:11:07 -0500
Processing by UsersController#login as HTML
Parameters: {“utf8”=>“✓”, “authenticity_token”=>"*****",
“login”=>{“login”=>“treydock”, “password”=>"[FILTERED]"}, “commit”=>“Login”}
Setting current user thread-local variable to nil
User Load (3.7ms) SELECT users.* FROM users WHERE users.login
= ‘treydock’ LIMIT 1
AuthSource Load (0.1ms) SELECT auth_sources.* FROM auth_sources
WHERE auth_sources.id = 2 LIMIT 1
LDAP-Auth with User uid=app_bind,ou=Service Accounts,
Search Result: 53
Search Message: Unwilling to perform
Failed to authenticate Trey Dockendorf against LDAP LDAP authentication
source
invalid user
Setting current user thread-local variable to nil
Redirected to https:///users/login
Setting Load (0.1ms) SELECT settings.* FROM settings WHERE
settings.name = ‘idle_timeout’ ORDER BY name LIMIT 1
Completed 302 Found in 341ms (ActiveRecord: 4.0ms)

My other install of Foreman that is somewhat legacy and needs updating,
but still works with the same LDAP server. That install of foreman 1.0.1 is
using net-ldap 0.3.1 from the old foreman-development repo.

[1] -
https://github.com/theforeman/foreman-packaging/blob/master/rpms/epel-6/ruby193-rubygem-net-ldap/rubygem-net-ldap.spec
[2] - http://net-ldap.rubyforge.org/Net/LDAP.html#method-i-encryption

On Saturday, July 13, 2013 11:15:30 PM UTC-5, treydock wrote:

Retrieved 389 DS’ log entry when I use TLS in Foreman.

[13/Jul/2013:23:11:03 -0500] conn=11635996 fd=264 slot=264 connection
from to <389 IP>
[13/Jul/2013:23:11:03 -0500] conn=11635996 op=-1 fd=264 closed error 34
(Numerical result out of range) - B2

There are a few bugs on 389DS, as well, and one tracking bug for Foreman
itself. #47361 contains a patch in the pipeline for release.

https://fedorahosted.org/389/ticket/47361
http://projects.theforeman.org/issues/2611
https://bugzilla.redhat.com/show_bug.cgi?id=963234
https://bugzilla.redhat.com/show_bug.cgi?id=948094

On Sunday, July 14, 2013 4:42:50 AM UTC-4, ohad wrote:

> Yes... Sorry for the late reply... there are two potential issues here:
>
> 1. used incorrect rubygem-netldap, take the right one from [1] , we'll
>    update it for 1.2.1
> 2. if you update puppet as well, ssl validation is forced (as they monkey
>    patched the ruby ssl lib, see [2] for more info.
>
> Ohad
>
> [1] http://koji.katello.org/koji/buildinfo?buildID=4641
> [2] http://wiki.theforeman.org/issues/2435

Using the net-ldap-0.3.1 rubygem solved the problem.

A minor caveat is that port 389 + TLS still fails [1]. This is likely a
net-ldap problem since they don't yet support STARTTLS which I think is
necessary to do TLS over the unencrypted port 389. Doing port 636 + 'TLS'
in Foreman works.

Thanks!

  • Trey

[1] :

OpenSSL::SSL::SSLError
SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A
app/models/auth_source_ldap.rb:134:in `search_for_user_entries'
app/models/auth_source_ldap.rb:39:in `authenticate'
app/models/user.rb:117:in `try_to_login'
app/controllers/users_controller.rb:97:in `login'
lib/foreman/thread_session.rb:31:in `clear_thread'
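
The port 389 versus port 636 behaviour reported above, as an added example that is not part of the original post and is not code from Foreman or net-ldap: it builds the StartTLS exchange in memory and compares the first bytes each client mode sends with what each listener parses first. The port-to-listener mapping, the TLS record header sample, the constructed server replies and all helper names are assumptions made for illustration.

```ruby
# Added example, not code from the thread, Foreman or net-ldap. It builds and
# parses bytes in memory only; nothing is sent over the network.

STARTTLS_OID = "1.3.6.1.4.1.1466.20037" # LDAP StartTLS extended operation

# Encode one BER element with a short-form length (enough for these messages).
def ber(tag, body)
  body = body.b
  raise ArgumentError, "body needs a long-form length" if body.bytesize > 127
  [tag, body.bytesize].pack("CC") + body
end

# Decode one short-form BER element; returns [tag, body, rest].
def ber_read(bytes)
  tag, len = bytes.unpack("CC")
  if tag.nil? || len.nil? || len > 127 || bytes.bytesize < 2 + len
    raise ArgumentError, "truncated or long-form element"
  end
  [tag, bytes.byteslice(2, len), bytes.byteslice(2 + len, bytes.bytesize)]
end

# Client to server on an ldap:// listener:
# LDAPMessage { messageID, [APPLICATION 23] ExtendedRequest { [0] requestName } }
def starttls_request(message_id = 1)
  ber(0x30, ber(0x02, [message_id].pack("C")) + ber(0x77, ber(0x80, STARTTLS_OID)))
end

# Constructed server reply: ExtendedResponse ([APPLICATION 24]) carrying
# resultCode, matchedDN "" and diagnosticMessage "".
def starttls_response(result_code, message_id = 1)
  result = ber(0x0a, [result_code].pack("C")) + ber(0x04, "") + ber(0x04, "")
  ber(0x30, ber(0x02, [message_id].pack("C")) + ber(0x78, result))
end

# Pull resultCode out of a StartTLS ExtendedResponse (0 means success).
def starttls_result_code(response)
  tag, message, = ber_read(response.b)
  raise ArgumentError, "not an LDAPMessage" unless tag == 0x30
  _id_tag, _id, after_id = ber_read(message)
  op_tag, op, = ber_read(after_id)
  raise ArgumentError, "not an ExtendedResponse" unless op_tag == 0x78
  code_tag, code, = ber_read(op)
  raise ArgumentError, "missing resultCode" unless code_tag == 0x0a
  code.unpack("C").first
end

# Classify the first bytes a listener receives on a new connection.
def classify(bytes)
  first, second = bytes.b.unpack("CC")
  return :ldap_ber if first == 0x30                       # BER SEQUENCE
  return :tls_handshake if first == 0x16 && second == 0x03 # TLS handshake record
  :unknown
end

# Constructed sample: the 5-byte header of a TLS handshake record.
TLS_RECORD_HEADER = "\x16\x03\x01\x00\x2f".b

# First bytes each client mode writes. :simple_tls is the net-ldap encryption
# method named in the thread (TLS from the first byte); :start_tls is the
# upgrade the thread says net-ldap did not support at the time.
def client_opening(mode)
  case mode
  when :simple_tls then TLS_RECORD_HEADER
  when :start_tls then starttls_request
  else raise ArgumentError, "unknown mode #{mode}"
  end
end

# Assumption: 389 is an ldap:// listener (LDAP first, optional StartTLS) and
# 636 is an ldaps:// listener (TLS first), as described for the 389 DS server.
LISTENER_EXPECTS = { 389 => :ldap_ber, 636 => :tls_handshake }.freeze

def first_bytes_match?(port, mode)
  classify(client_opening(mode)) == LISTENER_EXPECTS.fetch(port)
end

# Decide what the client should do for a port/mode pair.
def plan(port, mode, starttls_reply = nil)
  return :protocol_mismatch unless first_bytes_match?(port, mode)
  return :tls_from_first_byte if mode == :simple_tls
  # A refused or missing StartTLS reply ends the connection; the client must
  # not fall back to binding in cleartext.
  ok = starttls_reply && starttls_result_code(starttls_reply).zero?
  ok ? :upgrade_to_tls : :abort_no_tls
end

if __FILE__ == $PROGRAM_NAME
  [389, 636].product(%i[simple_tls start_tls]).each do |port, mode|
    puts format("port %d + %-10s -> %s", port, mode, plan(port, mode, starttls_response(0)))
  end
end
```

The `:protocol_mismatch` result for port 389 with `:simple_tls` corresponds to the combination that produced the `SSL_connect` error in the post, and `:tls_from_first_byte` on 636 to the combination that worked.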

··· On Sunday, July 14, 2013 2:27:22 PM UTC-5, treydock wrote: > > Thanks for reply Ohad! I'll grab the katello RPM and see if it solves my > issue tonight or tomorrow. With 1.2, I didn't see a Gemfile.lock IIRC. > Would it be sufficient to just upgrade the rpm from Foreman repo with the > katello RPM? > > The SSL cert for my LDAP is from trusted CA and trusted by the EL6 system > cacerts, so hopefully isn't an issue. I run Puppet 3.2.2 on the Foreman > server, and will keep in mind the Puppet monkey patch if I run into > problems. > > Thanks > - Trey > On Jul 14, 2013 3:42 AM, "Ohad Levy" wrote: > >> Yes... Sorry for the late reply... there are two potential issues here: >> >> 1. used incorrect rubygem-netldap, take the right one from [1] , we'll >> update it for 1.2.1 >> 2. if you update puppet as well, ssl validation is forced (as they monkey >> patched the ruby ssl lib, see [2] for more info. >> >> Ohad >> >> [1] http://koji.katello.org/koji/buildinfo?buildID=4641 >> [2] http://wiki.theforeman.org/issues/2435 >> >> >> On Sun, Jul 14, 2013 at 11:33 AM, treydock wrote: >> >>> So far only obvious issue besides lack of STARTTLS in ruby-net-ldap is >>> that the RPM in the foreman repo for ruby193-rubygem-net-ldap is 0.2.2 and >>> in the github repo the spec is at 0.3.1 [1]. Hoping this is just a >>> missing RPM in the foreman repo and not something more serious. 
>>> >>> My latest settings, based on net-ldap "simple_tls" information [2] is >>> using TLS with port 636 and this is the error now: >>> >>> Started POST "/users/login" for ***** at 2013-07-14 03:11:07 -0500 >>> Processing by UsersController#login as HTML >>> Parameters: {"utf8"=>"✓", "authenticity_token"=>"*****", >>> "login"=>{"login"=>"treydock", "password"=>"[FILTERED]"}, "commit"=>"Login"} >>> Setting current user thread-local variable to nil >>> User Load (3.7ms) SELECT `users`.* FROM `users` WHERE `users`.`login` >>> = 'treydock' LIMIT 1 >>> AuthSource Load (0.1ms) SELECT `auth_sources`.* FROM `auth_sources` >>> WHERE `auth_sources`.`id` = 2 LIMIT 1 >>> LDAP-Auth with User uid=app_bind,ou=Service Accounts, >>> Search Result: 53 >>> Search Message: Unwilling to perform >>> Failed to authenticate Trey Dockendorf against LDAP LDAP authentication >>> source >>> invalid user >>> Setting current user thread-local variable to nil >>> Redirected to https:///users/login >>> Setting Load (0.1ms) SELECT `settings`.* FROM `settings` WHERE >>> `settings`.`name` = 'idle_timeout' ORDER BY name LIMIT 1 >>> Completed 302 Found in 341ms (ActiveRecord: 4.0ms) >>> >>> My other install of Foreman that is somewhat legacy and needs updating, >>> but still works with the same LDAP server. That install of foreman 1.0.1 is >>> using net-ldap 0.3.1 from the old foreman-development repo. >>> >>> [1] - >>> https://github.com/theforeman/foreman-packaging/blob/master/rpms/epel-6/ruby193-rubygem-net-ldap/rubygem-net-ldap.spec >>> [2] - http://net-ldap.rubyforge.org/Net/LDAP.html#method-i-encryption >>> >>> >>> >>> >>> On Saturday, July 13, 2013 11:15:30 PM UTC-5, treydock wrote: >>>> >>>> Retrieved 389 DS' log entry when I use TLS in Foreman. 
>>>>
>>>> [13/Jul/2013:23:11:03 -0500] conn=11635996 fd=264 slot=264 connection
>>>> from to <389 IP>
>>>> [13/Jul/2013:23:11:03 -0500] conn=11635996 op=-1 fd=264 closed error 34
>>>> (Numerical result out of range) - B2
>>>>
>>>> On Saturday, July 13, 2013 11:08:27 PM UTC-5, treydock wrote:
>>>>>
>>>>> When running Foreman 1.1 I had LDAP authentication working with my 389
>>>>> DS server. My 389 DS is configured to only allow SSL on port 636 or TLS on
>>>>> 389. The LDAP server uses an InCommon trusted certificate issued by my
>>>>> university.
>>>>>
>>>>> VM is CentOS 6.4, fully updated before the Foreman upgrade.
>>>>>
>>>>> After upgrading to 1.2 without issue, I am unable to authenticate
>>>>> using my LDAP account. I can still authenticate with the local admin
>>>>> account.
>>>>>
>>>>> The LDAP settings that generate an error:
>>>>>
>>>>> Name = LDAP
>>>>> Host =
>>>>> Port = 389
>>>>> TLS = yes
>>>>> Onthefly register = yes
>>>>> Account =
>>>>> Password =
>>>>> Base DN = ou=People,
>>>>> attr login = uid
>>>>> attr firstname = givenName
>>>>> attr lastname = sn
>>>>> mail = mail
>>>>>
>>>>> The error...
>>>>>
>>>>> Started POST "/users/login" for ***** at 2013-07-13 20:44:48 -0500
>>>>> Processing by UsersController#login as HTML
>>>>> Parameters: {"utf8"=>"✓", "authenticity_token"=>"*****",
>>>>> "login"=>{"login"=>"treydock", "password"=>"[FILTERED]"}, "commit"=>"Login"}
>>>>> Setting current user thread-local variable to nil
>>>>> User Load (0.3ms) SELECT `users`.* FROM `users` WHERE
>>>>> `users`.`login` = 'treydock' LIMIT 1
>>>>> AuthSource Load (0.2ms) SELECT `auth_sources`.* FROM `auth_sources`
>>>>> WHERE `auth_sources`.`id` = 2 LIMIT 1
>>>>> LDAP-Auth with User uid=*****
>>>>> Operation FAILED: SSL_connect SYSCALL returned=5 errno=0
>>>>> state=SSLv2/v3 read server hello A
>>>>> /opt/rh/ruby193/root/usr/share/gems/gems/net-ldap-0.2.2/lib/net/ldap.rb:1126:in `connect'
>>>>> /opt/rh/ruby193/root/usr/share/gems/gems/net-ldap-0.2.2/lib/net/ldap.rb:1126:in `wrap_with_ssl'
>>>>> /opt/rh/ruby193/root/usr/share/gems/gems/net-ldap-0.2.2/lib/net/ldap.rb:1163:in `setup_encryption'
>>>>> /opt/rh/ruby193/root/usr/share/gems/gems/net-ldap-0.2.2/lib/net/ldap.rb:1110:in `initialize'
>>>>> /opt/rh/ruby193/root/usr/share/gems/gems/net-ldap-0.2.2/lib/net/ldap.rb:632:in `new'
>>>>> /opt/rh/ruby193/root/usr/share/gems/gems/net-ldap-0.2.2/lib/net/ldap.rb:632:in `search'
>>>>> /opt/rh/ruby193/root/usr/share/gems/gems/net-ldap-0.2.2/lib/net/ldap.rb:1038:in `search_root_dse'
>>>>> /opt/rh/ruby193/root/usr/share/gems/gems/net-ldap-0.2.2/lib/net/ldap.rb:1089:in `paged_searches_supported?'