Foreman and LDAP-AD

tybreizh29 · May 24, 2018, 12:05pm

Hello
I try to authenticate with LDAP and AD.
I made numerous tries, but it’s a complete failure.
I put Wireshark to see what happens, the trick is that when I press the Test button on the LDAP server TAB, it says it’s working.
After LDAP is configured, I enter a login/pwd on the login page, I get a failure, but there is no network traffic
Below is my last try
I found nothing relevant in the foreman logs (setup to debug).
Any hint to help me.
thanks
marc

y-me-y · May 24, 2018, 1:52pm

Are you on foreman 1.16 or greater - I think this integration didn’t work before that? you need to specify a bind account I believe for authentication to work, I use a service account with read rights to the domain to authenticate my users.

tybreizh29 · May 24, 2018, 2:40pm

I’m using v1.17.
I made a try with a bind account, but as there is no network communication, I guess the issue is more likely a config issue somewhere, looks like LDAP is not used even if i put some parameters.

lzap · May 24, 2018, 3:40pm

I will soot in the dark but – SELinux? Firewall?

y-me-y · May 24, 2018, 4:59pm

So, it looks like you are using fr$login under the account section (atleast in the screenshots you provided) but that functionality was deprecated because it’s results are inconsistent.

This may use the variable $login which will be replaced by the login of the authenticating user, however this is deprecated and will result in reduced functionality (as it only works at authentication time).

tybreizh29 · May 25, 2018, 6:26am

Hi
$login was my last try, but a real domain/username or left empty it’s the same; not working.
selinux & firewall are off

lzap · May 25, 2018, 6:29am

If you click Test button and you are sure that there is no connection attempt from the Foreman server (not Smart Proxy), then inspect the logs. There must be an error.

tybreizh29 · May 25, 2018, 6:41am

When i click the test button i’m 100% sure there is a connection to the AD server (wireshark is there)
I got the success message.
When I try to login i’m 100% sure there is NO network communication (wireshark again)

dLobatog · May 25, 2018, 9:20am

Could you enable debug logging and share with us the logs in /var/log/foreman/production.log when you try to log in with your LDAP user? You can find some info on how to setup debugging mode in Foreman :: Manual

I would try with admin credentials before using $login, just to make sure it’s trying to do the connection.

In case you haven’t seen it, the manual contains some info at Foreman :: Manual

tybreizh29 · May 25, 2018, 10:03am

The test process gives :

2018-05-25 11:57:02 22388145 [app] [I] Started GET “/auth_source_ldaps/3-FR/edit” for 10.22.42.88 at 2018-05-25 11:57:02 +0200
2018-05-25 11:57:02 22388145 [app] [I] Processing by AuthSourceLdapsController#edit as /
2018-05-25 11:57:02 22388145 [app] [I] Parameters: {“id”=>“3-FR”}
2018-05-25 11:57:02 22388145 [app] [I] Current user: admin (administrator)
2018-05-25 11:57:02 22388145 [app] [D] Setting current user thread-local variable to admin
2018-05-25 11:57:02 22388145 [app] [I] Rendering auth_source_ldaps/edit.html.erb
2018-05-25 11:57:02 22388145 [app] [I] Rendered taxonomies/_loc_org_tabs.html.erb (2.7ms)
2018-05-25 11:57:02 22388145 [app] [I] Rendered auth_source_ldaps/_form.html.erb (50.0ms)
2018-05-25 11:57:02 22388145 [app] [I] Rendered auth_source_ldaps/edit.html.erb (61.2ms)
2018-05-25 11:57:02 22388145 [app] [I] Completed 200 OK in 92ms (Views: 62.5ms | ActiveRecord: 3.0ms)
2018-05-25 11:57:03 5fe162a1 [app] [I] Started PUT “/auth_source_ldaps/test_connection” for 10.22.42.88 at 2018-05-25 11:57:03 +0200
2018-05-25 11:57:03 5fe162a1 [app] [I] Processing by AuthSourceLdapsController#test_connection as /
2018-05-25 11:57:03 5fe162a1 [app] [I] Parameters: {“utf8”=>“✓”, “authenticity_token”=>“l+eBaNxxxxxQ==”, “auth_source_ldap”=>{“name”=>“FR”, “host”=>“10.xxxxx1”, “tls”=>“0”, “port”=>“389”, “server_type”=>“active_directory”, “account”=>“fr\svc_ldapsearch_fr”, “base_dn”=>“dc=fr,dc=xxxx,dc=priv”, “groups_base”=>"", “use_netgroups”=>“0”, “ldap_filter”=>"", “onthefly_register”=>“0”, “usergroup_sync”=>“0”, “attr_login”=>“sAMAccountName”, “attr_firstname”=>“givenName”, “attr_lastname”=>“sn”, “attr_mail”=>“mail”, “attr_photo”=>""}, “fakepassword”=>"[FILTERED]", “_ie_support”=>"", “per_page”=>“20”}
2018-05-25 11:57:03 5fe162a1 [app] [I] Current user: admin (administrator)
2018-05-25 11:57:03 5fe162a1 [app] [D] Setting current user thread-local variable to admin
2018-05-25 11:57:03 5fe162a1 [app] [D] Unpermitted parameters: :utf8, :_method, :authenticity_token, :fakepassword, :_ie_support, :per_page, :locale
2018-05-25 11:57:03 5fe162a1 [ldap] [D] test (50.7ms) [ ]
2018-05-25 11:57:03 5fe162a1 [app] [I] Completed 200 OK in 70ms (Views: 0.5ms | ActiveRecord: 1.7ms)

the login at the we page gives:

2018-05-25 11:57:20 36aed7fd [app] [I] Started GET “/notification_recipients” for 10.22.42.88 at 2018-05-25 11:57:20 +0200
2018-05-25 11:57:20 36aed7fd [app] [I] Processing by NotificationRecipientsController#index as JSON
2018-05-25 11:57:20 36aed7fd [app] [I] Current user: admin (administrator)
2018-05-25 11:57:20 36aed7fd [app] [D] Setting current user thread-local variable to admin
2018-05-25 11:57:20 36aed7fd [notifications] [D] Cache Hit: notification, reading cache for notification-4
2018-05-25 11:57:20 36aed7fd [app] [D] Body: {“notifications”:[]}
2018-05-25 11:57:20 36aed7fd [app] [I] Completed 200 OK in 8ms (Views: 0.4ms | ActiveRecord: 0.8ms)
2018-05-25 11:57:23 315634d5 [app] [I] Started POST “/users/login” for 1xxx8 at 2018-05-25 11:57:23 +0200
2018-05-25 11:57:23 315634d5 [app] [I] Processing by UsersController#login as HTML
2018-05-25 11:57:23 315634d5 [app] [I] Parameters: {“utf8”=>“✓”, “authenticity_token”=>“PisVxxxw==”, “login”=>{“login”=>“fr\xxx”, “password”=>"[FILTERED]"}, “commit”=>“Connexion”}
2018-05-25 11:57:23 315634d5 [app] [D] Setting current user thread-local variable to nil
2018-05-25 11:57:24 315634d5 [app] [D] Setting current user thread-local variable to nil
2018-05-25 11:57:24 315634d5 [app] [I] Redirected to https://scvmpr15.fr.xxxx.priv/users/login
2018-05-25 11:57:24 315634d5 [app] [I] Completed 302 Found in 23ms (ActiveRecord: 5.2ms)
2018-05-25 11:57:24 28e1ca5e [app] [I] Started GET “/users/login” for 10.xxx8 at 2018-05-25 11:57:24 +0200
2018-05-25 11:57:24 28e1ca5e [app] [I] Processing by UsersController#login as HTML
2018-05-25 11:57:24 28e1ca5e [app] [D] Setting current user thread-local variable to nil
2018-05-25 11:57:24 28e1ca5e [app] [I] Rendering users/login.html.erb within layouts/login
2018-05-25 11:57:24 28e1ca5e [app] [I] Rendered users/_welcome_box.html.erb (4.8ms)
2018-05-25 11:57:24 28e1ca5e [app] [I] Rendered users/login.html.erb within layouts/login (7.8ms)
2018-05-25 11:57:24 28e1ca5e [app] [I] Rendering layouts/base.html.erb
2018-05-25 11:57:24 28e1ca5e [app] [I] Rendered layouts/base.html.erb (3.3ms)
2018-05-25 11:57:24 28e1ca5e [app] [I] Completed 200 OK in 18ms (Views: 12.8ms | ActiveRecord: 0.7ms)
2018-05-25 11:57:30 d6437472 [app] [I] Started GET “/notification_recipients” for 10.xxx8 at 2018-05-25 11:57:30 +0200
201

lzap · May 25, 2018, 7:52pm

To see relevant logs, please enable logger called ldap. Enabling all of them except sql will not hurt.

tybreizh29 · May 28, 2018, 6:20am

I think it’s enabled in /etc/foreman/settings.yaml

Individual logging types can be toggled on/off here
:loggers:
:ldap:
:enabled: true

lzap · May 28, 2018, 7:19am

I missed it, I can see that ldap library is being called properly.

On the screenshot I do see “Hostname: 10” is this intentional? This is supposed to be a hostname, it must start with non-number.

tybreizh29 · May 28, 2018, 7:32am

the 10… is my LDAP IP (as i was using Wireshark, i just put one of our LDAP server IP to help filtering)
I just make a try with the FQHN of the LDAP server, and it’s the same:
Testing button is working, on login page it’s not working

tybreizh29 · May 29, 2018, 8:16am

For me LDAP is not even called at login, that’s why there is no network communication nor log.
Where should i look in the code to find out what happens ?
I’m looking a the code but starting from 0 and not knowing Ruby don’t help me a lot.
I found the function self.try_to_login in ./app/models/user.rb but there is no connection to ldap there, as it’s checking Foreman user’s DB.

lzap · May 29, 2018, 2:44pm

I think our LDAP integration creates local DB accounts, but still does a LDAP connection on each login to check password, @Marek_Hulan correct me if I am wrong.

@tybreizh29 one important thing to check is that every user has Auth Source flag and this can be set to either INTERNAL or LDAP source. Make sure it’s not set to INTERNAL, otherwise the LDAP you configured won’t be used at all.

https://theforeman.org/manuals/1.17/index.html#4.1.1LDAPAuthentication

tybreizh29 · May 30, 2018, 7:23am

Thanks a lot Izap.
The trick is that i did not figure out that I had to declare my LDAP users in Foreman users config.
On all the software I have with LDAP auth, all do only use the LDAP to manage users (i can use LDAP groups to filter accesses, emails retrieved from LDAP…).
Once I had the logs working I found all the remaining not working stuff.
have a nice day

tybreizh29 · May 30, 2018, 10:11am

A trick is the French translation for the field “Onthefly Register” is not precise enough.
I understood that the LDAP users would be created, but on LDAP server side (I understood that I would have to put LDAP admin right to he user in the Account field)
In real LDAP users are created in Foreman DB.
The French would be:
Les utilisateurs LDAP seront automatiquement crées dans la base des utilisateurs Foreman, lors de leur première connexion.
not
Les utilisateurs LDAP seront automatiquement crées lors de leur première connexion sur Foreman

lzap · May 30, 2018, 2:48pm

Thanks for report, would you mind spending few minutes fixing this in our translation site?

tybreizh29 · May 31, 2018, 7:20am

I did some