LDAP account password is not working while configuring LDAP in Foreman via API

Hello,

I have configured LDAP from the Foreman GUI and LDAP authentication is
working fine. I tried to automate the same by using a Python script which
calls the Foreman API, and the LDAP configuration is added successfully by the
script. But LDAP authentication is not working unless I log in to the Foreman
GUI and update the LDAP account password.

I am using the same LDAP account password in the script but it is working
only when I am updating it from the GUI (Administer -> LDAP authentication).

Foreman version: 1.11
Backend DB: MySQL

Could you please help?

Best Regards,
Unnikrishnan K

This was also filed at Bug #18135 (LDAP account password is not working
while configuring LDAP in Foreman via API), but without the information I
requested it's difficult to say what's wrong.
Please include the exact details and logs from your API call.

On 19/01/17 10:41, Unnikrishnan K wrote:
> Hello,
>
> I have configured the LDAP from Foreman GUI and LDAP authentication is
> working fine. I tried to automate the same by using python script which
> is calling Foreman API and LDAP configuration is added successfully by
> the script. But LDAP authentication is not working unless I login to
> Foreman GUI and update the LDAP account password.
>
> I am using the same LDAP account password in the script but it is
> working only when I am updating it from GUI (Administer -> LDAP
> authentication)


Dominic Cleal
dominic@cleal.org

Hello Dominic,

Thanks for the reply.

I have enabled the debug mode and captured the logs for API call.
Please find the attached logs file with this mail.

After the API call for LDAP configuration, I tried to log in to Foreman with
an LDAP user and I am getting the below error:

2017-01-24T11:09:52 [ldap] [D] op bind (6105.6ms) [ result=failure ]
2017-01-24T11:09:52 [ldap] [D] valid_user? (6106.3ms) [ user=b09871 ]
2017-01-24T11:09:52 [app] [W] Error during authentication against 'LDAP-LDAP-Server'
> LdapFluff::Generic::UnauthenticatedException: Could not bind to ActiveDirectory user b09876@itsupport.example.com
> /usr/share/foreman/vendor/ruby/2.0.0/gems/ldap_fluff-0.4.1/lib/ldap_fluff/generic.rb:59:in `service_bind'

Then I log in to the Foreman GUI and update the same account password from the
GUI and it is working fine.

2017-01-24T11:14:54 [ldap] [D] op bind (5217.0ms) [ result=success ]
2017-01-24T11:14:54 [ldap] [D] authenticate (15610.1ms) [ user=b09871 ]

Please help

Best Regards,
Unnikrishnan K

production.log (7.61 KB)

You received this message because you are subscribed to the Google Groups
“Foreman users” group.
To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.
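
A way to read the two log excerpts in the message above, added here as an example and not part of the original thread or of Foreman's code: it pairs each `op bind` line with the login user and with the account named in the exception. The sample lines are constructed from the excerpts, and it is an assumption that the exception raised in `service_bind` names the configured LDAP account rather than the person logging in.

```python
import re

# Constructed sample, modelled on the production.log excerpts quoted in the thread.
SAMPLE_LOG = """\
2017-01-24T11:09:52 [ldap] [D] op bind (6105.6ms) [ result=failure ]
2017-01-24T11:09:52 [ldap] [D] valid_user? (6106.3ms) [ user=b09871 ]
2017-01-24T11:09:52 [app] [W] Error during authentication against 'LDAP-LDAP-Server'
 > LdapFluff::Generic::UnauthenticatedException: Could not bind to ActiveDirectory user b09876@itsupport.example.com
 > /usr/share/foreman/vendor/ruby/2.0.0/gems/ldap_fluff-0.4.1/lib/ldap_fluff/generic.rb:59:in `service_bind'
2017-01-24T11:14:54 [ldap] [D] op bind (5217.0ms) [ result=success ]
2017-01-24T11:14:54 [ldap] [D] authenticate (15610.1ms) [ user=b09871 ]
"""

BIND = re.compile(r"^(\S+) \[ldap\] \[D\] op bind \(([\d.]+)ms\) \[ result=(\w+) \]")
LOGIN = re.compile(r"\[ldap\] \[D\] (?:valid_user\?|authenticate) \([\d.]+ms\) \[ user=(\S+) \]")
SVC = re.compile(r"UnauthenticatedException: Could not bind to \w+ user (\S+)")

def triage(text):
    """Return one dict per LDAP bind attempt found in Foreman debug log text."""
    events = []
    for line in text.splitlines():
        m = BIND.search(line)
        if m:
            events.append({"time": m.group(1), "ms": float(m.group(2)),
                           "result": m.group(3), "login": None,
                           "service_account": None})
            continue
        if not events:
            continue  # context lines before the first bind are ignored
        cur = events[-1]
        if (m := LOGIN.search(line)) and cur["login"] is None:
            cur["login"] = m.group(1)
        elif m := SVC.search(line):
            # Assumption: the service_bind exception names the configured
            # bind account, not the person logging in.
            cur["service_account"] = m.group(1)
    return events

def verdict(event):
    if event["result"] == "success":
        return "bind ok"
    if event["service_account"]:
        return "service bind failed: check stored account/account_password"
    return "bind failed: cause not shown in log"

if __name__ == "__main__":
    for ev in triage(SAMPLE_LOG):
        print(ev["time"], ev["login"], ev["service_account"], verdict(ev))
```

On the sample, the failing attempt carries the bind account b09876@itsupport.example.com while the login user is b09871, so under the stated assumption the failure concerns the stored account credentials, not the user's own password.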

On 24/01/17 16:32, Unnikrishnan K wrote:
> Hello Dominic,
>
> Thanks for the reply.
>
> I have enabled the debug mode and captured the logs for API call.
> Please find the attached logs file with this mail.

Thanks, though unfortunately I don't see anything that might explain the
issue. The account_password does appear to be persisted correctly.

You could perhaps double check by using the Rails console: execute
foreman-rake console and enter:

AuthSourceLdap.find_by_name("LDAP-Server").account_password

This will return the decrypted account password, which should match your
input.

> After the API call for LDAP configuration, I tried to login to foreman
> with LDAP user and I am getting below error
>
> 2017-01-24T11:09:52 [ldap] [D] op bind (6105.6ms) [ result=failure ]
> 2017-01-24T11:09:52 [ldap] [D] valid_user? (6106.3ms) [ user=b09871 ]
> 2017-01-24T11:09:52 [app] [W] Error during authentication against 'LDAP-LDAP-Server'
> > LdapFluff::Generic::UnauthenticatedException: Could not bind to ActiveDirectory user b09876@itsupport.example.com
> > /usr/share/foreman/vendor/ruby/2.0.0/gems/ldap_fluff-0.4.1/lib/ldap_fluff/generic.rb:59:in `service_bind'
>
> Then I login to Foreman GUI and update the same account password from
> GUI and it is working fine.

Could you capture the SQL log while updating the account? Perhaps the
"UPDATE" SQL query will help show which fields have changed.


Dominic Cleal
dominic@cleal.org

Hello Dominic,

Thanks for the information.

As you mentioned, I have executed foreman rake console and entered
AuthSourceLdap.find_by_name("LDAP-Server").account_password. But it seems
decryption has failed, which might be due to the encryption key issue.

irb(main):001:0> AuthSourceLdap.find_by_name("LDAP-Server").account_password
WARNING: Decryption failed for string. Please check that the ENCRYPTION_KEY
has not changed.

Then I login to foreman GUI and update the same account password and
decryption is working fine.

irb(main):001:0> AuthSourceLdap.find_by_name("LDAP-Server").account_password
Successfully decrypted field for AuthSourceLdap LDAP-Server

Could you please let me know how to troubleshoot it further?

Thanks,

Best Regards,
Unnikrishnan K
