LDAP auth in Foreman multi-node deployment

Support
1

Hello again!

While deploying a multi-node Foreman 1.11.1 "cluster" (for HA), I ran into
interesting issue with LDAP accounts. It appears that only a node where one
changes/updates "Account password" in LDAP server configuration tab is able
to talk to LDAP and authenticate. On all other nodes I get this error for
the same user:

Oops, we're sorry but something went wrong Could not bind to Posix user
uid=proxyagent,ou=Special_Users,dc=domain,dc=com

A full trace taken is here -

Is something written locally to Foreman node (instead of a DB, which is
shared between nodes in my case) when user updates LDAP account password in
UI? If so, how do I solve this problem?

Thanks!

2

Hello Konstantin,

did you make sure, that /usr/share/foreman/config/initializers/encryption_key.rb is identical on both machines?
This file is used to encrypt/decrypt database values and might explain your current observation.

Regards,
Stefan

··· ----- Original Message ----- > From: "'Konstantin Orekhov' via Foreman users" > To: "Foreman users" > Sent: Wednesday, May 18, 2016 9:56:25 PM > Subject: [foreman-users] LDAP auth in Foreman multi-node deployment

Hello again!

While deploying a multi-node Foreman 1.11.1 “cluster” (for HA), I ran into
interesting issue with LDAP accounts. It appears that only a node where one
changes/updates “Account password” in LDAP server configuration tab is able
to talk to LDAP and authenticate. On all other nodes I get this error for
the same user:

Oops, we’re sorry but something went wrong Could not bind to Posix user
uid=proxyagent,ou=Special_Users,dc=domain,dc=com

A full trace taken is here -
LDAP auth issue · GitHub

Is something written locally to Foreman node (instead of a DB, which is
shared between nodes in my case) when user updates LDAP account password in
UI? If so, how do I solve this problem?

Thanks!


You received this message because you are subscribed to the Google Groups
“Foreman users” group.
To unsubscribe from this group and stop receiving emails from it, send an email
to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

3

That was exactly it - thanks for pointing that out, Stefan!Updating the key on non-working nodes to a key from working node solved the problem.
However, now I'm wondering if there's a way to force foreman-installer to use the same key for specified nodes somehow. That will help new deployments to be automated.Otherwise, I'll have to come up with something else to keep the key the same for all nodes in a cluster…

Thanks! Konstantin Orekhov

··· From: "Dietrich, Stefan" To: foreman-users@googlegroups.com Sent: Wednesday, May 18, 2016 1:24 PM Subject: Re: [foreman-users] LDAP auth in Foreman multi-node deployment

Hello Konstantin,

did you make sure, that /usr/share/foreman/config/initializers/encryption_key.rb is identical on both machines?
This file is used to encrypt/decrypt database values and might explain your current observation.

Regards,
Stefan

----- Original Message -----

From: “‘Konstantin Orekhov’ via Foreman users” foreman-users@googlegroups.com
To: “Foreman users” foreman-users@googlegroups.com
Sent: Wednesday, May 18, 2016 9:56:25 PM
Subject: [foreman-users] LDAP auth in Foreman multi-node deployment

Hello again!

While deploying a multi-node Foreman 1.11.1 “cluster” (for HA), I ran into
interesting issue with LDAP accounts. It appears that only a node where one
changes/updates “Account password” in LDAP server configuration tab is able
to talk to LDAP and authenticate. On all other nodes I get this error for
the same user:

Oops, we’re sorry but something went wrong Could not bind to Posix user
uid=proxyagent,ou=Special_Users,dc=domain,dc=com

A full trace taken is here -
LDAP auth issue · GitHub

Is something written locally to Foreman node (instead of a DB, which is
shared between nodes in my case) when user updates LDAP account password in
UI? If so, how do I solve this problem?

Thanks!


You received this message because you are subscribed to the Google Groups
“Foreman users” group.
To unsubscribe from this group and stop receiving emails from it, send an email
to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.


You received this message because you are subscribed to a topic in the Google Groups “Foreman users” group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/foreman-users/DMAAstD88Io/unsubscribe.
To unsubscribe from this group and all its topics, send an email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

4

The installer doesn't manage this file at all now, it's generated by
packages at installation time.

··· On 18/05/16 21:51, 'Konstantin Orekhov' via Foreman users wrote: > That was exactly it - thanks for pointing that out, Stefan! > Updating the key on non-working nodes to a key from working node solved > the problem. > > However, now I'm wondering if there's a way to force foreman-installer > to use the same key for specified nodes somehow. That will help new > deployments to be automated.


Dominic Cleal
dominic@cleal.org