While deploying a multi-node Foreman 1.11.1 "cluster" (for HA), I ran into an
interesting issue with LDAP accounts. It appears that only a node where one
changes/updates "Account password" in LDAP server configuration tab is able
to talk to LDAP and authenticate. On all other nodes I get this error for
the same user:
Oops, we're sorry but something went wrong Could not bind to Posix user
uid=proxyagent,ou=Special_Users,dc=domain,dc=com
A full trace taken is here -
Is something written locally to Foreman node (instead of a DB, which is
shared between nodes in my case) when user updates LDAP account password in
UI? If so, how do I solve this problem?
did you make sure that /usr/share/foreman/config/initializers/encryption_key.rb is identical on both machines?
This file is used to encrypt/decrypt database values and might explain your current observation.
Regards,
Stefan
···
----- Original Message -----
> From: "'Konstantin Orekhov' via Foreman users"
> To: "Foreman users"
> Sent: Wednesday, May 18, 2016 9:56:25 PM
> Subject: [foreman-users] LDAP auth in Foreman multi-node deployment
> Hello again!
> While deploying a multi-node Foreman 1.11.1 “cluster” (for HA), I ran into an
> interesting issue with LDAP accounts. It appears that only a node where one
> changes/updates “Account password” in LDAP server configuration tab is able
> to talk to LDAP and authenticate. On all other nodes I get this error for
> the same user:
> Oops, we’re sorry but something went wrong Could not bind to Posix user
> uid=proxyagent,ou=Special_Users,dc=domain,dc=com
> Is something written locally to Foreman node (instead of a DB, which is
> shared between nodes in my case) when user updates LDAP account password in
> UI? If so, how do I solve this problem?
That was exactly it - thanks for pointing that out, Stefan!
Updating the key on non-working nodes to a key from working node solved the problem.
However, now I'm wondering if there's a way to force foreman-installer to use the same key for specified nodes somehow. That will help new deployments to be automated.
Otherwise, I'll have to come up with something else to keep the key the same for all nodes in a cluster…
Thanks! Konstantin Orekhov
···
From: "Dietrich, Stefan"
To: foreman-users@googlegroups.com
Sent: Wednesday, May 18, 2016 1:24 PM
Subject: Re: [foreman-users] LDAP auth in Foreman multi-node deployment
Hello Konstantin,
did you make sure that /usr/share/foreman/config/initializers/encryption_key.rb is identical on both machines?
This file is used to encrypt/decrypt database values and might explain your current observation.
While deploying a multi-node Foreman 1.11.1 “cluster” (for HA), I ran into an
interesting issue with LDAP accounts. It appears that only a node where one
changes/updates “Account password” in LDAP server configuration tab is able
to talk to LDAP and authenticate. On all other nodes I get this error for
the same user:
Oops, we’re sorry but something went wrong Could not bind to Posix user
uid=proxyagent,ou=Special_Users,dc=domain,dc=com
Is something written locally to Foreman node (instead of a DB, which is
shared between nodes in my case) when user updates LDAP account password in
UI? If so, how do I solve this problem?
The installer doesn't manage this file at all now, it's generated by
packages at installation time.
···
On 18/05/16 21:51, 'Konstantin Orekhov' via Foreman users wrote:
> That was exactly it - thanks for pointing that out, Stefan!
> Updating the key on non-working nodes to a key from working node solved
> the problem.
>
> However, now I'm wondering if there's a way to force foreman-installer
> to use the same key for specified nodes somehow. That will help new
> deployments to be automated.
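Since the installer does not manage encryption_key.rb and the thread's fix was to copy the key from a working node by hand, the practical gap is detecting key drift before LDAP binds start failing on some nodes. The following POSIX shell helper is an added example, not code from the thread or from the Foreman project: it collects a SHA-256 digest of /usr/share/foreman/config/initializers/encryption_key.rb from each node over ssh and reports any node whose digest differs from the majority. The hostnames, passwordless ssh access and the `sha256sum` utility on every node are assumptions; the sample digests in the demo at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not Foreman project code): check that every Foreman node in
# an HA deployment carries the same encryption_key.rb. A node with a different
# key cannot decrypt the LDAP account password stored in the shared database,
# which shows up as "Could not bind to Posix user ..." only on that node.

KEY_FILE=/usr/share/foreman/config/initializers/encryption_key.rb

# collect_key_digests HOST... : print one "host sha256" line per node.
# Assumes ssh access to each host; an unreachable host yields an empty digest,
# which check_key_digests then reports as a mismatch rather than silently passing.
collect_key_digests() {
    for host in "$@"; do
        digest=$(ssh "$host" sha256sum "$KEY_FILE" 2>/dev/null | cut -d' ' -f1)
        printf '%s %s\n' "$host" "$digest"
    done
}

# check_key_digests : read "host sha256" lines on stdin, report nodes whose
# digest differs from the most common one, exit 0 only when all nodes agree.
check_key_digests() {
    awk '
        { digest[$1] = $2; seen[$2]++; n++ }
        END {
            if (n == 0) { print "no nodes supplied"; exit 2 }
            # reference digest = the one held by the largest number of nodes
            for (d in seen) if (seen[d] > best) { best = seen[d]; ref = d }
            bad = 0
            for (h in digest)
                if (digest[h] != ref) { printf "MISMATCH %s %s\n", h, digest[h]; bad++ }
            if (bad == 0) print "OK: all " n " nodes share encryption key " substr(ref, 1, 12) "..."
            exit (bad > 0)
        }'
}

# Real usage (hostnames are placeholders):
#   collect_key_digests foreman1.example.com foreman2.example.com | check_key_digests
#
# Demo on constructed digests: foreman3 drifted from the other two nodes.
printf '%s\n' \
    'foreman1.example.com 1111111111111111111111111111111111111111111111111111111111111111' \
    'foreman2.example.com 1111111111111111111111111111111111111111111111111111111111111111' \
    'foreman3.example.com 2222222222222222222222222222222222222222222222222222222222222222' \
    | check_key_digests || echo "key drift detected: fix encryption_key.rb before relying on LDAP auth on every node"
```

Running the check from a cron job or as a post-install step on each new node gives an early warning that the key was generated fresh by the package instead of being copied from the cluster, which is the situation the thread describes.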