LDAP authentication broken on Foreman 1.9

Hi,

So, a while ago I posted an issue with LDAP authentication breaking when I
upgraded a Katello 2.1 installation to Katello 2.2/Foreman 1.8
installation. This wasn't solved, so I continued on with Katello 2.1.

Katello 2.3/Foreman 1.9 was just released, so I tried the upgrade again,
same result, broken LDAP auth.

So, instead of adding the complexity of Katello, I've just attempted a
fresh Foreman 1.9 installation on a CentOS 6.7 VM, and get the same issue.

If I configure LDAP auth against my company's Windows Server 2003 Active
Directory, whenever an LDAP user attempts to login, the Passenger process
goes mad, creating literally 100s and 1000s of connections to the LDAP
server, all of which it appears to close badly, as they sit in the
TIME_WAIT state.

So, given I have a more simple reproduction of the issue, what extra
information could I provide from debug/logs, in order to solve the issue,
with the list's help…

Cheers,

John
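As an added check that is not part of this thread: a small POSIX shell script that tallies the connections to the LDAP server's port by TCP state from `ss -tan` output, which is the quickest way to confirm the TIME_WAIT flood described above (and, after applying a workaround, to verify it is gone). The port, the sample `ss` lines and the function names are constructed for this example; `ss` output format is assumed to be the iproute one found on CentOS 6/7.

```shell
#!/bin/sh
# Added example, not code from the thread or from Foreman.
# Counts TCP connections to an LDAP server port, grouped by state,
# from `ss -tan` style output (header line, then
# "State Recv-Q Send-Q Local:Port Peer:Port" columns).

LDAP_PORT="${LDAP_PORT:-389}"   # assumption: plain LDAP; use 636 for LDAPS

# count_states: read ss-style lines on stdin, print "<state> <count>"
# for every connection whose peer port is $1. Header line is skipped.
count_states() {
    port="$1"
    awk -v port="$port" '
        NR > 1 && $5 ~ (":" port "$") { n[$1]++ }
        END { for (s in n) printf "%s %d\n", s, n[s] }
    ' | sort
}

# time_wait_count: just the TIME-WAIT figure (prints 0 if none).
time_wait_count() {
    count_states "$1" | awk 'BEGIN { c = 0 } $1 == "TIME-WAIT" { c = $2 } END { print c }'
}

# live_check: run against the real socket table on this host.
live_check() {
    ss -tan | count_states "$LDAP_PORT"
}

# Constructed sample, standing in for `ss -tan` on a Foreman host
# with three sockets to the LDAP server (two in TIME-WAIT) and one
# unrelated HTTPS socket.
SAMPLE='State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
TIME-WAIT  0      0      10.0.0.5:41002      10.0.0.10:389
TIME-WAIT  0      0      10.0.0.5:41003      10.0.0.10:389
ESTAB      0      0      10.0.0.5:41004      10.0.0.10:389
TIME-WAIT  0      0      10.0.0.5:50001      10.0.0.20:443'

# Usage: pipe ss output into the functions, e.g.
#   printf '%s\n' "$SAMPLE" | count_states 389     # prints "ESTAB 1" and "TIME-WAIT 2"
#   live_check                                      # on a real host
```

Run `live_check` before an LDAP login, then again a few seconds after; a jump of hundreds in the TIME-WAIT line for the LDAP port, with little change for other peers, matches the symptom above and is useful to attach to a bug report.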

This sounds like Bug #10340 (AD auth hangs while syncing user groups on login,
http://projects.theforeman.org/issues/10340), which there's a patch open for;
hopefully we can incorporate it soon.

In the meantime, since Foreman 1.8.1, you can disable group syncing from
the LDAP auth source settings in the Foreman UI (just log in with a
non-LDAP account).

On 26/08/15 11:34, John Beranek - PA wrote:


Dominic Cleal
Red Hat Engineering

Thank you, I can confirm that turning off group sync does indeed work
around the LDAP login issue.

Cheers,

John

On Wednesday, 26 August 2015 13:52:24 UTC+1, Dominic Cleal wrote: