I have an instance of foreman 1.6 up and running and I've been trying to
add LDAP authentication. I was able to add AD without any issues, but I'm
now trying to connect to an externally managed POSIX compliant LDAP server
and I'm experiencing some difficulty. Ideally I would check the LDAP server
to see the incoming connection request, but I do not have access to the
logs on the LDAP server I am trying to authenticate against. Is there any
way to see what is being sent to the server? I can try connecting via 389
and using either tcpdump or wireshark next, but I would greatly appreciate
an easier approach.
Relevant log snippet from /var/log/foreman/production.log:
Authenticating '<serialnumber>' against '<external_LDAP>'
LDAP-Auth with User <serialnumber>
trying to auto create user <-- debug message I added trying to trace. I have
also tried pre-populating the user which will take me straight to invalid
user.
invalid user <-- error from user model try_to_login method
Setting current user thread-local variable to nil
Things that I have tried so far:
Adding logger.debug messages all over the place to see which methods and
conditionals were being hit.
Hacking posix.rb in ldap_fluff to support additional objectClasses. I'm
worried that results are being filtered due to some heavy use of custom
objectClasses. This is the main reason why I want to see what's being sent
to and from the LDAP server.
Adding a bind account. I was able to generate an error log entry by
purposely supplying invalid credentials. I also added debug messages to
verify that I can bind successfully.
As a heads up, I'm able to authenticate against both openLDAP (synology
dsm5) and AD (samba4) but I'm also struggling to get the groups stuff to work.
Did you try ldapsearch to see if any results are returned?
Joop
On 17-9-2014 23:32, Chris Hupman wrote:
After troubleshooting my connection parameters with ldap_fluff and net-ldap
in irb I finally figured out my issue and wanted to post in case anyone
else was unfortunate enough to have the same problem. The ancient LDAP I
was authenticating against only supports LDAP v2. I'll have to patch
ldap_fluff locally to override the following constant:

  require 'net/ldap'
  # Force protocol version 2 (net-ldap defaults to LdapVersion = 3)
  class Net::LDAP::Connection
    remove_const(:LdapVersion) # avoid "already initialized constant" warning
    LdapVersion = 2
  end
Since LDAP v3 has been out for more than 15 years I don't think v2 should
be supported in ldap_fluff.
On Wednesday, September 17, 2014 2:32:46 PM UTC-7, Chris Hupman wrote:
I'm able to connect with ldapsearch and I did a wireshark packet capture of
ldapsearch and foreman to help troubleshoot. One thing I noticed was that
my filter (mail=$login) didn't actually work and was getting sent out
without any variable substitution. For now I'm going to retry some of the
settings I attempted earlier, but this time hard-code the filter to the
account I'm testing with. A wireshark capture on the outbound interface
with a filter of "ldap" or "ip.addr == <IP of ldap server>" gives you a
pretty good view of the request.
On Thursday, September 18, 2014 7:28:13 AM UTC-7, jvandewege wrote: