[opensuse-buildservice] Private OBS Questions

Hi all,

I have a project at my job to start implementing OBS as a replacement for our few disparate build systems and servers. While in general I'm very pleased with the system, there are a few things which I need some help with.

I am running a 4 server setup for OBS - one main box, 3 workers. I am using the appliance images.

* LDAP Auth
Where is the correct place to configure this? I saw some things about it, and attempted to edit a production.rb file for the API, but it seems every so often this was regenerated by something. Try as I might, I could not get it to work, and could not find a way to turn up logging. This is pretty important.

* Reliance on opensuse.org
How can I make my base distributions not dependent on build.opensuse.org? Under normal circumstances this all works fine, but it would make me feel better having everything in-house. An extension of this would be - what if I want to build against Ubuntu 12.10 beta? Related to this would be - supporting Debian variants - like debian-amd64-kfreebsd.

* Putting OBS into version control (git)
I think I saw something which puts the specs and such into git from OBS? Anyone have that link? I can't find it again.

* Documentation
There's a lot of documentation, it's just hard to find some things because of the sheer amount. I'm very familiar with this as it's similar on our internal wiki.

I've basically used the appliance files, some kickstart stuff, and a little bit of puppet to get everything going. If someone can provide hints to the items above, I'd be glad to submit back some detailed docs. I'm quite excited as to what this will help my company get done, but need some things addressed before going full-steam-ahead.

Thanks.
-Matt

PS Any opinions expressed are my own and not of the company, etc, etc.

-- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org

On Wednesday, 10 October 2012, 07:40:36, Matthew Drobnak wrote:
Hi all,
I have a project at my job to start implementing OBS as a replacement for our few disparate build systems and servers.
Since this mailing list is in the first place for OBS and openSUSE developers, I suggest that you may contact our partner for support and consulting services for your needs: http://openbuildservice.org/support/ Sorry, but at least I have no time to help here. adrian
While in general I'm very pleased with the system, there are a few things which I need some help with.
I am running a 4 server setup for OBS - one main box, 3 workers. I am using the appliance images.
* LDAP Auth Where is the correct place to configure this? I saw some things about it, and attempted to edit a production.rb file for the API, but it seems every so often this was regenerated by something. Try as I might, I could not get it to work, and could not find a way to turn up logging.
This is pretty important.
* Reliance on opensuse.org How can I make my base distributions not dependent on build.opensuse.org? Under normal circumstances this all works fine, but it would make me feel better having everything in-house.
An extension of this would be - what if I want to build against Ubuntu 12.10 beta?
Related to this would be - supporting Debian variants - like debian-amd64-kfreebsd.
* Putting OBS into version control (git) I think I saw something which puts the specs and such into git from OBS? Anyone have that link? I can't find it again.
* Documentation There's a lot of documentation, it's just hard to find some things because of the sheer amount. I'm very familiar with this as it's similar on our internal wiki.
I've basically used the appliance files, some kickstart stuff, and a little bit of puppet to get everything going.
If someone can provide hints to the items above, I'd be glad to submit back some detailed docs.
I'm quite excited as to what this will help my company get done, but need some things addressed before going full-steam-ahead.
Thanks.
-Matt
PS Any opinions expressed are my own and not of the company, etc, etc.
-- 
Adrian Schroeter
SUSE Linux Products GmbH
email: adrian@suse.de

Hey Matt, welcome to the OBS project :) On 10.10.2012 13:40, Matthew Drobnak wrote:
I have a project at my job to start implementing OBS as a replacement for our few disparate build systems and servers.
While in general I'm very pleased with the system,
Glad to hear that, hope OBS will make you more productive focusing on the right stuff (instead of build systems).
there are a few things which I need some help with.
Sure, let's roll :)
I am running a 4 server setup for OBS - one main box, 3 workers. I am using the appliance images.
* LDAP Auth Where is the correct place to configure this? I saw some things about it, and attempted to edit a production.rb file for the API, but it seems every so often this was regenerated by something. Try as I might, I could not get it to work, and could not find a way to turn up logging.
Well config/environments/production.rb is the right file to set it up. Maybe you should try again and tell us what exactly isn't working. It also helps a great deal to show us some error messages :)
* Reliance on opensuse.org How can I make my base distributions not dependent on build.opensuse.org? Under normal circumstances this all works fine, but it would make me feel better having everything in-house.
You import them. Have a look at the obs_mirror_project script from the obs-utils package.
* Putting OBS into version control (git) I think I saw something which puts the specs and such into git from OBS? Anyone have that link? I can't find it again.
There was an OBS git backend and a git frontend (code is somewhere on gitorious.org/opensuse). Both are incomplete and no longer maintained as far as we know.
* Documentation There's a lot of documentation, it's just hard to find some things because of the sheer amount. I'm very familiar with this as it's similar on our internal wiki.
Uhm yeah :-/ Cleaning this up is something that is burning on my TODO list. Stay tuned!
If someone can provide hints to the items above, I'd be glad to submit back some detailed docs.
That would be cool. Maybe we can do a guest blog about your setup on openbuildservice.org or something similar. If you're interested let us know.

Henne

-- 
Henne Vogelsang
http://www.opensuse.org
Everybody has a plan, until they get hit. - Mike Tyson

Thanks for the welcome and some info. I don't have a lot of time at the second, but I at least wanted to share the error I had:

[INFO |# 2983] Parameters: {"return_to_path"=>"/", "authenticity_token"=>"R1+EmBXzEFwy4k+hqhocVENZALWrSTM5w5tFM3CeWV0=", "commit"=>"Login", "controller"=>"user", "password"=>"[FILTERED]", "action"=>"do_login", "username"=>"mdrobnak"}
[INFO # 2983] Anonymous request to /
[INFO # 2983] Login to / failed for mdrobnak: <?xml version="1.0" encoding="UTF-8"?>
<status code="unknown">
  <summary>Unknown user 'mdrobnak' or invalid password</summary>
  <details></details>
</status>

The other items I'll definitely look into.

Thanks!
-Matt

On 10/10/2012 09:18 AM, Henne Vogelsang wrote:
Hey Matt,
welcome to the OBS project :)
On 10.10.2012 13:40, Matthew Drobnak wrote:
I have a project at my job to start implementing OBS as a replacement for our few disparate build systems and servers.
While in general I'm very pleased with the system,
Glad to hear that, hope OBS will make you more productive focusing on the right stuff (instead of build systems).
there are a few things which I need some help with.
Sure, let's roll :)
I am running a 4 server setup for OBS - one main box, 3 workers. I am using the appliance images.
* LDAP Auth Where is the correct place to configure this? I saw some things about it, and attempted to edit a production.rb file for the API, but it seems every so often this was regenerated by something. Try as I might, I could not get it to work, and could not find a way to turn up logging.
Well config/environments/production.rb is the right file to set it up. Maybe you should try again and tell us what exactly isn't working. It also helps a great deal to show us some error messages :)

Also, I'm hanging my head in shame here - I have the production.rb file managed by puppet. So that was what was undoing my changes. Ignore that issue. Sorry!

I'm certain though I got the error below with the correct values in place.

-Matt

On 10/10/2012 11:31 AM, Matthew Drobnak wrote:
Thanks for the welcome and some info. I don't have a lot of time at the second, but I at least wanted to share the error I had:
[INFO |# 2983] Parameters: {"return_to_path"=>"/", "authenticity_token"=>"R1+EmBXzEFwy4k+hqhocVENZALWrSTM5w5tFM3CeWV0=", "commit"=>"Login", "controller"=>"user", "password"=>"[FILTERED]", "action"=>"do_login", "username"=>"mdrobnak"}
[INFO # 2983] Anonymous request to /
[INFO # 2983] Login to / failed for mdrobnak: <?xml version="1.0" encoding="UTF-8"?>
<status code="unknown">
  <summary>Unknown user 'mdrobnak' or invalid password</summary>
  <details></details>
</status>
The other items I'll definitely look into.
Thanks! -Matt
On 10/10/2012 09:18 AM, Henne Vogelsang wrote:
Hey Matt,
welcome to the OBS project :)
On 10.10.2012 13:40, Matthew Drobnak wrote:
I have a project at my job to start implementing OBS as a replacement for our few disparate build systems and servers.
While in general I'm very pleased with the system,
Glad to hear that, hope OBS will make you more productive focusing on the right stuff (instead of build systems).
there are a few things which I need some help with.
Sure, let's roll :)
I am running a 4 server setup for OBS - one main box, 3 workers. I am using the appliance images.
* LDAP Auth Where is the correct place to configure this? I saw some things about it, and attempted to edit a production.rb file for the API, but it seems every so often this was regenerated by something. Try as I might, I could not get it to work, and could not find a way to turn up logging.
Well config/environments/production.rb is the right file to set it up. Maybe you should try again and tell us what exactly isn't working. It also helps a great deal to show us some error messages :)

Ok, more details:

[INFO |#25431] Processing MainController#index (for 68.67.167.114 at 2012-10-10 15:59:50) [GET]
[DEBUG|#25431] Validate XML request: #<ActionController::Request:0x7fd4c8e5b998>
[DEBUG|#25431] no schema found, skipping validation for typerequestmethodgetcontrollermainactionindex
[DEBUG|#25431] AUTH: ["Basic", "REDACTED"]
[DEBUG|#25431] Using LDAP to find mdrobnak
[DEBUG|#25431] Looking for mdrobnak using ldap
[DEBUG|#25431] Cache read: ldap_cache_userpasswd:mdrobnak
[DEBUG|#25431] Connecting to ldap.local.appnexus.net as ''
[DEBUG|#25431] mdrobnak not found in LDAP.
[DEBUG|#25431] User not found with LDAP, falling back to database
[DEBUG|#25431] User Load (0.4ms) SELECT * FROM `users` WHERE (login = 'mdrobnak') LIMIT 1
[INFO |#25431] Rendering template within layouts/rbac
[INFO |#25431] Rendering status
[INFO |#25431] errorcode 'unknown' - Unknown user 'mdrobnak' or invalid password
[INFO |#25431] Rendering status (401)
[INFO |#25431] Filter chain halted as [:extract_user] rendered_or_redirected.
[INFO |#25431] Completed in 21ms (View: 1, DB: 0) | 401 Unauthorized [https://obs01.nym1.appnexus.net/]

So, why is it not attempting to connect as the user itself (ie mdrobnak)? I temporarily set it to an auth user:

[INFO |#27017] Processing MainController#index (for 68.67.167.114 at 2012-10-10 16:16:49) [GET]
[DEBUG|#27017] Validate XML request: #<ActionController::Request:0x7ff5df8a1c40>
[DEBUG|#27017] no schema found, skipping validation for methodgettyperequestactionindexcontrollermain
[DEBUG|#27017] AUTH: ["Basic", "REDACTED"]
[DEBUG|#27017] Using LDAP to find mdrobnak
[DEBUG|#27017] Looking for mdrobnak using ldap
[DEBUG|#27017] Cache read: ldap_cache_userpasswd:mdrobnak
[DEBUG|#27017] Cache read: ldap_cache_userpasswd:mdrobnak ({:raw=>true})
[DEBUG|#27017] Connecting to ldap.local.appnexus.net as 'uid=cmcvalidation,ou=Pseudousers,dc=appnexus,dc=com'
[DEBUG|#27017] mdrobnak not found in LDAP.
[DEBUG|#27017] User not found with LDAP, falling back to database
[DEBUG|#27017] User Load (0.4ms) SELECT * FROM `users` WHERE (login = 'mdrobnak') LIMIT 1
[INFO |#27017] Rendering template within layouts/rbac
[INFO |#27017] Rendering status
[INFO |#27017] errorcode 'unknown' - Unknown user 'mdrobnak' or invalid password
[INFO |#27017] Rendering status (401)
[INFO |#27017] Filter chain halted as [:extract_user] rendered_or_redirected.
[INFO |#27017] Completed in 21ms (View: 1, DB: 0) | 401 Unauthorized [https://obs01.nym1.appnexus.net/]

But still same problem. Any ideas?

Thanks.
-Matt

On 10/10/2012 11:52 AM, Matthew Drobnak wrote:
Also, I'm hanging my head in shame here - I have the production.rb file managed by puppet. So that was what was undoing my changes. Ignore that issue. Sorry! I'm certain though I got the error below with the correct values in place.
-Matt
On 10/10/2012 11:31 AM, Matthew Drobnak wrote:
Thanks for the welcome and some info. I don't have a lot of time at the second, but I at least wanted to share the error I had:
[INFO |# 2983] Parameters: {"return_to_path"=>"/", "authenticity_token"=>"R1+EmBXzEFwy4k+hqhocVENZALWrSTM5w5tFM3CeWV0=", "commit"=>"Login", "controller"=>"user", "password"=>"[FILTERED]", "action"=>"do_login", "username"=>"mdrobnak"}
[INFO # 2983] Anonymous request to /
[INFO # 2983] Login to / failed for mdrobnak: <?xml version="1.0" encoding="UTF-8"?>
<status code="unknown">
  <summary>Unknown user 'mdrobnak' or invalid password</summary>
  <details></details>
</status>
The other items I'll definitely look into.
Thanks! -Matt
On 10/10/2012 09:18 AM, Henne Vogelsang wrote:
Hey Matt,
welcome to the OBS project :)
On 10.10.2012 13:40, Matthew Drobnak wrote:
I have a project at my job to start implementing OBS as a replacement for our few disparate build systems and servers.
While in general I'm very pleased with the system,
Glad to hear that, hope OBS will make you more productive focusing on the right stuff (instead of build systems).
there are a few things which I need some help with.
Sure, let's roll :)
I am running a 4 server setup for OBS - one main box, 3 workers. I am using the appliance images.
* LDAP Auth Where is the correct place to configure this? I saw some things about it, and attempted to edit a production.rb file for the API, but it seems every so often this was regenerated by something. Try as I might, I could not get it to work, and could not find a way to turn up logging.
Well config/environments/production.rb is the right file to set it up. Maybe you should try again and tell us what exactly isn't working. It also helps a great deal to show us some error messages :)

Hi Matthew, On Wednesday, October 10, 2012 12:19:39 PM Matthew Drobnak wrote:
I temporarily set it to an auth user:

[INFO |#27017] Processing MainController#index (for 68.67.167.114 at 2012-10-10 16:16:49) [GET]
[DEBUG|#27017] Validate XML request: #<ActionController::Request:0x7ff5df8a1c40>
[DEBUG|#27017] no schema found, skipping validation for methodgettyperequestactionindexcontrollermain
[DEBUG|#27017] AUTH: ["Basic", "REDACTED"]
[DEBUG|#27017] Using LDAP to find mdrobnak
[DEBUG|#27017] Looking for mdrobnak using ldap
[DEBUG|#27017] Cache read: ldap_cache_userpasswd:mdrobnak
[DEBUG|#27017] Cache read: ldap_cache_userpasswd:mdrobnak ({:raw=>true})
[DEBUG|#27017] Connecting to ldap.local.appnexus.net as 'uid=cmcvalidation,ou=Pseudousers,dc=appnexus,dc=com'

Here goes something wrong. Looks like we are missing here some exception handling. You should at least get a log message like "Bound as $YOURBINDUSERSTRING" ... And some more logging ... but instead the ldap init code drops out at:

[DEBUG|#27017] mdrobnak not found in LDAP.

src/api/app/controllers/application_controller.rb:

def extract_user
  [...]
  if defined?( LDAP_MODE ) && LDAP_MODE == :on
    begin
      require 'ldap'
      logger.debug( "Using LDAP to find #{login}" )
      ldap_info = User.find_with_ldap( login, passwd )
    rescue LoadError
      logger.warn "LDAP_MODE selected but 'ruby-ldap' module not installed."
      ldap_info = nil # now fall through as if we'd not found a user
    rescue Exception
      logger.debug "#{login} not found in LDAP."   <-------------------------
      ldap_info = nil # now fall through as if we'd not found a user
    end

[DEBUG|#27017] User not found with LDAP, falling back to database
[DEBUG|#27017] User Load (0.4ms) SELECT * FROM `users` WHERE (login = 'mdrobnak') LIMIT 1
[INFO |#27017] Rendering template within layouts/rbac
[INFO |#27017] Rendering status
[INFO |#27017] errorcode 'unknown' - Unknown user 'mdrobnak' or invalid password
[INFO |#27017] Rendering status (401)
[INFO |#27017] Filter chain halted as [:extract_user] rendered_or_redirected.
[INFO |#27017] Completed in 21ms (View: 1, DB: 0) | 401 Unauthorized [https://obs01.nym1.appnexus.net/]

But still same problem. Any ideas?

you might want to try this little helper for debugging purposes. You need to adapt the LOGIN and LDAP_ values to your needs:

----8<-----
#!/usr/bin/ruby
require 'ldap'

LOGIN = "gollub"

LDAP_SEARCH_ATTR = "uid"
LDAP_SERVERS = "yourldap.b1-systems.de"
LDAP_PORT = 636
LDAP_START_TLS = false
LDAP_SSL = :on

LDAP_SEARCH_USER = "uid=ldapbinduser,ou=obs,dc=b1-systems,dc=de"
LDAP_SEARCH_AUTH = "SECRET"
LDAP_SEARCH_BASE = "ou=users,dc=b1-systems,dc=de"

user_filter = "(#{LDAP_SEARCH_ATTR}=#{LOGIN})"

# Note: OBS is performing also an ICMP test if LDAP server
# is reachable. This little tester is not performing such
# test ...

conn = nil
begin
  if LDAP_SSL == :on
    conn = LDAP::SSLConn.new(LDAP_SERVERS, LDAP_PORT, LDAP_START_TLS)
  else
    conn = LDAP::Conn.new(LDAP_SERVERS, LDAP_PORT)
  end
  conn.set_option(LDAP::LDAP_OPT_PROTOCOL_VERSION, 3)
  conn.bind(LDAP_SEARCH_USER, LDAP_SEARCH_AUTH)
rescue LDAP::ResultError => e
  # conn is still nil when the (SSL) connection itself failed, so report
  # the exception instead of dereferencing conn
  print "Connect or bind failed: #{e.message}\n"
  exit 1
end

dn = String.new
conn.search( LDAP_SEARCH_BASE, LDAP::LDAP_SCOPE_SUBTREE, user_filter ) do |entry|
  print "Bingo: ", entry.dn, "\n"
  dn = entry.dn
end

if dn.empty?
  print "No user found ...\n"
end

conn.unbind()
---->8------

Best Regards,
Daniel

-- 
Daniel Gollub
Linux Consultant & Developer
Tel.: +49-160 47 73 970
Mail: gollub@b1-systems.de
B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
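The diagnostic point Daniel makes above (a `rescue Exception` that turns any LDAP failure, including a TLS problem, into "user not found") can be seen in isolation. The following Ruby is an added illustration, not OBS code and not Daniel's helper: the LDAP lookup is injected as a callable so no ruby-ldap gem or server is needed, and `FakeLdapError`, the three finders and the example DN are constructed stand-ins. It runs the original shape and a narrower one side by side and captures what each writes to the log.

```ruby
#!/usr/bin/env ruby
# Added illustration (not OBS code): why a broad `rescue Exception` around
# the LDAP lookup hides a TLS/bind error behind "<login> not found in LDAP.",
# and a narrower version that records the real cause.
require 'logger'
require 'stringio'

# Constructed stand-in for a backend error such as ruby-ldap's LDAP::ResultError.
class FakeLdapError < StandardError; end

# Shape of the code quoted from application_controller.rb: every exception
# becomes "not found", so the operator chases a user instead of a cert problem.
def lookup_swallowing(login, logger, &finder)
  finder.call(login)
rescue Exception
  logger.debug("#{login} not found in LDAP.")
  nil
end

# Hardened shape: "no entry" and "backend failed" are logged differently and
# the exception class and message are kept. Both still fail closed (nil).
def lookup_logging_cause(login, logger, &finder)
  info = finder.call(login)
  logger.debug("#{login} not found in LDAP.") if info.nil?
  info
rescue LoadError
  logger.warn("LDAP_MODE selected but 'ruby-ldap' module not installed.")
  nil
rescue StandardError => e
  logger.error("LDAP lookup for #{login} failed: #{e.class}: #{e.message}")
  nil
end

# Runs one strategy with an in-memory logger; returns [result, log_text].
def run_lookup(strategy, login, &finder)
  buf = StringIO.new
  logger = Logger.new(buf)
  logger.formatter = proc { |sev, _time, _prog, msg| "[#{sev}] #{msg}\n" }
  result = send(strategy, login, logger, &finder)
  [result, buf.string]
end

# Constructed finders: a TLS handshake failure, a user missing from the
# tree, and a hit (example DN, not a real directory entry).
TLS_FAILS   = ->(_login) { raise FakeLdapError, "Can't contact LDAP server (TLS handshake)" }
NOT_IN_TREE = ->(_login) { nil }
FOUND       = ->(login)  { { dn: "uid=#{login},ou=People,dc=example,dc=com" } }

if __FILE__ == $PROGRAM_NAME
  %i[lookup_swallowing lookup_logging_cause].each do |strategy|
    _, log = run_lookup(strategy, "mdrobnak", &TLS_FAILS)
    puts "#{strategy}: #{log}"
  end
end
```

Run it and the first strategy prints only "mdrobnak not found in LDAP." for the TLS failure, which is exactly the log line the thread spent several messages on; the second prints the exception class and message, which is what a hash-symlink or CA-bundle problem needs to be spotted from the API log alone.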

Ok, so the root of this is: SSL Cert issues. As you suspected. We have our own root CA, but I thought I did this right:

obs01:/etc/ssl/certs # ls -l /usr/share/ca-certificates/mozilla/AppNex*
lrwxrwxrwx 1 root root 23 Oct 5 21:19 /usr/share/ca-certificates/mozilla/AppNexus-Root.crt -> AppNexus-Root.crt-1.2.4
-rwxr-xr-x 1 root bin 1704 Aug 1 21:27 /usr/share/ca-certificates/mozilla/AppNexus-Root.crt-1.2.4
lrwxrwxrwx 1 root root 33 Oct 5 21:19 /usr/share/ca-certificates/mozilla/AppNexus-ServerChain-v1.crt -> AppNexus-ServerChain-v1.crt-1.2.4
-rwxr-xr-x 1 root bin 3432 Aug 1 21:27 /usr/share/ca-certificates/mozilla/AppNexus-ServerChain-v1.crt-1.2.4
lrwxrwxrwx 1 root root 33 Oct 5 21:19 /usr/share/ca-certificates/mozilla/AppNexus-ServerChain-v2.crt -> AppNexus-ServerChain-v2.crt-1.2.4
-rwxr-xr-x 1 root bin 3603 Aug 1 21:27 /usr/share/ca-certificates/mozilla/AppNexus-ServerChain-v2.crt-1.2.4
lrwxrwxrwx 1 root root 30 Oct 5 21:19 /usr/share/ca-certificates/mozilla/AppNexus-ServerChain.crt -> AppNexus-ServerChain.crt-1.2.4
-rwxr-xr-x 1 root bin 5331 Aug 1 21:27 /usr/share/ca-certificates/mozilla/AppNexus-ServerChain.crt-1.2.4
obs01:/etc/ssl/certs # ls -l |grep AppNexus
lrwxrwxrwx 1 root root 24 Oct 10 21:29 0bb5348d.0 -> AppNexus-ServerChain.pem
lrwxrwxrwx 1 root root 27 Oct 10 21:29 0bb5348d.1 -> AppNexus-ServerChain-v1.pem
lrwxrwxrwx 1 root root 17 Oct 10 21:29 5292bd88.0 -> AppNexus-Root.pem
lrwxrwxrwx 1 root root 17 Oct 10 21:29 608d956e.0 -> AppNexus-Root.pem
lrwxrwxrwx 1 root root 52 Oct 10 21:29 AppNexus-Root.pem -> /usr/share/ca-certificates/mozilla/AppNexus-Root.crt
lrwxrwxrwx 1 root root 62 Oct 10 21:29 AppNexus-ServerChain-v1.pem -> /usr/share/ca-certificates/mozilla/AppNexus-ServerChain-v1.crt
lrwxrwxrwx 1 root root 62 Oct 10 21:29 AppNexus-ServerChain-v2.pem -> /usr/share/ca-certificates/mozilla/AppNexus-ServerChain-v2.crt
lrwxrwxrwx 1 root root 59 Oct 10 21:29 AppNexus-ServerChain.pem -> /usr/share/ca-certificates/mozilla/AppNexus-ServerChain.crt
lrwxrwxrwx 1 root root 24 Oct 10 21:29 f0d0c49d.0 -> AppNexus-ServerChain.pem
lrwxrwxrwx 1 root root 27 Oct 10 21:29 f0d0c49d.1 -> AppNexus-ServerChain-v1.pem
obs01:/etc/ssl/certs #

And I did a update-ca-certificates, and it was in the list... So I have no idea what's still broken. :(

FYI, if I turn off SSL, it does work.

-Matt

On 10/10/2012 02:59 PM, Daniel Gollub wrote:
Hi Matthew,
On Wednesday, October 10, 2012 12:19:39 PM Matthew Drobnak wrote:
I temporarily set it to an auth user:

[INFO |#27017] Processing MainController#index (for 68.67.167.114 at 2012-10-10 16:16:49) [GET]
[DEBUG|#27017] Validate XML request: #<ActionController::Request:0x7ff5df8a1c40>
[DEBUG|#27017] no schema found, skipping validation for methodgettyperequestactionindexcontrollermain
[DEBUG|#27017] AUTH: ["Basic", "REDACTED"]
[DEBUG|#27017] Using LDAP to find mdrobnak
[DEBUG|#27017] Looking for mdrobnak using ldap
[DEBUG|#27017] Cache read: ldap_cache_userpasswd:mdrobnak
[DEBUG|#27017] Cache read: ldap_cache_userpasswd:mdrobnak ({:raw=>true})
[DEBUG|#27017] Connecting to ldap.local.appnexus.net as 'uid=cmcvalidation,ou=Pseudousers,dc=appnexus,dc=com'

Here goes something wrong. Looks like we are missing here some exception handling. You should at least get a log message like "Bound as $YOURBINDUSERSTRING" ... And some more logging ... but instead the ldap init code drops out at:

[DEBUG|#27017] mdrobnak not found in LDAP.

src/api/app/controllers/application_controller.rb:

def extract_user
  [...]
  if defined?( LDAP_MODE ) && LDAP_MODE == :on
    begin
      require 'ldap'
      logger.debug( "Using LDAP to find #{login}" )
      ldap_info = User.find_with_ldap( login, passwd )
    rescue LoadError
      logger.warn "LDAP_MODE selected but 'ruby-ldap' module not installed."
      ldap_info = nil # now fall through as if we'd not found a user
    rescue Exception
      logger.debug "#{login} not found in LDAP."   <-------------------------
      ldap_info = nil # now fall through as if we'd not found a user
    end

[DEBUG|#27017] User not found with LDAP, falling back to database
[DEBUG|#27017] User Load (0.4ms) SELECT * FROM `users` WHERE (login = 'mdrobnak') LIMIT 1
[INFO |#27017] Rendering template within layouts/rbac
[INFO |#27017] Rendering status
[INFO |#27017] errorcode 'unknown' - Unknown user 'mdrobnak' or invalid password
[INFO |#27017] Rendering status (401)
[INFO |#27017] Filter chain halted as [:extract_user] rendered_or_redirected.
[INFO |#27017] Completed in 21ms (View: 1, DB: 0) | 401 Unauthorized [https://obs01.nym1.appnexus.net/]

But still same problem. Any ideas?

you might want to try this little helper for debugging purposes:
You need to adapt the LOGIN and LDAP_ values to your needs:

----8<-----
#!/usr/bin/ruby
require 'ldap'

LOGIN = "gollub"

LDAP_SEARCH_ATTR = "uid"
LDAP_SERVERS = "yourldap.b1-systems.de"
LDAP_PORT = 636
LDAP_START_TLS = false
LDAP_SSL = :on

LDAP_SEARCH_USER = "uid=ldapbinduser,ou=obs,dc=b1-systems,dc=de"
LDAP_SEARCH_AUTH = "SECRET"
LDAP_SEARCH_BASE = "ou=users,dc=b1-systems,dc=de"

user_filter = "(#{LDAP_SEARCH_ATTR}=#{LOGIN})"

# Note: OBS is performing also an ICMP test if LDAP server
# is reachable. This little tester is not performing such
# test ...

conn = nil
begin
  if LDAP_SSL == :on
    conn = LDAP::SSLConn.new(LDAP_SERVERS, LDAP_PORT, LDAP_START_TLS)
  else
    conn = LDAP::Conn.new(LDAP_SERVERS, LDAP_PORT)
  end
  conn.set_option(LDAP::LDAP_OPT_PROTOCOL_VERSION, 3)
  conn.bind(LDAP_SEARCH_USER, LDAP_SEARCH_AUTH)
rescue LDAP::ResultError => e
  # conn is still nil when the (SSL) connection itself failed, so report
  # the exception instead of dereferencing conn
  print "Connect or bind failed: #{e.message}\n"
  exit 1
end

dn = String.new
conn.search( LDAP_SEARCH_BASE, LDAP::LDAP_SCOPE_SUBTREE, user_filter ) do |entry|
  print "Bingo: ", entry.dn, "\n"
  dn = entry.dn
end

if dn.empty?
  print "No user found ...\n"
end

conn.unbind()
---->8------
Best Regards, Daniel

Hi Matt, On Wednesday, October 10, 2012 05:40:29 PM Matthew Drobnak wrote:
Ok, so the root of this is:
SSL Cert issues. As you suspected. We have our own root CA, but I thought I did this right:
obs01:/etc/ssl/certs # ls -l /usr/share/ca-certificates/mozilla/AppNex* [...] obs01:/etc/ssl/certs # And I did a update-ca-certificates, and it was in the list...So I have no idea what's still broken.
FYI, if I turn off SSL, it does work.
You might want to use the little helper script and run it like this:

strace -o ruby-ldap-ssl.trace -f -e file -s1024 ruby ldap.rb

And check which files in /etc/ssl/certs/ the openssl library tries to access. I could imagine that there might be a hash symlink inside /etc/ssl/certs/ missing - e.g. /etc/ssl/certs/$HASH.0 -> toyourCAorCert.crt or so.

Note: also make sure that the SSL server cert matches with the provided domain you have configured for your LDAP. And the server cert is not expired and such stuff ... otherwise the ldap connection will fail also - due to "untrusted" SSL cert.

Best Regards,
Daniel
-Matt
-- 
Daniel Gollub
Linux Consultant & Developer
Tel.: +49-160 47 73 970
Mail: gollub@b1-systems.de
B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537

Daniel,

So here's the problem - it looks like OpenLDAP on SuSE is not configured to use the default system ca_bundle.pem file. I added this line:

TLS_CACERT /etc/ssl/ca-bundle.pem

to /etc/openldap/ldap.conf, and re-ran the script, and it works perfectly.

So, of course, I made the config settings match between the script, and the production.rb file. Something is a bit different however, as it does not work with API auth still:

obs01:/srv/www/obs/api/log # /root/obs-ldap.rb
Bingo: uid=mdrobnak,ou=People,dc=appnexus,dc=com
obs01:/srv/www/obs/api/log # head -n 10 /root/obs-ldap.rb
#!/usr/bin/ruby
require 'ldap'

LOGIN = "mdrobnak"

LDAP_SEARCH_ATTR = "uid"
LDAP_SERVERS = "ldap.local.appnexus.net"
LDAP_PORT = 389
LDAP_START_TLS = true
LDAP_SSL = :on
obs01:/srv/www/obs/api/log # grep LDAP ../config/environments/production.rb
LDAP_MODE = :on
# LDAP Servers separated by ':'.
LDAP_SERVERS = "ldap.local.appnexus.net"
# If you're using LDAP_AUTHENTICATE=:ldap then you should ensure that
LDAP_SSL = :on
# Use StartTLS extension of LDAP
LDAP_START_TLS = :on
# LDAP port defaults to 636 for ldaps and 389 for ldap and ldap with StartTLS
LDAP_PORT=389
LDAP_REFERRALS = :off
# Max number of times to attempt to contact the LDAP servers
LDAP_MAX_ATTEMPTS = 10
LDAP_SEARCH_BASE = "dc=appnexus,dc=com"
# Sam Account Name is the login name for LDAP
LDAP_SEARCH_ATTR = "uid"
LDAP_NAME_ATTR="cn"
LDAP_MAIL_ATTR="mail"

[INFO |# 7455] Processing MainController#index (for 68.67.167.97 at 2012-10-14 15:44:19) [GET]
[DEBUG|# 7455] Validate XML request: #<ActionController::Request:0x7f145fa0df50>
[DEBUG|# 7455] no schema found, skipping validation for controllermainmethodgettyperequestactionindex
[DEBUG|# 7455] AUTH: ["Basic", "REDACTED"]
[DEBUG|# 7455] Using LDAP to find mdrobnak
[DEBUG|# 7455] Looking for mdrobnak using ldap
[DEBUG|# 7455] Cache read: ldap_cache_userpasswd:mdrobnak
[DEBUG|# 7455] Cache read: ldap_cache_userpasswd:mdrobnak ({:raw=>true})
[DEBUG|# 7455] Connecting to ldap.local.appnexus.net as 'uid=cmcvalidation,ou=Pseudousers,dc=appnexus,dc=com'
[DEBUG|# 7455] mdrobnak not found in LDAP.
[DEBUG|# 7455] User not found with LDAP, falling back to database
[DEBUG|# 7455] User Load (0.4ms) SELECT * FROM `users` WHERE (login = 'mdrobnak') LIMIT 1
[DEBUG|# 7455] SQL (0.1ms) BEGIN
[DEBUG|# 7455] User Load (0.2ms) SELECT `users`.id FROM `users` WHERE (`users`.`login` = 'mdrobnak' AND `users`.id <> 3) LIMIT 1
[DEBUG|# 7455] Error - skipping to create user
[DEBUG|# 7455] User Update (0.3ms) UPDATE `users` SET `login_failure_count` = 5, `updated_at` = '2012-10-14 15:44:19' WHERE `id` = 3
[DEBUG|# 7455] SQL (2.5ms) COMMIT

Apologies for the delay in getting this information; it's been quite hectic last week at work.

Thanks for everyone's help so far.

-Matt

On 10/11/2012 03:02 AM, Daniel Gollub wrote:
Hi Matt,
On Wednesday, October 10, 2012 05:40:29 PM Matthew Drobnak wrote:
Ok, so the root of this is:
SSL Cert issues. As you suspected. We have our own root CA, but I thought I did this right:
obs01:/etc/ssl/certs # ls -l /usr/share/ca-certificates/mozilla/AppNex* [...] obs01:/etc/ssl/certs # And I did a update-ca-certificates, and it was in the list...So I have no idea what's still broken.
FYI, if I turn off SSL, it does work.

You might want to use the little helper script and run it like this:

strace -o ruby-ldap-ssl.trace -f -e file -s1024 ruby ldap.rb

And check which files in /etc/ssl/certs/ the openssl library tries to access. I could imagine that there might be a hash symlink inside /etc/ssl/certs/ missing - e.g. /etc/ssl/certs/$HASH.0 -> toyourCAorCert.crt or so.

Note: also make sure that the SSL server cert matches with the provided domain you have configured for your LDAP. And the server cert is not expired and such stuff ... otherwise the ldap connection will fail also - due to "untrusted" SSL cert.
Best Regards, Daniel
-Matt

Hi Matt, On Sunday, October 14, 2012 11:46:36 AM Matthew Drobnak wrote:
Daniel,
So here's the problem - it looks like OpenLDAP on SuSE is not configured to use the default system ca_bundle.pem file.
I added this line:
TLS_CACERT /etc/ssl/ca-bundle.pem
to /etc/openldap/ldap.conf,
and re-ran the script, and it works perfectly.
Good catch! LDAP & TLS is always fun :(
So, of course, I made the config settings match between the script, and the production.rb file. Something is a bit different however, as it does not work with API auth still:
My little helper script seems to be different in the relevant part. At least I helped a bit so far .... The TLS vs. SSL handling in my helper script is pretty simplified compared to the LDAP implementation in OBS.
obs01:/srv/www/obs/api/log # /root/obs-ldap.rb
Bingo: uid=mdrobnak,ou=People,dc=appnexus,dc=com
obs01:/srv/www/obs/api/log # head -n 10 /root/obs-ldap.rb
#!/usr/bin/ruby
require 'ldap'

LOGIN = "mdrobnak"

LDAP_SEARCH_ATTR = "uid"
LDAP_SERVERS = "ldap.local.appnexus.net"
LDAP_PORT = 389
LDAP_START_TLS = true
LDAP_SSL = :on
So these two options might work for my helper script .. but not for OBS. Those are XOR in OBS... :(
obs01:/srv/www/obs/api/log # grep LDAP ../config/environments/production.rb
LDAP_MODE = :on
# LDAP Servers separated by ':'.
LDAP_SERVERS = "ldap.local.appnexus.net"
# If you're using LDAP_AUTHENTICATE=:ldap then you should ensure that
LDAP_SSL = :on
Since you are using TLS: turn LDAP_SSL := off
# Use StartTLS extension of LDAP LDAP_START_TLS = :on
... and keep this LDAP_START_TLS = :on. This hopefully should do the trick for you. With your current configuration OBS would only try to do plain-SSL chatting on Port 389 which is going to fail since your TLS configured LDAP is expecting TLS handshake. Still I really wonder why the exception when all this fails is completely silenced in the logs ... But we should definitely introduce a sanity check that warns you having LDAP_SSL and LDAP_START_TLS activated at the same time ... which is usually not what you want. (TLS will turn the initial plain connection into an encrypted one after the TLS handshake thingy ...)
# LDAP port defaults to 636 for ldaps and 389 for ldap and ldap with StartTLS
LDAP_PORT=389
LDAP_REFERRALS = :off
# Max number of times to attempt to contact the LDAP servers
LDAP_MAX_ATTEMPTS = 10
LDAP_SEARCH_BASE = "dc=appnexus,dc=com"
# Sam Account Name is the login name for LDAP
LDAP_SEARCH_ATTR = "uid"
LDAP_NAME_ATTR="cn"
LDAP_MAIL_ATTR="mail"
Not related so far ... but maybe this comes next. Make sure all your users in your LDAP tree have this MAIL attribute set ... if not they will also fail to login.
HTH
BR Daniel
[INFO |# 7455] Processing MainController#index (for 68.67.167.97 at 2012-10-14 15:44:19) [GET]
[DEBUG|# 7455] Validate XML request: #<ActionController::Request:0x7f145fa0df50>
[DEBUG|# 7455] no schema found, skipping validation for controllermainmethodgettyperequestactionindex
[DEBUG|# 7455] AUTH: ["Basic", "REDACTED"]
[DEBUG|# 7455] Using LDAP to find mdrobnak
[DEBUG|# 7455] Looking for mdrobnak using ldap
[DEBUG|# 7455] Cache read: ldap_cache_userpasswd:mdrobnak
[DEBUG|# 7455] Cache read: ldap_cache_userpasswd:mdrobnak ({:raw=>true})
[DEBUG|# 7455] Connecting to ldap.local.appnexus.net as 'uid=cmcvalidation,ou=Pseudousers,dc=appnexus,dc=com'
[DEBUG|# 7455] mdrobnak not found in LDAP.
[DEBUG|# 7455] User not found with LDAP, falling back to database
[DEBUG|# 7455] User Load (0.4ms) SELECT * FROM `users` WHERE (login = 'mdrobnak') LIMIT 1
[DEBUG|# 7455] SQL (0.1ms) BEGIN
[DEBUG|# 7455] User Load (0.2ms) SELECT `users`.id FROM `users` WHERE (`users`.`login` = 'mdrobnak' AND `users`.id <> 3) LIMIT 1
[DEBUG|# 7455] Error - skipping to create user
[DEBUG|# 7455] User Update (0.3ms) UPDATE `users` SET `login_failure_count` = 5, `updated_at` = '2012-10-14 15:44:19' WHERE `id` = 3
[DEBUG|# 7455] SQL (2.5ms) COMMIT
Apologies for the delay in getting this information; it's been quite hectic last week at work.
Thanks for everyone's help so far.
-Matt
On 10/11/2012 03:02 AM, Daniel Gollub wrote:
Hi Matt,
On Wednesday, October 10, 2012 05:40:29 PM Matthew Drobnak wrote:
Ok, so the root of this is:
SSL Cert issues. As you suspected. We have our own root CA, but I thought I did this right:
obs01:/etc/ssl/certs # ls -l /usr/share/ca-certificates/mozilla/AppNex*
[...]
obs01:/etc/ssl/certs # And I did a update-ca-certificates, and it was in the list...So I have no idea what's still broken.
FYI, if I turn off SSL, it does work.
You might want to use the little helper script and run it like this:
strace -o ruby-ldap-ssl.trace -f -e file -s1024 ruby ldap.rb
And check which files in /etc/ssl/certs/ the openssl library tries to access. I could imagine that there might be a hash symlink inside /etc/ssl/certs/ missing - e.g. /etc/ssl/certs/$HASH.0 -> toyourCAorCert.crt or so.
Note: also make sure that the SSL server cert matches with the provided domain you have configured for your LDAP. And the server cert is not expired and such stuff ... otherwise the ldap connection will fail also - due to "untrusted" SSL cert.
Best Regards, Daniel
-Matt
--
Daniel Gollub
Linux Consultant & Developer
Tel.: +49-160 47 73 970
Mail: gollub@b1-systems.de
B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
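Daniel's hash-symlink suspicion above can be checked mechanically. The following is an added example (not the helper script from the thread and not OBS code): it builds a throwaway self-signed CA standing in for a private root CA, computes the `<subject-hash>.0` name that OpenSSL's hashed-directory lookup expects, and shows with an `OpenSSL::X509::Store` that trust through the directory only works once that link exists. The directory and certificate names are constructed; on a real host you would point it at /etc/ssl/certs/ and your own .crt file.

```ruby
#!/usr/bin/ruby
# Added example (not from the thread or OBS): verify that a CA certificate is
# reachable through the hash symlink OpenSSL's directory lookup expects
# (/etc/ssl/certs/<subject-hash>.0), then confirm it with a real verify().
require 'openssl'
require 'tmpdir'
require 'fileutils'

# Throwaway self-signed CA standing in for the private root CA.
# (constructed test data; a real deployment would load its own .crt file)
def build_test_ca(cn = "Example Private Root CA")
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# File name OpenSSL looks for in a hashed certificate directory.
def hash_link_name(cert)
  format("%08x.0", cert.subject.hash)
end

# Path the hash link resolves to, provided the file behind it really carries
# this subject; nil when the link is missing or points at a different cert.
def hash_link_target(cert_dir, cert)
  link = File.join(cert_dir, hash_link_name(cert))
  return nil unless File.exist?(link)
  found = OpenSSL::X509::Certificate.new(File.read(link))
  found.subject.to_der == cert.subject.to_der ? File.realpath(link) : nil
end

# The same lookup libldap/OpenSSL perform: is the CA trusted when the store is
# fed only with add_path(cert_dir)?
def trusted_via_dir?(cert_dir, cert)
  store = OpenSSL::X509::Store.new
  store.add_path(cert_dir)
  store.verify(cert)
end

# Demo: drop the CA into a fresh directory under a friendly name, then add the link.
if __FILE__ == $0
  ca = build_test_ca
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, "PrivateRootCA.crt"), ca.to_pem)
    puts "without hash link: trusted=#{trusted_via_dir?(dir, ca)}"
    FileUtils.ln_s("PrivateRootCA.crt", File.join(dir, hash_link_name(ca)))
    puts "with #{hash_link_name(ca)}: trusted=#{trusted_via_dir?(dir, ca)}"
  end
end
```

Running it prints `trusted=false` before the link is created and `trusted=true` after, which is exactly the difference between a CA file that merely sits in /etc/ssl/certs/ and one the library can actually find.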

On 10/16/2012 09:17 AM, Daniel Gollub wrote:
Hi Matt,
On Sunday, October 14, 2012 11:46:36 AM Matthew Drobnak wrote:
Daniel,
So here's the problem - it looks like OpenLDAP on SuSE is not configured to use the default system ca_bundle.pem file.
I added this line:
TLS_CACERT /etc/ssl/ca-bundle.pem
to /etc/openldap/ldap.conf,
and re-ran the script, and it works perfectly.
Good catch! LDAP & TLS is always fun :(
So, of course, I made the config settings match between the script, and the production.rb file. Something is a bit different however, as it does not work with API auth still:
My little helper script seems to be different in the relevant part. At least I helped a bit so far ....
The TLS vs. SSL handling in my helper script is pretty simplified compared to the LDAP implementation in OBS.
obs01:/srv/www/obs/api/log # /root/obs-ldap.rb
Bingo: uid=mdrobnak,ou=People,dc=appnexus,dc=com
obs01:/srv/www/obs/api/log # head -n 10 /root/obs-ldap.rb
#!/usr/bin/ruby
require 'ldap'
LOGIN = "mdrobnak"
LDAP_SEARCH_ATTR = "uid"
LDAP_SERVERS = "ldap.local.appnexus.net"
LDAP_PORT = 389
LDAP_START_TLS = true
LDAP_SSL = :on
So these two options might work for my helper script .. but not for OBS. Those are XOR in OBS... :(
obs01:/srv/www/obs/api/log # grep LDAP ../config/environments/production.rb
LDAP_MODE = :on
# LDAP Servers separated by ':'.
LDAP_SERVERS = "ldap.local.appnexus.net"
# If you're using LDAP_AUTHENTICATE=:ldap then you should ensure that
LDAP_SSL = :on
Since you are using TLS: turn LDAP_SSL := off
# Use StartTLS extension of LDAP
LDAP_START_TLS = :on
... and keep this LDAP_START_TLS = :on.
This hopefully should do the trick for you. With your current configuration OBS would only try to do plain-SSL chatting on Port 389 which is going to fail since your TLS configured LDAP is expecting TLS handshake.
Still I really wonder why the exception when all this goes fail is completely silenced in the logs ...
But we should definitely introduce a sanity check that warns you having LDAP_SSL and LDAP_START_TLS activated at the same time ... which is usually not what you want. (TLS will turn the initial plain connection into an encrypted one after the TLS handshake thingy ...)
Oops. That's what I get for not reading it closely enough. I thought you emulated the OBS logic in your script.
Yes, switching LDAP_SSL to off, and keeping the START_TLS on made things work. Thanks a lot for all your help! Now on to the other issues I have. :)
-Matt
# LDAP port defaults to 636 for ldaps and 389 for ldap and ldap with StartTLS
LDAP_PORT=389
LDAP_REFERRALS = :off
# Max number of times to attempt to contact the LDAP servers
LDAP_MAX_ATTEMPTS = 10
LDAP_SEARCH_BASE = "dc=appnexus,dc=com"
# Sam Account Name is the login name for LDAP
LDAP_SEARCH_ATTR = "uid"
LDAP_NAME_ATTR="cn"
LDAP_MAIL_ATTR="mail"
Not related so far ... but maybe this comes next. Make sure all your users in your LDAP tree have this MAIL attribute set ... if not they will also fail to login.
HTH
BR Daniel
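The sanity check Daniel wishes OBS had (LDAP_SSL and LDAP_START_TLS both on is a configuration that can never connect) is easy to run outside OBS. The block below is an added example, not OBS code and not the thread's helper script: it parses the `LDAP_*` assignments out of a production.rb, flags the transport combinations that cannot work, and applies the fix from the thread (keep StartTLS, switch LDAP_SSL off). The embedded production.rb excerpt is constructed to mirror the one Matt posted; the setting names are the ones from the thread, the warning logic is mine.

```ruby
#!/usr/bin/ruby
# Added example (not OBS code): parse the LDAP_* settings out of an OBS
# production.rb and warn about combinations that cannot work, such as the
# LDAP_SSL/LDAP_START_TLS clash from this thread.

# Constructed excerpt mirroring the production.rb shown in the thread.
SAMPLE_PRODUCTION_RB = <<~'RUBY'
  LDAP_MODE = :on
  # LDAP Servers separated by ':'.
  LDAP_SERVERS = "ldap.local.appnexus.net"
  LDAP_SSL = :on
  # Use StartTLS extension of LDAP
  LDAP_START_TLS = :on
  LDAP_PORT=389
  LDAP_REFERRALS = :off
  LDAP_MAX_ATTEMPTS = 10
  LDAP_SEARCH_BASE = "dc=appnexus,dc=com"
  LDAP_SEARCH_ATTR = "uid"
  LDAP_NAME_ATTR="cn"
  LDAP_MAIL_ATTR="mail"
RUBY

# Pull `LDAP_FOO = value` assignments out of the file text. Only literal
# values are understood: :symbols, integers and "strings" without spaces.
def parse_ldap_settings(text)
  text.each_line.with_object({}) do |line, cfg|
    next unless line =~ /\A\s*(LDAP_\w+)\s*=\s*(\S+)/
    key, raw = $1.to_sym, $2
    cfg[key] = case raw
               when /\A:(\w+)\z/  then $1.to_sym
               when /\A\d+\z/     then raw.to_i
               when /\A"(.*)"\z/  then $1
               else raw
               end
  end
end

# Human-readable warnings about the transport settings; empty means consistent.
def ldap_config_warnings(cfg)
  ssl  = cfg[:LDAP_SSL] == :on
  tls  = cfg[:LDAP_START_TLS] == :on
  port = cfg[:LDAP_PORT]
  warnings = []
  if ssl && tls
    warnings << "LDAP_SSL and LDAP_START_TLS are both :on; pick one (LDAPS or StartTLS)"
  end
  if ssl && !tls && port == 389
    warnings << "LDAP_SSL=:on against port 389: LDAPS normally lives on 636, a plain-LDAP port will not answer an SSL handshake"
  end
  if tls && !ssl && port == 636
    warnings << "LDAP_START_TLS=:on against port 636: StartTLS needs a plain LDAP port (usually 389)"
  end
  if !ssl && !tls
    warnings << "neither LDAP_SSL nor LDAP_START_TLS is :on; bind passwords cross the network in clear text"
  end
  if cfg[:LDAP_MODE] == :on && cfg[:LDAP_MAIL_ATTR].to_s.empty?
    warnings << "LDAP_MAIL_ATTR is unset; users without a mail attribute cannot log in"
  end
  warnings
end

# The fix from the thread: when StartTLS is wanted, LDAP_SSL must be off.
def prefer_start_tls(cfg)
  fixed = cfg.dup
  fixed[:LDAP_SSL] = :off if fixed[:LDAP_START_TLS] == :on
  fixed
end

if __FILE__ == $0
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_PRODUCTION_RB
  warnings = ldap_config_warnings(parse_ldap_settings(text))
  puts(warnings.empty? ? "LDAP transport settings look consistent" : warnings.map { |w| "WARNING: #{w}" })
end
```

Run with the path to your production.rb as the only argument; with no argument it checks the constructed sample and reports the single "both :on" warning that describes Matt's situation, and after `prefer_start_tls` the same settings pass cleanly.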

* Reliance on opensuse.org
How can I make my base distributions not dependent on build.opensuse.org? Under normal circumstances this all works fine, but it would make me feel better having everything in-house.
You have several options:
- download on demand (breaks the link with the original source, but following update is a bit complex (manual actions are required))
- copy the entire remote repo into your own OBS and make a full boot strap.
  http://en.opensuse.org/openSUSE:OBS_Light_Obstag
  http://en.opensuse.org/openSUSE:Build_Service_private_instance_boot_strappin...
- create a FakeOBS image of your target repos and work locally from there.
  http://en.opensuse.org/openSUSE:OBS_Light_Fakeobs
Building from a link is very nice until the day where the link is down, as at that time your system would be locked.
Dominig ar Foll
Senior Software Architect
Open Source Technology Centre
Intel SSG
participants (5)
- Adrian Schröter
- Daniel Gollub
- Dominig
- Henne Vogelsang
- Matthew Drobnak