Mailinglist Archive: opensuse-buildservice (123 mails)

[opensuse-buildservice] Spurious "401 unauthorized" errors in osc with 2.8.3 / LDAP backend

I'm a long-time happy user of the OBS with LDAP auth, even though it was not
officially supported.
Since the update from 2.8.2 to 2.8.3 (which brought official LDAP support), my
users and I are seeing spurious "401 Unauthorized" messages on osc commands.

Usually, a retry of the command then succeeds.

There is nothing suspicious at that time in production.log.

This is the LDAP config on my box (slightly edited to protect the guilty):

obs:/srv/www/obs/api # grep ^ldap config/options.yml
ldap_mode: :on
ldap_max_attempts: 10
ldap_user_memberof_attr: memberof
ldap_group_member_attr: member
ldap_ssl: :off
ldap_start_tls: :on
ldap_port: 389
ldap_referrals: :on
ldap_search_base: DC=my,DC=do,DC=main
ldap_search_attr: SAMAccountName
ldap_name_attr: displayName
ldap_mail_attr: mail
ldap_search_user: AD2LDAP@xxxxxxxxxx
ldap_search_auth: "V3rYS3Cr37P@ssw0rd"
ldap_authenticate: :ldap
ldap_auth_mech: :md5
ldap_auth_attr: userPassword
ldap_update_support: :off
ldap_object_class: inetOrgPerson
ldap_entry_base: ou=OBSUSERS,dc=EXAMPLE,dc=COM
ldap_sn_attr_required: :on
ldap_group_support: :off
ldap_group_search_base: ou=OBSGROUPS,dc=EXAMPLE,dc=COM
ldap_group_title_attr: cn
ldap_group_objectclass_attr: groupOfNames

LDAP server is Microsoft Active Directory.

My *guess* is that the AD servers sometimes answer with some kind of "busy,
please try again" or "busy, please wait" response and OBS treats this as
"auth failed".

Any hints on where to look (or where to put debug code? ;-)

Best regards,

Stefan Seyfried

"For a successful technology, reality must take precedence over
public relations, for nature cannot be fooled." -- Richard Feynman
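
The distinction the guess above turns on, as an added example that is not part of the original mail and not OBS code: a bind loop that retries only transient LDAP result codes and reports 401 only for invalidCredentials. The names classify_bind and BindOutcome and the mapping to HTTP status codes are hypothetical; the result codes (49, 51, 52) are from RFC 4511, and the default of 10 attempts mirrors ldap_max_attempts in the posted config without claiming OBS uses it this way.

```ruby
# Added example, not OBS code. Result codes are from RFC 4511, Appendix A.
LDAP_SUCCESS             = 0
LDAP_INVALID_CREDENTIALS = 49
LDAP_TRANSIENT           = { 51 => 'busy', 52 => 'unavailable' }.freeze

BindOutcome = Struct.new(:status, :http_code, :attempts, :log)

# Hypothetical helper: yields the attempt number to a block that performs one
# LDAP bind and returns its numeric result code. Only transient codes are
# retried, up to max_attempts.
def classify_bind(max_attempts: 10, pause: 0.0)
  log = []
  1.upto(max_attempts) do |attempt|
    code = yield(attempt)
    case code
    when LDAP_SUCCESS
      return BindOutcome.new(:authenticated, 200, attempt, log)
    when LDAP_INVALID_CREDENTIALS
      # Definitive answer from the directory: do not retry, report 401.
      log << "attempt #{attempt}: invalidCredentials (49)"
      return BindOutcome.new(:denied, 401, attempt, log)
    else
      name = LDAP_TRANSIENT[code]
      unless name
        # Any other code is a backend problem, not a credential verdict.
        log << "attempt #{attempt}: unexpected result code #{code}"
        return BindOutcome.new(:backend_error, 503, attempt, log)
      end
      log << "attempt #{attempt}: #{name} (#{code}), retrying"
      sleep(pause) if pause > 0
    end
  end
  # Retries exhausted on transient codes: a directory problem, not bad credentials.
  BindOutcome.new(:backend_error, 503, max_attempts, log)
end

# Constructed sample: the directory answers "busy" twice, then accepts the bind.
replies = [51, 51, 0]
outcome = classify_bind(max_attempts: 10) { |n| replies[n - 1] }
puts outcome.status, outcome.log
```

Logging the numeric result code per attempt, as the log array does here, is what separates a rejected password from a directory that was briefly unable to answer.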