Mailinglist Archive: opensuse-buildservice (123 mails)

Re: [opensuse-buildservice] Spurious "401 unauthorized" errors in osc with 2.8.3 / LDAP backend
On Tuesday, 19 September 2017, 08:30:04 CEST, Stefan Seyfried wrote:

I'm a long time happy user of the OBS with LDAP auth, even though it was not
officially supported.
Since the update from 2.8.2 to 2.8.3 (which brought official LDAP support),
my users and I are seeing
spurious "401 Unauthorized" messages on osc commands.

Usually, a retry of the command then succeeds.

There is nothing suspicious at that time in production.log.

This is the LDAP config on my box (slightly edited to protect the guilty)

obs:/srv/www/obs/api # grep ^ldap config/options.yml
ldap_mode: :on
ldap_max_attempts: 10
ldap_user_memberof_attr: memberof
ldap_group_member_attr: member
ldap_ssl: :off
ldap_start_tls: :on
ldap_port: 389
ldap_referrals: :on
ldap_search_base: DC=my,DC=do,DC=main
ldap_search_attr: SAMAccountName
ldap_name_attr: displayName
ldap_mail_attr: mail
ldap_search_user: AD2LDAP@xxxxxxxxxx
ldap_search_auth: "V3rYS3Cr37P@ssw0rd"
ldap_authenticate: :ldap
ldap_auth_mech: :md5
ldap_auth_attr: userPassword
ldap_update_support: :off
ldap_object_class: inetOrgPerson
ldap_entry_base: ou=OBSUSERS,dc=EXAMPLE,dc=COM
ldap_sn_attr_required: :on
ldap_group_support: :off
ldap_group_search_base: ou=OBSGROUPS,dc=EXAMPLE,dc=COM
ldap_group_title_attr: cn
ldap_group_objectclass_attr: groupOfNames

LDAP server is Microsoft Active Directory.

My *guess* is that the AD servers sometimes answer with some kind of "busy,
please try again" or "busy, please wait"
response and OBS treats this as "auth failed".

Any hints on where to look (or where to put debug code)? ;-)

You have set

# Authentication with Windows 2003 AD requires
ldap_referrals: :on

in config/options.yml ?


Adrian Schroeter
email: adrian@xxxxxxx

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284
(AG Nürnberg)

Maxfeldstraße 5
90409 Nürnberg
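
The following is an added example, not part of the thread and not OBS code. It sketches how an authentication wrapper can keep transient LDAP result codes (RFC 4511: 3 timeLimitExceeded, 51 busy, 52 unavailable) apart from 49 invalidCredentials, which is the distinction the guess quoted above turns on. The `bind` callable, the `AuthResult` struct and the HTTP status mapping are assumptions made for illustration; `max_attempts` mirrors `ldap_max_attempts` from the posted config.

```ruby
# Added example, not OBS code. Result codes are from RFC 4511, section 4.1.9.
LDAP_SUCCESS             = 0
LDAP_INVALID_CREDENTIALS = 49
# Codes that mean "the server could not answer now", not "wrong password".
LDAP_TRANSIENT = { 3 => :time_limit_exceeded, 51 => :busy, 52 => :unavailable }.freeze

# Hypothetical result type for this example.
AuthResult = Struct.new(:status, :http_code, :attempts, :ldap_codes)

# bind: hypothetical callable that performs one LDAP bind and returns the
# numeric result code. sleeper is injectable so tests do not really wait.
def authenticate_with_retry(bind, max_attempts: 10, sleeper: ->(s) { sleep(s) })
  seen = []
  max_attempts.times do |i|
    code = bind.call
    seen << code
    case code
    when LDAP_SUCCESS
      return AuthResult.new(:authenticated, 200, i + 1, seen)
    when LDAP_INVALID_CREDENTIALS
      # Definitive answer from the directory: never retry, a retry would only
      # add failed-logon attempts against the account.
      return AuthResult.new(:rejected, 401, i + 1, seen)
    else
      unless LDAP_TRANSIENT.key?(code)
        # Unknown failure: fail closed, but report it as a backend error.
        return AuthResult.new(:backend_error, 503, i + 1, seen)
      end
      sleeper.call([0.1 * (2**i), 2.0].min) # capped exponential backoff
    end
  end
  # Retries exhausted: still fail closed, but not as "bad password".
  AuthResult.new(:backend_unavailable, 503, max_attempts, seen)
end

# Constructed sample input: a fake directory that replays a list of codes.
def sample_bind(codes)
  queue = codes.dup
  -> { queue.shift }
end

if __FILE__ == $PROGRAM_NAME
  r = authenticate_with_retry(sample_bind([51, 51, 0]), sleeper: ->(_) {})
  puts "#{r.status} http=#{r.http_code} attempts=#{r.attempts} codes=#{r.ldap_codes.inspect}"
end
```

Recording the raw result codes per attempt, as `ldap_codes` does here, is what lets a log show whether a 401 came from a rejected password or from a directory that was busy.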
