On Tuesday, 19 September 2017, 08:30:04 CEST Stefan Seyfried wrote:
Hi,
I'm a long-time happy user of the OBS with LDAP auth, even though it was not officially supported. Since the update from 2.8.2 to 2.8.3 (which brought official LDAP support), my users and I are seeing spurious "401 Unauthorized" messages on osc commands.
Usually, a retry of the command then succeeds.
There is nothing suspicious at that time in production.log.
This is the LDAP config on my box (slightly edited to protect the guilty)
obs:/srv/www/obs/api # grep ^ldap config/options.yml
ldap_mode: :on
ldap_servers: ad0301.my.do.main ad0302.my.do.main ad0300.my.do.main
ldap_max_attempts: 10
ldap_user_memberof_attr: memberof
ldap_group_member_attr: member
ldap_ssl: :off
ldap_start_tls: :on
ldap_port: 389
ldap_referrals: :on
ldap_search_base: DC=my,DC=do,DC=main
ldap_search_attr: SAMAccountName
ldap_name_attr: displayName
ldap_mail_attr: mail
ldap_search_user: AD2LDAP@my.do.main
ldap_search_auth: "V3rYS3Cr37P@ssw0rd"
ldap_user_filter: "(memberof=cn=540d57e4fd84a07798000002,ou=DL,ou=MSX,ou=Resources,dc=my,dc=do,dc=main)"
ldap_authenticate: :ldap
ldap_auth_mech: :md5
ldap_auth_attr: userPassword
ldap_update_support: :off
ldap_object_class: inetOrgPerson
ldap_entry_base: ou=OBSUSERS,dc=EXAMPLE,dc=COM
ldap_sn_attr_required: :on
ldap_group_support: :off
ldap_group_search_base: ou=OBSGROUPS,dc=EXAMPLE,dc=COM
ldap_group_title_attr: cn
ldap_group_objectclass_attr: groupOfNames
LDAP server is Microsoft Active Directory.
My *guess* is that the AD servers sometimes answer with some kind of "busy, please try again" or "busy, please wait" response and OBS treats this as "auth failed".
Any hints on where to look (or where to put debug code? ;-)
You have set

# Authentication with Windows 2003 AD requires
ldap_referrals: :on

in config/options.yml?

--
Adrian Schroeter
email: adrian@suse.de

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
Maxfeldstraße 5
90409 Nürnberg
Germany