Mailinglist Archive: opensuse-buildservice (123 mails)

< Previous Next >
Re: [opensuse-buildservice] Spurious "401 unauthorized" errors in osc with 2.8.3 / LDAP backend
On 19.09.2017 12:08, Evan Rolfe wrote:
On 19/09/17 07:30, Stefan Seyfried wrote:

Hi,

I'm a long time happy user of the OBS with LDAP auth, even though it was not
officially supported.
Since the update from 2.8.2 to 2.8.3 (which brought official LDAP support),
my users and I am seeing
spurious "401 Unauthorized" messages on osc commands.

Usually, a retry of the command then succeeds.

There is nothing suspicious at that time in production.log.

Hi Stefan, the code that attempts to authenticate a user via ldap occurs in
this method:

https://github.com/opensuse/open-build-service/blob/2.8/src/api/app/models/user_ldap_strategy.rb#L306

Yes, I found it (and that you probably broek it with 44df33c0 ;-)

Although you say there is nothing suspicious in the logs, could you provide a
copy of the logs around the time when one
of these spurious 401s occur? It would still be really helpful for us to
debug this..

The message basically is

I, [2017-09-19T10:42:25.796267 #15652] INFO -- :
[c6a0df55-e0e2-4d55-8bae-c36d15eab44d] [15652:6936.13] Search failed:
error -1: Can't contact LDAP server
I, [2017-09-19T11:04:18.648923 #15660] INFO -- :
[9de903f8-2aca-401d-9c45-41587d2c094b] [15660:8248.87] Search failed:
error -1: Can't contact LDAP server
I, [2017-09-19T12:30:04.264456 #3787] INFO -- :
[4984a994-ef51-468d-a66c-b829c3e9a23b] [3787:4483.55] Search failed:
error -1: Can't contact LDAP server

And reading the comments in
https://github.com/opensuse/open-build-service/blob/2.8/src/api/app/models/user_ldap_strategy.rb#L196
there should be a
retry in this case (and was, before 44df33c0 ;-) to catch this.

I had seen similar things years ago with OBS 2.3, which were fixed by updating
to 2.6 (or something like that, might be
even 2.4 did already fix it).
It actually looks the original fix was in 2.4, commit 920a731d96.

Would be nice to get this back in 2.8.4 :-)

Thanks,

Stefan
--
Stefan Seyfried

"For a successful technology, reality must take precedence over
public relations, for nature cannot be fooled." -- Richard Feynman
--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-buildservice+owner@xxxxxxxxxxxx

< Previous Next >
Follow Ups