Closed
Bug 905880
Opened 11 years ago
Closed 11 years ago
LDAP Queries failing for registration on python26-syncreg-1.0-3 on SL6.2
Categories
(Cloud Services :: Server: Registration, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: bobm, Assigned: bobm)
Details
(Whiteboard: [qa+])
Attachments
(1 file)
|
1.54 KB,
patch
|
rfkelly
:
feedback+
|
Details | Diff | Splinter Review |
LDAP Queries are failing for registration server python26-syncreg-1.0-3 running under SL6.2, but working correctly on Centos 5.5 with an identical configuration.
|
||
Updated•11 years ago
|
Whiteboard: [qa+]
|
Assignee | |
Comment 1•11 years ago
|
||
There are some key differences between the relevant package versions on these servers that may explain the issue.
Attachment #791056 -
Flags: feedback?(rfkelly)
|
|
Assignee | |
Comment 2•11 years ago
|
||
Traceback example from the /var/log/syncreg.log file:
2013-08-14 13:02:21,450 ERROR [syncserver] 542d0f1862d622cf462bf29f636bb92a
2013-08-14 13:02:21,451 ERROR [syncserver] Traceback (most recent call last):
File "/usr/lib/python2.6/site-packages/services/util.py", line 304, in __call__
return self.app(environ, start_response)
File "/usr/lib/python2.6/site-packages/paste/translogger.py", line 68, in __call__
return self.application(environ, replacement_start_response)
File "/usr/lib/python2.6/site-packages/webob/dec.py", line 147, in __call__
resp = self.call_func(req, *args, **self.kwargs)
File "/usr/lib/python2.6/site-packages/webob/dec.py", line 208, in call_func
return self.func(req, *args, **kwargs)
File "/usr/lib/python2.6/site-packages/services/baseapp.py", line 187, in __notified
response = func(self, request)
File "/usr/lib/python2.6/site-packages/services/baseapp.py", line 221, in __call__
response = self._dispatch_request(request)
File "/usr/lib/python2.6/site-packages/services/baseapp.py", line 273, in _dispatch_request
response = self._dispatch_request_with_match(request, match)
File "/usr/lib/python2.6/site-packages/services/baseapp.py", line 299, in _dispatch_request_with_match
result = function(request, **params)
File "/usr/lib/python2.6/site-packages/syncreg/controllers/user.py", line 96, in user_exists
uid = self.auth.get_user_id(request.user)
File "/usr/lib/python2.6/site-packages/services/user/mozilla_ldap.py", line 75, in get_user_id
self._get_dn(user)
File "/usr/lib/python2.6/site-packages/services/user/mozilla_ldap.py", line 354, in _get_dn
with self._conn() as conn:
File "/usr/lib64/python2.6/contextlib.py", line 16, in __enter__
return self.gen.next()
File "/usr/lib/python2.6/site-packages/services/ldappool.py", line 294, in connection
conn = self._get_connection(bind, passwd)
File "/usr/lib/python2.6/site-packages/services/ldappool.py", line 247, in _get_connection
conn = self._create_connector(bind, passwd)
File "/usr/lib/python2.6/site-packages/services/ldappool.py", line 227, in _create_connector
self._bind(conn, bind, passwd)
File "/usr/lib/python2.6/site-packages/services/ldappool.py", line 184, in _bind
conn.simple_bind_s(bind, passwd)
File "/usr/lib/python2.6/site-packages/services/ldappool.py", line 82, in simple_bind_s
clientctrls)
File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 781, in simple_bind_s
File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 207, in simple_bind_s
File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 422, in result
File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 426, in result2
File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 432, in result3
File "/usr/lib64/python2.6/site-packages/ldap/ldapobject.py", line 96, in _ldap_call
INVALID_CREDENTIALS: {'info': '', 'desc': 'Invalid credentials'}
|
||
Comment 3•11 years ago
|
||
Comment on attachment 791056 [details] [diff] [review] packages.diff So they're both using the same version of python-ldap. IIRC this is an RPM we build ourselves, correct? If so, what configuration is the build machine and which of web2 or web3 does it more closely resemble? "python26-1.0" seems like a very strange package name, I'd expect something more like "python26-2.6.2" as seen in the web2 package list. What about differences in the system-level LDAP libraries? It could be some binding issue between the ldap lib and the system lib.
|
|
||
Comment 4•11 years ago
|
||
Latest release of python-ldap package is 2.4.13, we should try upgrading to that as a first step (requires building against OpenLDAP 2.4.11 or greater)
|
|
Assignee | |
Comment 5•11 years ago
|
||
LDAP Packages on the current hosts: (Note they are Centos 5) openldap-clients-2.3.43-12.el5_6.7 nss_ldap-253-25.el5 nss_ldap-253-25.el5 php-ldap-5.2.9-2.rhel5 openldap-2.3.43-12.el5_6.7 python26-ldap-2.3.13pre-1moz openldap-2.3.43-12.el5_6.7 openldap-devel-2.3.43-12.el5_6.7 LDAP Packages on the replacement hosts: (Note: Scientific Linux 6.2) openldap-2.4.23-26.el6_3.2.x86_64 openldap-devel-2.4.23-26.el6_3.2.x86_64 pam_ldap-185-11.el6.x86_64 compat-openldap-2.3.43-2.el6.x86_64 nss-pam-ldapd-0.7.5-14.el6.x86_64 python26-ldap-2.3.13pre-1moz.x86_64 openldap-clients-2.4.23-26.el6_3.2.x86_64
|
|
Assignee | |
Comment 6•11 years ago
|
||
Note: ldap queries from ldapsearch do not work from the current hosts, but do from the replacement hosts. Current Host: ldapsearch -LLL -D uid=USERNAME,ou=logins,dc=mozilla -w PASSWORD -H ldap://master.ldap.phx1.svc.mozilla.com -b 'dc=mozilla' '(mail=USER@mozilla.com)' ldap_sasl_interactive_bind_s: No such attribute (16) Replacement Host: ldapsearch -LLL -D uid=USERNAME,ou=logins,dc=mozilla -w PASSWORD -H ldap://maste r.ldap.phx1.svc.mozilla.com -b 'dc=mozilla' '(mail=USER@mozilla.com)' dn: uidNumber=XXXX, etc. etc.
|
|
Assignee | |
Comment 7•11 years ago
|
||
Running this script works from both the current and replacement hosts:
import ldap
from services.ldappool import ConnectionManager
# Get these from the config file
ldapuri = "ldap://master.ldap.phx1.svc.mozilla.com"
bind = "uid=USER,ou=logins,dc=mozilla"
passwd = "PASSWORD"
dn = 'cn=maxuid,ou=users,dc=mozilla'
c = ConnectionManager(ldapuri, bind=bind, passwd=passwd)
with c.connection() as conn:
print conn.search_st(dn, ldap.SCOPE_BASE)
Current Host:
[('cn=maxuid,ou=users,dc=mozilla', {'uidNumber': ['NUMBER'], 'cn': ['maxuid']})]
Replacement Host:
[('cn=maxuid,ou=users,dc=mozilla', {'uidNumber': ['NUMBER'], 'cn': ['maxuid']})]|
|
||
Comment 8•11 years ago
|
||
Wait, is "current host" the one that is working and "replacement host" the one that is not, or is it the other way around? Or something even more complicated than that? :-)
|
|
||
Comment 9•11 years ago
|
||
Looks like the new hosts have a fresh enough version of openldap, that we could try building python-ldap 2.4.13 on them and see if it makes a different.
|
|
Assignee | |
Comment 10•11 years ago
|
||
(In reply to Ryan Kelly [:rfkelly] from comment #8) > Wait, is "current host" the one that is working and "replacement host" the > one that is not, or is it the other way around? Or something even more > complicated than that? :-) That's correct.
|
|
Assignee | |
Comment 11•11 years ago
|
||
Puppet was not running on these servers, Bug 908036 has been opened to resolve that issue. The credentials were not populated by Puppet, but by hand and were almost but not quite right. Once set to the proper credential testing an account worked. [THISISYOURSHELLPROMPTSPEAKING]$ curl http://web3.reg/user/1.0/USER 1 [THISISYOURSHELLPROMPTSPEAKING]$ curl http://web4.reg/user/1.0/USER 1 [THISISYOURSHELLPROMPTSPEAKING]$ curl http://web5.reg/user/1.0/USER 1
Assignee: nobody → bobm
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
|
|
||
Comment 12•11 years ago
|
||
Comment on attachment 791056 [details] [diff] [review] packages.diff clearing f? flag since bug is resolved
Attachment #791056 -
Flags: feedback?(rfkelly) → feedback+
You need to log in
before you can comment on or make changes to this bug.
Description
•