Bug 2173898

Summary: Can't login if LDAP server requires PIN+token authentication
Product: Red Hat Satellite
Reporter: Evgeni Golov <egolov>
Component: LDAP
Assignee: satellite6-bugs <satellite6-bugs>
Status: NEW ---
QA Contact: Satellite QE Team <sat-qe-bz-list>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 6.13.0
Keywords: Triaged
Target Milestone: Unspecified
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Evgeni Golov 2023-02-28 10:45:57 UTC
Description of problem:
We have an LDAP server that does not allow anonymous binds *and* requires that PIN+token be used as the password when doing simple authentication (= the transferred password is different on every login).

Accessing said server works just fine with these conditions using ldapsearch, ldapvi and python-ldap, but not when using Ruby's Net::LDAP (and thus Satellite).

The problem seems to be that Net::LDAP doesn't keep the connection to the server open; it ends up needing more than one LDAP query, and therefore more than one connection, and on those extra connections the token doesn't match anymore, so you can't log in.

Version-Release number of selected component (if applicable):
6.11, 6.13 (those are the ones I tested with)

How reproducible:
100%

Steps to Reproduce:
1. set up LDAP auth with the account field set to something like "uid=$login,ou=users,dc=redhat,dc=com" so that the bind happens with the logging-in user
2. try to login

Actual results:
login not possible

Expected results:
login possible

Additional info:
This seems to be a known issue in Net::LDAP: https://github.com/ruby-ldap/ruby-net-ldap/issues/11
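The failure mode described in this report, as an added illustration that is not part of the bug report and not Net::LDAP or Satellite code: a constructed in-memory "LDAP server" that refuses anonymous search and accepts a PIN+token simple-bind password where each token is valid exactly once, plus two login flows against it. One flow opens a fresh connection (and so re-binds with the same password) for every operation; the other binds once and reuses that connection. The class and method names, the PIN, the token and the entry DN are all made up for the example.

```ruby
require 'set'

# Constructed stand-in for an OTP-protected LDAP server: no anonymous access,
# simple bind password must be PIN followed by a token, and every token is
# consumed on first use (so replaying the same password on a second
# connection fails). Not a real LDAP implementation.
class OtpLdapServer
  attr_reader :bind_count

  def initialize(pin:, tokens:, entries:)
    @pin = pin
    @unused = Set.new(tokens)   # tokens not yet consumed
    @entries = entries          # dn => { attribute => value }
    @bind_count = 0             # how many simple binds the server saw
  end

  # One simple bind on one connection. Returns a session hash on success,
  # nil on failure. The token is consumed on success, as an OTP server does.
  def bind(dn, password)
    @bind_count += 1
    return nil unless @entries.key?(dn) && password.start_with?(@pin)
    token = password[@pin.length..]
    @unused.delete?(token) ? { dn: dn } : nil
  end

  # Search needs an authenticated session: anonymous binds are refused.
  def search(session, base_dn)
    raise 'anonymous search refused' if session.nil?
    @entries[base_dn]
  end
end

# A login that needs a second operation after authenticating (looking up the
# user's own entry for display attributes), mirroring what a web application
# does once the bind succeeds.
module LoginFlow
  # Style A: every operation gets its own connection and therefore its own
  # bind with the same PIN+token. This is the pattern the report describes.
  def self.bind_per_operation(server, dn, password)
    first = server.bind(dn, password)
    return :bind_failed if first.nil?
    second = server.bind(dn, password)   # new connection => re-bind, same OTP
    return :rebind_failed if second.nil?
    server.search(second, dn) ? :ok : :no_entry
  end

  # Style B: bind once and keep that connection for every later operation.
  def self.single_connection(server, dn, password)
    session = server.bind(dn, password)
    return :bind_failed if session.nil?
    server.search(session, dn) ? :ok : :no_entry
  end
end

USER_DN = 'uid=alice,ou=users,dc=example,dc=com'   # constructed DN

# Fresh server per login attempt so each run starts with an unused token.
def fresh_server
  OtpLdapServer.new(
    pin: '1234',
    tokens: ['567890'],
    entries: { USER_DN => { 'cn' => 'Alice Example' } }
  )
end

if __FILE__ == $PROGRAM_NAME
  puts "bind per operation: #{LoginFlow.bind_per_operation(fresh_server, USER_DN, '1234567890')}"
  puts "single connection:  #{LoginFlow.single_connection(fresh_server, USER_DN, '1234567890')}"
end
```

With a single-use token the first bind succeeds and the second one, issued on a new connection with the identical password, is rejected, so the login as a whole fails even though the credentials were correct. Holding one bound connection for the whole login (in Net::LDAP, running the operations inside a `Net::LDAP#open` block keeps a single connection for the block; whether a given application actually does that is the question the linked upstream issue raises) is what makes PIN+token authentication workable, and the server-side bind counter is a cheap way to confirm which pattern a client is using.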