| Field | Value | Field | Value |
|---|---|---|---|
| Summary | LDAP authentication re-broken | | |
| Product | [Retired] Pulp | Reporter | Chris St. Pierre <cstpierr> |
| Component | user-experience | Assignee | Jason Connor <jconnor> |
| Status | CLOSED CURRENTRELEASE | QA Contact | Preethi Thomas <pthomas> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | unspecified | CC | mmccune, pkilambi, skarmark |
| Target Milestone | --- | Keywords | Triaged |
| Target Release | Sprint 26 | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Attachments | | | |
Created attachment 511731 [details]
Patch to fix the described behavior

Description of problem:
When authenticating via LDAP, pulp first tries to check a local user. But if there is no local saved password, then pulp.server.auth.password_util.check_password() can't split() the saved password, and a stack trace obtains.

Version-Release number of selected component (if applicable):
0.0.202, HEAD

How reproducible:
Every time.

Steps to Reproduce:
1. Configure pulp for LDAP authn
2. Try to authenticate as an LDAP user without a local password.

Actual results:
```text
File "/usr/lib/python2.4/site-packages/pulp/server/webservices/controllers/decorators.py", line 48, in report_error
    return method(self, *args, **kwargs)
File "/usr/lib/python2.4/site-packages/pulp/server/webservices/controllers/decorators.py", line 89, in _auth_decorator
    user = check_username_password(username, password)
File "/usr/lib/python2.4/site-packages/pulp/server/auth/authentication.py", line 128, in check_username_password
    user = _check_username_password_local(username, password)
File "/usr/lib/python2.4/site-packages/pulp/server/auth/authentication.py", line 111, in _check_username_password_local
    if not check_password(user['password'], password):
File "/usr/lib/python2.4/site-packages/pulp/server/auth/password_util.py", line 47, in check_password
    salt, hashed_password = saved_password_entry.split(",")
```

Expected results:
Local authn should fail silently, and LDAP authn should be attempted.

Additional info:
Patch attached. Since check_password() requires a string for its first argument (the password), _check_username_password_local() can no longer be called without a second argument (the password), which was defaulting to None. My patch makes _check_username_password_local() require two arguments, and check_username_password() will only call it if there's a local password.

Created attachment 511736 [details]
Patch that actually fixes the problem

I'm a doofus. The new patch actually fixes the problem. Sorry for the noise.

Created attachment 511746 [details]
Third time's the charm?

This time the patch actually works. I swear.

Testing is so cool. I apologize for being such a tosser.

This patch is gonna break consumer authentication. Our consumer auth is cert based and if we return None we'll end up breaking the consumer logins. So we'll need additional checks to make sure it's not an admin user or consumer but is ldap user.

fixed! commit 02a0dc357cb49bf7c7f0846ac4854d25e7b2d70a applied an enhanced patch to handle both ldap users and consumers

build: 0.212

verified

```text
[root@preethi ~]# rpm -q pulp
pulp-0.0.237-1.fc15.noarch
[root@preethi ~]# pulp-admin auth login -u pulpuser1
Enter password:
[root@preethi ~]#
```

```text
# external ldap for user authentication instead of pulp.
[ldap]
uri: ldap://prad.rdu.redhat.com
base: dc=rdu, dc=redhat, dc=com
tls: no
#default_role: consumer-users
# Uncomment the "filter" directive to set a more restrictive LDAP
# filter to limit the LDAP users who can authenticate to pulp.
#filter: (gidNumber=200)
```

from pulp.log

```text
2011-10-03 14:31:40,912 13631:140107755525888: pulp.server.auth.authentication:ERROR: authentication:111 This is an ldap user SON([(u'_id', u'0485145d-baa9-4d25-9abe-4ae6545f6270'), (u'name', u'pulpuser1'), (u'roles', []), (u'_ns', u'users'), (u'login', u'pulpuser1'), (u'password', None), (u'id', u'0485145d-baa9-4d25-9abe-4ae6545f6270')])
2011-10-03 14:31:41,173 13631:140107755525888: pulp.server.LDAPConnection:INFO: LDAPConnection:173 Found user with id pulpuser1
2011-10-03 14:31:41,174 13631:140107755525888: pulp.server.LDAPConnection:INFO: LDAPConnection:122 Found user with id pulpuser1 with matching credentials
```

Pulp v1.0 is released

Closed Current Release. Pulp v1.0 is released.
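As an added illustration (not code from the Pulp project or from any patch attached to this bug), here is a stand-alone Python 3 model of the authentication path described in the report: a local user with a "salt,hash" entry, an LDAP-backed user whose local record carries password None, and the fixed dispatch that only calls the local check when a saved entry exists and otherwise falls through to LDAP. The user store, LDAP directory, hashing scheme and function bodies are constructed assumptions; only the function names and the entry shape that check_password() splits come from the report.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for Pulp's user collection and LDAP directory
# (assumptions for this example, not Pulp's real data model). A record whose
# 'password' is None is an LDAP-backed user, as in the SON(...) log line.
USERS = {
    "admin": {"login": "admin", "password": None},         # local entry, set below
    "pulpuser1": {"login": "pulpuser1", "password": None}, # LDAP-only user
}
LDAP_DIRECTORY = {"pulpuser1": "ldap-secret"}  # constructed LDAP credentials

def _digest(salt, password):
    return hashlib.sha256((salt + password).encode()).hexdigest()

def hash_password(password):
    """Build the 'salt,hash' entry shape that check_password() splits on."""
    salt = os.urandom(8).hex()
    return "%s,%s" % (salt, _digest(salt, password))

USERS["admin"]["password"] = hash_password("admin-secret")

def check_password(saved_password_entry, password):
    """Mirrors the original check: needs a string entry. Passing None here
    raises AttributeError on .split(), which is the trace in the report."""
    salt, hashed_password = saved_password_entry.split(",")
    return hmac.compare_digest(hashed_password, _digest(salt, password))

def _check_username_password_local(username, password):
    """Fixed form: both arguments are required (no password=None default)."""
    user = USERS.get(username)
    if user is None or not check_password(user["password"], password):
        return None
    return user

def _check_username_password_ldap(username, password):
    """Stand-in for the LDAP bind against the [ldap] uri in pulp.conf.
    An empty or None password is rejected up front (never bind anonymously)."""
    if password and LDAP_DIRECTORY.get(username) == password:
        return USERS.get(username, {"login": username, "password": None})
    return None

def check_username_password(username, password):
    """Only run the local check when a local password entry exists; otherwise
    fall through to LDAP instead of crashing inside check_password()."""
    user = USERS.get(username)
    if user is not None and user["password"] is not None:
        return _check_username_password_local(username, password)
    return _check_username_password_ldap(username, password)
```

The enhanced commit mentioned later in the thread also distinguishes cert-authenticated consumers, whose records likewise carry no password; that branch is not modelled here.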