Bug 1108833 - Enabling LDAP on one JBoss ON Server in HA Configuration is not propagated to another server(s) until their restart so the users cannot log in
Alias: None
Product: JBoss Operations Network
Classification: JBoss
Component: Core Server
Version: JON 3.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: DR01
Target Release: JON 3.3.0
Assignee: Jay Shaughnessy
QA Contact: Mike Foley
Depends On: 1108835
Reported: 2014-06-12 16:02 UTC by bkramer
Modified: 2018-12-05 18:51 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
When LDAP was enabled on one JBoss ON Server in an HA configuration, the change was not propagated to the other servers in the group until those servers were restarted. This prevented users from logging in to the other servers in the group. The fix reinstalls the JAAS login modules when the HA nodes detect a change in system settings. The check is performed every 60 seconds. If LDAP configuration is enabled or disabled in an HA group, the other servers are now aware of the change within 60 seconds.
Clone Of:
Last Closed: 2014-12-11 14:03:04 UTC
Type: Bug

Description bkramer 2014-06-12 16:02:02 UTC
Description of problem:
Enabling LDAP on one JBoss ON Server in HA Configuration is not propagated to the other server(s) until they are restarted, so users cannot log in

Version-Release number of selected component (if applicable):
JBoss ON 3.2.0, 3.2.1 

How reproducible:

Steps to Reproduce:
1. Install and configure JBoss ON server1;
2. Start server1;
3. Install and configure JBoss ON server2;
4. Start server2;
5. Confirm that everything works fine and that servers 1 and 2 are in HA mode;
6. Configure LDAP settings on server1;
7. Log out from JBoss ON UI and attempt to log in again using LDAP username/password;
8. Confirm that this worked fine;
9. Using the same username/password attempt to log in to the JBoss ON UI on the second server;

Actual results:
Login to the second server will fail with the message "The username or password provided does not match our records."

Expected results:
Login to the second server is successful.

Additional info:
If server2 is restarted, the server will read the LDAP configuration and after this, login will work.

Comment 1 Jay Shaughnessy 2014-07-01 19:03:02 UTC
This is not really a use case we had in mind.  A change to LDAP settings would be picked up, but the actual enabling or disabling of LDAP auth requires a reconfiguration of the server's JAAS login modules.  It was anticipated that a restart would be required.

Having said that, since the customer considers this a bug, it looks like we were wrong and for some reason the HA nodes must stay up.  Looking to fix this...

Comment 2 Jay Shaughnessy 2014-07-02 01:13:54 UTC
master commit cde3c29b8e0b12d838de52453e1a4dc9bfb59d34
Author: Jay Shaughnessy <jshaughn@redhat.com>
Date:   Tue Jul 1 21:12:21 2014 -0400

    Enable/Disable of LDAP requires a system reconfigure (reinstall the JAAS
    login modules...). Change things such that the system reconfigure gets
    performed whenever HA nodes detect a change in system settings. So,
    this fix is a bit more general than the specific case listed here.  The
    system settings update check is every 60s, so HA nodes should pick up
    a change within a minute.
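
The polling approach described in the commit message above, as an added example (not code from the RHQ / JBoss ON commit): a node compares the shared settings' update stamp with what it last applied and rebuilds its login-module list on any change. The class, record and module names are hypothetical, the sample settings are constructed, and the 60 s interval is shortened so the demo ends quickly.

```java
import java.util.List;
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Supplier;

// Added illustration with hypothetical names; not RHQ / JBoss ON code. Needs Java 16+.
public class SettingsWatcher {
    // Snapshot of the system settings every HA node reads from the shared store.
    record Settings(long lastUpdate, boolean ldapEnabled) {}

    private final Supplier<Settings> sharedStore;
    private Settings applied;                    // settings this node last installed
    private volatile List<String> loginModules;  // stand-in for the JAAS login-module chain

    SettingsWatcher(Supplier<Settings> sharedStore) {
        this.sharedStore = sharedStore;
        reconfigure(sharedStore.get());          // initial install at "server start"
    }

    // Periodic check: reinstall the login modules only when the settings changed.
    synchronized boolean checkForUpdate() {
        Settings current = sharedStore.get();
        if (current.lastUpdate() == applied.lastUpdate()) return false;
        reconfigure(current);
        return true;
    }

    private void reconfigure(Settings s) {
        // Rebuild from scratch so that disabling LDAP removes the module as well.
        loginModules = s.ldapEnabled() ? List.of("database", "ldap") : List.of("database");
        applied = s;
    }

    List<String> loginModules() { return loginModules; }

    public static void main(String[] args) throws InterruptedException {
        AtomicReference<Settings> row = new AtomicReference<>(new Settings(1, false)); // constructed data
        SettingsWatcher server2 = new SettingsWatcher(row::get);
        ScheduledExecutorService timer = Executors.newSingleThreadScheduledExecutor();
        // The page's interval is 60 s; 100 ms here so the demo finishes quickly.
        timer.scheduleWithFixedDelay(server2::checkForUpdate, 100, 100, TimeUnit.MILLISECONDS);
        row.set(new Settings(2, true));           // LDAP enabled on server1
        Thread.sleep(300);
        System.out.println("after enable:  " + server2.loginModules());
        row.set(new Settings(3, false));          // LDAP disabled again
        Thread.sleep(300);
        System.out.println("after disable: " + server2.loginModules());
        timer.shutdown();
    }
}
```

Until the next check fires, a node keeps authenticating against the modules it installed earlier, so an enable or a disable reaches the other nodes only after that interval.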

Comment 3 Simeon Pinder 2014-07-31 15:52:18 UTC
Moving to ON_QA as available to test with brew build of DR01: https://brewweb.devel.redhat.com//buildinfo?buildID=373993

Comment 4 Jeeva Kandasamy 2014-08-08 10:13:55 UTC
JBoss Operations Network
Version : 3.3.0.DR01
Build Number : 6468454:dda0a47
GWT Version : 2.5.0
SmartGWT Version : 3.0p

HA Setup:
Number of JON 3.3 servers: 2
Enabled LDAP on server 1; login succeeded on server 1.
Waited 60 seconds for the update on server 2.

Updated within 60 seconds. Login successful in server 2 as well without restarting the server.

05:55:20,481 INFO  [org.rhq.enterprise.server.core.CustomJaasDeploymentService] (EJB default - 10) Security domain [RHQUserSecurityDomain] re-created with login modules..........

Comment 5 Jeeva Kandasamy 2014-08-08 10:15:15 UTC
Database: postgres (PostgreSQL) 8.4.11
