Bug 497573 - Failover test to multiple LDAP servers for authentication during token enrollment fails.
Product: Dogtag Certificate System
Classification: Community
Component: TPS (Show other bugs)
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Christina Fu
Chandrasekar Kannan
Blocks: 443788
Reported: 2009-04-24 15:12 EDT by Asha Akkiangady
Modified: 2015-01-04 18:38 EST (History)
Doc Type: Bug Fix
Last Closed: 2009-07-22 19:34:38 EDT

Attachments
tps debug log attached. (20.04 KB, text/plain) - 2009-04-24 15:12 EDT, Asha Akkiangady
fix for ldap authentication failover (5.74 KB, patch) - 2009-06-25 16:00 EDT, Christina Fu
not to do failover if user not found (5.85 KB, patch) - 2009-06-25 16:54 EDT, Christina Fu
spec file diff (960 bytes, patch) - 2009-06-25 17:20 EDT, Christina Fu
entire fix included for failover bug. (6.45 KB, patch) - 2009-06-25 17:22 EDT, Christina Fu

Description Asha Akkiangady 2009-04-24 15:12:40 EDT
Created attachment 341243
tps debug log attached.

Description of problem:
Failover test to multiple LDAP servers for authentication during token enrollment fails.

Version-Release number of selected component (if applicable):
CS 8.0

How reproducible:

Steps to Reproduce:
1. Set up LDAP servers (example: dhcp-107.sjc.redhat.com:14721 and dhcp-107.sjc.redhat.com:389) and create a user user#1 with the same credentials in both databases.

2. tps CS.cfg is set with two ldap servers in the parameter.

3. Restart the tps server and enroll a token for user user#1. Authentication request is made to the second server dhcp-107.sjc.redhat.com:389 and enrollment succeeds.

4. Format the token so that user#1 is not associated with any token in the tps token db.

5. Shutdown ldap server dhcp-107.sjc.redhat.com:389

6. Perform enrollment using a clean token for user#1.

Actual results:
ESC throws 'Smart card server can not validate your credentials' message. No requests made to ldap instance dhcp-107.sjc.redhat.com:14721.

Expected results:
Enrollment should succeed with authentication against ldap server dhcp-107.sjc.redhat.com:14721

Additional info:
Note: If an enrollment is performed with one ldap server, it's working fine.
auth.instance.0.hostport=dhcp-107.sjc.redhat.com:14721 OR
Comment 1 Christina Fu 2009-06-23 17:40:53 EDT
Did you actually find documentation that explains what you did was the right way to set up the authentication failover?  If I just look at the CS.cfg of TPS, I'd guess that you will need to define a "ldap3" and then add "ldap3" to any of the profiles like


Isn't it?  Please provide link to the doc where you learned how to set this up.
Deon needs to be informed if the doc is incorrect.

So, please show me the doc where you learned it.  If it indeed describes it the way you did it, then I'll help correct it.  If not, please read the doc and do the test again.  Thanks.
Comment 2 Christina Fu 2009-06-23 18:39:21 EDT
I found the doc.  It's in the CS.cfg itself.  Looks like it's using " " (a space) as a separator for the host port entry.
Comment 3 Deon Ballard 2009-06-23 18:41:28 EDT
The only thing I found for configuring LDAP auth is at

That doesn't have how to configure multiple LDAP directories.

However, the example for mapping tokens to different token types, at
has two LDAP directories given, but they're for different token types, so it's
not the same.

The formatting looks similar to configuring additional subsystems
but for subsystems, the failover instances are separated by spaces, not commas.
Does configuring multiple LDAP instances work if they're separated by spaces?

If it does, then I will add that information to the LDAP config section.
Comment 4 Deon Ballard 2009-06-23 18:42:12 EDT
Christina, my comment collided with your comment #2. :)

So, should I add this config to the admin guide?
Comment 5 Christina Fu 2009-06-23 18:55:16 EDT
Let QE verify first.  We don't know if it even still works.
Comment 6 Asha Akkiangady 2009-06-23 22:05:50 EDT
Tried the test with " " (space), still same issue, unable to enroll a token.
Comment 7 Christina Fu 2009-06-25 16:00:02 EDT
Created attachment 349458
fix for ldap authentication failover

It's hard to believe that the feature ever worked before.  ldap_init does not actually contact the server, so building failover on top of the call is not going to do anything.

Jack please review.
Comment 8 Christina Fu 2009-06-25 16:54:35 EDT
Created attachment 349468
not to do failover if user not found
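Comments 7 and 8 together state the rule the fix implements: failover is only meaningful when an operation that really contacts the server fails (ldap_init alone never does), and a server that answers "user not found" must not cause a retry against the next one. The following is an added example written for this page, not code from the Dogtag TPS source or from the attached patches; it models that rule in C with a hypothetical try_server hook standing in for the real ldap_init/ldapssl_init, bind and search calls, and a constructed simulation of the two servers from the report.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of one attempt against a single host:port. The fix distinguishes a
 * server that cannot be reached (fail over to the next one) from one that
 * answers "user not found" or rejects the password (definitive: no failover). */
typedef enum { AUTH_OK, AUTH_USER_NOT_FOUND, AUTH_SERVER_DOWN } auth_result;

/* Hypothetical hook standing in for the per-server bind and search. ldap_init
 * alone never touches the network, so only the bind/search result counts. */
typedef auth_result (*try_server_fn)(const char *hostport, const char *uid, const char *pw);

static char last_server[128];            /* server that gave the final answer */
const char *ldap_auth_last_server(void) { return last_server; }

/* Walk the space-separated hostport list (the CS.cfg format noted in comment 2)
 * in order and return the first definitive result. */
auth_result ldap_auth_failover(const char *hostports, const char *uid,
                               const char *pw, try_server_fn try_server) {
    char buf[512];
    strncpy(buf, hostports, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    last_server[0] = '\0';
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        auth_result r = try_server(tok, uid, pw);
        if (r == AUTH_SERVER_DOWN)
            continue;                    /* transport failure: try the next server */
        strncpy(last_server, tok, sizeof last_server - 1);
        last_server[sizeof last_server - 1] = '\0';
        return r;                        /* OK or user-not-found: stop here */
    }
    return AUTH_SERVER_DOWN;             /* every server was unreachable */
}

/* Constructed simulation of the report: :389 has been shut down (step 5) and
 * :14721 is up but only knows "user1". Attempts are counted for the test. */
int sim_attempts = 0;
auth_result sim_try(const char *hostport, const char *uid, const char *pw) {
    (void)pw;
    sim_attempts++;
    if (strstr(hostport, ":389")) return AUTH_SERVER_DOWN;
    return strcmp(uid, "user1") == 0 ? AUTH_OK : AUTH_USER_NOT_FOUND;
}

int main(void) {
    const char *list = "dhcp-107.sjc.redhat.com:389 dhcp-107.sjc.redhat.com:14721";
    auth_result r = ldap_auth_failover(list, "user1", "secret", sim_try);
    printf("result=%d answered by %s\n", r, ldap_auth_last_server());
    return 0;
}
```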
Comment 9 Christina Fu 2009-06-25 17:20:17 EDT
Created attachment 349474
spec file diff
Comment 10 Christina Fu 2009-06-25 17:22:31 EDT
Created attachment 349475
entire fix included for failover bug.

Added the ldapssl_init that was missing originally.
Comment 11 Jack Magne 2009-06-25 17:25:19 EDT
Attachment (id=349475) +jmagne.
Comment 12 Christina Fu 2009-06-25 17:29:39 EDT
[cfu@jaw authentication]$ svn commit LDAP_Authentication.cpp
Sending        LDAP_Authentication.cpp
Transmitting file data .
Committed revision 658.
[cfu@jaw authentication]$ pwd

[cfu@jaw tps]$ svn commit pki-tps.spec
Sending        pki-tps.spec
Transmitting file data .
Committed revision 659.
[cfu@jaw tps]$ pwd
