Created attachment 341243 [details]
tps debug log attached.

Description of problem:
Failover test to multiple LDAP servers for authentication during token enrollment fails.

Version-Release number of selected component (if applicable):
CS 8.0

How reproducible:

Steps to Reproduce:
1. Set up ldap servers (example: dhcp-107.sjc.redhat.com:14721 and dhcp-107.sjc.redhat.com:389) and create a user user#1 with the same credentials in both databases.
2. tps CS.cfg is set with two ldap servers in the parameter:
auth.instance.0.hostport=dhcp-107.sjc.redhat.com:14721,dhcp-107.sjc.redhat.com:389
3. Restart the tps server and enroll a token for user user#1. The authentication request is made to the second server dhcp-107.sjc.redhat.com:389 and enrollment succeeds.
4. Format the token so that user#1 is not associated with any token in the tps token db.
5. Shut down ldap server dhcp-107.sjc.redhat.com:389.
6. Perform enrollment using a clean token for user#1.

Actual results:
ESC throws the 'Smart card server can not validate your credentials' message. No requests are made to ldap instance dhcp-107.sjc.redhat.com:14721.

Expected results:
Enrollment should succeed with authentication against ldap server dhcp-107.sjc.redhat.com:14721.

Additional info:
Note: If an enrollment is performed with one ldap server, it's working fine.
auth.instance.0.hostport=dhcp-107.sjc.redhat.com:14721
OR
auth.instance.0.hostport=dhcp-107.sjc.redhat.com:389
Did you actually find documentation that explains what you did was the right way to set up the authentication failover? If I just look at the CS.cfg of TPS, I'd guess that you will need to define a "ldap3" and then add "ldap3" to any of the profiles like ldap1,ldap3. Isn't it? Please provide link to the doc where you learned how to set this up. Deon needs to be informed if the doc is incorrect. so, Please show me the doc where you learned it. If it indeed describes it the way you did it, then I'll help correct it. If not, please read the doc and do the test again. Thanks.
I found the doc. It's in the CS.cfg itself. Looks like it's using " " (a space) as a separator for the host port entry.
The only thing I found for configuring LDAP auth is at http://elladeon.fedorapeople.org/RHCS/8.0/admin/configuring-tps.html#Configuring_LDAP_Authentication. That doesn't have how to configure multiple LDAP directories. However, the example for mapping tokens to different token types, at http://elladeon.fedorapeople.org/RHCS/8.0/admin/Setting_Token_Types_for_Specified_Smart_Cards.html#An_Example_with_Two_Different_Token_Types, has two LDAP directories given, but they're for different token types, so it's not the same. The formatting looks similar to configuring additional subsystems (http://elladeon.fedorapeople.org/RHCS/8.0/admin/Working_with_Multiple_Instances_of_a_Subsystem.html#Configuring_Failover_Support), but for subsystems the failover instances are separated by spaces, not commas. Does configuring multiple LDAP instances work if they're separated by spaces? Like:
auth.instance.0.hostport=dhcp-107.sjc.redhat.com:14721 dhcp-107.sjc.redhat.com:389
If it does, then I will add that information to the LDAP config section.
Christina, my comment collided with your comment #2. :) So, should I add this config to the admin guide?
let QE verify first. we don't know if it even still works.
Tried the test with " " (space), still same issue, unable to enroll a token.
Created attachment 349458 [details] fix for ldap authentication failover It's hard to believe that the feature ever worked before. ldap_init does not actually contact the server, so building failover on top of the call is not going to do anything. Jack please review.
Created attachment 349468 [details] not to do failover if user not found
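The point made in the two fix comments above (failover has to hinge on an operation that actually reaches the server, since ldap_init does not, and a "user not found" answer must not trigger failover), as an added Python sketch that is not the TPS LDAP_Authentication.cpp code; the bind callable, the outcome names and the fake directory are constructed assumptions so it runs offline:

```python
# Added example, not the TPS/LDAP_Authentication.cpp code. Models failover over
# the servers listed in auth.instance.0.hostport (space- or comma-separated),
# keyed on the bind outcome rather than on ldap_init, which never contacts a server.
CONNECT_ERROR = "connect_error"    # unreachable: try the next server
AUTH_FAILED = "auth_failed"        # reachable, credentials rejected
USER_NOT_FOUND = "user_not_found"  # reachable, no such user
OK = "ok"


def parse_hostports(value):
    """Split the CS.cfg value on spaces and/or commas, dropping empty items."""
    return value.replace(",", " ").split()


def authenticate(hostport_value, uid, password, bind):
    """Try servers in order; advance only on a connection-level failure.
    A definite answer from a reachable server (ok, bad password, unknown user)
    ends the search, so a missing user is not retried on the next server."""
    tried = []
    for hostport in parse_hostports(hostport_value):
        host, _, port = hostport.partition(":")
        outcome = bind(host, int(port) if port else 389, uid, password)
        tried.append((hostport, outcome))
        if outcome != CONNECT_ERROR:
            return outcome, tried
    return CONNECT_ERROR, tried


def lazy_init_only(host, port, uid, password):
    """Models the original defect: ldap_init hands back a handle without any
    network traffic, so a check built on it can never observe an outage."""
    return OK


def make_fake_bind(down, directory):
    """Constructed offline stand-in for a real LDAP bind (hypothetical)."""
    def bind(host, port, uid, password):
        if (host, port) in down:
            return CONNECT_ERROR
        stored = directory.get(uid)
        if stored is None:
            return USER_NOT_FOUND
        return OK if stored == password else AUTH_FAILED
    return bind
```

With the bug's own server list and port 389 marked down, `authenticate` reports the connect error on the first entry and succeeds on 14721, whereas `lazy_init_only` reports success on the dead server and never fails over.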
Created attachment 349474 [details] spec file diff
Created attachment 349475 [details] entire fix included for failover bug. added the ldapssl_init that was missing originally
Attachment (id=349475) +jmagne.
[cfu@jaw authentication]$ svn commit LDAP_Authentication.cpp
Sending        LDAP_Authentication.cpp
Transmitting file data .
Committed revision 658.
[cfu@jaw authentication]$ pwd
/home/cfu/dogtag/src0/pki/base/tps/src/authentication

[cfu@jaw tps]$ svn commit pki-tps.spec
Sending        pki-tps.spec
Transmitting file data .
Committed revision 659.
[cfu@jaw tps]$ pwd
/home/cfu/dogtag/src0/pki/dogtag/tps