Bug 497573 - Failover test to multiple LDAP servers for authentication during token enrollment fails.
Status: CLOSED ERRATA
Product: Dogtag Certificate System
Classification: Community
Component: TPS (Show other bugs)
Version: unspecified
Hardware: All Linux
Priority: high  Severity: high
Assigned To: Christina Fu
QA Contact: Chandrasekar Kannan
Depends On:
Blocks: 443788
Reported: 2009-04-24 15:12 EDT by Asha Akkiangady
Modified: 2015-01-04 18:38 EST (History)

Doc Type: Bug Fix
Last Closed: 2009-07-22 19:34:38 EDT


Attachments
tps debug log attached. (20.04 KB, text/plain)
2009-04-24 15:12 EDT, Asha Akkiangady
fix for ldap authentication failover (5.74 KB, patch)
2009-06-25 16:00 EDT, Christina Fu
not to do failover if user not found (5.85 KB, patch)
2009-06-25 16:54 EDT, Christina Fu
spec file diff (960 bytes, patch)
2009-06-25 17:20 EDT, Christina Fu
entire fix included for failover bug. (6.45 KB, patch)
2009-06-25 17:22 EDT, Christina Fu

Description Asha Akkiangady 2009-04-24 15:12:40 EDT
Created attachment 341243 [details]
tps debug log attached.

Description of problem:
Failover test to multiple LDAP servers for authentication during token enrollment fails.

Version-Release number of selected component (if applicable):
CS 8.0

How reproducible:


Steps to Reproduce:
1. Setup ldap servers (example: dhcp-107.sjc.redhat.com:14721 and dhcp-107.sjc.redhat.com:389) create a user user#1 with the same credentials in both the databases.

2. tps CS.cfg is set with two ldap servers in the parameter.
auth.instance.0.hostport=dhcp-107.sjc.redhat.com:14721,dhcp-107.sjc.redhat.com:389

3. Restart the tps server and enroll a token for user user#1. The authentication request is made to the second server dhcp-107.sjc.redhat.com:389 and enrollment succeeds.

4. Format the token so that user#1 is not associated with any token in the tps token db.

5. Shutdown ldap server dhcp-107.sjc.redhat.com:389

6. Perform enrollment using a clean token for user#1. 
  
Actual results:
ESC throws 'Smart card server can not validate your credentials' message. No requests made to ldap instance dhcp-107.sjc.redhat.com:14721.

Expected results:
Enrollment should succeed with authentication against ldap server dhcp-107.sjc.redhat.com:14721

Additional info:
Note: If an enrollment is performed with one ldap server, it's working fine.
 auth.instance.0.hostport=dhcp-107.sjc.redhat.com:14721 OR 
 auth.instance.0.hostport=dhcp-107.sjc.redhat.com:389
Comment 1 Christina Fu 2009-06-23 17:40:53 EDT
Did you actually find documentation that explains what you did was the right way to set up the authentication failover?  If I just look at the CS.cfg of TPS, I'd guess that you will need to define a "ldap3" and then add "ldap3" to any of the profiles like

ldap1,ldap3.

Isn't it?  Please provide link to the doc where you learned how to set this up.
Deon needs to be informed if the doc is incorrect.

So, please show me the doc where you learned it.  If it indeed describes it the way you did it, then I'll help correct it.  If not, please read the doc and do the test again.  Thanks.
Comment 2 Christina Fu 2009-06-23 18:39:21 EDT
I found the doc.  It's in the CS.cfg itself.  Looks like it's using " " (a space) as a separator for the host port entry.
Comment 3 Deon Ballard 2009-06-23 18:41:28 EDT
The only thing I found for configuring LDAP auth is at
http://elladeon.fedorapeople.org/RHCS/8.0/admin/configuring-tps.html#Configuring_LDAP_Authentication.

That doesn't have how to configure multiple LDAP directories.

However, the example for mapping tokens to different token types, at
http://elladeon.fedorapeople.org/RHCS/8.0/admin/Setting_Token_Types_for_Specified_Smart_Cards.html#An_Example_with_Two_Different_Token_Types,
has two LDAP directories given, but they're for different token types, so it's
not the same.

The formatting looks similar to configuring additional subsystems
(http://elladeon.fedorapeople.org/RHCS/8.0/admin/Working_with_Multiple_Instances_of_a_Subsystem.html#Configuring_Failover_Support)
but for subsystems, the failover instances are separated by spaces, not commas.
Does configuring multiple LDAP instances work if they're separated by spaces?
Like:
auth.instance.0.hostport=dhcp-107.sjc.redhat.com:14721 dhcp-107.sjc.redhat.com:389

If it does, then I will add that information to the LDAP config section.
Comment 4 Deon Ballard 2009-06-23 18:42:12 EDT
Christina, my comment collided with your comment #2. :)

So, should I add this config to the admin guide?
Comment 5 Christina Fu 2009-06-23 18:55:16 EDT
Let QE verify first.  We don't know if it even still works.
Comment 6 Asha Akkiangady 2009-06-23 22:05:50 EDT
Tried the test with " " (space), still same issue, unable to enroll a token.
Comment 7 Christina Fu 2009-06-25 16:00:02 EDT
Created attachment 349458 [details]
fix for ldap authentication failover

It's hard to believe that the feature ever worked before.  ldap_init does not actually contact the server, so building failover on top of the call is not going to do anything.

Jack please review.
Comment 8 Christina Fu 2009-06-25 16:54:35 EDT
Created attachment 349468 [details]
not to do failover if user not found
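The two points made in comment 7 and comment 8 (ldap_init() never contacts the server, so failover has to be decided from the bind result; and a "user not found" answer must not trigger failover) are illustrated below in an added C example that is not Dogtag/TPS code and not the attached patch. The directory is a constructed in-memory table, fake_bind() stands in for ldap_init() followed by ldap_simple_bind_s(), and the hostports mirror the reproduction steps in the report with the :389 instance shut down; the result-code values are the standard ones from RFC 4511 and the LDAP C SDKs.

```c
/* Added example, not Dogtag/TPS code. Models a failover loop over
 * auth.instance.0.hostport that decides "move to the next server" from
 * the bind result only. ldap_init() merely allocates a handle and never
 * contacts the server, so it cannot tell a dead server from a live one.
 * A server that rejected the user (no such entry, wrong password) has
 * answered, so the loop stops there instead of replaying the credentials
 * against the remaining servers. */
#include <stdio.h>
#include <string.h>

/* Standard LDAP result codes (RFC 4511) plus the two client-side codes
 * the C SDKs use for transport problems. */
#define LDAP_SUCCESS             0x00
#define LDAP_NO_SUCH_OBJECT      0x20
#define LDAP_INVALID_CREDENTIALS 0x31
#define LDAP_SERVER_DOWN         0x51
#define LDAP_CONNECT_ERROR       0x5b

/* Constructed stand-in for a directory server and the one user it holds. */
struct fake_server {
    const char *hostport;
    int         up;          /* 0 = shut down, as in step 5 of the report */
    const char *uid;
    const char *password;
};

static const struct fake_server g_servers[] = {
    { "dhcp-107.sjc.redhat.com:14721", 1, "user1", "Secret123" },
    { "dhcp-107.sjc.redhat.com:389",   0, "user1", "Secret123" },
};

static char g_last_server[128];   /* hostport whose answer was final */

/* Stand-in for ldap_init() + ldap_simple_bind_s(). ldap_init() would hand
 * back a usable handle for every row above, including the one that is
 * down; only the bind tells reachability and credential validity apart. */
static int fake_bind(const char *hostport, const char *uid, const char *password)
{
    size_t i;
    for (i = 0; i < sizeof g_servers / sizeof g_servers[0]; i++) {
        const struct fake_server *s = &g_servers[i];
        if (strcmp(s->hostport, hostport) != 0)
            continue;
        if (!s->up)
            return LDAP_SERVER_DOWN;
        if (strcmp(s->uid, uid) != 0)
            return LDAP_NO_SUCH_OBJECT;        /* user not found: an answer */
        if (strcmp(s->password, password) != 0)
            return LDAP_INVALID_CREDENTIALS;   /* wrong password: an answer */
        return LDAP_SUCCESS;
    }
    return LDAP_CONNECT_ERROR;                 /* nothing listening there */
}

/* Only transport-level codes justify moving on to the next hostport. */
static int is_transport_failure(int rc)
{
    return rc == LDAP_SERVER_DOWN || rc == LDAP_CONNECT_ERROR;
}

/* Walks the hostport list (comma- or space-separated, in order) and
 * returns the first result that is not a transport failure. */
int authenticate_with_failover(const char *hostport_list, const char *uid,
                               const char *password)
{
    const char *p = hostport_list;
    int rc = LDAP_SERVER_DOWN;    /* reported if every server is unreachable */

    g_last_server[0] = '\0';
    for (;;) {
        char tok[128];
        size_t n = 0;
        while (*p == ',' || *p == ' ')
            p++;                  /* skip separators */
        if (*p == '\0')
            break;
        while (*p != '\0' && *p != ',' && *p != ' ' && n < sizeof tok - 1)
            tok[n++] = *p++;
        tok[n] = '\0';
        snprintf(g_last_server, sizeof g_last_server, "%s", tok);
        rc = fake_bind(tok, uid, password);
        if (!is_transport_failure(rc))
            break;                /* success or a definitive rejection */
        fprintf(stderr, "%s unreachable (rc=0x%02x), trying next\n", tok, rc);
    }
    return rc;
}

const char *last_server_tried(void) { return g_last_server; }

int main(void)
{
    const char *list = "dhcp-107.sjc.redhat.com:389,dhcp-107.sjc.redhat.com:14721";
    int rc = authenticate_with_failover(list, "user1", "Secret123");
    printf("rc=0x%02x via %s\n", rc, last_server_tried());
    return rc == LDAP_SUCCESS ? 0 : 1;
}
```

With the :389 instance first in the list the loop logs it as unreachable and succeeds against :14721, which is the behaviour the report expected. With a non-existent uid it returns LDAP_NO_SUCH_OBJECT from the first reachable server and does not consult the second, which is the case the second attachment addresses.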
Comment 9 Christina Fu 2009-06-25 17:20:17 EDT
Created attachment 349474 [details]
spec file diff
Comment 10 Christina Fu 2009-06-25 17:22:31 EDT
Created attachment 349475 [details]
entire fix included for failover bug.

added the ldapssl_init that was missing originally
Comment 11 Jack Magne 2009-06-25 17:25:19 EDT
Attachment (id=349475) +jmagne.
Comment 12 Christina Fu 2009-06-25 17:29:39 EDT
[cfu@jaw authentication]$ svn commit LDAP_Authentication.cpp
Sending        LDAP_Authentication.cpp
Transmitting file data .
Committed revision 658.
[cfu@jaw authentication]$ pwd
/home/cfu/dogtag/src0/pki/base/tps/src/authentication


[cfu@jaw tps]$ svn commit pki-tps.spec
Sending        pki-tps.spec
Transmitting file data .
Committed revision 659.
[cfu@jaw tps]$ pwd
/home/cfu/dogtag/src0/pki/dogtag/tps
