Hide Forgot
Created attachment 511731 [details] Patch to fix the described behavior Description of problem: When authenticating via LDAP, pulp first tries to check a local user. But if there is no local saved password, then pulp.server.auth.password_util.check_password() can't split() the saved password, and a stack trace obtains. Version-Release number of selected component (if applicable): 0.0.202, HEAD How reproducible: Every time. Steps to Reproduce: 1. Configure pulp for LDAP authn 2. Try to authenticate as an LDAP user without a local password. Actual results: File "/usr/lib/python2.4/site-packages/pulp/server/webservices/controllers/decorators.py", line 48, in report_error return method(self, *args, **kwargs) File "/usr/lib/python2.4/site-packages/pulp/server/webservices/controllers/decorators.py", line 89, in _auth_decorator user = check_username_password(username, password) File "/usr/lib/python2.4/site-packages/pulp/server/auth/authentication.py", line 128, in check_username_password user = _check_username_password_local(username, password) File "/usr/lib/python2.4/site-packages/pulp/server/auth/authentication.py", line 111, in _check_username_password_local if not check_password(user[\'password\'], password): File "/usr/lib/python2.4/site-packages/pulp/server/auth/password_util.py", line 47, in check_password salt, hashed_password = saved_password_entry.split(",") Expected results: Local authn should fail silently, and LDAP authn should be attempted. Additional info: Patch attached. Since check_password() requires a string for its first argument (the password), _check_username_password_local() can no longer be called without a second argument (the password), which was defaulting to None. My patch makes _check_username_password_local() require two arguments, and check_username_password() will only call it if there's a local password.
Created attachment 511736 [details] Patch that actually fixes the problem I'm a doofus. The new patch actually fixes the problem. Sorry for the noise.
Created attachment 511746 [details] Third time's the charm? This time the patch actually works. I swear. Testing is so cool. I apologize for being such a tosser.
This patch is gonna break consumer authentication. Our consumer auth is cert based and if we return None we'll end up breaking the consumer logins. So we'll need additional checks to make sure its not an admin user or consumer but is ldap user.
fixed! commit 02a0dc357cb49bf7c7f0846ac4854d25e7b2d70a applied an enhanced patch to handle both ldap users and consumers
build: 0.212
verified [root@preethi ~]# rpm -q pulp pulp-0.0.237-1.fc15.noarch [root@preethi ~]# pulp-admin auth login -u pulpuser1 Enter password: [root@preethi ~]# # external ldap for user authentication instead of pulp. [ldap] uri: ldap://prad.rdu.redhat.com base: dc=rdu, dc=redhat, dc=com tls: no #default_role: consumer-users # Uncomment the "filter" directive to set a more restrictive LDAP # filter to limit the LDAP users who can authenticate to pulp. #filter: (gidNumber=200) from pulp.log 2011-10-03 14:31:40,912 13631:140107755525888: pulp.server.auth.authentication:ERROR: authentication:111 This is an ldap user SON([(u'_id', u'0485145d-baa9-4d25-9abe-4ae6545f6270'), (u'name', u'pulpuser1'), (u'roles', []), (u'_ns', u'users'), (u'login', u'pulpuser1'), (u'password', None), (u'id', u'0485145d-baa9-4d25-9abe-4ae6545f6270')]) 2011-10-03 14:31:41,173 13631:140107755525888: pulp.server.LDAPConnection:INFO: LDAPConnection:173 Found user with id pulpuser1 2011-10-03 14:31:41,174 13631:140107755525888: pulp.server.LDAPConnection:INFO: LDAPConnection:122 Found user with id pulpuser1 with matching credentials
Pulp v1.0 is released Closed Current Release.
Pulp v1.0 is released.