Description of problem:
If you've configured an LDAP server for authentication or authorization and everything else but the LDAP server url is correct, you should not be able to save the system settings. You would be required to disable LDAP authentication until an LDAP server can be successfully connected.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Set up LDAP authentication and validate that login is correct.
2. Modify the LDAP server URL so that the server URL is incorrect.
3. Save the LDAP configuration.
- You're able to save the LDAP configuration.
- You should not be able to save the system settings + ldap configuration.
I'm on the fence about this bug because it seems wrong to prevent the user from saving system settings that are correct BUT only that the server is currently down. This feels like an administration only/documentation bug and this seems to be a bit deeper validation than we do for other system settings.
- we don't give great messaging when the backend DB goes down.
- Additionally, why stop here? There are quite a few properties that need to be correct for LDAP auth or authentication to work correctly. See the Swing client in the "TroubleShooting" section below:
- If we want this fixed for 3.2 I think we should pull the Swing client in as a full-fledged Wizard. To do this right. What happens if the 'LDAP' Role is not configured/created? What about 'LDAP' group to role mapping? All these elements have a perceivable error state if not set correctly.
This needs to be triaged.
Can we at least print a warning in the top red/yellow/green bar saying that the LDAP server could not be reached and that the user should check if it is online?
Yes. That's not that difficult to do.
Does this mean that you want a thread constantly running in the client and
i) if LDAP integration is enabled and
ii) cannot use credentials to successfully bind to LDAP server that we should throw up a red error message?
Just once? Every 30 mins? On first login? All of the above?
Just wanted some more details on how you wanted this to work since we have to support LDAP servers that can disappear at any time.
In step 3 of the above description ("Save") we should validate if the URL is "reachable" and if not show that warning.
So the user can investigate if that server is really down / firewalled or the user just mistyped the URL.
Ok. I'll make that change.
Moving into ER05 as didn't make the ER04 cut.
This is fixed with commit: 8004f67affd to release/jon3.3.x. Moving to MODIFIED for testing in next brew build.
(In reply to Simeon Pinder from comment #1)
> ...This feels like an administration only/documentation bug
> and this seems to be a bit deeper validation than we do for other system
You're referring to internal only developer docs here, right Simeon?
@Jared, the scope of the fix was significantly reduced since Comment #1. This is now just one extra UI console message/note (as described in Comment 4) when the settings are saved AND the LDAP server is configured, but is not available for some reason. Putting it in the documentation might be a bit much but I'm not sure.
(In reply to Simeon Pinder from comment #9)
> @Jared, the scope of the fix was significantly reduced since Comment #1.
> This is now just one extra UI console message/note (as described in Comment
> 4) when the settings are saved AND the LDAP server is configured, but is not
> available for some reason. Putting it in the documentation might be a bit
> much but I'm not sure.
Yeah, I think that's safe not to include. The user would be presented with the message, and the message appears pretty self-explanatory.
Moving to ON_QA as available to test with the latest brew build:
Verified on Version: JON 3.3.0.ER05 Build Number: 92b6d6a:2cdb528
On saving LDAP configuration with incorrect LDAP server url, following warning message is shown in UI:
"The configured LDAP server is not currently reachable and may be down/firewalled/incorrectly configured. Alert system administrator."
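The behaviour agreed in this thread (check reachability on save, warn, but still save) can be sketched as follows. This is an added example, not JON's code from the commit above: the function names and the `ldap_enabled` / `ldap_url` setting keys are hypothetical, and the check is only a TCP connect to the URL's host and port, not an LDAP bind.

```python
import socket
from urllib.parse import urlsplit

# Warning text quoted from the verification comment in this thread.
LDAP_WARNING = (
    "The configured LDAP server is not currently reachable and may be "
    "down/firewalled/incorrectly configured. Alert system administrator."
)
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def ldap_endpoint(url):
    """Return (host, port) for an ldap:// or ldaps:// URL, or None if malformed."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    return parts.hostname, port if port is not None else DEFAULT_PORTS[parts.scheme]


def is_reachable(url, timeout=3.0):
    """True if a TCP connection to the LDAP endpoint opens within the timeout."""
    # A successful connect only shows something is listening; it does not bind.
    endpoint = ldap_endpoint(url)
    if endpoint is None:
        return False
    try:
        with socket.create_connection(endpoint, timeout=timeout):
            return True
    except OSError:  # refused, timed out, unroutable, or DNS failure
        return False


def save_settings(store, settings, timeout=3.0):
    """Persist settings unconditionally; return warnings for the UI message bar."""
    # 'ldap_enabled' and 'ldap_url' are hypothetical keys for this example.
    warnings = []
    if settings.get("ldap_enabled"):
        if not is_reachable(settings.get("ldap_url", ""), timeout):
            warnings.append(LDAP_WARNING)
    store.update(settings)  # the save is never blocked by the check
    return warnings
```

The bounded timeout matters: a firewalled host that silently drops packets would otherwise stall the save request.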