Issue #310 resolved

LDAP login succeeds but scm-manager "Test Connection" and login fails

John Peacock
created an issue

We have configured LDAP authentication and as far as we can tell it is working, but LDAP users are not able to log in to scm-manager. Turning up the log levels for Tomcat reveals this:

10:28:55.049 [http-8080-19] DEBUG sonia.scm.auth.ldap.LDAPConnection - send starttls request
10:28:55.055 [http-8080-19] DEBUG sonia.scm.auth.ldap.LDAPConnection - set bind credentials for dn uid=jpeacock,ou=employee,dc=messagesystems,dc=com
10:28:55.140 [http-8080-19] DEBUG sonia.scm.auth.ldap.LDAPAuthenticationContext - user uid=jpeacock,ou=employee,dc=messagesystems,dc=com successfully authenticated

So clearly, as far as LDAP is concerned, authentication has succeeded. But scm-manager does not work, either with the "Test Connection" button or when actually trying to log in.

Running 1.23 (since we had problems getting plugins to work with 1.24).

Comments (13)

  1. John Peacock reporter

    I already posted the last bit on the original ticket, but here is the full listing:

    09:40:37.170 [http-8080-21] DEBUG sonia.scm.auth.ldap.LDAPConnection - create anonymous context
    09:40:37.171 [http-8080-21] DEBUG sonia.scm.auth.ldap.LDAPConnection - use follow as referral strategy
    09:40:37.173 [http-8080-21] DEBUG sonia.scm.auth.ldap.LDAPConnection - send starttls request
    09:40:37.234 [http-8080-21] DEBUG sonia.scm.auth.ldap.LDAPConnection - set bind credentials for dn cn=scm_manager,ou=ServiceAccounts,dc=messagesystems,dc=com
    09:40:37.281 [http-8080-21] DEBUG sonia.scm.auth.ldap.LDAPAuthenticationContext - using scope sub for user search
    09:40:37.281 [http-8080-21] DEBUG sonia.scm.auth.ldap.LDAPAuthenticationContext - search-filter for user search: (&(objectClass=posixAccount)(uid=jpeacock))
    09:40:37.281 [http-8080-21] DEBUG sonia.scm.auth.ldap.LDAPAuthenticationContext - saarch base for user search: ou=employee,dc=messagesystems,dc=com
    09:40:37.324 [http-8080-21] DEBUG sonia.scm.auth.ldap.LDAPConnection - create anonymous context
    09:40:37.324 [http-8080-21] DEBUG sonia.scm.auth.ldap.LDAPConnection - use follow as referral strategy
    09:40:37.325 [http-8080-21] DEBUG sonia.scm.auth.ldap.LDAPConnection - send starttls request
    09:40:37.331 [http-8080-21] DEBUG sonia.scm.auth.ldap.LDAPConnection - set bind credentials for dn uid=jpeacock,ou=employee,dc=messagesystems,dc=com
    09:40:37.415 [http-8080-21] DEBUG sonia.scm.auth.ldap.LDAPAuthenticationContext - user uid=jpeacock,ou=employee,dc=messagesystems,dc=com successfully authenticated
    

    I was tailing the log file when I tried to use the Test Connection button; there was a distinct hang (5 seconds or more) between the last log entry and the moment the dialog box popped up to state that the test had failed.

  2. Sebastian Sdorra repo owner

    Which LDAP server do you use? Does the bind user (cn=scm_manager) have enough permissions to read the attributes for username, mail, displayName of the user (uid=jpeacock)?

  3. John Peacock reporter

    We are using the Fedora Directory Server (389-ds). While we don't allow anonymous binds, if you authenticate as anyone, you can read any field but password. So, yes, scm_manager has the rights to read the cn field of jpeacock.

  4. Sebastian Sdorra repo owner

    Could you check the access log of your ldap server and post the output for a failed authentication? Are there errors in the error log of the directory server?

  5. John Peacock reporter

    No failures logged on the LDAP side at all. The admin did import our CA into the Java keystore before attempting to use TLS, FWIW.

    If I disable TLS, "Test Connection" works fine. I don't see anything particularly helpful in the log after the test succeeds apart from:

    16:09:29.674 [http-8080-24] DEBUG sonia.scm.auth.ldap.LDAPAuthenticationContext - group filter is empty
    16:09:29.675 [http-8080-24] DEBUG sonia.scm.auth.ldap.LDAPAuthenticationContext - group attribute is empty
    

    We set up a stunnel instance to proxy the TLS connection and all is well for now.

    It appears you are not handling the rebind to the scm_manager user after authenticating with the user credentials when TLS is enabled.

  6. John Peacock reporter

    I replaced OpenJDK with the Sun^WOracle 1.7 JDK and I still have the same problem. Of course, I have no idea how to confirm for certain that scm is using the correct JDK (I replaced the /usr/bin/java symlink to ultimately point to the jdk1.7.0 binary). Is there some diagnostic page I could trigger to see for certain which JDK is being used?
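The following is an added illustration, not code from scm-manager or from anyone in this thread. It walks through the sequence the reporter's DEBUG log in comment 1 shows (anonymous context, StartTLS, service-account bind, user search, then a second context with its own StartTLS for the user bind) using plain JNDI, so the steps around the TLS layer that comment 5 questions are visible in one place; it also prints the running JVM's `java.home` and `java.version`, which answers the "which JDK is in use" question from comment 6 for whatever process runs it. The URL, DNs, base and service password are assumed placeholders, not values from the ticket's environment, and the class name `LdapStartTlsCheck` is invented here.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;

/** Added illustration of the bind/search/user-bind sequence over StartTLS (not scm-manager's code). */
public class LdapStartTlsCheck {

    // Placeholders (assumed), not the ticket's real directory or accounts.
    static final String URL     = "ldap://ldap.example.invalid:389";
    static final String BIND_DN = "cn=scm_manager,ou=ServiceAccounts,dc=example,dc=invalid";
    static final String BIND_PW = "changeme";
    static final String BASE    = "ou=employee,dc=example,dc=invalid";

    public static void main(String[] args) throws Exception {
        // Which JDK is actually running this code? Ask the JVM itself.
        System.out.println("java.home=" + System.getProperty("java.home")
                + " java.version=" + System.getProperty("java.version"));
        String uid = args.length > 0 ? args[0] : "jpeacock";
        String pw  = args.length > 1 ? args[1] : "secret";
        System.out.println("authenticated=" + authenticate(uid, pw));
    }

    /** Find the user as the service account, then prove the password with a separate user bind. */
    static boolean authenticate(String uid, String password) throws NamingException, IOException {
        LdapContext svc = null;
        StartTlsResponse svcTls = null;
        try {
            svc = openAnonymous();                 // "create anonymous context"
            svcTls = startTls(svc);                // "send starttls request"
            bind(svc, BIND_DN, BIND_PW);           // "set bind credentials for dn cn=scm_manager,..."

            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);          // "using scope sub"
            sc.setReturningAttributes(new String[] {"cn", "mail"});
            // uid goes in as a filter argument ({0}); JNDI escapes it, so a value
            // containing '*' or ')' cannot widen the search.
            NamingEnumeration<SearchResult> hits = svc.search(BASE,
                    "(&(objectClass=posixAccount)(uid={0}))", new Object[] {uid}, sc);
            if (!hits.hasMore()) {
                return false;                      // unknown user: never attempt a bind for it
            }
            SearchResult hit = hits.next();
            String userDn = hit.getNameInNamespace();
            Attributes attrs = hit.getAttributes();

            if (!checkPassword(userDn, password)) {
                return false;
            }
            // The service context is still bound as the service account, so attribute reads
            // after the user bind need no rebind here; a single-connection design would
            // have to rebind as the service account at this point.
            System.out.println("user " + userDn + " successfully authenticated; cn="
                    + attrs.get("cn") + " mail=" + attrs.get("mail"));
            return true;
        } finally {
            // Close the TLS layer before the context, the order the JNDI StartTLS examples use.
            if (svcTls != null) svcTls.close();
            if (svc != null) svc.close();
        }
    }

    /** Second connection with its own StartTLS, bound as the user; false on a wrong password. */
    static boolean checkPassword(String userDn, String password) throws NamingException, IOException {
        if (password == null || password.isEmpty()) {
            return false;   // an empty password would be an unauthenticated bind, not a check
        }
        LdapContext user = null;
        StartTlsResponse tls = null;
        try {
            user = openAnonymous();
            tls = startTls(user);
            bind(user, userDn, password);          // "set bind credentials for dn uid=...,ou=employee,..."
            return true;
        } catch (AuthenticationException e) {
            return false;
        } finally {
            if (tls != null) tls.close();
            if (user != null) user.close();
        }
    }

    static LdapContext openAnonymous() throws NamingException {
        Hashtable<String, Object> env = new Hashtable<String, Object>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        return new InitialLdapContext(env, null);
    }

    static StartTlsResponse startTls(LdapContext ctx) throws NamingException, IOException {
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        tls.negotiate();   // validated against the JVM's default trust store (where the CA was imported)
        return tls;
    }

    static void bind(LdapContext ctx, String dn, String password) throws NamingException {
        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
        ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, dn);
        ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
        ctx.reconnect(null);   // performs the bind on the existing, now TLS-protected, connection
    }
}
```

Run it with `java LdapStartTlsCheck <uid> <password>` against the JDK under test; the first line of output names the `java.home` that answered, and `tls.negotiate()` fails immediately with an SSL exception if the directory's CA is not in that JDK's trust store, which separates a certificate problem from the hang-after-success behaviour reported above.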
