[solved] LDAP not working after oneadmin password change


(Jan "Yenya" Kasprzak) #1

Hello,

today we changed the password for the “oneadmin” user (via Sunstone, logged in as “oneadmin” itself). I have also edited the ~oneadmin/.one/one_auth file to reflect the new password. We have also rebooted the host where oned is running. Since then, all our LDAP-authenticated users cannot log into Sunstone (“Invalid username or password”). A core-authenticated test user, as well as oneadmin itself, works as before. Only LDAP is broken.

I have also tried "oneuser login ", which failed with the following message:

[one.user.login] User couldn't be authenticated, aborting call.

Versions of the related components and OS (frontend, hypervisors, VMs):
ONE 5.4.0, CentOS 7

Is there more to do when changing oneadmin’s password? Why are only LDAP-authenticated users affected? Thanks!

-Yenya


(Jan "Yenya" Kasprzak) #2

More debug info:

Running strace -f -s 1000 oneuser login kas suggests that the XMLRPC request is being made, even with correct arguments, and the reply about incorrect login is from oned itself:

4657  write(7, "POST /RPC2 HTTP/1.1\r\nUser-Agent: XMLRPC::Client (Ruby 2.0.0)\r\nContent-Type: text/xml; charset=utf-8\r\nContent-Length: 348\r\nConnection: keep-alive\r\nAccept-Encoding: identity\r\nAccept: */*\r\nHost: localhost:2633\r\n\r\n", 210) = 210
4657  write(7, "<?xml version=\"1.0\" ?><methodCall><methodName>one.user.login</methodName><params><param><value><string>kas:(my-correct-password)</string></value></param><param><value><string>kas</string></value></param><param><value><string></string></value></param><param><value><i4>36000</i4></value></param><param><value><i4>-1</i4></value></param></params></methodCall>\n", 348) = 348
4657  fcntl(7, F_GETFL)                 = 0x2 (flags O_RDWR)
4657  fcntl(7, F_SETFL, O_RDWR|O_NONBLOCK) = 0
4657  read(7, 0x1b25040, 16384)         = -1 EAGAIN (Resource temporarily unavailable)
4657  select(8, [7], NULL, NULL, {30, 0}) = 1 (in [7], left {29, 995999})
4657  fcntl(7, F_GETFL)                 = 0x802 (flags O_RDWR|O_NONBLOCK)
4657  read(7, "HTTP/1.1 200 OK\r\nContent-type: text/xml; charset=utf-8\r\nContent-length: 351\r\nConnection: Keep-Alive\r\nKeep-Alive: timeout=15, max=30\r\nDate: Wed, 10 Jan 2018 07:46:36 UTC\r\nServer: Xmlrpc-c_Abyss/1.40.0\r\n\r\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<methodResponse>\r\n<params>\r\n<param><value><array><data>\r\n<value><boolean>0</boolean></value>\r\n<value><string>[one.user.login] User couldn't be authenticated, aborting call.</string></value>\r\n<value><i4>256</i4></value>\r\n<value><i4>-1</i4></value>\r\n</data></array></value></param>\r\n</params>\r\n</methodResponse>\r\n", 16384) = 554
4657  write(1, "[one.user.login] User couldn't be authenticated, aborting call.", 63) = 63

Also, I tried to wrap /var/lib/one/remote/auth/ldap/authenticate and also /var/lib/one/tmp/auth/ldap/authenticate with a shell script which saves the arguments and the environment to a log file in /tmp, to verify that it is being executed, but no log file was created, so I think it is not even executed during the oneuser login kas command.
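
The driver-wrapping check described in the post above, as an added example that is not part of the original thread and not OpenNebula's own code: a POSIX sh helper that renames an auth driver to DRIVER.real and installs a wrapper in its place which appends the invocation's arguments and environment to a log file and then execs the real driver, plus a counter that answers the question the post was asking (did oned run the driver at all?). The driver path and the log path are parameters chosen by the caller; the example assumes nothing about the driver beyond oned executing it as a program with positional arguments, and the sample "authenticate" script used in the usage below is constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original thread or from OpenNebula.
# Wraps an auth driver (for instance the LDAP "authenticate" script; the
# exact path is an assumption and is supplied by the caller) so that every
# invocation logs its arguments and environment before running the real
# driver.
#
# Caveat: the driver receives the user's credentials, so the log holds
# secrets. It is written under umask 077 (mode 0600 when created) and should
# be deleted as soon as the check is done.

# install_auth_wrapper DRIVER LOGFILE
#   Renames DRIVER to DRIVER.real and writes a logging wrapper at DRIVER.
#   DRIVER should be an absolute path: oned does not run drivers from a known
#   working directory, and the wrapper execs DRIVER.real by that path.
install_auth_wrapper() {
    driver="$1"
    log="$2"
    if [ ! -x "$driver" ]; then
        echo "install_auth_wrapper: $driver is not an executable file" >&2
        return 1
    fi
    if [ -e "$driver.real" ]; then
        echo "install_auth_wrapper: $driver.real already exists (wrapper already installed?)" >&2
        return 1
    fi
    mv "$driver" "$driver.real" || return 1
    # Unquoted EOF: $log and $driver expand now, at install time; the
    # \$-escaped parts are left for the wrapper to evaluate on each call.
    # The logging runs in a subshell so the umask does not leak into the
    # real driver.
    cat > "$driver" <<EOF
#!/bin/sh
( umask 077; {
    echo "=== \$(date -u +%Y-%m-%dT%H:%M:%SZ) pid=\$\$ uid=\$(id -u) cwd=\$(pwd)"
    echo "argv: \$*"
    env | sort
    echo
} >> "$log" )
exec "$driver.real" "\$@"
EOF
    chmod 755 "$driver"
}

# uninstall_auth_wrapper DRIVER
#   Puts the original driver back.
uninstall_auth_wrapper() {
    driver="$1"
    if [ ! -e "$driver.real" ]; then
        echo "uninstall_auth_wrapper: no $driver.real to restore" >&2
        return 1
    fi
    mv "$driver.real" "$driver"
}

# wrapper_invocations LOGFILE
#   Prints the number of driver invocations recorded so far (0 if the log
#   does not exist). A count that stays at 0 across login attempts means
#   oned rejected the call before ever starting the driver.
wrapper_invocations() {
    if [ ! -f "$1" ]; then
        echo 0
        return 0
    fi
    grep -c '^=== ' "$1" || true
}
```

Run the install as the user oned executes drivers as (oneadmin on a standard install) so the wrapper stays executable for it and the log path is writable by it; then trigger a login, read wrapper_invocations, and finish with uninstall_auth_wrapper and rm of the log, since it contains whatever credentials the driver was handed.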


(Jan "Yenya" Kasprzak) #3

Okay, it was a miscommunication between admins, i.e. an instance of the PEBKAC problem. Sorry for the noise.