LDAP authentication – log OK even if it can reach the LDAP server


#1

I’m trying to use an LDAP server to authenticate the users in CF. during my test I notice a strange behavior leading to confusion.
It seems that some OK logs are generated even if CF is not able to reach the LDAP server. To reproduce that I set up a wrong port for my ldap server 15423 and then try to log on the UI.
In the “Audit log” section of the UI I have a log which may indicate that the logging was OK:

[----] I, [2017-01-27T15:46:32.150597 #3033:e47f8c] INFO – Success: MIQ(Common.settings_update_save) userid: [admin] - VMDB config updated (ldapport:[389] to [56])
[----] I, [2017-01-27T15:46:38.364219 #3033:e43108] INFO – Success: MIQ(Common.settings_update_save) userid: [admin] - VMDB config updated (ldapport:[56] to [15423])
[----] I, [2017-01-27T15:46:48.826632 #3055:e2fc84] INFO – Success: MIQ(Authenticator.authenticate) userid: [pcwalker] - User cn=pcwalker,ou=interactiveusers,dc=msp,dc=XXXXXXX,dc=net successfully validated by LDAP

Nevertheless when checking the other log “CFME log” in the UI I see an error when CF is trying to contact the LDAP server:

[----] I, [2017-01-27T15:46:49.712047 #3033:e42654] INFO – : MiqLdap.connection: Connecting to IP Address [172.24.65.97]
[----] E, [2017-01-27T15:46:49.716987 #3033:e42654] ERROR – : [Net::LDAP::Error]: unable to establish a connection to server Method:[rescue in authenticate]
[----] E, [2017-01-27T15:46:49.717351 #3033:e42654] ERROR – : /var/www/miq/vmdb/lib/miq_ldap.rb:97:in resolve_host'/var/www/miq/vmdb/lib/miq_ldap.rb:55:ininitialize’

This is normal since there is nothing on the port I choose but the other log in “Audit” is misleading. This led me to lose some time before I understand that the log “successfully validated by LDAP” was wrong and that there were an issue with my config.

I think it would be good to prevent the log “OK” in the audit if there is an error.


#2

Thanks for reporting this @Charles_Walker.
Could you open an issue in github: https://github.com/manageiq/manageiq/issues
This will make sure it gets into the proper developer’s hands to resolve.

When the issue is created, please post the link here so we know it’s being tracked.


#3

Thx for quick feedback.
Done.