LDAP Configuration


Martin Dew-Hattens

Mar 31, 2017, 10:53:30 AM3/31/17
to reviewboard
New to Review Board and trying to get LDAP config to work. 

In the log file I'm getting:

2017-03-31 10:14:41,923 - WARNING -  - LDAP error: {'desc': "Can't contact LDAP server"}



I know the parameters I use are correct since they are used elsewhere 

ldap://host:389
Bindaccount  accountusedbefore
passwrd  passusedbefore
LDAP base  dc=company:dc=dtt, dc=ad

So how does one debug this?

nmap tells me that port 389 is open.

Christian Hammond

Apr 5, 2017, 3:14:31 PM4/5/17
to revie...@googlegroups.com
What version of Review Board are you using?

Can you verify that the server can resolve that hostname from a terminal?

Christian


--
Supercharge your Review Board with Power Pack: https://www.reviewboard.org/powerpack/
Want us to host Review Board for you? Check out RBCommons: https://rbcommons.com/
Happy user? Let us know! https://www.reviewboard.org/users/
---
You received this message because you are subscribed to the Google Groups "reviewboard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to reviewboard...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
-- 
Christian Hammond
President/CEO of Beanbag
Makers of Review Board

Paul Mansfield

Sep 26, 2019, 11:22:34 AM9/26/19
to Review Board Community

I was testing that my reviewboard backups are good, so I restored from the mysqldump and copied over the saved settings_local.py.

I can log in as the admin user, and the ldap settings are the same as the live server, but I can't log in using ldap, and I get this error in the log:

[Thu Sep 26 14:20:40.644378 2019] [:error] [pid 25293] 2019-09-26 14:20:40,644 - WARNING -  - root - Error authenticating with LDAP: {'desc': "Can't contact LDAP server"}


If I run tcpdump on the live server, I see a connection to the ldap server, but nothing is seen on the new standby server.

On the new machine, I can ping the FQDN (ldap.example.com) as well as just "ldap", so that means DNS is fine, as is the domain search list in /etc/resolv.conf.

I checked that the python-ldap package is installed on both, as is the openldap package. Nothing obviously different when I run "pip list" on both.

I am not sure how to go further with diagnosing the problem and what is broken; any ideas gratefully received.

thanks

Paul

Christian Hammond

Oct 1, 2019, 2:32:00 PM10/1/19
to revie...@googlegroups.com
Hi Paul,

Does the LDAP server restrict access by IP address?

Christian


Paul Mansfield

Oct 3, 2019, 8:53:40 AM10/3/19
to Review Board Community
Hi,
thanks for coming back to me.

I don't see any outbound packets to the ldap server on the new reviewboard server, but I do on the old one. I am looking for any outbound traffic to the ldap server, or any traffic to tcp:389.

If I compare the ldap settings page on both servers, they look identical, so I am wondering if there's another configuration file I need to tweak.

thanks
Paul


Christian Hammond

Oct 5, 2019, 4:47:37 PM10/5/19
to revie...@googlegroups.com
There’s nothing on our end that should be impacting this. It sounds more like a name resolution, routing, firewall, etc. sort of problem. Particularly if the same configuration worked on a different server.

Christian



Paul Mansfield

Oct 8, 2019, 6:35:37 AM10/8/19
to Review Board Community
I found the problem. Facepalm. I should have guessed. Damn SELinux.

I found it because I realised that the avatars weren't working: after fixing the directory permissions under .../htdocs/media they still didn't work, so I did a "setenforce permissive" and then discovered that LDAP login worked too.

Also, avatars were broken because the original reviewboard install was at rb.example.com and the restored one at rb2.example.com, and I hadn't changed the URL in the General Settings. When I looked at the HTML source, the URL was fully qualified with the domain (https://rb.example.com/media/...blahblah) rather than being a relative URI. When I changed the general settings, the HTML reference also changed of course and avatars started working again.

So I guess the local avatar thing is probably a bug since it shouldn't really need to depend on a full URL unless that's a function of the way it's done in order to work with multiple avatar services.


Stephen Gallagher

Oct 8, 2019, 6:54:38 AM10/8/19
to revie...@googlegroups.com

Do the SELinux instructions I added to 

Paul Mansfield

Oct 8, 2019, 7:52:56 AM10/8/19
to Review Board Community
BTW, the secret magic command is:

sudo setsebool -P authlogin_nsswitch_use_ldap=1


Paul Mansfield

Oct 8, 2019, 8:34:40 AM10/8/19
to Review Board Community

Yes please. I had to use this flag: authlogin_nsswitch_use_ldap
I already had the other flags in my deployment scripts in puppet.

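As an added example (not code from this thread or from Review Board), a small Python triage helper that walks the layers the thread worked through in order: name resolution, TCP reachability from the web server, and finally SELinux, recognising the AVC denial that the setsebool fix addresses. The audit.log lines embedded in it are constructed samples, and ldap.example.com is the host name Paul quoted; the resolver and connect functions are injectable so the decision logic can be checked offline.

```python
import re
import socket

# auditd records an SELinux refusal as "avc: denied { perm } ... scontext=... tcontext=... tclass=...";
# capture just the fields that identify "httpd_t may not open a TCP socket to ldap_port_t".
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perm>[^}]+?)\s*\}.*?'
                    r'scontext=\w+:\w+:(?P<stype>\w+).*?'
                    r'tcontext=\w+:\w+:(?P<ttype>\w+).*?tclass=(?P<tclass>\w+)')

# Constructed sample audit.log lines (not a real capture): one LDAP-connect denial, one unrelated.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1570532139.123:4567): avc:  denied  { name_connect } for  pid=25293 '
    'comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0',
    'type=AVC msg=audit(1570532140.001:4568): avc:  denied  { read } for  pid=25293 comm="httpd" '
    'name="avatar.png" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file',
]

def ldap_denials(audit_lines):
    """Return the AVC lines where httpd_t was refused a TCP connect to ldap_port_t."""
    hits = []
    for line in audit_lines:
        m = AVC_RE.search(line)
        if (m and m['stype'] == 'httpd_t' and m['ttype'] == 'ldap_port_t'
                and m['tclass'] == 'tcp_socket' and 'name_connect' in m['perm'].split()):
            hits.append(line)
    return hits

def diagnose(host, port, audit_lines, resolve=socket.getaddrinfo, connect=socket.create_connection):
    """Classify the failing layer as 'dns', 'tcp', 'selinux' or 'ok' (resolve/connect are injectable)."""
    try:
        resolve(host, port)            # socket.gaierror is an OSError subclass
    except OSError:
        return 'dns'
    try:
        connect((host, port), timeout=3).close()
    except PermissionError:            # EACCES from connect(): refused by the LSM before any packet leaves,
        return 'selinux'               # which is why tcpdump on the web server shows nothing
    except OSError:                    # refused, unreachable or timed out: a network-layer problem...
        return 'selinux' if ldap_denials(audit_lines) else 'tcp'   # ...unless audit.log says otherwise
    return 'ok'

NEXT_STEP = {
    'dns': 'fix /etc/resolv.conf or /etc/hosts so the LDAP host resolves',
    'tcp': 'check routing and firewalls on the path (tcpdump on both ends, nmap -p 389)',
    'selinux': 'setsebool -P authlogin_nsswitch_use_ldap=1  (the boolean that fixed this thread)',
    'ok': 'the port is reachable; look at the bind DN, password and base DN next',
}
```

Run it on the web server as `diagnose('ldap.example.com', 389, open('/var/log/audit/audit.log').readlines())` and look up the verdict in NEXT_STEP; the 'selinux' branch is what Paul's standby server would have reported.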