LDAP Authentication Troubleshooting via foreman-rake - LdapFluff::Generic::UnauthenticatedException: Could not bind to ActiveDirectory user in Red Hat Satellite 6.

Solution Verified

Environment

  • Red Hat Satellite 6.x

Issue

  • It is often necessary to confirm that Red Hat Satellite's LDAP authentication source is correctly configured, either while troubleshooting or when first enabling external authentication for a customer. This document presents console commands to:
    • Test the connectivity between Red Hat Satellite and the external authentication source
    • Check that a user is valid and retrieve all of its attributes
    • Check that a group is valid and retrieve all of its attributes, including its members

Resolution

For more KB articles/solutions related to Red Hat Satellite 6.x Authentication Issues, please refer to the Red Hat Satellite Consolidated Troubleshooting Article for Red Hat Satellite 6.x Authentication Issues

Root Cause

  • The whole LDAP authentication source configuration (connection, bind account, base DN, login attribute and filter) must be examined to determine the root cause.

Diagnostic Steps

  • The commands below check, test and debug the LDAP authentication source from the Foreman console.

    • Open the Foreman rake console
     [root@satellite ~]# foreman-rake console
    /opt/theforeman/tfm/root/usr/share/gems/gems/foreman_theme_satellite-0.1.41/app/models/concerns/satellite_packages.rb:4: warning: already initialized constant Katello::Ping::PACKAGES
    /opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.0.0.105/app/models/katello/ping.rb:7: warning: previous definition of PACKAGES was here
    /usr/share/foreman/lib/tasks/console.rake:4: warning: already initialized constant ARGV
    Loading production environment (Rails 4.1.5)
    irb(main):001:0>
    
    • List all authentication sources configured on the Red Hat Satellite server, and note the id of the AuthSourceLdap you want to test.
     irb(main):001:0> pp AuthSourceLdap.all
     => #<ActiveRecord::Relation [#<AuthSourceLdap id: 3, type: "AuthSourceLdap", name: "w2k8", host: "10.12.211.58", port: 389, account: "administrator@domain", account_password: "encrypted-Y0Jud1FBM084Nk1TenEyV3gwRXZEZ2pCNHpGaFgy...", base_dn: "dc=domain,dc=example", attr_login: "sAMAccountName", attr_firstname: "givenName", attr_lastname: "sn", attr_mail: "mail", onthefly_register: true, tls: false, created_at: "2017-03-27 18:47:25", updated_at: "2017-03-27 19:11:56", ldap_filter: "", attr_photo: "jpegPhoto", server_type: "active_directory", groups_base: "", usergroup_sync: true>]>
    irb(main):002:0>
    
    • Assign the selected source to source_now, using the id noted above:
      source_now = AuthSourceLdap.find_by_id(<id>)
      irb(main):002:0> source_now = AuthSourceLdap.find_by_id(3)
      => #<AuthSourceLdap id: 3, type: "AuthSourceLdap", name: "w2k8", host: "10.12.211.58", port: 389, account: "administrator@domain", account_password: "encrypted-Y0Jud1FBM084Nk1TenEyV3gwRXZEZ2pCNHpGaFgy...", base_dn: "dc=domain,dc=example", attr_login: "sAMAccountName", attr_firstname: "givenName", attr_lastname: "sn", attr_mail: "mail", onthefly_register: true, tls: false, created_at: "2017-03-27 18:47:25", updated_at: "2017-03-27 19:11:56", ldap_filter: "", attr_photo: "jpegPhoto", server_type: "active_directory", groups_base: "", usergroup_sync: true>
      irb(main):003:0>
    
    • Create the LDAP connection from the source. Note that the returned object's dump includes the decrypted bind password (@bind_pass), so do not paste this output unredacted into a support case or ticket.
     irb(main):003:0> conn = source_now.ldap_con
     Successfully decrypted field for AuthSourceLdap w2k8
     => #<LdapFluff:0x000000096c9608 @ldap=#<LdapFluff::ActiveDirectory:0x000000096c34b0 @ldap=#<Net::LDAP:0x000000096c3460 @host="10.12.211.58", @port=389, @hosts=nil, @verbose=false, @auth={:method=>:anonymous}, @base="dc=domain,dc=example", @force_no_page=false, @encryption=nil, @connect_timeout=nil, @instrumentation_service=ActiveSupport::Notifications, @open_connection=nil>, @bind_user="administrator@domain", @bind_pass="Redhat1!", @anon=false, @attr_login="sAMAccountName", @base="dc=domain,dc=example", @group_base="dc=domain,dc=example", @member_service=#<LdapFluff::ActiveDirectory::MemberService:0x000000096c3438 @attr_login="sAMAccountName", @ldap=#<Net::LDAP:0x000000096c3460 @host="10.12.211.58", @port=389, @hosts=nil, @verbose=false, @auth={:method=>:anonymous}, @base="dc=domain,dc=example", @force_no_page=false, @encryption=nil, @connect_timeout=nil, @instrumentation_service=ActiveSupport::Notifications, @open_connection=nil>, @base="dc=domain,dc=example", @group_base="dc=domain,dc=example">>, @instrumentation_service=ActiveSupport::Notifications>
     irb(main):004:0>
    
    • Check whether a login is a valid user in AD: conn.valid_user?('<login>')
     irb(main):004:0> conn.valid_user?('waldirio')
     => true
     irb(main):005:0>
    
    • Retrieve the AD user's attributes: conn.find_user('<login>')
     irb(main):011:0> pp conn.find_user('waldirio')
     => [#<Net::LDAP::Entry:0x00000008f55660 @myhash={:dn=>["CN=Waldirio Pinheiro,CN=Users,DC=domain,DC=example"], :objectclass=>["top", "person", "organizationalPerson", "user"], :cn=>["Waldirio Pinheiro"], :sn=>["Pinheiro"], :givenname=>["Waldirio"], :distinguishedname=>["CN=Waldirio Pinheiro,CN=Users,DC=domain,DC=example"], :instancetype=>["4"], :whencreated=>["20170328011139.0Z"], :whenchanged=>["20170328021241.0Z"], :displayname=>["Waldirio Pinheiro"], :usncreated=>["12727"], :usnchanged=>["12750"], :name=>["Waldirio Pinheiro"], :objectguid=>["\x9B6\a\xEE\x1Fv\xE0G\xA0`\x11R\x84\xA8\xEE\xB0"], :useraccountcontrol=>["66048"], :badpwdcount=>["0"], :codepage=>["0"], :countrycode=>["0"], :badpasswordtime=>["131351408863120239"], :lastlogoff=>["0"], :lastlogon=>["131351408965768419"], :pwdlastset=>["131351370995145728"], :primarygroupid=>["513"], :objectsid=>["\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\x9B\x8CB!n\xDDX\xD1\xB2\xF5\x8C\xEFO\x04\x00\x00"], :accountexpires=>["9223372036854775807"], :logoncount=>["0"], :samaccountname=>["waldirio"], :samaccounttype=>["805306368"], :userprincipalname=>["waldirio@domain.example"], :objectcategory=>["CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=example"], :dscorepropagationdata=>["16010101000000.0Z"], :lastlogontimestamp=>["131351407246645400"], :mail=>["waldirio@redhat.com"]}>]
     irb(main):012:0>
    
    • Check whether a name is a valid group in AD: conn.valid_group?('<group>')
     irb(main):021:0> conn.valid_group?('Satellite')
     => true
     irb(main):022:0>
    
    • Retrieve the AD group's attributes, including its member DNs: conn.find_group('<group>')
     irb(main):022:0> pp conn.find_group('Satellite')
     => [#<Net::LDAP::Entry:0x00000007139c08 @myhash={:dn=>["CN=Satellite,CN=Users,DC=domain,DC=example"], :objectclass=>["top", "group"], :cn=>["Satellite"], :member=>["CN=Pedro Teixeira Pinheiro,CN=Users,DC=domain,DC=example", "CN=Waldirio Pinheiro,CN=Users,DC=domain,DC=example"], :distinguishedname=>["CN=Satellite,CN=Users,DC=domain,DC=example"], :instancetype=>["4"], :whencreated=>["20170330195625.0Z"], :whenchanged=>["20170330200155.0Z"], :usncreated=>["13041"], :usnchanged=>["13055"], :name=>["Satellite"], :objectguid=>["\xDE\xF9\xCC#\x8D\x820I\x96\xD84Q\x8F\xA8\xD6\xB5"], :objectsid=>["\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\x9B\x8CB!n\xDDX\xD1\xB2\xF5\x8C\xEFQ\x04\x00\x00"], :samaccountname=>["Satellite"], :samaccounttype=>["268435456"], :grouptype=>["-2147483646"], :objectcategory=>["CN=Group,CN=Schema,CN=Configuration,DC=domain,DC=example"], :dscorepropagationdata=>["16010101000000.0Z"]}>]
     irb(main):023:0>
    
    • List the logins of all members of a specific AD group: conn.user_list('<group>')
     irb(main):015:0> conn.user_list('Satellite')
     => ["pedro", "waldirio"]
     irb(main):016:0>
    
  • In case of failure

    • The user waldiriofake does not exist, so valid_user? returns false
     irb(main):017:0> conn.valid_user?('waldiriofake')
     => false
    
    • If Red Hat Satellite tries to retrieve that same user for any reason, find_user raises the exception shown below
      irb(main):018:0> conn.find_user('waldiriofake')
      LdapFluff::ActiveDirectory::MemberService::UIDNotFoundException: 
      LdapFluff::ActiveDirectory::MemberService::UIDNotFoundException
    from /opt/theforeman/tfm/root/usr/share/gems/gems/ldap_fluff-0.4.5/lib/ldap_fluff/generic_member_service.rb:20:in `find_user'
    from /opt/theforeman/tfm/root/usr/share/gems/gems/ldap_fluff-0.4.5/lib/ldap_fluff/ldap_fluff.rb:77:in `block in find_user'
    from /opt/theforeman/tfm/root/usr/share/gems/gems/ldap_fluff-0.4.5/lib/ldap_fluff/ldap_fluff.rb:94:in `block in instrument'
    from /opt/rh/rh-ror41/root/usr/share/gems/gems/activesupport-4.1.5/lib/active_support/notifications.rb:159:in `block in instrument'
    from /opt/rh/rh-ror41/root/usr/share/gems/gems/activesupport-4.1.5/lib/active_support/notifications/instrumenter.rb:20:in `instrument'
    from /opt/rh/rh-ror41/root/usr/share/gems/gems/activesupport-4.1.5/lib/active_support/notifications.rb:159:in `instrument'
    from /opt/theforeman/tfm/root/usr/share/gems/gems/ldap_fluff-0.4.5/lib/ldap_fluff/ldap_fluff.rb:93:in `instrument'
    from /opt/theforeman/tfm/root/usr/share/gems/gems/ldap_fluff-0.4.5/lib/ldap_fluff/ldap_fluff.rb:76:in `find_user'
    from (irb):18
    from /opt/rh/rh-ror41/root/usr/share/gems/gems/railties-4.1.5/lib/rails/commands/console.rb:90:in `start'
    from /opt/rh/rh-ror41/root/usr/share/gems/gems/railties-4.1.5/lib/rails/commands/console.rb:9:in `start'
    from /usr/share/foreman/lib/tasks/console.rake:6:in `block in <top (required)>'
    from /opt/rh/rh-ruby22/root/usr/share/gems/gems/rake-10.4.2/lib/rake/task.rb:240:in `call'
    from /opt/rh/rh-ruby22/root/usr/share/gems/gems/rake-10.4.2/lib/rake/task.rb:240:in `block in execute'
    from /opt/rh/rh-ruby22/root/usr/share/gems/gems/rake-10.4.2/lib/rake/task.rb:235:in `each'
    from /opt/rh/rh-ruby22/root/usr/share/gems/gems/rake-10.4.2/lib/rake/task.rb:235:in `execute'
    from /opt/rh/rh-ruby22/root/usr/share/gems/gems/rake-10.4.2/lib/rake/task.rb:179:in `block in invoke_with_call_chain'
    from /opt/rh/rh-ruby22/root/usr/share/ruby/monitor.rb:211:in `mon_synchronize'
    from /opt/rh/rh-ruby22/root/usr/share/gems/gems/rake-10.4.2/lib/rake/task.rb:172:in `invoke_with_call_chain'
    from /opt/rh/rh-ruby22/root/usr/share/gems/gems/rake-10.4.2/lib/rake/task.rb:165:in `invoke'
    from /opt/rh/rh-ruby22/root/usr/share/gems/gems/rake-10.4.2/lib/rake/application.rb:150:in `invoke_task'
    from /opt/rh/rh-ruby22/root/usr/share/gems/gems/rake-10.4.2/lib/rake/application.rb:106:in `block (2 levels) in top_level'
    from /opt/rh/rh-ruby22/root/usr/share/gems/gems/rake-10.4.2/lib/rake/application.rb:106:in `each'
    from /opt/rh/rh-ruby22/root/usr/share/gems/gems/rake-10.4.2/lib/rake/application.rb:106:in `block in top_level'
    from /opt/rh/rh-ruby22/root/usr/share/gems/gems/rake-10.4.2/lib/rake/application.rb:115:in `run_with_threads'
    from /opt/rh/rh-ruby22/root/usr/share/gems/gems/rake-10.4.2/lib/rake/application.rb:100:in `top_level'
    from /opt/rh/rh-ruby22/root/usr/share/gems/gems/rake-10.4.2/lib/rake/application.rb:78:in `block in run'
    from /opt/rh/rh-ruby22/root/usr/share/gems/gems/rake-10.4.2/lib/rake/application.rb:176:in `standard_exception_handling'
    from /opt/rh/rh-ruby22/root/usr/share/gems/gems/rake-10.4.2/lib/rake/application.rb:75:in `run'
    from /opt/rh/rh-ruby22/root/usr/bin/rake:33:in `<main>'
    irb(main):019:0>
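The console steps above can be folded into one diagnostic routine. The following script is an added example and is not part of the Red Hat article or the ldap_fluff gem: `diagnose` runs the same checks in the same order (valid_user?, find_user, valid_group?, user_list), rescues the UIDNotFoundException that find_user raises for an unknown login instead of letting it abort the session, and `redact` masks the @bind_pass / account_password values so the connection dump can be shared safely. `FakeLdapConn` is a constructed stand-in for the object returned by `AuthSourceLdap#ldap_con`, populated with the entries shown on this page so the script runs offline; `diagnose`, `redact`, `SECRET_FIELD_RE` and `FakeLdapConn` are names chosen for this example. On a real Satellite you would pass `AuthSourceLdap.find_by_id(<id>).ldap_con` to `diagnose` inside `foreman-rake console`.

```ruby
# Added example (not from the Red Hat article or the ldap_fluff gem).
# Define the exception only when ldap_fluff is not loaded (i.e. outside
# foreman-rake console), so the rescue clause below works either way.
unless defined?(LdapFluff::ActiveDirectory::MemberService::UIDNotFoundException)
  module LdapFluff
    module ActiveDirectory
      module MemberService
        class UIDNotFoundException < StandardError; end
      end
    end
  end
end

# Constructed stand-in for the connection object; directory content is
# taken from the entries shown in the console session above.
class FakeLdapConn
  USERS = {
    "waldirio" => { dn: ["CN=Waldirio Pinheiro,CN=Users,DC=domain,DC=example"],
                    samaccountname: ["waldirio"], mail: ["waldirio@redhat.com"] },
    "pedro"    => { dn: ["CN=Pedro Teixeira Pinheiro,CN=Users,DC=domain,DC=example"],
                    samaccountname: ["pedro"] },
  }.freeze
  GROUPS = { "Satellite" => %w[pedro waldirio] }.freeze

  # Mimics the real dump, which contains the decrypted bind password.
  def inspect
    '#<LdapFluff @bind_user="administrator@domain", @bind_pass="Redhat1!", ' \
      '@base="dc=domain,dc=example">'
  end

  def valid_user?(login)
    USERS.key?(login)
  end

  # Like ldap_fluff, raises rather than returning nil for an unknown login.
  def find_user(login)
    entry = USERS[login]
    raise LdapFluff::ActiveDirectory::MemberService::UIDNotFoundException unless entry
    [entry]
  end

  def valid_group?(name)
    GROUPS.key?(name)
  end

  def user_list(name)
    GROUPS.fetch(name, []) # constructed: empty list for an unknown group
  end
end

# Mask secret-bearing fields in an inspect string before it is logged or
# pasted into a support case. Handles both the `@bind_pass="..."` form of
# the LdapFluff dump and the `account_password: "..."` form of the
# AuthSourceLdap record, including escaped quotes inside the value.
SECRET_FIELD_RE = /(@?(?:bind_pass|account_password)(?:=|: ))"(?:\\.|[^"\\])*"/

def redact(text)
  text.gsub(SECRET_FIELD_RE, '\1"[REDACTED]"')
end

# Run the checks in the same order as the console session and collect
# the outcome in a hash instead of relying on raw irb output.
def diagnose(conn, login:, group:)
  report = { connection: redact(conn.inspect) }

  report[:valid_user] = conn.valid_user?(login)
  begin
    entry = conn.find_user(login).first
    report[:user_dn] = Array(entry[:dn]).first
  rescue LdapFluff::ActiveDirectory::MemberService::UIDNotFoundException
    # Same failure as the traceback above: the login is not found under
    # base_dn with the configured attr_login / ldap_filter.
    report[:user_dn]    = nil
    report[:user_error] = "UIDNotFoundException: #{login} not found under base_dn"
  end

  report[:valid_group]    = conn.valid_group?(group)
  report[:members]        = report[:valid_group] ? conn.user_list(group) : []
  report[:login_in_group] = report[:members].include?(login)
  report
end

if __FILE__ == $PROGRAM_NAME
  conn = FakeLdapConn.new
  [["waldirio", "Satellite"], ["waldiriofake", "Satellite"]].each do |login, group|
    puts diagnose(conn, login: login, group: group).inspect
  end
end
```

The report distinguishes the two failure shapes seen above: `valid_user?` quietly returning false, and `find_user` raising, which is what Satellite hits when it later tries to load the same login. Because the connection string is redacted before it enters the report, the whole hash can be attached to a ticket without leaking the bind credential.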
    

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
