Bug 47236 - [4.3] LDAP connection cache doesn't handle credentials change
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: HTTP-API (Kelvin)
Version: UCS@school 4.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS@school 4.3 v4
Assigned To: Daniel Tröder
QA Contact: Ole Schwiegert
Duplicates: 46908
Blocks: 54135 47237
Reported: 2018-06-22 13:10 CEST by Daniel Tröder
Modified: 2021-11-24 13:13 CET
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.114


Description Daniel Tröder univentionstaff 2018-06-22 13:10:46 CEST
Admin and machine connections are cached in ucsschool/importer/utils/ldap_connection.py. When the machine account's credentials change, uldap tries to reconnect using the old credentials.

Invalidate the connection caches when the password files change.
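
The invalidation proposed in the description, sketched as an added example that is not part of the original report or of the ucs-school-import code: a connection cache that records the secret file's inode, size and mtime and reconnects when they change. `SecretFileConnectionCache`, `FakeConnection`, the `connect` factory and the file name are hypothetical; the sample secrets are constructed.

```python
import os
import tempfile
from typing import Any, Callable, Dict, Tuple


class SecretFileConnectionCache:
    """Cache one connection per secret file; rebuild when the file changes."""

    def __init__(self, connect: Callable[[str], Any]) -> None:
        self._connect = connect  # hypothetical factory: password -> connection
        self._cache: Dict[str, Tuple[tuple, Any]] = {}

    def get(self, secret_path: str) -> Any:
        # Stat before reading: if the file is rotated in between, the stored
        # signature is stale and the next call reconnects (fails safe).
        st = os.stat(secret_path)
        sig = (st.st_ino, st.st_size, st.st_mtime_ns)
        cached = self._cache.get(secret_path)
        if cached and cached[0] == sig:
            return cached[1]
        if cached:
            cached[1].close()  # drop the connection bound with old credentials
        with open(secret_path, encoding="utf-8") as fh:
            conn = self._connect(fh.read().strip())
        self._cache[secret_path] = (sig, conn)
        return conn


class FakeConnection:  # constructed stand-in for an LDAP connection
    def __init__(self, password: str) -> None:
        self.password, self.closed = password, False

    def close(self) -> None:
        self.closed = True


def demo() -> Tuple[bool, bool, str]:
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "example.secret")  # constructed sample file
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("old-secret\n")
        cache = SecretFileConnectionCache(FakeConnection)
        first, again = cache.get(path), cache.get(path)
        with open(path + ".new", "w", encoding="utf-8") as fh:
            fh.write("rotated-secret-value\n")
        os.replace(path + ".new", path)  # atomic rotation: new inode and size
        second = cache.get(path)
        return first is again, first.closed, second.password
```

Comparing inode and size as well as mtime catches a rotation that lands within the filesystem's timestamp granularity.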
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2018-06-27 12:33:10 CEST
(In reply to Daniel Tröder from comment #0)
> Invalidate the connection caches when the password files change.

Or restart gunicorn via password_change.d/ script?
Comment 2 Jürn Brodersen univentionstaff 2018-06-27 12:41:30 CEST
I think I ran into a similar problem before. See bug 44621 comment 12, especially commit "ad6c547c8f". In that case it was python-ldap that cached the credentials.
Comment 3 Daniel Tröder univentionstaff 2018-06-28 09:27:47 CEST
Gunicorn is now restarted when the machine account password changes.
Cache refresh inside the running Python instance (to not restart it) is not required, as the process does not perform any critical operation. The import is run within Celery instances.

[4.3] f367c66f7 Bug #47236: restart Gunicorn when machine account password changes
[4.3] aabe8697f Bug #47236: advisory

ucs-school-import (16.0.2-17)
Comment 4 Ole Schwiegert univentionstaff 2018-06-29 08:42:22 CEST
Advisory: OK
Changelog: OK
Gunicorn restarts when machine password is changed: OK
Comment 5 Daniel Tröder univentionstaff 2018-07-04 15:02:45 CEST
*** Bug 46908 has been marked as a duplicate of this bug. ***
Comment 6 Sönke Schwardt-Krummrich univentionstaff 2018-07-04 18:08:51 CEST
UCS@school 4.3 v4 has been released.

https://docs.software-univention.de/changelog-ucsschool-4.3v4-de.html

If this error occurs again, please clone this bug.