Univention Bugzilla – Bug 34353
Traceback when opening module: Authentication failed
Last modified: 2016-08-31 12:24:43 CEST
We received the following traceback via our feedback form. At the moment, it is unclear how to reproduce this behaviour. > The init function of the module has failed: authFail: Authentication failed Traceback (most recent call last): > File "/usr/lib/pymodules/python2.6/univention/management/console/protocol/modserver.py", line 228, in handle > self.__handler.init() > File "/usr/lib/pymodules/python2.6/univention/management/console/modules/udm/__init__.py", line 85, in init > self.settings = UDM_Settings() > File "/usr/lib/pymodules/python2.6/univention/management/console/modules/udm/udm_ldap.py", line 842, in __init__ > self.read() > File "/usr/lib/pymodules/python2.6/univention/management/console/modules/udm/udm_ldap.py", line 845, in read > self._read_directories() > File "/usr/lib/pymodules/python2.6/univention/management/console/modules/udm/udm_ldap.py", line 123, in wrapper_func > lo = udm_uldap.access( host = ucr.get( 'ldap/master' ), base = ucr.get( 'ldap/base' ), binddn = _user_dn, bindpw = _password ) > File "/usr/lib/pymodules/python2.6/univention/admin/uldap.py", line 263, in __init__ > raise univention.admin.uexceptions.authFail, _( "Authentication failed" ) > authFail: Authentication failed
* Login as Administrator * Change your password * Kill udm (or wait for timeout) * Open UDM module
Traceback feedback. Probably related, although an error while UDM was already running...: Traceback: Execution of command 'udm/containers' has failed: Traceback (most recent call last): File "/usr/lib/pymodules/python2.6/univention/management/console/modules/__init__.py", line 204, in execute func( request ) File "/usr/lib/pymodules/python2.6/univention/management/console/modules/decorators.py", line 305, in _response result = _multi_response(self, request) File "/usr/lib/pymodules/python2.6/univention/management/console/modules/decorators.py", line 432, in _response for res in function(self, iterator, *nones): File "/usr/lib/pymodules/python2.6/univention/management/console/modules/decorators.py", line 271, in _fake_func yield function(self, *args) File "/usr/lib/pymodules/python2.6/univention/management/console/modules/udm/__init__.py", line 641, in containers containers += self.settings.containers( flavor ) File "/usr/lib/pymodules/python2.6/univention/management/console/modules/udm/udm_ldap.py", line 887, in containers self._read_directories() File "/usr/lib/pymodules/python2.6/univention/management/console/modules/udm/udm_ldap.py", line 170, in wrapper_func raise LDAP_ConnectionError( 'Opening LDAP connection failed: %s' % str( e ) ) LDAP_ConnectionError: Opening LDAP connection failed: Authentication failed
Internally, the LDAP connection is created using the user credentials. If the password is being changed and on logout is performed, the old credentials are still being used for connecting to the LDAP server.
reported again.
Reported again
LDAP_ConnectionError: Opening LDAP connection failed: Authentisierung fehlgeschlagen reported again
Reported again. We should check in the frontend if the username of the current edited user is the same as the logged in and if the password was changed. If so we should add a hint to the password change module OR make a relogin dialog.
I came up with a way more better solution than comment #7: The module now answers with a 401 Unauthorized status code. This forces UMC to display the login dialog. After setting up the credentials the UDM modules are useable like before. The login dialog will only occur after e.g. a module session timeout / killing of UDM module process. Otherwise the old connection is still usable. Fix: a little bit in svn r56420, changes to the UMC-server were required but not commited yet. Package: univention-management-console-module-udm (5.1.25-4) YAML: 2014-11-25-univention-management-console-module-udm.yaml Downgradeable to UCS 3.2-4: not so easy Reproduceable: Comment #1 Still open... Waiting for the other UMC erratas, then commit. The current output would just be a traceback which contains the string "Authentication failed".
Comment #8 has been implemented. YAML: 2014-12-04-univention-management-console.yaml Fix: svn r56465 There is no cross dependency between UMC and UDM package.
OK - works fine OK - umc changelog Missing: udm changelog But as discussed the yaml file need to be adapted: 2014-12-04-univention-management-console.yaml: - fix nr is missing 2014-11-25-univention-management-console-module-udm.yaml: - bug nr and description is missing
Created attachment 6516 [details] Traceback after ldap session timeout
Alex requested me to check what will happen if ldap session timeout occurs. As you can see at the screenshot I got both, a login dialog and a traceback: Traceback (most recent call last): File "/usr/lib/pymodules/python2.7/notifier/threads.py", line 82, in _run tmp = self._function() File "/usr/lib/pymodules/python2.7/notifier/__init__.py", line 104, in __call__ return self._function( *tmp, **self._kwargs ) File "/usr/lib/pymodules/python2.7/univention/management/console/modules/udm/__init__.py", line 448, in _thread module = get_module(request.flavor, ldap_dn) File "/usr/lib/pymodules/python2.7/univention/management/console/modules/udm/udm_ldap.py", line 123, in _decorated return func(*args, **kwargs) File "/usr/lib/pymodules/python2.7/univention/management/console/modules/udm/udm_ldap.py", line 193, in wrapper_func ret = func(*args, **kwargs) File "/usr/lib/pymodules/python2.7/univention/management/console/modules/udm/udm_ldap.py", line 1038, in get_module modules = udm_modules.objectType(None, ldap_connection, ldap_dn, module_base=base) File "/usr/lib/pymodules/python2.7/univention/admin/modules.py", line 842, in objectType attr = lo.get( dn ) File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 338, in get return self.lo.get(dn, attr, required) File "/usr/lib/pymodules/python2.7/univention/uldap.py", line 272, in get '(objectClass=*)', attr ) File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 559, in search_s return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout) File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 918, in search_ext_s return self._apply_method_s(SimpleLDAPObject.search_ext_s,*args,**kwargs) File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 865, in _apply_method_s self.reconnect(self._uri,retry_max=self._retry_max,retry_delay=self._retry_delay) File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 831, in reconnect self._apply_last_bind() File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 801, in _apply_last_bind func(self,*args,**kwargs) File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 215, in simple_bind_s resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout) File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 476, in result3 resp_ctrl_classes=resp_ctrl_classes File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 483, in result4 ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop) File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call result = func(*args,**kwargs) INVALID_CREDENTIALS: {'desc': 'Invalid credentials'} ---- How to reproduce: ucr set ldap/idletimeout="30" open the user module search for some user open the user that your are logged in with and change the password wait for the ldap timeout
As discussed here the latest traceback: Traceback (most recent call last): File "/usr/lib/pymodules/python2.7/notifier/threads.py", line 82, in _run tmp = self._function() File "/usr/lib/pymodules/python2.7/notifier/__init__.py", line 104, in __call__ return self._function( *tmp, **self._kwargs ) File "/usr/lib/pymodules/python2.7/univention/management/console/modules/udm/__init__.py", line 472, in _thread module = get_module(request.flavor, ldap_dn) File "/usr/lib/pymodules/python2.7/univention/management/console/modules/udm/udm_ldap.py", line 175, in _decorated raise LDAP_AuthenticationFailed() LDAP_AuthenticationFailed: Die Authentifikation ist fehlgeschlagen
(In reply to Alexander Kramer from comment #12) > Alex requested me to check what will happen if ldap session timeout occurs. > As you can see at the screenshot I got both, a login dialog and a traceback: > > Traceback (most recent call last): > INVALID_CREDENTIALS: {'desc': 'Invalid credentials'} great find! I am now catching the exception which comes directly from LDAP. (In reply to Alexander Kramer from comment #13) > Traceback (most recent call last): > raise LDAP_AuthenticationFailed() > LDAP_AuthenticationFailed: Die Authentifikation ist fehlgeschlagen Oh, yes this was due to methods which are executed in a thread. UMC currently does not do any error handling for threaded methods. I implemented the error handling from the module server core into all UDM threads (Well this was planned more generic at Bug #37169)
OK - after ldap session timeout only the login dialog is shown / no traceback anymore
Reported again: 4.0-0 errata17 (Walle)
http://errata.univention.de/ucs/4.0/18.html
Reported again, 3.2-4 errata0 (Walle)
<http://errata.univention.de/ucs/4.0/44.html>
Reported again, 3.2-4 errata277 (Borgfeld)
Reported again, 3.2-4 errata273 (Borgfeld)
Reported again, 3.2-6 errata339 (Borgfeld)
Reported again, 3.2-6 errata336 (Borgfeld) authFail: Authentisierung fehlgeschlagen
Reported again, 3.2-8 errata410 (Borgfeld)
Reported again, 3.2-6 errata336 (Borgfeld)
Reported again, 3.2-8 errata441 (Borgfeld)