-
Notifications
You must be signed in to change notification settings - Fork 46
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Clarify when LDAP credentials get refreshed #53
Comments
This is the test code I'm talking about: https://github.com/AdRoll/hologram/blob/master/server/usercache_test.go#L154-L178. |
The intended behaviour of the server should be that when a signature comes in that cannot be verified with any of the keys that Hologram has in its cache, it will silently fail, re-load its cache from the backing store (in this case LDAP), and then try signature verification again. If this pass fails, then it will emit a failure message back to the client. For debugging purposes, I added signal support to Hologram before we released it: You can send Including this information would help us figure out what's going on here. I know that the system works properly at AdRoll, at least insofar as I haven't heard about it not working. 😺 |
Interesting. This is what I found with debug logging and a failed auth:
Even more oddly, sending
But doesn't say anything else beyond that (no list of users that I normally see on startup) and still fails authenticating me. Of course, reloading the service fixes the problem. The one odd thing about my setup is that I'm running my simple authorization code. I wonder if perhaps that's obstructing my usercache updates. Will check up and report back on anything I find! |
Hmm, now that I look more carefully I think that this if retUser == nil {
log.Debug("Could not find %s in the LDAP cache; updating from the server.", username)
luc.stats.Counter(1.0, "ldapCacheMiss", 1)
// We should update LDAP cache again to retry keys.
luc.Update()
return luc._verify(username, challenge, sshSig)
} needs error handling on the |
Yep, pretty sure the connection just drops after a while. I started a new server and sending it I'm guessing the AdRoll LDAP server is friendlier to long-lived connections. |
That's fine by me. Or keep a long-running connection going and if it died, |
Before this, Hologram dialed LDAP once and if that connection died, it would silently fail. This commit adds a new type that implements the same interface but pings behind the scenes and reconnects if needed. Fixes AdRoll#53.
Before this, Hologram dialed LDAP once and if that connection died, it would silently fail. This commit adds a new type that implements the same interface but reconnects and retries behind the scenes if we run into a network error the first time. Fixes AdRoll#53.
I see some code (and even tests) in the server for refreshing credentials when an authentication failure occurs, but it doesn't seem to be happening in practice for my running server. It's kind of hard to reduce other than saying that I have the whole thing running and working, but after adding keys to my LDAP server, Hologram won't let people authenticate with the new keys until I restart the daemon.
The text was updated successfully, but these errors were encountered: