
Bug #7253

LDAP no longer properly falls back to local auth, obnoxious timeouts, unusable GUI

Added by Kill Bill about 2 months ago. Updated about 1 month ago.

Status:
Resolved
Priority:
High
Category:
Web Interface
Target version:
Start date:
02/11/2017
Due date:
% Done:

100%

Affected version:
2.3.3
Affected Architecture:
All

Description

No idea when this regressed, but I get this when AD is unreachable:

Warning: Invalid argument supplied for foreach() in /etc/inc/auth.inc on line 341
Call Stack:
0.0105 235752 1. {main}() /usr/local/www/pkg_edit.php:0
0.3432 3766320 2. include('/usr/local/www/head.inc') /usr/local/www/pkg_edit.php:601
0.3696 3865944 3. userHasPrivilege() /usr/local/www/head.inc:450
0.3696 3867504 4. get_user_privileges() /etc/inc/auth.inc:357

Warning: Invalid argument supplied for foreach() in /etc/inc/auth.inc on line 341
Call Stack:
0.0105 235752 1. {main}() /usr/local/www/pkg_edit.php:0
0.3432 3766320 2. include('/usr/local/www/head.inc') /usr/local/www/pkg_edit.php:601
56.5746 3867800 3. userHasPrivilege() /usr/local/www/head.inc:450
56.5746 3869288 4. get_user_privileges() /etc/inc/auth.inc:357

Warning: Invalid argument supplied for foreach() in /etc/inc/auth.inc on line 341
Call Stack:
0.0105 235752 1. {main}() /usr/local/www/pkg_edit.php:0
0.3432 3766320 2. include('/usr/local/www/head.inc') /usr/local/www/pkg_edit.php:601
85.2306 3867800 3. userHasPrivilege() /usr/local/www/head.inc:453
85.2306 3869288 4. get_user_privileges() /etc/inc/auth.inc:357

And in system log:

Feb 12 01:23:43 gw php-fpm[38519]: /index.php: ERROR! ldap_get_groups() could not bind to server Active Directory.
Feb 12 01:24:39 gw php-fpm[38519]: /index.php: ERROR! ldap_get_groups() could not bind to server Active Directory.
Feb 12 01:24:46 gw php-fpm[83219]: /index.php: ERROR! Could not bind to server Active Directory.
Feb 12 01:24:46 gw php-fpm[83219]: /index.php: Successful login for user 'admin' from: 192.168.0.15
Feb 12 01:25:10 gw php-fpm[38519]: /index.php: ERROR! ldap_get_groups() could not bind to server Active Directory.
Feb 12 01:25:20 gw php-fpm[33513]: /index.php: ERROR! ldap_get_groups() could not bind to server Active Directory.
Feb 12 01:26:16 gw php-fpm[33513]: /index.php: ERROR! ldap_get_groups() could not bind to server Active Directory.
Feb 12 01:26:48 gw php-fpm[33513]: /index.php: ERROR! ldap_get_groups() could not bind to server Active Directory.
Feb 12 01:28:16 gw php-fpm[80642]: /pkg_edit.php: ERROR! ldap_get_groups() could not bind to server Active Directory.
Feb 12 01:28:45 gw php-fpm[80642]: /pkg_edit.php: ERROR! ldap_get_groups() could not bind to server Active Directory.

Note that it takes a minute for the lookup to give up. Makes the GUI very much unusable.

History

#1 Updated by Jim Pingle about 2 months ago

What's your server timeout set to in the LDAP auth server settings? It should be defaulting to 25s, you can lower it to 5-10s if it usually responds fast.

#2 Updated by Kill Bill about 2 months ago

I never set up any timeout anywhere. The point is it tries to look up a local user in LDAP, over and over again, causing errors on every page in the GUI. Never seen this before. Clearly caused by the clear notices stuff in head.inc.

$display_notices = false;
$allow_clear_notices = false;

if (are_notices_pending()) {
        // Evaluate user privs to determine if notices should be displayed, and if the user can clear them.
        $user_entry = getUserEntry($_SESSION['Username']);
        if (userHasPrivilege($user_entry, "user-view-clear-notices") || userHasPrivilege($user_entry, "page-all")) {
                $display_notices = true;
                $allow_clear_notices = true;
        } elseif (userHasPrivilege($user_entry, "user-view-notices")) {
                $display_notices = true;
        }
}

#3 Updated by Kill Bill about 2 months ago

Nuked the above code, sanity restored. It's evil, get it out of the head.inc please. (Plus, get_user_privileges() obviously shouldn't be looking up local users in LDAP.)

Introduced by https://github.com/pfsense/pfsense/pull/3322

#4 Updated by Phillip Davis about 2 months ago

I made PR https://github.com/pfsense/pfsense/pull/3538 to cache group/priv information within get_user_privileges() in the same way it is done in getAllowedPages().
That should keep it happy to check if (userHasPrivilege()) without constantly going back to the (not responding) LDAP or RADIUS server.

Can you test and comment?

(Code changes needed for 2.3.3 should be similar to what is in the PR for 2.4)

#5 Updated by Kill Bill about 2 months ago

Phillip Davis wrote:

(Code changes needed for 2.3.3 should be similar to what is in the PR for 2.4)

The patch applies "as is" without any problems on 2.3.3. Yes, it works (except for the warnings noise), commented on the PR. Thanks.

#6 Updated by Phillip Davis about 2 months ago

See PR https://github.com/pfsense/pfsense/pull/3539 for a bug in ldap_get_groups() where it can return something that is not an array or false. That should be fixed regardless, and I would have thought is causing issues when LDAP is down in certain ways/settings.

#7 Updated by Phillip Davis about 2 months ago

I added a commit to https://github.com/pfsense/pfsense/pull/3538 that checks the $allowed_groups actually is an array. That will silence the warnings noise.

And a little bit of code formatting.

All in a clean single commit now as Pull Request https://github.com/pfsense/pfsense/pull/3540
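As an added illustration of the two points raised in #4, #6 and #7 (this is not code from pfSense or from either PR; every function name, array layout and the $simulate knob are hypothetical): a privilege resolver that resolves local accounts from configuration without touching the remote server, caches the result for the rest of the request so that repeated userHasPrivilege() calls on one page do not each wait out the LDAP timeout, and treats a group lookup that returns false or a non-array as "no groups" instead of handing it to foreach().

```php
<?php
// Added illustration, not pfSense code: a simplified privilege resolver that
//   (a) never contacts the remote auth server for a local (system-scope) user,
//   (b) caches the resolved privileges for the rest of the request, so repeated
//       userHasPrivilege() calls on one page hit a non-responding server at most once,
//   (c) tolerates a group lookup that returns false or a non-array.
// Every name, the array layout and the $simulate knob below are hypothetical.

// Constructed sample data standing in for the user/group configuration.
$config = [
    'user' => [
        ['name' => 'admin', 'scope' => 'system', 'priv' => ['page-all']],
        ['name' => 'bob',   'scope' => 'user',   'priv' => []],
        ['name' => 'carol', 'scope' => 'user',   'priv' => []],
    ],
    'group' => [
        ['name' => 'admins',  'member' => ['admin'], 'priv' => ['user-view-clear-notices']],
        ['name' => 'readers', 'member' => [],        'priv' => ['user-view-notices']],
    ],
];

// Stand-in for a remote (LDAP/RADIUS) group lookup. $simulate selects the
// backend behaviour being exercised: a normal answer, an unreachable server
// (false, as after a failed bind), or a malformed non-array answer.
function remote_get_groups(string $user, string $simulate) {
    switch ($simulate) {
        case 'unreachable': return false;
        case 'garbage':     return 'readers';   // a string, not an array
        default:            return ['readers'];
    }
}

// Group membership of a local user, read from configuration only.
function local_groups(array $config, string $user): array {
    $groups = [];
    foreach ($config['group'] as $g) {
        if (in_array($user, $g['member'], true)) {
            $groups[] = $g['name'];
        }
    }
    return $groups;
}

// Privileges granted through the given group names.
function privs_for_groups(array $config, array $groups): array {
    $privs = [];
    foreach ($config['group'] as $g) {
        if (in_array($g['name'], $groups, true)) {
            $privs = array_merge($privs, $g['priv']);
        }
    }
    return $privs;
}

function get_user_privileges(array $config, string $username, string $simulate = 'ok'): array {
    static $cache = [];                 // lives for the current request only
    if (array_key_exists($username, $cache)) {
        return $cache[$username];
    }
    $entry = null;
    foreach ($config['user'] as $u) {
        if ($u['name'] === $username) {
            $entry = $u;
            break;
        }
    }
    $privs = $entry['priv'] ?? [];
    if ($entry !== null && $entry['scope'] === 'system') {
        $groups = local_groups($config, $username);     // no remote call at all
    } else {
        $groups = remote_get_groups($username, $simulate);
        if (!is_array($groups)) {
            // false (server down) or a malformed answer: resolve to "no groups"
            // rather than feeding a non-array to foreach().
            $groups = [];
        }
    }
    $privs = array_values(array_unique(array_merge($privs, privs_for_groups($config, $groups))));
    $cache[$username] = $privs;         // cache even the degraded result
    return $privs;
}

function userHasPrivilege(array $config, string $username, string $priv, string $simulate = 'ok'): bool {
    return in_array($priv, get_user_privileges($config, $username, $simulate), true);
}

// Local admin: resolved from config even though the backend is "unreachable".
var_dump(userHasPrivilege($config, 'admin', 'user-view-clear-notices', 'unreachable'));
// Remote user, healthy backend: one remote lookup.
var_dump(userHasPrivilege($config, 'bob', 'user-view-notices', 'ok'));
// Same user again while the backend is down: served from the cache, no second lookup.
var_dump(userHasPrivilege($config, 'bob', 'user-view-notices', 'unreachable'));
// Remote user whose group lookup returns a non-array: no PHP warning, just no group privileges.
var_dump(userHasPrivilege($config, 'carol', 'user-view-notices', 'garbage'));
```

The per-request static cache is the minimal form of the idea; the real PR referenced in #4 keys its cache on a configurable cache time (which, per #9, only exists in 2.4.0), so a sysadmin tuning that setting is trading freshness of group membership against how long a dead directory server can stall the GUI.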

#8 Updated by Renato Botelho about 1 month ago

  • Status changed from New to Feedback
  • Assignee set to Renato Botelho
  • Target version changed from 2.4.0 to 2.3.3
  • % Done changed from 0 to 100

I've applied both PRs to RELENG_2_3_3. Could you please confirm the fix on next snapshot?

#9 Updated by Renato Botelho about 1 month ago

  • Target version changed from 2.3.3 to 2.4.0

My bad, I had to revert it because the field that controls cache time is a 2.4.0 only feature. Sorry about the noise.

#10 Updated by Kill Bill about 1 month ago

Can we just revert https://github.com/pfsense/pfsense/pull/3322 for 2.3.3? This non-issue with displayed notices that users cannot clear has been there for ages.

#11 Updated by Phillip Davis about 1 month ago

Yes, the easy fix is to revert 3322 from 2.3.3. The extra functionality is not that exciting!

And this issue should probably be set to target version 2.3.3 so that it shows up in the 2.3.3 open issues.

#12 Updated by Jim Pingle about 1 month ago

  • Target version changed from 2.4.0 to 2.3.3

#13 Updated by Renato Botelho about 1 month ago

Change reverted from RELENG_2_3 and RELENG_2_3_3

#14 Updated by Renato Botelho about 1 month ago

  • Status changed from Feedback to Resolved

Seems OK after revert

#15 Updated by Kill Bill about 1 month ago

Yep, usable again. Thanks.
