pfSense bugtracker (https://redmine.pfsense.org/)
pfSense - Bug #7253: LDAP does no longer properly fallback to local auth, obnoxious timeouts, unusable GUI
https://redmine.pfsense.org/issues/7253?journal_id=31468 | 2017-02-11T18:42:49Z | Jim Pingle
<ul></ul><p>What's your server timeout set to in the LDAP auth server settings? It should be defaulting to 25s, you can lower it to 5-10s if it usually responds fast.</p>
https://redmine.pfsense.org/issues/7253?journal_id=31469 | 2017-02-11T18:44:29Z | Kill Bill
<ul></ul><p>I never set up any timeout anywhere. The point is it tries to look up a <strong>local</strong> user in LDAP, over and over again, causing errors on every page in the GUI. Never seen this before. Clearly caused by the clear notices stuff in head.inc.</p>
<pre>
$display_notices = false;
$allow_clear_notices = false;
if (are_notices_pending()) {
	// Evaluate user privs to determine if notices should be displayed, and if the user can clear them.
	$user_entry = getUserEntry($_SESSION['Username']);
	if (userHasPrivilege($user_entry, "user-view-clear-notices") || userHasPrivilege($user_entry, "page-all")) {
		$display_notices = true;
		$allow_clear_notices = true;
	} elseif (userHasPrivilege($user_entry, "user-view-notices")) {
		$display_notices = true;
	}
}
</pre>
https://redmine.pfsense.org/issues/7253?journal_id=31472 | 2017-02-11T18:54:17Z | Kill Bill
<ul></ul><p>Nuked the above code, sanity restored. It's evil, get it out of the head.inc please. (Plus, get_user_privileges() obviously shouldn't be looking up local users in LDAP.)</p>
<p>Introduced by <a class="external" href="https://github.com/pfsense/pfsense/pull/3322">https://github.com/pfsense/pfsense/pull/3322</a></p>
https://redmine.pfsense.org/issues/7253?journal_id=31481 | 2017-02-12T11:17:40Z | Phillip Davis (phil@jankaritech.com)
<ul></ul><p>I made PR <a class="external" href="https://github.com/pfsense/pfsense/pull/3538">https://github.com/pfsense/pfsense/pull/3538</a> to cache group/priv information within get_user_privileges() in the same way it is done in getAllowedPages()<br />That should keep it happy to check if (userHasPrivilege()) without constantly going back to the (not responding) LDAP or RADIUS server.</p>
<p>Can you test and comment?</p>
<p>(Code changes needed for 2.3.3 should be similar to what is in the PR for 2.4)</p>
https://redmine.pfsense.org/issues/7253?journal_id=31482 | 2017-02-12T11:45:19Z | Kill Bill
<ul></ul><p>Phillip Davis wrote:</p>
<blockquote>
<p>(Code changes needed for 2.3.3 should be similar to what is in the PR for 2.4)</p>
</blockquote>
<p>The patch applies "as is" without any problems on 2.3.3. Yes, it works (except for the warnings noise), commented on the PR. Thanks.</p>
https://redmine.pfsense.org/issues/7253?journal_id=31485 | 2017-02-12T21:12:39Z | Phillip Davis (phil@jankaritech.com)
<ul></ul><p>See PR <a class="external" href="https://github.com/pfsense/pfsense/pull/3539">https://github.com/pfsense/pfsense/pull/3539</a> for a bug in ldap_get_groups() where it can return something that is not an array or false. That should be fixed regardless, and I would have thought is causing issues when LDAP is down in certain ways/settings.</p>
https://redmine.pfsense.org/issues/7253?journal_id=31486 | 2017-02-12T21:14:33Z | Phillip Davis (phil@jankaritech.com)
<ul></ul><p>I added a commit to <a class="external" href="https://github.com/pfsense/pfsense/pull/3538">https://github.com/pfsense/pfsense/pull/3538</a> that checks the $allowed_groups actually is an array. That will silence the warnings noise.</p>
<p>And a little bit of code formatting.</p>
<p>All in a clean single commit now as Pull Request <a class="external" href="https://github.com/pfsense/pfsense/pull/3540">https://github.com/pfsense/pfsense/pull/3540</a></p>
https://redmine.pfsense.org/issues/7253?journal_id=31488 | 2017-02-13T05:20:44Z | Renato Botelho (renato@netgate.com)
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Feedback</i></li><li><strong>Assignee</strong> set to <i>Renato Botelho</i></li><li><strong>Target version</strong> changed from <i>2.4.0</i> to <i>2.3.3</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>I've applied both PRs to RELENG_2_3_3. Could you please confirm the fix on next snapshot?</p>
https://redmine.pfsense.org/issues/7253?journal_id=31489 | 2017-02-13T05:26:27Z | Renato Botelho (renato@netgate.com)
<ul><li><strong>Target version</strong> changed from <i>2.3.3</i> to <i>2.4.0</i></li></ul><p>My bad, I had to revert it because the field that controls cache time is a 2.4.0 only feature. Sorry about the noise.</p>
https://redmine.pfsense.org/issues/7253?journal_id=31491 | 2017-02-13T06:10:51Z | Kill Bill
<ul></ul><p>Can we just revert <a class="external" href="https://github.com/pfsense/pfsense/pull/3322">https://github.com/pfsense/pfsense/pull/3322</a> for 2.3.3? This non-issue with displayed notices that users cannot clear has been there for ages.</p>
https://redmine.pfsense.org/issues/7253?journal_id=31492 | 2017-02-13T06:57:05Z | Phillip Davis (phil@jankaritech.com)
<ul></ul><p>Yes, the easy fix is to revert 3322 from 2.3.3. The extra functionality is not that exciting!</p>
<p>And this issue should probably be set to target version 2.3.3 so that it shows up in the 2.3.3 open issues.</p>
https://redmine.pfsense.org/issues/7253?journal_id=31497 | 2017-02-13T08:20:32Z | Jim Pingle
<ul><li><strong>Target version</strong> changed from <i>2.4.0</i> to <i>2.3.3</i></li></ul>
https://redmine.pfsense.org/issues/7253?journal_id=31504 | 2017-02-13T09:59:28Z | Renato Botelho (renato@netgate.com)
<ul></ul><p>Change reverted from RELENG_2_3 and RELENG_2_3_3</p>
https://redmine.pfsense.org/issues/7253?journal_id=31531 | 2017-02-15T03:27:28Z | Renato Botelho (renato@netgate.com)
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li></ul><p>Seems OK after revert</p>
https://redmine.pfsense.org/issues/7253?journal_id=31532 | 2017-02-15T03:34:29Z | Kill Bill
<ul></ul><p>Yep, usable again. Thanks.</p>
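<p>The two fixes discussed in the comments above (caching group/privilege lookups so userHasPrivilege() does not return to an unresponsive LDAP or RADIUS server on every page, and accepting only an array from the group lookup) can be sketched as follows. This is an added example, not code from pfSense or from the linked pull requests; the class, its methods and the sample data are hypothetical, and caching a failed lookup as an empty group list is this example's own choice.</p>

```php
<?php
// Added illustration (PHP 8.0+). GroupCache and its members are hypothetical
// names, not pfSense functions.
final class GroupCache
{
    /** @var array<string, array{groups: string[], expires: int}> */
    private array $entries = [];
    public int $backendCalls = 0;

    public function __construct(
        private \Closure $backend,  // stands in for the LDAP/RADIUS group lookup
        private array $localUsers,  // username => list of locally defined groups
        private int $ttl = 120      // seconds a remote answer is kept (assumed value)
    ) {}

    public function groupsFor(string $user, ?int $now = null): array
    {
        $now ??= time();
        // Local accounts are answered from local config and never reach the directory.
        if (array_key_exists($user, $this->localUsers)) {
            return $this->localUsers[$user];
        }
        $hit = $this->entries[$user] ?? null;
        if ($hit !== null && $hit['expires'] > $now) {
            return $hit['groups'];
        }
        $this->backendCalls++;
        $result = ($this->backend)($user);
        // A failing server may hand back false, null or a string. Only an array
        // counts as a group list; anything else becomes "no groups", so the
        // privilege check fails closed and emits no warnings.
        $groups = is_array($result) ? array_values(array_filter($result, 'is_string')) : [];
        $this->entries[$user] = ['groups' => $groups, 'expires' => $now + $this->ttl];
        return $groups;
    }
}

// Constructed sample data: one local admin, and a backend that behaves like an
// unreachable directory server by returning false for every user.
$cache = new GroupCache(fn(string $u) => false, ['admin' => ['admins']], 120);
$t0 = 1000;
var_dump($cache->groupsFor('admin', $t0));        // local account, backend untouched
var_dump($cache->groupsFor('alice', $t0));        // first remote lookup, invalid answer
var_dump($cache->groupsFor('alice', $t0 + 60));   // served from the cache
var_dump($cache->groupsFor('alice', $t0 + 121));  // entry expired, backend asked again
echo "backend calls: {$cache->backendCalls}\n";
```

<p>Because the failed answer is cached as well, a dead directory server costs one timeout per TTL window instead of one per page load, and the empty group list grants no remote-derived privileges in the meantime.</p>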