Skip to content

Migrate LDAP to new server with GSSAPI authentication#384

Open
hluk wants to merge 1 commit intorelease-engineering:masterfrom
hluk:ldap-gssapi
Open

Migrate LDAP to new server with GSSAPI authentication#384
hluk wants to merge 1 commit intorelease-engineering:masterfrom
hluk:ldap-gssapi

Conversation

@hluk
Copy link
Copy Markdown
Member

@hluk hluk commented Apr 14, 2026

Some groups are only available in LDAP, so we cannot rely solely on OIDC token groups. Migrate to new IPA LDAP server with GSSAPI authentication, following the same approach as product-listings-manager.

Keep existing OIDC groups check as the first path to avoid unnecessary LDAP queries when groups are available in the token. Downgrade LDAP fallback log messages from warnings to debug since falling back to LDAP is now expected behavior.

Fix HTTP status codes for LDAP connection errors from 401 Unauthorized to 502 Bad Gateway, since these are server-side failures.

JIRA: RHELWF-13972

Assisted-by: Claude Code (claude-opus-4-6)

@hluk
Migrate LDAP to new server with GSSAPI authentication
06c4f87 
Some groups are only available in LDAP, so we cannot rely solely on
OIDC token groups. Migrate to new IPA LDAP server with GSSAPI
authentication, following the same approach as product-listings-manager.

Keep existing OIDC groups check as the first path to avoid unnecessary
LDAP queries when groups are available in the token. Downgrade LDAP
fallback log messages from warnings to debug since falling back to LDAP
is now expected behavior.

Fix HTTP status codes for LDAP connection errors from 401 Unauthorized
to 502 Bad Gateway, since these are server-side failures.

JIRA: RHELWF-13972

Assisted-by: Claude Code (claude-opus-4-6)
lslebodn
lslebodn reviewed Apr 14, 2026
View reviewed changes
waiverdb/authorization.py
con = ldap.initialize(ldap_host)
if use_gssapi:
_init_gssapi_credentials()
con.sasl_interactive_bind_s("", ldap.sasl.gssapi())
Copy link
Copy Markdown

@lslebodn lslebodn Apr 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It worked for me even without your init function

(venv) sh$ rpm -qa | grep sasl
cyrus-sasl-lib-2.1.28-30.fc42.x86_64
cyrus-sasl-2.1.28-30.fc42.x86_64
cyrus-sasl-devel-2.1.28-30.fc42.x86_64
cyrus-sasl-gssapi-2.1.28-30.fc42.x86_64
(venv) sh$ klist 
klist: No credentials cache found (filename: /tmp/krb5cc_1000)
(venv) sh$ pip freeze
pyasn1==0.6.3
pyasn1_modules==0.4.2
python-ldap==3.4.5
(venv) sh$ python
Python 3.13.3 (main, Apr 22 2025, 00:00:00) [GCC 15.0.1 20250418 (Red Hat 15.0.1-0)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> 
(venv) sh$ export KRB5_CLIENT_KTNAME=/tmp/my_sa_name.keytab
(venv) sh$ python
Python 3.13.3 (main, Apr 22 2025, 00:00:00) [GCC 15.0.1 20250418 (Red Hat 15.0.1-0)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import ldap
>>> ldap_conn = ldap.initialize('ldap://ldap.example.com')
>>> ldap_conn.sasl_non_interactive_bind_s('GSSAPI')
>>> ldap_conn.whoami_s()
'dn: uid=my_sa_name,ou=users,dc=example,dc=com'

(venv) sh$ klist 
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: my_sa_name@EXAMPLE.COM

Valid starting       Expires              Service principal
04/14/2026 13:46:43  04/14/2026 23:46:43  krbtgt/EXAMPLE.COM@EXAMPLECOM
        renew until 04/21/2026 13:46:42
04/14/2026 13:46:43  04/14/2026 23:46:43  ldap/ldap.example.com@
        renew until 04/21/2026 13:46:42
        Ticket server: ldap/ldap.example.com@EXAMPLE.COM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@lslebodn lslebodn lslebodn left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@hluk @lslebodn