1536: Enabling Active Directory causes complete lockout (even local superuser cannot log back in)

sierragol*********@gmai***** (Google Code)
Sept. 4, 2010
I can set up a site, create an admin user with a name that I know is 
not in my Active Directory, set RB to use AD, then become totally locked 
out of that site. 

AD doesn't work and the admin login doesn't work anymore. 

I have to just delete the site and recreate it using "rb-site 
install". 

I even tried turning logging on before switching AD logins on and, 
well, after I got the generic startup messages (2 lines total) nothing 
appeared in the log.
 
No errors, no failure messages, *nothing at all*. 

I can use various LDAP browsers to connect to the domain controller and 
browse around, so I figure I don't need encryption or any additional 
permissions. 



What version are you running?
1.5 beta 1

What's the URL of the page containing the problem?
(internal server)

What steps will reproduce the problem?
1. Create a RB site and set up a local superuser 
2. Set the site to use Active Directory for logins.
3. Log out. 
4. You will not be able to log back in.

What operating system are you using? What browser?
The site is running on Python 2.5 / Apache 2.2.15 on Windows Server 2008 
Standard Edition. 
I've tried logging in using both IE7 and Firefox 3.6 on Win XP

Please provide any additional information below.
(none)
#1 chipx86
  • -Priority-Medium
    +Priority-High
    +Milestone-Release1.5
#2 Jan.Ko*******@gmai***** (Google Code)
This could be problem caused for issue 1611 
#3 chipx86
I don't know if you ever found a good solution to this problem or if it's happened since, but the only cases I've found where this would happen are when the Active Directory server had an entry for the admin user you're trying to log in as, which would take precedence and prevent the login from the built-in user database. That would also explain the lack of log messages, because as far as the auth backend is concerned, the user *does* exist and the password was simply wrong. There's nothing we can do about this.

Any way you can check if this is indeed the problem?
  • +NeedInfo
  • +Component-Accounts
#4 sierragol*********@gmai***** (Google Code)
I even tried several times to make up admin users with random strings as their names (e.g. "djfskhkfshfsd") so unless AD has some sort of wildcard capability or I was really (un)lucky there's no way the users could have existed.
#5 chipx86
Can you try something on your end? You'd need to either modify your installed copy (when nobody's using it, if possible) or have a test dev environment to play with.

Edit reviewboard/accounts/backends.py. Find the 'authenticate' function in 'ActiveDirectoryBackend'.

Look for the line that says 'user_data = self.search_ad(......)'. Right after that, add:

    if not user_data:
        return None

Then restart your web server and try again.
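
A minimal model of the backend chain that this suggestion relies on, added here as an example; it is not part of the thread and not Review Board's code. The class names, the sample accounts and passwords, and the failure mode (an empty search result making the unguarded backend raise instead of returning None) are assumptions made for illustration.

```python
class LocalBackend:
    """Stand-in for the built-in user database (constructed sample account)."""
    users = {"djfskhkfshfsd": "local-pass"}

    def authenticate(self, username, password):
        return username if self.users.get(username) == password else None


class ADBackend:
    """Stand-in for a directory backend; DIRECTORY plays the role of AD."""
    DIRECTORY = {"alice": {"dn": "CN=alice,DC=example,DC=test", "password": "ad-pass"}}

    def __init__(self, guard_empty_result):
        self.guard_empty_result = guard_empty_result

    def search_ad(self, username):
        entry = self.DIRECTORY.get(username)
        return [entry] if entry else []

    def authenticate(self, username, password):
        user_data = self.search_ad(username)
        if self.guard_empty_result and not user_data:
            return None  # unknown to the directory: let the next backend try
        entry = user_data[0]  # assumed failure mode: IndexError on empty result
        return username if entry["password"] == password else None


def login(backends, username, password):
    """Try each backend in order; the first non-None result wins."""
    for backend in backends:
        user = backend.authenticate(username, password)
        if user is not None:
            return user
    return None


def try_login(guard, username, password):
    """Return the logged-in user, None, or the name of the exception raised."""
    try:
        return login([ADBackend(guard), LocalBackend()], username, password)
    except Exception as exc:
        return "error: " + type(exc).__name__


if __name__ == "__main__":
    for guard in (False, True):
        print(guard, try_login(guard, "djfskhkfshfsd", "local-pass"))
```

A regression test of this shape, run against a staging site before switching the auth backend, confirms that the local superuser can still log in once directory authentication is enabled.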
#6 chipx86
Any update on this?
#7 chipx86
Hopefully fixed on master (8e6e7e9) for Review Board 1.5. Please let us know if you continue to hit it in 1.5 RC2 or newer.
  • -NeedInfo
    +Fixed
#8 xum***@gmai***** (Google Code)
Review Board 1.7.9

The same issue after adding AD Authentication
Debug log:
2013-06-20 10:48:16,431 - WARNING -  - Active Directory: Failed login for user admin

Also, it permits me to log in with admin sometimes :)
#9 sama*****@gmai***** (Google Code)
If you look at https://www.reviewboard.org/docs/manual/dev/admin/configuration/authentication-settings/#active-directory-authentication-settings
then you can see this command will reset the authentication method to the default