Possible Bug while using AUTH_LDAP_MIRROR_GROUPS? #10284
I've been having an odd issue with the API for several weeks on my production deployment of NetBox, which has not affected my test environment, and of course after rebuilding my production environment today I found the only configuration that was different between them, which resolved the issue. Both "AUTH_LDAP_MIRROR_GROUPS" and "AUTH_LDAP_FIND_GROUP_PERMS" were enabled in the ldap_config.py in production, but not in test. At random with the setting(s) enabled, I was getting a 504 gateway timeout from nginx when using GET on any of the API endpoints. Furthermore, the API token used was associated with a local account and not an LDAP account. I unfortunately cannot pinpoint when the issue first started; however, I do know it was present in NetBox 3.2.8 and still persists in NetBox 3.3.2. I am running Ubuntu 20.04 with the latest updates and Python version 3.8.10. Has anyone else run into this issue, or is anyone able to test in their environment to see if they get the same results? I want to be sure others are able to reproduce the issue before I submit a bug request.
Replies: 1 comment 2 replies
When AUTH_LDAP_FIND_GROUP_PERMS is enabled, the AD is queried on every API request regardless of which user makes it (there's no actual concept of local vs. LDAP user in NetBox). When the AD doesn't respond for whatever reason, the request will hang.

When it happens at random, an example of a cause would be when the DNS entry for the AD has multiple IPs associated, which will be used at random. If one or more of the IPs are inaccessible (blocked in the firewall or not routed), the API will hang at random.

I recommend not using AUTH_LDAP_FIND_GROUP_PERMS unless absolutely necessary.
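
To check for the multi-IP cause described in the reply above, the following added example (not code from the thread or from NetBox) resolves every address behind the directory hostname and probes each one, so a single filtered or unrouted IP shows up instead of hiding behind the ones that answer. The hostname `ldap.example.com` and the default port 389 are placeholder assumptions; pass your own values.

```python
"""Probe every IP behind an LDAP/AD hostname (added example, constructed names)."""
import socket
import sys
import time


def resolve_all(host, port):
    """Return each distinct address the resolver returns for host."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def probe(ip, port, timeout=3.0):
    """Attempt one TCP connect; return (ok, elapsed_seconds, error_text)."""
    start = time.monotonic()
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True, time.monotonic() - start, None
    except OSError as exc:  # refused, unroutable, or timed out (filtered)
        return False, time.monotonic() - start, str(exc)


def audit(host, port=389, timeout=3.0):
    """Probe every resolved address, not just the first one that answers."""
    return {ip: probe(ip, port, timeout) for ip in resolve_all(host, port)}


def unreachable(results):
    """Addresses that would stall a request whenever the client picks them."""
    return sorted(ip for ip, (ok, _, _) in results.items() if not ok)


if __name__ == "__main__":
    # Hostname is a placeholder; pass your own AD/LDAP name and port.
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.com"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 389
    results = audit(host, port)
    for ip, (ok, secs, err) in sorted(results.items()):
        print(f"{ip:40} {'ok' if ok else 'FAIL'} {secs:5.2f}s {err or ''}")
    sys.exit(1 if unreachable(results) else 0)
```

Run it from the NetBox host itself, since firewall and routing rules are evaluated from there; a failure whose elapsed time is close to the timeout indicates a silently dropped connection rather than a refused one.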