Problem: API Import: Authentication failed

api
ucsschool
ucs-4-1
import
ucsschool-r2
problem

#1

Current information as from 09/2018: The referenced bug is fixed and will be released in a future version. After that the import users will be named “importhttpapi-HOSTNAME”.

Problem

The API import run reports an authentication error:

 File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 328, in __init__
    raise univention.admin.uexceptions.authFail(_("Authentication failed"))
authFail: Authentication failed

Solution

Reset the password for the import user. The user name is “importhttpapi”; the password can be changed via UDM or in the UMC module “LDAP”. The changed password must then be entered unencrypted in the third field of the local file /etc/ucsschool-import/ldap_unprivileged.secret (master AND backup).

Note: Both UDM and UMC follow the password guidelines, so it is better not to re-use the password from the file. Instead, generate a new one.

Root Cause

The Importer is always started on the Master. However, the Importer is usually installed on backup hosts, too. So they can take over the functionality in case of failure of the master. The join script creates a random password for the import user “importhttpap”, writes it into the LDAP and saves it locally (unencrypted) in the file /etc/ucsschool-import/ldap_unprivileged.secret.

If the importer is now installed on the backup after it is installed on the master, the local password on the master no longer matches the LDAP password and there are errors above.

To verify if the stored password works or not execute the following on the master:

DN="$(cut -f 1 -d : /etc/ucsschool-import/ldap_unprivileged.secret)" BASE="$(cut -f 2 -d : /etc/ucsschool-import/ldap_unprivileged.secret)" PW="$(cut -f 3 -d : /etc/ucsschool-import/ldap_unprivileged.secret)""
ldapsearch -LLL -x -D $DN -b $BASE -w $PW uid=Administrator dn

If you get “Invalid Credentials”, the password is wrong and must be reset.

Bug #47683