[v16] Improve troubleshooting for LDAP authentication errors #48946

Merged 1 commit on Nov 14, 2024

@zmb3 zmb3 commented Nov 13, 2024

This introduces two small changes:

  1. Use an aggregate error to make sure the original error is included along with our attempt at providing a better error message. This change should help distinguish between bad authn/invalid cert and valid authentication but insufficient user permissions.
  2. Make the CRL Distribution Point in Windows certs optional. This metadata is required in the certs we issue for users to RDP, but it doesn't need to be present in the certs we use to authenticate our service account. The problem with including it when it is not needed is it causes Windows to perform a revocation check and log a failure, which can lead to wasted time when troubleshooting.

Backports #42948
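
The second change, as an added Go example (not code from this pull request or from the project): the CRL Distribution Point is written into a certificate only when a URL is supplied, so a service-account certificate carries nothing that would prompt a revocation lookup. The names `issueCert`, `hasCRLDP` and `constructedCDP`, and the LDAP URL itself, are assumptions made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// constructedCDP is a made-up LDAP CRL location, not a value from the PR.
const constructedCDP = "ldap:///CN=example-ca,DC=example,DC=com?certificateRevocationList"

// issueCert (hypothetical helper) self-signs a short-lived client certificate.
// An empty crlDP leaves the CRL Distribution Point extension out entirely.
func issueCert(commonName, crlDP string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if crlDP != "" {
		tmpl.CRLDistributionPoints = []string{crlDP}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hasCRLDP reports whether a relying party would find a CDP to fetch.
func hasCRLDP(c *x509.Certificate) bool { return len(c.CRLDistributionPoints) > 0 }

func main() {
	for _, cdp := range []string{constructedCDP, ""} {
		cert, err := issueCert("example", cdp)
		if err != nil {
			panic(err)
		}
		fmt.Printf("cdp=%q present in cert: %v\n", cdp, hasCRLDP(cert))
	}
}
```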



@zmb3 zmb3 added the no-changelog label Nov 14, 2024
@zmb3 zmb3 added this pull request to the merge queue Nov 14, 2024
Merged via the queue into branch/v16 with commit 13d6fe1 Nov 14, 2024
41 of 43 checks passed
@zmb3 zmb3 deleted the auto-backport/42948-to-branch/v16 branch November 14, 2024 22:22
Labels: backport, desktop-access, no-changelog, size/sm, tctl