[IGN-13784, IGN-13799, IGN-13846, IGN-14121] AD and Postgres issues on 8.3 Upgrade

BluegelMarius -

Is it possible that your config has a role search base defined and your role(s) fall outside the search base? For example if you have this config:

roleSearchBase: ou=orgunit,dc=acme,dc=org

and your LDAP user has:

memberOf: cn=role1,dc=acme,dc=org

the role will not be returned in 8.3 as it falls outside the role search base.

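The post above explains why a role is silently dropped when its DN lies outside the configured role search base. The following is an added example, not code from the thread or from Ignition: a small DN scope check, written here in Python, that takes a user's memberOf values and reports which groups fall inside a subtree search base and which are excluded. It splits DNs on unescaped commas and compares RDNs case-insensitively (the sample DNs below are constructed, modelled on the ones in the post).

```python
"""Check which memberOf group DNs fall under an LDAP role search base.

Added example for this thread; not Ignition's code. Subtree-scope
semantics are assumed: a DN is in scope when its trailing RDNs equal the
base's RDNs. Attribute types and values are compared case-insensitively,
which matches the caseIgnore matching rules used for cn, ou and dc.
"""
from typing import List, Tuple


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDN strings, honouring backslash-escaped commas."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if c == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    return parts


def normalize_rdn(rdn: str) -> Tuple[str, str]:
    """Return (attribute type, value), lower-cased and trimmed."""
    attr, sep, value = rdn.partition("=")
    if not sep:
        raise ValueError(f"RDN without '=': {rdn!r}")
    return attr.strip().lower(), value.strip().lower()


def dn_within_base(dn: str, base: str) -> bool:
    """True if dn is the base or lies below it (subtree scope)."""
    d = [normalize_rdn(r) for r in split_dn(dn)]
    b = [normalize_rdn(r) for r in split_dn(base)]
    return len(d) >= len(b) and d[-len(b):] == b


def roles_in_scope(member_of: List[str], role_search_base: str) -> Tuple[List[str], List[str]]:
    """Partition memberOf DNs into (returned as roles, dropped by the search base)."""
    kept, dropped = [], []
    for group_dn in member_of:
        (kept if dn_within_base(group_dn, role_search_base) else dropped).append(group_dn)
    return kept, dropped


if __name__ == "__main__":
    # Constructed sample data modelled on the post's example.
    base = "ou=orgunit,dc=acme,dc=org"
    groups = [
        "cn=role1,dc=acme,dc=org",                 # sibling of the base: dropped
        "cn=role2,ou=orgunit,dc=acme,dc=org",      # under the base: kept
        "CN=Ops\\, Team,OU=OrgUnit,DC=ACME,DC=org",  # escaped comma, mixed case: kept
    ]
    kept, dropped = roles_in_scope(groups, base)
    print("returned as roles:", kept)
    print("outside search base:", dropped)
```

Run it against a user's real memberOf list and the Gateway's role search base to see which groups will never become Ignition roles; if a needed role shows up as dropped, either widen the search base or move the group.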

No, I checked this. Both had been correctly configured in 8.1, and I am also able to get the roles into the email attribute if I set this to "memberOf".

The AD concern with the User Role Name Attribute field erroneously mapping to the User Name Attribute field has been fixed, and will be available starting with Beta4.


Just upgraded to 8.3.0-rc1 to see if the Postgres issue is resolved and it seems to be unchanged. I can't get mutual TLS authentication to work to the database no matter what I do. I know this thread is marked as solved on account of the AD issues being resolved. These should probably have been two threads for the two issues. Should I start another for the ongoing Postgres issue? Is there any update on the progress to replicate/resolve that?

I don’t see that anyone ever actually opened a ticket for the POSTGRES issue. I have done so now and alerted the relevant development team.

@mquinn - What happens if you remove the leading and trailing double quotes? I am also suspicious about the leading question mark character.

I can't get mutual TLS authentication to work to the database no matter what I do

We are looking into this and want to confirm what we are seeing is what you are running into. In attempting to reproduce this, I am not seeing quotes being added but I am working on getting a copy you provided earlier.

What I am seeing is there is a behavior change from 8.1 → 8.3 where:

  1. A username is provided,
  2. A password isn’t set

The username isn’t being sent with the connection request. This is causing the client cert authentication to occur with the username of the user Ignition is running as.

Can you please try the following:

  1. If quotes are added to the beginning and end of your connection properties, please remove them and all escaping.
  2. Set an embedded password of a single space and save the connection.

Garth

I tried with the embedded password of a single space and the connection is valid. That’s using this connection string:

?ssl=true;sslmode=verify-full;sslrootcert=/etc/step/certs/root_ca.crt;sslcert=/etc/step/certs/ssl-cert.pem;sslkey=/etc/step/certs/ssl-cert.key.pk8

I assume that the devs can fix it so that the correct username gets sent.
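The exchange above turns on two things: the exact shape of the extra connection properties string, and which username the client ends up presenting when the configured one is not sent. The block below is an added example, not code from the thread or from Ignition. It parses a property string of the form posted above, checks that the settings actually give mutual TLS (server verified via sslrootcert, client certificate and key present), and models the username fallback described in the thread: when no user reaches the driver, the connection is attempted as the OS user the process runs as. The rule "username is only sent when a password is set" is a model of the reported 8.3 behaviour, not documented driver logic.

```python
"""Parse PostgreSQL extra connection properties and predict the presented user.

Added example for this thread; not Ignition's or the JDBC driver's code.
Assumptions: properties are given as '?k=v;k=v' (as in the thread); a
missing user falls back to the PGUSER environment variable and then to the
OS account the process runs as (standard libpq/JDBC fallback); and, as a
model of the 8.3 report, the configured username is only sent when a
password is present.
"""
import getpass
from typing import Dict, List, Optional


def parse_extra_props(raw: str) -> Dict[str, str]:
    """Turn '?ssl=true;sslmode=verify-full;...' into a dict."""
    s = raw.strip()
    # The thread suspected surrounding double quotes; strip one layer if present.
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    if s.startswith("?"):
        s = s[1:]
    props: Dict[str, str] = {}
    for pair in (p.strip() for p in s.split(";")):
        if not pair:
            continue
        if "=" not in pair:
            raise ValueError(f"malformed property: {pair!r}")
        key, value = pair.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def mutual_tls_problems(props: Dict[str, str]) -> List[str]:
    """Return reasons the settings do not amount to verified mutual TLS."""
    problems = []
    mode = props.get("sslmode")
    if mode not in ("verify-ca", "verify-full"):
        problems.append("sslmode must be verify-ca or verify-full; other modes skip server verification")
    if mode in ("verify-ca", "verify-full") and "sslrootcert" not in props:
        problems.append("sslrootcert missing: server certificate cannot be verified")
    for key in ("sslcert", "sslkey"):
        if key not in props:
            problems.append(f"{key} missing: no client certificate will be offered")
    return problems


def presented_user(configured_user: Optional[str], password: Optional[str],
                   env_pguser: Optional[str] = None,
                   os_user: Optional[str] = None) -> str:
    """Which username the server will see under the thread's 8.3 model."""
    # Model of the report: the username is only sent alongside a password,
    # and a single space counts as a password ("" does not).
    sent = configured_user if (configured_user and password) else None
    if sent:
        return sent
    if env_pguser:
        return env_pguser
    return os_user if os_user is not None else getpass.getuser()


if __name__ == "__main__":
    # Constructed from the connection string posted in the thread.
    raw = ("?ssl=true;sslmode=verify-full;sslrootcert=/etc/step/certs/root_ca.crt;"
           "sslcert=/etc/step/certs/ssl-cert.pem;sslkey=/etc/step/certs/ssl-cert.key.pk8")
    props = parse_extra_props(raw)
    print("problems:", mutual_tls_problems(props) or "none")
    print("no password  ->", presented_user("ignition_db", "", os_user="ignition"))
    print("space pwd    ->", presented_user("ignition_db", " ", os_user="ignition"))
```

The point of the last two lines: with certificate authentication, the server matches the certificate CN against the presented username (directly or via pg_ident.conf), so a connection that silently arrives as the OS account rather than the configured one fails even though the TLS handshake itself succeeds.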

Thank you for confirming that this works. We will have a fix for that issue but it likely will not come until 8.3.1. I just wanted to confirm that there isn't anything that we might have missed.

Garth