LDAP authentication issues


Gilles O

Jul 4, 2016, 7:26:22 AM
to scalr-discuss
Hi,

this is what I get when authenticating using LDAP credentials:
Could not perform ldap_search. Protocol error
35:19 - LdapClient v-0.5
35:19 - isValidUser is called.
35:19 - LDAP Server is:ldap://server.example.com port:389 - OK
35:19 - Bind username:UID=loginname,OU=User,OU=People,DC=example,DC=com password:********* - OK
35:19 - Query baseDn (2):UID=loginname,OU=User,OU=People,DC=example,DC=com  filter:(&(&(objectClass=posixAccount))(UID=*)), attributes: dn, memberof, mail, givenname - OK
35:19 - Query result count: 1
35:19 - Email has been retrieved: first...@example.com
35:19 - Full name has been retrieved: givenNameValue
35:19 - Query result memberofDn: 1
35:19 - Query result DN: uid=loginname,ou=User,ou=People,dc=example,dc=com
35:19 - Bind username:uid=loginname,ou=User,ou=People,dc=example,dc=com password:********* - OK
35:19 - getUserGroups is called.
35:19 - Query user's groups baseDn:OU=CloudProject,OU=Group,DC=example,DC=com filter: - Failed



A manual LDAP search made (anonymously) returns:

ldapsearch -H ldap://localhost -x -b ou=CloudProject,ou=Group,dc=example,dc=com '(&(objectClass=groupOfNames))'  cn

# extended LDIF
#
# LDAPv3
# base <ou=CloudProject,ou=Group,dc=example,dc=com> with scope subtree
# filter: (&(objectClass=groupOfNames))
# requesting: cn 
#

# Audes, AUDES, Enedis, Group, enedis.oper
dn: cn=groupname,ou=businessUnitName,ou=CloudProject,ou=Group,dc=example,dc=com
cn: groupname

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


This is my scalr-server.rb config:

:ldap => {
  # Tells Scalr what LDAP server to connect to
  :bind_type => 'openldap',
  :host => 'ldap://server.example.com',
  :port => '389',

  # Tells Scalr where to look at for users and groups
  :base_dn => 'OU=User,OU=People,DC=example,DC=com',
  :base_dn_groups => 'OU=cloudProject,OU=Group,DC=example,DC=com',

  # Tells Scalr what attributes to look at
  :username_attribute => 'UID',
  :groupname_attribute => 'CN',

  # Tells Scalr the attribute that contains the user's fullName attribute
  :fullname_attribute => 'givenName',
  :mail_attribute => 'mail',

  # Tells Scalr how group membership is represented
  :group_member_attribute_type => 'member',
  :group_nesting => 0,

  # Tells Scalr to use filters to speed up queries
  :filter => {
    :users => '(&(objectClass=posixAccount))',
    :groups => '(&(objectClass=groupOfNames))',
  },

  # Uncomment for debug output if you can't login
  :debug => 1,
}

I understand that:
- the initial bind is successful (it says the password is OK, and the additional attributes (like mail and givenName) are clean).
- the subsequent getUserGroups routine call seems to be using a wrong filter somehow.

Other symptoms I've got:
when creating teams, no members are fetched whatever the filter value I set up.

Is there something I can have a look into? Do you have some suggestions?
Thanks

Marc O'Brien

Jul 5, 2016, 6:17:41 PM
to scalr-discuss
Hi Gilles,

Could you confirm your Scalr version?

Many thanks,
Wm. Marc O'Brien
Scalr Technical Support

Gilles O

Jul 6, 2016, 2:37:35 AM
to scalr-discuss
Hi Marc,
The Scalr version I run is:
5.11.22 (Community Edition)
3fb5fbe (Fri, 24 Jun 2016 13:44:50 +0300)
3fb5fbe4372a6c5ab75bd9c42f75a169f864c4d4

Thanks
G

Marc O'Brien

Jul 6, 2016, 9:14:50 PM
to scalr-discuss
Hi Gilles,

Could you also provide an example of your user and group objects from AD?


Many thanks,
Wm. Marc O'Brien
Scalr Technical Support

Jay Farschman

Jul 7, 2016, 9:29:53 AM
to scalr-discuss
Gilles,

I woke up this morning, had some coffee and looked at your scalr-server.rb file again. I believe you have a problem here:

:bind_type => 'openldap',

The bind_type options are "simple" or "regular" and I'm not sure what would happen if you placed a value like "openldap" in that field. I suspect it would use the default, which is "regular", and you probably want to use "Simple". There is more information about this in the Advanced Configuration page of the Wiki:


I hope that helps.

Gilles O

Jul 8, 2016, 3:13:57 AM
to scalr-discuss
Hi Jay, Marc,

Thanks for pointing these out.
- I changed :bind_type to simple.
- Using the full DN as login (uid=xyz,ou=User,ou=People,dc=example,dc=com), it was possible to authenticate. But I still can't log in...

The message is now a bit different:

You don't have access to any account.
49:25 - LdapClient v-0.5
49:25 - isValidUser is called.
49:25 - LDAP Server is:ldap://server.example.com port:389 - OK
49:25 - Bind username:uid=xyz,ou=user,ou=people,dc=example,dc=com password:********* - OK
49:25 - Query baseDn (2):uid=xyz,ou=user,ou=people,dc=example,dc=com  filter:(&(&(objectClass=posixAccount))(uid=*)), attributes: dn, memberof, mail, givenname - OK
49:25 - Query result count: 1
49:25 - Email has been retrieved: firstname...@example.com
49:25 - Full name has been retrieved: xyz
49:25 - Query result memberofDn: 1
49:25 - Query result DN: uid=xyz,ou=User,ou=People,dc=example,dc=com
49:25 - Bind username:uid=xyz,ou=User,ou=People,dc=example,dc=com password:********* - OK
49:25 - getUserGroups is called.
49:25 - Query user's groups baseDn:OU=scalR1,OU=ABC,DC=example,DC=com  filter:(&(&(objectClass=groupOfNames))(member=uid=xyz,ou=User,ou=People,dc=examples,dc=com)) - OK
49:25 - Found groups: Group1

So it seems my user is not bound to any account.
How can this be done?
How do LDAP users display in the user management screens? How are individual LDAP users or LDAP groups bound to teams?

I noticed that once LDAP is configured, it's no longer possible to create a new user (the button is gone).
Thanks for any further advice.
Rgds,
G
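The two debug traces in this thread show the same group lookup with an empty filter (the failing run, "filter: - Failed") and with a fully built one (the working run, "(&(&(objectClass=groupOfNames))(member=uid=xyz,...))"). The following is an added example, not Scalr's own code, that reconstructs that filter from the config keys shown above, validates the configuration before querying, escapes the user DN per RFC 4515 so a login containing filter metacharacters cannot change the query's structure, and reads group names out of an ldapsearch-style LDIF result such as the one posted in the first message. The Python dict, the function names and the sample LDIF are this example's own constructions.

```python
import base64

# Constructed config mirroring the thread's scalr-server.rb keys (values are the page's).
LDAP_CONFIG = {
    "base_dn_groups": "OU=CloudProject,OU=Group,DC=example,DC=com",
    "groupname_attribute": "CN",
    "group_member_attribute_type": "member",
    "filter": {
        "users": "(&(objectClass=posixAccount))",
        "groups": "(&(objectClass=groupOfNames))",
    },
}

# Constructed LDIF, shaped like the ldapsearch output in the first post.
SAMPLE_LDIF = """\
# extended LDIF
# base <ou=CloudProject,ou=Group,dc=example,dc=com> with scope subtree
# filter: (&(objectClass=groupOfNames))
# requesting: cn

dn: cn=groupname,ou=businessUnitName,ou=CloudProject,ou=Group,dc=example,dc=com
cn: groupname

# search result
search: 2
result: 0 Success
"""


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 section 3 so that ( ) * \\ and NUL
    inside a DN or login are matched literally instead of parsed as filter syntax."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def filter_is_balanced(f: str) -> bool:
    """Cheap structural check: non-empty, wrapped in parentheses, balanced."""
    if not f or f[0] != "(" or f[-1] != ")":
        return False
    depth = 0
    for ch in f:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def config_problems(config: dict) -> list[str]:
    """Return human-readable problems that would make the group query fail,
    e.g. an empty groups filter (what the first trace's 'filter: - Failed' looks like)."""
    problems = []
    if not config.get("base_dn_groups"):
        problems.append("base_dn_groups is empty")
    if not config.get("group_member_attribute_type"):
        problems.append("group_member_attribute_type is empty (e.g. 'member')")
    groups_filter = config.get("filter", {}).get("groups", "")
    if not filter_is_balanced(groups_filter):
        problems.append(f"filter.groups is not a valid LDAP filter: {groups_filter!r}")
    return problems


def build_group_filter(config: dict, user_dn: str) -> str:
    """Combine the configured groups filter with a membership assertion, giving the
    shape seen in the working trace: (&(<groups filter>)(<member attr>=<user DN>))."""
    problems = config_problems(config)
    if problems:
        raise ValueError("; ".join(problems))
    member_attr = config["group_member_attribute_type"]
    return f"(&{config['filter']['groups']}({member_attr}={escape_filter_value(user_dn)}))"


def group_names_from_ldif(ldif: str, name_attr: str) -> list[str]:
    """Collect <name_attr> values from each LDIF entry. An entry starts at 'dn:' and
    ends at a blank line; '#' comment lines and the trailing result summary are skipped.
    A double colon ('cn:: ...') marks a base64-encoded value, which is decoded."""
    names, in_entry = [], False
    for line in ldif.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            in_entry = False
            continue
        if line.startswith("dn:"):
            in_entry = True
            continue
        if in_entry and ":" in line:
            attr, _, value = line.partition(":")
            if attr.strip().lower() != name_attr.lower():
                continue
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            names.append(value.strip())
    return names


if __name__ == "__main__":
    user_dn = "uid=xyz,ou=User,ou=People,dc=example,dc=com"
    print("group filter:", build_group_filter(LDAP_CONFIG, user_dn))
    print("found groups:", group_names_from_ldif(SAMPLE_LDIF, LDAP_CONFIG["groupname_attribute"]))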

Vitaliy Demidov

Jul 8, 2016, 3:27:20 AM
to scalr-...@googlegroups.com
Hi Gilles,
Is "Group1" attached to any Environment of your Account (see ACCESSIBLE BY LDAP GROUPS)? It can be done by an admin user on the Environment page. The admin user is still able to sign in to Scalr using login and password.

Vitaliy


Gilles O

Jul 13, 2016, 10:58:22 AM
to scalr-discuss
Apologies for my silence;
I think I understand how it works now.
Thanks for pointing this out.