
Re: syncing ldap groups with openshift 1.4



Hi Rodrigo,

Yea, I figured as much. I am kinda tearing my hair out. It's certainly possible there's something wrong with my user input, but trying to figure out why it's having problems is really difficult. I have actually started tracing through the actual Go code to see if I can figure out why it's having such problems. Here's my latest configuration. It's not much different than what you have, except the groupNameAttributes is set to cn instead of ou. I even tcpdumped the LDAP communication -- nada.

kind: LDAPSyncConfig
apiVersion: v1
url: ldap://server:389 
insecure: true 
rfc2307:
    groupsQuery:
        baseDN: "ou=Group,dc=acme,dc=net"
        scope: sub 
        derefAliases: never
        pageSize: 0
        filter: (objectClass=posixGroup)
    groupUIDAttribute: dn  
    groupNameAttributes: [ cn ] 
    groupMembershipAttributes: [ memberUid ] 
    usersQuery:
        baseDN: "ou=People,dc=acme,dc=net"
        scope: sub 
        derefAliases: never
        pageSize: 0
    userUIDAttribute: dn
    userNameAttributes: [ uid ]
    tolerateMemberNotFoundErrors: false
    tolerateMemberOutOfScopeErrors: false

It successfully finds the group and the list of users in the group. But when it tries to do a membership lookup, it fails with the following. I don't know why it's having this particular problem with the DN. Is it somehow having an issue trying to create the user DN and matching that to the memberUid attribute in the group?

membership lookup for user "jdoe" in group "cn=staff,ou=Group,dc=acme,dc=net" failed because of "could not search by dn, invalid dn value: DN ended with incomplete type, value pair"


Here are the logs.

I0321 14:26:17.070608  130788 groupsyncer.go:56] Listing with &{[cn=staff,ou=Group,dc=acme,dc=net]}
I0321 14:26:17.070699  130788 groupsyncer.go:62] Sync ldapGroupUIDs [cn=staff,ou=Group,dc=acme,dc=net]
I0321 14:26:17.070707  130788 groupsyncer.go:65] Checking LDAP group cn=staff,ou=Group,dc=acme,dc=net
I0321 14:26:17.071770  130788 query.go:228] searching LDAP server with config {Scheme: ldap Host: server:389 BindDN:  len(BbindPassword): 0 Insecure: true} with dn="cn=staff,ou=Group,dc=acme,dc=net" and scope 0 for (objectClass=*) requesting [cn dn memberUid]
I0321 14:26:17.075034  130788 query.go:245] found dn="cn=staff,ou=Group,dc=acme,dc=net"
I0321 14:26:17.075052  130788 query.go:198] found dn="cn=staff,ou=Group,dc=acme,dc=net" for (objectClass=*)
Error determining LDAP group membership for "cn=staff,ou=Group,dc=acme,dc=net": membership lookup for user "jgutierr" in group "cn=staff,ou=Group,dc=acme,dc=net" failed because of "could not search by dn, invalid dn value: DN ended with incomplete type, value pair".
apiVersion: v1
items: []
kind: List 
metadata: {}
membership lookup for user "jdoe" in group "cn=staff,ou=Group,dc=acme,dc=net" failed because of "could not search by dn, invalid dn value: DN ended with incomplete type, value pair"

On Tue, Mar 21, 2017 at 2:23 PM, Rodrigo Bersa <rbersa redhat com> wrote:
Hi Joseph,

Yes, it's not possible to do a sync without an objectClass, but it is possible to use DN as objectClass. I had some problems syncing the LDAP groups in a client before, and after changing the scopes and attributes a lot of times, I got this LDAPSyncConfig to work correctly. I think that you just need to find the right parameters =).

kind: LDAPSyncConfig
apiVersion: v1
url: "ldap://ldapserver.client.com.br"
insecure: true
bindDN: "uid=openShiftAdm,ou=openShift,ou=accounts,O=CLIENT.COM"
bindPassword: "password"
rfc2307:
    groupsQuery:
        baseDN: "ou=openShift,ou=accounts,o=client.com"
        scope: sub
        derefAliases: never
        filter: (objectClass=groupOfNames)
    groupUIDAttribute: dn
    groupNameAttributes: [ ou ]
    groupMembershipAttributes: [ member ]
    usersQuery:
        baseDN: "O=CLIENT.COM"
        scope: sub
        derefAliases: never
    userUIDAttribute: dn
    userNameAttributes: [ uid ]
    tolerateMemberNotFoundErrors: false
    tolerateMemberOutOfScopeErrors: false

Hope this can help!!

Regards,


Rodrigo Bersa
Cloud Consultant | Red Hat Brasil
rbersa@redhat.com | M: +55 11 9 9557-5841
Av. Brigadeiro Faria Lima 3900, 8th floor. São Paulo, Brazil.
RED HAT | TRIED. TESTED. TRUSTED. Find out why at redhat.com

On Tue, Mar 21, 2017 at 10:02 AM, Joseph Lorenzini <jaloren gmail com> wrote:
Hi all,

I am following the documentation here:


I used a yaml config here:


Which failed with:

error: validation of LDAP sync config failed: usersQuery.filter: Invalid value: "(objectclass=inetOrgPerson)": cannot specify a filter when using "dn" as the UID attribute

Seems like the bug here in the docs has not actually been fixed.

But okay, so you can't use DN with an object class filter, that's fine. So then I tried it without an object class but left everything else the same, and now I see this:

error: validation of LDAP sync config failed: groupsQuery.filter: Invalid value: "": invalid query filter: LDAP Result Code 201 "": ldap: filter does not start with an '('

So if I can't use an object class with a DN as the UID attribute and I can't do a sync without an object class, my questions are: how does one get this to work where the DN is the UID attribute and if DN is not acceptable for the UID attribute, then what is?

Thanks,

Joe


_______________________________________________
users mailing list
users lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users



