
RE: users Digest, Vol 56, Issue 44 -ldap sync



Hi Joseph,

Have you tried setting both of these to cn?  Or changing both to uid?

    userUIDAttribute: dn
    userNameAttributes: [ uid ]

I think we changed all of our attributes to cn for example to get it working.

attributes:
    id: ['cn']
    name: ['cn']
    preferredUsername: ['cn']


-----Original Message-----
From: users-bounces lists openshift redhat com [mailto:users-bounces lists openshift redhat com] On Behalf Of users-request lists openshift redhat com
Sent: Tuesday, March 21, 2017 2:47 PM
To: users lists openshift redhat com
Subject: users Digest, Vol 56, Issue 44


Today's Topics:

   1. Re: syncing ldap groups with openshift 1.4 (Joseph Lorenzini)
   2. Re: syncing ldap groups with openshift 1.4 (Rodrigo Bersa)


----------------------------------------------------------------------

Message: 1
Date: Tue, 21 Mar 2017 14:34:28 -0500
From: Joseph Lorenzini <jaloren gmail com>
To: Rodrigo Bersa <rbersa redhat com>
Cc: users lists openshift redhat com
Subject: Re: syncing ldap groups with openshift 1.4
Message-ID:
<CAMvD0VJjHxkRDtb-LqA-hPULF-V2imvisaz1Akdkf4N305noLg mail gmail com>
Content-Type: text/plain; charset="utf-8"

Hi Rodrigo,

Yea, I figured as much. I am kinda tearing my hair out. It's certainly possible there's something wrong with my user input, but trying to figure out why it's having a problem is really difficult. I have actually started tracing through the actual Go code to see if I can figure out why it's having such problems. Here's my latest configuration. It's not much different from what you have, except the groupNameAttributes is set to cn instead of ou. I even tcpdumped the LDAP communication -- nada.

kind: LDAPSyncConfig
apiVersion: v1
url: ldap://server:389
insecure: true
rfc2307:
    groupsQuery:
        baseDN: "ou=Group,dc=acme,dc=net"
        scope: sub
        derefAliases: never
        pageSize: 0
        filter: (objectClass=posixGroup)
    groupUIDAttribute: dn
    groupNameAttributes: [ cn ]
    groupMembershipAttributes: [ memberUid ]
    usersQuery:
        baseDN: "ou=People,dc=acme,dc=net"
        scope: sub
        derefAliases: never
        pageSize: 0
    userUIDAttribute: dn
    userNameAttributes: [ uid ]
    tolerateMemberNotFoundErrors: false
    tolerateMemberOutOfScopeErrors: false


It successfully finds the group *and* the list of users in the group. But when it tries to do a membership lookup, it fails with the following. I don't know why it's having this particular problem with the DN. Is it somehow having an issue trying to create the user DN and matching that to the memberUid attribute in the group?

membership lookup for user "jdoe" in group "cn=staff,ou=Group,dc=acme,dc=net" failed because of "could not search by dn, invalid dn value: DN ended with incomplete type, value pair"


Here are the logs.

I0321 14:26:17.070608  130788 groupsyncer.go:56] Listing with &{[cn=staff,ou=Group,dc=acme,dc=net]}
I0321 14:26:17.070699  130788 groupsyncer.go:62] Sync ldapGroupUIDs [cn=staff,ou=Group,dc=acme,dc=net]
I0321 14:26:17.070707  130788 groupsyncer.go:65] Checking LDAP group cn=staff,ou=Group,dc=acme,dc=net
I0321 14:26:17.071770  130788 query.go:228] searching LDAP server with config {Scheme: ldap Host: server:389 BindDN:  len(BbindPassword): 0 Insecure: true} with dn="cn=staff,ou=Group,dc=acme,dc=net" and scope 0 for (objectClass=*) requesting [cn dn memberUid]
I0321 14:26:17.075034  130788 query.go:245] found dn="cn=staff,ou=Group,dc=acme,dc=net"
I0321 14:26:17.075052  130788 query.go:198] found dn="cn=staff,ou=Group,dc=acme,dc=net" for (objectClass=*)
Error determining LDAP group membership for "cn=staff,ou=Group,dc=acme,dc=net": membership lookup for user "jgutierr" in group "cn=staff,ou=Group,dc=acme,dc=net" failed because of "could not search by dn, invalid dn value: DN ended with incomplete type, value pair".
apiVersion: v1
items: []
kind: List
metadata: {}
membership lookup for user "jdoe" in group "cn=staff,ou=Group,dc=acme,dc=net" failed because of "could not search by dn, invalid dn value: DN ended with incomplete type, value pair"
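An added example (not code from this thread or from OpenShift's own sync tool) that models how an rfc2307 sync resolves the values of memberUid under the two userUIDAttribute settings discussed above: with "dn" each value is parsed as a full DN, so a bare uid like "jdoe" fails exactly as in the logs; with "uid" the value is searched for under usersQuery.baseDN and resolves. The directory entries, user DNs and the minimal DN parser are constructed for the example.

```python
# Constructed stand-in for the LDAP directory: DN -> attributes (sample data, not real).
DIRECTORY = {
    "cn=staff,ou=Group,dc=acme,dc=net": {
        "objectClass": ["posixGroup"], "cn": ["staff"], "memberUid": ["jdoe", "jgutierr"],
    },
    "uid=jdoe,ou=People,dc=acme,dc=net": {"uid": ["jdoe"], "cn": ["John Doe"]},
    "uid=jgutierr,ou=People,dc=acme,dc=net": {"uid": ["jgutierr"], "cn": ["J Gutierrez"]},
}


class InvalidDN(ValueError):
    pass


def parse_dn(value):
    """Minimal DN parser: every comma-separated RDN must be 'type=value'.
    A component with no '=' produces the same message the syncer logged."""
    rdns = []
    for rdn in value.split(","):
        if "=" not in rdn:
            raise InvalidDN("DN ended with incomplete type, value pair")
        attr_type, attr_value = rdn.split("=", 1)
        rdns.append((attr_type.strip().lower(), attr_value.strip()))
    return rdns


def lookup_user(member_value, user_uid_attribute, users_base_dn):
    """userUIDAttribute: dn  -> treat the membership value as a full DN.
    Any other attribute      -> search under usersQuery.baseDN for attribute=value."""
    if user_uid_attribute == "dn":
        parse_dn(member_value)  # raises InvalidDN for a bare uid such as "jdoe"
        return DIRECTORY.get(member_value)
    for dn, attrs in DIRECTORY.items():
        in_scope = dn.lower().endswith(users_base_dn.lower())
        if in_scope and member_value in attrs.get(user_uid_attribute, []):
            return attrs
    return None


def sync_group(group_dn, user_uid_attribute, membership_attribute="memberUid",
               users_base_dn="ou=People,dc=acme,dc=net"):
    """Return the resolved member entries, or the error string the sync would report."""
    members = []
    for value in DIRECTORY[group_dn].get(membership_attribute, []):
        try:
            entry = lookup_user(value, user_uid_attribute, users_base_dn)
        except InvalidDN as exc:
            return (f'membership lookup for user "{value}" in group "{group_dn}" failed '
                    f'because of "could not search by dn, invalid dn value: {exc}"')
        if entry is None:
            return f'user "{value}" not found under {users_base_dn}'
        members.append(entry)
    return members
```

Running sync_group with "dn" returns the failure string from the thread, while "uid" returns both user entries; the same mismatch applies to any membership attribute that stores identifiers rather than DNs.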


