Error -- can't find user

egmsft · October 26, 2023, 1:40pm

OOD with OIDC login is failing. The user account does exist in the environment, but when the user tries to login they get this message:

error – can’t find user

I am pretty new to ood, and would deeply appreciate any help getting past this issue so that the user can access the environment.

jeff.ohrstrom · October 26, 2023, 7:15pm

Hi and welcome!

So what’s happening is we’re trying to map the user from the OIDC system to the local system. The fact that there’s no user there in the message is a clue (it should specify the user like error – can’t find user ktrout).

So that leads me to believe you’re mapping the REMOTE_USER to an empty string. The setting from the OIDC docs you’re looking for is oidc_remote_user_claim. I would guess that it defaults to preferred_username (a quick glance/spot check confirmed this).

So - either the user has no preferred_username (or it’s an empty string) or you’ve set oidc_remote_user_claim to a value that the OIDC system does not have.

https://osc.github.io/ood-documentation/latest/authentication/oidc.html

jeff.ohrstrom · October 27, 2023, 4:35pm

Additionally - you can set the lua_log_level to debug and you’ll see messages about how we’re mapping the REMOTE_USER.

Though you’re likely to just see messages that say what we already know like

mapped user johrstrom@osc.edu => ''

egmsft · October 30, 2023, 12:45pm

I apologize - I omitted part of the error message to not include the username. You are correct that the error message looks more like this:

Error – can’t find user for myuser
Run ‘nginx_stage --help’ to see a full list of available command line options.

Does this error indicate that there is an issue mapping the user from the OIDC system to the local system?

jeff.ohrstrom · October 30, 2023, 1:15pm

OK - let’s use myuser as the example. It appears that myuser is not a local/LDAP system user.

If you have a shell session on the webnode can you issue id myuser (replacing myuser with your actual user). This spot check should tell us if the user is available locally. I would guess that it isn’t.

That said - what version and OS are you running? I do know there’s an issue with 2.0 (maybe 1.8?) and less with some SSSD mappings.

egmsft · October 30, 2023, 3:32pm

Hi, the OOD version is 2.0.29 and the OS is CentOS 7.9. The user is available locally since the output of id myuser looks something like this:

id myuser
uid=NUMBER (myuser) gid=NUMBER (group1) groups=NUMBER (group1), NUMBER (group2)

note - in this case NUMBER is being used to omit the actual values of the uid/gids associated with the user locally.

As root, I can also su as the user in the local environment.

jeff.ohrstrom · October 30, 2023, 3:45pm

OK - I would say increase the lua_log_level to debug in ood_portal.yml and see what the messages around mapping are.

You should see something like this in your /var/log/httpd-httpd24/ logs.

mapped user johrstrom@osc.edu => 'myuser'

I’m also wondering if you’re running into this issue. Looks like we patched it in 2.0.23 - but it appears to be running this after you’ve initialized the user. You can look through this topic on strategies to debug in irb, but the TLDR is that the SSSD configs aren’t quite right (they keep the domain on the username).

github.com/OSC/ondemand

Error configuring Open ondemand for our small RedHat 7.9 HPC cluster

opened 01:45PM - 07 Jan 22 UTC

closed 05:33PM - 07 Feb 22 UTC

Aworwui

Dear All, Kindly help me resolve this issue below. I deployed a new open OnDeman…d system on our small redhat HPC cluster. the ood is running on centOS 7.9 configured with OnDemand-dex with freeipa IdM which integrate with Microsoft AD such that some users account are directly create on freeipa and others from the Microsoft AD. All users can ssh through ood node terminal to the cluster. However, only the user login created in freeipa can login through ood web UI. secondly, these successful logins also gives the error message below. Error -- nginx: [emerg] bind() to unix:/var/run/ondemand-nginx/mftest@mendy.mrc.gm/passenger.sock failed (98: Address already in use) nginx: [emerg] bind() to unix:/var/run/ondemand-nginx/mftest@mendy.mrc.gm/passenger.sock failed (98: Address already in use) nginx: [emerg] bind() to unix:/var/run/ondemand-nginx/mftest@mendy.mrc.gm/passenger.sock failed (98: Address already in use) nginx: [emerg] bind() to unix:/var/run/ondemand-nginx/mftest@mendy.mrc.gm/passenger.sock failed (98: Address already in use) nginx: [emerg] bind() to unix:/var/run/ondemand-nginx/mftest@mendy.mrc.gm/passenger.sock failed (98: Address already in use) nginx: [emerg] still could not bind() ┆Issue is synchronized with this [Asana task](https://app.asana.com/0/1201735133575781/1201737341353196) by [Unito](https://www.unito.io)

egmsft · October 31, 2023, 7:27pm

Hey Jeff,

After reviewing the linked issue. I recalled a peculiarity about the user that is facing the problem I reported. All of the users in the environment have a username that looks like this:

firstname.lastname

However, the user in question had a fairly long name and reached a character limit in the OOD environment. Consequently, his user account is more like this:
firstname.lastn

Essentially, we omitted the last few characters from his username. I suspect that what is going on is that when the user tries to auth via oidc, OOD is expecting firstname.lastn for the username and instead it’s getting something like: firstname.lastname.

What would you recommend that I do to confirm that this is what is happening, and how can I ensure that OOD can map the user appropriately?

jeff.ohrstrom · October 31, 2023, 7:48pm

You’ve been omitting the names throughout this thread - but to confirm this is what happening, I’d spot check the error message. It should look like this: I.e., the full string with lastname completely.

error – can’t find user for username.lastname

What OIDC system are you using and are you able to change this users’ preferred_username attribute? I think that would be the simplest/straight forward thing to do. (perhaps you can edit the same field in LDAP?)

Forcing your OIDC system to return firstname.lastn instead of firstname.lastname is the best bet here, otherwise you’re going to get a bit hacky to take care of this edge case, which I can tell you, but I’d like to try this first.

system · April 28, 2024, 7:49pm

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
LUA Error -- 500 Get Help	12	43	December 17, 2024
LDAP authentication issues - user not found Get Help question	13	8591	May 26, 2022
Keycloak user mapping error Get Help question	3	149	May 25, 2024
OIDC+SSSD error on login Get Help	27	60	December 16, 2024
Map_fail_uri: "/register" stopped working Get Help ondemand2 , question	2	942	September 4, 2023

Error -- can't find user

Related topics