I installed OnDemand on Rocky with a valid domain name and certificate; however, none of the OpenID services can log in to OnDemand. All have the same error after successfully logging in at the OpenID provider: it cannot redirect to the Open OnDemand session, “Error – failed to map user …”.
I tried Keycloak, Dex with LDAP, and Google ID; all give the same error.
As long as you have ondemand-dex installed it’ll use some defaults. If you’re trying to use google directly (which is fine), then you have to remove that package first.
Once you remove that package, I’m sure keycloak or google directly would work.
Thank you for the response. Yes, I have removed ondemand-dex, and sometimes I create new machines without installing it at all. However, even when I can identify with Keycloak and others, when it redirects to OnDemand the error shows up: “Error – failed to map user …”
Maybe there is a problem in the Rocky VM, permissions; really, I don’t understand.
My setup:
vm_1: Rocky 8.7 with domain name and SSL (I have tested the same also on Ubuntu)
vm_2: Keycloak with domain name for example
install OnDemand 3.0 as in the instructions
create client ondemand, and create some users in Keycloak
user_map_match: '.*'
When I go to OnDemand, it redirects me to Keycloak, then I succeed in logging in, but then the error comes.
With this config, you should be able to map any user. In fact you should be getting a different error about not being able to find the nassim09@gmail.com user.
The only thing I can think of is you’re using user_map_cmd and that’s overriding user_map_match.
If you search the conf file for MATCH, what does this return? What’s being used in the apache config?
[root@3384d5b1413f ~]# grep MATCH /etc/httpd/conf.d/ood-portal.conf
SetEnv OOD_USER_MAP_MATCH "^([^@]+)@.*$"
I have generated another VM and installed OnDemand from scratch and without Dex, configured it with OpenID and tested it with Keycloak and Google, and the same error appears!
I have this output (SELinux disabled):
[rocky@ondemand ~]$ sudo grep MATCH /etc/httpd/conf.d/ood-portal.conf
SetEnv OOD_USER_MAP_MATCH ".*"
Sometimes when I play with user_map_match or cmd using a simple mapping script, I have these errors:
Error – can’t find user for nassim09
Run ‘nginx_stage --help’ to see a full list of available command line options.
LOGS:
@/opt/ood/mod_ood_proxy/lib/ood/user_map.lua(21): Mapped ‘nassim09@gmail.com’ => ‘nassim09’ [13.879 ms]
…
AH01487: request_rec->dispatching info → lua_CFunction
[Wed Apr 12 08:56:45.887083 2023] [lua:info] [pid 98960:tid 140395515041536] [client 41.110.187.86:50709] req_handler=“” req_protocol=“HTTP/1.1” req_origin=“” res_content_length=“116” res_content_language=“” res_content_disp=“” req_filename=“/var/www/html/pun” req_accept_encoding=“gzip, deflate, br” req_accept_language=“fr” req_accept=“text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7” req_method=“GET” allowed_hosts=“plateforms” res_content_location=“” req_hostname=“plateforms” req_is_https=“true” res_location=“” log_id=“ZDZyRtDoEpM08@EME0-jBgAAAIQ” req_cache_control=“max-age=0” req_content_type=“” req_server_name=“plateforms” local_user=“nassim09” res_content_encoding=“” req_is_websocket=“false” req_user_ip= " req_uri=“/pun/sys/dashboard” time_user_map=“13.879” time_proxy=“0” log_time=“2023-04-12T08:56:45.886174.0Z” res_content_type=“” req_referer=“” req_port=“443” remote_user="nassim09@gmail.com" req_status=“404” req_accept_charset=“” log_hook=“ood” req_user_agent=“Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.62”
The configuration that got you here is good. This is what you’d want to see. Of course you need to actually have the Linux local user nassim09. That’s what this error is referring to: we’re able to map you correctly to a user, only that user doesn’t exist on the system. Without tying into an LDAP you’d have to create these users manually.
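
Added example, not part of the thread or of Open OnDemand's own code: a Python sketch of the two stages discussed above, mapping the authenticated identity with `user_map_match` and then looking up the local account, so the two error messages can be told apart. It assumes the mapped name is the first capture group when the pattern has one and the whole match otherwise; the `example.org` identities, the `PINNED` pattern and the function names are constructed for illustration.

```python
import pwd
import re

# user_map_match values quoted in the thread
STRIP_DOMAIN = r"^([^@]+)@.*$"
MATCH_ALL = r".*"
# Constructed, stricter pattern: accept only one identity-provider domain
PINNED = r"^([^@]+)@example\.org$"


def map_user(remote_user, pattern):
    """Return the local name for remote_user, or None if the pattern does not match.

    Assumption: first capture group if the pattern defines one, else the whole match.
    """
    m = re.search(pattern, remote_user)
    if m is None:
        return None
    name = m.group(1) if m.re.groups else m.group(0)
    return name or None


def local_account_exists(name):
    """True if the name resolves through NSS (local passwd, or LDAP/SSSD if configured)."""
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


def diagnose(remote_user, pattern, exists=local_account_exists):
    """Classify a login as 'ok', 'failed to map user' or "can't find user"."""
    name = map_user(remote_user, pattern)
    if name is None:
        return ("failed to map user", None)
    if not exists(name):
        return ("can't find user", name)
    return ("ok", name)


if __name__ == "__main__":
    accounts = {"alice"}  # constructed stand-in for the passwd database
    for pattern in (MATCH_ALL, STRIP_DOMAIN, PINNED):
        for identity in ("alice@example.org", "alice@other.example"):
            print(pattern, identity, diagnose(identity, pattern, accounts.__contains__))
```

With `STRIP_DOMAIN`, both constructed identities resolve to the same local account `alice`, which matters when the provider accepts accounts from any domain; `PINNED` rejects the second identity at the mapping stage.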