We are trying to authenticate our users with LDAP for the ood and we have encountered some issues.
I should mention that our LDAP service doesn’t provide uid/shell/home directory; rather it only provides specific groups and user authentication. What we want here is that users get authenticated with LDAP and just use the cluster uid/gids/home dirs that were assigned to them. This should be similar to the “/opt/rh/httpd24/root/etc/httpd/.htpasswd” $USER, where $USER configs are defined already in the cluster. All we need here is to switch the authentication part to the LDAP server, not using uid/gid/etc. from LDAP.
We are able to search the LDAP database and retrieve information on the users. We bind to LDAP with a permitted user first, and then retrieve information from LDAP. The problem occurs when we modify /etc/ood/config/ood_portal.yml, update and restart: no user can authenticate. Looking at /var/log/httpd24/error_log I can see this message:
user … not found: /pun/sys/dashboard
Which means the binding part went OK, but then LDAP cannot find the user, while it appears in the LDAP search query?
We would really appreciate any comment/feedback/help on how we can go about debugging this.
Here are some items to look at from this topic. One is setting debug logs; the other is being sure that your query is right. Your suspicion is likely correct: binding works, but the query or result is somehow wrong.
NP! And yea, the second bit of that post is about ensuring the ldap query string is correct. My hint is to hack around with the ldapsearch command and try to find a user with the appropriate base dn and attributes manually then translate that into an apache config.
Yeah, thanks for the second part, it’s helpful. I think it’s about the attribute now. Each LDAP server is unique in terms of what it uses for the attributes; from what I see it’s neither uid nor sAMAccountName for us but something like “name”.
Now, after the latest update to the attributes, I get this error. Any thoughts?
Error – nginx: [emerg] bind() to unix:/var/run/ondemand-nginx/*/passenger.sock failed (98: Address already in use)
Seems like the socket is busy elsewhere. How can I reset and redo this part?
Ok, thanks, great, I am able to do the authentication now.
But the same error appears for other users.
Is it important that the binder username/password is a different service account?
For testing purposes, I am using my account to do the binding…
Do you have a sample on how to specify usage of users’ creds for authorization? I tried a few things but could only get Auth binding with the user password to work.
The other users issue still exists. I can get queries for other users using the same base DN. I don’t put the attribute part in the query (?name) in this case.
When I authenticate as my account, things look normal. I can see in the logs that the authentication is accepted.
But with other users, here is the error:
[Tue Feb 25 11:42:59.810470 2020] [authnz_ldap:info] [pid 9876] [client ] AH01695: auth_ldap authenticate: user $USER authentication failed; URI /pun/sys/dashboard [User not found][No such object]
[Tue Feb 25 11:42:59.810519 2020] [auth_basic:error] [pid 9876] [client ] AH01618: user $USER not found: /pun/sys/dashboard
Any ideas what to look for?
The only difference I could say is that I initially set up simple HTTP passwd authentication for my account. Later on it was changed to LDAP, which works now.
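To make the two debugging steps suggested earlier in this thread concrete (reproducing Apache's lookup with ldapsearch, and reading the authnz_ldap lines in error_log), here is an added helper script. It is not part of Open OnDemand or of any poster's configuration: the AuthLDAPURL, bind DN, host names and the log lines it operates on are constructed samples modelled on the error_log excerpt above, and the way it assembles the search filter follows the mod_authnz_ldap documentation ("(&(filter)(attribute=username))" under the base DN, with uid / sub / (objectClass=*) as the defaults for omitted URL parts).

```python
"""Debugging helpers for Apache mod_authnz_ldap "user not found" failures.

Added example, not Open OnDemand project code. It (1) splits an AuthLDAPURL
into the parts Apache documents, (2) builds the ldapsearch command that mirrors
the lookup Apache performs before it ever tests the password, and (3) classifies
authnz_ldap error_log lines so a "search returned no entry" failure can be told
apart from a wrong-password bind failure.
"""
import re
from urllib.parse import unquote

# Apache's documented defaults for omitted AuthLDAPURL components.
DEFAULT_ATTRIBUTE = "uid"
DEFAULT_SCOPE = "sub"
DEFAULT_FILTER = "(objectClass=*)"


def parse_auth_ldap_url(url):
    """Split ldap[s]://host[:port]/basedn?attribute?scope?filter into a dict."""
    m = re.match(r"^(ldaps?)://([^/]+)/(.*)$", url.strip())
    if not m:
        raise ValueError("not an ldap:// or ldaps:// URL: %r" % url)
    scheme, host, rest = m.groups()
    parts = rest.split("?")  # the '?' separators are literal in this URL shape
    return {
        "scheme": scheme,
        "host": host,
        "base_dn": unquote(parts[0]),
        "attribute": parts[1] if len(parts) > 1 and parts[1] else DEFAULT_ATTRIBUTE,
        "scope": parts[2] if len(parts) > 2 and parts[2] else DEFAULT_SCOPE,
        "filter": unquote(parts[3]) if len(parts) > 3 and parts[3] else DEFAULT_FILTER,
    }


def escape_filter_value(value):
    """RFC 4515 escaping, so a login name cannot alter the search filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def ldapsearch_argv(url, username, bind_dn):
    """ldapsearch argv reproducing Apache's lookup: bound as AuthLDAPBindDN,
    searching (&(filter)(attribute=username)) under the base DN. If this returns
    no entry, Apache logs "[User not found][No such object]" without ever
    trying the user's password."""
    p = parse_auth_ldap_url(url)
    search_filter = "(&%s(%s=%s))" % (p["filter"], p["attribute"], escape_filter_value(username))
    return ["ldapsearch", "-x", "-H", "%s://%s" % (p["scheme"], p["host"]),
            "-D", bind_dn, "-W", "-b", p["base_dn"], "-s", p["scope"],
            search_filter, p["attribute"]]


# Only authnz_ldap lines carry the reason; auth_basic's AH01618 line is an echo.
LOG_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[authnz_ldap:(?P<level>\w+)\] \[pid \d+\] \[client [^\]]*\] "
    r"(?P<code>AH\d+): auth_ldap authenticate: (?P<msg>.*)$")
FAILED = re.compile(r"user (\S+) authentication failed; URI (\S+) \[(.*?)\]\[(.*?)\]$")


def classify_line(line):
    """Return {'user', 'outcome', 'hint'} for an authnz_ldap line, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    acc = re.match(r"accepting (\S+)$", msg)
    if acc:
        return {"user": acc.group(1), "outcome": "accepted", "hint": "search and bind both succeeded"}
    fail = FAILED.match(msg)
    if not fail:
        return {"user": None, "outcome": "unparsed", "hint": msg}
    user, _uri, reason, detail = fail.groups()
    if reason == "User not found":
        outcome, hint = "user_not_found", ("search returned no entry: check base DN, the "
                                           "attribute in AuthLDAPURL and the filter with ldapsearch")
    elif "bind" in reason.lower():
        outcome, hint = "bad_password", "entry found, but binding as the user failed (%s)" % detail
    else:
        outcome, hint = "other", "%s (%s)" % (reason, detail)
    return {"user": user, "outcome": outcome, "hint": hint}


def outcomes_by_user(log_text):
    """Map each user seen in authnz_ldap lines to the outcome of their last attempt."""
    result = {}
    for line in log_text.splitlines():
        rec = classify_line(line)
        if rec and rec["user"]:
            result[rec["user"]] = rec["outcome"]
    return result


# Constructed sample log, modelled on the error_log excerpt in the thread.
SAMPLE_LOG = """\
[Tue Feb 25 11:42:59.810470 2020] [authnz_ldap:info] [pid 9876] [client 10.0.0.5:51234] AH01695: auth_ldap authenticate: user alice authentication failed; URI /pun/sys/dashboard [User not found][No such object]
[Tue Feb 25 11:42:59.810519 2020] [auth_basic:error] [pid 9876] [client 10.0.0.5:51234] AH01618: user alice not found: /pun/sys/dashboard
[Tue Feb 25 11:43:10.000000 2020] [authnz_ldap:info] [pid 9876] [client 10.0.0.5:51235] AH01695: auth_ldap authenticate: user bob authentication failed; URI /pun/sys/dashboard [ldap_simple_bind() failed][Invalid credentials]
[Tue Feb 25 11:43:12.000000 2020] [authnz_ldap:debug] [pid 9876] [client 10.0.0.5:51236] AH01697: auth_ldap authenticate: accepting carol
"""

if __name__ == "__main__":
    # Hypothetical AuthLDAPURL using the "name" attribute mentioned in the thread.
    url = "ldap://ldap.example.org:389/ou=People,dc=example,dc=org?name?sub?(objectClass=person)"
    print(" ".join(ldapsearch_argv(url, "alice", "cn=svc-ood,ou=Service,dc=example,dc=org")))
    for line in SAMPLE_LOG.splitlines():
        rec = classify_line(line)
        if rec:
            print(rec["user"], rec["outcome"], "-", rec["hint"])
```

Run the printed ldapsearch command by hand: if it returns no entry for a user who can see their own entry with a broader search, the attribute or base DN in AuthLDAPURL is the part to fix; a bad_password outcome means the search already succeeded and the problem has moved to the bind step.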
Thanks for all the help. I finally got this working for another user too. Here are the settings that worked for us:
Note the AuthLDAPURL does not have “CN” in our case. Also binding with an admin account was necessary.