LDAP authentication issues - user not found

Hi All,

We are trying to authenticate our users with LDAP for the ood and we have encountered some issues.
I should mention that, our LDAP service doesn’t provide uid/shell/home/directory, rather it only provides specific groups and user authentication. What we want here is that users get authenticated with LDAP and just use the cluster uid/gids/home-dirs that were assigned to them. This should be similar to the “/opt/rh/httpd24/root/etc/httpd/.htpasswd” $USER where $USER configs are defined already in the cluster. All we need here is to switch the authentication part to the LDAP server, not using uid/gid/etc from LDAP.

We are able to search the ldap database and retrieve information on the users. We bind ldap with a permitted user first, and then retrieve information from ldap. The problem occurs when we modify /etc/ood/config/ood_portal.yml, update and restart: no user can authenticate. Looking at /var/log/httpd24/error_log I can see this message:
user … not found: /pun/sys/dashboard

Which means the binding part went OK, but then ldap cannot find the user, while it appears in the ldap search query?

We would really appreciate any comment/feedback/help on how we can go about debugging this.

Here are some items to look at from this topic. One is setting debug logs, the other being sure that your query is right. Your suspicion is likely correct, binding works, but the query or result is somehow wrong.

Thanks for the quick response.
Can you please tell me what needs to be added exactly for the debug logging level? I added below but the service doesn’t restart. I think the syntax is not correct…

cat /opt/rh/httpd24/root/etc/httpd/conf.d/ldap_debug.conf
Loglevel mod_authnz_ldap:debug

You’re absolutely right! Here’s the correct config, and I’ll update the other post as well.

Loglevel ldap_module:debug
Loglevel authnz_ldap_module:debug

Thanks for the update. With the additional debugging layer, it seems like ldap doesn’t find the object:

[authnz_ldap:info] [pid 15985] [client ***] AH01695: auth_ldap authenticate: user *** authentication failed; URI /pun/sys/dashboard [User not found][No such object]

NP! And yea, the second bit of that post is about ensuring the ldap query string is correct. My hint is to hack around with the ldapsearch command and try to find a user with the appropriate base dn and attributes manually then translate that into an apache config.

Yeah, thanks for the second part, it’s helpful. I think it’s about the attribute now. Each LDAP server is unique in terms of what it uses for the attributes; from what I see it’s neither uid nor sAMAccountName for us, but something like “name”.
Now, after the latest update to the attributes, I get this error. Any thoughts?
Error: nginx: [emerg] bind() to unix:/var/run/ondemand-nginx/*/passenger.sock failed (98: Address already in use)
Seems like the sock is busy elsewhere. How can I reset and redo this part?

Remove that file /var/run/ondemand-nginx/$USER/passenger.sock, looks like it gets created before we’re sure you’re a legit user and doesn’t get cleaned up.

Ok, thanks, great, I am able to do the authentication now,
but the same error appears for other users.
Is it important that the binder username/password is a different service account?
For testing purposes, I am using my account to do the binding…

I don’t think so, but I’m not sure. I know there’s this setting that uses the users’ credentials to authorize. That way you don’t have to save passwords in the file.

As to the issue with other users, I’d just be sure the same base dn/attribute query can find them too.

Do you have a sample on how to specify usage of “users’ creds for authorization”? I tried a few things but could only get Auth binding with user password to work.

The other users issue still exists. I can get queries for other users using the same base dn. I don’t put the attribute part in the query (?name) in this case.
When I authenticate as my account, things look normal. I can see in the logs that the authentication is accepted.

But with other users, here is the error:
[Tue Feb 25 11:42:59.810470 2020] [authnz_ldap:info] [pid 9876] [client ] AH01695: auth_ldap authenticate: user $USER authentication failed; URI /pun/sys/dashboard [User not found][No such object]

[Tue Feb 25 11:42:59.810519 2020] [auth_basic:error] [pid 9876] [client ] AH01618: user $USER not found: /pun/sys/dashboard

Any ideas what to look for?
The only difference I could say is that I initially set up simple http passwd authentication for my account. Later on it was changed to ldap, which works now.

What else could I be missing here?

use this config

AuthLDAPSearchAsUser on

instead of

AuthLDAPBindDN someTestUser
AuthLDAPBindPassword someTestPassword

Maybe it could be your AuthLDAPBindDN that is the issue? I mean if you’re binding to a different base DN than the rest of your users?

You’re sure they have this attribute, name?

Can you show us the entire config? Feel free to obfuscate things with ‘host’ and ‘a’ ‘b’ ‘c’ and so on. With LDAP, there is always some very simple reason things fail.
I would suggest these things.

  1. try binding with AuthLDAPSearchAsUser
  2. confirm name attributes exist for other users
  3. Are your logs on debug? They should indicate how many objects are returned from your ldap query. Confirm the number of objects returned for you (I’m guessing 1) and for your failing users.
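To follow the two suggestions above (hand-check the query with ldapsearch and confirm the login attribute exists for the failing users), here is an added example that is not from this thread or the OnDemand project: it parses an AuthLDAPURL the way mod_authnz_ldap reads it, prints the ldapsearch command that reproduces Apache's lookup, and counts how many entries in an ldapsearch LDIF result carry the login attribute. The host, base DN, bind DN and user names are placeholders.

```python
# Added example (not from the thread): parse a mod_authnz_ldap AuthLDAPURL, derive the
# ldapsearch that reproduces Apache's lookup, count hits in its LDIF. Values are placeholders.
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote

@dataclass
class LdapAuthUrl:
    scheme: str                      # ldap or ldaps
    host: str                        # host[:port]
    base_dn: str                     # where the user search starts
    attribute: str = "uid"           # compared to the login name: uid, sAMAccountName, name...
    scope: str = "sub"               # one or sub
    filter: str = "(objectClass=*)"  # ANDed with the attribute match

    @classmethod
    def parse(cls, url: str) -> "LdapAuthUrl":
        """scheme://host/basedn?attr?scope?filter; absent parts get the module defaults."""
        p = urlsplit(url.strip().strip('"'))
        q = (p.query.split("?") + ["", "", ""])[:3]
        return cls(p.scheme, p.netloc, unquote(p.path.lstrip("/")),
                   q[0] or "uid", q[1] or "sub", q[2] or "(objectClass=*)")

    def search_filter(self, login: str) -> str:
        """What the module really sends: (&(filter)(attribute=login))."""
        return f"(&{self.filter}({self.attribute}={login}))"

    def to_ldapsearch(self, login: str, bind_dn: str = "") -> str:
        """-D/-W mirrors AuthLDAPBindDN/BindPassword; -x is an anonymous simple bind."""
        bind = f"-D '{bind_dn}' -W" if bind_dn else "-x"
        return (f"ldapsearch -H {self.scheme}://{self.host} {bind} -b '{self.base_dn}' "
                f"-s {self.scope} '{self.search_filter(login)}' {self.attribute}")

def entries_matching(ldif: str, attribute: str, login: str) -> int:
    """Entries whose <attribute> equals <login>; Apache needs exactly 1 (0 -> [User not found])."""
    hits = 0
    for entry in ldif.strip().split("\n\n"):
        for line in entry.splitlines():
            key, _, value = line.partition(":")
            if key.strip().lower() == attribute.lower() and value.strip() == login:
                hits += 1
                break
    return hits

# Constructed ldapsearch output: Bob has no 'name' attribute, so a '?name' URL misses him.
SAMPLE_LDIF = """dn: CN=Alice,OU=People,DC=example,DC=org
name: alice

dn: CN=Bob,OU=People,DC=example,DC=org
sAMAccountName: bob
"""
```

Base64-encoded LDIF values (`attr:: ...`) are not decoded, so a login with non-ASCII characters must be checked by hand.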

Thanks for all the help. I finally got this working for another user too. Here are the settings that worked for us:
Note the AuthLDAPURL does not have “CN” in our case. Also binding with an admin account was necessary.

[root@host ~]# cat /etc/ood/config/ood_portal.yml

auth:
  - 'AuthType Basic'
  - 'AuthName "private"'
  - 'AuthBasicProvider ldap'
  - 'AuthLDAPURL "ldaps://ldaps…/OU=<user_name>,DC=<dc_dir>,DC=<dc_org>?name"'
  - 'AuthLDAPGroupAttribute cn'
  - 'AuthLDAPGroupAttributeIsDN on'
  - 'Require valid-user'
  - 'AuthLDAPBindDN "cn=<cn_admin>,ou=<ou_users_name>,dc=<dc_name>,dc=<dc_org>"'
  - 'AuthLDAPBindPassword ***'