I need some help to resolve the issue of authenticating a user through ood through FreeIPA connected to AD and having its user accounts.
I cannot authenticate login users from the FreeIPA server LDAP with Open OnDemand using ondemand-dex configured with FreeIPA.
I followed the instructions to install and configure OnDemand for our small HPC cluster with an IdP (FreeIPA Server). The web interface is running, and I can ssh with a user login in the FreeIPA into the ood node and access the home folder of the login user.
Trying to log in through the web browser gives the error:
“Your mendy hpc username and/or password do not match.”
Below is the old configuration in the ood_portal.yml:
Thanks very much for the help. After making the suggested changes, it still cannot bind with the initial user of the admin account. This login is correct, and I can log in to the FreeIPA server web interface and kinit with this account.
Below is the error message
Internal Server Error
Login error: ldap: initial bind for user “cn=admin,dc=mendy,dc=mrc,dc=gm” failed: LDAP Result Code 49 “Invalid Credentials”:
I changed a few of the configuration values in the connector as below. I retrieved the freeipa server IdP database entry but got another error about a missing “mail” attribute.
- type: ldap
usernamePrompt: Mendy HPC Username
- userAttr: DN
The new error is
Internal Server Error
Login error: ldap: entry “uid=XXXXXXX,cn=users,cn=compat,dc=XXXXXXXXXX,dc=XXXXXXX,dc=XXXX” missing following required attribute(s): [“mail”]
How can I get the mail attribute from FreeIPA as one of the attributes retrieved?
I hope you don’t mind me adding more ideas, but I had two things:
What does this command show? It should give you the name of the email attribute.
ipa user-show <username> --raw --all
I noticed that you are using the compat tree. We initially used this, but then ran into sync issues between our servers. After posting on the FreeIPA forums, it was suggested not to use the compat tree. Just something to keep in mind if you run into issues.
So it appears that the user you are using to bind with does not have proper permissions to read the necessary attributes, as @jeff.ohrstrom hinted at. We ran into something similar when we were setting up our ood-dex and freeIPA. We ended up creating “service” accounts that have the proper permissions. This way we could better trace who was elevating into the system. Here is an example ldapsearch that provides the mail attribute for us after fixing the permissions:
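The "missing required attribute(s)" error earlier in the thread and the permissions point in the last reply can be checked offline before touching the dex config. The script below is an added example and is not code from this thread, from Open OnDemand or from dex. It takes the LDIF text that `ldapsearch` or `ipa user-show <username> --raw --all` prints, parses it, and reports which of the attributes named in the connector's userSearch block (the dex LDAP connector keys username, idAttr, emailAttr and nameAttr, with dex's special value DN meaning the entry's own DN) are absent from each entry. The two LDIF entries and the userSearch values are constructed for the example; which attributes a real entry shows depends on the tree you search and on what the bind account is allowed to read.

```python
"""Check that a user entry, as seen by the dex bind account, carries every
attribute the dex LDAP connector's userSearch block maps.
Added example; not from the thread, Open OnDemand or dex."""
import base64
from typing import Dict, List

# Assumed userSearch section of a dex LDAP connector. The key names follow
# dex's LDAP connector documentation; the values are constructed.
USER_SEARCH = {
    "baseDN": "cn=users,cn=accounts,dc=example,dc=org",
    "filter": "(objectClass=person)",
    "username": "uid",    # attribute matched against the login name
    "idAttr": "uid",      # attribute used as the stable user id
    "emailAttr": "mail",  # attribute used as the e-mail address
    "nameAttr": "cn",     # attribute used as the display name
}

# Constructed LDIF, shaped like a compat-tree entry that exposes only
# POSIX account attributes (no mail).
LDIF_COMPAT = """\
dn: uid=jdoe,cn=users,cn=compat,dc=example,dc=org
objectClass: posixAccount
objectClass: top
cn: John Doe
uid: jdoe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
"""

# Constructed LDIF, shaped like an accounts-tree entry read by a bind
# account that is permitted to see the mail attribute.
LDIF_ACCOUNTS = """\
dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=org
objectClass: person
objectClass: inetorgperson
cn: John Doe
uid: jdoe
mail: jdoe@example.org
memberOf: cn=hpc-users,cn=groups,cn=accounts,dc=example,dc=org
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF into a list of {attribute: [values]} dicts.
    Handles folded continuation lines, comments, blank-line entry
    separators and base64 values ("attr:: ..."). Attribute names are
    lower-cased because LDAP attribute names are case-insensitive."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in lines:
        if not line.strip():                   # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if value.startswith(":"):              # "attr:: base64" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def required_attributes(user_search: Dict[str, str]) -> List[str]:
    """Attributes dex would read for the user, derived from userSearch."""
    keys = ("username", "idAttr", "emailAttr", "nameAttr")
    return sorted({user_search[k] for k in keys if user_search.get(k)})


def missing_attributes(entry: Dict[str, List[str]],
                       user_search: Dict[str, str]) -> List[str]:
    """Required attributes not present on the entry. The value DN is
    always satisfied, as dex resolves it to the entry's own DN."""
    return [a for a in required_attributes(user_search)
            if a.upper() != "DN" and a.lower() not in entry]


def check_entries(ldif_text: str,
                  user_search: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each entry's DN to the list of required attributes it lacks."""
    return {e["dn"][0]: missing_attributes(e, user_search)
            for e in parse_ldif(ldif_text)}


if __name__ == "__main__":
    for label, ldif in (("compat tree", LDIF_COMPAT),
                        ("accounts tree", LDIF_ACCOUNTS)):
        for dn, missing in check_entries(ldif, USER_SEARCH).items():
            status = "missing " + ", ".join(missing) if missing else "OK"
            print(f"{label}: {dn}: {status}")
```

Run it against your own `ldapsearch` output by binding as the account configured in bindDN rather than as an admin: if the mail attribute is missing only for that account, the problem is the bind account's read permissions, not the user entry.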