Dear All
I need some help to resolve the issue of authenticating a user through ood through FreeIPA connected to AD and having its user accounts.
I cannot authenticate login users from FreeIPA server LDAP with the open OnDemand using OnDemand-dex configured with freeipa.
I followed the instructions to installed and configured OnDemand for our small HPC cluster with IdP(FreeIPA Server). The web interface is running, and I can ssh with user login in the freeIPA into the ood node and access the home folder of the login user.
tried login through web browser gives error
“Your mendy hpc username and/or password do not match.”
below is the old configuration in the old_portal.yml:
Also check the configuration with
$ldapsearch -x -h xxxxxxxxxxxxxxx -b ’ dc=xxxxxxx,dc=xxxx,dc=xxx’ | less
indicated the the query is executed successfully:
extended LDIF
LDAPv3
base <dc=xxxxxx,dc=xxxxx,dc=xxx> with scope subtree
Hi and welcome! The error message does seem to indicate that it’s an LDAP lookup failure.
You have cn=groups in your dex baseDN but you’re example of ldapsearch doesn’t include this. I’m not an LDAP expert but I’ve usually just seen dc and ou items in the base searches, not cn.
I wonder if that’s throwing this off? Also I’m not sure why you’re filtering off of posixGroup. Shouldn’t you filter only valid users?
Hi Jeff,
Thanks very much for the help. After making the suggested changes. It is still cannot bind with the initial user of the admin account. This login is correct, and I can login into the freeipa server web interface and kinit with this account.
Below is the error message
Internal Server Error
Login error: ldap: initial bind for user “cn=admin,dc=mendy,dc=mrc,dc=gm” failed: LDAP Result Code 49 “Invalid Credentials”:
I changed a few of the configuration values in the connector as below. I retrieved the freeipa server IdP database entry but got another error about a missing “mail” attribute.
connectors:
- type: ldap
id: ldap
name: LDAP
config:
host: XXXXXXXXXXXXXXXXXXXXX:636
insecureSkipVerify: false
bindDN: uid=XXXXXXXXXXXXXXXX,cn=users,cn=compat,dc=XXXXXXX,dc=XXXXXXXX,dc=XXXXXXXX
bindPW: XXXXXXXXXXX
usernamePrompt: Mendy HPC Username
userSearch:
baseDN: cn=users,cn=compat,dc=XXXXXXX,dc=XXXXXXXX,dc=XXXXXXXX
filter: “(objectClass=posixAccount)”
username: uid
idAttr: uid
emailAttr: mail
nameAttr: gecos
preferredUsernameAttr: uid
groupSearch:
baseDN: cn=users,cn=compat,dc=XXXXXXXX,dc=XXXXXXXX,dc=XXXXXXXX
filter: “(|(objectClass=posixGroup)(objectClass=group))”
userMatchers:
- userAttr: DN
groupAttr: member
nameAttr: cn
frontend:
theme: ondemand
dir: /usr/share/ondemand-dex/web
The new error is
Internal Server Error
Login error: ldap: entry “uid=XXXXXXX,cn=users,cn=compat,dc=XXXXXXXXXX,dc=XXXXXXX,dc=XXXX” missing following required attribute(s): [“mail”]
How can I get the mail attribute from the freeipa as one of the attribute retrieved
I hope you don’t mind me adding more ideas, but I had two things:
What does this command show? It should give you the name of the email attribute.
ipa user-show <username> --raw --all
I noticed that you are using the compat tree. We initially used this, but then ran into sync issues between our servers. After posting on the freeIPA forms, it was suggested to not use the compat tree. Just something to keep in mind if you run into issues.
So it appears that the user you are using to bind with does not have proper permissions to read the necessary attributes, as @jeff.ohrstrom hinted at. We ran into something similar when we were setting up our ood-dex and freeIPA. We ended up creating “service” accounts that have the proper permissions. This way we could better trace who was elevating into the system. Here is an example ldapsearch that provides the mail attribute for us after fixing the permissions: