Problem with user mapping

Host OS: RHEL 8.4
OOD deployed with Puppet OOD module

I’m setting up OOD to authenticate through ACCESS and I’m having an issue with user mapping. After going through ACCESS, I get an error instead of being sent to the dashboard.

### Puppet config
openondemand::oidc_remote_user_claim: "eppn"
openondemand::user_map_cmd: "/opt/ood/ood_auth_map/bin/ood_auth_map.mapfile -f /sw/admin/grid-security/oauth-mapfile.cron"

It appears the OOD is receiving the user claim (eppn) correctly, from the error message:

Error -- failed to map user (

And the mapping script works properly on its own (I’m using the OOD shipped script):

# /opt/ood/ood_auth_map/bin/ood_auth_map.mapfile -f /sw/admin/grid-security/oauth-mapfile.cron 'yan'

And I’m not seeing anything in HTTPD error logs.

Could you suggest where else I might look and what could be the issue here?


I saw Issue using user_map_cmd and tried to do some debugging:

  elseif user_map_cmd ~= nil then
    r:debug("mapping command: " .. user_map_cmd .. " '" .. (remote_user) .. "'")
    local handle = io.popen(user_map_cmd .. " '" .. (remote_user) .. "'")
    sys_user = handle:read()

It still isn’t matching for me…

[Mon Feb 27 17:27:20.540467 2023] [lua:debug] [pid 40959] @/opt/ood/mod_ood_proxy/lib/ood/user_map.lua(17): [client] mapping command: /opt/ood/ood_auth_map/bin/ood_auth_map.mapfile -f /sw/admin/grid-security/oauth-mapfile.cron ''
[Mon Feb 27 17:27:20.602247 2023] [lua:debug] [pid 40959] @/opt/ood/mod_ood_proxy/lib/ood/user_map.lua(24): [client] Mapped '' => '' [61.771 ms]
# /opt/ood/ood_auth_map/bin/ood_auth_map.mapfile -f /sw/admin/grid-security/oauth-mapfile.cron ''

Hi and welcome!

Your timing is excellent! Remote user is being URL encoded, so what’s being passed during the actual execution is not but is in fact

I’ve updated our 2.1 documentation and will update our latest documentation tomorrow (2-28).

I’m using 2.0.28 and it appears that the mapping script doesn’t support the encoded string:

# /opt/ood/ood_auth_map/bin/ood_auth_map.mapfile -f /sw/admin/grid-security/test/grid-mapfile.yanzhan2_test ''

# cat /sw/admin/grid-security/test/grid-mapfile.yanzhan2_test
"" yanzhan2

I then made my own script to parse the encoded string:

# /opt/ood/custom/ ''

But I still can’t get it to match:

[Tue Feb 28 10:04:14.429398 2023] [lua:debug] [pid 41291] @/opt/ood/mod_ood_proxy/lib/ood/user_map.lua(15): [client] Mapping command: /opt/ood/custom/ ''
[Tue Feb 28 10:04:14.448394 2023] [lua:debug] [pid 41291] @/opt/ood/mod_ood_proxy/lib/ood/user_map.lua(22): [client] Mapped '' => '' [18.989 ms]

I would say

  • It’s good to use your own mapping script. We stopped shipping our own, and it’s unclear how long ood_auth_map.mapfile has worked and indeed if it even continues to work.
  • Check /var/log/httpd24-httpd/error_log for any errors that script may throw. I’m thinking loading/library errors from python. The environment this is executed under is limited in the sense that it may not have all the things you’ve loaded in a shell environment.
  • Use the syslogger if you can to print any errors or debug information to journalctl.

Okay, I tried logging to syslog and found that the script didn’t finish.


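import sys
import syslog
syslog.syslog("importing urllib")
import urllib.parse as urlparse

syslog.syslog("finished import")

# The remote user arrives URL-encoded, so decode it before the lookup.
inputuser = urlparse.unquote(sys.argv[1])
syslog.syslog("input user: "+inputuser)

# Placeholder: the mapfile path used by this script was not shown in the post.
mapfile = "/path/to/mapfile"
usermapping = {}
for line in open(mapfile,'r'):
    (authuser,mapped) = line.split()
    # Mapfile entries quote the authenticated name: "<remote user>" <local user>
    usermapping[authuser.strip('"')] = mapped

syslog.syslog("finished reading "+str(len(usermapping))+" entries")

if inputuser in usermapping:
    syslog.syslog("mapped "+inputuser+" to "+usermapping[inputuser])
    # The proxy reads the mapped system user from stdout.
    print(usermapping[inputuser])
else:
    syslog.syslog("unable to map "+inputuser)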


Feb 28 10:45:22 /[42122]: importing urllib
Feb 28 10:45:22 /[42122]: finished import
Feb 28 10:45:22 /[42122]: input user:

So looks like it didn’t have problems loading libraries but for some reason stopped at the for loop loading the mapfile. Is there a memory restriction here?

I don’t think so. I just tested against just over 3,000 entries. I’d guess there’s some sort of error it encountered. Is there anything in /var/log/httpd24-httpd/error_log? If not, add a try and except block and log the error.

Feb 28 17:08:47 97b05dc2ed01 /[733]: importing urllib
Feb 28 17:08:47 97b05dc2ed01 /[733]: finished import
Feb 28 17:08:47 97b05dc2ed01 /[733]: input user: jeff@localhost
Feb 28 17:08:47 97b05dc2ed01 /[733]: finished reading 3017 entries
Feb 28 17:08:47 97b05dc2ed01 /[733]: mapped jeff@localhost to jeff

I’m not sure what the equivalent of /var/log/httpd24-httpd/error_log on RHEL 8 is but I’m not seeing any errors in /var/log/httpd/_error_ssl.log.

Let me see if I can catch anything with a try-except.

Sorry, I can never tell who’s on what system. It would be /var/log/httpd/error_log. Just error_log with no extension or ssl or hostname in the filename.

Also I’m finding that /opt/ood/ood_auth_map/bin/ood_auth_map.mapfile does continue to work, although just with the test file I generated - 3,000 users generated from random strings. So there could be something I’m missing in the test file generation.

Ah… maybe it’s our config but I don’t have an “error_log” without hostname. My Lua messages go to the log file with the hostname.

As for try-except - it looks like it failed on the first entry:

Feb 28 11:23:12 /[43339]: importing urllib
Feb 28 11:23:12 /[43339]: finished import
Feb 28 11:23:12 /[43339]: input user:
Feb 28 11:23:12 /[43339]: failed to read mapping
Feb 28 11:23:12 /[43339]: finished reading 2 entries
Feb 28 11:23:12 /[43339]: unable to map

Maybe there is some kind of restriction on Apache on our end. There are 1800 entries and it runs fine on its own, as you tested:

Feb 28 11:31:46 /[43661]: importing urllib
Feb 28 11:31:46 /[43661]: finished import
Feb 28 11:31:46 /[43661]: input user:
Feb 28 11:31:46 /[43661]: finished reading 1800 entries
Feb 28 11:31:46 /[43661]: mapped to yanzhan2

Got it, yeah it’s likely encoding like the LANG environment variable is C_ASCII - that’s not right, I’m blanking on what the bad/old encoding LANG could be, but you’d see it in a crontab output. In any case, it’s not UTF-8.

Try forcing utf-8 encoding here when you’re reading the file.

for line in open(mapfile,'r', encoding="utf-8"):

I found out why :man_facepalming: It failed at the line to open the mapfile. Likely a permission issue.

Edit: permission issue indeed.

1 Like
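
An added example, not from the thread and not OOD's own code: a mapping script that reports the two failure modes seen above, the URL-encoded remote user and a mapfile the Apache user cannot open, instead of exiting silently. The argument order (mapfile, then user), the `SAFE_LOCAL_USER` pattern and the syslog wording are assumptions.

```python
import os
import re
import sys
import syslog
import urllib.parse

# Assumed policy: only emit names that look like local accounts.
SAFE_LOCAL_USER = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

def map_user(encoded_user, mapfile):
    """Return (local_user, error); exactly one of the two is None."""
    # The proxy hands the claim over URL-encoded (jeff%40localhost).
    remote = urllib.parse.unquote(encoded_user)
    try:
        # Explicit encoding: the httpd environment may not default to UTF-8.
        with open(mapfile, "r", encoding="utf-8") as fh:
            for lineno, line in enumerate(fh, 1):
                parts = line.split()
                if len(parts) != 2:
                    continue  # skip blank or malformed lines
                auth, local = parts[0].strip('"'), parts[1]
                if auth == remote:
                    if not SAFE_LOCAL_USER.match(local):
                        return None, f"line {lineno}: unsafe local user"
                    return local, None
    except OSError as exc:
        # PermissionError lands here when the Apache user cannot read the file.
        return None, f"cannot read {mapfile}: {exc.strerror}"
    return None, f"no mapping for {remote!r}"

def main(argv):
    if len(argv) != 3:
        return 2
    local, err = map_user(argv[2], argv[1])
    if err:
        # Log the effective uid so a permission problem is obvious in journalctl.
        syslog.syslog(syslog.LOG_ERR, f"ood user map (uid {os.geteuid()}): {err}")
        return 1
    print(local)  # stdout is what the proxy reads as the system user
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running it once as the web server account (for example with `sudo -u apache`) exercises the same file permissions the proxy will hit.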