Hi all. I’m having an issue mapping certain users. These are users from AD but they are contained in the /etc/passwd file. I’m currently using a mapfile to rule out any issues with regex.
I log in with my institutional id via OpenID. This works fine.
Mapping my institutional id to a user only on the Linux machine works fine. The user is listed in /etc/passwd like:
jennifer:x:1000:1000::/home/jennifer:/bin/bash.
The mapfile for this situation looks like this:
"user@institution.edu" localLinuxUser
If I map my institutional id to an AD user who is locally listed in /etc/passwd, I get a failure. The /etc/passwd entry for these users is like:
username@ad.institution.edu:*:IDS:username:/mnt/location/home/user@ad.institution.edu/:/bin/bash.
Debug logging just says:
Mapped 'user@institution.edu' => ''
The mapfile for this situation looks like this:
"user@institution.edu" user@ad.institution.edu
I’m not sure why the first situation works but the second doesn’t. Are these users not considered local even though they have an entry in /etc/passwd? How does Open OnDemand determine this?
Is there a workaround anyone is using for this situation?
Hi and welcome!
What is the configuration in ood_portal.yml you’re using to map users? It seems to me the script you’re using to map users doesn’t account for the second use case. How you’ve configured user mapping is how Open OnDemand determines how to map users, so I’d need to see that configuration and potentially the script that uses the lookup maps.
Hi.
The relevant portion of the ood_portal file is this:
user_map_cmd: "/opt/ood/ood_auth_map/bin/ood_auth_map.mapfile"
map_fail_uri: "/register"
I didn’t make any changes to /opt/ood/ood_auth_map/bin/ood_auth_map.mapfile. Here are the contents:
#!/usr/bin/env bash

# The purpose of this script is to wrap up the necessary environment for the
# per-user NGINX (PUN) processes to run under. The PUN requires the ondemand
# Software Collection.

# Root directory for this library
ROOT_DIR="$(dirname "$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")")"

SCL_PKGS=${SCL_PKGS:-"ondemand"}
SCL_SOURCE="$(command -v scl_source)"
[[ "${SCL_SOURCE}" ]] && source "${SCL_SOURCE}" enable ${SCL_PKGS}

# Environment is set, so call Ruby now
#
exec \
  /usr/bin/env ruby \
    -I"${ROOT_DIR}/lib" \
    -rood_auth_map/mapfile \
    -e "Mapfile.run" \
    -- "${@}"
Thank you!
Thanks. We don’t ship that library anymore, but there could be a bug in it.
I’ll look into it shortly, but I’m not sure how/if you want to patch it and continue to use it (again we removed it so you’d have to copy it somewhere to continue to use it) or if you want to make something better yourself.
Thanks for the response. If the library is no longer supported, it seems like a waste of your time looking into it (unless you’re very curious.) What’s the equivalent library currently shipping?
Thank you,
Jennifer
I’m happy to look into it for you.
From the release notes, you have to write your own; we stopped providing an equivalent. Of course if you continue to use that library you have to copy and move around those ruby files when I’d bet that a shell script with grep would work much more simply.
https://osc.github.io/ood-documentation/latest/release-notes/v2.0-release-notes.html#no-longer-providing-ood-auth-map-regex
It doesn’t appear that user_map_match can work for you because given user@institution.edu you have no idea if that’s supposed to map to localLinuxUser or user@ad.institution.edu.
The regular expression we’re looking for doesn’t account for @ or . characters. You can apply this patch to /opt/ood/ood_auth_map/lib/ood_auth_map/helpers.rb and it should start working (I was using the same scheme you are to test).
diff --git a/ood_auth_map/lib/ood_auth_map/helpers.rb b/ood_auth_map/lib/ood_auth_map/helpers.rb
index f18a0de1..096c8c30 100644
--- a/ood_auth_map/lib/ood_auth_map/helpers.rb
+++ b/ood_auth_map/lib/ood_auth_map/helpers.rb
@@ -9,7 +9,7 @@ class OodAuthMap
# @param auth_user [String] authenticated username
# @return [String, nil] mapped user name or {nil} if no match
def parse_mapfile(file, auth_user)
- parse_file(file, %r[^"#{Regexp.quote auth_user}" (\w+)$])
+ parse_file(file, %r[^"#{Regexp.quote auth_user}" ([\w@\.]+)$])
end
# Parse a file using a given regular expression pattern and output the
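Review bot: the capture group on the added line, ([\w@\.]+), still excludes the hyphen, so a mapfile entry whose local name contains - would keep producing no match, the same way the @ names did before this change. Consider ([\w@.-]+), or (\S+) if any non-whitespace name should be accepted. The backslash before . inside the brackets is unnecessary, and a short comment on parse_mapfile stating which characters a mapped name may contain would help the next reader.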
What’s more is, re-reading the release notes, we don’t distribute ood_auth_map.regex anymore but it appears we still distribute ood_auth_map.mapfile so looks like I’ve got to patch it and you can continue to use it given we’re still distributing it - sorry for the confusion there!
The patch is working great. Thanks so much for your help Jeff!
No problem. Also, this patch will be making its way into 3.1.8. So if you update to that when it comes out (in the next few weeks) you won’t have to reapply the patch.
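The shell-script mapfile lookup suggested earlier in the thread, as an added example that is not part of the original posts and is not Open OnDemand's own code. It assumes the authenticated name arrives already decoded as the first argument and that the mapfile path is supplied in a hypothetical MAP_FILE variable; map_user and sample_mapfile are illustrative names, and the sample entries are constructed.

```shell
#!/bin/sh
# Added example: mapfile lookup for a user_map_cmd-style script.
# Mapfile format as shown in the thread:  "auth_user" local_user

# map_user AUTH_USER < mapfile
# Prints the local user mapped to AUTH_USER, or nothing when no entry matches.
map_user() {
  auth_user=$1
  # The quoted name plus one space is compared as a literal prefix, so '.',
  # '*' or '@' in the authenticated name are never treated as a pattern.
  prefix="\"$auth_user\" "
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      "$prefix"*) local_user=${line#"$prefix"} ;;
      *) continue ;;
    esac
    # Reject empty names and anything outside a conservative account-name
    # set; '@' and '.' are allowed so AD-style names map, unlike \w+ alone.
    case $local_user in
      ''|*[!A-Za-z0-9_@.-]*) continue ;;
    esac
    printf '%s\n' "$local_user"
    return 0
  done
  return 0   # no match: empty output, the caller treats it as unmapped
}

# Constructed sample entries in the thread's format (not real accounts).
sample_mapfile() {
  cat <<'EOF'
"user@institution.edu" user@ad.institution.edu
"jennifer@institution.edu" jennifer
"typo@institution.edu" two words
EOF
}

# Stand-alone use: MAP_FILE=/path/to/mapfile ./script 'user@institution.edu'
if [ "$#" -gt 0 ]; then
  map_user "$1" < "${MAP_FILE:?set MAP_FILE to the mapfile path}"
fi
```

An empty result is what sends the request to map_fail_uri, so a malformed entry fails closed instead of mapping to a partial name.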