"failed to map user" error

We have OOD setup so that users log in using Shibboleth, together with a custom missing_home_directory.html page. This has been working without problems for some time. We now have a case where a user is directed to the SSO page, and after logging in, when they expect to get the dashboard, they instead get an error message: Error -- failed to map user (<username>)

I have checked logs for this username on the OOD server and all I can find are typical apache logs of the form "GET /pun/sys/dashboard HTTP/1.1" 404 44 ..." in the access logs (and nothing in the error logs). We have confirmed that this user is able to login to the cluster as expected (using the same account). The only difference I’ve noticed between this user and the accounts for which login is working, is that the username contains a hyphen in this case. It is possible that OOD is not handling this character? What else should I check?


The hyphen could be throwing it off. Do you use a user_map_cmd with /opt/ood/ood_auth_map/bin/ood_auth_map.regex in ood_portal.yml?

If so, let us know what the regex you use.

I don’t believe the default example of \w+ would correctly map hyphenated users. If my hunch is correct here are a couple options:

# \w+ grabs evertying _after_ the hyphen. no user 'o', want to map to 'jeff-o'
irb(main):001:0> /(\w+)@osc.edu/.match("jeff-o@osc.edu")
=> #<MatchData "o@osc.edu" 1:"o">

# this could work well, \w may work with latin characters well (as a pose to using [A-Za-z-])
irb(main):002:0> /([\w-]+)@osc.edu/.match("jeff-o@osc.edu")
=> #<MatchData "jeff-o@osc.edu" 1:"jeff-o">

# .+ may be a bit _too_ inclusive but would automatically pick up the next user
# to say, have an underscore like 'jeff_o'. 
irb(main):003:0> /(.+)@osc.edu/.match("jeff-o@osc.edu")
=> #<MatchData "jeff-o@osc.edu" 1:"jeff-o">

Yes, we were using (\w+). Changing this to ([A-Za-z0-9-_]+) resolved the issue, thanks!

Glad to hear! Taking another look at the docs, \w is the same as [A-Za-z0-9_] so it wouldn’t work better with latin characters after all.