Login error with ood-dex and Freeipa LDAP on CentOS 7

Dear All
I need some help to resolve the issue of authenticating a user through ood through FreeIPA connected to AD and having its user accounts.
I cannot authenticate login users from FreeIPA server LDAP with the open OnDemand using OnDemand-dex configured with freeipa.
I followed the instructions to installed and configured OnDemand for our small HPC cluster with IdP(FreeIPA Server). The web interface is running, and I can ssh with user login in the freeIPA into the ood node and access the home folder of the login user.
tried login through web browser gives error
“Your mendy hpc username and/or password do not match.”
below is the old configuration in the old_portal.yml:

ssl:

  • ‘SSLCertificateFile “/etc/pki/tls/certs/xxxxxnxnxxnxnxn.pem”’
  • ‘SSLCertificateKeyFile “/etc/pki/tls/private/xxxxxnxnxxnxnxn.key”’

maintenance_ip_whitelist:

  • XXX.XXX…

auth:

  • ‘AuthType openid-connect’
  • ‘Require valid-user’

oidc_uri: ‘/oidc’

dex:
connectors:
- type: ldap
id: ldap
name: LDAP
config:
host: XXXXX.xxxxxxx.xxxx.xxx:636
insecureSkipVerify: false
bindDN: cn=aaaaaa,dc=xxxxxx,dc=xxxxx,dc=xxx
bindPW: XXXXXXXXXXXXXXXXXXXXX
usernamePrompt: Username
userSearch:
baseDN: cn=users,dc=xxxxxx,dc=xxxxx,dc=xxx
filter: “(objectClass=posixAccount)”
username: uid
idAttr: uid
emailAttr: mail
nameAttr: gecos
preferredUsernameAttr: uid
groupSearch:
baseDN: cn=groups,dc=xxxxxx,dc=xxxxx,dc=xxx
filter: “(objectClass=posixGroup)”
userMatchers:
- userAttr: DN
groupAttr: member
nameAttr: cn
frontend:
theme: ondemand
dir: /usr/share/ondemand-dex/web

Also check the configuration with
$ldapsearch -x -h xxxxxxxxxxxxxxx -b ’ dc=xxxxxxx,dc=xxxx,dc=xxx’ | less
indicated the the query is executed successfully:

extended LDIF

LDAPv3

base <dc=xxxxxx,dc=xxxxx,dc=xxx> with scope subtree

filter: (objectclass=*)

requesting: ALL

users, compat, xxxxxx.xxxxx.xxx

dn: cn=users,cn=compat,dc=xxxxxx,dc=xxxxx,dc=xxx
objectClass: extensibleObject
cn: users

Hi and welcome! The error message does seem to indicate that it’s an LDAP lookup failure.

You have cn=groups in your dex baseDN but you’re example of ldapsearch doesn’t include this. I’m not an LDAP expert but I’ve usually just seen dc and ou items in the base searches, not cn.

I wonder if that’s throwing this off? Also I’m not sure why you’re filtering off of posixGroup. Shouldn’t you filter only valid users?

Hi Jeff,
Thanks very much for the help. After making the suggested changes. It is still cannot bind with the initial user of the admin account. This login is correct, and I can login into the freeipa server web interface and kinit with this account.
Below is the error message

Internal Server Error

Login error: ldap: initial bind for user “cn=admin,dc=mendy,dc=mrc,dc=gm” failed: LDAP Result Code 49 “Invalid Credentials”:

This looks like the username/password you’re trying to bind with to make LDAP queries is wrong.

These settings here seem to be wrong.

I changed a few of the configuration values in the connector as below. I retrieved the freeipa server IdP database entry but got another error about a missing “mail” attribute.
connectors:
- type: ldap
id: ldap
name: LDAP
config:
host: XXXXXXXXXXXXXXXXXXXXX:636
insecureSkipVerify: false
bindDN: uid=XXXXXXXXXXXXXXXX,cn=users,cn=compat,dc=XXXXXXX,dc=XXXXXXXX,dc=XXXXXXXX
bindPW: XXXXXXXXXXX
usernamePrompt: Mendy HPC Username
userSearch:
baseDN: cn=users,cn=compat,dc=XXXXXXX,dc=XXXXXXXX,dc=XXXXXXXX
filter: “(objectClass=posixAccount)”
username: uid
idAttr: uid
emailAttr: mail
nameAttr: gecos
preferredUsernameAttr: uid
groupSearch:
baseDN: cn=users,cn=compat,dc=XXXXXXXX,dc=XXXXXXXX,dc=XXXXXXXX
filter: “(|(objectClass=posixGroup)(objectClass=group))”
userMatchers:
- userAttr: DN
groupAttr: member
nameAttr: cn
frontend:
theme: ondemand
dir: /usr/share/ondemand-dex/web

The new error is

Internal Server Error

Login error: ldap: entry “uid=XXXXXXX,cn=users,cn=compat,dc=XXXXXXXXXX,dc=XXXXXXX,dc=XXXX” missing following required attribute(s): [“mail”]
How can I get the mail attribute from the freeipa as one of the attribute retrieved

I assume the “mail” attribute exists in IPA or it isn’t named something else?

You set emailAttr to mail - is it called something different in your LDAP?

Yes, from all the check, below is example ipa user-add jsmith --first=John --last=Smith --email=johnls@example.com --addattr=mail=johnnys@me.com --addattr=mail=admin@example.com

Why do you have --email and --attattr=mail. Why add the mail attribute when you could just use the exisisting email attribute.

1 Like

I hope you don’t mind me adding more ideas, but I had two things:

  1. What does this command show? It should give you the name of the email attribute.
    ipa user-show <username> --raw --all

  2. I noticed that you are using the compat tree. We initially used this, but then ran into sync issues between our servers. After posting on the freeIPA forms, it was suggested to not use the compat tree. Just something to keep in mind if you run into issues.

Thank you @msgambati-INL. Ideas are always welcome. Yes please, anyone should feel free to chime in especially if you run freeIPA (which we don’t)!

this is just to add multiple email addresses.

ipa user-show --raw --all

output
email attribute as
mail:
correctly

What does an ldapsearch on that system show using that bindDN, baseDN, and filter?

ldapsearch bindDN, baseDN output:# extended LDIF

LDAPv3

base <uid=admin,cn=users,cn=compat,dc=XXXXXXXX,dc=xxxxx,dc=xxx> with scope subtree

filter: (objectclass=*)

requesting: ALL

admin, users, compat, XXXXXXXX.xxxxxxx.xxx

dn: uid=aaaaaaaa,cn=users,cn=compat,dc=XXXXXXXX,dc=xxxxxxx,dc=xxx
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
gecos: Administrator
cn: Administrator
uidNumber: NNNNNNNNNNNN
gidNumber: NNNNNNNNNNNN
loginShell: /bin/bash
homeDirectory: /home/aaaaaaaa
ipaAnchorUUID:: OklQQTptZW5keS5tcmMuZ206ODk3MWU5YjQtMWRhMy0xMWVhLWIzMGMtMDA1MD
U2OGNiM2Ri
uid: aaaaaaaa

search result

search: 2
result: 0 Success

numResponses: 2

numEntries: 1

I don’t see mail or email there. Did you authenticate to get that result? Maybe you need to to get those values.

The freeipa docs say

FreeIPA allows multi-valued attributes, based on attributes in LDAP that are allowed to have multiple values.

So I’d focus our investigation on FreeIPA & your LDAP provider and confirm that email addresses are being stored and if so, under what attribute name.

So it appears that the user you are using to bind with does not have proper permissions to read the necessary attributes, as @jeff.ohrstrom hinted at. We ran into something similar when we were setting up our ood-dex and freeIPA. We ended up creating “service” accounts that have the proper permissions. This way we could better trace who was elevating into the system. Here is an example ldapsearch that provides the mail attribute for us after fixing the permissions:

ldapsearch -h <freeIPA_hostname> -x -D "cn=<service_account>,...." -W -b cn=users,.... "(objectClass=posixaccount)"

I hope this helps.

2 Likes