Dear All
I need some help to resolve the issue of authenticating a user through ood through FreeIPA connected to AD and having its user accounts.
I cannot authenticate login users from FreeIPA server LDAP with the open OnDemand using OnDemand-dex configured with freeipa.
I followed the instructions to install and configure OnDemand for our small HPC cluster with IdP (FreeIPA Server). The web interface is running, and I can ssh with a user login in the FreeIPA into the ood node and access the home folder of the login user.
Trying to log in through the web browser gives the error
"Your mendy hpc username and/or password do not match."
below is the old configuration in the old_portal.yml:
Also check the configuration with
$ ldapsearch -x -h xxxxxxxxxxxxxxx -b "dc=xxxxxxx,dc=xxxx,dc=xxx" | less
indicated that the query is executed successfully:
# extended LDIF
# LDAPv3
# base <dc=xxxxxx,dc=xxxxx,dc=xxx> with scope subtree
Hi and welcome! The error message does seem to indicate that it's an LDAP lookup failure.
You have cn=groups in your dex baseDN but your example of ldapsearch doesn't include this. I'm not an LDAP expert but I've usually just seen dc and ou items in the base searches, not cn.
I wonder if that's throwing this off? Also I'm not sure why you're filtering off of posixGroup. Shouldn't you filter only valid users?
Hi Jeff,
Thanks very much for the help. After making the suggested changes, it still cannot bind with the initial user of the admin account. This login is correct, and I can log in to the FreeIPA server web interface and kinit with this account.
Below is the error message
Internal Server Error
Login error: ldap: initial bind for user "cn=admin,dc=mendy,dc=mrc,dc=gm" failed: LDAP Result Code 49 "Invalid Credentials":
I changed a few of the configuration values in the connector as below. I retrieved the FreeIPA server IdP database entry but got another error about a missing "mail" attribute.
connectors:
- type: ldap
  id: ldap
  name: LDAP
  config:
    host: XXXXXXXXXXXXXXXXXXXXX:636
    insecureSkipVerify: false
    bindDN: uid=XXXXXXXXXXXXXXXX,cn=users,cn=compat,dc=XXXXXXX,dc=XXXXXXXX,dc=XXXXXXXX
    bindPW: XXXXXXXXXXX
    usernamePrompt: Mendy HPC Username
    userSearch:
      baseDN: cn=users,cn=compat,dc=XXXXXXX,dc=XXXXXXXX,dc=XXXXXXXX
      filter: "(objectClass=posixAccount)"
      username: uid
      idAttr: uid
      emailAttr: mail
      nameAttr: gecos
      preferredUsernameAttr: uid
    groupSearch:
      baseDN: cn=users,cn=compat,dc=XXXXXXXX,dc=XXXXXXXX,dc=XXXXXXXX
      filter: "(|(objectClass=posixGroup)(objectClass=group))"
      userMatchers:
      - userAttr: DN
        groupAttr: member
      nameAttr: cn
frontend:
  theme: ondemand
  dir: /usr/share/ondemand-dex/web
The new error is
Internal Server Error
Login error: ldap: entry "uid=XXXXXXX,cn=users,cn=compat,dc=XXXXXXXXXX,dc=XXXXXXX,dc=XXXX" missing following required attribute(s): ["mail"]
How can I get the mail attribute from the FreeIPA as one of the attributes retrieved?
I hope you don't mind me adding more ideas, but I had two things:
What does this command show? It should give you the name of the email attribute.
ipa user-show <username> --raw --all
I noticed that you are using the compat tree. We initially used this, but then ran into sync issues between our servers. After posting on the freeIPA forms, it was suggested to not use the compat tree. Just something to keep in mind if you run into issues.
I don't see mail or email there. Did you authenticate to get that result? Maybe you need to, to get those values.
The freeipa docs say
FreeIPA allows multi-valued attributes, based on attributes in LDAP that are allowed to have multiple values.
So I'd focus our investigation on FreeIPA & your LDAP provider and confirm that email addresses are being stored and if so, under what attribute name.
So it appears that the user you are using to bind with does not have proper permissions to read the necessary attributes, as @jeff.ohrstrom hinted at. We ran into something similar when we were setting up our ood-dex and freeIPA. We ended up creating "service" accounts that have the proper permissions. This way we could better trace who was elevating into the system. Here is an example ldapsearch that provides the mail attribute for us after fixing the permissions: