New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OpenLDAP: Result Code 32 "No Such Object" #35259
Comments
Duplicate of #17854 |
I'm re-opening this to track the newest PR submitted for this issue - #38736. |
Release noteCredit goes to github user @JRial95 for developing the fix to this issue. |
Validation TemplateRoot CauseUsers on certain LDAP setups do not have the permissions to search as their user. This lead to the error outlined in the issue (Result code 32), since Rancher attempted to bind as their user to perform searches (in order to show the user only the groups/users that they could see as part of their auth configs). What was fixed, or what change have occurredThe code to login as a user now has a fallback case where, if it gets a 32 result code on attempting to search under the user's authority, it will bind/search as the service account instead. Areas or cases that should be testedBasic LDAP functionality on a LDAP setup which does not give users permission to search the LDAP setup, including:
Basic regression test (above scenarios should work) on a standard LDAP setup where users can search. What areas could experience regressionsBasic ldap functionality (user login, user/group search, user refresh). Are the repro steps accurate/minimal?No. They are included here:
|
After further review of the user-submitted PR, we've decided to pull this out and re-evaluate the functionality. There were some concerns raised that the current functionality could cause adverse impacts, outlined below, that made us uncertain about leaving this in. We do intend to re-evaluate Rancher's functionality in this area in the future, and hopefully present a better solution. For background, Rancher today (in the case of most auth providers) always attempts to scope its searches to the permissions of the requesting user. It does this so that when users attempt to add new permissions to a user/group for a cluster/project, they can only see the objects that they could see outside of Rancher. This way, Rancher doesn't become an "attack vector", allowing users to effectively escalate their permissions in the auth providers. However, we recognize that this approach does not account for typical setups (such as LDAP) where users have no permissions in the authentication provider and the service account is used as a way of tightly controlling read permissions from the application. We see these configurations as legitimate use cases, and want to better support them. To this end, we are going to consider a more comprehensive solution to this issue. One potential solution would be to expose a field on the auth config ( I apologize to users who have been waiting for this functionality, and hope that we can fix this issue soon. |
test plan: perquisite
bug scope
Basic LDAP functionality on a LDAP setup which does not give users permission to search the LDAP setup, including: regression areas-
|
@MbolotSuse and @martyav - Since we've release v2.7.7 and the release notes PR was merged, are we able to close this issue or does it need to be moved to a future milestone? Otherwise 2.7.7 is already tagged for community use, so I'd like to close that milestone if possible. |
@Jono-SUSE-Rancher I'm ok with closing. From my perspective, it's already in a published page and is also mentioned in the now-closed PR if we want to track it down later from GH. |
As the issue has been release noted, and it's not a simple bug fix. I am closing this issue in favor of a feature ticket. |
Rancher Server Setup
Information about the Cluster
Describe the bug
When I try to configure the OpenLDAP authentication provider, I get an error: Result Code 32 "No Such Object".
To Reproduce
Go to Rancher's OpenLDAP authentication provider configuration page.
Fill these following fields:
Use a valid LDAP user for the test.
Submit form by clicking on "Enable" button.
Result
Check Rancher logs using the following command:
You should see something like this:
Expected Result
The OpenLDAP authentication should be enabled.
Additional context
By investigating the code and from my understanding, I think the problem comes from the request that is made on lines 71 to 78 in
ldap_client.go
. Unfortunately, I don't know how to solve the problem. Do you have an idea?rancher/pkg/auth/providers/ldap/ldap_client.go
Lines 71 to 78 in 64c748d
The text was updated successfully, but these errors were encountered: