LDAP: Error Found 'Test User' but this user has no groups... #17

Closed
jgomezrubio opened this issue May 13, 2015 · 4 comments

Comments

@jgomezrubio

This error occurs with OpenLDAP 2.4.39 server and SCOT 3.4.0 - Hindenberg. Ubuntu 14.04.2 LTS.

Error:Found 'Test User', but this user has no groups. Please check your 'User ID Attribute' and 'Membership Attr'

What are the correct parameters on the User Authentication page for LDAPS with OpenLDAP 2.4?

@toddbruner
Contributor

Do you have a "Test User" in your LDAP, and if so, is that "Test User" a member of any groups? I think that the error is saying: I was able to find 'Test User' in LDAP, but I didn't get back any groups. Reasons for this include an invalid User ID attribute, an invalid membership attribute, or "Test User" not being in any groups.

We will probably need to know more about your LDAP setup to debug this one.

@jgomezrubio
Author

Thank you for your quick reply.

Below are the results of my ldapsearch -x -H ldaps://ht-ldap-0.it.anl.gov:636 command:

```ldif
# extended LDIF
#
# LDAPv3
# base <dc=it,dc=anl,dc=gov> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# it.anl.gov
dn: dc=it,dc=anl,dc=gov
objectClass: organization
objectClass: dcObject
dc: it
o: it

# People, it.anl.gov
dn: ou=People,dc=it,dc=anl,dc=gov
objectClass: organizationalUnit
ou: People

# group, it.anl.gov
dn: ou=group,dc=it,dc=anl,dc=gov
objectClass: organizationalUnit
ou: group

# SUDOers, it.anl.gov
dn: ou=SUDOers,dc=it,dc=anl,dc=gov
objectClass: organizationalUnit
ou: SUDOers

# ht-test-stage-0, SUDOers, it.anl.gov
dn: cn=ht-test-stage-0,ou=SUDOers,dc=it,dc=anl,dc=gov
objectClass: sudoRole
cn: ht-test-stage-0
description: root
sudoHost: ht-test-stage-0.it.anl.gov
sudoCommand: ALL
sudoRunAsUser: ALL
sudoUser: cfm

# ht-scot-0, SUDOers, it.anl.gov
dn: cn=ht-scot-0,ou=SUDOers,dc=it,dc=anl,dc=gov
objectClass: sudoRole
cn: ht-scot-0
sudoHost: ht-scot-0
sudoCommand: ALL
sudoRunAsUser: ALL
description: root
sudoUser: mcampos

# cfm, group, it.anl.gov
dn: cn=cfm,ou=group,dc=it,dc=anl,dc=gov
objectClass: posixGroup
description: cfm
gidNumber: 678
cn: cfm

# cfm, People, it.anl.gov
dn: cn=cfm,ou=People,dc=it,dc=anl,dc=gov
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
homeDirectory: /home/cfm
loginShell: /bin/bash
uid: cfm
cn: cfm
gecos: cfm
uidNumber: 678
gidNumber: 678
sn: cfm

# sys-kenobi, group, it.anl.gov
dn: cn=sys-kenobi,ou=group,dc=it,dc=anl,dc=gov
objectClass: posixGroup
description: sys-kenobi
gidNumber: 13356
cn: sys-kenobi

# Mario Campos, People, it.anl.gov
dn: cn=Mario Campos,ou=People,dc=it,dc=anl,dc=gov
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
homeDirectory: /home/mcampos
loginShell: /bin/bash
uid: mcampos
cn: Mario Campos
gecos: M. Campos
uidNumber: 554
gidNumber: 13356
sn: Campos
givenName: Mario

# search result
search: 2
result: 0 Success

# numResponses: 11
# numEntries: 10
```

As you can see, I am using the objectClasses posixAccount and posixGroup to provide LDAP services to our Linux machines. Is there another option I can enter for the "Membership Attr" field instead of "memberOf", since my LDAP server is not using the OpenLDAP 'memberof' overlay? Below are the values I entered during SCOT LDAP setup:

LDAP Server: ldaps://ht-ldap-0.it.anl.gov
Base Domain: dc=it,dc=anl,dc=gov
User ID Attribute: uid
Membership Attr: memberOf
Bind DN: cn=cfm,ou=People,dc=it,dc=anl,dc=gov
Bind Password: password
Test User: cfm

Thank you for helping me troubleshoot OpenLDAP integration.

Jose

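To make the diagnosis in toddbruner's reply concrete against the directory and settings posted above, here is an added Python example (not SCOT's own code) that reads a constructed LDIF snapshot modelled on the posted ldapsearch output and resolves a test user's groups two ways: through the configured membership attribute (memberOf) and through posixGroup memberUid/gidNumber. With the posted settings (User ID Attribute uid, Membership Attr memberOf) the memberOf list comes back empty while the posix lookup still finds groups, which is exactly the "found the user but no groups" case; the parse_ldif and resolve_groups helpers and the memberUid line on sys-kenobi are assumptions made for this example.

```python
import re

# Constructed LDIF snapshot modelled on the ldapsearch output in this thread (the cfm
# user and the cfm posixGroup); sys-kenobi is given a memberUid line it lacks in the
# thread so the rfc2307-style lookup has something to find.
SAMPLE_LDIF = """\
dn: cn=cfm,ou=group,dc=it,dc=anl,dc=gov
objectClass: posixGroup
gidNumber: 678
cn: cfm

dn: cn=sys-kenobi,ou=group,dc=it,dc=anl,dc=gov
objectClass: posixGroup
gidNumber: 13356
cn: sys-kenobi
memberUid: cfm

dn: cn=cfm,ou=People,dc=it,dc=anl,dc=gov
objectClass: posixAccount
uid: cfm
cn: cfm
gidNumber: 678
"""

def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr: [values]}} for single-line 'attr: value' records."""
    entries = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in record.splitlines():
            if line and not line.startswith("#"):
                key, _, value = line.partition(":")
                attrs.setdefault(key.strip(), []).append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries

def resolve_groups(entries, uid_attr, membership_attr, test_user):
    """Mirror the SCOT test: find the user by the configured User ID Attribute, then read
    groups the memberOf way and the posixGroup way, so an empty result can be traced to
    a membership attribute the directory never populates."""
    users = [e for e in entries.values() if test_user in e.get(uid_attr, [])]
    if not users:
        return {"found": False, "memberof": [], "posix": []}
    user = users[0]
    uid, gid = user[uid_attr][0], user.get("gidNumber", [None])[0]
    posix = [dn for dn, e in entries.items()
             if "posixGroup" in e.get("objectClass", [])
             and (uid in e.get("memberUid", []) or gid in e.get("gidNumber", []))]
    return {"found": True, "memberof": user.get(membership_attr, []), "posix": posix}
```

When memberof is empty but posix is not, the user exists and has groups, and the fix is either the memberof overlay (as the reporter eventually did) or a membership lookup that understands posixGroup.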

@jgomezrubio
Author

After changing OpenLDAP to support the rfc2307bis schema and using the memberOf overlay, I was finally able to successfully validate against SCOT LDAP auth using the admin account. How do I use LDAP credentials for the SCOT HTTP basic authentication? Do I use the username@localdomain syntax?


@toddbruner
Contributor

We have an update I need to apply that should help with your original problem. I'm glad you have got it to work though.

As for your second question, I apologize if I am not understanding the question, but SCOT looks for a session cookie; if it is not present, then you will get a 401, which will prompt the browser to provide a basic auth popup. There you will enter the username / password combination. I've never tried "username@domain" as a login, but it might work. It should be passed on to LDAP, and if it can parse it, then we should be fine.

Hope that helps...
