Hi Rodrigo,

Yea, I figured as much. I am kinda tearing my hair out. It's certainly
possible there's something wrong with my user input, but trying to figure
out why it's having problems is really difficult. I have actually started
tracing through the actual Go code to see if I can figure out why it's
having such problems. Here's my latest configuration. It's not much
different than what you have, except that groupNameAttributes is set to cn
instead of ou. I even tcpdumped the LDAP communication -- nada.

kind: LDAPSyncConfig
apiVersion: v1
url: ldap://server:389
insecure: true
rfc2307:
    groupsQuery:
        baseDN: "ou=Group,dc=acme,dc=net"
        scope: sub
        derefAliases: never
        pageSize: 0
        filter: (objectClass=posixGroup)
    groupUIDAttribute: dn
    groupNameAttributes: [ cn ]
    groupMembershipAttributes: [ memberUid ]
    usersQuery:
        baseDN: "ou=People,dc=acme,dc=net"
        scope: sub
        derefAliases: never
        pageSize: 0
    userUIDAttribute: dn
    userNameAttributes: [ uid ]
    tolerateMemberNotFoundErrors: false
    tolerateMemberOutOfScopeErrors: false


It successfully finds the group *and* the list of users in the group. But when
it tries to do a membership lookup it fails with the following. I don't
know why it's having this particular problem with the DN. Is it somehow
having an issue trying to create the user DN and matching that to the
memberUid attribute in the group?

membership lookup for user "jdoe" in group
"cn=staff,ou=Group,dc=acme,dc=net" failed because of "could not search by
dn, invalid dn value: DN ended with incomplete type, value pair"


Here are the logs.

I0321 14:26:17.070608  130788 groupsyncer.go:56] Listing with
&{[cn=staff,ou=Group,dc=acme,dc=net]}
I0321 14:26:17.070699  130788 groupsyncer.go:62] Sync ldapGroupUIDs
[cn=staff,ou=Group,dc=acme,dc=net]
I0321 14:26:17.070707  130788 groupsyncer.go:65] Checking LDAP group
cn=staff,ou=Group,dc=acme,dc=net
I0321 14:26:17.071770  130788 query.go:228] searching LDAP server with
config {Scheme: ldap Host: server:389 BindDN:  len(BbindPassword): 0
Insecure: true} with dn="cn=staff,ou=Group,dc=acme,dc=net" and scope 0 for
(objectClass=*) requesting [cn dn memberUid]
I0321 14:26:17.075034  130788 query.go:245] found dn="cn=staff,ou=Group,dc=acme,dc=net"
I0321 14:26:17.075052  130788 query.go:198] found
dn="cn=staff,ou=Group,dc=acme,dc=net" for (objectClass=*)
Error determining LDAP group membership for
"cn=staff,ou=Group,dc=acme,dc=net": membership lookup for user "jgutierr"
in group "cn=staff,ou=Group,dc=acme,dc=net" failed because of "could not
search by dn, invalid dn value: DN ended with incomplete type, value pair".
apiVersion: v1
items: []
kind: List
metadata: {}
membership lookup for user "jdoe" in group
"cn=staff,ou=Group,dc=acme,dc=net" failed because of "could not search by
dn, invalid dn value: DN ended with incomplete type, value pair"


On Tue, Mar 21, 2017 at 2:23 PM, Rodrigo Bersa <[email protected]> wrote:

> Hi Joseph,
>
> Yes, it's not possible to do a sync without an objectClass, but it is
> possible to use DN as objectClass. I had some problems syncing the
> LDAPGroups at a client before, and after changing the scopes and attributes a
> lot of times, I got to this LDAPSyncConfig, which works correctly. I think that
> you just need to find the right parameters =).
>
> kind: LDAPSyncConfig
> apiVersion: v1
> url: "ldap://ldapserver.client.com.br"
> insecure: true
> bindDN: "uid=openShiftAdm,ou=openShift,ou=accounts,O=CLIENT.COM"
> bindPassword: "password"
> rfc2307:
>     groupsQuery:
>         baseDN: "ou=openShift,ou=accounts,o=client.com"
>         scope: sub
>         derefAliases: never
>         filter: (objectClass=groupOfNames)
>     groupUIDAttribute: dn
>     groupNameAttributes: [ ou ]
>     groupMembershipAttributes: [ member ]
>     usersQuery:
>         baseDN: "O=CLIENT.COM"
>         scope: sub
>         derefAliases: never
>     userUIDAttribute: dn
>     userNameAttributes: [ uid ]
>     tolerateMemberNotFoundErrors: false
>     tolerateMemberOutOfScopeErrors: false
>
> Hope this can help!!
>
> Regards,
>
>
> Rodrigo Bersa
> Cloud Consultant | Red Hat Brasil
> [email protected] | M: +55 11 9 9557-5841
> Av. Brigadeiro Faria Lima 3900, 8° Andar. São Paulo, Brasil.
> RED HAT | TRIED. TESTED. TRUSTED. Find out why at redhat.com
> <https://www.redhat.com/pt-br/about/trusted>
>
> On Tue, Mar 21, 2017 at 10:02 AM, Joseph Lorenzini <[email protected]>
> wrote:
>
>> Hi all,
>>
>> I am following the documentation here:
>>
>> https://docs.openshift.org/latest/install_config/syncing_groups_with_ldap.html
>>
>>
>> I used a yaml config here:
>>
>> https://gist.github.com/jaloren/ec7b76feea980dd23d757c477680f751
>>
>>
>> Which failed with:
>>
>> error: validation of LDAP sync config failed: usersQuery.filter: Invalid
>> value: "(objectclass=inetOrgPerson)": cannot specify a filter when using
>> "dn" as the UID attribute
>>
>> Seems like the bug here in the docs has not actually been fixed.
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1381674
>>
>> But okay, so you can't use DN with an object class filter, that's fine. So
>> then I tried it without an object class but left everything else the same,
>> and now I see this:
>>
>> error: validation of LDAP sync config failed: groupsQuery.filter: Invalid
>> value: "": invalid query filter: LDAP Result Code 201 "": ldap: filter does
>> not start with an '('
>>
>> So if I can't use an object class with a DN as the UID attribute and I
>> can't do a sync without an object class, my questions are: how does one get
>> this to work where the DN is the UID attribute and if DN is not acceptable
>> for the UID attribute, then what is?
>>
>> Thanks,
>>
>> Joe
>>
>> _______________________________________________
>> users mailing list
>> [email protected]
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>
>>
>
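An added illustration of the failure in the logs above, not code from the thread or from OpenShift: with userUIDAttribute set to dn, each value of the membership attribute is used as a search base and so must parse as a DN, which a bare posixGroup memberUid such as "jdoe" cannot, whereas a groupOfNames member holding a full DN can. The parser below is a simplified stand-in for go-ldap's ParseDN (an assumption, not the library's code), and the sample group entries are constructed.

```python
from typing import Dict, List, Tuple

# Constructed sample entries (illustrative values, not from either directory):
# a posixGroup like Joseph's and a groupOfNames like Rodrigo's.
POSIX_GROUP = {"dn": "cn=staff,ou=Group,dc=acme,dc=net",
               "memberUid": ["jdoe", "jgutierr"]}
GROUP_OF_NAMES = {"dn": "cn=staff,ou=openShift,ou=accounts,o=client.com",
                  "member": ["uid=jdoe,ou=people,o=client.com"]}


def parse_dn(raw: str) -> List[Tuple[str, str]]:
    """Minimal RFC 4514 parser, a simplified stand-in for go-ldap's ParseDN
    (assumption: not the library's code). Returns (type, value) pairs and
    raises ValueError with the library's wording when a token has no '='."""
    pairs: List[Tuple[str, str]] = []
    buf: List[str] = []
    attr_type = None
    escaping = False
    for ch in raw:
        if escaping:                      # keep escaped ',', '=', '+', '\\' literally
            buf.append(ch)
            escaping = False
        elif ch == "\\":
            escaping = True
        elif ch == "=" and attr_type is None:
            attr_type, buf = "".join(buf).strip(), []
        elif ch in ",+":                  # end of one type=value pair
            if attr_type is None:
                raise ValueError("incomplete type, value pair")
            pairs.append((attr_type, "".join(buf)))
            attr_type, buf = None, []
        else:
            buf.append(ch)
    if buf and attr_type is None:         # e.g. "jdoe": a value with no type
        raise ValueError("DN ended with incomplete type, value pair")
    if attr_type is not None:
        pairs.append((attr_type, "".join(buf)))
    return pairs


def membership_problems(user_uid_attribute: str, group: Dict,
                        membership_attr: str) -> Dict[str, str]:
    """With userUIDAttribute 'dn' every membership value is used as a search
    base and must parse as a DN; with any other attribute the value is matched
    against that attribute under usersQuery and need not be a DN.
    Returns {value: error} for the values that would break the sync."""
    problems: Dict[str, str] = {}
    if user_uid_attribute.lower() != "dn":
        return problems
    for value in group.get(membership_attr, []):
        try:
            parse_dn(value)
        except ValueError as exc:
            problems[value] = f"could not search by dn, invalid dn value: {exc}"
    return problems
```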