Hi Joseph!
In the logs we can see:
Error determining LDAP group membership for "cn=staff,ou=Group,dc=acme,dc=net":
membership lookup for user "jgutierr" in group
"cn=staff,ou=Group,dc=acme,dc=net" failed because of "could not search by
dn, invalid dn value: DN ended with incomplete type, value pair".
And the usersQuery is set to:
baseDN: "ou=People,dc=acme,dc=net"
Maybe you can try setting the baseDN to a higher level, like
dc=acme,dc=net, so the ldapsearch can search/find anything below this.
Rodrigo Bersa
Cloud Consultant | Red Hat Brasil
[email protected] | M: +55 11 9 9557-5841
Av. Brigadeiro Faria Lima 3900, 8° Andar. São Paulo, Brasil.
RED HAT | TRIED. TESTED. TRUSTED. Learn why at redhat.com
<https://www.redhat.com/pt-br/about/trusted>
<http://www.redhat.com/es/about/trusted>
[image: Red Hat] <http://www.redhat.com.br>
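For readers following the thread below, here is an added illustration (not OpenShift's or go-ldap's code) of the two steps the error text refers to: parsing a string as an RFC 4514 DN, and building the user search for a value taken from the group's membership attribute. The function names `ParseDN`, `EscapeFilterValue` and `ResolveMember`, and the premise that a bare `memberUid` value like `jgutierr` is what reaches the DN parser when `userUIDAttribute: dn` is set, are assumptions made for this example; the inputs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// TypeValue is one attributeType=attributeValue pair inside an RDN.
type TypeValue struct {
	Type  string
	Value string
}

// ParseDN splits an RFC 4514 string DN into RDNs (comma separated), each made
// of one or more TypeValue pairs ('+' separated). A backslash escapes the next
// character; hex escapes such as \2c are kept as the literal two characters
// (a simplification in this illustration, not full RFC 4514 decoding). Input
// that ends before a '=' has been seen for the current pair is rejected with
// the same wording the sync log shows.
func ParseDN(s string) ([][]TypeValue, error) {
	if strings.TrimSpace(s) == "" {
		return nil, errors.New("DN is empty")
	}
	var (
		dn       [][]TypeValue
		rdn      []TypeValue
		buf      strings.Builder
		attrType string
		escaped  bool
	)
	// flush closes the pair being read; it fails if no '=' was seen.
	flush := func() error {
		if attrType == "" {
			return errors.New("DN ended with incomplete type, value pair")
		}
		rdn = append(rdn, TypeValue{Type: attrType, Value: buf.String()})
		attrType = ""
		buf.Reset()
		return nil
	}
	for _, r := range s {
		switch {
		case escaped:
			buf.WriteRune(r)
			escaped = false
		case r == '\\':
			escaped = true
		case r == '=' && attrType == "":
			attrType = strings.TrimSpace(buf.String())
			buf.Reset()
			if attrType == "" {
				return nil, errors.New("empty attribute type before '='")
			}
		case r == ',' || r == '+':
			if err := flush(); err != nil {
				return nil, err
			}
			if r == ',' {
				dn = append(dn, rdn)
				rdn = nil
			}
		default:
			buf.WriteRune(r)
		}
	}
	if escaped {
		return nil, errors.New("DN ended with a trailing escape character")
	}
	if err := flush(); err != nil {
		return nil, err
	}
	return append(dn, rdn), nil
}

// EscapeFilterValue applies RFC 4515 escaping so that a membership value
// interpolated into a search filter cannot change the filter's structure.
func EscapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		switch c := s[i]; c {
		case '\\', '*', '(', ')', 0:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// ResolveMember models the two ways a value from the group's membership
// attribute can become a user lookup (assumed model, not OpenShift's code).
// With uidIsDN (userUIDAttribute: dn) the value must itself parse as a DN;
// otherwise it is searched for as a uid under baseDN. Returns a description
// of the search that would be issued.
func ResolveMember(member string, uidIsDN bool, baseDN string) (string, error) {
	if uidIsDN {
		if _, err := ParseDN(member); err != nil {
			return "", fmt.Errorf("could not search by dn, invalid dn value: %w", err)
		}
		return "base=" + member + " scope=base filter=(objectClass=*)", nil
	}
	return "base=" + baseDN + " scope=sub filter=(uid=" + EscapeFilterValue(member) + ")", nil
}

func main() {
	// Constructed inputs: a bare memberUid value and a full user DN.
	for _, m := range []string{"jgutierr", "uid=jgutierr,ou=People,dc=acme,dc=net"} {
		q, err := ResolveMember(m, true, "ou=People,dc=acme,dc=net")
		fmt.Printf("as DN  %q -> %s %v\n", m, q, err)
		q, err = ResolveMember(m, false, "ou=People,dc=acme,dc=net")
		fmt.Printf("as uid %q -> %s %v\n", m, q, err)
	}
}
```

Running it shows the bare value failing the DN parse with exactly the "incomplete type, value pair" wording while the full DN passes, and shows the uid-based path producing an escaped filter; the escaping matters because directory attribute values are data a sync job should never splice into a filter unescaped.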
On Tue, Mar 21, 2017 at 4:34 PM, Joseph Lorenzini <[email protected]> wrote:
> Hi Rodrigo,
>
> Yea, I figured as much. I am kinda tearing my hair out. It's certainly
> possible there's something wrong with my user input, but trying to figure
> out why it's having problems is really difficult. I have actually started
> tracing through the actual Go code to see if I can figure out why it's
> having such problems. Here's my latest configuration. It's not much
> different than what you have except the groupNameAttributes is set to cn
> instead of ou. I even tcpdumped the LDAP communication -- nada.
>
> kind: LDAPSyncConfig
> apiVersion: v1
> url: ldap://server:389
> insecure: true
> rfc2307:
>   groupsQuery:
>     baseDN: "ou=Group,dc=acme,dc=net"
>     scope: sub
>     derefAliases: never
>     pageSize: 0
>     filter: (objectClass=posixGroup)
>   groupUIDAttribute: dn
>   groupNameAttributes: [ cn ]
>   groupMembershipAttributes: [ memberUid ]
>   usersQuery:
>     baseDN: "ou=People,dc=acme,dc=net"
>     scope: sub
>     derefAliases: never
>     pageSize: 0
>   userUIDAttribute: dn
>   userNameAttributes: [ uid ]
>   tolerateMemberNotFoundErrors: false
>   tolerateMemberOutOfScopeErrors: false
>
>
> It successfully finds the group *and* the list of users in the group. But
> when it tries to do a membership lookup it fails with the following. I
> don't know why it's having this particular problem with the DN. Is it
> somehow having an issue trying to create the user DN and matching that to
> the memberUid attribute in the group?
>
> membership lookup for user "jdoe" in group "cn=staff,ou=Group,dc=acme,dc=net"
> failed because of "could not search by dn, invalid dn value: DN ended with
> incomplete type, value pair"
>
>
> Here are the logs.
>
> I0321 14:26:17.070608 130788 groupsyncer.go:56] Listing with
> &{[cn=staff,ou=Group,dc=acme,dc=net]}
> I0321 14:26:17.070699 130788 groupsyncer.go:62] Sync ldapGroupUIDs
> [cn=staff,ou=Group,dc=acme,dc=net]
> I0321 14:26:17.070707 130788 groupsyncer.go:65] Checking LDAP group
> cn=staff,ou=Group,dc=acme,dc=net
> I0321 14:26:17.071770 130788 query.go:228] searching LDAP server with
> config {Scheme: ldap Host: server:389 BindDN: len(BbindPassword): 0
> Insecure: true} with dn="cn=staff,ou=Group,dc=acme,dc=net" and scope 0
> for (objectClass=*) requesting [cn dn memberUid]
> I0321 14:26:17.075034 130788 query.go:245] found dn="cn=staff,ou=Group,dc=acme,dc=net"
> I0321 14:26:17.075052 130788 query.go:198] found
> dn="cn=staff,ou=Group,dc=acme,dc=net" for (objectClass=*)
> Error determining LDAP group membership for
> "cn=staff,ou=Group,dc=acme,dc=net":
> membership lookup for user "jgutierr" in group
> "cn=staff,ou=Group,dc=acme,dc=net" failed because of "could not search by
> dn, invalid dn value: DN ended with incomplete type, value pair".
> apiVersion: v1
> items: []
> kind: List
> metadata: {}
> membership lookup for user "jdoe" in group "cn=staff,ou=Group,dc=acme,dc=net"
> failed because of "could not search by dn, invalid dn value: DN ended with
> incomplete type, value pair"
>
>
> On Tue, Mar 21, 2017 at 2:23 PM, Rodrigo Bersa <[email protected]> wrote:
>
>> Hi Joseph,
>>
>> Yes, it's not possible to do a sync without an objectClass, but it's
>> possible to use DN as objectClass. I had some problems syncing the
>> LDAP groups at a client before, and after changing the scopes and attributes a
>> lot of times, I got to this LDAPSyncConfig, which works correctly. I think that
>> you just need to find the right parameters =).
>>
>> kind: LDAPSyncConfig
>> apiVersion: v1
>> url: "ldap://ldapserver.client.com.br"
>> insecure: true
>> bindDN: "uid=openShiftAdm,ou=openShift,ou=accounts,O=CLIENT.COM"
>> bindPassword: "password"
>> rfc2307:
>>   groupsQuery:
>>     baseDN: "ou=openShift,ou=accounts,o=client.com"
>>     scope: sub
>>     derefAliases: never
>>     filter: (objectClass=groupOfNames)
>>   groupUIDAttribute: dn
>>   groupNameAttributes: [ ou ]
>>   groupMembershipAttributes: [ member ]
>>   usersQuery:
>>     baseDN: "O=CLIENT.COM"
>>     scope: sub
>>     derefAliases: never
>>   userUIDAttribute: dn
>>   userNameAttributes: [ uid ]
>>   tolerateMemberNotFoundErrors: false
>>   tolerateMemberOutOfScopeErrors: false
>>
>> Hope this can help!!
>>
>> Regards,
>>
>>
>>
>> On Tue, Mar 21, 2017 at 10:02 AM, Joseph Lorenzini <[email protected]>
>> wrote:
>>
>>> Hi all,
>>>
>>> I am following the documentation here:
>>>
>>> https://docs.openshift.org/latest/install_config/syncing_groups_with_ldap.html
>>>
>>>
>>> I used a yaml config here:
>>>
>>> https://gist.github.com/jaloren/ec7b76feea980dd23d757c477680f751
>>>
>>>
>>> Which failed with:
>>>
>>> error: validation of LDAP sync config failed: usersQuery.filter: Invalid
>>> value: "(objectclass=inetOrgPerson)": cannot specify a filter when using
>>> "dn" as the UID attribute
>>>
>>> Seems like the bug here in the docs has not actually been fixed.
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1381674
>>>
>>> But okay, so you can't use DN with an object class filter, that's fine. So
>>> then I tried it without an object class but left everything else the same,
>>> and now I see this:
>>>
>>> error: validation of LDAP sync config failed: groupsQuery.filter:
>>> Invalid value: "": invalid query filter: LDAP Result Code 201 "": ldap:
>>> filter does not start with an '('
>>>
>>> So if I can't use an object class with a DN as the UID attribute and I
>>> can't do a sync without an object class, my questions are: how does one get
>>> this to work where the DN is the UID attribute and if DN is not acceptable
>>> for the UID attribute, then what is?
>>>
>>> Thanks,
>>>
>>> Joe
>>>
>>> _______________________________________________
>>> users mailing list
>>> [email protected]
>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>>
>>>
>>
>