Hi Joseph,
Have you tried setting both of these to cn? Or changing both to uid?

    userUIDAttribute: dn
    userNameAttributes: [ uid ]

I think we changed all of our attributes to cn, for example, to get it working.

    attributes:
      id: ['cn']
      name: ['cn']
      preferredUsername: ['cn']

-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of
[email protected]
Sent: Tuesday, March 21, 2017 2:47 PM
To: [email protected]
Subject: users Digest, Vol 56, Issue 44
Today's Topics:
1. Re: syncing ldap groups with openshift 1.4 (Joseph Lorenzini)
2. Re: syncing ldap groups with openshift 1.4 (Rodrigo Bersa)
----------------------------------------------------------------------
Message: 1
Date: Tue, 21 Mar 2017 14:34:28 -0500
From: Joseph Lorenzini <[email protected]>
To: Rodrigo Bersa <[email protected]>
Cc: [email protected]
Subject: Re: syncing ldap groups with openshift 1.4
Message-ID:
<camvd0vjjhxkrdtb-lqa-hpulf-v2imvisaz1akdkf4n305n...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Hi Rodrigo,
Yea, I figured as much. I am kinda tearing my hair out. It's certainly possible
there's something wrong with my user input, but trying to figure out why it's
having a problem is really difficult. I have actually started tracing through the
actual Go code to see if I can figure out why it's having such problems. Here's
my latest configuration. It's not much different than what you have except the
groupNameAttributes is set to cn instead of ou. I even tcpdumped the LDAP
communication -- nada.

    kind: LDAPSyncConfig
    apiVersion: v1
    url: ldap://server:389
    insecure: true
    rfc2307:
        groupsQuery:
            baseDN: "ou=Group,dc=acme,dc=net"
            scope: sub
            derefAliases: never
            pageSize: 0
            filter: (objectClass=posixGroup)
        groupUIDAttribute: dn
        groupNameAttributes: [ cn ]
        groupMembershipAttributes: [ memberUid ]
        usersQuery:
            baseDN: "ou=People,dc=acme,dc=net"
            scope: sub
            derefAliases: never
            pageSize: 0
        userUIDAttribute: dn
        userNameAttributes: [ uid ]
        tolerateMemberNotFoundErrors: false
        tolerateMemberOutOfScopeErrors: false

It successfully finds the group *and* the list of users in the group. But when it
tries to do a membership lookup it fails with the following. I don't know why
it's having this particular problem with the DN. Is it somehow having an issue
trying to create the user DN and matching that to the memberUID attribute in
the group?
membership lookup for user "jdoe" in group "cn=staff,ou=Group,dc=acme,dc=net"
failed because of "could not search by dn, invalid dn value: DN ended with
incomplete type, value pair"
Here are the logs.

    I0321 14:26:17.070608 130788 groupsyncer.go:56] Listing with &{[cn=staff,ou=Group,dc=acme,dc=net]}
    I0321 14:26:17.070699 130788 groupsyncer.go:62] Sync ldapGroupUIDs [cn=staff,ou=Group,dc=acme,dc=net]
    I0321 14:26:17.070707 130788 groupsyncer.go:65] Checking LDAP group cn=staff,ou=Group,dc=acme,dc=net
    I0321 14:26:17.071770 130788 query.go:228] searching LDAP server with config {Scheme: ldap Host: server:389 BindDN: len(BbindPassword): 0 Insecure: true} with dn="cn=staff,ou=Group,dc=acme,dc=net" and scope 0 for (objectClass=*) requesting [cn dn memberUid]
    I0321 14:26:17.075034 130788 query.go:245] found dn="cn=staff,ou=Group,dc=acme,dc=net"
    I0321 14:26:17.075052 130788 query.go:198] found dn="cn=staff,ou=Group,dc=acme,dc=net" for (objectClass=*)
    Error determining LDAP group membership for "cn=staff,ou=Group,dc=acme,dc=net": membership lookup for user "jgutierr" in group "cn=staff,ou=Group,dc=acme,dc=net" failed because of "could not search by dn, invalid dn value: DN ended with incomplete type, value pair".
    apiVersion: v1
    items: []
    kind: List
    metadata: {}

membership lookup for user "jdoe" in group "cn=staff,ou=Group,dc=acme,dc=net"
failed because of "could not search by dn, invalid dn value: DN ended with
incomplete type, value pair"
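
Added example, not part of the original thread and not OpenShift's own code: with userUIDAttribute: dn, each value of the group membership attribute is used as the DN to search for, while memberUid on a posixGroup holds bare usernames such as "jdoe". The sketch below checks membership values against the configured userUIDAttribute; looksLikeDN and checkMembers are hypothetical names, and the DN test is a simplified stand-in for a real RFC 4514 parser.

```go
package main

import (
	"fmt"
	"strings"
)

// looksLikeDN is a simplified check (assumption, not a full RFC 4514 parser):
// every comma-separated RDN must have a non-empty type and value around "=".
// Escaped commas and multi-valued RDNs are not handled.
func looksLikeDN(s string) bool {
	for _, rdn := range strings.Split(s, ",") {
		parts := strings.SplitN(strings.TrimSpace(rdn), "=", 2)
		if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
			return false
		}
	}
	return true
}

// checkMembers returns the membership values that do not fit the configured
// userUIDAttribute. With "dn" the value is used as a search base and must be
// a DN; with any other attribute it is compared in an equality filter, so a
// DN-shaped value is flagged as a likely mismatch (heuristic).
func checkMembers(userUIDAttribute string, members []string) []string {
	var bad []string
	for _, m := range members {
		if (userUIDAttribute == "dn") != looksLikeDN(m) {
			bad = append(bad, m)
		}
	}
	return bad
}

func main() {
	// Constructed sample: memberUid values as a posixGroup stores them.
	posix := []string{"jdoe", "asmith"}
	// Constructed sample: member values as a groupOfNames stores them.
	byDN := []string{"uid=jdoe,ou=People,dc=acme,dc=net"}

	fmt.Println("userUIDAttribute=dn  + memberUid:", checkMembers("dn", posix))
	fmt.Println("userUIDAttribute=uid + memberUid:", checkMembers("uid", posix))
	fmt.Println("userUIDAttribute=dn  + member:   ", checkMembers("dn", byDN))
}
```

Only the first combination, the one in the configuration above, reports mismatched values; the other two come back empty.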