[katello-devel] LDAP Authentication in Katello

Bryan Kearney bkearney at redhat.com
Wed Sep 26 12:22:46 UTC 2012


I assume this made it on the wiki :)

-- bk

On 09/26/2012 06:41 AM, Dmitri Dolguikh wrote:
> Did you get this figured out? Also, pls. see below my answers...
>
> On 24/09/12 07:20 PM, James Labocki wrote:
>> I worked with Dmitri over IRC just now. We changed /etc/ldap_fluff.yml
>> to reference base_dn without cn=users,cn=accounts.
>>
>> /etc/ldap_fluff.yml
>>
>> ---
>> host: idm.server.example.com
>> port: 389
>> encryption:
>> base_dn: dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
>> group_base: cn=groups,cn=accounts,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
>> server_type: :free_ipa
>> service_user: uid=admin,cn=users,cn=accounts,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
>> service_pass: password
>> anon_queries: false
>> ad_domain:
>>
>> After that we ran into this error in the UI when attempting to log
>> into https://systemengine/katello/
>>
>> Could not bind to FreeIPA Query User
>> (LdapFluff::FreeIPA::UnauthenticatedFreeIPAException)
>>
>> Dmitri suggested that the log was complaining about groups. I edited
>> /etc/katello/katello.yml and changed ldap_roles to "false" and then
>> `katello-service restart`. We can now log in as a user "admin", but we
>> do not see any organizations and don't have administrator privileges
>> with that user. What is the next step to troubleshoot this?
>>
>> Also, some other questions.
>>
>> 1. How do users get mapped to groups?
> On login, User instance is updated with roles from ldap (that are
> located at dn specified by 'group_base' configuration parameter). The
> user keeps non-ldap roles assigned to it.
>
>> 2. How do users get assigned to organizations?
>
> No changes compared to non-ldap logins.
>
>> 3. How does katello detect the administrator via ldap?
> See my answer to #1.
>
> Pls. let me know if this helps, or you have questions,
> -d
>>
>> -James
>>
>>
>>
>>
>> ----- Original Message -----
>>> From: "Dmitri Dolguikh" <dmitri at redhat.com>
>>> Cc: katello-devel at redhat.com
>>> Sent: Monday, September 24, 2012 11:08:32 AM
>>> Subject: Re: [katello-devel] LDAP Authentication in Katello
>>>
>>> On 24/09/12 03:59 PM, James Labocki wrote:
>>>> Thanks Dmitri,
>>>>
>>>> I changed the /etc/ldap_fluff.yml to the following
>>>>
>>>> ---
>>>> host: rhc-idm.lab.eng.bos.redhat.com
>>>> port: 389
>>>> encryption:
>>>> base_dn: cn=users,cn=accounts,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
>>>> group_base: cn=groups,cn=accounts,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
>>>> server_type: :free_ipa
>>>> service_user: uid=admin,cn=users,cn=accounts,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
>>>> service_pass: password
>>>> anon_queries: false
>>>> ad_domain:
>>>>
>>>> unfortunately it still does not allow me to log in as the user
>>>> (jsmith) I have created. The only log entry in
>>>> /var/log/katello/*.log when I try to login is the following:
>>> Hrm. I assume you can bind using jsmith? You could try authentication
>>> from rails console (start by running 'script/rails c'). You can see
>>> the code in lib/ldap.rb.
>>>
>>> Alternatively, if you have an ssh running on this box, I could take a
>>> look too.
>>> -d
>>>
>>>> ==> /var/log/katello/production.log <==
>>>> [ WARN: 2012-09-24 10:51:38 #951] Request is unauthenticated_ui for
>>>> 127.0.0.1
>>>>
>>>> I have verified I have a user jsmith in the base_dn via ldapsearch:
>>>>
>>>> (dn:uid=jsmith,cn=users,cn=accounts,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com)
>>>>
>>>>
>>>> Is there somewhere else I can look for why the authentication
>>>> request failed?
>>>>
>>>> Does katello not recursively search the directory under the base_dn
>>>> for users?
>>>>
>>>>
>>>> -James
>>>>
>>>>
>>>>
>>>>
>>>> ----- Original Message -----
>>>>> From: "Dmitri Dolguikh" <dmitri at redhat.com>
>>>>> To: katello-devel at redhat.com
>>>>> Sent: Monday, September 24, 2012 10:30:15 AM
>>>>> Subject: Re: [katello-devel] LDAP Authentication in Katello
>>>>>
>>>>> I'd check base_dn.
>>>>>
>>>>> User dn is arrived at by joining user id and base_dn. I suspect you
>>>>> can't log in because warden is looking for the user in
>>>>> "dc=lab,dc=eng,dc=bos,dc=redhat,dc=com", while its actual location is
>>>>> "cn=users,cn=accounts,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com".
>>>>>
>>>>> -d
>>>>>
>>>>> On 21/09/12 09:45 PM, James Labocki wrote:
>>>>>> I am attempting to get LDAP authentication with katello working.
>>>>>>
>>>>>> I changed the default /etc/katello/katello.yml to have the
>>>>>> following:
>>>>>>
>>>>>> common:
>>>>>>
>>>>>>      warden:  ldap
>>>>>>      ldap_roles: true
>>>>>>
>>>>>>
>>>>>> I changed the default /etc/ldap_fluff.yml to have the following:
>>>>>>
>>>>>> ---
>>>>>> host: rhc-idm.lab.eng.bos.redhat.com
>>>>>> port: 389
>>>>>> encryption:
>>>>>> base_dn: dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
>>>>>> group_base: cn=groups,cn=accounts,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
>>>>>> server_type: :free_ipa
>>>>>> service_user: uid=admin,cn=users,cn=accounts,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
>>>>>> service_pass: mypassword
>>>>>> anon_queries: false
>>>>>> ad_domain:
>>>>>>
>>>>>> When I restart the katello service I am unable to login using my
>>>>>> local or ldap user. I receive the following error message:
>>>>>>
>>>>>> "You have entered an incorrect username/password combination, or
>>>>>> your account may currently be disabled. Please try again or
>>>>>> contact your administrator."
>>>>>>
>>>>>> I am able to bind to the directory server with the following
>>>>>> command:
>>>>>>
>>>>>> ldapsearch -D
>>>>>> "uid=admin,cn=users,cn=accounts,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com"
>>>>>> -w mypassword -p 389 -h rhc-idm.lab.eng.bos.redhat.com -b
>>>>>> "dc=lab,dc=eng,dc=bos,dc=redhat,dc=com"
>>>>>>
>>>>>> What am I doing wrong?
>>>>>>
>>>>>> -James
>>>>>> m: 440.503.9996
>>>>>>
>>>>>> _______________________________________________
>>>>>> katello-devel mailing list
>>>>>> katello-devel at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/katello-devel
>
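The thread's diagnosis rests on one rule Dmitri states: the DN that Katello binds with is the user id joined onto `base_dn`, with no search of the subtree below it, so a `base_dn` one level too high (the domain root instead of `cn=users,cn=accounts,...`) produces a login failure that the UI reports only as a bad username/password. The Ruby below is an added example, not ldap_fluff or Katello code: it applies that rule to a copy of the posted `/etc/ldap_fluff.yml` and the DN that `ldapsearch` returned for jsmith, and it also flags the empty `encryption:` line, since a plain bind on port 389 sends both the user's password and `service_pass` across the network unprotected. The helper names (`check_ldap_fluff`, `base_dn_for`, `expected_user_dn`) are hypothetical, and the YAML constant is constructed from the config as posted in the thread.

```ruby
require 'yaml'

# Constructed sample: the ldap_fluff.yml from James's first message
# (base_dn at the domain root, encryption left empty).
SAMPLE_LDAP_FLUFF_YML = <<~YAML
  ---
  host: rhc-idm.lab.eng.bos.redhat.com
  port: 389
  encryption:
  base_dn: dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
  group_base: cn=groups,cn=accounts,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
  server_type: :free_ipa
  service_user: uid=admin,cn=users,cn=accounts,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com
  service_pass: password
  anon_queries: false
  ad_domain:
YAML

# The DN that ldapsearch returned for the test user in the thread.
JSMITH_DN = 'uid=jsmith,cn=users,cn=accounts,dc=lab,dc=eng,dc=bos,dc=redhat,dc=com'

# Normalise a DN for comparison: split into RDNs, trim, lower-case.
def dn_components(dn)
  dn.to_s.split(',').map { |rdn| rdn.strip.downcase }
end

# Dmitri's rule: the bind DN is the uid joined with base_dn (no subtree search).
def expected_user_dn(uid, base_dn)
  "uid=#{uid},#{base_dn}"
end

# The container that directly holds the user entry, i.e. the base_dn that
# makes expected_user_dn() match the real DN (hypothetical helper).
def base_dn_for(actual_user_dn)
  actual_user_dn.split(',', 2).last
end

# Parse the YAML and return [[code, message], ...]; an empty array means
# the config is consistent with the DN the directory actually holds.
def check_ldap_fluff(yaml_text, uid, actual_user_dn)
  # `:free_ipa` is loaded as a Symbol, so Symbol must be permitted explicitly.
  cfg = YAML.safe_load(yaml_text, permitted_classes: [Symbol])
  findings = []

  expected = expected_user_dn(uid, cfg['base_dn'])
  if dn_components(expected) != dn_components(actual_user_dn)
    findings << [:base_dn_mismatch,
                 "login will bind as #{expected} but the directory holds the user at " \
                 "#{actual_user_dn}; set base_dn to the container that directly holds the users"]
  end

  # An empty `encryption:` means a plain LDAP bind: user passwords and
  # service_pass cross the wire in cleartext (389 is the plain LDAP port).
  enc = cfg['encryption']
  if enc.nil? || enc.to_s.strip.empty?
    findings << [:cleartext_bind,
                 "encryption is not set (port #{cfg['port']}); bind passwords are sent in cleartext"]
  end

  # With anon_queries disabled the service account must be able to bind.
  pass = cfg['service_pass']
  if cfg['anon_queries'] == false && (pass.nil? || pass.to_s.empty?)
    findings << [:missing_service_pass, 'anon_queries is false but no service_pass is configured']
  end

  findings
end

if __FILE__ == $PROGRAM_NAME
  check_ldap_fluff(SAMPLE_LDAP_FLUFF_YML, 'jsmith', JSMITH_DN).each do |code, msg|
    puts "#{code}: #{msg}"
  end
end
```

Running it against the posted config reports both the `base_dn` mismatch and the cleartext bind; rewriting `base_dn` to `base_dn_for(JSMITH_DN)` clears the first finding but not the second, which only an `encryption` setting (or an LDAPS port) addresses.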