Freeipa ldap group problem

Rancher 2.x
1

rancher v2.2.3
FreeIPA, Version: 4.7.90

LDIF data of freeipa (shortened to relevant attributes):

  • user example
    dn: uid=fmax.test,cn=users,cn=accounts,dc=domain,dc=com
    uid: fmax.test
    cn: fmax test
    objectClass: person
    objectClass: organizationalperson
    objectClass: inetorgperson
    objectClass: inetuser
    objectClass: posixaccount
    memberOf: cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com
    memberOf: cn=developers,cn=groups,cn=accounts,dc=domain,dc=com
    memberOf: cn=testgruppe1,cn=groups,cn=accounts,dc=domain,dc=com

  • group example
    dn: cn=developers,cn=groups,cn=accounts,dc=domain,dc=com
    objectClass: posixgroup
    objectClass: nestedgroup
    objectClass: groupofnames
    cn: developers
    member: uid=fmax.test,cn=users,cn=accounts,dc=domain,dc=com

enabled debug for rancher: https://rancher.com/docs/rancher/v2.5/en/faq/technical/

site access setting: Allow members of Clusters, Projects, plus Authorized Users and Organizations
developers (searching for groups is working)

when i try to login with user fmax.test which is member of group developers it doesn’t work.

in the logs you could see the search result and users group query:

2019/05/29 15:36:44 [DEBUG] SearchResult memberOf attribute {[cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com cn=developers,cn=groups,cn=accounts,dc=domain,dc=com]}
2019/05/29 15:36:44 [DEBUG] Ldap: Query for pulling user’s groups: (&(objectClass=groupofnames)(|(entrydn=cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com)(entrydn=cn=developers,cn=groups,cn=accounts,dc=domain,dc=com)))

and that seems to be the problem.
that’s with default settings of gui menu customize schema
i did a lot of tries with different ldap attributes, but didn’t get it working.

changing attribute for Group DN Attribute also changes the debug output - example: member.
so you get logs with Ldap: Query for pulling user’s groups: (&(objectClass=groupofnames)(|(member=cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com)(member=cn=developers,cn=groups,cn=accounts,dc=domain,dc=com)))

but i think this should get to use the users DN instead of group DN:
member=uid=fmax.test,cn=users,cn=accounts,dc=domain,dc=com

i also tried to set user search base to cn=accounts,dc=domain,dc=com and cn=users,cn=accounts,dc=domain,dc=com
also with group search base let empty or set to cn=groups,cn=accounts,dc=domain,dc=com

sadly nothing does work as expected.
has someone a working setup with rancher v2.2.3 and could tell me please?

sh2
sh21234×965 41.9 KB

2

I have the same problem as you, have you solved it?

3

I have the same problem. Rancher version is v2.5.8