rancher v2.2.3
FreeIPA, Version: 4.7.90
LDIF data of FreeIPA (shortened to relevant attributes):
- user example
dn: uid=fmax.test,cn=users,cn=accounts,dc=domain,dc=com
uid: fmax.test
cn: fmax test
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com
memberOf: cn=developers,cn=groups,cn=accounts,dc=domain,dc=com
memberOf: cn=testgruppe1,cn=groups,cn=accounts,dc=domain,dc=com
- group example
dn: cn=developers,cn=groups,cn=accounts,dc=domain,dc=com
objectClass: posixgroup
objectClass: nestedgroup
objectClass: groupofnames
cn: developers
member: uid=fmax.test,cn=users,cn=accounts,dc=domain,dc=com
Enabled debug for Rancher: https://rancher.com/docs/rancher/v2.5/en/faq/technical/
site access setting: Allow members of Clusters, Projects, plus Authorized Users and Organizations
developers (searching for groups is working)
When I try to log in with user fmax.test, which is a member of group developers, it doesn't work.
In the logs you can see the search result and the user's group query:
2019/05/29 15:36:44 [DEBUG] SearchResult memberOf attribute {[cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com cn=developers,cn=groups,cn=accounts,dc=domain,dc=com]}
2019/05/29 15:36:44 [DEBUG] Ldap: Query for pulling user’s groups: (&(objectClass=groupofnames)(|(entrydn=cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com)(entrydn=cn=developers,cn=groups,cn=accounts,dc=domain,dc=com)))
And that seems to be the problem.
That's with the default settings of the GUI menu "Customize Schema".
I tried a lot of different LDAP attributes, but didn't get it working.
Changing the Group DN Attribute also changes the debug output, for example with member:
So you get logs with: Ldap: Query for pulling user's groups: (&(objectClass=groupofnames)(|(member=cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com)(member=cn=developers,cn=groups,cn=accounts,dc=domain,dc=com)))
But I think this should use the user's DN instead of the group DN:
member=uid=fmax.test,cn=users,cn=accounts,dc=domain,dc=com
I also tried to set the user search base to cn=accounts,dc=domain,dc=com and to cn=users,cn=accounts,dc=domain,dc=com,
also with the group search base left empty or set to cn=groups,cn=accounts,dc=domain,dc=com.
Sadly nothing works as expected.
Does someone have a working setup with Rancher v2.2.3 and could tell me, please?
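Added example (not part of the post and not Rancher's code): an offline evaluator for the filter shapes quoted above, run over entries constructed from the LDIF excerpt, to show which combination of Group DN Attribute and substituted DN makes the groupofnames query match. It assumes entrydn behaves as the entry's own DN (389-ds, FreeIPA's directory, serves it as a virtual attribute); the entries, USER_DN and USER_GROUPS are constructed from the post.

```python
# Constructed from the LDIF in the post (attribute names and values kept lowercase).
ENTRIES = [
    {"dn": "uid=fmax.test,cn=users,cn=accounts,dc=domain,dc=com",
     "objectclass": ["person", "organizationalperson", "inetorgperson", "inetuser", "posixaccount"],
     "memberof": ["cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com",
                  "cn=developers,cn=groups,cn=accounts,dc=domain,dc=com",
                  "cn=testgruppe1,cn=groups,cn=accounts,dc=domain,dc=com"]},
    {"dn": "cn=developers,cn=groups,cn=accounts,dc=domain,dc=com",
     "objectclass": ["posixgroup", "nestedgroup", "groupofnames"],
     "member": ["uid=fmax.test,cn=users,cn=accounts,dc=domain,dc=com"]},
]
USER_DN = "uid=fmax.test,cn=users,cn=accounts,dc=domain,dc=com"
# The memberOf values Rancher logged in the SearchResult line of the post.
USER_GROUPS = ["cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com",
               "cn=developers,cn=groups,cn=accounts,dc=domain,dc=com"]

def parse_filter(s, i=0):
    """Parse the RFC 4515 subset Rancher emits: (&...), (|...), (attr=value); returns (node, next index)."""
    if s[i + 1] in "&|":
        op, i, kids = s[i + 1], i + 2, []
        while s[i] == "(":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, value = s[i + 1:end].split("=", 1)   # split once: DN values contain '='
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    _, attr, value = node
    # ASSUMPTION: entrydn is modelled as the entry's own DN (389-ds serves it as a virtual attribute).
    values = [entry["dn"]] if attr == "entrydn" else entry.get(attr, [])
    return value in [v.lower() for v in values]

def search(filter_str):
    node, _ = parse_filter(filter_str)
    return [e["dn"] for e in ENTRIES if matches(node, e)]

def rancher_group_query(group_dn_attr, dns):
    """Build the query shape seen in the post: (&(objectClass=groupofnames)(|(<attr>=<dn>)...))."""
    return "(&(objectClass=groupofnames)(|" + "".join(f"({group_dn_attr}={d})" for d in dns) + "))"

if __name__ == "__main__":
    for attr, dns in (("entrydn", USER_GROUPS), ("member", USER_GROUPS), ("member", [USER_DN])):
        print(f"{attr} with {'group' if dns is USER_GROUPS else 'user'} DN(s): {search(rancher_group_query(attr, dns))}")
```

With member as Group DN Attribute, the query only matches the developers group when the user's DN (not the group DNs) is substituted, which is the mismatch the post describes.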