LDAP group mapping

I’m currently testing a new Rancher installation set up via helm on a three-node Kubernetes cluster. The installation itself was pretty straightforward and works so far. But now I also want to add users authenticated via ActiveDirectory.

For this I configured a proper “Auth Provider” like:

  • Login with the “local-admin” credentials and click on “User & Authentication”
  • Choose “Auth Provider”
  • Click on “ActiveDirectory” and configure the following parameters
    • Hostname: our-ldap.server.com
    • Port: 3269
    • TLS: enabled
    • Certificate: use our “root-ca” (in “BEGIN CERTIFICATE/END CERTIFICATE” format)
    • Service Account Distinguished Name: our-domain\some-ro-account
    • Service Account Password: somepassword
    • User Search Base: DC=domain,DC=tld
    • Group Search Base: DC=domain,DC=tld
    • Login Attribute: userPrincipalName
    • User Member Attribute: memberOf
    • Search Attribute (for Users): userPrincipalName
    • Search Attribute (for Groups): sAMAccountName
    • Test and Enable Authentication
      • Username: myadminuser@our-domain.com with my password

Then I selected “Restrict access to only the authorized users & groups” and added two groups to the “Authorized Users & Groups” section (let’s call them “normal-user” and “admin-user”).

Then I logged in with “myadminuser@our-domain.com” - everything looking fine so far.

Additionally I now added two “Groups”:

  • “normal-user” should map to the “User Base” role
  • “admin-user” should map to the “Admin” role

After that I logged in from another browser in incognito mode with my “normal-user”. The new user was immediately created BUT the group mapping didn’t work at all. The logs didn’t show anything. My “normal-user” was created with the “Standard User” global role.
Then I asked a colleague to log in with his admin-user - same problem, Rancher created his account also as “Standard User” even though the “Groups” config should set him as “Admin”.

I checked the “Auth Provider” config again and spotted that the “User Member Attribute” was empty - I tried to set it several times, it somehow is not saved. Is this maybe the issue?

Also I tried several times pushing the “Refresh Group Memberships” buttons in “Users” and “Groups”, but they seem to do nothing.

So what am I doing wrong? Do I understand something wrong?

I’m currently testing with v2.8.5 as I want to test some upgrades later, but searching through the past changelogs, I could not find any mention of LDAP/ActiveDirectory issues that could point to this problem.

Any help desperately appreciated :frowning:
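An added check (example code, not from this post or from Rancher) that replays the two lookups the Auth Provider config above relies on, the user by userPrincipalName with its memberOf values and the authorized groups by sAMAccountName, against constructed ldapsearch output, to see which configured group and thus which mapped role a login would resolve to. The role precedence (Admin over User-Base) and the sample directory entries are assumptions for illustration.

```python
# Offline check of the AD lookups the Auth Provider config performs
# (userPrincipalName -> memberOf, groups by sAMAccountName). Example code, not
# Rancher's logic. Real input: the same queries with the post's settings, e.g.
#   LDAPTLS_CACERT=root-ca.pem ldapsearch -LLL -H ldaps://our-ldap.server.com:3269 \
#     -D 'our-domain\some-ro-account' -W -b 'DC=domain,DC=tld' \
#     '(userPrincipalName=myadminuser@our-domain.com)' memberOf
import base64
import re

# Group-to-role mapping as configured in the post (role precedence is assumed).
GROUP_ROLES = {"admin-user": "Admin", "normal-user": "User-Base"}
DEFAULT_ROLE = "Standard User"

def parse_ldif(text):
    """Parse LDIF into [{attr: [values]}]; unfolds lines, decodes base64 ('::')."""
    entries = []
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text.strip())):
        attrs = {}
        for line in block.splitlines():
            m = re.match(r"^([\w;-]+)(::?) ?(.*)$", line)
            if m:
                name, sep, value = m.groups()
                if sep == "::":
                    value = base64.b64decode(value).decode("utf-8")
                attrs.setdefault(name, []).append(value)
        if attrs:
            entries.append(attrs)
    return entries

def effective_role(user_ldif, groups_ldif):
    """Match the user's memberOf DNs to the groups found by sAMAccountName and
    return (role, matched group names); default role when nothing matches."""
    member_of = {dn.lower() for dn in parse_ldif(user_ldif)[0].get("memberOf", [])}
    matched = sorted(g["sAMAccountName"][0] for g in parse_ldif(groups_ldif)
                     if g["dn"][0].lower() in member_of)  # DN match is case-insensitive
    for name in ("admin-user", "normal-user"):  # assumed: Admin outranks User-Base
        if name in matched:
            return GROUP_ROLES[name], matched
    return DEFAULT_ROLE, matched

# Constructed sample ldapsearch output (not real directory data).
USER_LDIF = """dn: CN=My Admin,OU=Staff,DC=domain,DC=tld
userPrincipalName: myadminuser@our-domain.com
description:: UmFuY2hlciBhZG1pbnM=
memberOf: CN=admin-user,OU=Groups,DC=domain,DC=tld
"""
GROUPS_LDIF = """dn: CN=admin-user,OU=Groups,DC=domain,DC=tld
sAMAccountName: admin-user

dn: CN=normal-user,OU=Groups,DC=domain,DC=tld
sAMAccountName: normal-user
"""
```

If memberOf comes back empty for a user that is in the group, the directory side (group scope, nested membership, the service account’s read rights) is the place to look before the Rancher mapping.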

I now did several tests and reset the rancher-cluster several times. It looks like it is working and all the confusion is “intentional”.

Again I set the auth-provider, and this time, for the “testing” account that becomes an admin account (whoever thought this is a cool idea should be 24/7 slapped imho), I used the same account that is configured as the service account for connecting to the LDAP server.

  • Then I changed the default role template to be used for new users to be the “User-Base” role.
  • I also again added a group for “normal-user” (pointing to “user-base”) and “admin-user”.
  • Logged in with my admin-user and I’m seeing the “local” cluster - so I guess the admin-mapping works.
    • Checking the created “user”, it has the “User-Base” permissions. So theoretically, if this groups stuff did not work, I wouldn’t see the “local” cluster.
  • Logged in with my normal-user - and I do not see the “local” cluster. Even the buttons for creating a cluster are missing - goood!
    • Checking the created “user” it has the “User-Base” permissions.
    • Changed the “normal-user” group to “Standard User” and logged in again
      • didn’t see the “local” cluster, but the “Create” button appeared
      • changed the group back to the initial setting - “Create” button disappeared

This is sooo strange and confusing - this design is imho very broken and should not be like that