OpenLDAP Access Control

Testing OpenLDAP with rancher. But haven’t been able to get the groups working. Not the most familiar with LDAP. So I think the issue is how I’m filtering for groups. Below are some example ldapsearch commands and output I’ve been using to try to configure with. And my config settings. Anyone have an idea of what I am doing wrong?

Groups/Roles

ldapsearch -H ldaps://ldap.us.onelogin.com:636 -D "cn=ops-team@company.co,ou=users,dc=company,dc=onelogin,dc=com" -b "cn=coolguys,cn=groups,dc=company,dc=onelogin,dc=com"
# coolguys, roles, company.onelogin.com
dn: cn=coolguys, cn=roles, dc=company, dc=onelogin, dc=com
cn: coolguys
objectClass: groupOfNames
member: cn=person1@company.co,ou=users,dc=company,dc=onel1ogin,dc=com
member: cn=person2@company.co,ou=users,dc=company,dc=onelogin,dc=com
member: cn=person3@company.co,ou=users,dc=company,dc=onelogin,dc=com

Users

ldapsearch -H ldaps://ldap.us.onelogin.com:636 -D "cn=ops-team@company.co,ou=users,dc=company,dc=onelogin,dc=com" -b "ou=users,dc=company,dc=onelogin,dc=com"
# ops-team@company.co, users, company.onelogin.com
dn: cn=ops-team@company.co, ou=users, dc=company, dc=onelogin, dc=com
username: ops-team
loginShell: /bin/bash
homeDirectory: /Users/ops-team@company.co
cn: ops-team@company.co
mail: ops-team@company.co
givenName: SVC
uid: 31812504
surname: OPS-TEAM
objectClass: top
objectClass: inetOrgPerson
objectClass: ldapsubentry
objectClass: subentry
name: SVC OPS-TEAM
uidNumber: 31812504
samaccountname:
gidNumber: 99419

So first a couple of suggestions: Did you try with the defaults for Group Member User Attribute and Group DN field which was entryDN. I just left the defaults and the groups worked for me. Also do your individual users have a memberof attribute with the group?

Second, when you say you haven’t been able to get groups working, what exactly are you saying? Are you trying to login as a group, or after you authenticate, you can’t add or see groups in the drop-down?

I did try with the defaults. But I don’t remember exactly when I tested. I’ll give it another shot.

Yes, so I login, and then go to add a group to an environment and there’s no groups.

And the answer is no. The defaults for the groups don’t work. I’m able to login but not see any groups.

Another couple of things:

  1. The only groups you will see in the drop-down are groups that you are a part of. So whoever you are logged in as has to have the “memberof” attribute set for that group. But even if you are not a member of that group, you should still be able to add them and users should be able to log in (can you add them and can users log in?)
  2. If your user is member of that group, but doesn’t have the “memberof” attribute set, then there is a current issue with that, it will be fixed in 1.4.
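The two points above come down to referential consistency in the directory: every DN listed in a group's member attribute should resolve to a user entry, and that user should carry a memberOf back-link to the group. The following checker is an added example, not code from the thread or from Rancher; it parses ldapsearch-style LDIF output (constructed here, with a placeholder domain) and reports members that don't resolve and users that lack the back-link, which is exactly the situation the reply describes.

```python
"""Check groupOfNames 'member' values against user 'memberOf' back-links.

Added example for the thread above, not code from the thread or Rancher.
Input is LDIF as printed by ldapsearch; the sample below is constructed
(placeholder domain) and mirrors the structure shown in the thread.
"""

from collections import defaultdict

# Constructed sample: one group with three members, two user entries.
# person2 lacks memberOf; person3's member DN has a misspelled domain
# component so it resolves to nothing (modelled on a typo in the thread).
SAMPLE_LDIF = """\
# coolguys, roles, example.com
dn: cn=coolguys, cn=roles, dc=example, dc=com
cn: coolguys
objectClass: groupOfNames
member: cn=person1@example.com,ou=users,dc=example,dc=com
member: cn=person2@example.com,ou=users,dc=example,dc=com
member: cn=person3@example.com,ou=users,dc=exmaple,dc=com

dn: cn=person1@example.com,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
cn: person1@example.com
memberOf: cn=coolguys,cn=roles,dc=example,dc=com

dn: cn=person2@example.com,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
cn: person2@example.com
"""


def normalize_dn(dn):
    """Lower-case the DN and drop whitespace around commas.

    ldapsearch prints 'cn=a, dc=b' while attribute values usually read
    'cn=a,dc=b'; both name the same entry, so compare them normalized.
    """
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Return {normalized_dn: {attr_lower: [values]}} for each LDIF entry.

    Handles comment lines, folded continuation lines and multi-valued
    attributes. Base64 values ('attr:: ...') are out of scope here.
    """
    entries = {}
    current = defaultdict(list)
    last_attr = None
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if raw.startswith("#"):
            continue  # ldapsearch comment line
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]  # folded continuation line
            continue
        if not raw.strip():
            if current.get("dn"):
                entries[normalize_dn(current["dn"][0])] = dict(current)
            current, last_attr = defaultdict(list), None
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        current[attr].append(value.strip())
        last_attr = attr
    return entries


def check_group_backlinks(entries):
    """For every groupOfNames entry, report members that do not resolve to an
    entry in the export ('missing_user') and members whose entry has no
    memberOf value naming the group ('missing_memberof')."""
    findings = {"missing_user": [], "missing_memberof": []}
    for group_dn, attrs in entries.items():
        classes = {v.lower() for v in attrs.get("objectclass", [])}
        if "groupofnames" not in classes:
            continue
        for member in attrs.get("member", []):
            member_dn = normalize_dn(member)
            user = entries.get(member_dn)
            if user is None:
                findings["missing_user"].append((group_dn, member_dn))
                continue
            backlinks = {normalize_dn(v) for v in user.get("memberof", [])}
            if group_dn not in backlinks:
                findings["missing_memberof"].append((group_dn, member_dn))
    return findings


if __name__ == "__main__":
    result = check_group_backlinks(parse_ldif(SAMPLE_LDIF))
    for kind, pairs in result.items():
        for group_dn, member_dn in pairs:
            print(f"{kind}: {member_dn} (group {group_dn})")
```

To run it against a real export, replace SAMPLE_LDIF with the combined output of an ldapsearch over the group base and one over the user base, so that both the group entries and the user entries are present in the same text; a member that shows up under missing_user after that is either a typo in the group or a user outside the searched base.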

I’ve still unfortunately not had a lot of luck with this. I am admittedly not the best with ldap. Can I get an explanation for what rancher is looking for with:

Group Member User Attribute
Group DN Field

It would also be helpful if anyone had some example ldapsearches (or links to them in the docs somewhere, haven’t personally seen any), that we could use to validate we even have the data structured right.

Update:

For fun I went back to an older version (v1.1.3) because I saw some posts that sound like some changes broke some things.

And our settings and groups do correctly show up in 1.1.3. But not anything newer it seems.

Moar Updates:

Here I am messing around with things. And I see a new tag uploaded to docker hub (v1.4.0-rc3). And this fixes my issues.

@dishcandanty - Yes we fixed the memberof missing attribute for 1.4.0, glad that was the issue and it is now resolved.