
LDAP authorization group acquisition failure

Question asked by John Crockett on Oct 27, 2015
Latest reply on Dec 3, 2015 by John Crockett

This is for HCS version 8.2 running on RHEL 7.0 (Maipo) with straight up openLDAP (no AD at all).

I know what the problem is, I just don't know how to fix it or if it's even possible, so perhaps this should be a bug fix or feature request, but I thought I'd throw it out here first.

As you can see below in the hcmds64checkauth output, group acquisition is failing. I do see the domain listed under the group folder in "users and permissions"; however, when I click add group and enter the DN for the group and click "Check DN" it says "The specified Distinguished Name could not be found." I dug into the logs on the LDAP server and see the following LDAP search query that hcmds64checkauth generated:

[26/Oct/2015:15:32:01 -0700] conn=2004492 op=1 SRCH base="cn=SST,ou=Groups,o=adbe" scope=0 filter="(objectClass=group)" attrs=ALL

The problem is in the filter section of the query...

Here is an LDIF dump of the SST group:

dn: cn=SST,ou=Groups,o=#####
objectClass: groupOfUniqueNames
objectClass: posixGroup
objectClass: top
cn: SST
gidNumber: 65180

The objectClass value is "posixGroup" for the SST group and the filter is looking for "group", thus the query returns nothing. Is there a way to alter the LDAP query filter to accommodate this?

I'll also note that authentication works just fine (as seen below); it's just the authorization bit that's hanging me up.


# ./hcmds64checkauth
KAPM09100-I Enter a value for the option. (option name = user)
######

KAPM09100-I Enter a value for the option. (option name = pass)
**********

KAPM15003-I The configuration check of Phase1 will now start.
type : ldap
server : ldap3.da2.#####.net
KAPM15227-I Group linkage is enabled.
KAPM15004-I The result of the configuration check of Phase1 was normal.
KAPM15003-I The configuration check of Phase2 will now start.
KAPM15006-I The configuration of the server ldap3.da2.#####.net will now be checked.
KAPM15007-I The result of the configuration check of the server ldap3.da2.#####.net was normal.
KAPM15004-I The result of the configuration check of Phase2 was normal.
KAPM15003-I The configuration check of Phase3 will now start.
KAPM15010-I The connection to the server ldap3.da2.#####.net will now be checked. (host = ldap3.da2.#####.net, port = 389, protocol = ldap)
KAPM15011-I The server ldap3.da2.#####.net can be connected to normally.
KAPM15004-I The result of the configuration check of Phase3 was normal.
KAPM15003-I The configuration check of Phase4 will now start.
KAPM15229-I Group acquisition for the server will now be checked. (server name = ldap3.da2.#####.net, host = ldap3.da2.#####.net, port = 389, protocol = ldap)
KAPM15231-E Group acquisition failed.
KAPM15005-E The result of the configuration check of Phase4 was abnormal.
KAPM15238-E Group acquisition failed. (server name = ldap3.da2.#####.net)

Content of exauth.properties:

auth.server.type=ldap
auth.server.name=ldap3.da2.#####.net
auth.group.mapping=true
auth.ldap.ldap3.da2.#####.net.protocol=ldap
auth.ldap.ldap3.da2.#####.net.host=ldap3.da2.#####.net
auth.ldap.ldap3.da2.#####.net.port=389
auth.ldap.ldap3.da2.#####.net.timeout=15
auth.ldap.ldap3.da2.#####.net.attr=cn
auth.ldap.ldap3.da2.#####.net.basedn=ou=Users,o=####
auth.ldap.ldap3.da2.#####.net.retry.interval=1
auth.ldap.ldap3.da2.#####.net.retry.times=20
auth.ldap.ldap3.da2.#####.net.domain.name=#####.net
auth.ldap.ldap3.da2.#####.net.dns_lookup=true
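To make the objectClass mismatch concrete, here is an added example (not from the original post, from HCS or from openLDAP) that evaluates LDAP search filters against the SST entry from the LDIF dump above: the filter hcmds64checkauth sends, (objectClass=group), matches nothing, while a filter that also accepts posixGroup does. The evaluator covers only the simple &, |, !, equality and presence forms of RFC 4515; the LDIF text is reconstructed from the post with the base DN placeholder kept.

```python
# Constructed from the LDIF dump in the post; the base DN placeholder is kept.
SST_LDIF = """dn: cn=SST,ou=Groups,o=#####
objectClass: groupOfUniqueNames
objectClass: posixGroup
objectClass: top
cn: SST
gidNumber: 65180
"""

def parse_ldif(text):
    """Parse one LDIF entry into {attribute_lowercase: [values]} (no folding/base64)."""
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def parse_filter(s, pos=0):
    """Parse (&...), (|...), (!...) and (attr=value); returns (node, next_pos)."""
    if s[pos] != "(":
        raise ValueError("filter component must start with '('")
    pos += 1
    if s[pos] in "&|!":
        op, pos, kids = s[pos], pos + 1, []
        while s[pos] == "(":
            node, pos = parse_filter(s, pos)
            kids.append(node)
        return (op, kids), pos + 1                 # skip the closing ')'
    end = s.index(")", pos)
    attr, _, value = s[pos:end].partition("=")
    return ("=", attr.strip().lower(), value.strip()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against a parsed entry; equality is case-insensitive."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    if value == "*":                               # presence filter, e.g. (gidNumber=*)
        return attr in entry
    return any(v.lower() == value.lower() for v in entry.get(attr, []))

def search_matches(filter_str, ldif_text=SST_LDIF):
    """True if a base-scope search with this filter would return the entry."""
    node, _ = parse_filter(filter_str.strip())
    return matches(node, parse_ldif(ldif_text))
```

search_matches("(objectClass=group)") returns False for this entry, while search_matches("(|(objectClass=group)(objectClass=posixGroup))") returns True, which is the difference between the query in the server log and one that would find the group.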
