I'm attaching the relevant portion of my scalr-server.rb configuration
file, in the hopes that someone can point me in the right direction. I
followed the "Enabling LDAP Authentication" document on the scalr wiki,
including "API Key authentication when using LDAP" which talks about adding
scalr.connections.ldap.user and scalr.connections.ldap.pass. Incidentally,
the description of ldap.user in the Advanced Configuration document on the
wiki says "... if you intend to use APIv1 with LDAP auth", no mention of
APIv2. But I can confirm that APIv2 throws an error if those config
parameters aren't included.
I want to reiterate, based on Vitaliy's response above - my environments
are set up and tied into LDAP correctly. I didn't have any issues setting
up LDAP-based authentication, or adding LDAP groups to the "Accessible by
LDAP groups" field in the environment configuration - until I enabled APIv2
and added ldap.user and ldap.pass. Even with APIv2 enabled and ldap.user &
ldap.pass configured, there are no issues with authentication or access for
*existing* groups in *existing* environments. I just can't make any changes
to existing environments, create new environments with any LDAP group
access, etc., unless I comment out ldap.user & ldap.pass and reconfigure
first. Obviously I can work around this issue, but I don't want to disable
API access every time I need to create a new environment or configure
access.
app[:configuration] = {
  "scalr" => {
    "system" => {
      "api" => {
        "enabled" => true,
        "allowed_origins" => "*"
      },
    },
    # Tells Scalr to use LDAP for authentication
    "auth_mode" => "ldap",
    "connections" => {
      "ldap" => {
        # Tells Scalr what LDAP server to connect to
        "bind_type" => "openldap",
        "host" => "ldaps://ipa.example.com",
        "port" => "636",
        "fullname_attribute" => "cn",
        "mail_attribute" => "mail",
        "domain" => "example.com",
        "user" => "scalr-api",
        "pass" => "***REDACTED***",
        # Tells Scalr where to look for users and groups
        "base_dn" => "cn=users,cn=accounts,dc=example,dc=com",
        "base_dn_groups" => "cn=groups,cn=accounts,dc=example,dc=com",
        # Tells Scalr what attributes to look at
        "username_attribute" => "uid",
        "groupname_attribute" => "cn",
        # Tells Scalr how group membership is represented
        "group_member_attribute_type" => "user_dn",
        # Tells Scalr to use filters to speed up queries
        "filter" => {
          "users" => "(objectClass=person)",
          "groups" => "(objectClass=groupofnames)",
        },
        # Uncomment for debug output if you can't login
        #:debug => 1,
      }
    }
  }
}
The scalr-api user has read-only access to the entire LDAP server - I
wanted to use a service account by passing the full DN to ldap.user, but it
seemed to require a uid in the base_dn.
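For anyone checking what the settings in the post above turn into on the wire, here is an added example; it is not Scalr's code, and the way Scalr itself composes these values from scalr-server.rb is an assumption. It derives the bind DN for ldap.user from username_attribute and base_dn (which is why a bare uid rather than a full DN fits the config as posted), builds the user lookup from filter.users, and builds the group-membership lookup from filter.groups and base_dn_groups, using the groupOfNames `member` attribute since group_member_attribute_type is user_dn. Both lookups apply RFC 4515 escaping so a login name cannot inject extra filter terms, and the DN composition applies RFC 4514 escaping. The `LDAP` dict is constructed from the posted values.

```python
"""Compose the bind DN and LDAP queries implied by a Scalr-style LDAP config.

Added example, not Scalr's own code: how Scalr actually assembles these
strings from scalr-server.rb is an assumption. Runs offline; it only builds
the strings you would pass to ldapsearch or an LDAP client.
"""

# Constructed from the values in the post above.
LDAP = {
    "base_dn": "cn=users,cn=accounts,dc=example,dc=com",
    "base_dn_groups": "cn=groups,cn=accounts,dc=example,dc=com",
    "username_attribute": "uid",
    "groupname_attribute": "cn",
    "group_member_attribute_type": "user_dn",
    "user": "scalr-api",
    "filter": {
        "users": "(objectClass=person)",
        "groups": "(objectClass=groupofnames)",
    },
}

_DN_SPECIAL = set(',+"\\<>;=')


def escape_filter(value: str) -> str:
    """RFC 4515: encode \\ * ( ) and NUL as \\XX so user input cannot
    add or rewrite filter terms."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def escape_dn_value(value: str) -> str:
    """RFC 4514: escape characters that would otherwise split or
    terminate an RDN value inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def bind_dn(cfg: dict, name: str) -> str:
    """Bind DN for a bare account name: <username_attribute>=<name>,<base_dn>.
    This is the composition a bare 'scalr-api' in ldap.user implies."""
    return "%s=%s,%s" % (
        cfg["username_attribute"], escape_dn_value(name), cfg["base_dn"]
    )


def user_search(cfg: dict, login: str) -> tuple:
    """(base, filter) for resolving a login name to a user entry."""
    flt = "(&%s(%s=%s))" % (
        cfg["filter"]["users"], cfg["username_attribute"], escape_filter(login)
    )
    return cfg["base_dn"], flt


def group_search(cfg: dict, user_dn: str) -> tuple:
    """(base, filter) for listing the groups a user DN belongs to.
    groupOfNames stores members as full DNs in 'member', which matches
    group_member_attribute_type = user_dn."""
    if cfg["group_member_attribute_type"] != "user_dn":
        raise ValueError("example only handles group_member_attribute_type = user_dn")
    flt = "(&%s(member=%s))" % (cfg["filter"]["groups"], escape_filter(user_dn))
    return cfg["base_dn_groups"], flt


def describe(cfg: dict, login: str) -> dict:
    """All three strings for one login, for pasting into ldapsearch -D/-b/filter."""
    base, user_flt = user_search(cfg, login)
    user_dn = bind_dn(cfg, login)  # assumes the entry's RDN is the login uid
    gbase, group_flt = group_search(cfg, user_dn)
    return {
        "service_bind_dn": bind_dn(cfg, cfg["user"]),
        "user_base": base, "user_filter": user_flt,
        "group_base": gbase, "group_filter": group_flt,
    }


if __name__ == "__main__":
    for k, v in describe(LDAP, "jdoe").items():
        print("%-16s %s" % (k, v))
```

The escaping matters beyond neatness: with the posted filters, an unescaped login of `jdoe)(uid=*` would widen `(&(objectClass=person)(uid=...))` into a match on every person; `escape_filter` turns it into a literal that matches nothing.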