Hi James,

If you add these two lines just after invoking

    $ldapGroups = $ldap->getGroupsDetails($teams);

you'll be able to see in the browser's Developer Tools (response headers) what it actually receives from LDAP.

    $this->response->varDump($ldapGroups);
    $this->response->varDump($teams);

Please provide me with the output.

Vitaliy.

On Tue, Oct 25, 2016 at 4:34 PM, James Smith <[email protected]> wrote:
> I'm attaching the relevant portion of my scalr-server.rb configuration
> file, in the hopes that someone can point me in the right direction. I
> followed the "Enabling LDAP Authentication" document on the scalr wiki,
> including "API Key authentication when using LDAP" which talks about adding
> scalr.connections.ldap.user and scalr.connections.ldap.pass. Incidentally,
> the description of ldap.user in the Advanced Configuration document on the
> wiki says "... if you intend to use APIv1 with LDAP auth", no mention of
> APIv2. But I can confirm that APIv2 throws an error if those config
> parameters aren't included.
>
> I want to reiterate, based on Vitaliy's response above - my environments
> are set up and tied into LDAP correctly. I didn't have any issues setting
> up LDAP-based authentication, or adding LDAP groups to the "Accessible by
> LDAP groups" field in the environment configuration - until I enabled APIv2
> and added ldap.user and ldap.pass. Even with APIv2 enabled and ldap.user &
> ldap.pass configured, there are no issues with authentication or access for
> *existing* groups in *existing* environments. I just can't make any
> changes to existing environments, create new environments with any LDAP
> group access, etc. unless I comment out ldap.user & ldap.pass and
> reconfigure first. Obviously I can work around this issue, but I don't want
> to disable API access every time I need to create a new environment or
> configure access.
>
> app[:configuration] = {
>   "scalr" => {
>     "system" => {
>       "api" => {
>         "enabled" => true,
>         "allowed_origins" => "*"
>       },
>     },
>     # Tells Scalr to use LDAP for authentication
>     "auth_mode" => "ldap",
>
>     "connections" => {
>       "ldap" => {
>         # Tells Scalr what LDAP server to connect to
>         "bind_type" => "openldap",
>         "host" => "ldaps://ipa.example.com",
>         "port" => "636",
>         "fullname_attribute" => "cn",
>         "mail_attribute" => "mail",
>         "domain" => "example.com",
>         "user" => "scalr-api",
>         "pass" => "***REDACTED***",
>
>         # Tells Scalr where to look for users and groups
>         "base_dn" => "cn=users,cn=accounts,dc=example,dc=com",
>         "base_dn_groups" => "cn=groups,cn=accounts,dc=example,dc=com",
>
>         # Tells Scalr what attributes to look at
>         "username_attribute" => "uid",
>         "groupname_attribute" => "cn",
>
>         # Tells Scalr how group membership is represented
>         "group_member_attribute_type" => "user_dn",
>
>         # Tells Scalr to use filters to speed up queries
>         "filter" => {
>           "users" => "(objectClass=person)",
>           "groups" => "(objectClass=groupofnames)",
>         },
>
>         # Uncomment for debug output if you can't login
>         #:debug => 1,
>       }
>     }
>   }
> }
>
> The scalr-api user has read-only access to the entire LDAP server - I
> wanted to use a service account by passing the full DN to ldap.user, but it
> seemed to require a uid in the base_dn.
>
> --
> You received this message because you are subscribed to the Google Groups
> "scalr-discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
