Trying to add the "sales" group to an environment that already includes "devops" and "devs":

X-Scalr-Debug: [{"var":"Array\n(\n [devops] => \n [devs] => \n [sales] => \n)\n"},{"var":"Array\n(\n [0] => devops\n [1] => devs\n [2] => sales\n)\n"}]

Error message: Team 'devops' is not found on the directory server

On Tuesday, October 25, 2016 at 9:49:57 AM UTC-5, Vitaliy Demidov wrote:
>
> Hi James,
> If you add these two lines just after invoking
> $ldapGroups = $ldap->getGroupsDetails($teams);
> you'll be able to see in Browser's Developer Tools (response headers) what
> it actually receives from LDAP.
>
> $this->response->varDump($ldapGroups);
> $this->response->varDump($teams);
>
> Please provide me with the output.
>
> Vitaliy.
>
>
> On Tue, Oct 25, 2016 at 4:34 PM, James Smith <[email protected]> wrote:
>
>> I'm attaching the relevant portion of my scalr-server.rb configuration
>> file, in the hopes that someone can point me in the right direction. I
>> followed the "Enabling LDAP Authentication" document on the scalr wiki,
>> including "API Key authentication when using LDAP" which talks about adding
>> scalr.connections.ldap.user and scalr.connections.ldap.pass. Incidentally,
>> the description of ldap.user in the Advanced Configuration document on the
>> wiki says "... if you intend to use APIv1 with LDAP auth", no mention of
>> APIv2. But I can confirm that APIv2 throws an error if those config
>> parameters aren't included.
>>
>> I want to reiterate, based on Vitaliy's response above - my environments
>> are set up and tied into LDAP correctly. I didn't have any issues setting
>> up LDAP-based authentication, or adding LDAP groups to the "Accessible by
>> LDAP groups" field in the environment configuration - until I enabled APIv2
>> and added ldap.user and ldap.pass. Even with APIv2 enabled and ldap.user &
>> ldap.pass configured, there are no issues with authentication or access for
>> *existing* groups in *existing* environments. I just can't make any
>> changes to existing environments, create new environments with any LDAP
>> group access, etc unless I comment out ldap.user & ldap.pass and
>> reconfigure first. Obviously I can work around this issue, but I don't want
>> to disable API access every time I need to create a new environment or
>> configure access.
>>
>> app[:configuration] = {
>>   "scalr" => {
>>     "system" => {
>>       "api" => {
>>         "enabled" => true,
>>         "allowed_origins" => "*"
>>       },
>>     },
>>     # Tells Scalr to use LDAP for authentication
>>     "auth_mode" => "ldap",
>>
>>     "connections" => {
>>       "ldap" => {
>>         # Tells Scalr what LDAP server to connect to
>>         "bind_type" => "openldap",
>>         "host" => "ldaps://ipa.example.com",
>>         "port" => "636",
>>         "fullname_attribute" => "cn",
>>         "mail_attribute" => "mail",
>>         "domain" => "example.com",
>>         "user" => "scalr-api",
>>         "pass" => "***REDACTED***",
>>
>>         # Tells Scalr where to look for users and groups
>>         "base_dn" => "cn=users,cn=accounts,dc=example,dc=com",
>>         "base_dn_groups" => "cn=groups,cn=accounts,dc=example,dc=com",
>>
>>         # Tells Scalr what attributes to look at
>>         "username_attribute" => "uid",
>>         "groupname_attribute" => "cn",
>>
>>         # Tells Scalr how group membership is represented
>>         "group_member_attribute_type" => "user_dn",
>>
>>         # Tells Scalr to use filters to speed up queries
>>         "filter" => {
>>           "users" => "(objectClass=person)",
>>           "groups" => "(objectClass=groupofnames)",
>>         },
>>
>>         # Uncomment for debug output if you can't login
>>         #:debug => 1,
>>       }
>>     }
>>   }
>> }
>>
>>
>> The scalr-api user has read-only access to the entire LDAP server - I
>> wanted to use a service account by passing the full DN to ldap.user, but it
>> seemed to require a uid in the base_dn.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "scalr-discuss" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>