Hi James,

You need to add a new parameter to your LDAP config in the scalr-server.rb file: *group_displayname_attribute*, which should be equal to the name of the attribute that holds the group name on AD.

Regards,
Igor

On 25 October 2016 at 08:32, James Smith <[email protected]> wrote:
>
> 1. Trying to add the "sales" group to an environment that already
> includes "devops" and "devs":
> 2.
> 3. X-Scalr-Debug:
> [{"var":"Array\n(\n [devops] => \n [devs] => \n [sales] => \n)\n"},{"var":"Array\n(\n [0] => devops\n [1] => devs\n [2] => sales\n)\n"}]
>
> Error message Team 'devops' is not found on the directory server
>
> On Tuesday, October 25, 2016 at 9:49:57 AM UTC-5, Vitaliy Demidov wrote:
>>
>> Hi James,
>> If you add these two lines just after invoking
>> $ldapGroups = $ldap->getGroupsDetails($teams);
>> you'll be able to see in Browser's Developer Tools (response headers)
>> what it actually receives from LDAP.
>>
>> $this->response->varDump($ldapGroups);
>> $this->response->varDump($teams);
>>
>> Please provide me with the output.
>>
>> Vitaliy.
>>
>>
>> On Tue, Oct 25, 2016 at 4:34 PM, James Smith <[email protected]> wrote:
>>
>>> I'm attaching the relevant portion of my scalr-server.rb configuration
>>> file, in the hopes that someone can point me in the right direction. I
>>> followed the "Enabling LDAP Authentication" document on the scalr wiki,
>>> including "API Key authentication when using LDAP" which talks about adding
>>> scalr.connections.ldap.user and scalr.connections.ldap.pass. Incidentally,
>>> the description of ldap.user in the Advanced Configuration document on the
>>> wiki says "... if you intend to use APIv1 with LDAP auth", no mention of
>>> APIv2. But I can confirm that APIv2 throws an error if those config
>>> parameters aren't included.
>>>
>>> I want to reiterate, based on Vitaliy's response above - my environments
>>> are set up and tied into LDAP correctly. I didn't have any issues setting
>>> up LDAP-based authentication, or adding LDAP groups to the "Accessible by
>>> LDAP groups" field in the environment configuration - until I enabled APIv2
>>> and added ldap.user and ldap.pass. Even with APIv2 enabled and ldap.user &
>>> ldap.pass configured, there are no issues with authentication or access for
>>> *existing* groups in *existing* environments. I just can't make any
>>> changes to existing environments, create new environments with any LDAP
>>> group access, etc unless I comment out ldap.user & ldap.pass and
>>> reconfigure first. Obviously I can work around this issue, but I don't want
>>> to disable API access every time I need to create a new environment or
>>> configure access.
>>>
>>> app[:configuration] = {
>>>   "scalr" => {
>>>     "system" => {
>>>       "api" => {
>>>         "enabled" => true,
>>>         "allowed_origins" => "*"
>>>       },
>>>     },
>>>     # Tells Scalr to use LDAP for authentication
>>>     "auth_mode" => "ldap",
>>>
>>>     "connections" => {
>>>       "ldap" => {
>>>         # Tells Scalr what LDAP server to connect to
>>>         "bind_type" => "openldap",
>>>         "host" => "ldaps://ipa.example.com",
>>>         "port" => "636",
>>>         "fullname_attribute" => "cn",
>>>         "mail_attribute" => "mail",
>>>         "domain" => "example.com",
>>>         "user" => "scalr-api",
>>>         "pass" => "***REDACTED***",
>>>
>>>         # Tells Scalr where to look for users and groups
>>>         "base_dn" => "cn=users,cn=accounts,dc=example,dc=com",
>>>         "base_dn_groups" => "cn=groups,cn=accounts,dc=example,dc=com",
>>>
>>>         # Tells Scalr what attributes to look at
>>>         "username_attribute" => "uid",
>>>         "groupname_attribute" => "cn",
>>>
>>>         # Tells Scalr how group membership is represented
>>>         "group_member_attribute_type" => "user_dn",
>>>
>>>         # Tells Scalr to use filters to speed up queries
>>>         "filter" => {
>>>           "users" => "(objectClass=person)",
>>>           "groups" => "(objectClass=groupofnames)",
>>>         },
>>>
>>>         # Uncomment for debug output if you can't login
>>>         #:debug => 1,
>>>       }
>>>     }
>>>   }
>>> }
>>>
>>>
>>> The scalr-api user has read-only access to the entire LDAP server - I
>>> wanted to use a service account by passing the full DN to ldap.user, but it
>>> seemed to require a uid in the base_dn.

--
You received this message because you are subscribed to the Google Groups "scalr-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
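
Igor's reply depends on knowing which attribute on the group entries actually holds the group name. The following is an added example, not code from the thread or from Scalr: it parses an LDIF export of the groups subtree and lists the groups that have no value for a candidate attribute. The function names `parse_ldif` and `groups_missing` are hypothetical, and the sample LDIF is constructed.

```python
import base64

# Constructed sample (not from the thread): group entries in LDIF form under
# the thread's base_dn_groups. Names and attribute values are invented.
SAMPLE_LDIF = """\
dn: cn=devops,cn=groups,cn=accounts,dc=example,dc=com
objectClass: groupofnames
cn: devops

dn: cn=devs,cn=groups,cn=accounts,dc=example,dc=com
objectClass: groupofnames
cn: devs
displayName:: RGV2ZWxvcGVycw==

dn: cn=sales,cn=groups,cn=accounts,dc=example,dc=com
objectClass: groupofnames
cn: sales
description: Sales
  and pre-sales
"""


def parse_ldif(text):
    """Return entries as dicts of lower-cased attribute name -> list of values."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # RFC 2849 folded line
        elif raw.startswith("#"):
            continue                          # LDIF comment
        elif raw.strip():
            lines.append(raw)
        elif lines:                           # blank line closes the entry
            entry = {}
            for line in lines:
                name, _, value = line.partition(":")
                if value.startswith(":"):     # "attr:: <base64 value>"
                    value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
                entry.setdefault(name.strip().lower(), []).append(value.strip())
            entries.append(entry)
            lines = []
    return entries


def groups_missing(text, attribute):
    """DNs of entries with no non-empty value for the (case-insensitive) attribute."""
    attr = attribute.lower()
    return [e["dn"][0] for e in parse_ldif(text)
            if "dn" in e and not any(e.get(attr, []))]
```

An empty result for a candidate attribute means every exported group carries a value for it; any DN returned is a group that attribute cannot name.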
