Igor, that worked. Thanks!

On Tuesday, October 25, 2016 at 10:37:04 AM UTC-5, DicsyDel wrote:
>
> Hi James,
>
> You need to add a new parameter to the ldap config in your
> scalr-server.rb file: *group_displayname_attribute*, which should be
> equal to the attribute name with group name on AD.
>
> Regards,
> Igor
>
>
> On 25 October 2016 at 08:32, James Smith <[email protected]> wrote:
>
>> Trying to add the "sales" group to an environment that already
>> includes "devops" and "devs":
>>
>> X-Scalr-Debug: [{"var":"Array\n(\n [devops] => \n [devs] => \n [sales] => \n)\n"},{"var":"Array\n(\n [0] => devops\n [1] => devs\n [2] => sales\n)\n"}]
>>
>> Error message: Team 'devops' is not found on the directory server
>>
>> On Tuesday, October 25, 2016 at 9:49:57 AM UTC-5, Vitaliy Demidov wrote:
>>>
>>> Hi James,
>>> If you add these two lines just after invoking
>>> $ldapGroups = $ldap->getGroupsDetails($teams);
>>> you'll be able to see in Browser's Developer Tools (response headers)
>>> what it actually receives from LDAP.
>>>
>>> $this->response->varDump($ldapGroups);
>>> $this->response->varDump($teams);
>>>
>>> Please provide me with the output.
>>>
>>> Vitaliy.
>>>
>>>
>>> On Tue, Oct 25, 2016 at 4:34 PM, James Smith <[email protected]> wrote:
>>>
>>>> I'm attaching the relevant portion of my scalr-server.rb configuration
>>>> file, in the hopes that someone can point me in the right direction. I
>>>> followed the "Enabling LDAP Authentication" document on the scalr wiki,
>>>> including "API Key authentication when using LDAP" which talks about
>>>> adding scalr.connections.ldap.user and scalr.connections.ldap.pass.
>>>> Incidentally, the description of ldap.user in the Advanced Configuration
>>>> document on the wiki says "... if you intend to use APIv1 with LDAP
>>>> auth", no mention of APIv2. But I can confirm that APIv2 throws an error
>>>> if those config parameters aren't included.
>>>>
>>>> I want to reiterate, based on Vitaliy's response above - my
>>>> environments are set up and tied into LDAP correctly. I didn't have any
>>>> issues setting up LDAP-based authentication, or adding LDAP groups to the
>>>> "Accessible by LDAP groups" field in the environment configuration - until
>>>> I enabled APIv2 and added ldap.user and ldap.pass. Even with APIv2 enabled
>>>> and ldap.user & ldap.pass configured, there are no issues with
>>>> authentication or access for *existing* groups in *existing* environments.
>>>> I just can't make any changes to existing environments, create new
>>>> environments with any LDAP group access, etc. unless I comment out
>>>> ldap.user & ldap.pass and reconfigure first. Obviously I can work around
>>>> this issue, but I don't want to disable API access every time I need to
>>>> create a new environment or configure access.
>>>>
>>>> app[:configuration] = {
>>>>   "scalr" => {
>>>>     "system" => {
>>>>       "api" => {
>>>>         "enabled" => true,
>>>>         "allowed_origins" => "*"
>>>>       },
>>>>     },
>>>>     # Tells Scalr to use LDAP for authentication
>>>>     "auth_mode" => "ldap",
>>>>
>>>>     "connections" => {
>>>>       "ldap" => {
>>>>         # Tells Scalr what LDAP server to connect to
>>>>         "bind_type" => "openldap",
>>>>         "host" => "ldaps://ipa.example.com",
>>>>         "port" => "636",
>>>>         "fullname_attribute" => "cn",
>>>>         "mail_attribute" => "mail",
>>>>         "domain" => "example.com",
>>>>         "user" => "scalr-api",
>>>>         "pass" => "***REDACTED***",
>>>>
>>>>         # Tells Scalr where to look for users and groups
>>>>         "base_dn" => "cn=users,cn=accounts,dc=example,dc=com",
>>>>         "base_dn_groups" => "cn=groups,cn=accounts,dc=example,dc=com",
>>>>
>>>>         # Tells Scalr what attributes to look at
>>>>         "username_attribute" => "uid",
>>>>         "groupname_attribute" => "cn",
>>>>
>>>>         # Tells Scalr how group membership is represented
>>>>         "group_member_attribute_type" => "user_dn",
>>>>
>>>>         # Tells Scalr to use filters to speed up queries
>>>>         "filter" => {
>>>>           "users" => "(objectClass=person)",
>>>>           "groups" => "(objectClass=groupofnames)",
>>>>         },
>>>>
>>>>         # Uncomment for debug output if you can't login
>>>>         #:debug => 1,
>>>>       }
>>>>     }
>>>>   }
>>>> }
>>>>
>>>>
>>>> The scalr-api user has read-only access to the entire LDAP server - I
>>>> wanted to use a service account by passing the full DN to ldap.user, but
>>>> it seemed to require a uid in the base_dn.
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "scalr-discuss" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> For more options, visit https://groups.google.com/d/optout.
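The X-Scalr-Debug header quoted in the thread above can be decoded mechanically to see which requested teams came back from LDAP without details. This is an added example, not code from the thread or from Scalr; it assumes the first dump is $ldapGroups and the second is $teams (the order of the two varDump calls), that both are flat print_r arrays, and that an empty value means no group details were returned.

```python
import json
import re

# Header value as posted in the thread (rejoined across the quoted line wraps).
SAMPLE_HEADER = (
    r'[{"var":"Array\n(\n [devops] => \n [devs] => \n [sales] => \n)\n"},'
    r'{"var":"Array\n(\n [0] => devops\n [1] => devs\n [2] => sales\n)\n"}]'
)

# One "[key] => value" row of a print_r() dump; the value may be empty.
ENTRY = re.compile(r"^\s*\[([^\]]*)\] => ?(.*)$")


def parse_print_r(dump):
    """Parse a flat PHP print_r() array dump into a dict of strings."""
    lines = [ln.strip() for ln in dump.strip().splitlines()]
    if lines[:2] != ["Array", "("] or lines[-1] != ")":
        raise ValueError("not a flat print_r array dump")
    result = {}
    for line in lines[2:-1]:
        match = ENTRY.match(line)
        if not match:
            # Nested arrays or free text are out of scope for this parser.
            raise ValueError(f"unexpected line in dump: {line!r}")
        result[match.group(1)] = match.group(2).strip()
    return result


def unresolved_teams(header_value):
    """Return requested team names whose LDAP details are empty or missing.

    Assumption: dump 0 is $ldapGroups (team name -> details) and dump 1 is
    $teams (index -> team name), matching the varDump order in the thread.
    """
    dumps = [parse_print_r(item["var"]) for item in json.loads(header_value)]
    if len(dumps) != 2:
        raise ValueError("expected two dumps: $ldapGroups, then $teams")
    ldap_groups, teams = dumps
    return [name for name in teams.values() if not ldap_groups.get(name)]


if __name__ == "__main__":
    # For the header in the thread, every requested team has empty details.
    print(unresolved_teams(SAMPLE_HEADER))
```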
