Description of problem:
According to the RFC, the uniqueMember LDAP attribute is a full DN path:
http://tools.ietf.org/html/rfc4519#section-2.40

Example:
uniqueMember: uid=username,ou=team,o=example.local

oo-admin-ctl-team however expects this to be a UID only, for example:
uniqueMember: uid=username

Version-Release number of selected component (if applicable):
2.1

How reproducible:
Always

Steps to Reproduce:
1. create group on LDAP server using uniqueMember for groups
2. create a team
3. try to sync users

Actual results:
process fails with error

Getting user: "uid=username,ou=team,o=example.local"
/usr/sbin/oo-admin-ctl-team:412:in `get_user': Could not find an entry matching "username,ou" (Exception)
	from /usr/sbin/oo-admin-ctl-team:381:in `block (2 levels) in get_users_in_group'
	from /usr/sbin/oo-admin-ctl-team:379:in `each'
	from /usr/sbin/oo-admin-ctl-team:379:in `block in get_users_in_group'
	from /usr/sbin/oo-admin-ctl-team:369:in `each'
	from /usr/sbin/oo-admin-ctl-team:369:in `get_users_in_group'
	from /usr/sbin/oo-admin-ctl-team:228:in `block in sync_to_file'
	from /usr/sbin/oo-admin-ctl-team:227:in `each'
	from /usr/sbin/oo-admin-ctl-team:227:in `sync_to_file'
	from /usr/sbin/oo-admin-ctl-team:521:in `<main>'

Expected results:
users imported successfully

Additional info:
get_user function splits the value using separator "=" and uses only the second value of the resulting array, which is not correct:

def get_user(user_id)
  puts "Getting user: \"#{user_id}\""
  # Keeps element [1] of the "="-split only; for a full DN this yields
  # "username,ou" instead of "username" (the defect reported here).
  user_id = user_id.split("=")[1] if user_id.include? "="
  base = @ldap_config["Get-User"]["Base"]
  filter = Net::LDAP::Filter.construct(@ldap_config["Get-User"]["Filter"].gsub("<user_id>", user_id))
  attributes = @ldap_config["Get-User"]["Attributes"]
  entries = @ldap.search(:base => base, :filter => filter, :attributes => attributes)
  raise Exception.new("Could not find an entry matching \"#{user_id}\"") if entries.count < 1
  raise Exception.new("Found more than one entry matching \"#{user_id}\"") if entries.count > 1
  entry = entries.first
  puts "Found user dn:\"#{entry.dn}\""
  return entry[@ldap_config["Openshift-Username"]].first
end
Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/512e3eb7cfb4b208dd888e363b49989187bde2b0
Support full DNs in LDAP group members

Split first using commas. Assumes there's no ',' or '=' in the uid.

Bug 1165775 oo-admin-ctl-team does not parse uniqueMember LDAP ...
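The three parsing strategies discussed in this bug, side by side, as an added Ruby example (not code from the bug report, from oo-admin-ctl-team, or from the origin-server commit): the original split on "=", the committed fix that splits on "," first, and a stricter RDN parser that goes one step beyond the commit by honouring RFC 4514 escaping, the very case ("no ',' or '=' in the uid") the commit message assumes away. The function names naive_uid, fixed_uid and rdn_uid and the sample values are constructed for the example; the zzhao DN mirrors the one in the verification steps.

```ruby
# Added example: extracting a uid from a uniqueMember value three ways.

# Original behaviour described in the report: split on "=" and keep
# element [1]. For a full DN this yields "zzhao,ou", the exact string
# seen in the "Could not find an entry matching" error.
def naive_uid(value)
  value.include?("=") ? value.split("=")[1] : value
end

# Behaviour after the committed fix: drop everything after the first
# comma, then take the value side of "attr=value". Correct as long as
# the uid itself contains neither "," nor "=" (the commit's assumption).
def fixed_uid(value)
  value = value.split(",")[0] if value.include?(",")
  value = value.split("=")[1] if value.include?("=")
  value
end

# First RDN of a DN: an attribute type, "=", then a value in which a
# backslash escapes the following character, so an escaped "\," does
# not terminate the RDN (RFC 4514 string representation).
FIRST_RDN = /\A\s*([A-Za-z][A-Za-z0-9-]*)\s*=((?:\\.|[^,\\])*)/

# Undo RFC 4514 escaping: "\2C" (hex pair) or "\," (escaped char).
def unescape_dn_value(raw)
  raw.gsub(/\\(\h\h|.)/) { |m| m.length == 3 ? m[1, 2].hex.chr : m[1] }
end

# Stricter version: parse the first RDN properly, insist that it really
# is a uid, and unescape the value. A bare value with no "=" at all is
# returned unchanged, matching the input shape the tool first expected.
def rdn_uid(value)
  m = FIRST_RDN.match(value)
  return value if m.nil? && !value.include?("=")
  raise ArgumentError, "cannot parse RDN in #{value.inspect}" if m.nil?
  attr, raw = m[1], m[2]
  unless attr.casecmp?("uid")
    raise ArgumentError, "expected a uid RDN, got #{attr.inspect} in #{value.inspect}"
  end
  unescape_dn_value(raw)
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample, same shape as the uniqueMember in the LDIF below.
  sample = "uid=zzhao,ou=People,dc=my-domain,dc=com"
  puts "naive: #{naive_uid(sample).inspect}"   # "zzhao,ou"
  puts "fixed: #{fixed_uid(sample).inspect}"   # "zzhao"
  puts "rdn:   #{rdn_uid(sample).inspect}"     # "zzhao"
  # Where the fix's assumption breaks: an escaped comma inside the value.
  tricky = "uid=Doe\\, John,ou=People,dc=example,dc=com"
  puts "fixed: #{fixed_uid(tricky).inspect}"   # "Doe\\"
  puts "rdn:   #{rdn_uid(tricky).inspect}"     # "Doe, John"
end
```

rdn_uid also rejects a member value whose first RDN is not a uid (for instance a nested group's cn=... DN) instead of silently feeding a wrong value into the Get-User filter, which is the safer failure mode when the lookup result decides who gets added to a team.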
Check on puddle [2.2.z/2014-12-08.1]

1. add group and member

cat >member.ldif <<EOF
dn: cn=group1,ou=Groups,dc=my-domain,dc=com
objectclass: groupOfUniqueNames
cn: group1
uniqueMember: uid=zzhao,ou=People,dc=my-domain,dc=com

dn: uid=zzhao,ou=People,dc=my-domain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: Firstname Lastname
uid: zzhao
uidNumber: 3001
gidNumber: 3001
homeDirectory: /home/adminhomedir
loginShell: /bin/bash
userPassword: 214214
EOF
# ldapadd -x -D "cn=Manager,dc=my-domain,dc=com" -W -f member.ldif

2. Create one config.yml in /usr/local/tmp on broker

cat >config.yml <<EOF
Host: ec2-54-83-240-44.compute-1.amazonaws.com # change to your LDAP instance
Port: 636
Encryption: true
#Username: cn=Manager,dc=my-domain,dc=com
#Password: redhat
Get-Group:
  Base: dc=my-domain,dc=com
  Filter: (cn=<group_cn>)
Get-Group-Users:
  Base: <group_dn>
  Attributes: [uniqueMember]
Get-User:
  Base: dc=my-domain,dc=com
  Filter: (uid=<user_id>)
  Attributes: [uid]
Openshift-Username: uid
EOF

3. reproduce this issue

# vim /usr/sbin/oo-admin-ctl-team
431 #user_id = user_id.split(",")[0] if user_id.include? ","

# oo-admin-ctl-team -c create --groups "group1" --config-file config.yml
# oo-admin-ctl-team -c sync --create-new-users --config-file config.yml
/usr/sbin/oo-admin-ctl-team:437:in `get_user': Could not find an entry matching "zzhao,ou" (Exception)
	from /usr/sbin/oo-admin-ctl-team:405:in `block (2 levels) in get_users_in_group'

4. check new feature

# vim /usr/sbin/oo-admin-ctl-team
431 user_id = user_id.split(",")[0] if user_id.include? ","

# oo-admin-ctl-team -c sync --create-new-users --config-file config.yml
Getting users in group: "cn=group1,ou=Groups,dc=my-domain,dc=com"
Getting user: "uid=zzhao,ou=People,dc=my-domain,dc=com"
Found user dn:"uid=zzhao,ou=People,dc=my-domain,dc=com"
Found users: ["zzhao"]
Adding new user: "zzhao"

It works, so move it to VERIFIED.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0019.html