rancher: ActiveDirectory Authentication/Site Access Settings Broken

What kind of request is this (question/bug/enhancement/feature request): bug

Steps to reproduce (as few steps as possible):

  1. Add Active Directory authentication
  2. Submit the Active Directory authentication with a test user

Result:

  1. You cannot add any group the test user is not part of.
  2. You cannot add any user.
  3. When logging in to the Rancher UI with another admin-level user, you can only add the groups you are part of to the authentication section.

Other details that may be helpful: it appears that when it calculates/compares principals, it only compares them to the currently logged-in user.

I tested using another AD user in the test section and had the same trouble: I could only add groups he was in.

Logs of the failed attempt:

2018/10/26 08:40:13 [DEBUG] Impersonating user user-5qw69, groups [activedirectory_group://.....redactedstuff system:authenticated]
2018/10/26 08:40:13 [DEBUG] REST GET apis/management.cattle.io/v3//authconfigs/activedirectory
2018/10/26 08:40:13 [DEBUG] Failed to determine if object is type: activedirectory_group
2018/10/26 08:40:13 [DEBUG] Failed to determine if object is type: user
2018/10/26 08:40:13 [DEBUG] Query for getPrincipal(): (objectClass=group)
2018/10/26 08:40:13 [DEBUG] Now creating Ldap connection
2018/10/26 08:40:13 [DEBUG] Failed to determine if object is type: user
2018/10/26 08:40:13 [DEBUG] Failed to determine if object is type: user
2018/10/26 08:40:13 [DEBUG] Failed to determine if object is type: group
2018/10/26 08:40:13 [ERROR] Unknown error: Failed to get attributes for 

Environment information

  • Rancher version: 2.1.1

  • Installation option (single install/HA): Single install

  • Docker:

Containers: 2
 Running: 1
 Paused: 0
 Stopped: 1
Images: 1
Server Version: 18.06.1-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 468a545b9edcd5932818eb9de8e72413e616e86e
runc version: 69663f0bd4b60df09991c08812a60108003fa340
init version: fec3683
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.4.0-116-generic
Operating System: Ubuntu 16.04.5 LTS
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 3.859GiB
Name: ..
ID: ..
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false
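The following Python model is an added example, not Rancher's code, illustrating the difference the report describes: a principal lookup that resolves an `activedirectory_group://<DN>` id by searching the directory for that DN (the base-scope `(objectClass=group)` query visible in the debug log) versus one that can only see principals through the calling user's own identity and group memberships. The directory entries, DNs and function names are constructed for illustration and assume nothing about Rancher's internals beyond what the log lines show.

```python
"""Model of two ways to resolve an Active Directory principal (added example).

The principal-id scheme (activedirectory_<kind>://<DN>) and the base-scope
search with an (objectClass=group) filter mirror what the issue's debug log
shows; the directory entries, DNs and function names below are constructed
for illustration and are not Rancher's implementation.
"""
from __future__ import annotations

# Constructed directory: DN -> attributes, as an LDAP base-scope search would return them.
USERS_OU = "OU=Users,DC=example,DC=test"
GROUPS_OU = "OU=Groups,DC=example,DC=test"
ALICE = f"CN=alice,{USERS_OU}"
BOB = f"CN=bob,{USERS_OU}"
ADMINS = f"CN=rancher-admins,{GROUPS_OU}"
OPS = f"CN=platform-ops,{GROUPS_OU}"

DIRECTORY: dict[str, dict[str, list[str]]] = {
    ALICE: {"objectClass": ["user"], "sAMAccountName": ["alice"], "memberOf": [ADMINS]},
    BOB: {"objectClass": ["user"], "sAMAccountName": ["bob"], "memberOf": [OPS]},
    ADMINS: {"objectClass": ["group"], "cn": ["rancher-admins"], "member": [ALICE]},
    OPS: {"objectClass": ["group"], "cn": ["platform-ops"], "member": [BOB]},
}


def principal_id(kind: str, dn: str) -> str:
    """Build an id in the form seen in the log: activedirectory_group://<DN>."""
    return f"activedirectory_{kind}://{dn}"


def parse_principal(principal_id: str) -> tuple[str, str]:
    """Split 'activedirectory_<kind>://<DN>' into (kind, dn); kind is 'user' or 'group'."""
    scheme, sep, dn = principal_id.partition("://")
    provider, _, kind = scheme.partition("_")
    if not sep or not dn or provider != "activedirectory" or kind not in ("user", "group"):
        raise ValueError(f"malformed principal id: {principal_id!r}")
    return kind, dn


def ldap_base_search(base_dn: str, object_class: str) -> dict[str, list[str]] | None:
    """Stand-in for a base-scope LDAP search on base_dn with filter (objectClass=<object_class>)."""
    entry = DIRECTORY.get(base_dn)
    if entry is None or object_class not in entry["objectClass"]:
        return None
    return entry


def lookup_in_directory(principal_id: str) -> dict[str, list[str]] | None:
    """Resolve a principal by querying the directory for its DN, regardless of who asks."""
    kind, dn = parse_principal(principal_id)
    return ldap_base_search(dn, kind)


def lookup_via_caller(caller_dn: str, principal_id: str) -> dict[str, list[str]] | None:
    """Resolve a principal only through the calling user's own identity and memberships.

    This reproduces the symptom in the report: a group is found only if the caller
    is a member of it, and a user is found only if it is the caller.
    """
    kind, dn = parse_principal(principal_id)
    caller = DIRECTORY[caller_dn]
    visible = {caller_dn} if kind == "user" else set(caller.get("memberOf", []))
    if dn not in visible:
        return None  # corresponds to the log's "Failed to get attributes for" case
    return DIRECTORY[dn]


if __name__ == "__main__":
    # alice is not a member of platform-ops: the caller-scoped lookup fails,
    # the directory lookup succeeds.
    target = principal_id("group", OPS)
    print("caller-scoped:", lookup_via_caller(ALICE, target))
    print("directory    :", lookup_in_directory(target))
```

The useful check when triaging a report like this is the one the directory lookup performs: bind with the configured service account and run a base-scope search on the group's DN directly (for example with `ldapsearch -b "<group DN>" -s base "(objectClass=group)"`). If that returns the entry, the directory is fine and the failure is in how the application scopes the lookup, not in AD.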

About this issue

  • State: closed
  • Created 6 years ago
  • Comments: 18 (4 by maintainers)

Most upvoted comments

Any news on this… It has been open for a while now and the misbehaviour is still there.