
Comments (4)

toddbruner commented on May 20, 2024

Do you have a "Test User" in your LDAP and if so is that "Test User" a member of any groups? I think that the error is saying, I was able to find 'Test User' in LDAP, but I didn't get back any groups. Reasons for this include invalid User ID attribute, invalid membership attribute, or "Test User" is not in any groups.

We will probably need to know more about your LDAP setup to debug this one.

from scot.

jgomezrubio commented on May 20, 2024

Thank you for your quick reply.

Below are the results of my ldapsearch -x -H ldaps://ht-ldap-0.it.anl.gov:636 command:

# extended LDIF
#
# LDAPv3
# base <dc=it,dc=anl,dc=gov> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# it.anl.gov
dn: dc=it,dc=anl,dc=gov
objectClass: organization
objectClass: dcObject
dc: it
o: it

# People, it.anl.gov
dn: ou=People,dc=it,dc=anl,dc=gov
objectClass: organizationalUnit
ou: People

# group, it.anl.gov
dn: ou=group,dc=it,dc=anl,dc=gov
objectClass: organizationalUnit
ou: group

# SUDOers, it.anl.gov
dn: ou=SUDOers,dc=it,dc=anl,dc=gov
objectClass: organizationalUnit
ou: SUDOers

# ht-test-stage-0, SUDOers, it.anl.gov
dn: cn=ht-test-stage-0,ou=SUDOers,dc=it,dc=anl,dc=gov
objectClass: sudoRole
cn: ht-test-stage-0
description: root
sudoHost: ht-test-stage-0.it.anl.gov
sudoCommand: ALL
sudoRunAsUser: ALL
sudoUser: cfm

# ht-scot-0, SUDOers, it.anl.gov
dn: cn=ht-scot-0,ou=SUDOers,dc=it,dc=anl,dc=gov
objectClass: sudoRole
cn: ht-scot-0
sudoHost: ht-scot-0
sudoCommand: ALL
sudoRunAsUser: ALL
description: root
sudoUser: mcampos

# cfm, group, it.anl.gov
dn: cn=cfm,ou=group,dc=it,dc=anl,dc=gov
objectClass: posixGroup
description: cfm
gidNumber: 678
cn: cfm

# cfm, People, it.anl.gov
dn: cn=cfm,ou=People,dc=it,dc=anl,dc=gov
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
homeDirectory: /home/cfm
loginShell: /bin/bash
uid: cfm
cn: cfm
gecos: cfm
uidNumber: 678
gidNumber: 678
sn: cfm

# sys-kenobi, group, it.anl.gov
dn: cn=sys-kenobi,ou=group,dc=it,dc=anl,dc=gov
objectClass: posixGroup
description: sys-kenobi
gidNumber: 13356
cn: sys-kenobi

# Mario Campos, People, it.anl.gov
dn: cn=Mario Campos,ou=People,dc=it,dc=anl,dc=gov
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
homeDirectory: /home/mcampos
loginShell: /bin/bash
uid: mcampos
cn: Mario Campos
gecos: M. Campos
uidNumber: 554
gidNumber: 13356
sn: Campos
givenName: Mario

# search result
search: 2
result: 0 Success

# numResponses: 11
# numEntries: 10

As you can see, I am using the objectClasses posixAccount and posixGroup to provide LDAP servers to our Linux machines. Is there another option I can enter for the “Membership Attr” field instead of “memberOf”, since my LDAP server is not using the OpenLDAP ‘memberof’ overlay? Below are the values during SCOT LDAP setup:

LDAP Server: ldaps://ht-ldap-0.it.anl.gov
Base Domain: dc=it,dc=anl,dc=gov
User ID Attribute: uid
Membership Attr: memberOf
Bind DN: cn=cfm,ou=People,dc=it,dc=anl,dc=gov
Bind Password: password
Test User: cfm

Thank you for helping me troubleshoot OpenLDAP integration.

Jose

From: Todd Bruner <[email protected]>
Reply-To: sandialabs/scot <[email protected]>
Date: Wednesday, May 13, 2015 at 11:57 AM
To: sandialabs/scot <[email protected]>
Cc: jgomezrubio <[email protected]>
Subject: Re: [scot] LDAP: Error Found 'Test User' but this user has no groups... (#17)

Do you have a "Test User" in your LDAP and if so is that "Test User" a member of any groups? I think that the error is saying, I was able to find 'Test User' in LDAP, but I didn't get back any groups. Reasons for this include invalid User ID attribute, invalid membership attribute, or "Test User" is not in any groups.

We will probably need to know more about your LDAP setup to debug this one.



from scot.
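The membership question in the comment above, as an added example that is not part of the thread or of SCOT's code: it resolves groups for `cfm` by the `memberOf` attribute, by the posixGroup `memberUid` attribute, and by matching the primary `gidNumber`, which goes beyond the single `memberOf` lookup the thread discusses. The LDIF is constructed from entries quoted in the thread; the `scot-users` group, its `memberUid` value, and the function names are hypothetical.

```python
# Added example: three ways to resolve a user's groups from LDIF text.
# SAMPLE_LDIF is constructed from the thread; "scot-users" is hypothetical.
SAMPLE_LDIF = """\
dn: cn=cfm,ou=group,dc=it,dc=anl,dc=gov
objectClass: posixGroup
gidNumber: 678
cn: cfm

dn: cn=scot-users,ou=group,dc=it,dc=anl,dc=gov
objectClass: posixGroup
gidNumber: 9000
cn: scot-users
memberUid: cfm

dn: cn=cfm,ou=People,dc=it,dc=anl,dc=gov
objectClass: posixAccount
uid: cfm
cn: cfm
gidNumber: 678
"""

def parse_ldif(text):
    """Parse simple LDIF (no base64 values, no folded lines) into dicts of lists."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            key, value = line.split(": ", 1)
            entry.setdefault(key.lower(), []).append(value)  # keys lowercased
        if "dn" in entry:
            entries.append(entry)
    return entries

def groups_for(uid, entries, user_attr="uid"):
    """Return the group names each membership lookup strategy finds for uid."""
    user = next((e for e in entries if uid in e.get(user_attr, [])), None)
    if user is None:
        raise LookupError(f"no entry with {user_attr}={uid}")
    groups = [e for e in entries if "posixGroup" in e.get("objectclass", [])]
    return {
        "memberOf": user.get("memberof", []),  # set by the memberOf overlay
        "memberUid": [g["cn"][0] for g in groups if uid in g.get("memberuid", [])],
        "gidNumber": [g["cn"][0] for g in groups
                      if g.get("gidnumber") == user.get("gidnumber")],
    }

RESULT = groups_for("cfm", parse_ldif(SAMPLE_LDIF))
```

With no `memberOf` values on the user entry, the first strategy returns an empty list even though the user is found, which matches the "found the user but no groups" symptom described in the thread.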

jgomezrubio commented on May 20, 2024

After changing OpenLDAP to support rfc2703bis schema and using the memberOf overlay, I was finally able to successfully validate against SCOT LDAP auth using the admin account. How do I use LDAP credentials for the SCOT HTTP basic authentication? Do I use the username@localdomain syntax?


from scot.

toddbruner commented on May 20, 2024

We have an update I need to apply that should help with your original problem. I'm glad you have got it to work though.

As for your second question, I apologize if I am not understanding the question, but SCOT looks for a session cookie; if it is not present, then you will get a 401, which will prompt the browser to provide a basic auth popup. There you will enter a username / password combination. I've never tried "username@domain" as a login, but it might work. It should be passed on to LDAP and if it can parse it, then we should be fine.

Hope that helps...

from scot.
