Mailinglist Archive: opensuse-buildservice (132 mails)

[opensuse-buildservice] Can't get group information from LDAP
Hi!

I installed a standalone version of OBS in a corporate environment. We use OpenLDAP for
identification. User authentication runs well, but the webui does not even ask for
information about groups. I looked at the tcpdump output, the OpenLDAP log and
production.log. What could be the problem? (The LDAP connection configuration is
shown below.)

ldap_mode: :on

# LDAP Servers separated by ':'.
# OVERRIDE with your company's ldap servers. Servers are picked randomly for
# each connection to distribute load.
ldap_servers: ldap.mysite.com

# Max number of times to attempt to contact the LDAP servers
ldap_max_attempts: 15

# The attribute the user memberof is stored in
# ldap_user_memberof_attr: memberof

# Perform the group_user search with the member attribute of group entry or memberof attribute of user entry
# It depends on your ldap define
# The attribute the group member is stored in
ldap_group_member_attr: member

# If you're using ldap_authenticate=:ldap then you should ensure that
# ldaps is used to transfer the credentials over SSL or use the StartTLS extension
ldap_ssl: :on

# Use StartTLS extension of LDAP
ldap_start_tls: :off

# LDAP port defaults to 636 for ldaps and 389 for ldap and ldap with StartTLS
#ldap_port:
# Authentication with Windows 2003 AD requires
ldap_referrals: :off

# OVERRIDE with your company's ldap search base for the users who will use OBS
ldap_search_base: ou=People, dc=mysite, dc=com
# Sam Account Name is the login name for LDAP
ldap_search_attr: uid
# The attribute the user's name is stored in
ldap_name_attr: cn
# The attribute the user's email is stored in
ldap_mail_attr: mail
# Credentials to use to search ldap for the username
ldap_search_user: ""
ldap_search_auth: ""

# By default any LDAP user can be used to authenticate to the OBS
# In some deployments this may be too broad and certain criteria should
# be met; eg group membership
#
# To allow only users in a specific group uncomment this line:
ldap_user_filter: (mail=*@mysite.com)
#
# Note this is joined to the normal selection like so:
# (&(#{ldap_search_attr}=#{login})#{ldap_user_filter})
# giving an ldap search of:
# (&(sAMAccountName=#{login})(memberof=CN=group,OU=Groups,DC=Domain Component))
#
# Also note that openLDAP must be configured to use the memberOf overlay

# ldap_authenticate says how the credentials are verified:
# :ldap = attempt to bind to ldap as user using supplied credentials
# :local = compare the credentials supplied with those in
# LDAP using #{ldap_auth_attr} & #{ldap_auth_mech}
# if :local is used then ldap_auth_mech can be
# :md5
# :cleartext
ldap_authenticate: :ldap
ldap_auth_mech: :md5
# This is a string
ldap_auth_attr: userPassword

# Whether to update the user info to LDAP server, it does not take effect
# when ldap_mode is not set.
# Since adding a new entry depends on your slapd db definition, it might not be
# compatible with all LDAP server settings; you can use other LDAP client tools for your specific usage
ldap_update_support: :off
# ObjectClass, used for adding new entry
ldap_object_class: inetOrgPerson
# Base dn for the new added entry
ldap_entry_base: ou=OBSUSERS,dc=EXAMPLE,dc=COM
# Whether the sn attribute is required; it is a necessary attribute for most people objectclasses,
# used for adding new entry
ldap_sn_attr_required: :on

# Whether to search group info from ldap, it does not take effect
# when LDAP_GROUP_SUPPORT is not set.
# Please also set below LDAP_GROUP_* configs correctly to ensure the operation works properly
ldap_group_support: :on
# OVERRIDE with your company's ldap search base for groups
ldap_group_search_base: site=jenkins.mysite.com,ou=devops,ou=Technology,ou=MYSITE,ou=Projects
# The attribute the group name is stored in
ldap_group_title_attr: op
# The value of the group objectclass attribute, leave it as "" if objectclass attr doesn't exist
ldap_group_objectclass_attr: iponwebPermission
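
The configuration comments above describe how ldap_user_filter is joined to the login lookup. As an added example (not part of the original post and not OBS code), the Ruby below builds that joined filter from the posted values and escapes the login per RFC 4515 so that user input cannot change the filter's structure. The helper names escape_filter_value, balanced? and user_filter are hypothetical.

```ruby
# Added example, not OBS code. Setting names and values are copied from the
# posted configuration; every helper name below is hypothetical.
CONFIG = {
  'ldap_search_attr' => 'uid',
  'ldap_user_filter' => '(mail=*@mysite.com)'
}.freeze

# RFC 4515: backslash, '*', '(', ')' and NUL must be written as \XX (hex)
# when they appear inside an assertion value.
FILTER_SPECIALS = /[\\*()\x00]/.freeze

def escape_filter_value(value)
  value.to_s.gsub(FILTER_SPECIALS) { |ch| format('\\%02x', ch.ord) }
end

# Literal parentheses in a filter are always structural (escaped ones are
# \28 and \29), so a simple depth count is enough to catch a broken filter.
def balanced?(filter)
  depth = 0
  filter.each_char do |ch|
    depth += 1 if ch == '('
    depth -= 1 if ch == ')'
    return false if depth.negative?
  end
  depth.zero? && filter.start_with?('(') && filter.end_with?(')')
end

# Joins the login lookup and the optional ldap_user_filter in the form
# shown in the config comment: (&(<search_attr>=<login>)<user_filter>)
def user_filter(login, config = CONFIG)
  attr = config.fetch('ldap_search_attr')
  unless attr.match?(/\A[A-Za-z][A-Za-z0-9-]*\z/)
    raise ArgumentError, "unexpected attribute name: #{attr}"
  end
  base = "(#{attr}=#{escape_filter_value(login)})"
  extra = config['ldap_user_filter'].to_s.strip
  return base if extra.empty?
  raise ArgumentError, 'ldap_user_filter is not a balanced filter' unless balanced?(extra)
  "(&#{base}#{extra})"
end

puts user_filter('alice') if __FILE__ == $PROGRAM_NAME
```

The administrator-supplied ldap_user_filter is inserted as written (its `*` is an intended wildcard), while the login is treated as untrusted data and escaped.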
