aws / res

Research and Engineering Studio (RES) is an AWS supported open source product that enables IT administrators to provide an easy-to-use web portal for scientists and engineers to run technical computing workloads on AWS.
https://github.com/aws/res
Apache License 2.0

[BUG] Active Directory sync uses `cn` instead of `sAMAccountName` #32

Closed manics closed 6 months ago

manics commented 8 months ago

Describe the bug

If a new Active Directory user is created with a Firstname and Surname they can not be added to RES

Steps to reproduce

Steps to reproduce the behavior:

  1. Create a new Active Directory user with a First name and Last name, User logon name and email
  2. Wait for the RES AD hourly sync to run
  3. Check the cluster-manager logs, they contain `[ERROR] [ad-sync] Error while adding user Firstname Surname to RES. Error: [INVALID_PARAMS] Invalid params: user.username must match regex: ^(?=.{3,20}$)(?![_.])(?!.*[_.]{2})[a-z0-9._]+(?<![_.])$`

Expected behavior

User should be added to RES with a username taken from User logon name

Actual behavior

User is not added to RES due to the above error

Environment (please complete the following information):

Additional context

It looks like RES uses the `cn` attribute as the username: https://github.com/aws/res/blob/2024.01.01/source/idea/idea-cluster-manager/src/ideaclustermanager/app/adsync/adsync_service.py#L214

but in Active Directory this is `Firstname Surname` (if those fields are set), which is an invalid RES username, and also isn't guaranteed to be unique. `sAMAccountName` should be more suitable: https://serverfault.com/questions/567776/which-field-to-use-when-authenticating-against-active-directory

Mohjeet commented 7 months ago

The fix for this issue (Active Directory sync using sAMAccountName instead of cn) is currently in progress.

junbo75 commented 6 months ago

This issue was fixed in the RES 2024.04 release.
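
The following pre-sync audit is an added example, not part of the original thread and not code from RES. It applies the username regex quoted in the error message above to values taken from `cn` and from `sAMAccountName`, and flags values that repeat. The directory entries, the `audit` function and the `corp.example.com` names are constructed assumptions.

```python
import re
from collections import Counter

# Username rule copied from the cluster-manager error message in this issue.
RES_USERNAME_RE = re.compile(
    r"^(?=.{3,20}$)(?![_.])(?!.*[_.]{2})[a-z0-9._]+(?<![_.])$"
)

# Constructed directory entries (not real data). Two users in different OUs
# share a cn, which AD permits; their sAMAccountName values differ.
SAMPLE_ENTRIES = [
    {"dn": "CN=Alex Smith,OU=Physics,DC=corp,DC=example,DC=com",
     "cn": "Alex Smith", "sAMAccountName": "asmith"},
    {"dn": "CN=Alex Smith,OU=Chemistry,DC=corp,DC=example,DC=com",
     "cn": "Alex Smith", "sAMAccountName": "asmith2"},
    {"dn": "CN=Jo Lee,OU=Physics,DC=corp,DC=example,DC=com",
     "cn": "Jo Lee", "sAMAccountName": "Jo-Lee"},
]


def audit(entries, attribute):
    """Check usernames taken from `attribute` against the RES rule.

    Returns (accepted, rejected, duplicates): accepted values, (dn, value)
    pairs that fail the regex, and values that occur more than once.
    """
    values = [(e["dn"], e.get(attribute, "")) for e in entries]
    accepted = [v for _, v in values if RES_USERNAME_RE.fullmatch(v)]
    rejected = [(dn, v) for dn, v in values if not RES_USERNAME_RE.fullmatch(v)]
    counts = Counter(v for _, v in values)
    duplicates = sorted(v for v, n in counts.items() if n > 1)
    return accepted, rejected, duplicates


if __name__ == "__main__":
    for attr in ("cn", "sAMAccountName"):
        accepted, rejected, duplicates = audit(SAMPLE_ENTRIES, attr)
        print(f"{attr}: accepted={accepted} duplicates={duplicates}")
        for dn, value in rejected:
            print(f"  rejected {value!r} ({dn})")
```

In the sample, the third entry shows that a logon name containing uppercase letters or a hyphen also fails the quoted regex, so an audit like this is worth running against `sAMAccountName` as well.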