search

rackslab / Slurm-web

Open source web dashboard for Slurm HPC clusters
https://slurm-web.com
GNU General Public License v3.0
340 stars 97 forks source link

RFL's ldap.py not pulling user_name_attribute from gateway.ini #340

Closed rseaman2016 closed 2 months ago

rseaman2016 commented 3 months ago

I'm working on configuring slurm-web in a multi-cluster setup and have set sAMAccountName as the user_name_attribute in the gateway.ini file for use against Active Directory. However, ldap.py in the RFL package does not seem to respect that custom setting (setting it statically in ldap.py works)

My gateway.ini file (Internal information hidden):

[ui]
host=slurm-web.companydomain.org
enabled=True

[agents]
url=
  https://slurmwebagent.companydomain.org/agent

[authentication]
enabled=true
method=ldap

[ldap]
uri=ldaps://fqdn:636
cacert=/etc/ssl/certs/ca.cer
user_base=OU=Enterprise,DC=redacted,DC=redacted,DC=org
group_base=DC=redacted,DC=redacted,DC=org
user_class=person
user_name_attribute=sAMAccountName
group_name_attribute=cn
bind_dn=CN=svc_slurmweb,OU=Service Accounts,OU=Enterprise,DC=redacted,DC=redacted,DC=org
bind_password=redacted

The error I receive when I run slurm-web-ldap-check --debug --debug-flags rfl is [ERROR] ⸬slurmweb.apps.ldap:45 ↦ LDAP error: Unable to extract user uid from user entries

Thanks!

Originally posted by @rseaman2016 in https://github.com/rackslab/Slurm-web/issues/305#issuecomment-2307292079

rezib commented 3 months ago

What are your versions of slurm-web-gateway and python3-rfl-authentication packages?

rseaman2016 commented 3 months ago

Hi @rezib, slurm-web-gateway is version 3.1.0-1.ubuntu2404 and python3-rfl-authentication is 1.0.2-1.ubuntu2404.

I also re-read the documentation (it's been a bit since I last looked at it) and realized it's only been verified with Ubuntu 24.04 - I am running Ubuntu 22.04. If Ubuntu 22.04 isn't officially supported, I'm happy to spin up a Rocky 9 server to test and get back to you, as our organization is not quite ready to deploy Ubuntu 24.04.

Thanks!

rezib commented 3 months ago

Hi @rezib, slurm-web-gateway is version 3.1.0-1.ubuntu2404 and python3-rfl-authentication is 1.0.2-1.ubuntu2404.

:+1:

I found the bug, it is actually specific to slurm-web-ldap-check command. The Slurm-web gateway service should properly use your sAMAccountName attribute anyway. I will fix this in Slurm-web 3.2.0.

I also re-read the documentation (it's been a bit since I last looked at it) and realized it's only been verified with Ubuntu 24.04 - I am running Ubuntu 22.04. If Ubuntu 22.04 isn't officially supported, I'm happy to spin up a Rocky 9 server to test and get back to you, as our organization is not quite ready to deploy Ubuntu 24.04.

Yes, you can find a short statement about the current situation for Ubuntu 22.04 support: https://github.com/rackslab/Slurm-web/discussions/338#discussioncomment-10396015

rseaman2016 commented 3 months ago

Thanks for the clarification! I went ahead and stood up a Rocky 9 server for the gateway and I'm still having issues with authentication against Active Directory. For the sake of troubleshooting, I statically set sAMAccountName in place of uid in ldap.py. This got me a new error: [ERROR] ⸬slurmweb.apps.ldap:45 ↦ LDAP error: Unable to extract user primary group with gidNumber attribute from user entries

Navigating to the login page and entering credentials, I get:

Screenshot 2024-08-23 at 1 23 57 PM Screenshot 2024-08-23 at 1 24 09 PM

Thanks!

rezib commented 2 months ago

Hello @rseaman2016,

I went ahead and stood up a Rocky 9 server for the gateway and I'm still having issues with authentication against Active Directory. For the sake of troubleshooting, I statically set sAMAccountName in place of uid in ldap.py. This got me a new error: [ERROR] ⸬slurmweb.apps.ldap:45 ↦ LDAP error: Unable to extract user primary group with gidNumber attribute from user entries

[…]

FYI, I fixed the original bug of this issue (in slurm-web-ldap-check) with commit 4f1d5df, and I just opened #342 for what looks like another bug regarding AD support.