sassoftware / viya4-ark

SAS Viya Administration Resource Kit for Containerized Deployments. Tools and utilities to help SAS Customers with SAS Viya running in containers.
Apache License 2.0

issues with sitedefault.yaml example file #159

Closed juergenschroeder closed 2 years ago

juergenschroeder commented 2 years ago

Hi all,

if I take the yaml default file from

https://github.com/sassoftware/viya-ark/blob/master/playbooks/ldap-validator/sitedefault_sample_openldap.yml

I find two issues. First: the port is given as a string, `port: '389'`, which results in a Python error. It should just be a number, `port: 389`.

Second: the last line specifying the administrator

```yaml
sas.identities:
  administrator: 'your_user_id'
```

results in a validation error using OpenLDAP for any user specified:

```
2021-11-24 02:33:05,159 - ldap_validator.py[line:273] - DEBUG: LDAP Query: search_base=ou=user,dc=ldap,dc=localdomain, search_filter=(&(objectClass=user)(sAMAccountName =ldapadm))verify=True
2021-11-24 02:33:05,160 - ldap_validator.py[line:277] - ERROR: LDAP search failed with the following error: invalid class in objectClass attribute: user
```

Looking at the Python code in ldap_validator.py at line 200, the search string is hard-coded to

```python
searchstring = '(&(objectClass=user)(sAMAccountName=' + ldap_defaultadmin_user + '))'
if (not perform_ldap_query(ldap_logger, ldap_server_host,  ldap_user_basedn, searchstring, True)):
    failTestSuite(ldap_logger)
```

These objects are only found in Active Directory, but not in OpenLDAP.

So my question is: are they needed, and/or does it only work using AD?

My sitedefault.yaml looks like the following:

```yaml
config:
  application:
    sas.identities.providers.ldap.connection:
      host: 'centosmaster.localdomain'
      port: 389
      url: 'ldap://${sas.identities.providers.ldap.connection.host}:${sas.identities.providers.ldap.connection.port}'
      anonymousBind: 'false'
      userDN: "cn=ldapadm,dc=ldap,dc=localdomain"
      password: ""
    sas.identities.providers.ldap.group:
      accountId: 'name'
      baseDN: "ou=groups,dc=ldap,dc=localdomain"
      createdDate: 'createTimestamp'
      distinguishedName: 'none'
      member: 'member'
      modifiedDate: 'modifyTimestamp'
      objectClass: 'groupOfNames'
      objectFilter: '(objectClass=groupOfNames)'
      searchFilter: 'dn={0}'
    sas.identities.providers.ldap.user:
      accountId: 'uid'
      baseDN: "ou=user,dc=ldap,dc=localdomain"
      createdDate: 'createTimestamp'
      distinguishedName: 'none'
      memberOf: 'memberOf'
      modifiedDate: 'modifyTimestamp'
      objectClass: 'inetOrgPerson'
      objectFilter: '(objectClass=inetOrgPerson)'
      searchFilter: 'uid={0}'
    sas.identities:
      administrator: 'ldapadm'
```

which I call with the following command:

```shell
python3 viya-ark.py ldap_validator -s ../sysPrep/sitedefault.yaml -d
```
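An added example, not part of this issue thread or of viya-ark's own code, showing how the administrator lookup could be derived from the `sas.identities.providers.ldap.user` section of sitedefault.yaml (its `baseDN`, `objectFilter` and `searchFilter` template) instead of hard-coding the Active Directory attributes, so the same check would work against OpenLDAP; it also tolerates the quoted port form. The config dict is constructed from the sitedefault shown above; the function names and the RFC 4515 escaping are assumptions, not the tool's behaviour.

```python
# Added example (not viya-ark code): build the administrator search from the
# sitedefault user section rather than hard-coding objectClass=user and
# sAMAccountName, so it follows whatever the directory actually uses.

# RFC 4515 escaping for values substituted into a search filter (assumed
# hardening; the snippet in the issue concatenates the user id directly).
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}


def escape_filter_value(value):
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def coerce_port(port):
    """Accept 389 or '389' (the quoted form is reported to fail) and validate the range."""
    try:
        port = int(port)
    except (TypeError, ValueError):
        raise ValueError(f"port must be an integer, got {port!r}")
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def build_admin_search(config):
    """Return (search_base, search_filter) for the sas.identities administrator."""
    app = config['config']['application']
    user = app['sas.identities.providers.ldap.user']
    admin = app['sas.identities']['administrator']
    # objectFilter already carries the directory's object-class test, e.g.
    # (objectClass=inetOrgPerson) for OpenLDAP or (objectClass=user) for AD.
    object_filter = user['objectFilter']
    # searchFilter is a {0} template such as 'uid={0}' or 'sAMAccountName={0}'.
    search_filter = user['searchFilter'].format(escape_filter_value(admin))
    return user['baseDN'], f'(&{object_filter}({search_filter}))'


# Constructed from the sitedefault.yaml posted in the issue (port kept quoted on purpose).
SAMPLE_SITEDEFAULT = {'config': {'application': {
    'sas.identities.providers.ldap.connection': {'host': 'centosmaster.localdomain', 'port': '389'},
    'sas.identities.providers.ldap.user': {
        'accountId': 'uid',
        'baseDN': 'ou=user,dc=ldap,dc=localdomain',
        'objectClass': 'inetOrgPerson',
        'objectFilter': '(objectClass=inetOrgPerson)',
        'searchFilter': 'uid={0}',
    },
    'sas.identities': {'administrator': 'ldapadm'},
}}}

if __name__ == '__main__':
    print(coerce_port(SAMPLE_SITEDEFAULT['config']['application']['sas.identities.providers.ldap.connection']['port']))
    print(build_admin_search(SAMPLE_SITEDEFAULT))
```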

erharb commented 2 years ago

The sample sitedefault yaml URL referenced is from the Viya 3 version of Viya ARK, but the Python tool referenced by this issue is for the Viya 4 version of Viya ARK, which does not provide a sample sitedefault yaml file. I assume the Viya 3 sample version is different because it is used in Ansible playbooks. I think the expectation of the Viya 4 ARK is that you use the sample sitedefault included in your order-generated manifests.

juergenschroeder commented 2 years ago

Will it work with OpenLDAP then? Or just with AD?

markha73 commented 2 years ago

Currently, the script only supports AD. I will take a look at what changes are needed to provide support for OpenLDAP.

AlissaSchleich commented 2 years ago

We have opened a request to support OpenLDAP.