bek-afs
commented
7 months ago Figured out the credentials and posting this here for reference for anyone else that may have issues.
- Exec onto the openldap pod with with
kubectl -n <sas viya namespace> exec -it openldap-xxxx-xxx -- bin/bash1.1 Find the exact name of the openldap pod withkubectl -n <sas viya namespace> get pods - Run
printenvto print all environment variables - Find the
LDAP_DOMAINandLDAP_ADMIN_PASSWORDentries - Run the ldapsearch command to verify credentials
ldapsearch -x H ldap://localhost -b dc=example,dc=com -D "cn=admin,dc=example,dc=com" -w <LDAP_ADMIN_PASSWORD>4.1. Note that the-band-Dflags assume theLDAP_DOMAINvalue isexample.com. Update the flags accordingly if your value forLDAP_DOMAINis different - You can use
ldapaddandldapmodifyto update the LDAP. For example, if you want to create auser3and add it to theusersgroup, run the following commands: 5.1 Create auser3.ldiffile which creates the LDAP metadata for the newuser3user:cat << EOT >> user3.ldif dn: uid=user3,ou=people,dc=example,dc=com changetype: add objectClass: inetOrgPerson objectclass: extensibleObject uid: user3 uidNumber: 7003 gidNumber: 1000 cn: user3 sn: Tester distinguishedName: uid=user3,ou=people,dc=example,dc=com displayName: Test User 3 userPassword: Password123 homeDirectory: /home/user3 mail: user3@example.com EOT5.2 Apply the file so
user3is added to the LDAP:ldapadd -x -H ldap://localhost -D "cn=admin,dc=example,dc=com" -w <LDAP_ADMIN_PASSWORD> -f user3.ldif5.3 Create ausers-group.ldiffile to adduser3as a member of theusersgroup:cat << EOT >> users-group.ldif
Hope this helps someone else who might be new to LDAP! Closing this issue. dn: cn=users,ou=groups,dc=example,dc=com changetype: modify add: uniqueMember uniqueMember: uid=user3,ou=people,dc=example,dc=com EOT
5.4 Apply the file so `user3` is added to the `users` group: `ldapmodify -x -H ldap://localhost -D "cn=admin,dc=example,dc=com" -w <LDAP_ADMIN_PASSWORD> -f users-group.ldif`
5.5. Run the same ldapsearch command as before to verify the additions to the LDAP
Hope this helps someone who might be new to LDAP! Closing this issue.
Viya4 Deployment Version Details
6.8.0
Ansible Variable File Details
V4_CFG_EMBEDDED_LDAP_ENABLE: true
Steps to Reproduce
In ansible-vars.yaml I'm setting
V4_CFG_EMBEDDED_LDAP_ENABLE: true. I'm using the sitedefault.yaml file as-is, but setting my own passwords for the ldap password and logon initial password.When I deploy SAS Viya, I see the openldap pod that is provisioned and exec onto it with
kubectl -n sas-viya exec -it openldap-xxxx-xxx -- bin/bash. In the README of the osixia/openldap GitHub repo (which is the image that is being used to install openldap), they have a command in the Quick Start to run an ldapsearch:docker exec my-openldap-container ldapsearch -x -H ldap://localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w adminSince I'm already exec'ed into the openldap pod, I'm running:
ldapsearch -x -H ldap://localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w adminwhich returns:
ldap_bind: Invalid credentials (49).I then realized that maybe the ldap password that I set in the
sitedefault.yamlmay be overriding the default password ofadminthat the image supplies. I tried the same command with that password but same error. I've also tried supplying-H ldap://ldap-svc:389 -b dc=example,dc=com -D "cn=admin,dc=example,dc=com"to match what is in thesitedefault.yamlbut receive the same error.Could you please provide some direction as to what the viya4-deployment is overriding in the openldap deployment and how to authenticate with the ldap in order to run ldapsearch, ldapadd, ldapmodify, etc commands?
Expected Behavior
Receive output like
from the ldapsearch command
Actual Behavior
ldap_bind: Invalid credentials (49)errorAdditional Context
No response
References
No response
Code of Conduct