
Various issues using LDAP authentication from docker

Open skrussell opened this issue 3 years ago • 2 comments

After attempting to migrate from a CDash 2.7 instance to 3.0.2, using the latest docker hub image and docker compose, I had quite a few issues with the LDAP set-up (other than the lack of up-to-date documentation). I have catalogued them here in one ticket (along with the workarounds that I ultimately ended up having to use, for other people to reference, in case anyone else is having the same issues).

Problem 1. The "CDASH_" gets stripped from "CDASH_AUTHENTICATION_PROVIDER=ldap" when it is migrated into the .env file, but the "CDASH_" full variable name is still required (including prefix) to activate use of LDAP mode. Workaround: Declare $$CDASH_CDASH_AUTHENTICATION_PROVIDER='ldap', (yes, with the deliberate double prefix).

Problem 2. When there is more than one LDAP_HOSTS entry, they are declared as a space-separated list. However, when this is parsed by the migration script, the quotes are removed, and an invalid value is put into .env, which results in the error: "Failed to parse dotenv file due to unexpected whitespace." Workaround: Declare the LDAP_HOSTS value wrapped in two lots of quotes, i.e.: $$CDASH_LDAP_HOSTS='"ldap1.example.com ldap2.example.com"'

Problem 3. Boolean values, when declared in (i.e. $$CDASH_LDAP_USE_TLS = true;), are incorrectly translated into integer values in the .env file (i.e. LDAP_USE_TLS=1). This results in the error: "Option use_tls must be a boolean". Workaround: Wrap the boolean value in quotes, to force it to pass through the migration process as a string: $$CDASH_LDAP_USE_TLS = 'true';

Problem 4. Despite the default LDAP_PROVIDER being set to 'openldap', the default value for LDAP_BIND_USERS_BY is 'distinguishedname', which isn't valid for OpenLDAP - this should be correctly set as 'dn'. Arguably 'LDAP_LOCATE_USERS_BY' defaulting to 'mail' is also wrong in this context too, but at least that does work out of the box. Workaround: Declare $$CDASH_LDAP_BIND_USERS_BY = 'dn'; (Note: this doesn't appear to be documented anywhere).

If you'd prefer, I can break these out into individual issues.

skrussell avatar Mar 29 '21 15:03 skrussell
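
A pre-flight check for the migrated .env file covering the four problems reported above, as an added example that is not part of the original issue or CDash's own code. The key names and defaults are taken from the report; the sample files and the function names `parse_env` and `lint_ldap_env` are constructed for illustration.

```python
import re

# Defaults as stated in the report above; not verified against CDash source.
DEFAULTS = {"LDAP_PROVIDER": "openldap", "LDAP_BIND_USERS_BY": "distinguishedname"}

# Constructed sample: what the report says the migration writes.
BROKEN_ENV = """\
AUTHENTICATION_PROVIDER=ldap
LDAP_HOSTS=ldap1.example.com ldap2.example.com
LDAP_USE_TLS=1
"""

# Constructed sample: the same settings in the form the report says works.
FIXED_ENV = """\
CDASH_AUTHENTICATION_PROVIDER=ldap
LDAP_HOSTS="ldap1.example.com ldap2.example.com"
LDAP_USE_TLS=true
LDAP_BIND_USERS_BY=dn
"""

def parse_env(text):
    """Parse KEY=VALUE lines; report unquoted whitespace in values (problem 2)."""
    env, findings = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # strip one layer of matching quotes
        elif re.search(r"\s", value):
            findings.append(f"problem 2: line {n}: {key} has unquoted whitespace")
        env[key] = value
    return env, findings

def lint_ldap_env(text):
    """Return findings for the four migration problems listed in the report."""
    env, findings = parse_env(text)
    full, bare = env.get("CDASH_AUTHENTICATION_PROVIDER"), env.get("AUTHENTICATION_PROVIDER")
    if bare == "ldap" and full != "ldap":
        findings.append("problem 1: AUTHENTICATION_PROVIDER lost its CDASH_ prefix")
    tls = env.get("LDAP_USE_TLS")
    if tls is not None and tls.lower() not in ("true", "false"):
        findings.append(f"problem 3: LDAP_USE_TLS={tls} is not true/false")
    merged = {**DEFAULTS, **env}  # explicit settings override the defaults
    if "ldap" in (full, bare) and merged["LDAP_PROVIDER"] == "openldap" \
            and merged["LDAP_BIND_USERS_BY"] == "distinguishedname":
        findings.append("problem 4: LDAP_BIND_USERS_BY should be 'dn' for openldap")
    return findings
```

Running `lint_ldap_env` on the generated .env before starting the container surfaces all four conditions at once instead of one startup error at a time.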

Related: https://github.com/Kitware/CDash/issues/1086

seanm avatar May 06 '21 19:05 seanm

@skrussell I'm wondering how you managed to keep your admin account working to create new projects, add users... with LDAP configured (see #1230)

fspindle avatar Mar 27 '22 16:03 fspindle