Upgraded Rancher 2.6.4 not doing group Shib/LDAP searches
Rancher Server Setup
- Rancher version: 2.6.4
- Installation option (Docker install/Helm Chart): Helm Chart Upgrade (from 2.5.9)
- Helm Chart v2.6.4, K8S v1.21.10-rancher1-1, RKE1
- Proxy/Cert Details:
Information about the Cluster
- Kubernetes version: 1.21.10-rancher1-1
- Cluster Type (Local):
User Information
- What is the role of the user logged in? Admin
Describe the bug: After upgrading from 2.5.9, and upgrading K8S from 1.20.4-rancher1-1, Rancher using Shibboleth auth with OpenLDAP is no longer doing group searches. The LDAP settings are valid, as they were the same before and after the upgrade.
To Reproduce: Shibboleth auth with valid user and group settings. Attempting to add a group to any resource produces "No results found".
Result: The searches being done against LDAP only include "uid", even though the settings specify group as well.
filter = "(&(objectClass=inetOrgPerson)(|(uid=*GROUP OR USER NAME*)))" attrs="distinguishedName isMemberOf objectClass inetorgperson XXXXXshortid cn "
Expected Result: The search should include a group search. 2.5.x searches look like this (some attrs obfuscated):
filter="(&(objectClass=XXXXXgroup)(XXXXXGroupRDN=*GROUP OR USER NAME*))" attrs="XXXXXShortID objectClass groupname XXXXXShortID XXXXXGroupRDN XXXXXGroupRDN"
filter="(&(objectClass=inetOrgPerson)(|(uid=GROUP OR USER NAME*) attrs="distinguishedName isMemberOf objectClass inetorgperson XXXXXShortID cn "
Which produces group results in the search. The documentation specifies this is the expected behavior in 2.6 using Shibboleth backed by OpenLDAP.
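The log excerpts above contrast two LDAP queries: a user search and a group search, each keyed on the same term. As an added illustration (not Rancher's code and not part of the original issue), the Go program below builds both filters from hypothetical schema names (posixGroup/cn stand in for the obfuscated group attributes), escapes the search term per RFC 4515 so it cannot alter the filter structure, and then scans constructed debug-log lines to report whether a group search was issued at all, which is the check the reporter did by hand with debug logging.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// escapeFilterValue escapes an assertion value per RFC 4515 so that a
// user-supplied term cannot change the structure of the filter
// (LDAP filter injection). '\', '*', '(', ')' and NUL become \XX.
func escapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		c := v[i]
		switch c {
		case '\\', '*', '(', ')', 0:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// SearchConfig holds the schema names a provider would take from its
// search configuration. The values used below are hypothetical.
type SearchConfig struct {
	UserObjectClass  string
	UserLoginAttr    string
	GroupObjectClass string
	GroupNameAttr    string
}

// UserFilter builds the user search of the form seen in the 2.6.4 log,
// with a trailing wildcard for prefix matching on the login attribute.
func UserFilter(cfg SearchConfig, term string) string {
	return fmt.Sprintf("(&(objectClass=%s)(|(%s=%s*)))",
		cfg.UserObjectClass, cfg.UserLoginAttr, escapeFilterValue(term))
}

// GroupFilter builds the group search of the form seen in the 2.5.x log,
// the query that is missing from the 2.6.4 output.
func GroupFilter(cfg SearchConfig, term string) string {
	return fmt.Sprintf("(&(objectClass=%s)(%s=%s*))",
		cfg.GroupObjectClass, cfg.GroupNameAttr, escapeFilterValue(term))
}

// filterRe pulls the leading objectClass out of a logged filter=... entry.
var filterRe = regexp.MustCompile(`filter\s*=\s*"?\(&\(objectClass=([^)]+)\)`)

// GroupSearchIssued reports whether any logged filter targets the
// configured group objectClass (case-insensitive, as LDAP attribute
// values for objectClass are).
func GroupSearchIssued(logLines []string, groupObjectClass string) bool {
	for _, l := range logLines {
		if m := filterRe.FindStringSubmatch(l); m != nil &&
			strings.EqualFold(m[1], groupObjectClass) {
			return true
		}
	}
	return false
}

func main() {
	cfg := SearchConfig{
		UserObjectClass:  "inetOrgPerson",
		UserLoginAttr:    "uid",
		GroupObjectClass: "posixGroup", // hypothetical stand-in for XXXXXgroup
		GroupNameAttr:    "cn",         // hypothetical stand-in for XXXXXGroupRDN
	}
	term := "k8s-admins"
	fmt.Println("user  filter:", UserFilter(cfg, term))
	fmt.Println("group filter:", GroupFilter(cfg, term))

	// Constructed debug-log lines modelled on the excerpts in the thread;
	// they are not real Rancher output. Only a user search is present.
	logs := []string{
		`filter = "(&(objectClass=inetOrgPerson)(|(uid=k8s-admins*)))" attrs="distinguishedName isMemberOf objectClass cn"`,
	}
	fmt.Println("group search issued:", GroupSearchIssued(logs, cfg.GroupObjectClass))
}
```

Run it against a real debug log by replacing the constructed slice with the `filter=` lines from the Rancher pod logs; a `false` for the configured group objectClass is the same symptom the reporter describes.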
I have a similar issue. Configuring LDAP via the rancher GUI, when I set the user or group search filter values and press save, they end up blank & the filter seems not to work.
My rancher version is v2.3.2
Reconfirmed with another update from 2.5.9 to 2.6.4.
When adding a member to a project using the Shibboleth/OpenLDAP settings that worked on 2.5.9 the LDAP searches that are performed are for the user context only. The group search is not done at all.
An additional note: Assign Global Roles under User & Authentication will do both user and group searches against LDAP and allow that group to be assigned a global role. This is interesting, but not helpful for assigning resources within a cluster.
Any suggestions where to look next?
Confirmed with debug logging that the group search is not being triggered on 2.6.4 for Shib/OpenLDAP. Updating title for clarification on version. I'd include the logs, but it's only logging the user search and no other error. Should I try trace level logging?
Hi @brtduvally, here are the steps I tried, and I see that the group search works for me.
- Installed rancher v2.5.13 and enabled OpenLDAP auth as the auth provider
- While enabling auth, selected the option "Search direct and nested group memberships" under the customize schema section
- Added a group from the auth provider as a cluster member by creating a downstream cluster
- Upgraded rancher version to v2.6-head 8a31d3c
- Upgraded k8s version from 1.21.12-rancher1-1
- Navigated to cluster members >> Add a group as a cluster member >> the search results show the groups, and the groups are added as cluster Owners --> returns groups without any errors
Is this happening for users other than admins? e.g., cluster owners [standard users]
Hi @anupama2501 , Thanks for looking into this.
I'm using the Shib auth provider with OpenLDAP, not the OpenLDAP provider.
There isn't a Search direct... option for the Shibboleth auth provider in v2.5.9 or in v2.6.4.
In v2.6.4 I can see that option only under the OpenLDAP provider, not the Shibboleth provider. I don't have an instance of v2.5.x to check.
The v2.5.9 install's Shib provider automatically uses the nested group membership search when using the OpenLDAP Search Configuration settings.
I'm concerned about this issue going stale. If Shibboleth no longer supports group search, docs should be updated.
This repository uses an automated workflow to automatically label issues which have not had any activity (commit/comment/label) for 60 days. This helps us manage the community issues better. If the issue is still relevant, please add a comment to the issue so the workflow can remove the label and we know it is still valid. If it is no longer relevant (or possibly fixed in the latest release), the workflow will automatically close the issue in 14 days. Thank you for your contributions.
If Shibboleth no longer supports group search, docs should be updated.
This is still relevant. Groups auth for Shibboleth is broken in 2.6.x
This is still relevant. Groups auth for Shibboleth is broken in 2.6.x and 2.7.5