[BUG] Issue with ldap authentication when using salt-api

[duncanupton]

Description In both 3006.8 and 3006.9 when trying to use ldap authentication for salt-api there is an error we get related to python-ldap module even though python-ldap is installed. The error is in the /var/log/salt/master file.

2024-08-27 08:08:57,417 [salt.loaded.int.auth.ldap:341 ][ERROR ][326502] LDAP authentication requires python-ldap module

Setup additional settings in salt-master: rest_cherrypy: port: 8080 ssl_crt: /etc/pki/tls/certs/localhost.crt ssl_key: /etc/pki/tls/certs/localhost.key

external_auth: ldap: root: - '*' added these settings in ldap.conf in /etc/salt/master.d auth.ldap.server: localhost

Port to connect via

auth.ldap.port: 389

Use TLS when connecting

auth.ldap.tls: False

Use STARTTLS when connecting

auth.ldap.starttls: False

LDAP scope level, almost always 2

auth.ldap.scope: 2

Server specified in URI format

auth.ldap.uri: '' # Overrides .ldap.server, .ldap.port, .ldap.tls above

Verify server's TLS certificate

auth.ldap.no_verify: False

Bind to LDAP anonymously to determine group membership

Active Directory does not allow anonymous binds without special configuration

In addition, if auth.ldap.anonymous is True, empty bind passwords are not permitted.

auth.ldap.anonymous: False

FOR TESTING ONLY, this is a VERY insecure setting.

If this is True, the LDAP bind password will be ignored and

access will be determined by group membership alone with

the group memberships being retrieved via anonymous bind

auth.ldap.auth_by_group_membership_only: False

Require authenticating user to be part of this Organizational Unit

This can be blank if your LDAP schema does not use this kind of OU

auth.ldap.groupou: 'Groups'

Object Class for groups. An LDAP search will be done to find all groups of this

class to which the authenticating user belongs.

auth.ldap.groupclass: 'posixGroup'

Unique ID attribute name for the user

auth.ldap.accountattributename: 'memberUid'

These are only for Active Directory

auth.ldap.activedirectory: False auth.ldap.persontype: 'person'

auth.ldap.minion_stripdomains: []

Redhat Identity Policy Audit

auth.ldap.freeipa: False

I then started salt-master and salt-api I did not configure a ldap server to communicate with as the issue appears to be loading the python-ldap module. That said a customer I am working with on this issue did have an ldap server that was properly configured and they are also getting the error.

Please be as specific as possible and give set-up details.

• [x ] on-prem machine
• [ ] VM (Virtualbox, KVM, etc. please specify)
• [ ] VM running on a cloud service, please be explicit and add details
• [ ] container (Kubernetes, Docker, containerd, etc. please specify)
• [ ] or a combination, please be explicit
• [ ] jails if it is FreeBSD
• [ ] classic packaging
• [ x] onedir packaging
• [ ] used bootstrap to install

Steps to Reproduce the behavior (Include debug logs if possible and relevant)

Run a command such as curl -sSk https://:8080/login -H 'Accept: application/x-yaml' -d username= -d password= -d eauth=ldap

Expected behavior A clear and concise description of what you expected to happen. ldap auth should be used by salt-api calls and we should not get this error message.

Screenshots If applicable, add screenshots to help explain your problem.

Versions Report

salt --versions-report

(Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)

salt-call pip.list local: ---------- CherryPy: 18.10.0 Jinja2: 3.1.4 MarkupSafe: 2.1.2 PyJWT: 2.9.0 PyYAML: 6.0.1 SSEAPE: 8.16.1.3 certifi: 2024.7.4 cffi: 1.14.6 charset-normalizer: 3.2.0 cheroot: 8.5.2 contextvars: 2.4 croniter: 2.0.5 cryptography: 42.0.5 distro: 1.5.0 idna: 3.7 immutables: 0.15 importlib-metadata: 6.0.0 jaraco.classes: 3.2.1 jaraco.collections: 3.4.0 jaraco.functools: 2.0 jaraco.text: 3.5.1 jmespath: 1.0.1 lief: 0.15.1 looseversion: 1.0.2 more-itertools: 5.0.0 msgpack: 1.0.2 packaging: 22.0 pika: 1.3.2 pip: 23.3.2 portend: 2.4 psutil: 5.8.0 pyOpenSSL: 24.0.0 pyasn1: 0.6.0 pyasn1_modules: 0.4.0 pycparser: 2.21 pycryptodomex: 3.19.1 python-dateutil: 2.8.1 python-gnupg: 0.4.8 python-ldap: 3.4.4 pytz: 2022.1 pyzmq: 23.2.0 relenv: salt-master --versions Salt Version: Salt: 3006.9

Python Version: Python: 3.10.14 (main, Jun 26 2024, 11:44:37) [GCC 11.2.0]

Dependency Versions: cffi: 1.14.6 cherrypy: 18.10.0 cryptography: 42.0.5 dateutil: 2.8.1 docker-py: Not Installed gitdb: Not Installed gitpython: Not Installed Jinja2: 3.1.4 libgit2: Not Installed looseversion: 1.0.2 M2Crypto: Not Installed Mako: Not Installed msgpack: 1.0.2 msgpack-pure: Not Installed mysql-python: Not Installed packaging: 22.0 pycparser: 2.21 pycrypto: Not Installed pycryptodome: 3.19.1 pygit2: Not Installed python-gnupg: 0.4.8 PyYAML: 6.0.1 PyZMQ: 23.2.0 relenv: 0.17.0 smmap: Not Installed timelib: 0.2.4 Tornado: 4.5.3 ZMQ: 4.3.4

Salt Extensions: SSEAPE: 8.16.1.3

System Versions: dist: centos 9 locale: utf-8 machine: x86_64 release: 5.14.0-496.el9.x86_64 system: Linux

My customer is also running 3006.8 but I do not have their versions report (can get it though if needed)

PASTE HERE

Additional context Add any other context about the problem here.

[welcome[bot]]

Hi there! Welcome to the Salt Community! Thank you for making your first contribution. We have a lengthy process for issues and PRs. Someone from the Core Team will follow up as soon as possible. In the meantime, here’s some information that may help as you continue your Salt journey. Please be sure to review our Code of Conduct. Also, check out some of our community resources including:

• Community Wiki
• Salt’s Contributor Guide
• Join our Community Slack
• IRC on LiberaChat
• Salt Project YouTube channel
• Salt Project Twitch channel

There are lots of ways to get involved in our community. Every month, there are around a dozen opportunities to meet with other contributors and the Salt Core team and collaborate in real time. The best way to keep track is by subscribing to the Salt Community Events Calendar. If you have additional questions, email us at [email protected]. We’re glad you’ve joined our community and look forward to doing awesome things with you!

[Sxderp]

python-ldap module is not shipped with Salt. You need to install it with salt-pip. A system level install is insufficient. Salt does not see / load system level Python modules.

salt-pip install python-ldap

That /should/ work, but it may not. See: https://github.com/saltstack/salt/issues/65025

Once installed, it likely won't load. You'll get missing symbols. See: https://github.com/saltstack/salt/issues/64962 See: https://github.com/saltstack/relenv/pull/187

In short. LDAP is broken.

[doesitblend]

@Sxderp Seems we are probably running into issues with relenv as you mentioned. Thanks for your comment.