LDAP Auth configuration sample
Dear Sir
Is it possible to provide an LDAP (goauth) configuration sample in go-d.ini? I've referenced the old issue and the documentation, but it's hard for me to understand.
Sorry, I hate to bother you with this, but I really have to use LDAP for our environment.
※ Because of the different time zone, I'll be late to reply.
Comments (56)
-
repo owner -
reporter Sir, my configuration is here. Do you have any further suggestion?

Chrome Dev Console Messages:
Request error ../user/bind 401 Unauthorized

####################### Authentication #######################
auth_policy: 'goauth'
# LDAP
ldap_host: 172.20.10.1
ldap_port: 389
ldap_dn: "dc=mydomain,dc=com"
ldap_base_dn_filter: 'ou=it,ou=user,ou=mydomain'
ldap_base_dn_group_filter: 'ou=it,ou=user,ou=mydomain'
ldap_admin_dn: 'cn=acct0001,ou=rd,ou=sys,ou=it,ou=user,ou=mydomain,dc=mydomain,dc=com'
ldap_admin_password: 'xxxx'
ldap:
    # Use ldaps (check that ldap_port matches ssl port of the ldap server)
    ssl: false
    # LDAP field mapping
    fields:
        homeDirectory: 'HomeDirectory'
    # Fields use to map user login against ldap entries
    ids:
        - 'sAMAccountName'
        - 'mail'

###### Error message in godweb.log ######
2018-05-30 08:23:08,961 ERROR [godweb][DummyThread-19] list index out of range
Traceback (most recent call last):
  File "/opt/go-docker/plugins/goauth.py", line 147, in __get_ldap_user_info
    userId = entry['uid'][0]
IndexError: list index out of range
2018-05-30 08:23:08,961 ERROR [godweb][DummyThread-19] list index out of range
Traceback (most recent call last):
  File "/opt/go-docker/plugins/goauth.py", line 147, in __get_ldap_user_info
    userId = entry['uid'][0]
IndexError: list index out of range
-
reporter Sir, finally I've modified goauth.py following the issue #59 discussion. Login to godweb is now successful. Must this be modified when you use LDAP auth?
-
reporter Another question: the option "admin = root" in production.ini (go-docker-web), is it workable to set it to an LDAP user?
-
repo owner Regarding admin in production.ini, it is the list of user ids that are considered admins; it can be any LDAP user. The ids are the ones used to log in.
-
repo owner Regarding LDAP, do you use Active Directory? Don't your LDAP users have uid and uidNumber/gidNumber attributes? In the logs it seems that the auth binding was OK but no uid attribute was found in the LDAP response. Godocker authenticates the user against LDAP and runs the job with his Linux account uid and gid. The patch in issue 59 was to force a uid/gid for all users because the LDAP did not define the POSIX account schema. When the LDAP has POSIX accounts, goauth can be used without modification.
The problem with this fix is that all jobs are executed with the same uid/gid, so users have the same rights and may read/overwrite other users' data. This must be used only in a trusted env.
I could add an option for a default user mapping for non-POSIX accounts.
-
reporter Sir, thank you for your reply. Q1: admin option => is it a case-sensitive issue? Q2: I'll try to create Active Directory attribute mapping for UID/GID, which is more secure in a production env.
-
repo owner Yes, it is case sensitive. At login, goauth extracts from the login the attributes uid, uidNumber and gidNumber. The uid is used as the user identifier, and is compared to "admin" in production.ini (case sensitive). If you patched according to #59, then uid would be the sAMAccountName field. This field is also shown as your user identifier in the web interface. uid/uidNumber/gidNumber are then used at job time, in the container, to create a local container user, and the job script is executed with this local user.
-
reporter - changed status to resolved
Thanks Olivier, great support on this issue.
-
repo owner I have updated goauth in branch develop to support non-POSIX LDAPs.
You can try the updates if you want: https://bitbucket.org/osallou/go-docker/commits/c0f5ae0d155edc45a1b6482eaad336e850fa36af (it updates go-d.ini.sample and plugins/goauth.py).
In go-d.ini the impact would be, in your case:

ldap:
    # Use ldaps (check that ldap_port matches ssl port of the ldap server)
    ssl: false
    # LDAP field mapping
    fields:
        homeDirectory: 'HomeDirectory'
    # Fields use to map user login against ldap entries
    ids:
        - 'sAMAccountName'
        - 'mail'
    # if ldap does not have a uid attribute, use this attribute
    # to get user identifier (sAMAccountName for example with AD)
    fallback_user_id_attribute: 'sAMAccountName'
    # if ldap does not define POSIX account template and do not have uidNumber
    # and gidNumber attributes, use those default values
    # *WARNING*: all users will, in this case, use the same uid/gid, so must be
    # used in trusted environments only!!
    fallback_user_uidNumber: null
    fallback_user_gidNumber: null

If you don't have uidNumber/gidNumber, you could set fallback_user_uidNumber/gidNumber to an arbitrary value (1001 for example) that would be used for all users (like in issue #59).
-
reporter Is it possible to map uid/gid when the computing node joins the domain (like samba)? Let uid/gid use the samba mapping range.
samba option: idmap config * : range = 1000 - 200000000
-
repo owner I don't really understand the question, I don't use samba.
goauth requests info from LDAP, then uses that information to create the user in the container. The request occurs on the godocker web server and the user is created in the container on the compute nodes.
If some information comes from another system than LDAP, then you can customize goauth (or create another authorization plugin based on goauth).
In goauth.py, when trying to set:

...
uidNumber = entry['uidNumber'][0]
gidNumber = entry['gidNumber'][0]
....

you could get the information from any system you want.
In localauth, for example, we get uid and gid directly from the local system:

if uid is None:
    uid = pwd.getpwnam(login).pw_uid
if gid is None:
    gid = pwd.getpwnam(login).pw_gid
if sgids is None:
    sgids = self.get_groups(login)

If you need some information from LDAP and other information from the local server or any other system, then you can customize goauth to do this.
For samba itself, I don't know how it works.
-
repo owner It looks however like, if you use samba, your LDAP should already contain uidNumber and gidNumber, so using goauth as is should be OK. If the only missing info is uid, with my last commit, filling

fallback_user_id_attribute: 'sAMAccountName'

would be enough, and uidNumber and gidNumber would be fetched from LDAP.
-
reporter Tried the develop goauth.py & go-d.ini:

Traceback (most recent call last):
  File "/opt/go-docker/plugins/goauth.py", line 165, in __get_ldap_user_info
    homeDirectory = entry[homeDirectoryField][0]
IndexError: list index out of range
2018-05-30 16:50:28,518 ERROR [godweb][DummyThread-3] list index out of range
Traceback (most recent call last):
  File "/opt/go-docker/plugins/goauth.py", line 165, in __get_ldap_user_info
    homeDirectory = entry[homeDirectoryField][0]
IndexError: list index out of range
-
repo owner entry[homeDirectoryField][0] is not found
You should define in god.ini the field where the home directory is defined in your LDAP. The default is homeDirectory, but you can specify a different field name in the ldap fields homeDirectory section.
-
reporter could you give me a sample about homeDirectory setting at go-d.ini?
Default is homeDirectory => you mean /home/UID?
-
repo owner You should update the homeDirectory field to match the field in your LDAP that contains the user home directory (/home/UID or equivalent).

ldap:
    # Use ldaps (check that ldap_port matches ssl port of the ldap server)
    ssl: false
    # LDAP field mapping
    fields:
        homeDirectory: 'field_name_in_your_ldap'

field_name_in_your_ldap depends on your LDAP schema.
-
reporter I think if you could design this attribute like fallback_user_id_attribute, it may be easier to set.
-
repo owner I can't change it without breaking existing installs,
or I could change fallback_user_id_attribute to be in ldap/fields, something like:

ldap:
    # Use ldaps (check that ldap_port matches ssl port of the ldap server)
    ssl: false
    # LDAP field mapping
    fields:
        homeDirectory: 'field_name_in_your_ldap'
        uid: 'sAMAccountName'

just keeping the fallback for uidNumber and gidNumber, where we define non-existing LDAP fields.
-
repo owner I have updated the code to define the mapping as above; the uidNumber and gidNumber fallbacks are kept.
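The attribute lookup the thread has been converging on (uid or a mapped attribute such as sAMAccountName, uidNumber/gidNumber or the shared fallbacks, and a configurable home directory field), written out as an added example; this is not go-docker's goauth.py, and the dict shape of the ldap config section and the sample AD entry are assumptions.

```python
"""Resolve the POSIX identity goauth needs from one LDAP entry.

Added example, not go-docker's goauth.py. It mirrors the lookups in this
thread: uid (or ldap.fields.uid, e.g. sAMAccountName), uidNumber/gidNumber
(or the fallback_user_* values for directories without a POSIX schema) and
the ldap.fields.homeDirectory attribute. Entries are dicts attribute ->
list of values, as python-ldap returns them; a missing attribute raises a
descriptive error instead of the bare IndexError from entry['uid'][0].
"""


class LdapMappingError(ValueError):
    """A required attribute is absent from the LDAP entry and has no fallback."""


def _first(entry, attr):
    """First value of attr, or None when the attribute is absent or empty."""
    values = entry.get(attr) or []
    return values[0] if values else None


def resolve_posix_identity(entry, ldap_cfg):
    """Return {'uid', 'uidNumber', 'gidNumber', 'homeDirectory'} for entry.

    ldap_cfg is the 'ldap' section of go-d.ini as a dict (assumed shape).
    """
    fields = ldap_cfg.get("fields", {})

    uid = _first(entry, "uid") or _first(entry, fields.get("uid", "uid"))
    if uid is None:
        raise LdapMappingError("no uid attribute and no usable fields.uid mapping")

    # Shared fallback ids mean every user runs jobs with the same uid/gid.
    uid_number = _first(entry, "uidNumber") or ldap_cfg.get("fallback_user_uidNumber")
    gid_number = _first(entry, "gidNumber") or ldap_cfg.get("fallback_user_gidNumber")
    if uid_number is None or gid_number is None:
        raise LdapMappingError(f"{uid}: no uidNumber/gidNumber and no fallback configured")

    home_attr = fields.get("homeDirectory", "homeDirectory")
    home = _first(entry, home_attr)
    if home is None:
        raise LdapMappingError(f"{uid}: attribute {home_attr!r} (home directory) missing")

    return {"uid": uid, "uidNumber": int(uid_number),
            "gidNumber": int(gid_number), "homeDirectory": home}


# Constructed sample: an Active Directory entry without the POSIX schema.
AD_ENTRY = {"sAMAccountName": ["acct0001"], "HomeDirectory": ["\\\\fileserver\\acct0001"]}
AD_CONFIG = {"fields": {"homeDirectory": "HomeDirectory", "uid": "sAMAccountName"},
             "fallback_user_uidNumber": 1001, "fallback_user_gidNumber": 1001}
```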
-
reporter Sorry Sir, about the quota setting: I've configured it as below, but the user quota information always shows 0s and 0%.

# Quotas ###################################
quotas:
    # Kill running jobs if quota is reached
    kill_on_limit: true
    defaults:
        users:
            quota_time: 10000
            quota_cpu: 3600
            quota_ram: 48
            quota_gpu: 3600
-
repo owner Defaults are put in the user info at the first user login. Did you set the defaults before the first login? Otherwise it used 0 as default.
New users should get your defaults. Existing users in godocker can be updated by the web UI / API, or by removing the user from mongo (the user will be recreated at login). Only an admin can modify them, of course.
-
reporter Sir, thank you for the quick reply. I thought that would change at the next login.
-
repo owner Defaults in general are only applied at first login.
-
reporter - attached quota.png
-
reporter Sir, the job always shows quota reached when I set the quota (like the attachment).
-
repo owner When you execute a job, it is rejected due to quota? You use the default project? What is in the scheduler logs?
-
repo owner Could you try setting 0 instead of 0s for ram?
-
reporter When you execute a job => after the quota setting (I've removed the user)
it is rejected due to quota? => yes
You use the default project? => yes, but I have not set the project quota
What is in the scheduler logs? => nothing about this. I use the tail command to follow the log output
※ attached the job status capture
-
reporter - attached quota_reached.png
-
repo owner 0s should be the issue, I just tested.
-
reporter Quota setting as below (go-d.ini). I've tried another new user and the job submit is OK. Which log file could I check about the quota reached limitation?

# Quotas ###################################
quotas:
    # Kill running jobs if quota is reached
    kill_on_limit: true
    defaults:
        users:
            quota_time: 1000000
            quota_cpu: 360000
            quota_ram: 0
            quota_gpu: 360000
-
repo owner If not already set, set the log level to DEBUG in go-d.ini:

...
'watcher':
    'class': 'logging.FileHandler'
    'filename': 'godwatcher.log'
    'formatter': 'generic'
    'level': 'DEBUG'
'scheduler':
    'class': 'logging.FileHandler'
    'filename': 'godscheduler.log'
    'formatter': 'generic'
    'level': 'DEBUG'
....
'godocker-watcher':
    'level': 'DEBUG'
    'handlers':
        - 'console'
        - 'watcher'
'godocker-scheduler':
    'level': 'DEBUG'
    'handlers':
        - 'console'
        - 'scheduler'

then execute a job.
In the godscheduler log file you should see something like:

Quota:IsReached:xxxx
-
repo owner Could you also give the JSON of the task (you can extract it from the network tab of your browser developer tools)?
-
repo owner You say: "I've tried another new user the job submit is ok."
You mean it is OK for a new user? It shows correct quota info, and the job is scheduled.
So the problem seems to be linked to a user created before setting quotas? Maybe there was an issue in the manually updated quota.
-
reporter - attached 241.json
-
reporter Sir, please check the attachment named 241.json.
-
repo owner I don't understand: your project quotas are set to 0 (which is fine for the default project), and your user quotas are correctly set in the task. So it seems it finds some reason to reject, though the GUI shows 0% of use...
-
repo owner For debug only, could you modify godocker/godscheduler.py:

reject = reject or quotaTools.is_quota_exceeded(task, get_usage)
=>
reject = reject or quotaTools.is_quota_exceeded(task, get_usage, logger=self.logger)

and godocker/quotaTools.py:

def is_quota_exceeded(task, get_usage, duration=0):
=>
def is_quota_exceeded(task, get_usage, duration=0, logger=None):
    ...
    if __is_quota_present(requirements, mapping):
        usage = get_usage(user[key], kind)
+       if logger:
+           logger.warn("##QUOTA " + str(kind) + "," + str(usage))

godscheduler.log should display the found quotas for your task.
-
reporter Debug message:

##QUOTA user,{'total_time': 1960200.0, 'total_cpu': 1963604.0, 'total_gpu': 4161.0, 'total_ram': 1987671.0}

This user (my test account) submitted a hundred jobs before setting the default quota (removing the user); all the submit records still exist in the "webpage over jobs table". Is that the reason giving rise to quota reached?
-
repo owner It indeed gets some past usage info, so the quota is indeed reached and the user's tasks are rejected. What I don't understand is why it shows 0% of use in the web UI. Quota is calculated on a sliding window. You can delete his past usage in redis if needed, or in the meantime set this user's quota back to 0s.
-
reporter The quota usage always shows 0% for another new user. Maybe something is wrong with my environment; btw, let me disable the quota limit.
-
repo owner Usage info is fetched from the user info page; you should see the network request sent to the server. Could I get the user and usage JSON? (to see if it is a display error or a request problem).
-
repo owner Will do a check on my side
-
reporter - attached user.json
- attached usage.json
-
reporter Sir, the files were uploaded. I've masked some personal information.
-
repo owner Thanks, the data looks good, so it may be a display issue; I will do some local testing.
-
repo owner The date field in usage looks strange, but I will compare with my local setup.
-
repo owner This was indeed a bug after a change in the quota display; I am fixing it. I created a new issue for that in go-docker-web:
https://bitbucket.org/osallou/go-docker-web/issues/51/invalid-user-quota-display
-
reporter Hi Sir, thank you very much. A question: are the Quotas & priorities displayed in real time after a page refresh?
I've submitted multiple jobs and then monitored the usage in the dev console; it seems to always stay at 1% and the same value (watched in the usage JSON).
-
repo owner It counts only terminated jobs, not jobs in progress.
-
reporter If it counts only terminated jobs, is the quota limit calculated daily?
-
repo owner No, the quota limit is checked during job execution, but the display only covers terminated jobs, because it would need a lot of requests/computation to get the current status, and that is not really effective for a web request. But godwatcher calculates the current quota for the current job. However, it counts only past usage + the current task (not what other running tasks are using).
-
reporter it counts only past usage + current task => In these conditions, if the quota is full, how can the quota be reset? (RESTful to reset by user?)
-
repo owner What do you mean? Quota is calculated on the last X days (X is configured in god.ini, and it is a sliding window). So it will count, for example, past usage during the last 30 days. This is not calendar based (reset on the 1st of the month, for example).
The API and the godocker CLI provide a project quota full reset, but I don't think there is one for users. I think I should add one.
-
reporter Sir, thank you very much for your kind support.
Well, it depends on your LDAP (OpenLDAP, Active Directory, secure or not...) but here is an example:
for anonymous find/bind, and users defined in the "sub tree" People