Non posix LDAP homeDirectory field check

Issue #76 closed
IT Expert created an issue

Hi, Olivier.

I have tested the new feature "Non posix LDAP overrides" and found that homeDirectory in our LDAP is empty for users.

So it leads to the following errors:

2018-06-19 04:43:28,234 DEBUG [godweb][DummyThread-6] uidNumber not found for user test_user, test for fallbacks
2018-06-19 04:43:28,234 DEBUG [godweb][DummyThread-6] uidNumber not found for user test_user, test for fallbacks
2018-06-19 04:43:28,235 DEBUG [godweb][DummyThread-6] using fallbacks for test_user
2018-06-19 04:43:28,235 DEBUG [godweb][DummyThread-6] using fallbacks for test_user
2018-06-19 04:43:28,236 ERROR [godweb][DummyThread-6] list index out of range
Traceback (most recent call last):
  File "/opt/go-docker/plugins/goauth.py", line 171, in __get_ldap_user_info
    homeDirectory = entry[homeDirectoryField][0]
IndexError: list index out of range
2018-06-19 04:43:28,236 ERROR [godweb][DummyThread-6] list index out of range
Traceback (most recent call last):
  File "/opt/go-docker/plugins/goauth.py", line 171, in __get_ldap_user_info
    homeDirectory = entry[homeDirectoryField][0]
IndexError: list index out of range

So, could you please add an additional check for this field, on line 171 of goauth.py, something like:

if homeDirectoryField not in entry or len(entry[homeDirectoryField]) == 0:
    homeDirectory = '/home/' + str(userId)
else:
    homeDirectory = entry[homeDirectoryField][0]

because the default home path on UNIX systems is /home/user, so if it is not set in LDAP let it be the default.

Thank you.

Comments (8)

  1. Olivier Sallou repo owner

    Is there no home directory field (even with a different field name) in your LDAP?

    In this case, there should be no home at all, no? (I could manage to disable the home directory if it is not available.)

    If godocker sets a default like /home/userid, it won't exist on the compute node and the user won't be able to access it.

  2. IT Expert reporter

    Is there no home directory field (even with a different field name) in your LDAP?

    There is a homeDirectory field, but it is always empty. This is about how Microsoft AD works.

    But we run containers on Linux servers and use MS AD only to authenticate users. Thus, homeDirectory is always empty (I think it is in 99% of MS AD systems), and by default in MS Windows it is c:\Users\username and /home/username in Linux.

    If godocker sets a default like /home/userid, it won't exist on the compute node and the user won't be able to access it.

    Yes, and it is not needed at all. As far as I can see, it may be needed in the case of ssh keys, but you don't use it in the code anyway.

    go-docker/godocker/godscheduler.py

    if not task['container']['root']:
        cmd += "chown -R " + user_id + ":" + str(task['user']['gid']) + " /home/" + user_id + "\n"
        cmd += "chmod 644 /home/" + user_id + "/.ssh/authorized_keys\n"

    And of course, you could use the -m, --create-home option for useradd.

  3. Olivier Sallou repo owner

    OK, so as I see it, I propose to add a config option in go-d.ini for when the LDAP home directory is not set:

    • do not use the home dir at all
    • or use a config-defined expression like /home/userid (and in this case the directory must exist)
  4. IT Expert reporter

    Any kind of solution is better than nothing :) In our case we always run containers with the root option, so home is always /root. However, either of these options will prevent errors or the need to patch goauth.py after each update.

    But if you want to be clear with all cases like copying ssh keys, etc., this is about the question of how to cleanly match the host user and the container user, and whether you will give the user a choice of homeDir, or whether it should always be /home/userId.

    Then back to godocker.sh:

    MYUSER=$(getent passwd "1001" | cut -d: -f1)
    if [ -n "$MYUSER" ]; then
        userdel "$MYUSER"
    fi
    groupadd --gid 1001 user ; useradd --uid 1001 --gid 1001 user
    usermod -p API_KEY user

    So, there are no options. The user will be created, or already exists. OK, then if it already exists, what is its homeDir? (It could be /opt/users/username.) Then your constructions like ssh_dir = "/home/" + user_id + "/.ssh" may not work.

    If it does not exist, why not create the user + homeDir?

    useradd -m -d homeDirectory.var --uid 1001 --gid 1001 user
  5. Olivier Sallou repo owner

    In fact the user home is mounted in a different location (referred to via the GOD_HOME env var). This is because a local (in container) user is created (with the same uid/gid/...) and ssh keys are created in a local home directory (/home/userid). This behavior happens whether the LDAP home dir exists or not.

    When the user launches a job and asks to mount his home, it is mounted in the container at the $GOD_HOME location. The /home/userid is only a local container/temporary home that should not be used by the user (but he can).

    The patch I have pushed simply accepts a null homeDirectory in LDAP and sets it to null (or the value defined in config). If home is null, then it is not mounted in the container.

    Fake home in container will still exist.
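As an added example (not go-docker's own code and not the patch Olivier pushed), here is how the check proposed in the issue and the config-defined fallback from comment 3 can be written so that a missing attribute, an empty attribute list and a blank value all fall through to the same place, and so that "no home at all" is an explicit None rather than an IndexError. The function name, the ${userid} template syntax, the allowlist on user ids and the sample entries are assumptions for this illustration; the entries are constructed in the python-ldap shape (attribute name to list of bytes values), not taken from a real directory.

```python
# Added example, not go-docker's own code: resolve a user's home directory from an
# LDAP entry with the fallback behaviour discussed in this thread.
import re
import string

# Assumption: user ids that get spliced into a path (and later into chown/chmod
# shell commands, as godscheduler.py does) must be plain account names. This rejects
# '.', '..' and anything containing '/' or whitespace.
_SAFE_ID = re.compile(r'^[A-Za-z0-9_][A-Za-z0-9._-]*$')


def resolve_home_directory(entry, user_id, home_field='homeDirectory', default_home=None):
    """Return the home directory for `user_id`, or None when no home should be used.

    entry:        LDAP attribute dict, e.g. {'uid': [b'test_user'], 'homeDirectory': []}
    home_field:   attribute holding the home (overridable for non-POSIX directories)
    default_home: template used when the attribute is missing or empty, e.g.
                  '/home/${userid}'; None means "no home directory at all", so the
                  caller should not mount anything.
    """
    # A missing key and an empty list are the same situation: no value to use.
    values = entry.get(home_field) or []
    # AD commonly ships the attribute with a blank value; treat that as absent too.
    values = [v for v in values if v not in (b'', '')]
    if values:
        home = values[0]
        return home.decode('utf-8') if isinstance(home, bytes) else home
    if default_home is None:
        return None
    if not _SAFE_ID.match(str(user_id)):
        raise ValueError('refusing to build a home path from user id %r' % (user_id,))
    # Only 'userid' is substituted; an unknown placeholder in the config raises KeyError
    # instead of silently producing a bogus path.
    return string.Template(default_home).substitute(userid=str(user_id))


# Constructed sample entries covering the cases from the thread.
SAMPLE_ENTRIES = {
    'posix_user': {'uid': [b'posix_user'], 'uidNumber': [b'1001'],
                   'homeDirectory': [b'/home/posix_user']},
    'ad_user':    {'uid': [b'ad_user'], 'homeDirectory': []},   # the case from the report
    'blank_user': {'uid': [b'blank_user'], 'homeDirectory': [b'']},
    'no_attr':    {'uid': [b'no_attr']},
}


def demo():
    """Resolve every sample entry with and without a configured fallback."""
    results = {}
    for uid, entry in SAMPLE_ENTRIES.items():
        results[uid] = (
            resolve_home_directory(entry, uid),                                  # no fallback
            resolve_home_directory(entry, uid, default_home='/home/${userid}'),  # config fallback
        )
    return results


if __name__ == '__main__':
    for uid, (no_fallback, with_fallback) in demo().items():
        print('%-11s no fallback: %-18s fallback: %s' % (uid, no_fallback, with_fallback))
```

Whichever fallback is configured, the resulting path is only useful if it exists on the compute node (comment 1 and comment 3 both make this point), so a caller that gets a non-None path back should still check for the directory before mounting it, and a None should be passed through as "do not mount a home" rather than replaced with a guess.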