Non posix LDAP homeDirectory field check
Hi, Olivier.
I have tested the new feature "Non posix LDAP overrides", and found that homeDirectory in our LDAP is empty for users.
So it leads to the following errors:
2018-06-19 04:43:28,234 DEBUG [godweb][DummyThread-6] uidNumber not found for user test_user, test for fallbacks
2018-06-19 04:43:28,234 DEBUG [godweb][DummyThread-6] uidNumber not found for user test_user, test for fallbacks
2018-06-19 04:43:28,235 DEBUG [godweb][DummyThread-6] using fallbacks for test_user
2018-06-19 04:43:28,235 DEBUG [godweb][DummyThread-6] using fallbacks for test_user
2018-06-19 04:43:28,236 ERROR [godweb][DummyThread-6] list index out of range
Traceback (most recent call last):
File "/opt/go-docker/plugins/goauth.py", line 171, in __get_ldap_user_info
homeDirectory = entry[homeDirectoryField][0]
IndexError: list index out of range
2018-06-19 04:43:28,236 ERROR [godweb][DummyThread-6] list index out of range
Traceback (most recent call last):
File "/opt/go-docker/plugins/goauth.py", line 171, in __get_ldap_user_info
homeDirectory = entry[homeDirectoryField][0]
IndexError: list index out of range
So, could you please add an additional check for this field, on line 171 of goauth.py, something like:
    if homeDirectoryField not in entry or len(entry[homeDirectoryField]) == 0:
        homeDirectory = '/home/' + str(userId)
    else:
        homeDirectory = entry[homeDirectoryField][0]
because the default home path on UNIX systems is /home/user, so if it is not set in LDAP let it be the default.
Thank you.
Comments (8)
repo owner There is no home directory field (even with a different field name) in your LDAP?
In that case, there should be no home at all, no? (Could manage to disable the home directory if not available.)
If godocker sets a default like /home/userid, it won't exist on the compute node and the user won't be able to access it.
-
reporter
> There is no home directory field (even with a different field name) in your LDAP?
There is a homeDirectory field, but it is always empty. This is about how Microsoft AD works.
But we run containers on Linux servers, and use MS AD only to authenticate users. Thus, homeDirectory is always empty (I think in 99% of MS AD systems), and by default in MS Windows it is c:\Users\username and /home/username in Linux.
> If godocker sets a default like /home/userid, it won't exist on the compute node and the user won't be able to access it.
Yes, and it is not needed at all. As far as I can see, it may be needed in the case of ssh keys, but you don't use it in the code anyway.
go-docker/godocker/godscheduler.py
    if not task['container']['root']:
        cmd += "chown -R " + user_id + ":" + str(task['user']['gid']) + " /home/" + user_id + "\n"
        cmd += "chmod 644 /home/" + user_id + "/.ssh/authorized_keys\n"
And of course, you could use the -m, --create-home option of useradd.
-
repo owner OK, so as I see it, I propose to add a config option in go-d.ini for the case where the LDAP home directory is not set:
- do not use a home dir at all
- or use a config-defined expression like /home/userid (in this case the directory must exist)
-
repo owner - changed status to closed
manage case where ldap does not provide a homeDirectory, Closes #76 <<cset 6d1444c8a4bc>>
-
reporter Any kind of solution is better than nothing :) In our case we always run containers with the root option, so home is always /root. However, either of these options will prevent errors or the need to patch goauth.py after each update.
But if you want to be clear about all cases like copying ssh keys, etc., this is a question of how to cleanly match the host user and the container user, and whether you will give the user a choice of homeDir, or it should always be /home/userId.
Then back to godocker.sh:
    MYUSER=`getent passwd "1001" | cut -d: -f1`
    if [ "r$MYUSER" != "r" ]; then
        userdel $MYUSER
    fi
    groupadd --gid 1001 user ; useradd --uid 1001 --gid 1001 user
    usermod -pAPI_KEY user
So, there are no options. The user will be created, or already exists. OK, then if it already exists, what is its homeDir? (It could be /opt/users/username.) Then your constructions like ssh_dir = "/home/" + user_id + "/.ssh" may not work.
If it does not exist, why not create the user + homeDir?
useradd **-m -d homeDirectory.var** --uid 1001 --gid 1001 user
-
repo owner In fact the user home is mounted in a different location (referred to via the GOD_HOME env var). This is because a local (in-container) user is created (with the same uid/gid/...) and ssh keys are created in a local home directory (/home/userid). This behavior will happen whether the LDAP home dir exists or not.
When a user launches a job and asks to mount his home, it is mounted in the container at the $GOD_HOME location. The /home/userid is only a local container/temporary home that should not be used by the user (but he can).
The patch I have pushed simply accepts a null homeDirectory in LDAP and sets it to null (or the value defined in config). If home is null, then it is not mounted in the container.
The fake home in the container will still exist.
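As an added example (not go-docker's own goauth.py or godscheduler.py code), the following Python puts together the three things discussed in this thread: the missing-attribute check the reporter asks for in the description, the two go-d.ini options the repo owner proposes (no home at all, or a configured template such as /home/userid), and the "null home is not mounted" behaviour explained above. The LDAP entries, the config fragment, the option names home_field/home_default and the container path used in place of GOD_HOME are all constructed assumptions, not values from the project.

```python
import configparser
from typing import Dict, List, Optional, Tuple

# Constructed sample entries in the shape python-ldap returns for search results:
# attribute name -> list of byte strings. Not real data from the issue.
SAMPLE_ENTRIES: Dict[str, Dict[str, List[bytes]]] = {
    # classic POSIX account: homeDirectory is populated
    "posix_user": {"uid": [b"posix_user"], "uidNumber": [b"1001"],
                   "homeDirectory": [b"/home/posix_user"]},
    # Active Directory style account: attribute present but empty (the issue's case)
    "ad_empty": {"uid": [b"ad_empty"], "homeDirectory": []},
    # attribute not returned at all
    "ad_missing": {"uid": [b"ad_missing"]},
    # malformed directory value that must not be trusted as a mount source
    "bad_home": {"uid": [b"bad_home"], "homeDirectory": [b"../../etc"]},
}

# Constructed go-d.ini-like fragment; the option names are assumptions, not the
# project's real keys. An empty home_default means "no home directory at all".
SAMPLE_CONFIG = """
[ldap]
home_field = homeDirectory
home_default =
"""


def load_home_policy(config_text: str) -> Tuple[str, Optional[str]]:
    """Read the LDAP attribute name and the optional default-home template."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    field = cfg.get("ldap", "home_field", fallback="homeDirectory")
    default = cfg.get("ldap", "home_default", fallback="").strip()
    return field, (default or None)


def first_value(entry: Dict[str, List[bytes]], field: str) -> Optional[str]:
    """First value of an attribute as str; None when absent, empty or blank.

    This is the check the issue asks for: indexing [0] unconditionally raises
    IndexError when the attribute is present but has no values.
    """
    values = entry.get(field) or []
    if not values:
        return None
    value = values[0]
    if isinstance(value, bytes):
        value = value.decode("utf-8", errors="replace")
    return value.strip() or None


def resolve_home_directory(entry: Dict[str, List[bytes]], user_id: str,
                           home_field: str = "homeDirectory",
                           home_default: Optional[str] = None) -> Optional[str]:
    """Apply the two policies proposed in the thread.

    - no template configured: return None (no home is mounted)
    - template configured, e.g. "/home/{uid}": expand it with the user id
    Whatever the source, a directory must be an absolute path with no ".."
    component before it is used as a bind-mount source.
    """
    home = first_value(entry, home_field)
    if home is None and home_default:
        home = home_default.format(uid=user_id)
    if home is not None and (not home.startswith("/") or ".." in home.split("/")):
        raise ValueError("unusable home directory %r for user %s" % (home, user_id))
    return home


def home_mount(home: Optional[str], god_home: str = "/mnt/home") -> Optional[Tuple[str, str]]:
    """(host_path, container_path) bind mount, or None when there is no home.

    god_home is an assumed stand-in for the GOD_HOME location from the thread.
    """
    if home is None:
        return None
    return home, god_home


if __name__ == "__main__":
    field, default = load_home_policy(SAMPLE_CONFIG)
    for uid, entry in SAMPLE_ENTRIES.items():
        try:
            home = resolve_home_directory(entry, uid, field, default)
            print(uid, "->", home, home_mount(home))
        except ValueError as exc:
            print(uid, "-> rejected:", exc)
```

With home_default left empty, both AD-style entries resolve to None and produce no mount; setting home_default to /home/{uid} reproduces the reporter's suggested fallback while still rejecting directory values that are not clean absolute paths.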
-
reporter Understood. Thank you very much!