sassoftware/viya4-ark

issues with sitedefault.yaml example file

juergenschroeder opened this issue · 4 comments

Hi all,

If I take the default YAML file from

https://github.com/sassoftware/viya-ark/blob/master/playbooks/ldap-validator/sitedefault_sample_openldap.yml

I find two issues.
First: the port is given as a string, port: '389', which results in a Python error. It should just be a number, port: 389.

Second: the last lines specifying the administrator
sas.identities:
  administrator: 'your_user_id'

result in a validation error using OpenLDAP for any user specified:

2021-11-24 02:33:05,159 - ldap_validator.py[line:273] - DEBUG: LDAP Query: search_base=ou=user,dc=ldap,dc=localdomain, search_filter=(&(objectClass=user)(sAMAccountName=ldapadm))verify=True
2021-11-24 02:33:05,160 - ldap_validator.py[line:277] - ERROR: LDAP search failed with the following error: invalid class in objectClass attribute: user

Looking at the Python code in ldap_validator.py at line 200, the search string is hard-coded to

searchstring = '(&(objectClass=user)(sAMAccountName=' + ldap_defaultadmin_user + '))'
if (not perform_ldap_query(ldap_logger, ldap_server_host, ldap_user_basedn, searchstring, True)):
    failTestSuite(ldap_logger)

These objects are only found in Active Directory, but not in OpenLDAP.

So my question is: are they needed, and/or is it only working with AD?

My sitedefault.yaml looks like the following:

config:
  application:
    sas.identities.providers.ldap.connection:
      host: 'centosmaster.localdomain'
      port: 389
      url: 'ldap://${sas.identities.providers.ldap.connection.host}:${sas.identities.providers.ldap.connection.port}'
      anonymousBind: 'false'
      userDN: "cn=ldapadm,dc=ldap,dc=localdomain"
      password: ""
    sas.identities.providers.ldap.group:
      accountId: 'name'
      baseDN: "ou=groups,dc=ldap,dc=localdomain"
      createdDate: 'createTimestamp'
      distinguishedName: 'none'
      member: 'member'
      modifiedDate: 'modifyTimestamp'
      objectClass: 'groupOfNames'
      objectFilter: '(objectClass=groupOfNames)'
      searchFilter: 'dn={0}'
    sas.identities.providers.ldap.user:
      accountId: 'uid'
      baseDN: "ou=user,dc=ldap,dc=localdomain"
      createdDate: 'createTimestamp'
      distinguishedName: 'none'
      memberOf: 'memberOf'
      modifiedDate: 'modifyTimestamp'
      objectClass: 'inetOrgPerson'
      objectFilter: '(objectClass=inetOrgPerson)'
      searchFilter: 'uid={0}'
    sas.identities:
      administrator: 'ldapadm'

which I call with the following command:

python3 viya-ark.py ldap_validator -s ../sysPrep/sitedefault.yaml -d
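The root cause the reporter describes is that the administrator lookup hard-codes the Active Directory attribute names (objectClass=user, sAMAccountName) instead of reading the user settings that sitedefault.yaml already provides (objectFilter, accountId, baseDN). The snippet below is an added example, not code from viya4-ark, showing how the same check can be derived from those settings so that it yields the OpenLDAP filter for the reporter's configuration and the AD filter for an AD one. The configuration is a constructed dict mirroring the sitedefault.yaml posted above (pre-parsed, so it runs without PyYAML); the function names are the example's own. The administrator value is escaped per RFC 4515 before it is placed in the filter, and the port is validated as an integer, which is the type the reporter found the tool expects.

```python
# Added example (not viya4-ark code): build the administrator lookup from the
# sitedefault.yaml identity settings instead of hard-coding AD attribute names.

# Constructed sample mirroring the sitedefault.yaml in the issue, already
# parsed into a dict so the example runs without a YAML library.
SITEDEFAULT_OPENLDAP = {
    "config": {
        "application": {
            "sas.identities.providers.ldap.connection": {
                "host": "centosmaster.localdomain",
                "port": 389,
                "userDN": "cn=ldapadm,dc=ldap,dc=localdomain",
            },
            "sas.identities.providers.ldap.user": {
                "accountId": "uid",
                "baseDN": "ou=user,dc=ldap,dc=localdomain",
                "objectClass": "inetOrgPerson",
                "objectFilter": "(objectClass=inetOrgPerson)",
                "searchFilter": "uid={0}",
            },
            "sas.identities": {"administrator": "ldapadm"},
        }
    }
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3).

    Metacharacters are replaced by a backslash and two hex digits, so a
    user id containing '*', '(', ')' or '\\' cannot change the query shape.
    """
    escaped = []
    for ch in value:
        if ch in "\\*()\x00":
            escaped.append("\\%02x" % ord(ch))
        else:
            escaped.append(ch)
    return "".join(escaped)


def coerce_port(port) -> int:
    """Accept 389 or '389' and return an int; reject anything out of range."""
    if isinstance(port, bool) or not isinstance(port, int):
        try:
            port = int(str(port).strip())
        except ValueError:
            raise ValueError("ldap port must be an integer, got %r" % (port,))
    if not 1 <= port <= 65535:
        raise ValueError("ldap port out of range: %d" % port)
    return port


def admin_search(sitedefault: dict):
    """Return (base_dn, search_filter) for the configured administrator.

    Uses the user section's objectFilter (or objectClass) and accountId, so
    OpenLDAP gives (&(objectClass=inetOrgPerson)(uid=...)) while an AD
    configuration gives (&(objectClass=user)(sAMAccountName=...)).
    """
    app = sitedefault["config"]["application"]
    user_cfg = app["sas.identities.providers.ldap.user"]
    admin = app["sas.identities"]["administrator"]
    account_attr = user_cfg.get("accountId", "uid")
    object_filter = user_cfg.get("objectFilter") or "(objectClass=%s)" % user_cfg["objectClass"]
    search_filter = "(&%s(%s=%s))" % (object_filter, account_attr, escape_filter_value(admin))
    return user_cfg["baseDN"], search_filter


def connection_endpoint(sitedefault: dict):
    """Return (host, port) with the port coerced to int."""
    conn = sitedefault["config"]["application"]["sas.identities.providers.ldap.connection"]
    return conn["host"], coerce_port(conn["port"])


if __name__ == "__main__":
    print(connection_endpoint(SITEDEFAULT_OPENLDAP))
    print(admin_search(SITEDEFAULT_OPENLDAP))
```

With an AD-style user section (accountId: sAMAccountName, objectFilter: (objectClass=user)) the same function produces exactly the filter the validator currently hard-codes, so driving the lookup from the configuration loses nothing for AD deployments while making the OpenLDAP case work.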

The sample sitedefault YAML URL referenced is from the Viya 3 version of Viya ARK, but the Python tool referenced by this issue is for the Viya 4 version of Viya ARK, which does not provide a sample sitedefault YAML file. I assume the Viya 3 sample version is different because it is used in Ansible playbooks. I think the expectation of the Viya 4 ARK is that you use the sample sitedefault included in your order-generated manifests.

Will it work with OpenLDAP then? Or just with AD?

Currently, the script only supports AD. I will take a look at what changes are needed to provide support for OpenLDAP.

We have opened a request to support OpenLDAP.