OpenLDAP: Result Code 32 "No Such Object" #35259

@JRial95

Rancher Server Setup

  • Rancher version: v2.6.2
  • Installation option (Docker install/Helm Chart): Helm Chart
    • If Helm Chart, Kubernetes Cluster and version (RKE1, RKE2, k3s, EKS, etc): RKE2
  • Proxy/Cert Details:

Information about the Cluster

  • Kubernetes version: v1.21.5+rke2r2
  • Cluster Type (Local/Downstream): Local

Describe the bug

When I try to configure the OpenLDAP authentication provider, I get an error: Result Code 32 "No Such Object".

To Reproduce

  1. Go to Rancher's OpenLDAP authentication provider configuration page.

  2. Fill in the following fields:

    • Hostname
    • Port
    • TLS (check)
    • Certificate
    • Service Account Distinguished Name
    • Service Account Password
    • User Search Base
  3. Use a valid LDAP user for the test.

  4. Submit the form by clicking the "Enable" button.

Result

Check Rancher logs using the following command:

kubectl -n cattle-system logs -l app=rancher -c rancher --follow

You should see something like this:

2021/10/25 09:51:20 [ERROR] API error response 401 for POST /v3/openLdapConfigs/openldap?action=testAndApply. Cause: LDAP Result Code 32 "No Such Object":

Expected Result

The OpenLDAP authentication should be enabled.

Additional context

By investigating the code and from my understanding, I think the problem comes from the request that is made on lines 71 to 78 in ldap_client.go. Unfortunately, I don't know how to solve the problem. Do you have an idea?

searchOpRequest := ldapv2.NewSearchRequest(userDN,
	ldapv2.ScopeWholeSubtree, ldapv2.NeverDerefAliases, 0, 0, false,
	fmt.Sprintf("(%v=%v)", ObjectClass, config.UserObjectClass),
	operationalAttrList, nil)
opResult, err := lConn.Search(searchOpRequest)
if err != nil {
	return v3.Principal{}, nil, httperror.WrapAPIError(err, httperror.Unauthorized, "authentication failed") // need to reload this error
}
