Chef Manage - LDAP no longer works


#1

I had Chef Manage working with LDAP (MS Server 2012 R2) and now it can no longer find any users. I have executed an ldapsearch and this returns exactly what I expect, with result 0 (Success).

Where are the logs for the LDAP mechanism so I can see what Chef thinks is actually going on?

Here is the LDAP search and subsequent return (No data obfuscation as this is a test system):

# ldapsearch takes the attribute list as separate arguments: "saMaccountname," (with the comma)
# is requested as a literal attribute name, which is why only mail comes back in the output below.
ldapsearch -x -h 192.168.5.10 -b 'OU=Chef Users,DC=sv,DC=local' "(objectClass=user)" saMaccountname, mail  -D 'ldap.bind@sv.local' -w 'Sysadm1n'
# extended LDIF
#
# LDAPv3
# base <OU=Chef Users,DC=sv,DC=local> with scope subtree
# filter: (objectClass=user) 
# requesting: saMaccountname, mail 
#

# Sean Vucich, Chef Users, sv.local
dn: CN=Sean Vucich,OU=Chef Users,DC=sv,DC=local
mail: sean.vucich@sv.local

# Ross Taylor, Chef Users, sv.local
dn: CN=Ross Taylor,OU=Chef Users,DC=sv,DC=local
mail: ross.taylor@sv.local

# Sean A. Vucich, Chef Users, sv.local
dn: CN=Sean A. Vucich,OU=Chef Users,DC=sv,DC=local

# chef user, Chef Users, sv.local
dn: CN=chef user,OU=Chef Users,DC=sv,DC=local
mail: chef.user@sv.local

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4

Here is my (previously) working LDAP config, which incidentally works with one user but not any others.

ldap['base_dn'] = 'OU=Chef Users,DC=sv,DC=local'
ldap['bind_dn'] = 'ldap.bind@sv.local'
ldap['bind_password'] = 'Sysadm1n'
ldap['group_dn'] = 'CN=Chef Logon,OU=Groups,DC=sv,DC=local'
ldap['host'] = '192.168.5.10'
ldap['login_attribute'] = 'sAMAccountName'
ldap['port'] = 389   # documented as an integer, not the string '389'
# plain LDAP on 389 sends the bind password in the clear; ldap['enable_tls'] = true (STARTTLS)
# or ldap['enable_ssl'] = true with port 636 protects it
ldap['system_adjective'] = 'LDAP-Authentication'
ldap['timeout'] = 300   # the documented key is ldap['timeout'], not ldap['ldap_timeout']

Here is what I get now, when inviting a user to the system:

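To check an ldapsearch dump against the ldap[] settings without guessing, here is an added example (my own code, not from the thread or from Chef). It parses the LDIF that ldapsearch prints, reports per entry whether the attribute named in ldap['login_attribute'] is present (the server has to find it to match a login name to an entry under ldap['base_dn']) and whether the entry is a memberOf ldap['group_dn'], and builds a corrected ldapsearch command. Both LDIF samples are constructed: the first copies the entries posted above, where the comma in "saMaccountname, mail" made ldapsearch request a literal attribute named "saMaccountname," so no entry carries sAMAccountName; the second is what a corrected query could return. The config values are taken from the posted chef-server.rb; the `(&(objectClass=user)(sAMAccountName=...))` filter is an assumption about how the server looks a user up, not taken from Chef's code.

```python
"""Audit ldapsearch LDIF output against a Chef server ldap[] config (added example)."""
import base64
import re

# Constructed sample: the entries from the output posted above (no sAMAccountName,
# because the query requested the literal attribute "saMaccountname,").
SAMPLE_LDIF = """\
dn: CN=Sean Vucich,OU=Chef Users,DC=sv,DC=local
mail: sean.vucich@sv.local

dn: CN=Ross Taylor,OU=Chef Users,DC=sv,DC=local
mail: ross.taylor@sv.local

dn: CN=Sean A. Vucich,OU=Chef Users,DC=sv,DC=local

dn: CN=chef user,OU=Chef Users,DC=sv,DC=local
mail: chef.user@sv.local

search: 2
result: 0 Success
"""

# Constructed: what a corrected query (sAMAccountName mail memberOf) could return.
# "attr::" marks a base64 value, which AD emits for non-ASCII data.
SAMPLE_FIXED_LDIF = """\
dn: CN=Ross Taylor,OU=Chef Users,DC=sv,DC=local
sAMAccountName: ross.taylor
description:: Q2hlZiBhZG1pbg==
memberOf: CN=Chef Logon,OU=Groups,DC=sv,DC=local
memberOf: CN=Domain Users,CN=Users,DC=sv,DC=local

dn: CN=chef user,OU=Chef Users,DC=sv,DC=local
sAMAccountName: chef.user
memberOf: CN=Domain Users,CN=Users,DC=sv,DC=local
"""

LDAP_CONFIG = {  # values from the chef-server.rb fragment posted in the thread
    "base_dn": "OU=Chef Users,DC=sv,DC=local",
    "login_attribute": "sAMAccountName",
    "group_dn": "CN=Chef Logon,OU=Groups,DC=sv,DC=local",
}

_ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9;.-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """One dict per entry (lower-cased attribute -> list of values). Comments are
    dropped, continuation lines (leading space) folded, "attr::" values base64-
    decoded, and blocks without a dn (the trailing search:/result: lines) discarded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:          # the extra "" flushes the last entry
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
        elif not line.startswith("#") and (m := _ATTR_RE.match(line)):
            name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8", "replace")
            current.setdefault(name, []).append(value)
    return entries


def audit(entries, config):
    """Per entry: login-attribute values (empty => server cannot match the user)
    and in_group (None when memberOf was not requested, so it is unknown)."""
    login_attr = config["login_attribute"].lower()
    group_dn = config["group_dn"].lower()   # case-fold only, not full DN normalisation
    report = []
    for e in entries:
        groups = e.get("memberof")
        report.append({
            "dn": e["dn"][0],
            "login": e.get(login_attr, []),
            "in_group": None if groups is None else any(g.lower() == group_dn for g in groups),
        })
    return report


def escape_filter_value(value):
    """RFC 4515 escaping so a user-supplied login name cannot alter the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def ldapsearch_argv(config, host, port, bind_dn, login_name=None):
    """argv for a corrected ldapsearch: attributes are separate arguments, and -W
    prompts for the bind password instead of leaving it in shell history via -w."""
    attr = config["login_attribute"]
    flt = "(objectClass=user)" if login_name is None else \
        f"(&(objectClass=user)({attr}={escape_filter_value(login_name)}))"
    return ["ldapsearch", "-x", "-H", f"ldap://{host}:{port}", "-D", bind_dn, "-W",
            "-b", config["base_dn"], flt, attr, "mail", "memberOf"]
```

Run `audit(parse_ldif(open("dump.ldif").read()), LDAP_CONFIG)` on a real dump: an entry whose "login" list is empty is one the server cannot resolve by login name, and "in_group" stays None until memberOf is actually requested, so ask for it explicitly rather than assuming the group check passed.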

#2

So I have done a wireshark trace and I can see that the Chef server isn’t connecting on the correct ports, but the LDAP search is connecting using the correct ports.


#3

So, I have decided that the LDAP implementation is, much like many things I have found in Chef, full of bugs, creates more issues than it solves and is poorly documented. Once again…


#4

Asking for help with Manage issues on here or in Slack is totally okay, but be aware that this is a volunteer-based support space and many of us either haven't used the commercial products as much or don't have the expertise to debug them. If you want to reach Chef Software's support team to file an issue under your license with them you can email support@chef.io or contact your TAM (or whatever they are called now if it's something else :) ).


#5

I am aware of how the support works, but to get the monies to get this past a proof of concept, I have to show a working system…

I don't think the system has been 100% functional even once. I did not change this config; it literally just decided to stop using the correct ports (Wireshark trace confirmed this). I am unsure where Chef logs this to. If it was documented, ya know, then I could just help myself…


#6

I believe the user has to log in first and then you can add them via Manage. When a user logs in with their LDAP account they are given the option to create an account or link an existing Chef account.


#7

Not sure why it’s not working for you, but you can follow the logs with chef-server-ctl tail and for Manage with chef-manage-ctl tail. Manage is just the front-end Rails app, and it’s just making requests to the Chef Server, so if there are useful logs coming out it’s more likely that they would be seen from chef-server-ctl tail but trying both won’t hurt.


#8

Thanks @smith - I will have a look at that shortly.