LDAP breaks create permissions


#1

I have enabled LDAP and attached my admin user to an LDAP user - And at first run, things look good. I can add cookbooks, change node/client run lists etc - BUT, when I try and bootstrap a new client I get the following:

knife bootstrap windows winrm node3.sv.local -x 'sv\sysadmin' -P Sysadm1n -N windows-node3.sv.local
Creating new client for windows-node3.sv.local
Creating new node for windows-node3.sv.local
ERROR: You authenticated successfully to https://chef.sv.local/organizations/organization as sysadmin but you are not authorized for this action
Response:  missing create permission

If I look in the GUI for the chef server I can see that I have all the correct permissions, including admin groups etc. Seems that LDAP breaks the permissions rendering the server near on useless to me.

I have tried a simple reset of the users key, but that doesn’t seem to do the trick. I have also tested the LDAP config on 2 servers with the same end result.

When I turn off the LDAP and reconfigure the server to JUST use local accounts, all goes back to normal :frowning:

I am using Chef server 12.10.0

Anyone know why this is happening or assist in shedding some light please?


#2

It sounds like your user/group via LDAP doesn’t have the right rights to be able to work on that node object. I’d first check to make sure it didn’t already exist (if it does, remove it and retry), and if it doesn’t, then check to make sure your account has the ability to create and manage new nodes. I haven’t actually done this in a while so I don’t have a good test setup to repro it, however.


#3

This isn’t a node authentication issue. This is an issue with the Chef-Server and adding an LDAP logon/authentication to the chef server. I can run remote winrm requests of the node independent of chef/bootstrap - Thus showing authentication to the node/client is working. But when I try and bootstrap the node/client, I get the ‘Response: missing create permission’ error. When I turn off LDAP login to the chef server I still get the create error and now cannot add any machines/nodes/clients to the chef-server.

So, here is what happened.

1 - Deployed test chef instance, tested bootstrap of node - Working as expected

2 - Added LDAP login to chef server, now get error when trying to bootstrap machines, error as follows:

ERROR: You authenticated successfully to https://chef.sv.local/organizations/organization as sysadmin but you are not authorized for this action
Response:  missing create permission

3 - Remove LDAP config from chef server. Still getting error as follows when trying to bootstrap the machine

ERROR: You authenticated successfully to https://chef.sv.local/organizations/organization as sysadmin but you are not authorized for this action
Response:  missing create permission

Further to this, I have been digging using the local (to the chef server) cli commands and found that all my previous LDAP users are still showing up in the cli but not the GUI???

sudo chef-server-ctl user-list

pivotal
ross_taylor
sysadmin
user_0
user_1

sysadmin should be the only user left in the org that I care about, the others were me working through the sign up process for other users. - Also should be an admin.

Then I run the list-server-admins command to see what shows up there:

sudo chef-server-ctl list-server-admins

pivotal
sysadmin

So we can see that the user ‘sysadmin’ is on the server, is enabled for the admin group, but is still unable to create nodes/clients via bootstrap w/or w/out LDAP enabled - But only after LDAP has been enabled once. Prior to this, it was all working as expected.

I have also just tried the following:

sudo chef-server-ctl user-create sv firstname lastname email@domain 'P@55word!'

Then

sudo chef-server-ctl grant-server-admin-permissions sv

And also

sudo chef-server-ctl org-user-add bravura sv --admin

Which now shows my user as a server admin, but gives me the same result as before.

ERROR: You authenticated successfully to https://chef.sv.local/organizations/organization as sysadmin but you are not authorized for this action
Response: missing create permission

#4

I understand the issue. But it’s entirely possible to have a Chef Manage user that can’t edit/create nodes, that’s what I was referring to… the rights of the user vs the ACL of the node object. I’d suggest filing a support ticket with the Chef folks, assuming you’re not using the <= 25 node free version.


#5

Might have to scrap the system and move on. Unfortunately our corporate IT has to have LDAP as a requirement. LDAP breaks create permission for all users including admin users. I can’t get monies to buy the licenses until I have a working system :frowning:


#6

Well, LDAP integration is only really useful for Chef Manage (or the other premium features). Without LDAP you can just do everything with chef-server-ctl and knife, since everything else uses the keys instead of passwords. Not sure if that changes anything. Others might have more thoughts, but really the only people who likely have enabled LDAP are the folks who are using the premium features, which typically entails support access.


#7

Although this may be true - Now, even with LDAP OFF - I get permissions errors. I could live with LDAP off, if it worked still, but it doesn’t.


#8

Just to be clear. I had a working system with no LDAP. I turned LDAP on, it broke, so I turned LDAP off and it is still broken.


#9

OK - I have resolved the issue. It seems that there are hidden ACLs (to avoid over complicating the GUI apparently).

I installed the ACL Ruby GEM via the following command:

chef gem install knife-acl

Then I needed to add the required ‘create’ permissions to each of the acl containers, example as follows:

knife acl add group admins containers clients create
knife acl add group admins containers nodes create

This resolved my immediate issue with bootstrapping a node and also allows me to add the permissions with a working LDAP enabled on the chef-manage server where the LDAP breaks the existing ACLs.

Credit to the work done here which gave me all I needed.


#10

Lastly, I also had to add the following ‘client’ permission:

knife acl add group clients containers nodes create
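The three grants in #9 and #10 can be audited before anything is changed. The following is an added example, not code from the thread or from knife-acl: it takes the container ACL documents (the JSON that `knife raw /containers/clients/_acl` and `/containers/nodes/_acl` return, one key per permission with "actors" and "groups"), reports which required group grants are missing, and renders the matching `knife acl add` commands for review. The sample ACL documents are constructed to mimic the broken state described in the thread.

```ruby
require 'json'

# Grants the thread identifies as required for bootstrap to succeed:
# admins may create clients and nodes, and the clients group may create nodes.
REQUIRED_GRANTS = [
  ['admins',  'clients', 'create'],
  ['admins',  'nodes',   'create'],
  ['clients', 'nodes',   'create'],
].freeze

# acls: container name => parsed _acl document.
# Returns the (group, container, permission) triples that are not granted.
def missing_container_grants(acls, required = REQUIRED_GRANTS)
  required.reject do |group, container, perm|
    ace = acls.fetch(container, {}).fetch(perm, {})
    Array(ace['groups']).include?(group)
  end
end

# Render the repair commands in the same form used in the thread, so an
# operator can review them before granting anything.
def repair_commands(missing)
  missing.map do |group, container, perm|
    "knife acl add group #{group} containers #{container} #{perm}"
  end
end

# Constructed sample: 'create' on both containers has lost its admins entry,
# while the clients group still has create on nodes.
SAMPLE_ACLS = {
  'clients' => JSON.parse('{"create":{"actors":["pivotal"],"groups":[]},
                            "read":{"actors":["pivotal"],"groups":["admins","users"]}}'),
  'nodes'   => JSON.parse('{"create":{"actors":["pivotal"],"groups":["clients"]},
                            "read":{"actors":["pivotal"],"groups":["admins","users","clients"]}}'),
}.freeze

if __FILE__ == $PROGRAM_NAME
  missing = missing_container_grants(SAMPLE_ACLS)
  if missing.empty?
    puts 'all required container grants present'
  else
    puts repair_commands(missing)
  end
end
```

Feed the script real output from `knife raw` instead of SAMPLE_ACLS to check an org after an LDAP round trip; anything it lists is a grant the GUI will not show you.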

#11

Sorry I wasn’t more clear before… the ACLs were exactly what I was referring to. I couldn’t remember if there was a knife gem for it or if you just normally tweaked it with knife raw, though.


#12

All good - IT IS WORKING - And I feel much better now as I don’t have to scrap the work I have already done.

So, I am happy, IT will be happy as I can meet their requirements and long term chef will be happy as I can prove my POC is all good and get funding for more licenses…