LDAP integration with chefserver


#1

We have integrated chef-server standalone with our IdM-LDAP. When I try to log in from the chef-manage console using an LDAP user, I'm getting
"Welcome! It looks like this is the first time you have logged into Chef using your corporate login. You may now link your account to proceed."
But the erchef log shows the following info.
/var/log/opscode/opscode-erchef/erchef.log
[error] {<<"method=GET; path=/users/test_user; status=404; ">>,"Not Found"}

And the request log contains
/var/log/opscode/opscode-erchef/requests.log.1
2018-11-07T16:21:17Z erchef@127.0.0.1 method=POST; path=/authenticate_user; status=200; req_id=g3IAA2QAEGVyY2hlZkAxMjcuMC4wLjEDAADP4gAAAAEAAAAA; couchdb_groups=false; couchdb_organizations=false; couchdb_containers=false; couchdb_acls=false; 503_mode=false; couchdb_associations=false; couchdb_association_requests=false; req_time=8; rdbms_time=0; rdbms_count=3; user=pivotal; req_api_version=0;
2018-11-07T16:21:17Z erchef@127.0.0.1 method=GET; path=/users/test_user; status=404; req_id=g3IAA2QAEGVyY2hlZkAxMjcuMC4wLjEDAADQBgAAAAEAAAAA; msg=user_not_found; couchdb_groups=false; couchdb_organizations=false; couchdb_containers=false; couchdb_acls=false; 503_mode=false; couchdb_associations=false; couchdb_association_requests=false; req_time=2; rdbms_time=0; rdbms_count=2; user=pivotal; req_api_version=0;

It looks like chefserver is trying to re-authenticate using its local database.
Is this how chefserver with LDAP works? Is there a way we can avoid local authentication?
Can somebody help us?


#2

Everything looks good. The next step is to link your account (technically it will create a user within Chef), and then you have to invite the new users to a Chef organization.

If you are the first user then log in to the Chef server and use this: chef-server-ctl org-user-add ORG_NAME USER_NAME

More details here: https://docs.chef.io/server_users.html#org-user-add


#3

That means it is defeating the concept of SSO using external LDAP.
I was expecting that when I integrate with LDAP, chefserver automatically synchronizes with the LDAP database and logs in in a single shot, which is not the case, as I have to provide credentials twice now.


#4

But it works. You logged in with your LDAP account and Chef prompted you with a window informing you that you are not a member of any organizations. That invitation step can be managed via the Chef UI by a Chef administrator or as I described in the previous comment.

You can write a simple script to automate the organization invitation with the following logic:

  • if a user is a member of the Chef-specific LDAP group, then do an invitation

#5

Well, it's not that straightforward, as I'm automating all of this. I was expecting all LDAP users to be found in the local chefserver as part of an LDAP sync.
Can you point me to any Ruby script which can check LDAP users and create them in the local chefserver at provisioning time?
Also, I don't want to do any operation through the UI, except for logging in using the LDAP user name; most of our provisioning is automated using cookbooks.
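The group-membership logic proposed in #4 and the Ruby script asked for in #5, as an added example that is not part of this thread and not Chef's own tooling: it reads an LDIF export of the Chef-specific LDAP group and emits the chef-server-ctl org-user-add commands for members not yet in the org. The group DN, org name and LDIF content are constructed assumptions, and it only prints commands rather than running them. Note that org-user-add can only add users that already exist in Chef, so users must have completed the first-login link step from #2 (the 404 user_not_found in #1 is exactly that case).

```ruby
# Added example (not from the thread or from Chef): derive
# chef-server-ctl org-user-add commands from an LDAP group's membership.
require 'shellwords'

CHEF_GROUP_DN = 'cn=chef-users,ou=groups,dc=example,dc=com' # assumed group DN
ORG_NAME      = 'myorg'                                     # assumed org name

# Constructed sample LDIF, in the shape `ldapsearch -LLL` prints a group entry.
SAMPLE_LDIF = <<~LDIF
  dn: cn=chef-users,ou=groups,dc=example,dc=com
  cn: chef-users
  member: uid=test_user,ou=people,dc=example,dc=com
  member: uid=alice,ou=people,dc=example,dc=com
  member: cn=svc-build,ou=services,dc=example,dc=com
  member: uid=bob,ou=people,dc=example,dc=com
LDIF

# Return the uid RDN of every member DN of the given group, in LDIF order.
# Members whose leading RDN is not uid= (service accounts, nested groups)
# are skipped; LDIF continuation lines are not handled.
def group_member_uids(ldif, group_dn)
  in_group = false
  uids = []
  ldif.each_line do |raw|
    line = raw.chomp
    if line.start_with?('dn:')
      in_group = line.sub(/^dn:\s*/, '').casecmp?(group_dn)
    elsif in_group && (m = line.match(/^member:\s*uid=([^,]+),/i))
      uids << m[1]
    end
  end
  uids.uniq
end

# Users already in the org need no invitation; build the commands for the
# rest. This is a dry run: the caller decides whether to execute them.
def org_user_add_commands(uids, org, existing_members)
  (uids - existing_members).map do |uid|
    ['chef-server-ctl', 'org-user-add', org, uid].shelljoin
  end
end

if __FILE__ == $PROGRAM_NAME
  uids = group_member_uids(SAMPLE_LDIF, CHEF_GROUP_DN)
  # 'alice' is assumed to be in the org already.
  org_user_add_commands(uids, ORG_NAME, ['alice']).each { |cmd| puts cmd }
end
```

In a real run, replace SAMPLE_LDIF with the output of an ldapsearch against your IdM and the existing-members list with the org's current members so that already-invited users are not re-added.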