LDAP integration with chefserver

akdasari · November 8, 2018, 10:06am

we have integrated chef-server standalone with our IdM-LDAP, when I try to login from chef-manage console using LDAP user, I'm getting
"Welcome! It looks like this is the first time you have logged into Chef using your corporate login. You may now link your account to proceed.
But erchef log shows the following info.
/var/log/opscode/opscode-erchef/erchef.log
[error] {<<"method=GET; path=/users/test_user; status=404; ">>,"Not Found"}

And request log contains
/var/log/opscode/opscode-erchef/requests.log.1 <==
2018-11-07T16:21:17Z erchef@127.0.0.1 method=POST; path=/authenticate_user; status=200; req_id=g3IAA2QAEGVyY2hlZkAxMjcuMC4wLjEDAADP4gAAAAEAAAAA; couchdb_groups=false; couchdb_organizations=false; couchdb_containers=false; couchdb_acls=false; 503_mode=false; couchdb_associations=false; couchdb_association_requests=false; req_time=8; rdbms_time=0; rdbms_count=3; user=pivotal; req_api_version=0;
2018-11-07T16:21:17Z erchef@127.0.0.1 method=GET; path=/users/test_user; status=404; req_id=g3IAA2QAEGVyY2hlZkAxMjcuMC4wLjEDAADQBgAAAAEAAAAA; msg=user_not_found; couchdb_groups=false; couchdb_organizations=false; couchdb_containers=false; couchdb_acls=false; 503_mode=false; couchdb_associations=false; couchdb_association_requests=false; req_time=2; rdbms_time=0; rdbms_count=2; user=pivotal; req_api_version=0;

It looks like chefserver trying to re-authenticate using it's local database.
Is this how chefserver with ldap works? is there a way we can avoid Local authentication
Can somebody help us.

mrimoczy · November 8, 2018, 10:32am

Everything looks good. The next step to link your account (technically it will create a user within Chef) and then you have to invite the new users to a Chef organization.

If you are the first user then login to Chef server and user this: chef-server-ctl org-user-add ORG_NAME USER_NAME

More details here: https://docs.chef.io/server_users.html#org-user-add

akdasari · November 8, 2018, 10:44am

That means it is beating the concept of SSO using external LDAP
I was expecting when i integrate with LDAP, chefserver automatically synchronize with LDAP database and login in single shot. Which is not the case as i have to provide credentials twice now.

mrimoczy · November 8, 2018, 10:50am

But it works. You logged in with your LDAP account and Chef prompted you a window where it informed that you are not a member of any organizations. That invitation step can be managed via Chef UI by a Chef administrator or as I described in the previous comment.

You can write a simple script to automate the organization invitation with the next logic:

if a user is member of the Chef specific LDAP group then do an invitation

akdasari · November 8, 2018, 11:08am

Well, it's not that straight. as I'm automating all these. I was expecting all LDAP users are found in local chefserver as part of LDAP sync
Can you point me to any ruby script which can check LDAP users and create in local chefserver, while provisioning time?
Also I don't want to do any operation thru UI, except for logging using LDAP user name, most of our provisioning is automated using cookbook.

Topic		Replies	Views
Chef-server LDAP integration issues Chef Infra (archive)	1	418	June 21, 2018
Enterprise Chef: Chef Manager doesn't seem to use LDAP? Chef Infra (archive)	6	306	December 19, 2013
Chef Server/Manage external LDAP Auth? Chef Infra (archive)	2	957	April 19, 2016
Chef Manage - LDAP no longer works Chef Infra (archive)	7	1506	February 21, 2017
Chef Automate LDAP integration not working Chef Automate	7	2272	August 22, 2016

LDAP integration with chefserver

Related Topics