Scenario

Configuring LDAP services for ScaleIO, in either the MDM cluster or the Gateway, with a single Active Directory domain. The problem can occur when the users and the ScaleIO role group are placed in different OUs within the same domain.

Symptoms

The user is in: CN=testuser,OU=Users,OU=IT Dept,DC=swlab,DC=local
The group is: CN=Sio_Admin_Role,OU=GlobalGroups,OU=Groups,DC=swlab,DC=local

The following warning message appears in the MDM or Gateway trace log. The error message in gateway-trace.log is:

2017-06-14 11:49:46,587 [http-nio-443-exec-6] ERROR c.e.s.s.w.s.ScaleIOSecurityUtils - User testuser was not found in group CN=Sio_Admin_Role,OU=GlobalGroups,OU=Groups,DC=swlab,DC=local

Impact

Some users are unable to log in to the ScaleIO system or Gateway using LDAP authentication.

Root cause

The root cause of this issue is that the "--ldap_base_dn" parameter used when the LDAP service was added to the ScaleIO cluster was set at too low a level. See the configuration below for the example above:

scli --add_ldap_service --ldap_service_uri "ldap://swlab.local" --ldap_base_dn "OU=GlobalGroups,OU=Groups,DC=swlab,DC=local" --ldap_service_name testldap

scli --assign_ldap_groups_to_roles --administrator_role_dn "CN=Sio_Admin_Role,OU=GlobalGroups,OU=Groups,DC=swlab,DC=local" --monitor_role_dn "CN=Sio_Admin_Role,OU=GlobalGroups,OU=Groups,DC=swlab,DC=local" --ldap_service_name testldap

This sets the base DN from which searches start too low in the AD directory tree. When the search starts at "swlab.local/Groups/GlobalGroups", LDAP cannot find a user that lives at a higher level. In this case "testuser" exists at "swlab.local/IT Dept/Users/testuser", so when the group "Sio_Admin_Role" is queried and its member user is then looked up, the lookup is again restricted to the base DN. The user does not exist there, and the login fails.

Workaround

To resolve this issue, re-create the LDAP service in ScaleIO using a higher-level base DN. For the example above, the "add_ldap_service" scli command could be changed as follows:

scli --add_ldap_service --ldap_service_uri "ldap://swlab.local" --ldap_base_dn "DC=swlab,DC=local" --ldap_service_name testldap

By changing the base DN to the root of the domain, LDAP can search any OU or CN for the user that is a member of the ScaleIO role group.
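The following is an added example, not part of this KB article or of the scli tool: a small scope check that compares a candidate "--ldap_base_dn" against the group DN and the member DN from the article, and reports which of them a subtree search from that base could never reach. The DN values are taken from the article; the function names are constructed for this example.

```python
# Added example: does a DN sit inside the subtree rooted at an LDAP base DN?
# Constructed for this note; not ScaleIO or scli code.

# DN values from the KB article above.
USER_DN = "CN=testuser,OU=Users,OU=IT Dept,DC=swlab,DC=local"
GROUP_DN = "CN=Sio_Admin_Role,OU=GlobalGroups,OU=Groups,DC=swlab,DC=local"
BASE_TOO_LOW = "OU=GlobalGroups,OU=Groups,DC=swlab,DC=local"
BASE_DOMAIN_ROOT = "DC=swlab,DC=local"


def parse_dn(dn):
    """Split a DN into its RDN strings, honouring backslash-escaped commas."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return [p for p in parts if p]


def normalize_rdn(rdn):
    """Case-fold attribute and value and collapse internal whitespace (e.g. 'OU=IT Dept')."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower() + "=" + " ".join(value.split()).lower()


def dn_in_subtree(dn, base_dn):
    """True if dn equals base_dn or lies below it; RDNs are compared right-to-left."""
    dn_parts = [normalize_rdn(p) for p in parse_dn(dn)]
    base_parts = [normalize_rdn(p) for p in parse_dn(base_dn)]
    if len(base_parts) > len(dn_parts):
        return False
    return dn_parts[len(dn_parts) - len(base_parts):] == base_parts


def unreachable_dns(base_dn, group_dn, member_dns):
    """Return the group/member DNs a subtree search from base_dn cannot reach (empty = OK)."""
    return [d for d in [group_dn, *member_dns] if not dn_in_subtree(d, base_dn)]


if __name__ == "__main__":
    for base in (BASE_TOO_LOW, BASE_DOMAIN_ROOT):
        print(base, "->", unreachable_dns(base, GROUP_DN, [USER_DN]) or "all reachable")
```

With the article's values, the too-low base leaves the user DN unreachable while the domain root reaches both the group and the user, which is exactly the failure the trace log reports.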