By: Sergio Plasencia user 13 Nov 2015 at 4:54 a.m. CST

11 Responses
I have a problem when enabling authentication with an external backend OpenLDAP server. I have Cache Refresh working well and Keep external persons enabled. Then, when I change authentication to use our external OpenLDAP server, I can't log in anymore with the admin user and I can't set any other user from the LDAP as an admin (I followed several tickets about it).

After debugging, I realized that Gluu is looking for admin user membership in the external OpenLDAP instead of looking in the internal OpenDJ. It is looking for the admin user under this path in OpenLDAP: ou=people,o=@!50AA.FB61.AB71.8E2F!0001!4792.066E,o=gluu Of course, this path does not exist in the external OpenLDAP.

So, I see two possible solutions here: set up Gluu to look up the admin group membership in the internal OpenDJ server, or load the Gluu schema into our external OpenLDAP server and populate it. For us, the ideal solution would be the second option: to completely replace the internal OpenDJ with our external OpenLDAP (and not use Cache Refresh at all). I tried to load your schema for OpenLDAP (101-ox.ldif) and it fails because of duplicated OIDs and collisions with standard attributes (like memberOf). I modified it and managed to make it work (I don't know if the file 101-ox.ldif is completely up to date and if my modifications will work OK, but at least it loads well), but I still need to know how to populate it.

In summary, we would appreciate some help with setting up an external OpenLDAP server as the default LDAP server (so, not using Cache Refresh at all), or at least with making Gluu look for admin membership in OpenDJ so we can have external authentication but still log in as an admin user in Gluu.
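The two failure modes named in this post (duplicated OIDs inside the schema file, and attribute names that collide with something the target slapd already defines, such as memberOf from the memberof overlay) can be caught before you try to load the file. The script below is an added example written for this thread, not Gluu code and not a parser of the real 101-ox.ldif: it reads a cn=config-style schema LDIF (olcAttributeTypes / olcObjectClasses lines with LDIF continuation), collects OID and NAME values, and reports OIDs used twice and names already present in a constructed set of "already loaded" names. The schema text, the 1.3.6.1.4.1.99999 arc and the ALREADY_LOADED set are all constructed for the example; on a real server the loaded names would come from cn=schema,cn=config or cn=subschema, and the slapd.conf-style `attributetype (...)` syntax is not handled here.

```python
"""Pre-flight check for an OpenLDAP cn=config schema LDIF.

Added example for this support thread; not part of Gluu. It reports
(a) OIDs that appear in more than one definition and (b) attribute or
objectclass names that the target server already knows. Everything
below the docstring is constructed sample data and assumptions.
"""
import re
from collections import defaultdict

# Constructed sample in olcAttributeTypes/olcObjectClasses style. The OIDs
# under 1.3.6.1.4.1.99999 are made up; the third definition deliberately
# reuses the first OID and the second deliberately reuses 'memberOf'.
SAMPLE_SCHEMA_LDIF = """\
dn: cn=sample,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sample
olcAttributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleClientId'
  DESC 'constructed attribute' EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.99999.1.2 NAME 'memberOf'
  DESC 'collides with the memberof overlay' EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
olcAttributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME ( 'exampleStatus' 'exStatus' )
  DESC 'reuses the OID of exampleClientId' EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcObjectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'examplePerson' SUP top AUXILIARY
  MAY ( exampleClientId $ exampleStatus ) )
"""

# Names the target slapd already defines. Constructed subset (core schema
# plus the memberof overlay); a real check would read them from the server.
ALREADY_LOADED = {"cn", "sn", "uid", "mail", "memberOf", "member", "top",
                  "person", "inetOrgPerson", "groupOfNames"}

# One definition per logical line: "( <oid> NAME 'x' ..." or "NAME ( 'x' 'y' )".
DEF_RE = re.compile(
    r"^(olcAttributeTypes|olcObjectClasses):\s*\(\s*([0-9.]+)\s+NAME\s+"
    r"(\([^)]*\)|'[^']*')", re.I)


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading single space continues the
    previous logical line; the space itself is dropped per RFC 2849)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_definitions(text):
    """Return [(kind, oid, [names...]), ...] for every schema definition."""
    defs = []
    for line in unfold_ldif(text):
        m = DEF_RE.match(line)
        if not m:
            continue
        kind, oid, name_blob = m.groups()
        names = re.findall(r"'([^']+)'", name_blob)   # one or several NAMEs
        defs.append((kind, oid, names))
    return defs


def find_conflicts(text, loaded_names):
    """Duplicate OIDs within the file, and names that collide with the
    server's existing schema (LDAP names are case-insensitive)."""
    defs = parse_definitions(text)
    by_oid = defaultdict(list)
    for _kind, oid, names in defs:
        by_oid[oid].append(names[0])
    duplicate_oids = {oid: owners for oid, owners in by_oid.items()
                      if len(owners) > 1}
    loaded_lower = {n.lower() for n in loaded_names}
    collisions = sorted(n for _k, _o, names in defs
                        for n in names if n.lower() in loaded_lower)
    return {"duplicate_oids": duplicate_oids, "name_collisions": collisions}


if __name__ == "__main__":
    import json
    print(json.dumps(find_conflicts(SAMPLE_SCHEMA_LDIF, ALREADY_LOADED), indent=2))
```

Run it against the real file by replacing SAMPLE_SCHEMA_LDIF with the file contents and ALREADY_LOADED with the names dumped from the target server; every hit is something slapd will reject at ldapadd time, so either the OID must be made unique or the colliding definition dropped in favour of the one the server already has.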

By Mohib Zico staff 13 Nov 2015 at 5:10 a.m. CST

How about this... If you can log in to your Gluu Server with your own OpenLDAP credentials, then add this user to the 'gluuManager' group. In that way, you won't have to worry and troubleshoot much about the user 'admin', because you will be able to accomplish all Gluu Server administration even with your OpenLDAP credentials.

By Sergio Plasencia user 13 Nov 2015 at 5:25 a.m. CST

This is exactly the problem. The OpenLDAP admin user is already included in the OpenDJ gluuManager group. I can log in to the Gluu UI with my OpenLDAP admin user and it is properly authenticated, but I don't see the admin dashboard because Gluu does not consider the user an admin (it does an LDAP lookup to gather admin group membership from the OpenLDAP server instead of using the OpenDJ server, and it returns nothing because the gluuManager group does not exist on the OpenLDAP server).

By Mohib Zico staff 13 Nov 2015 at 6 a.m. CST

>> Gluu does not consider the user an admin (it does an LDAP lookup to gather admin group membership from the OpenLDAP server instead of using the OpenDJ server, and it returns nothing because the gluuManager group does not exist on the OpenLDAP server)

That should never happen. Gluu Server only connects to the backend OpenLDAP for authentication, nothing else. Whether a user is a 'Gluu Server admin' or not depends entirely on whether this user is inside the gluuManager group or not.

By Sergio Plasencia user 13 Nov 2015 at 10:42 a.m. CST

I do agree. That should never happen, but it is indeed happening. I think it is a bug. I took a tcpdump network capture, and I can clearly see how the Gluu server is asking the OpenLDAP server for admin group membership:

10.1.65.70 10.1.65.189 LDAP 222 searchRequest(3) "ou=people,o=@!50AA.FB61.AB71.8E2F!0001!4792.066E,o=gluu" wholeSubtree

Clearly, this is the reason why I don't see the admin dashboard when logging in. To summarize, this is a default installation in which I only configured Cache Refresh, added an external LDAP user to the gluuManager group in the internal LDAP and changed the authentication to use the external LDAP. Nothing else has been changed from the default installation.
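The capture line above is the whole diagnosis: a search whose base DN lives in the Gluu tree (o=gluu) is being sent to the external server, which is only supposed to answer authentication binds for its own suffix. The script below is an added example for this thread, not Gluu code, that turns that observation into a repeatable check. It expects tab-separated lines of the kind `tshark -r capture.pcap -Y 'ldap.protocolOp == 3' -T fields -e ip.src -e ip.dst -e ldap.baseObject -e ldap.filter` prints for searchRequest packets, and flags any request whose base DN is not under the suffix its destination server is supposed to serve. The two addresses and the first base DN are the ones quoted in the capture; the suffix assignments, the role labels, the filters and the remaining two lines are constructed for the example.

```python
"""Triage captured LDAP search requests: is each one going to the server
that actually holds that base DN?

Added example for this support thread; not part of Gluu or of any capture
tool. Input format is the tab-separated output of `tshark -T fields` with
ip.src, ip.dst, ldap.baseObject and ldap.filter (protocolOp 3 only).
"""
import sys

# Which suffix each server is supposed to serve. The addresses come from the
# capture in the thread; the suffix for the external server and both role
# labels are assumptions for this example.
SERVERS = {
    "10.1.65.70":  {"role": "Gluu internal OpenDJ", "suffix": "o=gluu"},
    "10.1.65.189": {"role": "external OpenLDAP (authentication only)",
                    "suffix": "dc=example,dc=com"},
}

# Constructed tshark-style lines. Line 1 is the request quoted in the thread
# (filter assumed); lines 2 and 3 are made up to show a correct request and a
# group-membership lookup on the wrong server.
SAMPLE_CAPTURE = (
    "10.1.65.70\t10.1.65.189\t"
    "ou=people,o=@!50AA.FB61.AB71.8E2F!0001!4792.066E,o=gluu\t(uid=sergio)\n"
    "10.1.65.70\t10.1.65.189\tou=people,dc=example,dc=com\t(uid=sergio)\n"
    "10.1.65.70\t10.1.65.189\t"
    "ou=groups,o=@!50AA.FB61.AB71.8E2F!0001!4792.066E,o=gluu\t"
    "(member=uid=sergio,ou=people,dc=example,dc=com)\n"
)


def _norm_dn(dn):
    """Lower-case and strip spaces after commas; enough for suffix checks
    on DNs whose values contain no escaped commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def dn_under(dn, suffix):
    """True if dn equals suffix or is a descendant of it."""
    d, s = _norm_dn(dn), _norm_dn(suffix)
    return d == s or d.endswith("," + s)


def triage(capture_text, servers):
    """Return [(dst, base_dn, filter, verdict), ...] for each captured search."""
    findings = []
    for line in capture_text.splitlines():
        if not line.strip():
            continue
        src, dst, base, flt = (line.split("\t") + ["", "", "", ""])[:4]
        server = servers.get(dst)
        if server is None:
            verdict = "unknown destination %s" % dst
        elif dn_under(base, server["suffix"]):
            verdict = "ok"
        else:
            verdict = ("misrouted: base DN is outside %s served by %s"
                       % (server["suffix"], server["role"]))
        findings.append((dst, base, flt, verdict))
    return findings


def misrouted(capture_text, servers):
    """Only the requests that went to a server which cannot hold their base DN."""
    return [f for f in triage(capture_text, servers) if f[3].startswith("misrouted")]


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CAPTURE
    for dst, base, flt, verdict in triage(data, SERVERS):
        print("%s\t%s\t%s\t%s" % (dst, base, flt, verdict))
```

Piping real tshark output into the script (adjusting SERVERS to your addresses and suffixes) gives a clean list of the searches that should never reach the authentication backend; an empty list after an upgrade is the quickest confirmation that the lookup is back on the internal server.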

By Mohib Zico staff 13 Nov 2015 at 10:49 a.m. CST

We will try to reproduce the issue.

By Aliaksandr Samuseu staff 13 Nov 2015 at 11:10 a.m. CST

Hi, Sergio. Can I ask which Linux distribution you are using on the host where Gluu is installed, and which version of the Gluu package you have installed? Regards, Alex.

By Sergio Plasencia user 16 Nov 2015 at 5 a.m. CST

Hello, I'm using Ubuntu 14.04.3 LTS. I installed Gluu via apt-get last Friday. I don't know exactly the version (sorry, I can't check right now), but it has to be the latest one. Regards, Sergio.

By Sergio Plasencia user 16 Nov 2015 at 5:18 a.m. CST

I just checked the Gluu package version: gluu-server 2.3.4-2

By Aliaksandr Samuseu staff 16 Nov 2015 at 9:14 a.m. CST

Understood. Most likely you are facing the known issue affecting authentication against the LDAP backend: https://github.com/GluuFederation/oxAuth/issues/64 It was fixed in the latest Gluu CE package, which is almost ready to be released (the deadline is this Tuesday), so I would recommend waiting for it and switching to this new version. Upgrading your current instance will not be easy, due to substantial changes in the way configuration is stored there now. I'm not aware whether or not this problem (in-place automatic upgrade from 2.3.x to 2.4.x) has been attended to by our dev team; I'll try to find out.

By Sergio Plasencia user 16 Nov 2015 at 11:13 a.m. CST

Great. Please let us know when you have feedback regarding the automatic upgrade. We will check for package updates tomorrow.

By Aliaksandr Samuseu staff 17 Nov 2015 at 9:42 a.m. CST

Hi, Sergio.

> let us know when you have feedback regarding the automatic upgrade

Unfortunately, at the moment there is no such thing. Perhaps a manual upgrade guide will be developed soon, and maybe at some point in the future it will be transformed into some kind of a script. If you can afford a clean reinstall, that would probably be your best option at the moment.