St2-auth-backend-ldap, I think it is not connecting to the server remote_addr='127.0.0.1'


(Peter Michael Gits) #1

Don’t know if you are able to assist me. I am using the open source version for LDAP, following these directions [GitHub - StackStorm/st2-auth-backend-ldap: Authentication backend for StackStorm which reads authentication information from a LDAP server.] and I suspect that the remote_addr='127.0.0.1' is making it fail. I am using the Docker version of StackStorm (st2 2.10.1, on Python 2.7.6). Below are the logs from st2auth.log; I have also attached the [auth] section of st2.conf below and the ldap.conf. Any guidance would certainly help. I have been able to do an ldapsearch successfully from the command line in Linux with the tools I installed from the link above.

    2019-02-28 23:49:12,500 140315568086864 INFO logging [-] cc51af9b-a9ab-4dd0-bd30-4a307c3433b2 - POST /tokens with query={} (remote_addr='127.0.0.1',method='POST',request_id='cc51af9b-a9ab-4dd0-bd30-4a307c3433b2',query={},path='/tokens')
    2019-02-28 23:49:12,505 140315568086864 AUDIT handlers [-] Invalid credentials provided (remote_addr='127.0.0.1',auth_backend='LDAPAuthenticationBackend')
    2019-02-28 23:49:12,506 140315568086864 ERROR router [-] Failed to call controller function "post" for operation "st2auth.controllers.v1.auth:token_controller.post": Invalid or missing credentials
    Traceback (most recent call last):
      File "/opt/stackstorm/st2/local/lib/python2.7/site-packages/st2common/router.py", line 516, in __call__
        resp = func(**kw)
      File "/opt/stackstorm/st2/local/lib/python2.7/site-packages/st2auth/controllers/v1/auth.py", line 78, in post
        **kwargs)
      File "/opt/stackstorm/st2/local/lib/python2.7/site-packages/st2auth/handlers.py", line 223, in handle_auth
        abort_request()
      File "/opt/stackstorm/st2/local/lib/python2.7/site-packages/st2auth/handlers.py", line 39, in abort_request
        return abort(status_code, message)
      File "/opt/stackstorm/st2/local/lib/python2.7/site-packages/st2common/router.py", line 80, in abort
        raise exc.status_map[status_code](message)
    HTTPUnauthorized: Invalid or missing credentials
    2019-02-28 23:49:12,507 140315568086864 INFO logging [-] cc51af9b-a9ab-4dd0-bd30-4a307c3433b2 - 401 55 7.747ms (content_length=55,request_id='cc51af9b-a9ab-4dd0-bd30-4a307c3433b2',runtime=7.747,**remote_addr='127.0.0.1'**,status=401,method='POST',path='/tokens')

/etc/st2/st2.conf


    [auth]
    host = 10.XX.X.XXX
    port = 9100
    debug = True
    use_ssl = True
    cert = /etc/ssl/XXX/CertificateBundle1.pem
    key = /etc/ssl/XXX/privatekey.key
    enable = True
    logging = /etc/st2/logging.auth.conf
    mode = standalone
    backend = ldap
    backend_kwargs = { "ldap_uri": "ldap://ldap.networks.com", "use_tls": false, "bind_dn": "XXX@fnetworks.com", "bind_pw": "XXXXX", "user":{ "base_dn": "DC=XXfnetworks,DC=com", "scope": "subtree", "search_filter": "(&(sAMAccountName={username})(!(userAccountControl:X.X.XXX.XXXXXX.1.4.803:=2)))" } }

    # Base URL to the API endpoint excluding the version (e.g. http://myhost.net:9101/)
    api_url = http://127.0.0.1:9101
    service_token_ttl = 86400

/etc/ldap/ldap.conf

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE	dc=fnetworks,dc=com
URI	ldap://ldap.fnetworks.com:389
#SIZELIMIT	12
#TIMELIMIT	15
#DEREF		never

# TLS certificates (needed for GnuTLS)
TLS_CACERT	/etc/ssl/certs/ca-certificates.crt

My next step is to debug the Python code from the open source backend; I just don’t think it is picking up the ldap_uri properly. Any thoughts or guidance would be welcome.

Thanks,

Peter M. Gits
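The `remote_addr` in the st2auth lines above is the source of the HTTP `POST /tokens` request to the auth API (the log line is the request log of that endpoint); the directory the backend talks to is whatever `ldap_uri` in `backend_kwargs` points at. A way to test that configuration on its own is to reproduce the backend's bind-and-search outside StackStorm. The script below is an added example, not code from the original post or from st2-auth-backend-ldap: it reads `backend_kwargs` out of a constructed `st2.conf` fragment (placeholder host, DNs and password, and a simpler search filter than the one in the post), flags obvious problems, and prints the `ldapsearch` line equivalent to what the backend would send. The mapping of the backend's `scope` names (`base`, `onelevel`, `subtree`) to `ldapsearch -s` values, and reading `use_tls` as "require StartTLS", are assumptions.

```python
"""
Added example, not code from the original post or from st2-auth-backend-ldap:
read the [auth] backend_kwargs JSON out of an st2.conf, sanity-check it, and
print the ldapsearch invocation that reproduces the backend's bind-and-search
so it can be tested against the directory outside StackStorm.
"""
import configparser
import json
import shlex

# Constructed st2.conf fragment with placeholder host, DNs and password.
SAMPLE_ST2_CONF = """
[auth]
host = 0.0.0.0
port = 9100
mode = standalone
backend = ldap
backend_kwargs = { "ldap_uri": "ldap://ldap.example.com", "use_tls": false, "bind_dn": "svc-st2@example.com", "bind_pw": "placeholder", "user": { "base_dn": "DC=example,DC=com", "scope": "subtree", "search_filter": "(&(sAMAccountName={username})(objectClass=user))" } }
"""

# Assumed mapping from the backend's scope names to ldapsearch -s values.
SCOPE_FLAGS = {"base": "base", "onelevel": "one", "subtree": "sub"}


def load_backend_kwargs(conf_text):
    """Parse the [auth] section and decode backend_kwargs, which is JSON."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return json.loads(cp.get("auth", "backend_kwargs"))


def check_backend_kwargs(kwargs):
    """Return a list of findings; an empty list means the kwargs look usable."""
    findings = []
    for key in ("ldap_uri", "bind_dn", "bind_pw", "user"):
        if key not in kwargs:
            findings.append("missing key: " + key)
    uri = kwargs.get("ldap_uri", "")
    if not uri.startswith(("ldap://", "ldaps://")):
        findings.append("ldap_uri must start with ldap:// or ldaps://: " + repr(uri))
    if uri.startswith("ldap://") and not kwargs.get("use_tls", False):
        # Simple bind over plain ldap:// without StartTLS sends bind_pw in cleartext.
        findings.append("cleartext bind: ldap:// with use_tls false")
    user = kwargs.get("user", {})
    if user.get("scope", "subtree") not in SCOPE_FLAGS:
        findings.append("unknown scope: " + repr(user.get("scope")))
    if "{username}" not in user.get("search_filter", ""):
        findings.append("search_filter has no {username} placeholder")
    return findings


def escape_filter_value(value):
    """RFC 4515 escaping of an assertion value, so a username such as
    '*)(objectClass=*' cannot change the structure of the search filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def render_filter(template, username):
    """Substitute the escaped username into the configured search_filter."""
    return template.replace("{username}", escape_filter_value(username))


def ldapsearch_command(kwargs, username):
    """Build the ldapsearch line equivalent to the backend's bind + user search.
    -W prompts for bind_pw so the secret never lands in argv or shell history."""
    user = kwargs["user"]
    argv = ["ldapsearch", "-x", "-H", kwargs["ldap_uri"]]
    if kwargs.get("use_tls", False):
        argv.append("-ZZ")  # require StartTLS (assumed meaning of use_tls)
    argv += ["-D", kwargs["bind_dn"], "-W",
             "-b", user["base_dn"],
             "-s", SCOPE_FLAGS[user.get("scope", "subtree")],
             render_filter(user["search_filter"], username), "dn"]
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    kw = load_backend_kwargs(SAMPLE_ST2_CONF)
    for finding in check_backend_kwargs(kw):
        print("finding:", finding)
    print(ldapsearch_command(kw, "pgits"))
```

Point `load_backend_kwargs` at the real `/etc/st2/st2.conf` and run the printed `ldapsearch` from inside the st2 container (not from the host) to confirm that the bind DN, base DN and filter resolve the intended user from where st2auth actually runs; if that succeeds while `POST /tokens` still returns 401, the remaining difference is in the backend itself rather than in reachability of `ldap_uri`.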


(W Chan) #2

Maybe other community members will be able to help you. We do not provide technical support for the open source version of the LDAP backend.


(W Chan) #3

There is an LDAP backend that comes with the enterprise version of StackStorm. Since we developed and continuously test that version, it is easier for us to provide support for that.


(Peter Michael Gits) #4

Understood. Thanks.

Peter M. Gits