[OOD-users] Dashboard not available for active directory accounts

Franz, Eric efranz at osc.edu
Wed Oct 10 12:14:46 EDT 2018


Andre,

For OnDemand a requirement is that each authenticated user has their own separate system account. This is because web servers run as the user and assume they are running as the user (and acting on behalf of the user). To implement this mapping, see https://osc.github.io/ood-documentation/master/authentication/overview.html and in particular https://osc.github.io/ood-documentation/master/authentication/overview/map-user.html

And see https://osc.github.io/ood-documentation/master/infrastructure/ood-portal-generator/configuration.html#ood-portal-generator-configuration for the user_map_cmd and user_env options (user_env refers to the Apache named variable that will contain the information in that request necessary for the user_map_cmd to produce a corresponding system user). If you modify the ood-portal-generator config, you will need to run the ood-portal-generator script that re-generates the corresponding Apache config.

Note that user_map_cmd could be any shell script you deploy on the web node, so if you can’t use a regular expression and instead need to look up the corresponding system user for the given AD user in a database or gridmap file this is an option: /opt/ood/ood_auth_map/bin/ood_auth_map.mapfile

Here is a description of the grid-mapfile file: http://toolkit.globus.org/toolkit/docs/2.4/gsi/grid-mapfile_v11.html

> The grid-mapfile file is plain text file, containing a quoted GSI Credential Name (the subject of an X509 certificate) and an unquoted local user name.

For example, you could use this script and have a map file with a line like:

"john.smith" jsmith

Assuming that jsmith was the system user corresponding to john.smith AD user.

Thanks,
Eric

---
Eric Franz, Senior Web & Interface App Engineer
Ohio Supercomputer Center
An Ohio Technology Consortium (OH-TECH) Member
1224 Kinnear Road
Columbus, OH 43212
email: efranz at osc.edu
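
Added example, not part of the message above and not OnDemand's own code: a minimal fail-closed lookup of the kind a shell user_map_cmd could do against a grid-mapfile style file. It assumes the command receives the authenticated name as its first argument and prints the system user on stdout; the map_user function name and the /etc/ood/ad-users.mapfile path are hypothetical.

```shell
#!/bin/sh
# Added example (not OnDemand code): fail-closed grid-mapfile lookup.
# Assumption: called as user_map_cmd with the authenticated name as $1,
# prints the system user on stdout, prints nothing when no mapping exists.
LC_ALL=C; export LC_ALL                       # make [a-z] ranges byte-exact
MAPFILE=${MAPFILE:-/etc/ood/ad-users.mapfile} # hypothetical path

map_user() {
    # $1 = mapfile path, $2 = authenticated (AD) user name
    [ -n "$2" ] && [ -r "$1" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            \"*\"*) ;;            # "quoted name" localuser
            *) continue ;;        # blank, comment or malformed line
        esac
        rest=${line#\"}
        name=${rest%%\"*}         # text between the quotes
        localuser=${rest#*\"}     # text after the closing quote
        # Literal comparison: no regex or glob meaning for the AD name.
        [ "$name" = "$2" ] || continue
        # Trim surrounding whitespace from the local user field.
        localuser=${localuser#"${localuser%%[![:space:]]*}"}
        localuser=${localuser%"${localuser##*[![:space:]]}"}
        # Accept only a conservative account-name shape; else fail closed.
        case $localuser in
            ''|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;;
        esac
        printf '%s\n' "$localuser"
        return 0
    done < "$1"
    return 1
}

# Run as a command only when given an argument.
[ "$#" -eq 0 ] || map_user "$MAPFILE" "$1"
```

Because the authenticated name is compared as a literal string and the local user field is checked before it is printed, a near-miss name or a malformed map entry produces no output rather than a wrong account.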

From: Andre Torres <andre.torres at ibmc.up.pt>
Date: Wednesday, October 10, 2018 at 11:49 AM
To: "Franz, Eric" <efranz at osc.edu>
Subject: Re: [OOD-users] Dashboard not available for active directory accounts

I don’t have a system account named john.smith. Is it necessary to have a system account? I think I can’t create a system account with the same name from an existing AD user.
How can I map an AD user to a system account?

Thanks,
Andre





From: "Franz, Eric" <efranz at osc.edu>
Date: Wednesday, 10 October 2018 at 15:36
To: Andre Torres <andre.torres at ibmc.up.pt>, User support mailing list for Open OnDemand <ood-users at lists.osc.edu>
Subject: Re: [OOD-users] Dashboard not available for active directory accounts

Andre,

Looks like that error is occurring here:

https://github.com/OSC/nginx_stage/blob/17a315d32849c77f038747ab8b2effae57a71d99/lib/nginx_stage/user.rb#L36

The system user it is looking for is "john.smith" and Etc.getpwnam is likely raising an ArgumentError. Do you have a system account "john.smith" or is the logged in user "john.smith" meant to be mapped to a different system user like jsmith or john_smith etc.?

Thanks,
Eric


From: OOD-users <ood-users-bounces+efranz=osc.edu at lists.osc.edu> on behalf of Andre Torres via OOD-users <ood-users at lists.osc.edu>
Reply-To: Andre Torres <andre.torres at ibmc.up.pt>, User support mailing list for Open OnDemand <ood-users at lists.osc.edu>
Date: Wednesday, October 10, 2018 at 7:36 AM
To: "ood-users at lists.osc.edu" <ood-users at lists.osc.edu>
Subject: [OOD-users] Dashboard not available for active directory accounts

Hi,

I have configured Active Directory authentication for ood, but when I login I receive the following message:

Error -- user doesn't exist: john.smith
Run 'nginx_stage --help' to see a full list of available command line options.

I have the home dirs in an NFS share. Can anyone help me?

Thanks in advance,
Andre



