Pivotal Knowledge Base

Configuring LDAP Requires a Group Search Base

Symptoms

After upgrading from Pivotal Cloud Foundry® 1.3.x, where LDAP was configured and working properly, users can no longer log in.

When installing and configuring Pivotal Cloud Foundry (PCF) to use LDAP for authentication, LDAP users can be looked up, but they still cannot log in.

Products

PCF 1.4.x

Cause

When installing and configuring PCF to use LDAP for authentication, you currently need to populate the LDAP Group Search Base field, even if you are not mapping LDAP groups to groups in PCF.

This also applies to users who have upgraded from PCF 1.3.x to 1.4.x, because the PCF 1.3.x configuration did not have the group configuration fields. When upgrading, you therefore need to populate this field.

The field is required because of the underlying UAA configuration that Ops Manager generates. The UAA component has a property that enables a given UAA scope to map to an LDAP group. The property is called uaa.ldap.groups.profile_type, and Ops Manager 1.4 sets it to groups-map-to-scopes. This value signals to the UAA that the LDAP Group Search Base is required, and the UAA treats it that way, so an empty value causes an error.

Resolution

To work around this issue, populate the LDAP Group Search Base field with a legitimate value. This can be any arbitrary DN so long as it exists in your LDAP structure. When in doubt, you should be able to use the same value that is set in the LDAP Search Base field.
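The condition described under Cause and the workaround above can be checked before applying changes. The following is an added example, not code from Pivotal or Ops Manager: it takes a flat dictionary of LDAP settings, flags an empty or malformed group search base when the profile type is groups-map-to-scopes, and suggests the user search base as the fallback. Only uaa.ldap.groups.profile_type comes from the article; the two search-base key names and the sample values are assumptions made for the example.

```python
import re

# Property name taken from the article.
PROFILE_TYPE_KEY = "uaa.ldap.groups.profile_type"
# Assumed key names for this example; the article only names the Ops Manager
# fields "LDAP Search Base" and "LDAP Group Search Base".
USER_BASE_KEY = "ldap.search_base"
GROUP_BASE_KEY = "ldap.group_search_base"

# One RDN: attribute type, "=", non-empty value (escaped commas allowed).
_RDN = re.compile(r"^\s*[A-Za-z][A-Za-z0-9-]*\s*=\s*(?:\\.|[^,\\])+$")


def looks_like_dn(value):
    """Syntactic check only; it cannot prove the entry exists in the directory."""
    if not value or not value.strip():
        return False
    rdns = re.split(r"(?<!\\),", value)  # split on unescaped commas
    return all(_RDN.match(rdn) for rdn in rdns)


def check_ldap_config(props):
    """Return (problems, suggestion) for a flat dict of LDAP settings."""
    problems, suggestion = [], None
    profile = props.get(PROFILE_TYPE_KEY, "")
    group_base = (props.get(GROUP_BASE_KEY) or "").strip()
    user_base = (props.get(USER_BASE_KEY) or "").strip()

    if profile == "groups-map-to-scopes":
        if not group_base:
            problems.append("group search base is empty but profile_type requires it")
            # Workaround from the article: reuse the LDAP Search Base value.
            if looks_like_dn(user_base):
                suggestion = user_base
        elif not looks_like_dn(group_base):
            problems.append("group search base is not a well-formed DN")
    return problems, suggestion


# Constructed sample: a configuration carried over from 1.3.x, where the
# group fields did not exist and the group search base is therefore empty.
UPGRADED = {
    PROFILE_TYPE_KEY: "groups-map-to-scopes",
    USER_BASE_KEY: "ou=people,dc=example,dc=com",
    GROUP_BASE_KEY: "",
}

if __name__ == "__main__":
    print(check_ldap_config(UPGRADED))
```

The DN check is purely syntactic, so the chosen value still has to be confirmed against the directory itself.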

A fix for this issue is planned for PCF 1.5.

Impact / Risk

If you do not populate the LDAP Group Search Base field prior to installing, users will not be able to log in to the system. This is especially important when upgrading a system, as users would be unable to log in until the configuration is fixed and applied through Ops Manager.
