OneFuse LDAP Troubleshooting


In this article, we will go over troubleshooting LDAP in OneFuse.

Considerations

OneFuse must be installed and configured, and LDAP should already be set up. If it is not, refer to the article Configure LDAP Authentication for OneFuse for how to set up LDAP.

Troubleshooting

SSH into the OneFuse Appliance

Once we’re connected to the appliance, we can open Shell Plus

/opt/cloudbolt/manage.py shell_plus

View current LDAP Configuration

Assign the LDAPUtility object for your domain to the variable ldap

  • Note: Replace domain.net with your actual domain

ldap = LDAPUtility.objects.get(ldap_domain="domain.net")

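View the LDAP configuration using __dict__. The dictionary includes the serviceaccount and servicepasswd fields, so review the output before sharing it.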

ldap.__dict__

Output (Example)

Out[6]:
{'_state': <django.db.models.base.ModelState at 0x7f5d0b30bcc0>,
 'id': 1,
 'ip': '192.168.1.1',
 'port': 389,
 'protocol': 'ldap',
 'version': '3',
 'serviceaccount': 'admin@domain.net',
 'servicepasswd': '',
 'ldap_domain': 'domain.net',
 'base_dn': 'DC=domain,DC=net',
 'ldap_filter': None,
 'disabled_filter': 'userAccountControl:1.2.840.113556.1.4.803:=2',
 'ldap_username': 'sAMAccountName',
 'ldap_first': 'givenName',
 'ldap_last': 'sn',
 'ldap_mail': 'mail',
 'email_format': None,
 'auto_create_user': True}

Search for user in LDAP

Run a user search from the ldap object we created above

ldap.runUserSearch(username="admin")

Output (Good)

Out[11]: [('CN=Admin,OU=Users,DC=domain,DC=net', {})]

Output (Bad)

  • Note: Your base_dn might need to be updated, which is covered in the next section.

Out[7]: []

Update LDAP Properties

Update the base_dn property or any others that need to be adjusted

ldap.base_dn = "DC=domain,DC=net"

  • Note: The base DN is used for user and group search. It is recommended to keep it closer to the root DN.

(Optional) Feel free to update any other properties at this point using the example below. The properties are the ones listed above when we ran the __dict__ command.

ldap.ldapproperty = newvalue

Once we’ve updated all our properties, we need to save the object

ldap.save()

To verify the changes are made, run the below command

ldap.__dict__

View LDAP Mappings

View the LDAP Mappings you configured by running this command

ldap.ldapmapping_set.all()

Output (Example)

<QuerySet [<LDAPMapping: LDAPMapping object (1)>, <LDAPMapping: LDAPMapping object (2)>]>

Let’s grab the first object and return the properties it has

ldap.ldapmapping_set.first().__dict__

Output (Example)

{'_state': <django.db.models.base.ModelState at 0x7f5d0aa04160>,
 'id': 1,
 'ldap_utility_id': 1,
 'ldap_ou_dn': '',
 'ldap_group_dn': 'CN=GirAdmins,OU=orisa,OU=build,DC=domain,DC=net',
 'is_cbadmin': False,
 'is_super_admin': False,
 'is_devops_admin': False,
 'has_api_access': True,
 'is_global_viewer': False}

If there are multiple mappings and you want to see them all, we can loop through them and return any of the properties on each. We’ll assign the ldapmapping_set to maps and then loop through it to return the ldap_group_dn for each

maps = ldap.ldapmapping_set.all()

for map in maps:
    print(map.ldap_group_dn)

Output (Example)

CN=GirAdmins,OU=orisa,OU=build,DC=domain,DC=net
CN=GirUsers,OU=orisa,OU=build,DC=domain,DC=net
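
The review below is an added example, not part of OneFuse or the original article. It takes dictionaries shaped like the __dict__ output above and flags plain-LDAP transport, a base_dn outside the domain, group DNs outside base_dn, and mappings that set privilege flags. The function names and sample data are constructed for illustration, and DN parsing is simplified (escaped commas are not handled).

```python
# Added example: constructed names and sample data, not OneFuse code.
PRIVILEGE_FLAGS = ("is_cbadmin", "is_super_admin", "is_devops_admin",
                   "has_api_access", "is_global_viewer")


def dn_parts(dn):
    """Split a DN into lower-cased RDNs (simplified: no escaped commas)."""
    return [p.strip().lower() for p in (dn or "").split(",") if p.strip()]


def is_under(dn, base_dn):
    """True when dn equals base_dn or sits below it in the tree."""
    parts, base = dn_parts(dn), dn_parts(base_dn)
    return bool(base) and parts[-len(base):] == base


def audit_ldap(config, mappings):
    """Return findings for one LDAP configuration dict and its mapping dicts."""
    findings = []
    if config.get("protocol") == "ldap":
        findings.append("protocol 'ldap' on port %s is plain LDAP: confirm how "
                        "the service-account bind is protected in transit"
                        % config.get("port"))
    domain_dn = ",".join("DC=" + d for d in config["ldap_domain"].split("."))
    if not is_under(config.get("base_dn"), domain_dn):
        findings.append("base_dn %r is not under %s"
                        % (config.get("base_dn"), domain_dn))
    for m in mappings:
        mid, group = m.get("id"), m.get("ldap_group_dn")
        if group and not is_under(group, config.get("base_dn")):
            findings.append("mapping %s: %r is outside base_dn" % (mid, group))
        flags = [f for f in PRIVILEGE_FLAGS if m.get(f)]
        if flags:
            findings.append("mapping %s sets %s" % (mid, ", ".join(flags)))
    return findings


# Constructed sample input modelled on the example output above.
SAMPLE_CONFIG = {"protocol": "ldap", "port": 389, "ldap_domain": "domain.net",
                 "base_dn": "OU=build,DC=domain,DC=net"}
SAMPLE_MAPPINGS = [
    {"id": 1, "ldap_ou_dn": "", "has_api_access": True,
     "ldap_group_dn": "CN=GirAdmins,OU=orisa,OU=build,DC=domain,DC=net"},
    {"id": 2, "ldap_ou_dn": "", "is_super_admin": True,
     "ldap_group_dn": "CN=GirUsers,OU=Users,DC=domain,DC=net"},
]

if __name__ == "__main__":
    print("\n".join(audit_ldap(SAMPLE_CONFIG, SAMPLE_MAPPINGS)))
```

Inside shell_plus, the same function can be given ldap.__dict__ and [m.__dict__ for m in ldap.ldapmapping_set.all()].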

Update LDAP Mapping

If we ran the above commands, we should still have maps, so we can use it to update the properties of an LDAP mapping. We’ll assign the first element in maps to a variable, so that the change and the save act on the same object (indexing a queryset that has not been evaluated returns a new object each time), and update its ldap_group_dn

mapping = maps[0]

mapping.ldap_group_dn = 'CN=GirAdminss,OU=orisa,OU=build,DC=domain,DC=net'

Once we’ve made our changes, we’ll need to save it

mapping.save()

We can make sure the changes took effect by running the __dict__ command

mapping.__dict__

Output (Example)

{'_state': <django.db.models.base.ModelState at 0x7f5d0a4b8a58>,
 'id': 1,
 'ldap_utility_id': 1,
 'ldap_ou_dn': '',
 'ldap_group_dn': 'CN=GirAdminss,OU=orisa,OU=build,DC=domain,DC=net',
 'is_cbadmin': False,
 'is_super_admin': False,
 'is_devops_admin': False,
 'has_api_access': True,
 'is_global_viewer': False}

Delete LDAP Mappings

If we still have maps, we can loop through it and delete the LDAP mappings. If not, we can run the first command below to assign it

maps = ldap.ldapmapping_set.all()

for map in maps:
    map.delete()

ldap.ldapmapping_set.all()

Output (Good)

<QuerySet []>

Delete LDAP Configuration

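We can delete the entire LDAP configuration by running the commands below. As the example output shows, the delete cascades to related records (here a UserProfile and a GroupRoleMembership).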

ldap = LDAPUtility.objects.get(ldap_domain="domain.net")

ldap.delete()

Output (Good)

(3,
 {'accounts.UserProfile_custom_field_values': 0,
  'accounts.PasswordHistory': 0,
  'sso.BaseSSOProvider_contact_person': 0,
  'bookmarks.Bookmark': 0,
  'portals.PortalConfig_ldaps': 0,
  'utilities.LDAPUtility': 1,
  'accounts.GroupRoleMembership': 1,
  'accounts.UserProfile': 1})

Now we can verify that it’s deleted

LDAPUtility.objects.get(ldap_domain="domain.net")

Output (Good)

---------------------------------------------------------------------------
DoesNotExist                              Traceback (most recent call last)
<ipython-input-17-e9b78a601e50> in <module>
----> 1 ldap = LDAPUtility.objects.get(ldap_domain="domain.net")

/usr/local/lib/python3.6/site-packages/django/db/models/manager.py in manager_method(self, *args, **kwargs)
     80         def create_method(name, method):
     81             def manager_method(self, *args, **kwargs):
---> 82                 return getattr(self.get_queryset(), name)(*args, **kwargs)
     83             manager_method.__name__ = method.__name__
     84             manager_method.__doc__ = method.__doc__

/usr/local/lib/python3.6/site-packages/django/db/models/query.py in get(self, *args, **kwargs)
    406             raise self.model.DoesNotExist(
    407                 "%s matching query does not exist." %
--> 408                 self.model._meta.object_name
    409             )
    410         raise self.model.MultipleObjectsReturned(

DoesNotExist: LDAPUtility matching query does not exist.

Additional Information

Configure LDAP Authentication for OneFuse
