Salt: Eauth (ERROR :Exception occurred while authenticating: 'dict' object has no attribute 'endswith')

Created on 1 Apr 2018 · 10 Comments · Source: saltstack/salt

Hello Team,
Eauth is not working.
My settings are below:
auth.ldap.uri: 'ldaps://ipa.example.com'
auth.ldap.scope: 2
auth.ldap.no_verify: False
auth.ldap.groupclass: 'posixGroup'
auth.ldap.filter: '(uid={{ username }})'
auth.ldap.basedn: 'cn=users,cn=accounts,dc=infra,dc=example,dc=com'
auth.ldap.binddn: 'uid=admin,cn=users,cn=accounts,dc=infra,dc=example,dc=com'
auth.ldap.bindpw: 'password'
auth.ldap.groupou: 'Groups'
auth.ldap.freeipa: True
external_auth:
ldap:
- ipausers@:
- '*':
- test.ping

The logs are shown below:
/var/log/salt/master
2018-04-01 12:55:32,874 [salt.utils.lazy ][DEBUG ][31930] LazyLoaded ldap.auth
2018-04-01 12:55:32,962 [salt.loaded.int.auth.ldap][DEBUG ][31930] Running LDAP user dn search with filter:(uid=test), dn:cn=users,cn=accounts,dc=infra,dc=com,dc=example, scope:2
2018-04-01 12:55:32,970 [salt.loaded.int.auth.ldap][DEBUG ][31930] Attempting LDAP bind with user dn: uid=test,cn=users,cn=accounts,dc=infra,dc=com,dc=example
2018-04-01 12:55:32,988 [salt.loaded.int.auth.ldap][DEBUG ][31930] Successfully authenticated user dn via LDAP: uid=test,cn=users,cn=accounts,dc=infra,dc=com,dc=example
2018-04-01 12:55:32,989 [salt.loaded.int.auth.ldap][DEBUG ][31930] ldap bind to determine group membership succeeded!

2018-04-01 12:55:32,989 [salt.master ][ERROR ][31930] Exception occurred while authenticating: 'dict' object has no attribute 'endswith'

2018-04-01 12:55:32,991 [salt.master ][ERROR ][31930] ['Traceback (most recent call last):\n', '  File "/usr/lib/python2.7/site-packages/salt/master.py", line 2070, in publish\n    group_perm_keys = [item for item in self.opts['external_auth'][extra['eauth']] if item.endswith('%')]  # The configured auth groups\n', "AttributeError: 'dict' object has no attribute 'endswith'\n"]

2018-04-01 12:55:35,080 [salt.transport.mixins.auth][INFO ][31931] Authentication request from inslt01p1.infra.smf1.mobitv
2018-04-01 12:55:35,083 [salt.transport.mixins.auth][INFO ][31931] Authentication accepted from salt.example.com
2018-04-01 12:55:35,138 [salt.utils.event ][DEBUG ][31931] Sending event: tag = salt/auth; data = {'id': 'salt.example.com', '_stamp': '2018-04-01T12:55:35.138599', 'result': True, 'pub': '-----BEGIN PUBLIC KEY-----nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsbI4MDokR3xy2oCGlCZ1nNX7CNF0I5xRkrN01mMmbi20QDJsGymszA3PCP9FKPh+vFfTh6HtRpK/ltOd1CaifnYdfLobrG60CiOLjLHb027fWK4wIp0lT1/RUwasgCJDaWZnCLlCP2qmIvlI1a+vM1nxWu6Qd7Hu+pNc2uC/7IGl9O9OfN3bvnrIRz3n27VqfGE2Gm/SJmq6WUaTn/9/TBXn6QQlGEHDnezkvqG/ykIsk/ehWv1voGopVtCLgYAMzpRxcHKMHjH+V9lK0RnELaidnDi2m0bRTXvAR0gBShsLsZ35U/1VhJmZFLkgGKnK4uIszFD7nmU9Xml1tcMjmo08SnZwIDAQABn-----END PUBLIC KEY-----', 'act': 'accept'}

salt --versions-report

Salt Version:
Salt: 2016.11.4

Dependency Versions:
cffi: 1.6.0
cherrypy: 3.2.2
dateutil: 1.5
docker-py: Not Installed
gitdb: Not Installed
gitpython: Not Installed
ioflo: Not Installed
Jinja2: 2.7.2
libgit2: 0.24.6
libnacl: Not Installed
M2Crypto: Not Installed
Mako: Not Installed
msgpack-pure: Not Installed
msgpack-python: 0.4.8
mysql-python: Not Installed
pycparser: 2.14
pycrypto: 2.6.1
pycryptodome: 3.4.3
pygit2: 0.24.2
Python: 2.7.5 (default, Nov 6 2016, 00:28:07)
python-gnupg: Not Installed
PyYAML: 3.11
PyZMQ: 15.3.0
RAET: Not Installed
smmap: Not Installed
timelib: Not Installed
Tornado: 4.2.1
ZMQ: 4.1.4

System Versions:
dist: centos 7.3.1611 Core
machine: x86_64
release: 3.10.0-514.26.2.el7.x86_64
system: Linux
version: CentOS Linux 7.3.1611 Core


As per Ticket:27138 I have formatted eauth as follows and the tab error is gone, but the command does not work.
salt -a ldap 'test.example.com' test.ping
username: test
password:
Failed to authenticate! This is most likely because this user is not permitted to execute commands, but there is a small possibility that a disk error occurred (check disk/inode usage).

external_auth:
ldap:
ipausers%:
- '*':
- test.ping
Log file /var/log/salt/master:

2018-04-01 13:15:58,892 [salt.transport.mixins.auth][INFO ][7912] Authentication request from salt.example.com
2018-04-01 13:15:58,896 [salt.transport.mixins.auth][INFO ][7912] Authentication accepted from salt.example.com
2018-04-01 13:15:58,957 [salt.transport.ipc][DEBUG ][7912] Initializing new IPCClient for path: /var/run/salt/master/master_event_pull.ipc
2018-04-01 13:15:58,960 [salt.utils.event ][DEBUG ][7912] Sending event: tag = salt/auth; data = {'id': 'salt.example.com', '_stamp': '2018-04-01T13:15:58.960026', 'result': True, 'pub': '-----BEGIN PUBLIC KEY-----nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsbI4MDokR3xy2oCGlCZ1nNX7CNF0I5xRkrN01mMmbi20QDJsGymszA3PCP9FKPh+vFfTh6HtRpK/ltOd1CaifnYdfLobrG60CiOLjLHb027fWK4wIp0lT1/RUwasgCJDaWZnCLlCP2qmIvlI1a+vM1nxWu6Qd7Hu+pNc2uC/7IGl9O9OfN3bvnrIRz3n27VqfGE2Gm/SJmq6WUaTn/9/TBXn6QQlGEHDnezkvqG/ykIsk/ehWv1voGopVtCLgYAMzpRxcHKMHjH+V9lK0RnELaidnDi2m0bRTXvAR0gBShsLsZ35U/1VhJmZFLkgGKnK4uIszFD7nmU9Xml1tcMjmo08SnZwIDAQABn-----END PUBLIC KEY-----', 'act': 'accept'}
2018-04-01 13:16:06,652 [salt.utils.lazy ][DEBUG ][7911] LazyLoaded ldap.auth
2018-04-01 13:16:06,795 [salt.loaded.int.auth.ldap][DEBUG ][7911] Running LDAP user dn search with filter:(uid=test), dn:cn=users,cn=accounts,dc=infra,dc=com,dc=example, scope:2
2018-04-01 13:16:06,804 [salt.loaded.int.auth.ldap][DEBUG ][7911] Attempting LDAP bind with user dn: uid=test,cn=users,cn=accounts,dc=infra,dc=com,dc=example
2018-04-01 13:16:06,827 [salt.loaded.int.auth.ldap][DEBUG ][7911] Successfully authenticated user dn via LDAP: uid=test,cn=users,cn=accounts,dc=infra,dc=com,dc=example
2018-04-01 13:16:06,827 [salt.loaded.int.auth.ldap][DEBUG ][7911] ldap bind to determine group membership succeeded!
2018-04-01 13:16:06,828 [salt.master ][WARNING ][7911] Authentication failure of type "eauth" occurred.
2018-04-01 13:16:08,989 [salt.transport.mixins.auth][INFO ][7915] Authentication request from salt.example.com
2018-04-01 13:16:08,993 [salt.transport.mixins.auth][INFO ][7915] Authentication accepted from salt.example.com
2018-04-01 13:16:09,048 [salt.transport.ipc][DEBUG ][7915] Initializing new IPCClient for path: /var/run/salt/master/master_event_pull.ipc
2018-04-01 13:16:09,050 [salt.utils.event ][DEBUG ][7915] Sending event: tag = salt/auth; data = {'id': 'salt.example.com', '_stamp': '2018-04-01T13:16:09.050536', 'result': True, 'pub': '-----BEGIN PUBLIC KEY-----nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsbI4MDokR3xy2oCGlCZ1nNX7CNF0I5xRkrN01mMmbi20QDJsGymszA3PCP9FKPh+vFfTh6HtRpK/ltOd1CaifnYdfLobrG60CiOLjLHb027fWK4wIp0lT1/RUwasgCJDaWZnCLlCP2qmIvlI1a+vM1nxWu6Qd7Hu+pNc2uC/7IGl9O9OfN3bvnrIRz3n27VqfGE2Gm/SJmq6WUaTn/9/TBXn6QQlGEHDnezkvqG/ykIsk/ehWv1voGopVtCLgYAMzpRxcHKMHjH+V9lK0RnELaidnDi2m0bRTXvAR0gBShsLsZ35U/1VhJmZFLkgGKnK4uIszFD7nmU9Xml1tcMjmo08SnZwIDAQABn-----END PUBLIC KEY-----', 'act': 'accept'}

Please let me know if you need more info

Even this method is not working.

I have referred to these tickets and tried all the methods, but the results are the same.

A single LDAP user is working, but not a group.

/etc/salt/master
auth.ldap.server: 'freeipa'
auth.ldap.uri: 'ldaps://freeipa'
auth.ldap.scope: 2
auth.ldap.port: 389
auth.ldap.tls: False
auth.ldap.no_verify: False
auth.ldap.anonymous: False
auth.ldap.auth_by_group_membership_only: False
auth.ldap.groupclass: 'posixGroup'
auth.ldap.accountattributename: 'memberUid'
auth.ldap.groupattribute: 'memberUid'
auth.ldap.filter: '(uid={{ username }})'
auth.ldap.basedn: 'cn=users,cn=accounts,dc=infra,dc=com,dc=example'
auth.ldap.binddn: 'uid=admin,cn=users,cn=accounts,dc=infra,dc=smf1,dc=example'
auth.ldap.bindpw: 'password'
auth.ldap.groupou: 'Groups'
auth.ldap.freeipa: True
external_auth:
ldap:
sudo%:
- 'test.server':
- test.ping
- cmd.run

2018-04-01 15:35:39,313 [salt.loaded.int.auth.ldap][DEBUG ][20285] Attempting LDAP bind with user dn: uid=kthakur,cn=users,cn=accounts,dc=infra,dc=com,dc=example
2018-04-01 15:35:39,335 [salt.loaded.int.auth.ldap][DEBUG ][20285] Successfully authenticated user dn via LDAP: uid=kthakur,cn=users,cn=accounts,dc=infra,dc=com,dc=example
2018-04-01 15:35:39,336 [salt.loaded.int.auth.ldap][DEBUG ][20285] ldap bind to determine group membership succeeded!
2018-04-01 15:35:39,337 [salt.master ][WARNING ][20285] Authentication failure of type "eauth" occurred.

id kthakur
uid=53100503(kthakur) gid=53100503(kthakur) groups=53100503(kthakur),1039(clienteng),1040(servereng),1006(sudo),1047(devops),53000003(jenkins-admin),53000000(admins),1001(rtv),100(users)

salt -a ldap test.server
username: kthakur
password:
Failed to authenticate! This is most likely because this user is not permitted to execute commands, but there is a small possibility that a disk error occurred (check disk/inode usage).

Hi, this is my config and it's working for users and groups:

##### LDAP configurations #####
###############################
external_auth:
  ldap:
    some-group%:
      - '.*'
      - '@wheel'
      - '@runner'
    some-user:
      - '@wheel'

auth.ldap.activedirectory: False
auth.ldap.freeipa: True

auth.ldap.no_verify: False
auth.ldap.anonymous: False
auth.ldap.tls: True

auth.ldap.uri: 'ldaps://ldap-server.example.com'
auth.ldap.server: 'ldap-server.example.com'
auth.ldap.port: '636'

auth.ldap.binddn: 'uid=authproxy,cn=sysaccounts,cn=etc,dc=example,dc=com'
auth.ldap.bindpw: somepass
auth.ldap.scope: 2

auth.ldap.auth_by_group_membership_only: False
auth.ldap.basedn: 'cn=accounts,dc=example,dc=com'
auth.ldap.accountattributename: 'member'
auth.ldap.filter: '(uid={{ username }})'

auth.ldap.groupou: 'Groups'
auth.ldap.groupclass: 'posixGroup'
auth.ldap.group_basedn: 'cn=groups,cn=accounts,dc=example,dc=com'
auth.ldap.group_filter: '(&(member=uid={{ username }},cn=users,cn=accounts,dc=example,dc=com)(objectClass=posixgroup))'
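As an added example (not Salt's code and not the commenter's), the check below mirrors the list comprehension from the traceback in the issue body (`master.py` line 2070) to show why list dashes under `external_auth.ldap` produce `'dict' object has no attribute 'endswith'`, and validates a block in the mapping shape shown in the config above before the master is reloaded. The `permissions_for` lookup is a simplified, assumed model of how user and `group%` entries combine, not Salt's actual resolver.

```python
# Added example, not Salt's own code: reproduces the failure from the traceback
# in this issue and checks external_auth for that shape error ahead of time.

def group_perm_keys(eauth_section):
    # Same comprehension as master.py line 2070 in the traceback:
    # keys of external_auth[<eauth>] must be strings; groups end in '%'.
    return [item for item in eauth_section if item.endswith('%')]


def validate_external_auth(external_auth, backend="ldap"):
    """Return a list of problems with external_auth[backend]; [] means OK."""
    problems = []
    section = external_auth.get(backend)
    if not isinstance(section, dict):
        # A leading '- ' in the YAML turns the mapping into a list of dicts,
        # which is exactly what the master's .endswith() call trips over.
        problems.append("%s: expected a mapping of user/group -> permissions, got %s "
                        "(remove the list dashes)" % (backend, type(section).__name__))
        return problems
    for name, perms in section.items():
        if not isinstance(name, str):
            problems.append("%r: user/group key must be a string" % (name,))
            continue
        if name.endswith("@"):
            problems.append("%s: the master only treats keys ending in '%%' as groups" % name)
        if not isinstance(perms, list):
            problems.append("%s: permissions must be a list" % name)
    return problems


def permissions_for(eauth_section, user, groups):
    """Simplified (assumed) lookup: the user's own entry plus every matching 'group%' entry."""
    allowed = list(eauth_section.get(user, []))
    for key in group_perm_keys(eauth_section):
        if key[:-1] in groups:
            allowed.extend(eauth_section[key])
    return allowed


# Constructed inputs: what a YAML loader produces for the two shapes seen in this issue.
BROKEN = {"ldap": [{"ipausers@": [{"*": ["test.ping"]}]}]}   # list dashes on every line
FIXED = {"ldap": {"some-group%": [".*", "@wheel", "@runner"],  # mapping shape from the config above
                  "some-user": ["@wheel"]}}

if __name__ == "__main__":
    try:
        group_perm_keys(BROKEN["ldap"])
    except AttributeError as err:
        print("master would fail:", err)
    print(validate_external_auth(BROKEN))
    print(validate_external_auth(FIXED))
    print(permissions_for(FIXED["ldap"], "some-user", ["some-group", "users"]))
```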

Thanks, @azelezni. A lot of effort went into this. Thanks for giving this.
Lots of thanks for writing this.
