PowerFlex authentication using LDAP not working when the user is a member of a different OU path from the group

Summary: After enabling LDAP authentication in the ScaleIO cluster, a user who is a member of the distribution group assigned to the LDAP service configuration was unable to log in.


Symptoms


Scenario

This problem can occur when LDAP services for ScaleIO are configured, in either the MDM cluster or the Gateway, against a single Active Directory domain, and the users and the ScaleIO group are placed in different OUs within that same domain.

Symptoms

User is in CN=testuser,OU=Users,OU=IT Dept,DC=swlab,DC=local

The group is: CN=Sio_Admin_Role,OU=GlobalGroups,OU=Groups,DC=swlab,DC=local

We can find the following warning messages in the MDM or gateway trace log.

The error message in gateway-trace.log is:

2017-06-14 11:49:46,587 [http-nio-443-exec-6] ERROR c.e.s.s.w.s.ScaleIOSecurityUtils - User testuser was not found in group CN=Sio_Admin_Role,OU=GlobalGroups,OU=Groups,DC=swlab,DC=local

Impact

Some users are unable to log in to the ScaleIO system or Gateway using LDAP authentication.

Cause

Root cause

The root cause of this issue is that the "--ldap_base_dn" parameter used when the LDAP service was added to the ScaleIO cluster pointed at too low a level of the directory tree.

See the below configuration for the above example issue:

scli --add_ldap_service --ldap_service_uri "ldap://swlab.local" --ldap_base_dn "OU=GlobalGroups,OU=Groups,DC=swlab,DC=local" --ldap_service_name testldap
scli --assign_ldap_groups_to_roles --administrator_role_dn "CN=Sio_Admin_Role,OU=GlobalGroups,OU=Groups,DC=swlab,DC=local" --monitor_role_dn "CN=Sio_Admin_Role,OU=GlobalGroups,OU=Groups,DC=swlab,DC=local" --ldap_service_name testldap

This places the base DN from which searches start too low in the AD directory tree. When the search starts at "swlab.local/Groups/GlobalGroups", LDAP cannot find a user that sits outside that subtree.

In this case "testuser" exists at "swlab.local/IT Dept/Users/testuser", so when the group "Sio_Admin_Role" is queried, the member user is again searched for only under the base DN.

The user does not exist there, and the login does not succeed.

Resolution

Workaround

To resolve this issue, re-create the LDAP service in ScaleIO and use a higher-level base_dn. For the above example, the following could be changed in the "add_ldap_service" scli command.

scli --add_ldap_service --ldap_service_uri "ldap://swlab.local" --ldap_base_dn "DC=swlab,DC=local" --ldap_service_name testldap

By changing the base_dn to be the root of the domain, LDAP can query any OU or CN for the appropriate user that is a member of the SIO role group.
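The following is an added example, not Dell's code, that models the cause and the fix described above: a subtree search rooted at the group's OU cannot see an account under a different OU, while a search rooted at the domain can. The directory entries and the find_user_in_group function are constructed for illustration and use only the standard library.

```python
# Added example (not Dell's code): why the ScaleIO LDAP lookup fails when
# --ldap_base_dn sits below the user's OU. DIRECTORY is constructed sample data.
from typing import Dict, List

def parse_dn(dn: str) -> List[str]:
    """Split a DN into normalised RDNs (case-folded, whitespace trimmed).
    Handles backslash-escaped commas; multi-valued RDNs are not covered."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escaped char with its backslash
            cur += dn[i:i + 2]
            i += 2
            continue
        if ch == ",":
            rdns.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    rdns.append(cur)
    out = []
    for r in rdns:
        attr, _, val = r.partition("=")
        out.append(f"{attr.strip().lower()}={val.strip().lower()}")
    return out

def in_subtree(dn: str, base_dn: str) -> bool:
    """True if dn is base_dn itself or lies anywhere below it."""
    d, b = parse_dn(dn), parse_dn(base_dn)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

# Constructed directory mirroring the article's layout: DN -> attributes.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=testuser,OU=Users,OU=IT Dept,DC=swlab,DC=local": {"sAMAccountName": ["testuser"]},
    "CN=Sio_Admin_Role,OU=GlobalGroups,OU=Groups,DC=swlab,DC=local": {
        "member": ["CN=testuser,OU=Users,OU=IT Dept,DC=swlab,DC=local"]},
}

def find_user_in_group(username: str, group_dn: str, base_dn: str) -> bool:
    """Mimic the gateway check: subtree-search base_dn for the account,
    then confirm the group's member attribute lists that account's DN."""
    if group_dn not in DIRECTORY:
        return False
    members = [parse_dn(m) for m in DIRECTORY[group_dn].get("member", [])]
    for dn, attrs in DIRECTORY.items():
        if username in attrs.get("sAMAccountName", []) and in_subtree(dn, base_dn):
            return parse_dn(dn) in members
    return False   # account exists, but outside the search base: "not found in group"

GROUP = "CN=Sio_Admin_Role,OU=GlobalGroups,OU=Groups,DC=swlab,DC=local"
if __name__ == "__main__":
    print(find_user_in_group("testuser", GROUP, "OU=GlobalGroups,OU=Groups,DC=swlab,DC=local"))  # False
    print(find_user_in_group("testuser", GROUP, "DC=swlab,DC=local"))  # True
```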

Affected Products

VxFlex Product Family

Article Properties
Article Number: 000080292
Article Type: Solution
Last Modified: 01 May 2025
Version:  4