PowerFlex Management Platform: LDAP user unable to make API calls
Summary: An LDAP-enabled user gets a "no role assigned to user" error when making API calls.
Symptoms
Scenario
An LDAP user can log in over UI but cannot make API calls. Error message as seen in the screenshot below: "No role assigned to user":
Impact
Unable to use API with LDAP user.
Cause
A software design flaw does not allow recognizing the LDAP User role if the user is only part of a Group role.
When using SSO - an LDAP user is assigned to an LDAP group, and the LDAP group is configured with a User role, the REST login command fails due to "no role assigned to user."
Resolution
The workaround is to add the User to the Remote Users/Groups section in the UI. Even if the user is already in one of the groups listed. The bug is hit when the Type User is not found for an API call.
In the image below, even though the user "xxxxx" is a member of the sio_admin Group, the user cannot make API calls until we add the user here as a Type = User.
If the user "xxxx" is removed from this section, it will not allow API calls. The user must exist with a Type = User.
Additional Information
Impacted Version
PFMP 4.x