Readiness probe fails after LDAP activation

[florianschendel]

If we enable LDAP as backend auth the netbox pod reports a readiness failure with the return value http code 500.
I checked already the ladp.yaml and the config was written in the ldap.yaml including correct user + password.

[bootc]

Could I please have the logs from the pod? A 500 error suggests your LDAP configuration isn't quite right, to be honest.

[florianschendel]

Sorry for the delay! What log files do you need? These are the logs what we see on our openshift.

🧬 loaded config '/etc/netbox/config/configuration.py'
🧬 loaded config '/etc/netbox/config/extra.py'
Operations to perform:
Apply all migrations: admin, auth, circuits, contenttypes, dcim, extras, ipam, secrets, sessions, taggit, tenancy, users, virtualization
Running migrations:
No migrations to apply.
🧬 loaded config '/etc/netbox/config/configuration.py'
🧬 loaded config '/etc/netbox/config/extra.py'
💡 Superuser Username: admin, E-Mail: [email protected]
↩️ Skipping startup scripts
✅ Initialisation is done.
⏳ Waiting for control socket to be created... (1/10)
2021/03/16 09:10:44 [warn] 1#1 Unit is running unprivileged, then it cannot use arbitrary user and group.
2021/03/16 09:10:44 [alert] 1#1 Unable to create certificates storage directory: mkdir(/opt/unit/state/certs/) failed (13: Permission denied)
2021/03/16 09:10:44 [info] 1#1 unit started
2021/03/16 09:10:44 [info] 15#15 discovery started
2021/03/16 09:10:44 [notice] 15#15 module: python 3.8.7 "/usr/lib/unit/modules/python3.unit.so"
2021/03/16 09:10:44 [info] 1#1 controller started
2021/03/16 09:10:44 [alert] 1#1 no certificates storage directory
2021/03/16 09:10:44 [notice] 1#1 process 15 exited with code 0
2021/03/16 09:10:44 [info] 17#17 router started
2021/03/16 09:10:44 [info] 17#17 OpenSSL 1.1.1j 16 Feb 2021, 101010af
⚙️ Applying configuration from /etc/unit/nginx-unit.json
2021/03/16 09:10:45 [info] 21#21 "netbox" application started
2021/03/16 09:10:47 [alert] 1#1 failed to store current configuration
✅ Unit configuration loaded successfully
2021/03/16 09:10:47 [info] 47#47 "netbox" application started
2021/03/16 09:10:47 [notice] 1#1 process 13 exited with code 0
2021/03/16 09:10:48 [info] 17#28 *46 send(129, 7FB8192F3000, 1800) failed (32: Broken pipe)
100.122.18.2 - - [16/Mar/2021:09:10:48 +0000] "GET /login/ HTTP/1.1" 500 0 "-" "kube-probe/1.19"
100.122.18.2 - - [16/Mar/2021:09:10:56 +0000] "GET /login/ HTTP/1.1" 500 1800 "-" "kube-probe/1.19"
100.122.18.2 - - [16/Mar/2021:09:11:06 +0000] "GET /login/ HTTP/1.1" 500 1800 "-" "kube-probe/1.19"
100.122.18.2 - - [16/Mar/2021:09:11:16 +0000] "GET /login/ HTTP/1.1" 500 1800 "-" "kube-probe/1.19"

[florianschendel]

In the ldap.py located under run there is no entry for my required group but valid entries for
"is_staff" or "is_superuser"

What is see on ldap.py

AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": AUTH_LDAP_REQUIRE_GROUP,

In my ldap.yml there is my entry for REQUIRE_GROUP but no entries for "is_staff" or "is_superuser"
I don´t know whether this is the root issue but I believe somewhere we need the defintion of require_group

[florianschendel]

Found the issue. If a required value is not set in the value.yml the pod crashes during startup.

[bootc]

Which required value was this, in particular? Just in case someone turns up this issue when searching for a similar problem in future.

[florianschendel]

These values were not set and my netbox fails to start and of course the health check.

userDnTemplate: null
userSearchAttr: 'sAMAccountName'
groupSearchClass: 'group'
requireGroupDn: ''
mirrorGroupsExcept: null
attrFirstName: 'givenName'
attrLastName: 'sn'
attrMail: 'mail'

I uncommented all values in the values.yaml and set it to valid parameters. I used your chart in version 2.3 and the ldap values were imported as env, missing entries came from the netbox default config or django framework - a failsafe system that not longer exists ;)

[bootc]

@florianschendel I'm not clear if any changes should be made to the chart to improve this situation. Is there anything to be done, or should we close the issue?

[bananflugan]

@florianschendel Is it possible for you to share your configuration, changing out the sensitive data for dummy data?
I am facing the exact same issue as you did and so far ive spent 5 hours trying to get LDAP to work, with no success. :/

[florianschendel]

@bananflugan
sorry for the late answer. I put the sample below, we use Active Directory. Be careful if you use "bindPassword", you can only use plain text passwords in the template. Sealed secrests will not work with this helm version.

# Remote authentication support
remoteAuth:
  enabled: true
  backend: netbox.authentication.LDAPBackend
  header: HTTP_REMOTE_USER
  autoCreateUser: true
  defaultGroups: []
  defaultPermissions: {}
  ldap:
    serverUri: 'ldap://myADserver.domain.net'
    startTls: true
    ignoreCertErrors: true
    bindDn: 'MyLDAPServiceAccount'
    bindPassword: 'myCrazyPasswort'
    userDnTemplate: null
    userSearchBaseDn: 'DC=domain,DC=net'
    userSearchAttr: 'sAMAccountName'
    groupSearchBaseDn: 'DC=domain,DC=net'
    groupSearchClass: 'group'
    groupType: 'NestedGroupOfNamesType'
    requireGroupDn: 'CN=GROUP_NETBOX_USERS,OU=Users,DC=domain,DC=net'
    findGroupPerms: true
    mirrorGroups: true
    mirrorGroupsExcept: null
    cacheTimeout: 300
    isAdminDn: 'CN=GROUP_NETBOX_ADMIN,OU=Users,DC=domain,DC=net'
    isSuperUserDn: 'CN=GROUP_NETBOX_SUPERUSER,OU=Users,DC=domain,DC=net'
    attrFirstName: 'givenName'
    attrLastName: 'sn'
    attrMail: 'mail'

[bananflugan]

@florianschendel Thank you for that! It seems that most of the different settings must have some value set for this to work. I did not use DnTemplate so had that commented out, setting this to an active null value, and also enable AdminDn solved it for me. I enabled debug log and saw log posts complaining about 'is staff' not set, which is the AdminDN.

Now the AD integration is working great!

[holmesb]

@florianschendel I'm not clear if any changes should be made to the chart to improve this situation. Is there anything to be done, or should we close the issue?

Everyone must specify all ldap values because they're commented out in values.yaml. Since remoteAuth is disabled, uncommenting won't break anything.

[holmesb]

To anyone else whose pod doesn't start after enabling ldap: you have to use an image with tag suffix "-ldap". This info is hidden away at the bottom of the readme, should really be in the values table's image.tag row. Still can't login to webui using ldap credentials though "Please enter a correct username and password"...

[GoozeyX]

@holmesb thank you this solved the issue for me! Appreciate you going the extra mile to comment on the correct solution here!

[bootc]

I just pushed f197260, does that documentation update fix this issue?

[bootc]

I've just released version 4.0.1 of this chart which resolves this issue.