Summary
This article provides additional information about a misleading error when the name of an LDAP group contains special characters.
Symptoms
After enabling LDAP authentication in OpsCenter, attempts to log in fail with errors reported in the logs. Here is an example entry from an OpsCenter 6.5 opscenterd.log:
2018-06-27 12:34:56,789 [opscenterd] ERROR: Problem while calling LoginController (UnicodeEncodeError): \
'ascii' codec can't encode character u'\xe6' in position 109: ordinal not in range(128) File "/usr/share/opscenter/lib/py/twisted/internet/defer.py", line 1122, in _inlineCallbacks result = result.throwExceptionIntoGenerator(g) File "/usr/share/opscenter/lib/py/twisted/python/failure.py", line 389, in throwExceptionIntoGenerator return g.throw(self.type, self.value, self.tb) File "/usr/share/opscenter/Lib/site-packages/opscenterd/WebServer.py", line 2842, in LoginController File "/usr/share/opscenter/lib/py/twisted/internet/defer.py", line 1122, in _inlineCallbacks result = result.throwExceptionIntoGenerator(g) File "/usr/share/opscenter/lib/py/twisted/python/failure.py", line 389, in throwExceptionIntoGenerator return g.throw(self.type, self.value, self.tb) File "/usr/share/opscenter/Lib/site-packages/opscenterd/api/LDAP.py", line 425, in authenticate File "/usr/share/opscenter/lib/py/twisted/python/threadpool.py", line 196, in _worker result = context.call(ctx, function, *args, **kwargs) File "/usr/share/opscenter/lib/py/twisted/python/context.py", line 118, in callWithContext return self.currentContext().callWithContext(ctx, func, *args, **kw) File "/usr/share/opscenter/lib/py/twisted/python/context.py", line 81, in callWithContext return func(*args,**kw) File "/usr/share/opscenter/Lib/site-packages/opscenterd/api/LDAP.py", line 329, in getUserByUsername File "/usr/share/opscenter/Lib/site-packages/opscenterd/api/LDAP.py", line 241, in memberof_search File "/usr/share/opscenter/Lib/site-packages/opscenterd/api/LDAP.py", line 279, in _choose_filtered_role File "/usr/share/opscenter/Lib/site-packages/opscenterd/TwistedRouter.py", line 53, in __init__ File "/usr/share/opscenter/Lib/site-packages/opscenterd/TwistedRouter.py", line 56, in errorpage_factory (MainThread)
Cause
OpsCenter uses role-based access control (RBAC) when authentication is enabled. When a user attempts to log in to OpsCenter with LDAP authentication and LDAP roles enabled, OpsCenter checks the LDAP directory for the user's group membership to determine which OpsCenter role to grant the user.
If OpsCenter does not find a matching OpsCenter role for a user's LDAP group, it returns an error of the form:
Error: Failed to log in: User opsuser has no matching OpsCenter role in LDAP group(s): <ldap_group>
The issue occurs when the Python code tries to include the LDAP group name in that error message: the group name contains a special (non-ASCII) character, and the default ASCII encoder cannot encode it, so the message itself fails to be produced. Instead of reporting the real issue (the missing role in OpsCenter), the log shows a UnicodeEncodeError which does not reflect the actual cause of the authentication failure.
In the example above, \xe6 is the escaped representation of the grapheme "ash" (æ, U+00E6), which is a letter in some languages including Danish, Norwegian and Icelandic. OpsCenter needs to explicitly encode the group name in UTF-8 in order to handle cases like this (OPSC-14452).
Workaround
Role permissions are stored in OpsCenter. Users must have at least one role defined and configured in OpsCenter when LDAP is enabled (see the Prerequisites for Configuring LDAP authentication for more information).
Configure the role in OpsCenter by following the steps in Adding a role for an LDAP user.
Solution
OPSC-14452 was fixed in OpsCenter 6.1.10, 6.5.3 and 6.7.1. Upgrade to the latest version of OpsCenter 6.1, 6.5 or 6.7 to get the latest fixes and improvements.