LDAP authentication fails in OpsCenter with "'ascii' codec can't encode character"

Summary

This article provides additional information about a misleading error when the name of an LDAP group contains special characters.

Symptoms

After enabling LDAP authentication in OpsCenter, attempts to login fail with errors reported in the logs. Here is an example entry from an OpsCenter 6.5 opscenterd.log:

2018-06-27 12:34:56,789 [opscenterd] ERROR: Problem while calling LoginController (UnicodeEncodeError): \
  'ascii' codec can't encode character u'\xe6' in position 109: ordinal not in range(128) 
File "/usr/share/opscenter/lib/py/twisted/internet/defer.py", line 1122, in _inlineCallbacks 
result = result.throwExceptionIntoGenerator(g)
File "/usr/share/opscenter/lib/py/twisted/python/failure.py", line 389, in throwExceptionIntoGenerator 
return g.throw(self.type, self.value, self.tb)
File "/usr/share/opscenter/Lib/site-packages/opscenterd/WebServer.py", line 2842, in LoginController
File "/usr/share/opscenter/lib/py/twisted/internet/defer.py", line 1122, in _inlineCallbacks 
result = result.throwExceptionIntoGenerator(g)
File "/usr/share/opscenter/lib/py/twisted/python/failure.py", line 389, in throwExceptionIntoGenerator 
return g.throw(self.type, self.value, self.tb)
File "/usr/share/opscenter/Lib/site-packages/opscenterd/api/LDAP.py", line 425, in authenticate
File "/usr/share/opscenter/lib/py/twisted/python/threadpool.py", line 196, in _worker 
result = context.call(ctx, function, *args, **kwargs)
File "/usr/share/opscenter/lib/py/twisted/python/context.py", line 118, in callWithContext 
return self.currentContext().callWithContext(ctx, func, *args, **kw)
File "/usr/share/opscenter/lib/py/twisted/python/context.py", line 81, in callWithContext 
return func(*args,**kw)
File "/usr/share/opscenter/Lib/site-packages/opscenterd/api/LDAP.py", line 329, in getUserByUsername
File "/usr/share/opscenter/Lib/site-packages/opscenterd/api/LDAP.py", line 241, in memberof_search
File "/usr/share/opscenter/Lib/site-packages/opscenterd/api/LDAP.py", line 279, in _choose_filtered_role
File "/usr/share/opscenter/Lib/site-packages/opscenterd/TwistedRouter.py", line 53, in __init__
File "/usr/share/opscenter/Lib/site-packages/opscenterd/TwistedRouter.py", line 56, in errorpage_factory 
(MainThread)

Cause

OpsCenter uses role-based access control (RBAC) when authentication is enabled. When a user attempts to login to OpsCenter with LDAP authentication enabled and LDAP roles, OpsCenter checks the LDAP directory for the user's group membership to determine which OpsCenter role to grant the user.

If OpsCenter does not find a matching OpsCenter role for a user's LDAP group, it returns an error of the form:

Error: Failed to log in: User opsuser has no matching OpsCenter role in LDAP group(s): <ldap_group>

The issue occurs when the Python code tries to output the LDAP group name but fails to display it using the default ASCII encoder because the group name contains a special character. Instead of reporting the real issue with the missing role in OpsCenter, it reports an error which does not truly reflect the cause of the authentication failure.

In the example above, \xe6 is the HTML-encoded grapheme "ash" (æ) which is a letter in some languages including Danish, Norwegian and Icelandic. OpsCenter needs to explicitly encode the group name in UTF-8 in order to handle cases like this (OPSC-14452).

Workaround

Role permissions are stored in OpsCenter. Users must have at least one role defined and configured in OpsCenter when LDAP is enabled (see the Prerequisites for Configuring LDAP authentication for more information).

Configure the role in OpsCenter by following the steps in Adding a role for an LDAP user.

Solution

OPSC-14452 is in development. Click the "Follow" button above to receive updates on its progress.

See also

Doc - Troubleshooting OpsCenter LDAP