Configure LDAP roles on ML server

  • Question

  • Hi,

    I used this page to configure role based authentication with LDAP on our ML server. https://docs.microsoft.com/en-us/machine-learning-server/operationalize/configure-roles (sorry, this forum does not allow me to use links)

    For setting up the LDAP server, I used this section: https://docs.microsoft.com/en-us/machine-learning-server/operationalize/configure-authentication#active-directory-and-ldapldap-s

    This is how my LDAP section looks in appsettings.json:

        "LDAP": {
          "Enabled": true,
          "Host": "<hostname>",
          "Port": 389,
          "UseLDAPS": false,
          "SkipCertificateValidation": false,
          "QueryUserDn": "CN=xxxx,OU=Service Accounts,OU=Accounts,DC=XXX",
          "QueryUserPassword": "xxx",
          "QueryUserPasswordEncrypted": false,
          "SearchBase": "OU=Service Accounts,OU=Accounts,DC=XXX",
          "SearchFilter": "(|(sAMAccountName={0})(cn={0}))",
          "UserPropertiesMapping": {
            "UniqueUserIdentifierAttributeName": "sAMAccountName",
            "DisplayNameAttributeName": "name"
          }
    

    And this is how my Authorization section looks in appsettings.json:

      "Authorization": {
        "Owner": ["G-MLS-OWNER"],
        "Contributor": ["G-MLS-CONTRIBUTOR"],
        "Reader": ["G-MLS-READER"],
        "CacheLifeTimeInMinutes": 60
      },
    

    When I restart my webnode, it fails because of this error:

    Microsoft.MLServer.App.Common.Exceptions.ConfigurationException: Unable to find the following group memberships in LDAP: G-MLS-OWNER, G-MLS-CONTRIBUTOR, G-MLS-READER

    Why is the ML server validating those groups on startup? 

    I can fix this by changing the SearchBase prop to the OU where these Groups are in the AD.

          "SearchBase": "OU=G-AP-Groups,OU=Groups,DC=XXX",
    

    Then the web node can start. 

    But when I try to login with any user/password, it is rejected. I'm not surprised by that because the users are in another OU, so the SearchBase should be "OU=Service Accounts,OU=Accounts,DC=XXX"

    I can't configure different search bases for the Groups and the Users. How can I get this done?

    Kind regards,

    Roel

    Wednesday, March 27, 2019 2:58 PM
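The question turns on what a single subtree-scoped SearchBase can reach. The following is an added example, not code from the post or from Microsoft's ML Server: it parses the DNs quoted above, tests whether the user and group entries fall under a given SearchBase, and derives the narrowest base that covers both. It assumes ML Server searches with subtree scope (the post does not say), and the user and group DNs are constructed from the OUs in the question.

```python
# Added example (not from the original post or Microsoft's code).
# Assumption: the web node issues subtree-scoped searches from SearchBase.

def parse_dn(dn):
    """Split a DN into RDNs, leaf first: (attr, value) normalised for comparison
    plus the original text. Escaped commas are not handled; the DNs in the
    question contain none."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower(), part.strip()))
    return rdns

def in_subtree(entry_dn, search_base):
    """True if entry_dn is search_base itself or lies beneath it (subtree scope)."""
    entry, base = parse_dn(entry_dn), parse_dn(search_base)
    if len(entry) < len(base):
        return False
    tail = entry[len(entry) - len(base):]
    return [r[:2] for r in tail] == [r[:2] for r in base]

def common_base(*dns):
    """Narrowest DN that is an ancestor of (or equal to) every DN given."""
    parsed = [parse_dn(d) for d in dns]
    shared = []
    for column in zip(*(reversed(p) for p in parsed)):  # walk root-to-leaf
        if all(r[:2] == column[0][:2] for r in column):
            shared.append(column[0][2])
        else:
            break
    return ",".join(reversed(shared))

# Constructed DNs following the question's layout: a user under the accounts
# OU and a role group under the groups OU (DC=XXX is the post's placeholder).
USER_DN = "CN=svc-mls,OU=Service Accounts,OU=Accounts,DC=XXX"
GROUP_DN = "CN=G-MLS-OWNER,OU=G-AP-Groups,OU=Groups,DC=XXX"

def check_search_base(search_base):
    """Report which of the two entries a subtree search from search_base reaches."""
    return {"users": in_subtree(USER_DN, search_base),
            "groups": in_subtree(GROUP_DN, search_base)}

if __name__ == "__main__":
    user_base = "OU=Service Accounts,OU=Accounts,DC=XXX"
    group_base = "OU=G-AP-Groups,OU=Groups,DC=XXX"
    for base in (user_base, group_base, common_base(user_base, group_base)):
        print(base, "->", check_search_base(base))
```

Widening SearchBase to the common parent also widens what the login SearchFilter `(|(sAMAccountName={0})(cn={0}))` can match, so the filter's attributes deserve a second look once the base is broadened.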