Error "You do not have sufficient privileges to view this page" when configuring LDAP for Operations Manager for the first time
Article ID: 293884

Products

Operations Manager

Issue/Introduction


After clicking the Setup Authentication button and being presented with the following screen:



You tried entering LDAP credentials for a user multiple times and received the following error:

When you click the UAA link presented on the page above, you will see this:

Based on the above screenshot, you can see that the user is authenticated. The error "You do not have sufficient privileges to view this page" therefore means that our LDAP user does not have the correct role(s) assigned to it.

In order to assign the correct roles to the users or groups in LDAP, you need to target the Operations Manager's UAA and get a token from it. The steps for this are:
  • SSH to the Operations Manager VM and target its UAA:
uaac target https://<operations-manager-url-or-ip>/uaa --skip-ssl-validation
  • Get a token. The problem is that no token with sufficient permissions can be obtained with the user credentials present in LDAP. The commands you would typically run to get a token are:
uaac token owner get admin
OR
uaac token client get admin
 
Both fail with "Bad credentials", and you will see the following error:
error response:
{
  "error": "unauthorized",
  "error_description": "Bad credentials"
}
attempt to get token failed

This article focuses on resolving the errors above, i.e. how to fetch a token using a client (which is also an admin) in order to authenticate successfully with the Operations Manager's UAA and assign roles to our LDAP user(s) or group(s).

Environment

Product Version: 2.5
OS: Linux

Resolution

Pre-requisites
  • LDAP server up and running.
  • The users we are going to use for authenticating in the Operations Manager UI must exist on the LDAP server.
Pre-check Steps
Unfortunately, this problem cannot be resolved in an existing Operations Manager. The first step is to install a new Operations Manager VM. Follow the standard docs for Installing Operations Manager. When the VM is deployed, do not open it in your browser. Instead, use one of the following two options:


Option 1

Send a cURL POST request to the Operations Manager API endpoint /api/v0/setup to configure LDAP authentication. The following command should be executed after the Operations Manager VM is powered on and before any initial configuration to set up authentication has been done:

Example: (you can also refer to the API Documentation)

Please adjust the cURL command below as per your environment configuration, for example the Operations Manager URL, decryption passphrase, precreated_client_secret, LDAP settings etc.
curl -k "https://<opsmanager-url-or-ip>/api/v0/setup" \
    -X POST \
    -H "Content-Type: application/json" \
    -d '{ "setup": {
    "identity_provider": "ldap",
    "decryption_passphrase": "<decryption-passphrase>",
    "decryption_passphrase_confirmation":"<decryption-passphrase>",
    "eula_accepted": "true",
    "precreated_client_secret": "pa55word",
    "ldap_settings": {
      "server_url": "ldap://<url>",
      "ldap_username": "user",
      "ldap_password": "password",
      "user_search_base": "ou=users,dc=opsmanager,dc=com",
      "user_search_filter": "cn={0}",
      "group_search_base": "ou=groups,dc=opsmanager,dc=com",
      "group_search_filter": "member={0}",
      "ldap_max_search_depth": 3,
      "ldap_rbac_admin_group_name": "ou=groups,dc=opsmanager,dc=com",
      "email_attribute": "mail",
      "ldap_referrals": "follow"
    }
  } }'
OR 


Option 2

Use the om CLI's configure-ldap-authentication command to set up LDAP authentication. Example:

Please adjust the om command below as per your environment configuration, for example the Operations Manager URL, decryption passphrase, precreated_client_secret, LDAP settings etc.
om -k  -t https://opsmanager.pivotal.io configure-ldap-authentication \
--email-attribute "mail" \
--decryption-passphrase "pa55word" \
--group-search-base "ou=groups,ou=pcf,dc=pivotal,dc=io" \
--group-search-filter "cn={0}" \
--ldap-password "LetMeIn001%" \
--ldap-rbac-admin-group-name "ou=groups,ou=pcf,dc=pivotal,dc=io" \
--ldap-referrals "follow" \
--ldap-username "user" \
--precreated-client-secret "pa55word" \
--server-url "ldap://pivotal.io" \
--user-search-base "ou=users,ou=pcf,dc=pivotal,dc=io" \
--user-search-filter "cn={0}"
Note: When using the above command in bash, make sure there are no extra spaces after "\" and no spaces before a newline.

Result
uaac token client get precreated-client -s "pa55word"
Successfully fetched token via client credentials grant.
After fetching the token successfully, you can now assign the appropriate role(s) to your LDAP user(s) or group(s), and each subsequent attempt to log in to Operations Manager with an LDAP account will be processed successfully.
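The setup request from Option 1 and the client credentials grant that the uaac token client get command in the Result performs, as an added Python example (not code from this article or from Operations Manager). It assumes the UAA token endpoint is /uaa/oauth/token under the Operations Manager URL, treats the ldap_settings keys from the article's example as mandatory, and uses hypothetical helper names; only the two build_* functions are exercised offline, fetch_token needs a live Operations Manager.

```python
import base64
import json
import urllib.request


def build_setup_payload(passphrase, confirmation, client_secret, ldap_settings):
    """Build the /api/v0/setup body, refusing the two mistakes that leave you
    with no admin client: a passphrase mismatch and an empty
    precreated_client_secret."""
    if passphrase != confirmation:
        raise ValueError("decryption passphrase and confirmation differ")
    if not client_secret:
        raise ValueError("precreated_client_secret is required: without it no "
                         "admin client exists to assign roles to LDAP users")
    # Keys the article's example supplies; treated as mandatory here (assumption).
    required = {"server_url", "ldap_username", "ldap_password",
                "user_search_base", "user_search_filter"}
    missing = required - set(ldap_settings)
    if missing:
        raise ValueError("ldap_settings missing: %s" % sorted(missing))
    return {"setup": {
        "identity_provider": "ldap",
        "decryption_passphrase": passphrase,
        "decryption_passphrase_confirmation": confirmation,
        "eula_accepted": "true",
        "precreated_client_secret": client_secret,
        "ldap_settings": ldap_settings,
    }}


def basic_auth_header(client_id, client_secret):
    """HTTP Basic value UAA expects for a client: base64("id:secret")."""
    raw = ("%s:%s" % (client_id, client_secret)).encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_token_request(opsman_url, client_id, client_secret):
    """The client_credentials grant that 'uaac token client get' performs
    (token endpoint path /uaa/oauth/token is an assumption)."""
    return {"url": opsman_url.rstrip("/") + "/uaa/oauth/token",
            "headers": {"Authorization": basic_auth_header(client_id, client_secret),
                        "Content-Type": "application/x-www-form-urlencoded",
                        "Accept": "application/json"},
            "body": "grant_type=client_credentials"}


def fetch_token(opsman_url, client_id, client_secret, opener=urllib.request.urlopen):
    """Send the grant and return the access token (opener is injectable for testing)."""
    spec = build_token_request(opsman_url, client_id, client_secret)
    req = urllib.request.Request(spec["url"], data=spec["body"].encode(),
                                 headers=spec["headers"], method="POST")
    with opener(req) as resp:
        return json.load(resp)["access_token"]
```

The default opener verifies the TLS certificate, unlike the -k and --skip-ssl-validation flags used on this page, so the Operations Manager certificate must be trusted by the machine running it.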

In summary:
  • After the LDAP user authenticated with the UAA running on Operations Manager, its role(s) were checked, but nobody had assigned an appropriate role to the LDAP user, so UAA reported that you do not have sufficient authorization.
  • To fix this, you need to assign the appropriate role to our LDAP user, but you cannot do so directly, because only a client with admin privileges can assign those roles to our LDAP user(s) and group(s). The challenge is that no users have admin permissions configured by default in the Operations Manager's UAA, so there is no way to assign role(s) to our LDAP users.
  • Currently, Operations Manager only allows you to provision an admin client called "precreated-client" by talking directly to its API, as opposed to its UI. To resolve this issue, you need the precreated client.
  • When using the API, send "precreated-client-secret" as an additional parameter. After this request completes successfully, an admin client called precreated-client exists whose secret is the value passed for the key precreated-client-secret.
  • Finally, once the configuration completes, you can authenticate as the precreated-client admin client, which you can now use to assign the appropriate role(s) to our LDAP user(s) and group(s).

Note
  • This article is only meant to provide the ability to get a token from the Operations Manager UAA as an admin client called precreated-client, so that you can assign LDAP users or groups sufficient role(s) to log in to the Operations Manager UI successfully. The assumption is that you are setting up LDAP integration with Operations Manager for the first time.