PKS authentication fails for LDAP users.
In the UAA logs on the PKS VM, you see entries similar to:
[2019-02-26 22:06:51.645] uaa - 1074 [https-jsse-nio-8443-exec-3] .... WARN --- UaaAuthorizationRequestManager: The requested scopes are invalid
[2019-02-26 22:06:51.645] uaa - 1074 [https-jsse-nio-8443-exec-3] .... DEBUG --- BackwardsCompatibleTokenEndpointAuthenticationFilter: Authentication request failed with Oauth exception: [pks.clusters.admin, pks.clusters.manage] is invalid. This user is not allowed any of the requested scopes
[2019-02-26 22:06:51.646] uaa - 1074 [https-jsse-nio-8443-exec-3] .... DEBUG --- DefaultOAuth2ExceptionRenderer: Written [error="invalid_scope", error_description="[pks.clusters.admin, pks.clusters.manage] is invalid. This user is not allowed any of the requested scopes"] as "application/json;charset=UTF-8" using [org.springframework.http.converter.json.MappingJackson2HttpMessageConverter@45085f8f]
[2019-02-26 22:06:51.647] uaa - 1074 [https-jsse-nio-8443-exec-3] .... DEBUG --- SecurityContextPersistenceFilter: SecurityContextHolder now cleared, as request processing completed
[2019-02-26 22:06:52.481] uaa - 1074 [pool-4-thread-1] .... DEBUG --- JdbcTemplate: Executing SQL query [select count(*) from users]
[2019-02-26 22:06:52.482] uaa - 1074 [pool-4-thread-1] .... DEBUG --- JdbcTemplate: Executing SQL query [select count(*) from oauth_client_details]
When you run the command below to check whether the group mapping works, it replies with an invalid access token error.
$uaac group map --name pks.clusters.manage GROUP-DISTINGUISHED-NAME
Error response:
{
  "error": "invalid_token",
  "error_description": "invalid access token"
}
To resolve this issue, fetch the token through the client credentials grant using the UAA admin client:
$uaac token client get admin -s 'UAA-ADMIN-SECRET'
Where UAA-ADMIN-SECRET is your UAA admin secret. To retrieve it, refer to Ops Manager > Pivotal Container Service > Credentials > Pks Uaa Management Admin Client.
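As an added example (not part of this article or of PKS/UAA), the following script parses the UAA log excerpt above, extracts the scopes UAA refused for the LDAP user, and prints the uaac group mapping commands an operator would run after fetching the admin-client token; the log text is constructed from the lines quoted in this article, and GROUP-DISTINGUISHED-NAME is a placeholder for the real LDAP group DN.

```python
import re
from typing import List

# Constructed sample: the UAA log lines quoted in this article (abbreviated).
SAMPLE_LOG = """\
[2019-02-26 22:06:51.645] uaa - 1074 [https-jsse-nio-8443-exec-3] .... WARN --- UaaAuthorizationRequestManager: The requested scopes are invalid
[2019-02-26 22:06:51.645] uaa - 1074 [https-jsse-nio-8443-exec-3] .... DEBUG --- BackwardsCompatibleTokenEndpointAuthenticationFilter: Authentication request failed with Oauth exception: [pks.clusters.admin, pks.clusters.manage] is invalid. This user is not allowed any of the requested scopes
[2019-02-26 22:06:52.481] uaa - 1074 [pool-4-thread-1] .... DEBUG --- JdbcTemplate: Executing SQL query [select count(*) from users]
"""

# Matches the bracketed scope list UAA prints when it rejects a token request
# because the authenticated user holds none of the requested scopes.
SCOPE_REJECT_RE = re.compile(
    r"Oauth exception: \[(?P<scopes>[^\]]+)\] is invalid\. "
    r"This user is not allowed any of the requested scopes"
)


def rejected_scopes(log_text: str) -> List[str]:
    """Return the scopes UAA refused, in first-seen order, without duplicates."""
    seen: List[str] = []
    for line in log_text.splitlines():
        match = SCOPE_REJECT_RE.search(line)
        if not match:
            continue
        for scope in match.group("scopes").split(","):
            scope = scope.strip()
            if scope and scope not in seen:
                seen.append(scope)
    return seen


def remediation_commands(scopes: List[str], group_dn: str) -> List[str]:
    """Build one 'uaac group map' command per rejected scope.

    Assumes the caller has already targeted UAA and fetched the admin-client
    token with 'uaac token client get admin -s <secret>', as the article shows.
    """
    return [f"uaac group map --name {scope} '{group_dn}'" for scope in scopes]


if __name__ == "__main__":
    scopes = rejected_scopes(SAMPLE_LOG)
    print("Scopes UAA rejected for the LDAP user:", scopes)
    # GROUP-DISTINGUISHED-NAME is a placeholder; substitute the real LDAP group DN.
    for command in remediation_commands(scopes, "GROUP-DISTINGUISHED-NAME"):
        print(command)
```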