Rancher: AD domain user permissions stop working after upgrading from Community to Enterprise edition

Problem overview

The problem appears after the Community edition is upgraded to the Enterprise edition and the AD domain is reconnected. The Community edition identified AD users by the distinguishedName attribute by default, whereas the Enterprise edition defaults to objectGUID. Rancher builds the user's principal ID from that attribute, so after the switch a user who logs in gets a different ID from the one the existing role bindings reference, and the permissions created earlier no longer apply. Note that the two attributes have different properties: a DN changes whenever an account is renamed or moved to another OU, while objectGUID is stable for the lifetime of the object. Switching back to distinguishedName (the fix below) restores the old bindings; the alternative is to keep objectGUID and recreate the bindings for the new IDs.

Diagnosis

The following command queries the attributes of an AD user so you can see both candidate identifiers side by side. Replace the sAMAccountName value in the filter with the account you want to inspect. Two practical caveats: the bind password is passed on the command line with -w and so ends up in shell history and the process list (use -W to be prompted instead), and port 389 without StartTLS (-ZZ) sends that password in cleartext, so run this from a trusted host or against LDAPS.

# -x: simple bind; -h/-p: domain controller and port; -D/-w: bind DN (DOMAIN\user) and password;
# -b: search base; -s sub: subtree scope; the last argument is the LDAP filter.
docker run \
  -it --rm --net host \
  emeraldsquad/ldapsearch:latest \
  ldapsearch \
  -x \
  -h ad.zerchin.xyz \
  -p 389 \
  -D "ad\test01" \
  -w 'Rancher123' \
  -b "dc=ad,dc=zerchin,dc=xyz" \
  -s sub "sAMAccountName=test01"

Output (attributes written with a double colon, such as objectGUID:: and objectSid::, are binary and base64-encoded by ldapsearch):

# extended LDIF
#
# LDAPv3
# base <dc=ad,dc=zerchin,dc=xyz> with scope subtree
# filter: sAMAccountName=test01
# requesting: ALL
#

# test01, Users, ad.zerchin.xyz
dn: CN=test01,CN=Users,DC=ad,DC=zerchin,DC=xyz
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: test01
sn: test
givenName: 01
distinguishedName: CN=test01,CN=Users,DC=ad,DC=zerchin,DC=xyz
instanceType: 4
whenCreated: 20220813133912.0Z
whenChanged: 20220825014512.0Z
displayName: test01
uSNCreated: 12751
uSNChanged: 16391
name: test01
objectGUID:: Ix8x/6OYkk2hnT+ABwgyZg==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 133058658792195622
lastLogoff: 0
lastLogon: 133058661795008175
pwdLastSet: 133048715525737854
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAX8h9emUAZqheH8c/UAQAAA==
accountExpires: 9223372036854775807
logonCount: 2
sAMAccountName: test01
sAMAccountType: 805306368
userPrincipalName: test01@ad.zerchin.xyz
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ad,DC=zerchin,DC=xyz
dSCorePropagationData: 20220813133912.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 133058655125789353

# search reference
ref: ldap://ForestDnsZones.ad.zerchin.xyz/DC=ForestDnsZones,DC=ad,DC=zerchin,D
C=xyz

# search reference
ref: ldap://DomainDnsZones.ad.zerchin.xyz/DC=DomainDnsZones,DC=ad,DC=zerchin,D
C=xyz

# search reference
ref: ldap://ad.zerchin.xyz/CN=Configuration,DC=ad,DC=zerchin,DC=xyz

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3
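The output above shows both identifiers Rancher can key a principal on: distinguishedName as plain text, and objectGUID as base64 bytes. To compare what the two editions would use as the user ID, the binary attributes have to be decoded. The following script is an added example (not part of the original post or of Rancher) that parses the LDIF entry returned by ldapsearch and renders objectGUID and objectSid the way AD tools display them. It uses only the Python standard library; the LDIF sample is trimmed from the page's own output, and the objectSid decoding is included as a bonus because it is the other stable identifier people sometimes reach for.

```python
import base64
import struct
import uuid

# Trimmed copy of the entry returned by the ldapsearch run above; the search
# references and most non-identifying attributes are omitted for brevity.
LDIF = """\
dn: CN=test01,CN=Users,DC=ad,DC=zerchin,DC=xyz
objectClass: top
objectClass: user
cn: test01
distinguishedName: CN=test01,CN=Users,DC=ad,DC=zerchin,DC=xyz
objectGUID:: Ix8x/6OYkk2hnT+ABwgyZg==
objectSid:: AQUAAAAAAAUVAAAAX8h9emUAZqheH8c/UAQAAA==
sAMAccountName: test01
userPrincipalName: test01@ad.zerchin.xyz
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.

    Two LDIF conventions matter here: a line beginning with a single space
    continues the previous line (ldapsearch folds long values this way), and
    'attr:: value' means the value is base64-encoded, which ldapsearch does
    for binary attributes such as objectGUID and objectSid.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # 'attr:: <base64>'
            decoded = base64.b64decode(value[1:].strip())
        else:
            decoded = value.strip()
        entry.setdefault(attr, []).append(decoded)
    return entry


def guid_to_string(raw):
    """Render a 16-byte objectGUID in the form AD tools display it.

    AD stores the first three GUID fields little-endian, which is exactly
    the layout uuid.UUID(bytes_le=...) expects.
    """
    return str(uuid.UUID(bytes_le=raw))


def sid_to_string(raw):
    """Render a binary objectSid as S-<rev>-<authority>-<sub>-...-<RID>."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % count, raw, 8)  # 32-bit, little-endian
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def user_identifiers(ldif_text):
    """Return the candidate unique identifiers for the user entry."""
    entry = parse_ldif_entry(ldif_text)
    return {
        "distinguishedName": entry["distinguishedName"][0],
        "objectGUID": guid_to_string(entry["objectGUID"][0]),
        "objectSid": sid_to_string(entry["objectSid"][0]),
        "sAMAccountName": entry["sAMAccountName"][0],
    }


if __name__ == "__main__":
    for name, value in user_identifiers(LDIF).items():
        print("%-18s %s" % (name, value))
```

Running it prints the DN the Community edition keyed on next to the decoded GUID the Enterprise edition keys on; they share nothing, which is why bindings recorded under one are invisible under the other. The same decoding is useful when you inspect Rancher's stored principal IDs or role bindings and need to match them back to an AD account.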

Solution

Open the AD authentication configuration page, click Edit to enter edit mode, and under custom mode locate the user unique identifier attribute and change it to distinguishedName, as follows: