User synchronisation not working #1882

Closed
5 tasks done
jemrobinson opened this issue May 10, 2024 · 0 comments · Fixed by #1883
Labels
bug Problem when deploying a Data Safe Haven.

jemrobinson commented May 10, 2024

✅ Checklist

  • I have searched open and closed issues for duplicates.
  • This is a problem observed when deploying a Data Safe Haven.
  • I can reproduce this with the latest version.
  • I have read through the documentation.
  • This isn't an open-ended question (open a discussion if it is).

💻 System information

  • Operating System: macOS
  • Data Safe Haven version: develop @ 1dbd9aa

🚫 Describe the problem

Synchronisation of users from the identity server to the Guacamole database is not working. This seems to be due to connection failures from the identity server which are caused by an incorrect DNS allowlist.

🌳 Log messages

Relevant log messages

guacamole-user-sync

2024-05-10T15:00:54+00:00 Running LDAP synchronisation...
/var/lib/gems/3.1.0/gems/pg-ldap-sync-0.5.0/lib/pg_ldap_sync/application.rb:89:in `search_ldap_users': LDAP: Protocol Error (PgLdapSync::LdapError)
	from /var/lib/gems/3.1.0/gems/pg-ldap-sync-0.5.0/lib/pg_ldap_sync/application.rb:384:in `start!'
	from /var/lib/gems/3.1.0/gems/pg-ldap-sync-0.5.0/lib/pg_ldap_sync/application.rb:434:in `run'
	from /var/lib/gems/3.1.0/gems/pg-ldap-sync-0.5.0/exe/pg_ldap_sync:6:in `<top (required)>'
	from /usr/local/bin/pg_ldap_sync:25:in `load'
	from /usr/local/bin/pg_ldap_sync:25:in `<main>'

apricot logs

2024-05-10 15:05:01+0000 [ReadOnlyLDAPServer,76,10.2.2.4] S->C LDAPMessage(id=156, value=LDAPSearchResultDone(resultCode=2, errorMessage='LDAP search request failed. HTTPSConnectionPool(host=\'graph.microsoft.com\', port=443): Max retries exceeded with url: /v1.0/groups?$select=createdDateTime,displayName,id (Caused by NameResolutionError("<urllib3.connection.HTTPSConnection object at 0x7f39ba24d650>: Failed to resolve \'graph.microsoft.com\' ([Errno -2] Name does not resolve)"))'), controls=None)

apricot connectivity

/app # nslookup graph.microsoft.com
Server:         192.168.0.4
Address:        192.168.0.4:53

** server can't find graph.microsoft.com: NXDOMAIN

** server can't find graph.microsoft.com: NXDOMAIN

DNS server logs

2024/05/10 15:08:03.554250 43#5641 [debug] filtering: found rule "*.*" for host "graph.microsoft.com", filter list id: 0
2024/05/10 15:08:03.554278 43#5641 [debug] dnsforward: host "graph.microsoft.com" is filtered, reason: "FilteredBlackList"; rule: "*.*"

♻️ To reproduce

Deploy an SRE. Look at the container logs.
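
An added example, not part of the original issue or of the Data Safe Haven code: a Python check that reads DNS server debug lines in the format quoted above and reports which hostnames a service needs were rejected by the filter. The `REQUIRED_HOSTS` set, the function names and the last two sample log lines are assumptions constructed for illustration.

```python
import re

# "dnsforward" debug line format, as in the DNS server logs quoted in the issue.
# Only this verdict line is counted; a "filtering: found rule" line alone is not.
FILTERED = re.compile(
    r'dnsforward: host "(?P<host>[^"]+)" is filtered, '
    r'reason: "(?P<reason>[^"]+)"; rule: "(?P<rule>[^"]+)"'
)

def normalise(host):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return host.lower().rstrip(".")

def blocked_hosts(log_lines):
    """Map each rejected hostname to the set of filter rules that rejected it."""
    blocked = {}
    for line in log_lines:
        match = FILTERED.search(line)
        if match:
            blocked.setdefault(normalise(match["host"]), set()).add(match["rule"])
    return blocked

def allowlist_gaps(log_lines, required_hosts):
    """Hostnames a service needs that the filter rejected (allowlist gaps)."""
    blocked = blocked_hosts(log_lines)
    return sorted(h for h in map(normalise, required_hosts) if h in blocked)

# First two lines are from the issue; the last two are constructed for the example.
SAMPLE_LOG = '''\
2024/05/10 15:08:03.554250 43#5641 [debug] filtering: found rule "*.*" for host "graph.microsoft.com", filter list id: 0
2024/05/10 15:08:03.554278 43#5641 [debug] dnsforward: host "graph.microsoft.com" is filtered, reason: "FilteredBlackList"; rule: "*.*"
2024/05/10 15:08:04.000001 43#5641 [debug] dnsforward: host "Example.org." is filtered, reason: "FilteredBlackList"; rule: "*.*"
2024/05/10 15:08:05.000001 43#5641 [debug] filtering: found rule "*.*" for host "example.net", filter list id: 0
'''.splitlines()

# Assumed list of names the identity server must resolve (hypothetical input).
REQUIRED_HOSTS = {"graph.microsoft.com", "login.microsoftonline.com"}

if __name__ == "__main__":
    for host in allowlist_gaps(SAMPLE_LOG, REQUIRED_HOSTS):
        rules = ", ".join(sorted(blocked_hosts(SAMPLE_LOG)[host]))
        print(f"required host blocked: {host} (rule {rules})")
```

A required host that never appears in the log is not reported, so the check is only as complete as the traffic captured while the service was running.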
