Unable to get Slurm Web 5.2.0 LDAP authentication working with Active Directory

[titleistfour]

Hi, we have installed latest version of Slurm Web and trying to get LDAP auth working against an Active Directory backend.

[root@master01 slurm-web]# rpm -qa | grep -i slurm | sort
python3-slurm-web-5.2.0-2.el9.noarch
slurm-25.05.4-1.el9.x86_64
slurm-libpmi-25.05.4-1.el9.x86_64
slurm-perlapi-25.05.4-1.el9.x86_64
slurm-slurmctld-25.05.4-1.el9.x86_64
slurm-slurmd-25.05.4-1.el9.x86_64
slurm-slurmdbd-25.05.4-1.el9.x86_64
slurm-slurmrestd-25.05.4-1.el9.x86_64
slurm-web-agent-5.2.0-2.el9.noarch
slurm-web-gateway-5.2.0-2.el9.noarch
[root@master01 slurm-web]#

Basic config file /etc/slurm-web/agent.ini config.

[service]
cluster = hpcluster.local

Sanitized /etc/slurm-web/gateway.ini config.

[ui]
host=https://master01.example.com

[agents]
url=https://master01.example.com/agent

[service]
debug=true
debug_flags=rfl

[authentication]
enabled=true
method=ldap

[ldap]
uri=ldap://dc01.example.com
cacert=/etc/pki/tls/certs/ca-bundle.trust.crt
starttls=true
user_base=OU=Admin,OU=Managed,DC=example,DC=com
group_base=OU=Groups,OU=Managed,DC=example,DC=com
user_class=person
user_name_attribute=sAMAccountName
user_fullname_attribute=cn
user_primary_group_attribute=primaryGroupID
group_name_attribute=cn
group_object_classes=
  group
lookup_user_dn=true
#lookup_as_user=true
bind_dn=CN=svc_bind_ldap,OU=Service Accounts,OU=Managed,DC=example,DC=com
bind_password=xxxxxxxxxx
restricted_groups=
  Linux-Administrators

Seems like the connection to LDAP works because we get a large result of users returned but we get the following exception at the end of running /usr/libexec/slurm-web/slurm-web-ldap-check --debug --debug-flags rfl. Users are unable to login due to this.

[root@master01 slurm-web]# /usr/libexec/slurm-web/slurm-web-ldap-check --debug --debug-flags rfl
[DEBUG] ⸬rfl.settings.loaders:31        ↦ Loading site settings file /etc/slurm-web/gateway.ini
[INFO]  ⸬slurmweb.apps.ldap:22          ↦ Running slurm-web-ldap-check
[DEBUG] ⸬rfl.authentication.ldap:104    ↦ Using CA certification /etc/pki/tls/certs/ca-bundle.trust.crt to authenticate
 server
[DEBUG] ⸬rfl.authentication.ldap:117    ↦ Using STARTTLS to initialize TLS connection
[DEBUG] ⸬rfl.authentication.ldap:251    ↦ Using DN CN=svc_bind_ldap,OU=Service Accounts,OU=Managed,DC=example,DC=com to bind to LDAP directory
[DEBUG] ⸬rfl.authentication.ldap:407    ↦ LDAP search base: OU=Groups,OU=Managed,DC=example,DC=com, scope: subtree, filter: (objectClass=person), results: [ ...<large number of results returned>... ]
[DEBUG] ⸬rfl.authentication.ldap:143    ↦ LDAP search base: CN=User01,OU=Admin,OU=Managed,DC=example,DC=com, scope: base filter: (objectClass=person), results: [('CN=User01,OU=Admin
,OU=Managed,DC=example,DC=com', {'cn': [b'User01'], 'primaryGroupID': [b'513']})]
Traceback (most recent call last):
  File "/usr/libexec/slurm-web/slurm-web-ldap-check", line 8, in <module>
    sys.exit(SlurmwebExecLDAPCheck.run())
  File "/usr/lib/python3.9/site-packages/slurmweb/exec/__init__.py", line 15, in run
    cls.app().run()
  File "/usr/lib/python3.9/site-packages/slurmweb/apps/ldap.py", line 51, in run
    users = self.authentifier.users(with_groups=True)
  File "/usr/lib/python3.9/site-packages/rfl/authentication/ldap.py", line 458, in users
    groups = self._get_groups(connection, user, user_dn, gid)
  File "/usr/lib/python3.9/site-packages/rfl/authentication/ldap.py", line 202, in _get_groups
    results = connection.search_s(
  File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 631, in search_s
    return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)
  File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 624, in search_ext_s
    msgid = self.search_ext(base,scope,filterstr,attrlist,attrsonly,serverctrls,clientctrls,timeout,sizelimit)
  File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 614, in search_ext
    return self._ldap_call(
  File "/usr/lib64/python3.9/site-packages/ldap/ldapobject.py", line 128, in _ldap_call
    result = func(*args,**kwargs)
ldap.FILTER_ERROR: {'result': -7, 'desc': 'Bad search filter', 'ctrls': []}

How else can we troubleshoot what is going on here? We don't have gidNumber attribute implemented for user accounts in AD but primaryGroupID is there.

Does anyone have a working gateway.ini config that uses Active Directory for authentication they would be willing to share?

Thank you!

[titleistfour]

Found the issue for our edge case. We have Admin usernames that contain a comma "," in the CN field. The ldap filter needs to be escaped properly for it to be accepted as valid.

# examples
CN=Smith (ADM), Bill,OU=Admin,OU=Managed,DC=example,DC=com
CN=Birch (ADM), Jim,OU=Admin,OU=Managed,DC=example,DC=com

--- /usr/lib/python3.9/site-packages/rfl/authentication/ldap.py.bak     2025-11-09 18:01:22.645713323 -0600
+++ /usr/lib/python3.9/site-packages/rfl/authentication/ldap.py 2025-11-09 17:59:59.074502274 -0600
@@ -9,6 +9,7 @@
 import logging

 import ldap
+import ldap.filter

 from .user import AuthenticatedUser
 from .errors import LDAPAuthenticationError
@@ -196,7 +197,7 @@
         search_filter = (
             "(&"
             f"(|{object_class_filter})"
-            f"(|(memberUid={user_name})(member={user_dn}){gid_filter}))"
+            f"(|(memberUid={user_name})(member={ldap.filter.escape_filter_chars(user_dn)}){gid_filter}))"
         )
         try:
             results = connection.search_s(

With this patch in place our admin users can login to Slurm Web successfully.

[rezib]

Hello @titleistfour, very good catch! 👍 I just opened rackslab/RFL#63 to integrate a definitive fix in the next version of RFL library.

[titleistfour]

@rezib Thanks!