
How to debug users not being given permissions in Dashboard (probably due to the LDAP group not being found)? #915

Open
kastl-ars opened this issue Jul 26, 2024 · 0 comments


@kastl-ars

Hi Marc,

TL;DR: is there a way to debug why a user has no permissions in the Kubernetes dashboard, even though there is a ClusterRoleBinding giving an LDAP group cluster-admin permissions?

I have a demo setup with an ApacheDS LDAP server and OpenUnison, both running on k3s.

I have three users in LDAP, but only one of them is a member of the k8s-cluster-admins group. I can log into OpenUnison and the Kubernetes Dashboard with all three of them, so LDAP in general seems to be working.

But for all of them I get the error notifications due to missing permissions, while one of them should have enough permissions.

I do not think that I can configure any more of the AD/LDAP-related settings than this block in the values.yaml file:

active_directory:
  base: "DC=apacheds,DC=vagrant-libvirt,DC=org"
  host: "apacheds.apacheds.svc.cluster.local"
  port: "389"
  bind_dn: "uid=admin,ou=system"
  con_type: ldap
  srv_dns: "false"

The group in question looks like this:

dn: CN=k8s-cluster-admins,OU=Groups,DC=apacheds,DC=vagrant-libvirt,DC=org
objectClass: group
cn: k8s-cluster-admins
member: CN=hpotter,OU=Users,DC=apacheds,DC=vagrant-libvirt,DC=org

The ClusterRoleBinding (adapted from the OpenUnison documentation):

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2024-07-26T05:04:40Z"
  name: all-ldap-users-are-cluster-admins
  resourceVersion: "847"
  uid: 3db10840-f5b6-46db-ad77-f5d796b91907
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: CN=k8s-cluster-admins,OU=Groups,DC=apacheds,DC=vagrant-libvirt,DC=org

Maybe you (or someone else reading this) can spot my mistake or give me an idea of how and where to start digging.

Thanks in advance!

Kind Regards
Johannes
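One way to narrow a problem like this down, as an added example that is not part of the issue and not OpenUnison's own code: Kubernetes RBAC matches a `Group` subject by exact, case-sensitive string comparison against the `groups` claim the API server receives from the identity provider, so the first thing worth checking is whether the value the IdP emits is byte-for-byte the DN written into the ClusterRoleBinding. The script below decodes the payload of an OIDC id_token locally (no signature check; it only inspects the claim, verification stays the API server's job) and reports, for every `Group` subject in the binding, whether the token carries that group exactly, only with a case or whitespace difference, or not at all. The token is constructed inline with a deliberately lower-cased DN to show what a near-miss looks like; the binding is a Python rendering of the manifest from the issue, and the helper names are my own.

```python
import base64
import json


def b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def claims_from_id_token(token):
    """Return the payload claims of a compact JWS. No signature verification:
    this is a local diagnostic to see what the IdP put in the token, nothing more."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def group_subjects(binding):
    """Names of all Group subjects in a (Cluster)RoleBinding given as a dict."""
    return [s["name"] for s in binding.get("subjects", []) if s.get("kind") == "Group"]


def diagnose(groups_claim, binding):
    """For each Group subject in the binding, classify how the token's groups
    claim relates to it. Kubernetes only honours the 'exact' case."""
    by_normalized = {g.strip().lower(): g for g in groups_claim}
    report = {}
    for name in group_subjects(binding):
        key = name.strip().lower()
        if name in groups_claim:
            report[name] = "exact"
        elif key in by_normalized:
            report[name] = "case/whitespace mismatch (token has %r)" % by_normalized[key]
        else:
            report[name] = "missing"
    return report


def make_unsigned_jwt(claims):
    """Build a header.payload. token for the constructed sample below."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return "%s.%s." % (enc({"alg": "none"}), enc(claims))


# Constructed sample: the group DN comes back with lower-cased attribute types,
# a common way for an LDAP-sourced value to differ from what was typed into RBAC.
SAMPLE_TOKEN = make_unsigned_jwt({
    "sub": "hpotter",
    "groups": ["cn=k8s-cluster-admins,ou=Groups,dc=apacheds,dc=vagrant-libvirt,dc=org"],
})

# The ClusterRoleBinding from the issue, reduced to the fields that matter here.
SAMPLE_BINDING = {
    "kind": "ClusterRoleBinding",
    "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
    "subjects": [
        {
            "apiGroup": "rbac.authorization.k8s.io",
            "kind": "Group",
            "name": "CN=k8s-cluster-admins,OU=Groups,DC=apacheds,DC=vagrant-libvirt,DC=org",
        }
    ],
}

if __name__ == "__main__":
    claims = claims_from_id_token(SAMPLE_TOKEN)
    print("groups claim:", claims.get("groups"))
    for subject, verdict in diagnose(claims.get("groups", []), SAMPLE_BINDING).items():
        print("%s -> %s" % (subject, verdict))
```

Feed it a real id_token and binding and the three verdicts map directly onto the three things to look at: `missing` means the directory lookup or group-to-claim mapping never produced the group (check the IdP's group search and the user's `member`/`memberOf` state), a case or whitespace mismatch means the binding's subject name has to be changed to the exact string the IdP emits, and `exact` means RBAC is satisfied and the problem is elsewhere.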
