Rstudio-connect Ubuntu 18.04 first time set up problem

rstudioconnect

#1

Hi everyone,

I have problems setting up rstudio-connect and getting it working for the first time.
It would be wonderful if anyone could support me. :weary:
Thank you very much in advance!

This I get when I stop and start it:

```
● rstudio-connect.service - RStudio Connect
Loaded: loaded (/lib/systemd/system/rstudio-connect.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Tue 2018-08-07 15:35:30 CEST; 43min ago
Process: 32725 ExecStart=/bin/sh -c exec /opt/rstudio-connect/bin/connect --config /etc/rstudio-connect/rstudio-connect.gcfg >> /var
Main PID: 32725 (code=exited, status=1/FAILURE)

Aug 07 15:35:30 ... systemd[1]: Started RStudio Connect.
Aug 07 15:35:30 ... systemd[1]: rstudio-connect.service: Main process exited, code=exited, status=1/FAILURE
Aug 07 15:35:30 ... systemd[1]: rstudio-connect.service: Failed with result 'exit-code'.
```

/var/log/rstudio-connect.log says:

```
2018/08/07 15:35:30 Resource limits: {"nofile":{"soft":1000000,"hard":1000000}}
2018/08/07 15:35:30 Starting RStudio Connect v1.6.4.2-13
2018/08/07 15:35:30 Error: Couldn't read configuration file: warnings:
can't store data at section "Authentication", variable "ServerAddress"
can't store data at section "UserObjectClass"
can't store data at section "UserObjectClass"
can't store data at section "UserFilterBase"
....
```

#2

This looks like problems with your rstudio-connect.gcfg (i.e. the "configuration file"). Not sure if you want to share that configuration file publicly? Oftentimes it will have sensitive information for authentication configuration, URLs, etc.

However, you are definitely welcome to send that information privately to support@rstudio.com, and we can help you through the configuration! Otherwise, just use the pointers it gave you to locate problems in the file (Authentication section, UserObjectClass, UserFilterBase, etc.).

It sounds like this section of the admin guide may be helpful: http://docs.rstudio.com/connect/admin/authentication.html

Specifically, it sounds like most of these items should probably be within an LDAP or AD block.

http://docs.rstudio.com/connect/admin/appendix-configuration.html#appendix-configuration-ldap


#3

Hi cole,

Yes, I'll do so, but I will replace sensitive information with a-b-c dummy values in the same format as the original ones.

Thank you cole!
marc


#4

```
; RStudio Connect configuration file

[Server]
; SenderEmail is an email address used by RStudio Connect to send outbound
; email. The system will not be able to send administrative email until this
; setting is configured.
;
; SenderEmail = account@company.com
SenderEmail = a@b.c

; Address is a public URL for this RStudio Connect server. Must be configured
; to enable features like including links to your content in emails. If
; Connect is deployed behind an HTTP proxy, this should be the URL for Connect
; in terms of that proxy.
;
; Address =*removed*
Address = http://a.b.c

[HTTP]
; RStudio Connect will listen on this network address for HTTP connections.
Listen = :3939

[SQLite]
Dir = /var/lib/rstudio-connect/db

[Server]
DataDir = /var/lib/rstudio-connect

[Authentication]
; Specifies the type of user authentication.
Provider = ldap
Name = DOMAIN
ServerAddress = a.b.c

[UserObjectClass]
;The name of the LDAP objectClass used to define users.
;Type: string
UserObjectClass = Users

[UserFilterBase]
;An LDAP filter clause used to select user objects. Defaults to objectClass={UserObjectClass}.
;Type: string
UserFilterBase = "CN=Domänen-Benutzer,CN=Users,DC=abc,DC=local"

[UserFirstNameAttribute]
;The LDAP user attribute containing a user’s first name. This is often the givenName attribute. This attribute is case-sensitive.
;Type: string
UserFirstNameAttribute = GivenName

[UserLastNameAttribute]
;The LDAP user attribute containing a user’s last name. The sn attribute will usually contain last name. This attribute is case-sensitive.
;Type: string
UserLastNameAttribute = SurName

[UserEmailAttribute]
;The LDAP user attribute containing a user’s email address. Many systems use the mail attribute. This attribute is case-sensitive.
;Type: string
UserEmailAttribute = UserPrincipalName

[UsernameAttribute]
;The LDAP user attribute containing a user’s username. Commonly used attributes include uid, cn, and sAMAccountName. This attribute is case-sensitive.
;Type: string
UsernameAttribute = SamAccountName

[BindDN]
;A DN for a read-only admin account that is used during double-bind authentication and for certain operations that do not occur during the login sequence (such as searching). Must be paired with BindPassword.
;Type: string
BindDN = abc

[BindPassword]
;The password for the BindDN account.
;Type: string
BindPassword = abcde456

;[BindPasswordFile]
;Path to file containing the bind password. Either BindPassword or BindPasswordFile may be specified when using LDAP, but if both are set, it is an error.
;Type: string
;Default: <empty-string>

[AnonymousBind]
;Enable anonymous bind. An anonymous user must have rights to search and view all pertinent groups, group memberships, and users.
;Type: boolean
AnonymousBind = false

[UserSearchBaseDN]
;The base DN used when performing user searches.
;Type: string
UserSearchBaseDN = a.b

;[WhitelistedLoginGroup]
;Limit who can log into Connect by specifying a group DN. Multiple definitions can be used to provide multiple groups.
;Type: multi-string
;unspecified

;[GroupObjectClass]
;The name of the LDAP ‘objectClass’ used to define groups. Commonly this is ‘group’ or ‘posixGroup’.
;Type: string
;Default: <empty-string>

[GroupFilterBase]
;An LDAP filter clause used to select group objects. Defaults to objectClass={GroupObjectClass}.
;Type: string
GroupFilterBase = objectClass={rstudio-user}

[GroupNameAttribute]
;The LDAP group attribute containing a group’s name. Commonly this is ‘cn’ or ‘sAMAccountName’. This attribute is case-sensitive.
;Type: string
GroupNameAttribute = CN

[GroupSearchBaseDN]
;The base DN used when performing group searches.
;Type: string
GroupSearchBaseDN = a.b

[WebSudoMode]
;Whether web-sudo mode is enabled
;Type: boolean
WebSudoMode = true

[WebSudoModeDuration]
;The lifetime of web-sudo mode.
;Type: duration
WebSudoModeDuration5m
```

#5

Yeah, the problem is exactly as I mentioned. Most / all of your top level items are not meant to be top level. For instance, for WebSudoMode, the following is in the admin guide:

For all other authentication providers, the WebSudoMode and WebSudoModeDuration configuration options are available within the section pertaining to that provider

So you would do something like:

```
[Password]
WebSudoMode = true
WebSudoModeDuration = 10m
```

The ones throwing an error are [UserObjectClass], [UserFilterBase], and the like. Specifically, those should look like:

```
[LDAP "My LDAP Server"]
UserObjectClass = Users
UserFilterBase = "..."
```

More detail is here: http://docs.rstudio.com/connect/admin/appendix-configuration.html#appendix-configuration-ldap

Why don't you give rewriting the config file a shot, moving a bunch of these top level headers (the ones with []) to configuration name = value pairs within the proper top level heading?
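
The relocation described in this reply can be checked mechanically before restarting the service. The linter below is an added example, not part of the thread or of RStudio Connect. It assumes `Provider = ldap`, takes its list of setting names from the config files posted in this thread, and the names `lint_gcfg` and `BROKEN` are hypothetical.

```python
import re

# Setting names copied from the config files posted in this thread. With
# Provider = ldap they are values inside [LDAP "<name>"], not sections.
LDAP_KEYS = {k.lower() for k in (
    "ServerAddress UserObjectClass UserFilterBase UserFirstNameAttribute "
    "UserLastNameAttribute UserEmailAttribute UsernameAttribute BindDN "
    "BindPassword BindPasswordFile AnonymousBind UserSearchBaseDN "
    "WhitelistedLoginGroup GroupObjectClass GroupFilterBase GroupNameAttribute "
    "GroupSearchBaseDN UniqueIdAttribute WebSudoMode WebSudoModeDuration").split()}

SECTION = re.compile(r'^\[\s*([A-Za-z]+)(?:\s+"[^"]*")?\s*\]$')
SETTING = re.compile(r'^([A-Za-z]+)\s*=')

def lint_gcfg(text):
    """Return (line_number, message) findings for misplaced LDAP settings."""
    findings, section = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in ";#":        # blank line or comment
            continue
        header = SECTION.match(line)
        if header:
            section = header.group(1)
            if section.lower() in LDAP_KEYS:   # names compared case-insensitively here
                findings.append((no, f"[{section}] is a setting name, not a section"))
                section = None                 # body is covered by this finding
            continue
        setting = SETTING.match(line)
        if not setting:
            findings.append((no, f"expected 'name = value': {line}"))
        elif section and section.lower() != "ldap" and setting.group(1).lower() in LDAP_KEYS:
            findings.append((no, f'{setting.group(1)} is in [{section}], move it to [LDAP "..."]'))
    return findings

# Constructed sample: an excerpt of the first config posted above (dummy values).
BROKEN = """\
[Authentication]
Provider = ldap
ServerAddress = a.b.c
[UserObjectClass]
UserObjectClass = Users
[WebSudoModeDuration]
WebSudoModeDuration5m
"""

if __name__ == "__main__":
    print(*lint_gcfg(BROKEN), sep="\n")
```

The first two findings correspond to the `can't store data at section ...` warnings in the log from the first post.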


#6

Hi cole,

Yes, that was it - I got it to run for the first time :sunglasses:

Maybe other people will have a better idea how to build this file, like I didn't have too before, so it is posted here and sensitive information is replaced in the same structure as I wrote it.....

I now get some Active Directory user/password issues; maybe you want to take a look at it?

Unable to verify credentials: LDAP Result Code 49 "Invalid Credentials": 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580

I'm trying to fix this too but maybe you will see anything directly :slight_smile:

Thank you again!

My config file:

```
[Server]
SenderEmail = rstudiouser@domain
Address = https://RConnect.domain

[HTTP]
; RStudio Connect will listen on this network address for HTTP connections.
Listen = :3939

[SQLite]
Dir = /var/lib/rstudio-connect/db

[Server]
DataDir = /var/lib/rstudio-connect

[Authentication]
Provider = ldap

[LDAP "domain" ]
ServerAddress = IP.IP.IP.IP:389
UserObjectClass = Users
UserFilterBase = "CN=Domänen-Benutzer,CN=Users,DC=domainDC,DC=local"
UserFirstNameAttribute = GivenName
UserLastNameAttribute = SurName
UserEmailAttribute = UserPrincipalName
UsernameAttribute = SamAccountName
BindDN = rstudiouser
BindPassword = p@s5w0rT
AnonymousBind = false
UserSearchBaseDN = "CN=Domänen-Benutzer,CN=Users,DC=domainDC,DC=local"
GroupFilterBase = objectClass={rstudio-user}
GroupNameAttribute = CN
GroupSearchBaseDN = domain

[Password]
WebSudoMode = true
WebSudoModeDuration = 5m
```


#7

As a quick aside, RStudio Connect v.1.6.6 was recently released. While you are in the early install stage, it may be worth downloading a new binary! In particular, there is an important new attribute for LDAP / AD called UniqueIdAttribute. It specifies the unique identifier for your AD system. An example of a full config using the value is here:

http://docs.rstudio.com/connect/admin/authentication.html#complete-configuration-example

That said, is the error you are seeing occurring when users attempt to log into the server? If so, I would take a look at the user attributes and ensure that users are being mapped appropriately. There also may be some type of permission issue within AD itself. If this is occurring when starting up the server, then I would have a look at the BindDN / BindPassword to be sure they are correct. Typically, the best resource when debugging AD stuff is an internal IT admin. However, we are definitely happy to give it our best shot and support@rstudio.com is always your best avenue for direct professional support!

Some information I found that may be helpful, from google searching the error message you received:

https://social.technet.microsoft.com/Forums/ie/en-US/474abb8f-cfc6-4cac-af79-c3e80e80291f/ldap-authentication-error-ldap-error-code-49-80090308-ldaperr-dsid0c090334-comment?forum=winserverDS

http://www-01.ibm.com/support/docview.wss?uid=swg21290631

It seems like the 52e error you're getting is caused by:

NOTE: Returns when username is valid but password/credential is invalid. Will prevent most other errors from being displayed as noted.


#8

Hi cole,

I installed 1.6.6 now.

I'll give it a new try now.


#9

Maybe I made it worse now :frowning:

Configuration Problem Detected: 'DOMAIN' LDAP uses 'S-1-5-21-xxxxx-xxxxx-xxxx-xxxx' to identify users but there are still users relying on Distinguished Names (DN). You must first run 'usermanager alter --update-ids-using DN'.

```
[Server]
SenderEmail = studio@Domain
Address = https://RConnect.Domain

[HTTP]
Listen = :3939

[SQLite]
Dir = /var/lib/rstudio-connect/db

[Server]
DataDir = /var/lib/rstudio-connect

[Authentication]
Provider = ldap

[LDAP "DOMAIN"]
ServerAddress = IP:389
BindDN = "CN=RStudio,CN=Users,DC=DOMAIN,DC=local"
BindPassword= "Password"
UserSearchBaseDN = "DC=DOMAIN,DC=local"
UniqueIdAttribute = objectGUID
UserFirstNameAttribute = GivenName
UserLastNameAttribute = Surname
UserObjectClass = User
UserEmailAttribute = UserPrincipalName
UsernameAttribute = SamAccountName
GroupNameAttribute = "CN=rstudio-users,CN=Users,DC=DOMAIN,DC=local"
GroupSearchBaseDN = DOMAIN
GroupFilterBase = objectClass={rstudio-user}

[Password]
WebSudoMode = true
WebSudoModeDuration = 5m
```

#10

Ahh yes. This is because you have already installed the 1.6.4 version and added users. :man_facepalming:

Honestly, going forward with 1.6.6 is your best bet for the future stability of your system. You also get a handful of exciting new features :slight_smile: Your options are either to:

Which approach is most desirable for you? I'm not sure how much of your previous install is worth keeping!

EDIT: Just for clarity, Connect versions prior to 1.6.6 used the DN as the unique identifier for users. This is problematic because DN can change over time.

EDIT2: If you place "```" (three backticks) before and after your config file, it makes the content more readable! I have been editing your responses to include those backticks, but wanted to be sure you knew how I was doing it! :slight_smile:


#11

Next Step :smiley:

I could log in, but when adding additional information it doesn't let me fill in an e-mail address ....


#12

That is usually set by UserEmailAttribute. It looks like you set UserEmailAttribute = UserPrincipalName. Do you have an AD field that provides the actual email address?

Also, you probably want to remove the [Password] header. You can set the same WebSudoMode and WebSudoModeDuration under the [LDAP "DOMAIN"] header (as specified here)

For all other authentication providers, the WebSudoMode and WebSudoModeDuration configuration options are available within the section pertaining to that provider.


#13

Hi cole,

me again :frowning:

With this config I will be prompted to enter Username but if I do so I get the red-banner-message that this is managed by the authentication provider ...

Do you have any idea?

```
; RStudio Connect configuration file

[Server]
SenderEmail = tech_rstudio@DOMAIN
Address = https://RConnect. DOMAIN

[HTTP]
Listen = :3939

[SQLite]
Dir = /var/lib/rstudio-connect/db

[Server]
DataDir = /var/lib/rstudio-connect

[Authentication]
Provider = ldap

[LDAP "DOMAIN"]
ServerAddress = IP:389
BindDN = "CN=RStudio,CN=Users,DC= DOMAIN,DC=local"
BindPassword= password
UserSearchBaseDN = "CN=Users,DC= DOMAIN,DC=local"
UsernameAttribute = "SamAccountName"
UserObjectClass = User
UserEmailAttribute = mail
UserFirstNameAttribute = GivenName
UserLastNameAttribute = SN
;UniqueIDAttribute = "objectSid"
WebSudoMode = true
WebSudoModeDuration = 5m

[Debug]
Log = ldap
```

#14

Very interesting!

Is the space before DOMAIN a function of replacing things? Or is that space expected?

Unfortunately, it sounds like there is something wrong with your LDAP configuration, which is very difficult for us to help with because we don't know which values are configured for your LDAP server. I would use this complete example for guidance, and then speak with an internal IT admin or fiddle with the configuration to pick up the values.

It sounds like the LDAP configuration is not accurately picking up the UsernameAttribute, which causes Connect to prompt for the value. Of course, you cannot actually input the value because LDAP should be providing the value.