cloudstack-users mailing list archives

From 不坏阿峰 <onlydeb...@gmail.com>
Subject Re: How is Cloudstack work with Active Directory
Date Mon, 26 Aug 2013 08:49:08 GMT
Thank you for your quick reply.
I hope that CS 4.2 can use an external LDAP server easily.

And is there some script to import AD LDAP users into CS?



2013/8/26 Suresh Sadhu <Suresh.Sadhu@citrix.com>:
> Please find my answers below:
>
>
> -----Original Message-----
> From: 不坏阿峰 [mailto:onlydebian@gmail.com]
> Sent: 26 August 2013 13:21
> To: users@cloudstack.apache.org
> Subject: Re: How is Cloudstack work with Active Directory
>
> About my question: when using Active Directory LDAP for
> authentication, if I want to use 3 users in AD, do I need to create 3 of the same
> accounts in CS?
>
> *******************sadhu**********
> Yes, as per the current implementation it requires the same accounts in CS.
> ****************
> Just now I tested using dota; this user exists both on AD and CS, just with
> different passwords. I tested using dota with the user's password in AD, and it can
> log in.
>
> In my experience, if you use an LDAP server, you just need one user to bind to the
> LDAP, then you can query and do authentication for all users in the
> specific OU. But CS seems somewhat different.
>
> **************sadhu*******
> Yes, you are right. One user is enough to bind and the rest of the users will validate, but in
> the CS case initial verification happens at the DB level and if it fails then authentication happens
> at the LDAP level. Due to this reason (first-level authentication happening at the DB level) you
> need to create the same user (like the same user with a different password) in CS as well. Hope this
> info will help.
> *********
>
> Could you explain it?
>
> Thanks
>
> 2013/8/26 Ian Duffy <ian@ianduffy.ie>:
>> Try sAMAccountName=%u
>>
>>
>> On 26 August 2013 03:15, 不坏阿峰 <onlydebian@gmail.com> wrote:
>>
>>> In AD 2008 there is no uid, so I use disPlayname=%u; %u is the
>>> CloudStack username.
>>>
>>> I also followed this, installed cloudmonkey and ran ldapconfig.
>>>
>>> http://kirkjantzer.blogspot.com/2013/03/ldap-authentication-in-cloudstack-v401.html
>>>
>>> >  ldap config hostname=192.168.123.61 searchbase=ou=member,DC=lab,DC=com
>>> queryfilter=(diaplayname=%u) binddn=CN=dota,ou=member,DC=lab,DC=com
>>> bindpass=123@lab port=389
>>> ldapconfig:
>>> binddn = CN=dota,ou=member,DC=lab,DC=com
>>> hostname = 192.168.123.61
>>> port = false
>>> queryfilter = (diaplayname=%u)
>>> searchbase = ou=member,DC=lab,DC=com
>>>
>>> >> Dn: CN=dota,OU=member,DC=lab,DC=com
>>> 0> objectClass:
>>> 0> cn:
>>> 0> distinguishedName:
>>> 0> instanceType:
>>> 0> whenCreated:
>>> 0> whenChanged:
>>> 0> displayName:
>>> 0> uSNCreated:
>>> 0> uSNChanged:
>>> 0> name:
>>> 0> objectGUID:
>>> 0> userAccountControl:
>>> 0> badPwdCount:
>>> 0> codePage:
>>> 0> countryCode:
>>> 0> badPasswordTime:
>>> 0> lastLogoff:
>>> 0> lastLogon:
>>> 0> pwdLastSet:
>>> 0> primaryGroupID:
>>> 0> objectSid:
>>> 0> accountExpires:
>>> 0> logonCount:
>>> 0> sAMAccountName:
>>> 0> sAMAccountType:
>>> 0> userPrincipalName:
>>> 0> objectCategory:
>>> 0> dSCorePropagationData:
>>> 0> lastLogonTimestamp:
>>>
>>> 2013/8/25 Kirk Jantzer <kirk.jantzer@gmail.com>:
>>> > It appears your queryfilter may be incorrect - You are trying to match the
>>> > %u in CloudStack to 'disPlayname' in AD? Verify that whatever you put into
>>> > the username field in CS matches whatever is in the 'disPlayname' field in
>>> > AD (this can be found by opening AD Users and Computers, selecting the menu
>>> > option to show advanced properties, then looking at the user, then clicking
>>> > the 'attributes' tab).
>>> >
>>> >
>>> > Regards,
>>> >
>>> > Kirk Jantzer
>>> > http://about.met/kirkjantzer
>>> >
>>> >
>>> > On Sat, Aug 24, 2013 at 12:48 PM, 不坏阿峰 <onlydebian@gmail.com> wrote:
>>> >
>>> >> CloudStack 4.1.1
>>> >> (1). I created the same user, dota, on Active Directory and CS.
>>> >> (2). I have tested an LDAP query with binddn cn=dota,ou=member,dc=lab,dc=com;
>>> >> it is OK, so the Active Directory LDAP is ready.
>>> >> (3). There are two users under ou=member,dc=lab,dc=com: dota, csuser01.
>>> >> (4). Enabled integration.api.port=8096 and restarted CS management.
>>> >>
>>> >> Q1: From the CS log the LDAP server is configured, but the IE response is false.
>>> >> What is the correct information?
>>> >>
>>> >> Q2: How many users should be created on both Active Directory and CS?
>>> >> Or only one for the LDAP config, with Active Directory creating the other users just
>>> >> for CS use?
>>> >>
>>> >> Q3: What will change in the UI when the LDAP config succeeds? Can I see users
>>> >> imported from Active Directory? Can I use csuser01 to log in to CS? (I tried to
>>> >> log in but it failed.)
>>> >>
>>> >>
>>> >>
>>> >>
>>> >> http://192.168.230.2:8096/client/api?command=ldapConfig&hostname=192.168.123.61&searchbase=OU%3Dmember%2CDC%3Dlab%2CDC%3Dcom&queryfilter=%28%26%28disPlayname%3D%25u%29%29&binddn=CN%3Ddota%2COU%3Dmember%2CDC%3Dlab%2CDC%3Dcom&bindpass=123@lab&port=389&response=json
>>> >>
>>> >> ####### Got  this response:#####
>>> >> { "ldapconfigresponse" :  { "ldapconfig" :
>>> >> {"hostname":"192.168.123.61","port":"false","searchbase":"OU=member,DC=lab,DC=com","queryfilter":"(&(disPlayname=%u))","binddn":"CN=dota,OU=member,DC=lab,DC=com"}
>>> >> }  }
>>> >>
>>> >> #######  CS log  #########
>>> >> 2013-08-24 21:10:44,453 DEBUG
>>> >> [cloud.configuration.ConfigurationManagerImpl] (ApiServer-4:null) The
>>> >> ldap server is configured: 192.168.123.61
>>> >>
>>> >> ######## Other things I checked ######
>>> >> (1) In CS 4.1.1, sharedFunctions.js, var md5HashedLogin = false
>>> >> (2) When creating dota in CS, for "Network Domain" I put lab.com, and for username
>>> >> I put dota
>>> >>
>>>
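As an added example (not code from this thread, from CloudStack or from any of the posters), the following Python script mirrors the diagnosis the thread arrives at: it compares the attribute names used in a queryfilter against the attributes the quoted AD user entry actually carries, substitutes the `%u` placeholder with RFC 4515 escaping so the CloudStack username is compared as a literal value, and builds the `ldapConfig` integration-API URL with correct percent-encoding. The attribute list is constructed from the LDP dump quoted above, the filter grammar handled is the simple `(attr=value)` / `(&(...)(...))` shape seen in the thread, and the URL layout follows the one posted; none of it was run against a live AD or CloudStack 4.1.1.

```python
"""Check a CloudStack ldapConfig queryfilter against an AD user entry and
substitute %u safely. Added example; not CloudStack code.

Assumptions (constructed from the thread, not verified against a live AD):
  - AD_USER_ATTRIBUTES lists the attribute names shown in the quoted LDP dump.
  - queryfilter uses CloudStack's %u placeholder and the simple (attr=value)
    / (&(...)(...)) filter shape seen in the thread.
"""
import re
from urllib.parse import urlencode

# Attribute names present on the quoted user entry (constructed from the thread's dump).
AD_USER_ATTRIBUTES = {
    "objectClass", "cn", "distinguishedName", "instanceType", "whenCreated",
    "whenChanged", "displayName", "uSNCreated", "uSNChanged", "name", "objectGUID",
    "userAccountControl", "badPwdCount", "codePage", "countryCode", "badPasswordTime",
    "lastLogoff", "lastLogon", "pwdLastSet", "primaryGroupID", "objectSid",
    "accountExpires", "logonCount", "sAMAccountName", "sAMAccountType",
    "userPrincipalName", "objectCategory", "dSCorePropagationData", "lastLogonTimestamp",
}

# Matches "(attr=" at the start of each simple filter item; attribute
# descriptions are letters, digits and hyphens.
_ATTR_RE = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=")


def filter_attributes(queryfilter):
    """Attribute names referenced by a filter, e.g. ['sAMAccountName'] for
    (sAMAccountName=%u) or (&(objectClass=user)(sAMAccountName=%u))."""
    return _ATTR_RE.findall(queryfilter)


def unknown_attributes(queryfilter, attributes=AD_USER_ATTRIBUTES):
    """Attributes in the filter that the user entry does not carry.

    LDAP attribute names are case-insensitive, so (disPlayname=%u) is accepted
    (it is displayName), while the mistyped (diaplayname=%u) is flagged: a
    filter naming a non-existent attribute matches nothing, and every LDAP
    login then fails without an obvious error."""
    known = {a.lower() for a in attributes}
    return [a for a in filter_attributes(queryfilter) if a.lower() not in known]


def escape_filter_value(value):
    """RFC 4515 escaping for a value dropped into a filter. Without this, a
    username containing '*', '(', ')', '\\' or NUL would change the shape of
    the filter instead of being compared as a literal string."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def render_filter(queryfilter, username):
    """Replace CloudStack's %u placeholder with the escaped username."""
    return queryfilter.replace("%u", escape_filter_value(username))


def ldapconfig_url(base, hostname, searchbase, queryfilter, binddn, bindpass, port=389):
    """Build the integration-API ldapConfig request the thread issues by hand.

    urlencode() handles the characters that are easy to get wrong when typing
    the URL: '%u' must travel as '%25u' and '@' in bindpass as '%40'. The
    integration API port (8096) does not authenticate callers, so it should
    only be reachable from the management host itself."""
    params = {
        "command": "ldapConfig",
        "hostname": hostname,
        "searchbase": searchbase,
        "queryfilter": queryfilter,
        "binddn": binddn,
        "bindpass": bindpass,
        "port": str(port),
        "response": "json",
    }
    return base.rstrip("/") + "/client/api?" + urlencode(params)


if __name__ == "__main__":
    for f in ["(diaplayname=%u)", "(&(disPlayname=%u))", "(sAMAccountName=%u)"]:
        missing = unknown_attributes(f)
        print(f, "->", "unknown attribute(s): %s" % missing if missing else "ok")
    print(render_filter("(sAMAccountName=%u)", "dota"))
    print(ldapconfig_url("http://192.168.230.2:8096", "192.168.123.61",
                         "OU=member,DC=lab,DC=com", "(&(sAMAccountName=%u))",
                         "CN=dota,OU=member,DC=lab,DC=com", "123@lab"))
```

Running it shows the two distinct problems in the thread: the `(diaplayname=%u)` filter from the cloudmonkey session names an attribute the entry does not have, while `(&(disPlayname=%u))` from the API call is a valid attribute name (case does not matter in LDAP), so with that filter the question is only whether the value in `displayName` equals the CS username, which is Kirk's point and why `sAMAccountName=%u` is the usual choice for AD.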
