cloudstack-users mailing list archives

From Antonio Packery <Antonio.Pack...@t-systems.co.za>
Subject Re: AD LDAP authentication failing post CS 4.2.1 to CS 4.3 upgrade
Date Fri, 04 Apr 2014 11:24:24 GMT
Both user ldap authentication and import are not working.

The service account used does have the necessary privileges to query the AD DC.

No change to the AD account since I configured LDAP in CS 4.2.1 and until yesterday when I
upgraded to CS 4.3, all was still working.

On 04/04/2014 01:07 PM, Ian Duffy wrote:

Just to confirm, is both authentication and import not working or just import?

If just import does the assigned bind user have the correct rights to
query the specified dc?

On 4 April 2014 12:04, Antonio Packery <Antonio.Packery@t-systems.co.za> wrote:
> I have removed and re-added the ldap server previously.
>
> I can see the log entries for the tasks you mentioned below in the catalina.out log but
> nothing when trying to import a new ldap user.
>
> Busy doing default ldapsearch tests against the AD ldap to confirm this works.
>
> On 04/04/2014 12:53 PM, Ian Duffy wrote:
>
> CCing Rajani on this to see if she has any ideas.....
>
> If you haven't done so already can you try remove/re-add the LDAP
> server via the UI.
>
>> Are there any logs in cloudstack that records the ldap activity?
>
> On failed adding of a LDAP server you will get a message back saying
> so and the server will not add.
>
> On authentication failure of an ldap user it will appear in the cloudstack logs.
>
> On 4 April 2014 11:47, Antonio Packery <Antonio.Packery@t-systems.co.za> wrote:
>> Hi Ian,
>>
>> Change ldap.user.object to user but still no change.
>>
>> Busy sniffing the ldap server connection for any errors.
>>
>> Are there any logs in cloudstack that records the ldap activity?
>>
>> Regards
>> Antonio
>>
>> On 04/04/2014 12:14 PM, Ian Duffy wrote:
>>
>> Interesting, they look OK.
>>
>> Can you change ldap.user.object to have the value user then restart
>> the management server and check if things are back working as
>> expected.
>>
>> Thanks,
>> Ian
>>
>>
>> On 4 April 2014 11:11, Antonio Packery <Antonio.Packery@t-systems.co.za> wrote:
>>> Hi Ian,
>>>
>>> Here they are, ldap server via port 389 is being used.
>>>
>>> ldap.basedn    The search base defines the starting point for the search in the directory tree Example: dc=cloud,dc=com.    dc=....dc=....,dc=...
>>> ldap.bind.principal    Specify the distinguished name of a user with the search permission on the directory    CN=...,OU=...,DC=....,DC=.....,DC=.....
>>> ldap.email.attribute    Sets the email attribute used within LDAP    mail
>>> ldap.firstname.attribute    Sets the firstname attribute used within LDAP    givenname
>>> ldap.group.object    Sets the object type of groups within LDAP    groupOfUniqueNames
>>> ldap.group.user.uniquemember    Sets the attribute for uniquemembers within a group    uniquemember
>>> ldap.lastname.attribute    Sets the lastname attribute used within LDAP    sn
>>> ldap.search.group.principle    Sets the principle of the group that users must be a member of
>>> ldap.truststore    Enter the path to trusted keystore
>>> ldap.truststore.password    Enter the password for trusted keystore
>>> ldap.user.object = inetOrgPerson
>>> ldap.username.attribute = sAMAccountName
>>>
>>> Regards
>>> Antonio
>>>
>>> On 04/04/2014 11:47 AM, Ian Duffy wrote:
>>>
>>> Hi Antonio,
>>>
>>> Can you confirm the values for the settings in global settings
>>> starting with "ldap."
>>>
>>> Since you mentioned AD I'm specifically interested in
>>> ldap.username.attribute and ldap.user.object
>>>
>>> Thanks,
>>> Ian
>>>
>>> On 4 April 2014 10:36, Antonio Packery <Antonio.Packery@t-systems.co.za> wrote:
>>>> Hi,
>>>>
>>>> Since upgrading to CS 4.3 my AD LDAP authentication no longer works.  All
>>>> my previous do seem to have been retained but I am not able to import any LDAP users.
>>>>
>>>> Are there any log/configuration files I can check for errors?
>>>>
>>>> Also, any guidance on the correct syntax, ldap attributes to be using for
>>>> AD would help.
>>>>
>>>> Regards
>>>> Antonio
>>>>
>>>>
>>>>
>>>> Disclaimer: This message and/or attachment(s) may contain privileged, confidential
>>>> and/or personal information. If you are not the intended recipient you may not disclose or
>>>> distribute any of the information contained within this message. In such case you must destroy
>>>> this message and inform the sender of the error. T-Systems does not accept liability for any
>>>> errors, omissions, information and viruses contained in the transmission of this message.
>>>> Any opinions, conclusions and other information contained within this message not related
>>>> to T-Systems' official business is deemed to be that of the individual only and is not endorsed
>>>> by T-Systems.
>>>>
>>>> This message and/or attachment(s) may contain privileged or confidential
>>>> information. If you are not the intended recipient you may not disclose or
>>>> distribute any of the information contained within this message. In such
>>>> case you must destroy this message and inform the sender of the error.
>>>> T-Systems does not accept liability for any errors, omissions, information
>>>> and viruses contained in the transmission of this message. Any opinions,
>>>> conclusions and other information contained within this message not related
>>>> to T-Systems' official business is deemed to be that of the individual only
>>>> and is not endorsed by T-Systems.
>>>>
>>>> T-Systems - Business Flexibility