cloudstack-users mailing list archives

From Antonio Packery <Antonio.Pack...@t-systems.co.za>
Subject Re: AD LDAP authentication failing post CS 4.2.1 to CS 4.3 upgrade
Date Tue, 08 Apr 2014 08:41:14 GMT
Thanks Ian,

Does your ldap bind principal user have any special permissions?

I have re-validated all my settings but still don't get an LDAP user list from which to select.

Could it be too many users to list? AD has in excess of 10000 accounts.

Is there an API command I can use to test my ldap settings, maybe via cloudmonkey?

On 04/08/2014 08:03 AM, Ian Duffy wrote:

> Can you please confirm your global ldap settings?

Screen shot of them here: http://imgur.com/adnlmSS

> Are you able to ‎import ldap users from AD?

Yes. http://imgur.com/df29OOm

On 7 April 2014 20:44, Antonio Packery <Antonio.Packery@t-systems.co.za> wrote:
> Hi Ian,
>
> Can you please confirm your global ldap settings?
>
> Are you able to ‎import ldap users from AD?
>
>   Original Message
> From: Ian Duffy
> Sent: Monday 7 April 2014 21:22
> To: users@cloudstack.apache.org
> Reply To: users@cloudstack.apache.org
> Subject: Re: AD LDAP authentication failing post CS 4.2.1 to CS 4.3 upgrade
>
>
> Hi All,
>
> Just after trying to recreate the issue, I failed to do so successfully.
>
> I installed 4.2, configured LDAP, verified it worked. Upgraded to 4.3,
> logged in as admin, verified the LDAP configuration was present.
> Logged out and attempted to login as an LDAP user.
>
> On 7 April 2014 19:17, Suresh Sadhu <Suresh.Sadhu@citrix.com> wrote:
>> It seems there is a problem and values are not configured properly after upgrade. Please log a defect.
>>
>> Hope you set the following attributes .
>>
>> Ldap.basedn
>> Ldap.bind.password
>> Ldap.username.attribute- sAMAccountName
>> Ldap.user.object --user
>> Ldap.search.group.principle
>>
>> All the above fields are mandatory.
>>
>> Work around I followed is: used old api to register ldap and created same AD user in CS. And make sure that all global parameters set.
>>
>> http://localhost:8096/client/api?command=ldapConfig&binddn=CN%3Dtest%2CCN%3DUsers%2CDC%3Dhyd-qa%2CDC%3Dcom&bindpass=aaaa_1111&hostname=ADserver&searchbase=CN%3DUsers%2CDC%3Dhyd-qa%2CDC%3Dcom&queryfilter=%28%26%28mail%3D%25e%29%29&port=389&ssl=false&response=json
>>
>>
>> Regards
>> Sadhu
>>
>>
>>
>> -----Original Message-----
>> From: Antonio Packery [mailto:Antonio.Packery@t-systems.co.za]
>> Sent: 07 April 2014 18:52
>> To: users@cloudstack.apache.org
>> Subject: Re: AD LDAP authentication failing post CS 4.2.1 to CS 4.3 upgrade
>>
>> Hi Sadhu,
>>
>> No changes from when I had AD authentication configured on ACS 4.2.1 where all worked fine.
>>
>> Still no joy with ldap authentication on ACS 4.3.0 even with the steps listed below.
>>
>> Regards
>> Antonio
>>
>> On 04/07/2014 06:31 AM, Suresh Sadhu wrote:
>>
>> HI Antonio,
>>
>> Hope Registered user has list capabilities .
>>
>>
>> I think there is an issue while importing an ldap user: if any user has missing attributes (like mail, user name), it fails to import the user successfully, but if we create the same AD user in cloudstack manually with a different password and try to login with the AD user with the AD password, I am able to login successfully.
>>
>> Assume AD user: test, password: aaaa_1111. Try below scenario:
>>
>> 1. make sure AD user has list capabilities or better try with user with admin privileges
>> 2. register ldap by providing ldap IP and port
>> 3. provide the required parameters in the global configuration
>> 4. restart the MS
>> 5. create a same AD user with different password (user: test, password: password) in cs manually
>> 6. try to login with AD user with AD password (user: test, password: aaaa_1111)
>>
>> Hope this will help.
>>
>> Regards
>> Sadhu
>>
>>
>>
>>
>> -----Original Message-----
>> From: Antonio Packery [mailto:Antonio.Packery@t-systems.co.za]
>> Sent: 06 April 2014 16:43
>> To: users@cloudstack.apache.org
>> Subject: Re: AD LDAP authentication failing post CS 4.2.1 to CS 4.3 upgrade
>>
>> Hi Sadhu,
>>
>> Here are the ldap log entries,
>> 2014-04-06 12:49:26,428 INFO  [o.a.c.s.m.m.i.DefaultModuleDefinitionSet] (main:null) Module Hierarchy:         ldap
>> 2014-04-06 12:49:53,127 INFO  [o.a.c.s.m.m.i.DefaultModuleDefinitionSet] (main:null) Loading module context [ldap] from URL [jar:file:/usr/share/cloudstack-management/webapps/client/WEB-INF/lib/cloud-plugin-user-authenticator-ldap-4.3.0.jar!/META-INF/cloudstack/ldap/spring-ldap-context.xml]
>> 2014-04-06 12:49:53,127 INFO  [o.a.c.s.m.m.i.DefaultModuleDefinitionSet] (main:null) Loading module context [ldap] from URL [jar:file:/usr/share/cloudstack-management/webapps/client/WEB-INF/lib/cloud-core-4.3.0.jar!/META-INF/cloudstack/api/spring-core-lifecycle-api-context-inheritable.xml]
>> 2014-04-06 12:49:53,127 INFO  [o.a.c.s.m.m.i.DefaultModuleDefinitionSet] (main:null) Loading module context [ldap] from URL [jar:file:/usr/share/cloudstack-management/webapps/client/WEB-INF/lib/cloud-core-4.3.0.jar!/META-INF/cloudstack/core/spring-core-lifecycle-core-context-inheritable.xml]
>> 2014-04-06 12:49:53,127 INFO  [o.a.c.s.m.m.i.DefaultModuleDefinitionSet] (main:null) Loading module context [ldap] from URL [jar:file:/usr/share/cloudstack-management/webapps/client/WEB-INF/lib/cloud-core-4.3.0.jar!/META-INF/cloudstack/system/spring-core-system-context-inheritable.xml]
>> 2014-04-06 12:49:53,127 INFO  [o.a.c.s.m.m.i.DefaultModuleDefinitionSet] (main:null) Loading module context [ldap] from URL [jar:file:/usr/share/cloudstack-management/webapps/client/WEB-INF/lib/cloud-framework-config-4.3.0.jar!/META-INF/cloudstack/system/spring-framework-config-system-context-inheritable.xml]
>> 2014-04-06 12:49:53,127 INFO  [o.a.c.s.m.m.i.DefaultModuleDefinitionSet] (main:null) Loading module context [ldap] from URL [jar:file:/usr/share/cloudstack-management/webapps/client/WEB-INF/lib/cloud-core-4.3.0.jar!/META-INF/cloudstack/bootstrap/spring-bootstrap-context-inheritable.xml]
>> 2014-04-06 12:49:53,330 DEBUG [o.a.c.s.l.r.RegistryLifecycle] (main:null) Registered org.apache.cloudstack.ldap.LdapAuthenticator@20090eb6
>> 2014-04-06 12:49:53,334 DEBUG [o.a.c.s.l.r.RegistryLifecycle] (main:null) Registered org.apache.cloudstack.ldap.LdapAuthenticator@20090eb6
>> 2014-04-06 12:49:53,334 DEBUG [o.a.c.s.l.r.RegistryLifecycle] (main:null) Registered org.apache.cloudstack.ldap.LdapManagerImpl@6852fbac
>> 2014-04-06 12:49:53,340 INFO  [o.a.c.s.m.m.i.DefaultModuleDefinitionSet] (main:null) Loaded module context [ldap] in 214 ms
>> 2014-04-06 12:50:01,159 DEBUG [o.a.c.d.ApiDiscoveryServiceImpl] (main:null) getting api commands of service: org.apache.cloudstack.ldap.LdapManagerImpl
>> 2014-04-06 12:50:01,586 INFO  [o.a.c.s.m.m.i.DefaultModuleDefinitionSet] (main:null) Starting module [ldap]
>>
>> Ldap does seem to be configured correctly, but it appears an ldap lookup is not initiated when trying to add an LDAP user via the CloudStack UI.
>>
>> Regards
>> Antonio
>>
>> On 04/04/2014 01:12 PM, Suresh Sadhu wrote:
>>
>> Can you post the logs ,we used to log ldap transactions in management log.
>> Are you hitting any nullpointer exception.
>>
>>
>> Make sure active directory user has defined email address in AD.
>>
>> Regards
>> Sadhu
>>
>>
>>
>> -----Original Message-----
>> From: Ian Duffy [mailto:ian@ianduffy.ie]
>> Sent: 04 April 2014 16:24
>> To: users@cloudstack.apache.org
>> Cc: Rajani Karuturi
>> Subject: Re: AD LDAP authentication failing post CS 4.2.1 to CS 4.3 upgrade
>>
>> CCing Rajani on this to see if she has any ideas.....
>>
>> If you haven't done so already, can you try to remove/re-add the LDAP server via the UI.
>>
>>> Are there any logs in cloudstack that records the ldap activity?
>>
>> On failed adding of an LDAP server you will get a message back saying so and the server will not add.
>>
>> On authentication failure of an ldap user it will appear in the cloudstack logs.
>>
>> On 4 April 2014 11:47, Antonio Packery <Antonio.Packery@t-systems.co.za> wrote:
>>> Hi Ian,
>>>
>>> Change ldap.user.object to user but still no change.
>>>
>>> Busy sniffing the ldap server connection for any errors.
>>>
>>> Are there any logs in cloudstack that records the ldap activity?
>>>
>>> Regards
>>> Antonio
>>>
>>> On 04/04/2014 12:14 PM, Ian Duffy wrote:
>>>
>>> Interesting, they look OK.
>>>
>>> Can you change ldap.user.object to have the value user then restart
>>> the management server and check if things are back working as
>>> expected.
>>>
>>> Thanks,
>>> Ian
>>>
>>>
>>> On 4 April 2014 11:11, Antonio Packery <Antonio.Packery@t-systems.co.za> wrote:
>>>> Hi Ian,
>>>>
>>>> Here they are, ldap server via port 389 is being used.
>>>>
>>>> ldap.basedn    The search base defines the starting point for the search in the directory tree Example: dc=cloud,dc=com.    dc=....dc=....,dc=...
>>>> ldap.bind.principal    Specify the distinguished name of a user with the search permission on the directory    CN=...,OU=...,DC=....,DC=.....,DC=.....
>>>> ldap.email.attribute    Sets the email attribute used within LDAP    mail
>>>> ldap.firstname.attribute    Sets the firstname attribute used within LDAP    givenname
>>>> ldap.group.object    Sets the object type of groups within LDAP    groupOfUniqueNames
>>>> ldap.group.user.uniquemember    Sets the attribute for uniquemembers within a group    uniquemember
>>>> ldap.lastname.attribute    Sets the lastname attribute used within LDAP    sn
>>>> ldap.search.group.principle    Sets the principle of the group that users must be a member of
>>>> ldap.truststore    Enter the path to trusted keystore
>>>> ldap.truststore.password    Enter the password for trusted keystore
>>>> ldap.user.object = inetOrgPerson
>>>> ldap.username.attribute = sAMAccountName
>>>>
>>>> Regards
>>>> Antonio
>>>>
>>>> On 04/04/2014 11:47 AM, Ian Duffy wrote:
>>>>
>>>> Hi Antonio,
>>>>
>>>> Can you confirm the values for the settings in global settings
>>>> starting with "ldap."
>>>>
>>>> Since you mentioned AD I'm specifically interested in
>>>> ldap.username.attribute and ldap.user.object
>>>>
>>>> Thanks,
>>>> Ian
>>>>
>>>> On 4 April 2014 10:36, Antonio Packery <Antonio.Packery@t-systems.co.za> wrote:
>>>>> Hi,
>>>>>
>>>>> Since upgrading to CS 4.3 my AD LDAP authentication no longer works. All my previous do seem to have been retained, but I am not able to import any LDAP users.
>>>>>
>>>>> Are there any log/configuration files i can check for errors?
>>>>>
>>>>> Also, any guidance on the correct syntax and ldap attributes to be using for AD would help.
>>>>>
>>>>> Regards
>>>>> Antonio
>>>>>
>>>>
>>>
>>
>>
>


Disclaimer: This message and/or attachment(s) may contain privileged, confidential and/or
personal information. If you are not the intended recipient you may not disclose or distribute
any of the information contained within this message. In such case you must destroy this message
and inform the sender of the error. T-Systems does not accept liability for any errors, omissions,
information and viruses contained in the transmission of this message. Any opinions, conclusions
and other information contained within this message not related to T-Systems' official business
is deemed to be that of the individual only and is not endorsed by T-Systems.
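The legacy ldapConfig call Sadhu quoted and the ldap.* global settings Ian asked about, worked through as an added Python example that is not part of this thread or of CloudStack's own code: it percent-decodes the ldapConfig URL (masking bindpass so the result can be logged), builds a user lookup filter of the shape the 4.3 LDAP plugin issues (the exact filter form is my assumption), and flags settings that will not match Active Directory entries. The constant names, the settings dict and the helper functions are mine.

```python
"""Added example: decode the thread's ldapConfig call and sanity-check the
ldap.* global settings for an Active Directory backend."""
from urllib.parse import urlsplit, parse_qs

# The ldapConfig URL quoted in the thread (with the test credentials posted
# there). Port 8096 is CloudStack's unauthenticated integration API port, so
# such a call belongs on the management server's loopback interface only.
LDAPCONFIG_URL = (
    "http://localhost:8096/client/api?command=ldapConfig"
    "&binddn=CN%3Dtest%2CCN%3DUsers%2CDC%3Dhyd-qa%2CDC%3Dcom&bindpass=aaaa_1111"
    "&hostname=ADserver&searchbase=CN%3DUsers%2CDC%3Dhyd-qa%2CDC%3Dcom"
    "&queryfilter=%28%26%28mail%3D%25e%29%29&port=389&ssl=false&response=json"
)
SENSITIVE_PARAMS = ("bindpass",)

# Global settings as Antonio posted them, with ldap.user.object changed to
# "user" as Ian suggested (a plain dict constructed for this example).
AD_SETTINGS = {
    "ldap.user.object": "user",
    "ldap.username.attribute": "sAMAccountName",
    "ldap.email.attribute": "mail",
    "ldap.firstname.attribute": "givenname",
    "ldap.lastname.attribute": "sn",
}


def decode_ldapconfig(url):
    """Percent-decode an ldapConfig API URL into a dict, masking secrets."""
    query = urlsplit(url).query
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    for key in SENSITIVE_PARAMS:
        if key in params:
            params[key] = "***"
    return params


def escape_filter_value(value):
    """RFC 4515 escaping: a login name must not be able to alter the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def user_search_filter(settings, username):
    """Filter of the shape the 4.3 LDAP plugin issues to find a login name
    (assumption: AND of objectClass and the username attribute)."""
    return "(&(objectClass=%s)(%s=%s))" % (
        settings["ldap.user.object"],
        settings["ldap.username.attribute"],
        escape_filter_value(username),
    )


def check_ad_settings(settings):
    """Return the settings that will not match Active Directory user entries."""
    problems = []
    if settings.get("ldap.user.object") != "user":
        problems.append("ldap.user.object: AD accounts carry objectClass 'user'; "
                        "ordinary AD accounts are not inetOrgPerson")
    if settings.get("ldap.username.attribute") != "sAMAccountName":
        problems.append("ldap.username.attribute: AD login names are sAMAccountName")
    if settings.get("ldap.email.attribute") != "mail":
        problems.append("ldap.email.attribute: AD stores addresses in 'mail'")
    return problems


if __name__ == "__main__":
    for k, v in sorted(decode_ldapconfig(LDAPCONFIG_URL).items()):
        print("%-12s %s" % (k, v))
    print(user_search_filter(AD_SETTINGS, "test"))
    print(check_ad_settings(dict(AD_SETTINGS, **{"ldap.user.object": "inetOrgPerson"})))
```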
