cloudstack-users mailing list archives

From Rajani Karuturi <raj...@apache.org>
Subject Re: Link Domain to LDAP
Date Fri, 14 Oct 2016 11:02:28 GMT
You need not import the users manually. It should automatically sync.

In my installation with microsoftAD, this is how any entry in the
ldap_trust_map looks:
mysql> select * from ldap_trust_map where domain_id=7\G
*************************** 1. row ***************************
          id: 4
   domain_id: 7
        type: GROUP
        name: CN=acp-hyd,CN=Users,DC=acp,DC=accelerite,DC=com
account_type: 0
1 row in set (0.00 sec)

Any user who is a member of AD group
"CN=acp-hyd,CN=Users,DC=acp,DC=accelerite,DC=com" should be able to login
to domain with id 7. If a user doesn't exist, it will automatically create
one.


Check the below configuration values
ldap.provider: microsoftad
ldap.nested.groups.enable: true
ldap.search.group.principle: NULL

My sample configuration values:
mysql> select component,name,value,description from configuration where name like '%ldap%';
+-------------------+------------------------------+-------------------------------------------------------+---------------------------------------------------------------------------+
| component         | name                         | value                                                 | description                                                               |
+-------------------+------------------------------+-------------------------------------------------------+---------------------------------------------------------------------------+
| management-server | ldap.basedn                  | dc=acp,dc=accelerite,dc=com                           | Sets the basedn for LDAP                                                  |
| management-server | ldap.bind.password           | password                                              | Specifies the password to use for binding to LDAP                         |
| management-server | ldap.bind.principal          | CN=Administrator,CN=Users,DC=acp,DC=accelerite,DC=com | Specifies the bind principal to use for bind to LDAP                      |
| management-server | ldap.email.attribute         | mail                                                  | Sets the email attribute used within LDAP                                 |
| management-server | ldap.firstname.attribute     | givenname                                             | Sets the firstname attribute used within LDAP                             |
| management-server | ldap.group.object            | group                                                 | Sets the object type of groups within LDAP                                |
| management-server | ldap.group.user.uniquemember | member                                                | Sets the attribute for uniquemembers within a group                       |
| management-server | ldap.lastname.attribute      | sn                                                    | Sets the lastname attribute used within LDAP                              |
| LdapConfiguration | ldap.nested.groups.enable    | true                                                  | if true, nested groups will also be queried                               |
| LdapConfiguration | ldap.provider                | microsoftad                                           | ldap provider ex:openldap, microsoftad                                    |
| LdapConfiguration | ldap.read.timeout            | 1000                                                  | LDAP connection Timeout in milli sec                                      |
| LdapConfiguration | ldap.request.page.size       | 1000                                                  | page size sent to ldap server on each request to get user                 |
| management-server | ldap.search.group.principle  | NULL                                                  | Sets the principle of the group that users must be a member of (optional) |
| management-server | ldap.truststore              | NULL                                                  | Sets the path to the truststore to use for LDAP SSL                       |
| management-server | ldap.truststore.password     | NULL                                                  | Sets the password for the truststore                                      |
| management-server | ldap.user.object             | user                                                  | Sets the object type of users within LDAP                                 |
| management-server | ldap.username.attribute      | sAMAccountName                                        | Sets the username attribute used within LDAP                              |
+-------------------+------------------------------+-------------------------------------------------------+---------------------------------------------------------------------------+
17 rows in set (0.00 sec)


~ Rajani
http://cloudplatform.accelerite.com/

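The two checks above (a fully qualified DN in ldap_trust_map, and the provider/nested-groups/search-principle settings) can be scripted against the `\G` dumps. This is an added example, not CloudStack code: the `\G` parser, the function names and the sample rows are mine, and the OU branch of manual_search (searching under the OU's own DN) is an assumption rather than something the thread states.

```python
import re
# Constructed sample (not a live database): the ldap_trust_map row from this thread as "\G" text.
TRUST_MAP_DUMP = """\
*************************** 1. row ***************************
          id: 4
   domain_id: 7
        type: GROUP
        name: CN=acp-hyd,CN=Users,DC=acp,DC=accelerite,DC=com
account_type: 0
"""
# Subset of the ldap.* configuration values quoted in the thread.
CONFIG = {"ldap.provider": "microsoftad", "ldap.nested.groups.enable": "true",
          "ldap.search.group.principle": "NULL", "ldap.user.object": "user",
          "ldap.username.attribute": "sAMAccountName"}
DN_RE = re.compile(r"^\w+=[^,]+(,\w+=[^,]+)*$")  # loose "looks like a full DN" test

def parse_vertical(dump):
    """Parse mysql '\\G' (vertical) output into one dict per row."""
    rows, row = [], None
    for line in dump.splitlines():
        if line.startswith("****"):              # "*** N. row ***" separator
            row = {}
            rows.append(row)
        elif row is not None and ":" in line:
            key, _, value = line.partition(":")  # split on the first colon only
            row[key.strip()] = value.strip()
    return rows

def check_link(entry, config):
    """Return the misconfigurations that block logins for a linked domain."""
    problems = []
    if entry.get("type") not in ("GROUP", "OU"):
        problems.append("type must be GROUP or OU")
    if not DN_RE.match(entry.get("name", "")):
        problems.append("name is not a fully qualified DN")
    if (config.get("ldap.nested.groups.enable") == "true"
            and config.get("ldap.provider") != "microsoftad"):
        problems.append("nested groups need ldap.provider=microsoftad")
    if config.get("ldap.search.group.principle", "NULL") != "NULL":
        problems.append("ldap.search.group.principle should be NULL")
    return problems

def manual_search(entry, config):
    """(base, filter) for re-running the link's lookup with ldapsearch; GROUP uses
    memberof under the global basedn (base None), OU (assumed) searches the OU DN."""
    user_filter = "(objectClass=%s)(%s=*)" % (
        config["ldap.user.object"], config["ldap.username.attribute"])
    if entry["type"] == "GROUP":
        return None, "(&%s(memberof=%s))" % (user_filter, entry["name"])
    return entry["name"], "(&%s)" % user_filter
```
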
On Fri, Oct 14, 2016 at 2:23 PM, Stephan Seitz <s.seitz@secretresearchfacility.com> wrote:

> Hi,
>
> I'd verify the settings via mysql
>
> mysql> select * from ldap_configuration \G
> *************************** 1. row ***************************
>       id: 2
> hostname: YOUR_LDAP_SERVER
>     port: 636
>
> Also check if you're able to resolve the hostname and connect to it
> from your management host.
>
> mysql> select * from ldap_trust_map \G
> *************************** 1. row ***************************
>           id: 1
>    domain_id: 2
>         type: OU
>         name: dc=FOO,dc=BAR
> account_type: 0
>
> You'd also need to import the specific users. I checked them via
>
> mysql> select * from user where username="XXXXXX" \G
> *************************** X. row ***************************
>                       id: NNN
>                     uuid: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
>                 username: XXXXXX
>                 password: XXXXXXXXXXXXXXXXXXXXXX==:100000
>               account_id: NNN
>                firstname: John
>                 lastname: Doe
>                    email: XXXXX@XXXXXXXXXXXXXXXXXX
>                    state: enabled
>                  api_key: NULL
>               secret_key: NULL
>                  created: NNNN-NN-NN NN:NN:NN
>                  removed: NULL
>                 timezone: NULL
>       registration_token: NULL
>            is_registered: 0
> incorrect_login_attempts: 0
>                  default: 0
>                   source: LDAP
>          external_entity: NULL
>
>
>
> - Stephan
>
> Am Freitag, den 14.10.2016, 02:06 +0000 schrieb Marty Godsey:
> > I have confirmed that when I am attempting to login with the user
> > that is failing, or any user in the group specified for that matter,
> > the packets are not even hitting the domain controller. I did a
> > packet capture at the DC and logged in with a known AD user that is
> > already configured in another ACS domain. This ACS domain does not
> > have any LDAP bindings just the "default" LDAP settings. I was able
> > to see my packets hit the DC and authenticate. When attempting to log
> > in from a user in the linked domain, no packets are seen. Is there a
> > service or a library I need to check?
> >
> > Regards,
> > Marty Godsey
> >
> > -----Original Message-----
> > From: Marty Godsey [mailto:marty@gonsource.com]
> > Sent: Thursday, October 13, 2016 9:37 PM
> > To: users@cloudstack.apache.org
> > Subject: RE: Link Domain to LDAP
> >
> > Whenever I try to bind to LDAP using the user's credentials, it
> > works.
> >
> > root@cs3-mgmt:/var/log/cloudstack/management# ldapwhoami -vvv -h
> > x.x.x.x -p 389 -D "CN=John Doe,OU=test1,OU=test2,DC=mydomain,DC=com"
> > -x -w Password1234!
> > ldap_initialize( ldap://10.253.0.21:389 ) u:domain\john.doe
> > Result: Success (0)
> >
> > If I also run an ldapsearch on this user, it is successful.
> >
> > However upon trying to authenticate with the same credentials on the
> > ACS screen, I receive an incorrect password error. When I look in the
> > log file, all that is there is the following:
> >
> > Authentication failure:
> > {"loginresponse":{"uuidList":[],"errorcode":531,"errortext":"User is
> > not allowed CloudStack login"}}
> >
> > I have recreated this domain and linked it to GROUP and OU. Nested
> > groups is set to true in the ldap settings.
> >
> > Thoughts?
> >
> > Regards,
> > Marty Godsey
> >
> > -----Original Message-----
> > From: Rajani Karuturi [mailto:rajani@apache.org]
> > Sent: Wednesday, October 12, 2016 3:01 AM
> > To: users@cloudstack.apache.org
> > Subject: Re: Link Domain to LDAP
> >
> > Yes, you can have LDAP configured at global and domain level.
> > Did you give fully qualified name of GROUP/OU while linking?
> >
> > Easiest way to debug is to run the ldap query manually and see if it
> > returns any results:
> >
> > ldapsearch -x -h hostname -p port -b "basedn" -s sub -D "username" -w password \
> >   "(&(objectClass=user)(sAMAccountName=*)(memberof=linked_group_name))"
> >
> > Also check that `ldap.provider` is set to correct value and there are
> > direct users in the group.
> > Nested groups will only work with MicrosoftAD provider and with
> > configuration `ldap.nested.groups.enable` set to true.
> >
> > There is a demo of the feature at
> > https://youtu.be/GI9b9MiOQkw?t=4m10s
> >
> > Thanks,
> > ~ Rajani
> > http://cloudplatform.accelerite.com/
> >
> > On October 12, 2016 at 6:23 AM, Marty Godsey (marty@gonsource.com) wrote:
> > Hello,
> >
> > I have an ACS 4.9 instance that runs well with no issues. I have
> > enabled LDAP authentication at the Global Level and this works
> > without issue. The question I have is the "Link Domain to LDAP"
> > function at the domain level. I have a domain that I want to auto
> > sync. I added this sub domain (let's call it ROOT/LDAPTest) that I
> > configured with the DN of the group I am wanting to populate from (I
> > also attempted this with the OU setting as well) and the user that
> > was created cannot authenticate nor are any of the test accounts in
> > Active Directory being created in ACS.
> >
> > I have LDAP configured globally and I also, as a test, made the user
> > part of the group I indicated for "LDAP Accounts" and the user shows
> > up, but the "Link Domain to LDAP" does not seem to work. I tried
> > looking in the logs and did not see any error or attempts to query
> > Active Directory.
> >
> > Is this a broken function? Can you have both globally set LDAP
> > settings and "Link Domain to LDAP" settings?
> >
> > Regards,
> > Marty Godsey
>
