I think I found my issue.. Standby..
Regards,
Marty Godsey
-----Original Message-----
From: Marty Godsey [mailto:marty@gonsource.com]
Sent: Friday, October 14, 2016 10:17 AM
To: users@cloudstack.apache.org
Subject: RE: Link Domain to LDAP
This is how this is set up.. One thing I see different, however, are my ldap settings. I am
going over 389 (for now); does this functionality require 636?
Regards,
Marty Godsey
-----Original Message-----
From: Rajani Karuturi [mailto:rajani@apache.org]
Sent: Friday, October 14, 2016 7:02 AM
To: Users <users@cloudstack.apache.org>
Subject: Re: Link Domain to LDAP
you need not import the users manually. It should automatically sync.
In my installation with microsoftAD, this is how any entry in the ldap_trust_map looks:
mysql> select * from ldap_trust_map where domain_id=7\G
*************************** 1. row ***************************
id: 4
domain_id: 7
type: GROUP
name: CN=acp-hyd,CN=Users,DC=acp,DC=accelerite,DC=com
account_type: 0
1 row in set (0.00 sec)
Any user who is a member of the AD group
"CN=acp-hyd,CN=Users,DC=acp,DC=accelerite,DC=com" should be able to log in to the domain with id
7. If a user doesn't exist, it will automatically create one.
Check the below configuration values
ldap.provider: microsoftad
ldap.nested.groups.enable: true
ldap.search.group.principle: NULL
My sample configuration values:
mysql> select component,name,value,description from configuration where name like '%ldap%';
+-------------------+------------------------------+-------------------------------------------------------+---------------------------------------------------------------------------+
| component         | name                         | value                                                 | description                                                               |
+-------------------+------------------------------+-------------------------------------------------------+---------------------------------------------------------------------------+
| management-server | ldap.basedn                  | dc=acp,dc=accelerite,dc=com                           | Sets the basedn for LDAP                                                  |
| management-server | ldap.bind.password           | password                                              | Specifies the password to use for binding to LDAP                         |
| management-server | ldap.bind.principal          | CN=Administrator,CN=Users,DC=acp,DC=accelerite,DC=com | Specifies the bind principal to use for bind to LDAP                      |
| management-server | ldap.email.attribute         | mail                                                  | Sets the email attribute used within LDAP                                 |
| management-server | ldap.firstname.attribute     | givenname                                             | Sets the firstname attribute used within LDAP                             |
| management-server | ldap.group.object            | group                                                 | Sets the object type of groups within LDAP                                |
| management-server | ldap.group.user.uniquemember | member                                                | Sets the attribute for uniquemembers within a group                       |
| management-server | ldap.lastname.attribute      | sn                                                    | Sets the lastname attribute used within LDAP                              |
| LdapConfiguration | ldap.nested.groups.enable    | true                                                  | if true, nested groups will also be queried                               |
| LdapConfiguration | ldap.provider                | microsoftad                                           | ldap provider ex:openldap, microsoftad                                    |
| LdapConfiguration | ldap.read.timeout            | 1000                                                  | LDAP connection Timeout in milli sec                                      |
| LdapConfiguration | ldap.request.page.size       | 1000                                                  | page size sent to ldap server on each request to get user                 |
| management-server | ldap.search.group.principle  | NULL                                                  | Sets the principle of the group that users must be a member of (optional) |
| management-server | ldap.truststore              | NULL                                                  | Sets the path to the truststore to use for LDAP SSL                       |
| management-server | ldap.truststore.password     | NULL                                                  | Sets the password for the truststore                                      |
| management-server | ldap.user.object             | user                                                  | Sets the object type of users within LDAP                                 |
| management-server | ldap.username.attribute      | sAMAccountName                                        | Sets the username attribute used within LDAP                              |
+-------------------+------------------------------+-------------------------------------------------------+---------------------------------------------------------------------------+
17 rows in set (0.00 sec)
~ Rajani
http://cloudplatform.accelerite.com/
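As an added example (not from Rajani's post or from CloudStack's own code), the checks listed above can be applied offline to the mysql output: a small Python script that parses the \G row of ldap_trust_map and the ldap configuration values, reproduces the manual ldapsearch filter, and flags a non-qualified DN, nested groups without the microsoftad provider, a non-NULL search principle, and port 636 with no truststore. The trust map text, the config dict and the port argument are constructed to mirror the thread, not live data.

```python
# Added example, not part of the thread: offline consistency check for a CloudStack
# "Link Domain to LDAP" setup. All input below is constructed to mirror the thread.
import re

TRUST_MAP_G = """\
*************************** 1. row ***************************
                  id: 4
           domain_id: 7
                type: GROUP
                name: CN=acp-hyd,CN=Users,DC=acp,DC=accelerite,DC=com
        account_type: 0
"""

# constructed subset of: select name,value from configuration where name like '%ldap%'
LDAP_CONFIG = {"ldap.provider": "microsoftad", "ldap.nested.groups.enable": "true",
               "ldap.search.group.principle": "NULL", "ldap.user.object": "user",
               "ldap.username.attribute": "sAMAccountName", "ldap.truststore": "NULL"}

def parse_vertical(text):
    """Turn one mysql \\G row into a dict column -> value ('NULL' stays as text)."""
    pairs = (re.match(r"\s*(\w+):\s?(.*)$", line) for line in text.splitlines())
    return {m.group(1): m.group(2).strip() for m in pairs if m}

def is_fully_qualified_dn(name):
    """Every RDN must be attr=value and one must be a DC component (escaped commas not handled)."""
    rdns = [r.strip() for r in name.split(",")]
    if not all(re.fullmatch(r"[A-Za-z]+=[^,=]+", r) for r in rdns):
        return False
    return any(r.lower().startswith("dc=") for r in rdns)

def build_user_filter(cfg, trust):
    """The manual ldapsearch filter from the thread, built from the live config (no RFC 4515 escaping)."""
    return "(&(objectClass=%s)(%s=*)(memberof=%s))" % (
        cfg["ldap.user.object"], cfg["ldap.username.attribute"], trust["name"])

def check_link(cfg, trust, port):
    """Return the findings the thread warns about; an empty list means the link looks consistent."""
    findings = []
    if trust.get("type") not in ("GROUP", "OU"):
        findings.append("trust map type must be GROUP or OU")
    if not is_fully_qualified_dn(trust.get("name", "")):
        findings.append("linked name is not a fully qualified DN")
    if cfg["ldap.nested.groups.enable"] == "true" and cfg["ldap.provider"] != "microsoftad":
        findings.append("nested groups only work with the microsoftad provider")
    if cfg["ldap.search.group.principle"] != "NULL":
        findings.append("ldap.search.group.principle should be NULL when linking a domain")
    if port == 636 and cfg["ldap.truststore"] == "NULL":
        findings.append("port 636 (LDAPS) but ldap.truststore is NULL")
    return findings
```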
On Fri, Oct 14, 2016 at 2:23 PM, Stephan Seitz <s.seitz@secretresearchfacility.com> wrote:
> Hi,
>
> I'd verify the settings via mysql
>
> mysql> select * from ldap_configuration \G
> *************************** 1. row ***************************
> id: 2
> hostname: YOUR_LDAP_SERVER
> port: 636
>
> Also check if you're able to resolve the hostname and connect to it
> from your management host.
>
> mysql> select * from ldap_trust_map \G
> *************************** 1. row ***************************
> id: 1
> domain_id: 2
> type: OU
> name: dc=FOO,dc=BAR
> account_type: 0
>
> You'd also need to import the specific users. I checked them via
>
> mysql> select * from user where username="XXXXXX" \G
> *************************** X. row ***************************
> id: NNN
> uuid: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
> username: XXXXXX
> password: XXXXXXXXXXXXXXXXXXXXXX==:100000
> account_id: NNN
> firstname: John
> lastname: Doe
> email: XXXXX@XXXXXXXXXXXXXXXXXX
> state: enabled
> api_key: NULL
> secret_key: NULL
> created: NNNN-NN-NN NN:NN:NN
> removed: NULL
> timezone: NULL
> registration_token: NULL
> is_registered: 0
> incorrect_login_attempts: 0
> default: 0
> source: LDAP
> external_entity: NULL
>
>
>
> - Stephan
>
> On Friday, 14.10.2016, 02:06 +0000, Marty Godsey wrote:
> > I have confirmed that when I am attempting to login with the user
> > that is failing, or any user in the group specified for that matter,
> > the packets are not even hitting the domain controller. I did a
> > packet capture at the DC and logged in with a known AD user that is
> > already configured in another ACS domain. This ACS domain does not
> > have any LDAP bindings just the "default" LDAP settings. I was able
> > to see my packets hit the DC and authenticate. When attempting to
> > log in from a user in the linked domain, no packets are seen.. Is
> > there a service or a library I need to check?
> >
> > Regards,
> > Marty Godsey
> >
> > -----Original Message-----
> > From: Marty Godsey [mailto:marty@gonsource.com]
> > Sent: Thursday, October 13, 2016 9:37 PM
> > To: users@cloudstack.apache.org
> > Subject: RE: Link Domain to LDAP
> >
> > Whenever I try to bind to LDAP using the user's credentials, it
> > works.
> >
> > root@cs3-mgmt:/var/log/cloudstack/management# ldapwhoami -vvv -h
> > x.x.x.x -p 389 -D "CN=John Doe,OU=test1,OU=test2,DC=mydomain,DC=com"
> > -x -w Password1234!
> > ldap_initialize( ldap://10.253.0.21:389 ) u:domain\john.doe
> > Result: Success (0)
> >
> > If I also run an ldapsearch on this user, it is successful..
> >
> > However, upon trying to authenticate with the same credentials on the
> > ACS screen, I receive an incorrect password error. When I look in
> > the log file, all that is there is the following:
> >
> > Authentication failure:
> > {"loginresponse":{"uuidList":[],"errorcode":531,"errortext":"User is
> > not allowed CloudStack login"}}
> >
> > I have recreated this domain and linked it to GROUP and OU. Nested
> > groups is set to true in the ldap settings.
> >
> > Thoughts?
> >
> > Regards,
> > Marty Godsey
> >
> > -----Original Message-----
> > From: Rajani Karuturi [mailto:rajani@apache.org]
> > Sent: Wednesday, October 12, 2016 3:01 AM
> > To: users@cloudstack.apache.org
> > Subject: Re: Link Domain to LDAP
> >
> > Yes, you can have LDAP configured at global and domain level.
> > Did you give fully qualified name of GROUP/OU while linking?
> >
> > Easiest way to debug is to run the ldap query manually and see if it
> > returns any results:
> >
> > ldapsearch -x -h hostname -p port -b "basedn" -s sub -D "username" -w password \
> >   "(&(objectClass=user)(sAMAccountName=*)(memberof=linked_group_name))"
> >
> > Also check that `ldap.provider` is set to correct value and there
> > are direct users in the group.
> > Nested groups will only work with MicrosoftAD provider and with
> > configuration `ldap.nested.groups.enable` set to true.
> >
> > There is a demo of the feature at
> > https://youtu.be/GI9b9MiOQkw?t=4m10s
> >
> > Thanks,
> > ~ Rajani
> > http://cloudplatform.accelerite.com/
> >
> > On October 12, 2016 at 6:23 AM, Marty Godsey
> > (marty@gonsource.com) wrote:
> > Hello,
> >
> > I have an ACS 4.9 instance that runs well with no issues. I have
> > enabled LDAP authentication at the Global Level and this works
> > without issue. The question I have is the "Link Domain to LDAP"
> > function at the domain level. I have a domain that I want to auto
> > sync. I added this sub domain (let's call it ROOT/LDAPTest) that I
> > configured with the DN of the group I am wanting to populate from (I
> > also attempted this with the OU setting as well) and the user that
> > was created cannot authenticate nor are any of the test accounts in
> > Active Directory being created in ACS.
> >
> > I have LDAP configured globally and I also, as a test, made the user
> > part of the group I indicated for "LDAP Accounts" and the user shows
> > up, but the "Link Domain to LDAP" does not seem to work. I tried
> > looking in the logs and did not see any error or attempts to query
> > Active Directory.
> >
> > Is this a broken function? Can you have both globally set LDAP
> > settings and "Link Domain to LDAP" settings?
> >
> > Regards,
> > Marty Godsey
>