cloudstack-users mailing list archives

From Stephan Seitz <>
Subject Re: Link Domain to LDAP
Date Fri, 14 Oct 2016 08:53:09 GMT

I'd verify the settings via mysql:

mysql> select * from ldap_configuration \G
*************************** 1. row ***************************
      id: 2
    port: 636

Also check if you're able to resolve the hostname and connect to it
from your management host.

mysql> select * from ldap_trust_map \G
*************************** 1. row ***************************
          id: 1
   domain_id: 2
        type: OU
        name: dc=FOO,dc=BAR
account_type: 0

You'd also need to import the specific users. I checked them via

mysql> select * from user where username="XXXXXX" \G
*************************** X. row ***************************
                      id: NNN
                username: XXXXXX
                password: XXXXXXXXXXXXXXXXXXXXXX==:100000
              account_id: NNN
               firstname: John
                lastname: Doe
                   email: XXXXX@XXXXXXXXXXXXXXXXXX
                   state: enabled
                 api_key: NULL
              secret_key: NULL
                 created: NNNN-NN-NN NN:NN:NN
                 removed: NULL
                timezone: NULL
      registration_token: NULL
           is_registered: 0
incorrect_login_attempts: 0
                 default: 0
                  source: LDAP
         external_entity: NULL

- Stephan

On Friday, 14.10.2016, 02:06 +0000, Marty Godsey wrote:
> I have confirmed that when I am attempting to login with the user
> that is failing, or any user in the group specified for that matter,
> the packets are not even hitting the domain controller. I did a
> packet capture at the DC and logged in with a known AD user that is
> already configured in another ACS domain. This ACS domain does not
> have any LDAP bindings just the "default" LDAP settings. I was able
> to see my packets hit the DC and authenticate. When attempting to log
> in from a user in the linked domain, no packets are seen. Is there a
> service or a library I need to check?
> Regards,
> Marty Godsey
> -----Original Message-----
> From: Marty Godsey [] 
> Sent: Thursday, October 13, 2016 9:37 PM
> To:
> Subject: RE: Link Domain to LDAP
> Whenever I try to bind to LDAP using the user's credentials, it
> works.
> root@cs3-mgmt:/var/log/cloudstack/management# ldapwhoami -vvv -h
> x.x.x.x -p 389 -D "CN=John Doe,OU=test1,OU=test2,DC=mydomain,DC=com"
> -x -w Password1234!
> ldap_initialize( ldap:// ) u:domain\john.doe
> Result: Success (0)
> If I also run an ldapsearch on this user, it is successful.
> However upon trying to authenticate with the same credentials on the
> ACS screen, I receive an incorrect password error. When I look in the
> log file all that is the following:
> Authentication failure:
> {"loginresponse":{"uuidList":[],"errorcode":531,"errortext":"User is
> not allowed CloudStack login"}}
> I have recreated this domain and linked it to GROUP and OU. Nested
> groups is set to true in the ldap settings.
> Thoughts?
> Regards,
> Marty Godsey
> -----Original Message-----
> From: Rajani Karuturi []
> Sent: Wednesday, October 12, 2016 3:01 AM
> To:
> Subject: Re: Link Domain to LDAP
> Yes, you can have LDAP configured at global and domain level.
> Did you give fully qualified name of GROUP/OU while linking?
> Easiest way to debug is to run the ldap query manually and see if it
> returns any results ldapsearch -x -h hostname -p port "basedn" -s sub
> -D "username"
> -w password
> "(&(objectClass=user)(sAMAccountName=*)(memberof=linked_group_name))"
> Also check that `ldap.provider` is set to correct value and there are
> direct users in the group.
> Nested groups will only work with MicrosoftAD provider and with
> configuration `ldap.nested.groups.enable` set to true.
> There is a demo of the feature at
> Thanks,
> ~ Rajani
> On October 12, 2016 at 6:23 AM, Marty Godsey
> ( wrote:
> Hello,
> I have an ACS 4.9 instance that runs well with no issues. I have
> enabled LDAP authentication at the Global Level and this works
> without issue. The question I have is the "Link Domain to LDAP"
> function at the domain level. I have a domain that I want to auto
> sync. I added this sub domain ( lets call it ROOT/LDAPTest ) that I
> configured with the DN of the group I am wanting to populate from (I
> also attempted this with the OU setting as well) and the user that
> was created cannot authenticate nor are any of the test accounts in
> Active Directory being created in ACS.
> I have LDAP configured globally and I also, as a test made the user
> part of the group I indicated for "LDAP Accounts" and the user shows
> up, but the "Link Domain to LDAP" does not seem to work. I tried
> looking in the logs and did not see any error or attempts to query
> Active Directory.
> Is this a broken function? Can you have both globally set LDAP
> settings and "Link Domain to LDAP" settings?
> Regards,
> Marty Godsey
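The checks Stephan and Rajani describe above (inspect the `ldap_configuration`, `ldap_trust_map` and `user` rows, confirm the trust-map name is a fully qualified DN of the right kind, and confirm the management host can resolve and reach the LDAP server) can be scripted. The following is an added example and not code from this thread or from CloudStack itself: it parses the vertical `\G` output of the mysql queries in Stephan's reply, flags the common misconfigurations, and probes host resolution and TCP connectivity. The sample rows, the `ldap.example.internal` hostname (the `hostname` column is assumed; Stephan's post only shows `id` and `port`), the DNs and the user values are all constructed.

```python
"""Sanity checks for a CloudStack "Link Domain to LDAP" setup.

Added example; not code from the mailing-list thread or from CloudStack.
All sample rows, hostnames and DNs below are constructed.
"""
import socket
from typing import Dict, List, Tuple

# Constructed sample of `select * from ldap_configuration \G`. Stephan's post shows
# only the id and port columns; the hostname column and its value are assumptions.
SAMPLE_LDAP_CONFIGURATION = """\
*************************** 1. row ***************************
      id: 2
hostname: ldap.example.internal
    port: 636
"""

# Constructed sample of `select * from ldap_trust_map \G`.
SAMPLE_LDAP_TRUST_MAP = """\
*************************** 1. row ***************************
          id: 1
   domain_id: 2
        type: OU
        name: ou=Cloud,dc=FOO,dc=BAR
account_type: 0
"""

# Constructed sample of the relevant columns of `select * from user ... \G`.
SAMPLE_USER = """\
*************************** 1. row ***************************
      id: 42
username: john.doe
   state: enabled
 removed: NULL
  source: LDAP
"""


def parse_vertical_rows(text: str) -> List[Dict[str, str]]:
    """Parse mysql \\G output: a '*** N. row ***' banner, then 'key: value' lines."""
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("****"):
            rows.append({})
        elif rows and ":" in line:
            key, _, value = line.partition(":")  # timestamps also contain ':'
            rows[-1][key.strip()] = value.strip()
    return rows


def check_trust_map(row: Dict[str, str]) -> List[str]:
    """Return problems with one ldap_trust_map row (an empty list means it looks sane)."""
    problems = []
    link_type = row.get("type")
    if link_type not in ("OU", "GROUP"):
        problems.append(f"unexpected link type {link_type!r}")
    name = row.get("name", "")
    rdns = [p.strip() for p in name.split(",") if p.strip()]
    if not rdns or not all("=" in p for p in rdns):
        problems.append(f"name {name!r} is not a fully qualified DN")
    elif link_type == "OU" and not rdns[0].lower().startswith("ou="):
        problems.append(f"link type is OU but the DN {name!r} does not start with ou=")
    elif link_type == "GROUP" and not rdns[0].lower().startswith("cn="):
        problems.append(f"link type is GROUP but the DN {name!r} does not start with cn=")
    return problems


def check_user(row: Dict[str, str]) -> List[str]:
    """Return problems with a user row that is expected to log in through LDAP."""
    problems = []
    if row.get("source") != "LDAP":
        problems.append(f"user source is {row.get('source')!r}, not LDAP")
    if row.get("state") != "enabled":
        problems.append(f"user state is {row.get('state')!r}")
    if row.get("removed", "NULL") != "NULL":
        problems.append("user row is marked removed")
    return problems


def check_connectivity(hostname: str, port: int, timeout: float = 3.0) -> Tuple[bool, str]:
    """Resolve the LDAP host and open a TCP connection to the configured port."""
    try:
        infos = socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return False, f"cannot resolve {hostname}: {exc}"
    addrs = sorted({info[4][0] for info in infos})
    try:
        with socket.create_connection((hostname, port), timeout=timeout):
            pass
    except OSError as exc:
        return False, f"{hostname} resolves to {addrs} but connect to port {port} failed: {exc}"
    return True, f"{hostname} resolves to {addrs}; TCP connect to port {port} ok"


def probe_local_listener() -> Tuple[bool, bool]:
    """Exercise check_connectivity offline: against a live loopback listener, then after it closes."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    reachable = check_connectivity("127.0.0.1", port)[0]
    listener.close()
    unreachable = check_connectivity("127.0.0.1", port)[0]
    return reachable, unreachable


if __name__ == "__main__":
    config = parse_vertical_rows(SAMPLE_LDAP_CONFIGURATION)[0]
    for row in parse_vertical_rows(SAMPLE_LDAP_TRUST_MAP):
        print("trust map", row["id"], check_trust_map(row) or "ok")
    for row in parse_vertical_rows(SAMPLE_USER):
        print("user", row["username"], check_user(row) or "ok")
    print(check_connectivity(config["hostname"], int(config["port"]))[1])
```

Run it on the management host, pasting the real query output in place of the constructed samples; a trust-map `name` that is not a DN, or an `OU` link whose DN starts with something other than `ou=`, are the kinds of values that make the linked domain silently match no users, while a failed `check_connectivity` explains the "no packets reach the DC" symptom Marty observed. The manual `ldapsearch` test Rajani suggests is only meaningful when its host and port match the `ldap_configuration` row (Stephan's row uses 636, the LDAPS port).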
