Subject: Re: Link Domain to LDAP
From: Stephan Seitz
To: users@cloudstack.apache.org
Date: Fri, 14 Oct 2016 10:53:09 +0200
Message-ID: <1476435189.5744.66.camel@secretresearchfacility.com>
References: <6dc7f0ab-43ab-46ce-a31f-ae6abf8e95d9@msgid.missiveapp.com>

Hi,

I'd verify the settings via mysql

mysql> select * from ldap_configuration \G
*************************** 1. row ***************************
      id: 2
hostname: YOUR_LDAP_SERVER
    port: 636

also check, if you're able to resolve the hostname and connect to it from your management host.

mysql> select * from ldap_trust_map \G
*************************** 1. row ***************************
          id: 1
   domain_id: 2
        type: OU
        name: dc=FOO,dc=BAR
account_type: 0

you'd also need to import the specific users. I checked them via

mysql> select * from user where username="XXXXXX" \G
*************************** X. row ***************************
                      id: NNN
                    uuid: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
                username: XXXXXX
                password: XXXXXXXXXXXXXXXXXXXXXX==:100000
              account_id: NNN
               firstname: John
                lastname: Doe
                   email: XXXXX@XXXXXXXXXXXXXXXXXX
                   state: enabled
                 api_key: NULL
              secret_key: NULL
                 created: NNNN-NN-NN NN:NN:NN
                 removed: NULL
                timezone: NULL
      registration_token: NULL
           is_registered: 0
incorrect_login_attempts: 0
                 default: 0
                  source: LDAP
         external_entity: NULL

- Stephan

On Friday, 14.10.2016, 02:06 +0000, Marty Godsey wrote:
> I have confirmed that when I am attempting to login with the user
> that is failing, or any user in the group specified for that matter,
> the packets are not even hitting the domain controller. I did a
> packet capture at the DC and logged in with a known AD user that is
> already configured in another ACS domain. This ACS domain does not
> have any LDAP bindings, just the "default" LDAP settings. I was able
> to see my packets hit the DC and authenticate. When attempting to log
> in from a user in the linked domain, no packets are seen. Is there a
> service or a library I need to check?
> 
> Regards,
> Marty Godsey
> 
> -----Original Message-----
> From: Marty Godsey [mailto:marty@gonsource.com]
> Sent: Thursday, October 13, 2016 9:37 PM
> To: users@cloudstack.apache.org
> Subject: RE: Link Domain to LDAP
> 
> Whenever I try to bind to LDAP using the user's credentials, it
> works.
> 
> root@cs3-mgmt:/var/log/cloudstack/management# ldapwhoami -vvv -h
> x.x.x.x -p 389 -D "CN=John Doe,OU=test1,OU=test2,DC=mydomain,DC=com"
> -x -w Password1234!
> ldap_initialize( ldap://10.253.0.21:389 ) u:domain\john.doe
> Result: Success (0)
> 
> If I also run an ldapsearch on this user, it is successful.
> 
> However, upon trying to authenticate with the same credentials on the
> ACS screen, I receive an incorrect password error. When I look in the
> log file, all that is there is the following:
> 
> Authentication failure:
> {"loginresponse":{"uuidList":[],"errorcode":531,"errortext":"User is
> not allowed CloudStack login"}}
> 
> I have recreated this domain and linked it to GROUP and OU. Nested
> groups is set to true in the ldap settings.
> 
> Thoughts?
> 
> Regards,
> Marty Godsey
> 
> -----Original Message-----
> From: Rajani Karuturi [mailto:rajani@apache.org]
> Sent: Wednesday, October 12, 2016 3:01 AM
> To: users@cloudstack.apache.org
> Subject: Re: Link Domain to LDAP
> 
> Yes, you can have LDAP configured at global and domain level.
> Did you give the fully qualified name of the GROUP/OU while linking?
> 
> The easiest way to debug is to run the ldap query manually and see if it
> returns any results:
> ldapsearch -x -h hostname -p port "basedn" -s sub -D "username"
> -w password
> "(&(objectClass=user)(sAMAccountName=*)(memberof=linked_group_name))"
> 
> Also check that `ldap.provider` is set to the correct value and there are
> direct users in the group.
> Nested groups will only work with the MicrosoftAD provider and with
> configuration `ldap.nested.groups.enable` set to true.
> 
> There is a demo of the feature at
> https://youtu.be/GI9b9MiOQkw?t=4m10s
> 
> Thanks,
> ~ Rajani
> http://cloudplatform.accelerite.com/
> 
> On October 12, 2016 at 6:23 AM, Marty Godsey
> (marty@gonsource.com) wrote:
> Hello,
> 
> I have an ACS 4.9 instance that runs well with no issues. I have
> enabled LDAP authentication at the Global Level and this works
> without issue. The question I have is the "Link Domain to LDAP"
> function at the domain level. I have a domain that I want to auto
> sync. I added this sub domain (let's call it ROOT/LDAPTest) that I
> configured with the DN of the group I am wanting to populate from (I
> also attempted this with the OU setting as well) and the user that
> was created cannot authenticate, nor are any of the test accounts in
> Active Directory being created in ACS.
> 
> I have LDAP configured globally and I also, as a test, made the user
> part of the group I indicated for "LDAP Accounts" and the user shows
> up, but the "Link Domain to LDAP" does not seem to work. I tried
> looking in the logs and did not see any error or attempts to query
> Active Directory.
> 
> Is this a broken function? Can you have both globally set LDAP
> settings and "Link Domain to LDAP" settings?
> 
> Regards,
> Marty Godsey
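The two checks the thread recommends (Stephan's "can the management host resolve and connect to the LDAP server" and Rajani's "run the linked-group ldapsearch by hand") are easy to get subtly wrong: a group DN containing parentheses, an asterisk or a backslash breaks the filter syntax unless it is escaped per RFC 4515, and a password passed with `-w` ends up in the process list. The script below is an added example written for this thread, not code from CloudStack or from any of the posters. It assumes only the filter shape quoted in Rajani's reply and the standard OpenLDAP `ldapsearch` flags (`-b`, `-s`, `-D`, `-y`); the host, DNs and file path are constructed sample values.

```python
"""Build and sanity-check the manual LDAP checks suggested in the thread.

Added example; not from the mailing-list thread or the CloudStack project.
"""
import shlex
import socket
from typing import List

# RFC 4515 section 3: these characters must be escaped inside a filter
# assertion value. Without this a DN like "CN=Ops (Linux)" produces a
# malformed filter, and a crafted value could change what the query matches.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def linked_group_filter(group_dn: str) -> str:
    """The filter Rajani quoted for a domain linked to a GROUP, with the group
    DN escaped. The sAMAccountName=* part is a presence test and is left as is."""
    return "(&(objectClass=user)(sAMAccountName=*)(memberof=%s))" % (
        escape_filter_value(group_dn)
    )


def ldapsearch_argv(host: str, port: int, base_dn: str, bind_dn: str,
                    search_filter: str, password_file: str) -> List[str]:
    """argv for the manual query. The bind password is read from a file via
    -y instead of being placed on the command line with -w, so it does not
    show up in `ps` output or shell history on the management host."""
    return [
        "ldapsearch", "-x",
        "-h", host, "-p", str(port),
        "-b", base_dn, "-s", "sub",
        "-D", bind_dn, "-y", password_file,
        search_filter,
        "sAMAccountName", "memberOf",   # attributes worth seeing in the output
    ]


def ldap_port_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Stephan's check: resolve the hostname and open a TCP connection to the
    configured port (389 or 636). This is DNS + TCP only; no LDAP bind."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:   # DNS failure, refused, unreachable, or timeout
        return False


if __name__ == "__main__":
    # Constructed sample values for a domain linked to a GROUP (not real hosts).
    host, port = "ldap.example.test", 389
    group_dn = "CN=LDAPTest (Linux),OU=test1,DC=mydomain,DC=com"
    argv = ldapsearch_argv(
        host, port, "DC=mydomain,DC=com",
        "CN=John Doe,OU=test1,OU=test2,DC=mydomain,DC=com",
        linked_group_filter(group_dn), "/root/.ldap-bind-pw",
    )
    print("reachable:", ldap_port_reachable(host, port, timeout=1.0))
    print("run:", shlex.join(argv))
```

If the reachability check fails, the symptom Marty describes (no packets at the domain controller) is expected and the problem is upstream of CloudStack's LDAP code; if it succeeds but the filter returns nothing, the linked name in `ldap_trust_map` is the next thing to compare against the DN the query actually matched.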