correajl opened a new issue #5712:
URL: https://github.com/apache/cloudstack/issues/5712
<!--
Verify first that your issue/request is not already reported on GitHub.
Also test if the latest release and main branch are affected too.
Always add information AFTER of these HTML comments, but no need to delete
the comments.
-->
##### ISSUE TYPE
<!-- Pick one below and delete the rest -->
* Bug Report
##### COMPONENT NAME
<!--
Categorize the issue, e.g. API, VR, VPN, UI, etc.
-->
~~~
Code, API.
~~~
##### CLOUDSTACK VERSION
<!--
New line separated list of affected versions, commit ID for issues on main
branch.
-->
~~~
CloudStack 4.15.2.0
~~~
##### CONFIGURATION
<!--
Information about the configuration if relevant, e.g. basic network,
advanced networking, etc. N/A otherwise
-->
Using many domains.
Trying to use LDAP server with TLS.
All certificates generated and tested.
Keystore configured and tested.
##### OS / ENVIRONMENT
<!--
Information about the environment if relevant, N/A otherwise
-->
Ubuntu Server 20.04.3 LTS.
KVM.
cloudstack-management 4.15.2.0~focal
##### SUMMARY
<!-- Explain the problem/feature briefly -->
Need the management server to communicate with LDAP using TLS (LDAPS).
The documentation says that if ldap.truststore and ldap.truststore.password are
configured, it will switch to LDAPS. This only happens when these parameters
are configured globally, but using the API it is possible to configure them
inside a domain. When configured inside a domain, there is no effect.
##### STEPS TO REPRODUCE
<!--
For bugs, show exactly how to reproduce the problem, using a minimal
test-case. Use Screenshots if accurate.
For new features, show how the feature would be used.
-->
Try to configure ldap.truststore and ldap.truststore.password for a domain (note the domainid parameter on both commands):
~~~
cmk -p user@myprofile update configuration name='ldap.truststore' value='/etc/cloudstack/management/cloud.jks' domainid="e8b2ec00-21e2-430b-bd9b-a31c3d642bbf"
cmk -p user@myprofile update configuration name='ldap.truststore.password' value=PASSWORD domainid="e8b2ec00-21e2-430b-bd9b-a31c3d642bbf"
~~~
<!-- You can also paste gist.github.com links for larger files -->
##### EXPECTED RESULTS
<!-- What did you expect to happen when running the steps above? -->
~~~
LDAPS enabled and communication between management and LDAP servers using
TLS.
~~~
##### ACTUAL RESULTS
<!-- What actually happened? -->
<!-- Paste verbatim command output between quotes below -->
~~~
LDAPS is not enabled.
LDAP server logs show "initializing ldap with provider url: ldap://ldapserver.domain:636".
All queries trying to log in a user use ldap:// too, not ldaps://.
~~~
If we configure ldap.truststore and ldap.truststore.password globally (not
for a domain), we can make LDAPS work.
~~~
cmk -p user@myprofile update configuration name='ldap.truststore' value='/etc/cloudstack/management/cloud.jks'
cmk -p user@myprofile update configuration name='ldap.truststore.password' value=PASSWORD
# Up to here no domain was specified!
cmk -p user@myprofile add ldapconfiguration hostname=ldapserver.mydomain port=636 domainid="e8b2ec00-21e2-430b-bd9b-a31c3d642bbf"
cmk -p user@myprofile update configuration name='ldap.basedn' value='...............' domainid="e8b2ec00-21e2-430b-bd9b-a31c3d642bbf"
~~~
I think the code is looking for ldap.truststore and ldap.truststore.password
only in the global configuration. It would be interesting to look inside domain
configurations too, so that each domain could have a different LDAP configuration.
As the API accepts the domainid= parameter to configure the truststore, I
believe that this was the initial idea, but something is not working well.
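The behaviour described in this report, modelled as an added example (this is not CloudStack's code and does not use its classes): a small configuration store that can hold a value either globally or for a domain, and two lookup strategies. The `global_only` strategy consults only the global value, which reproduces the `ldap://` result observed when the truststore is set per domain; the `domain_aware` strategy prefers the domain's value and falls back to the global one, which is the lookup the reporter is asking for. The domain id is the one from the report; the second domain id, the host name and the `ConfigStore` / `provider_url` helpers are constructed for the example.

```python
# Added example (not CloudStack code): models how ldap.truststore and
# ldap.truststore.password could be resolved per domain with a global
# fallback, and how that resolution selects ldap:// versus ldaps://.
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# A domain id of None stands for the global scope.
ScopeKey = Tuple[str, Optional[str]]


@dataclass
class ConfigStore:
    """Minimal stand-in for a configuration table with an optional domain scope."""
    values: Dict[ScopeKey, str] = field(default_factory=dict)

    def update(self, name: str, value: str, domainid: Optional[str] = None) -> None:
        # Mirrors 'update configuration name=... value=... [domainid=...]'.
        self.values[(name, domainid)] = value

    def get_global(self, name: str) -> Optional[str]:
        # Behaviour the report describes: only the global value is consulted.
        return self.values.get((name, None))

    def get_scoped(self, name: str, domainid: Optional[str]) -> Optional[str]:
        # Domain-aware lookup: the domain's own value wins, otherwise fall
        # back to the global value.
        value = self.values.get((name, domainid))
        return value if value is not None else self.values.get((name, None))


Lookup = Callable[[ConfigStore, str, Optional[str]], Optional[str]]


def global_only(store: ConfigStore, name: str, domainid: Optional[str]) -> Optional[str]:
    return store.get_global(name)


def domain_aware(store: ConfigStore, name: str, domainid: Optional[str]) -> Optional[str]:
    return store.get_scoped(name, domainid)


def provider_url(store: ConfigStore, hostname: str, port: int,
                 domainid: Optional[str], lookup: Lookup) -> str:
    """Use ldaps:// only when both truststore settings resolve for this domain."""
    truststore = lookup(store, "ldap.truststore", domainid)
    password = lookup(store, "ldap.truststore.password", domainid)
    scheme = "ldaps" if truststore and password else "ldap"
    return f"{scheme}://{hostname}:{port}"


def scenarios() -> Dict[str, str]:
    """Replay the report's two setups under both lookup strategies."""
    dom_a = "e8b2ec00-21e2-430b-bd9b-a31c3d642bbf"   # domain id from the report
    dom_b = "00000000-0000-0000-0000-000000000000"   # constructed second domain
    host, port = "ldapserver.domain", 636

    # Setup 1: truststore configured only for domain A (the failing case).
    per_domain = ConfigStore()
    per_domain.update("ldap.truststore", "/etc/cloudstack/management/cloud.jks", dom_a)
    per_domain.update("ldap.truststore.password", "PASSWORD", dom_a)

    # Setup 2: truststore configured globally (the working case).
    global_cfg = ConfigStore()
    global_cfg.update("ldap.truststore", "/etc/cloudstack/management/cloud.jks")
    global_cfg.update("ldap.truststore.password", "PASSWORD")

    return {
        "per_domain/global_only": provider_url(per_domain, host, port, dom_a, global_only),
        "per_domain/domain_aware": provider_url(per_domain, host, port, dom_a, domain_aware),
        "per_domain/other_domain": provider_url(per_domain, host, port, dom_b, domain_aware),
        "global/global_only": provider_url(global_cfg, host, port, dom_a, global_only),
        "global/domain_aware": provider_url(global_cfg, host, port, dom_a, domain_aware),
    }


if __name__ == "__main__":
    for name, url in scenarios().items():
        print(f"{name:26} -> {url}")
```

Running it shows the asymmetry from the report: with the truststore set only for domain A, the global-only lookup yields `ldap://ldapserver.domain:636` while the domain-aware lookup yields `ldaps://ldapserver.domain:636`; a second domain with no truststore of its own still falls back to plain `ldap://` under the domain-aware lookup, and a global truststore produces `ldaps://` under both strategies. Whichever lookup an implementation uses, an `ldap://` URL on port 636 in the log is the signal to check, since the TLS-protected bind is what keeps the LDAP bind password off the wire.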
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]