rajujith commented on issue #10278:
URL: https://github.com/apache/cloudstack/issues/10278#issuecomment-3311088537

   I can reproduce this issue consistently. CloudStack is not using 'memberOf:1.2.840.113556.1.4.1941' when 'ldap.nested.groups.enable' is set to 'true'.
   
   `2025-09-19 07:55:06,636 DEBUG [o.a.c.l.ADLdapUserManagerImpl] (qtp2038105753-3697:[ctx-8fdbc05e, ctx-8967c294]) (logid:e13a9f64) adding search filter for 'CN=cloudstack-users,CN=Users,DC=jithinraju,DC=in', using 'memberOf'`
   
   ```
   select name,value from configuration where name like '%ldap%';
   +------------------------------+------------------------------------------------------+
   | name                         | value                                                |
   +------------------------------+------------------------------------------------------+
   | ldap.basedn                  | DC=jithinraju,DC=in                                  |
   | ldap.bind.password           | DcpBIGUMfwEpixRitIagJ13hEDOlPJ12IOUf5cury3dotb8cVOOM |
   | ldap.bind.principal          | CN=Administrator,CN=Users,DC=jithinraju,DC=in        |
   | ldap.email.attribute         | mail                                                 |
   | ldap.firstname.attribute     | givenName                                            |
   | ldap.group.object            | group                                                |
   | ldap.group.user.uniquemember | member                                               |
   | ldap.lastname.attribute      | sn                                                   |
   | ldap.nested.groups.enable    | true                                                 |
   | ldap.provider                | microsoftad                                          |
   | ldap.read.timeout            | 1000                                                 |
   | ldap.request.page.size       | 1000                                                 |
   | ldap.search.group.principle  | CN=cloudstack-users,CN=Users,DC=jithinraju,DC=in     |
   | ldap.truststore              | NULL                                                 |
   | ldap.truststore.password     | NULL                                                 |
   | ldap.user.memberof.attribute | memberOf                                             |
   | ldap.user.object             | user                                                 |
   | ldap.username.attribute      | sAMAccountName                                       |
   +------------------------------+------------------------------------------------------+

   ldapsearch -H ldap://ad1.jithinraju.in:389 -D "CN=Administrator,CN=Users,DC=jithinraju,DC=in" -W -b "DC=jithinraju,DC=in" '(memberOf:1.2.840.113556.1.4.1941:=CN=cloudstack-users,CN=Users,DC=jithinraju,DC=in)' cn
   Enter LDAP Password:
   # extended LDIF
   #
   # LDAPv3
   # base <DC=jithinraju,DC=in> with scope subtree
   # filter: (memberOf:1.2.840.113556.1.4.1941:=CN=cloudstack-users,CN=Users,DC=jithinraju,DC=in)
   # requesting: cn
   #

   # Jithin Raju, Architecture, jithinraju.in
   dn: CN=Jithin Raju,OU=Architecture,DC=jithinraju,DC=in
   cn: Jithin Raju

   # appusers, Users, jithinraju.in
   dn: CN=appusers,CN=Users,DC=jithinraju,DC=in
   cn: appusers

   # vmwaremigrated, Users, jithinraju.in
   dn: CN=vmwaremigrated,CN=Users,DC=jithinraju,DC=in
   cn: vmwaremigrated

   # Vishesh Jindal, engineering, jithinraju.in
   dn: CN=Vishesh Jindal,OU=engineering,DC=jithinraju,DC=in
   cn: Vishesh Jindal

   # Kiran Chavala, engineering, jithinraju.in
   dn: CN=Kiran Chavala,OU=engineering,DC=jithinraju,DC=in
   cn: Kiran Chavala

   # aduser 1, engineering, jithinraju.in
   dn: CN=aduser 1,OU=engineering,DC=jithinraju,DC=in
   cn: aduser 1

   # aduser 2, engineering, jithinraju.in
   dn: CN=aduser 2,OU=engineering,DC=jithinraju,DC=in
   cn: aduser 2

   # aduser 500, Architecture, jithinraju.in
   dn: CN=aduser 500,OU=Architecture,DC=jithinraju,DC=in
   cn: aduser 500

   # search reference
   ref: ldap://ForestDnsZones.jithinraju.in/DC=ForestDnsZones,DC=jithinraju,DC=in

   # search reference
   ref: ldap://DomainDnsZones.jithinraju.in/DC=DomainDnsZones,DC=jithinraju,DC=in

   # search reference
   ref: ldap://jithinraju.in/CN=Configuration,DC=jithinraju,DC=in

   # search result
   search: 2
   result: 0 Success

   # numResponses: 12
   # numEntries: 8
   # numReferences: 3

   🐱 > list ldapusers
   {
     "LdapUser": [
       {
         "conflictingusersource": "",
         "domain": "CN=Kiran Chavala,OU=engineering",
         "firstname": "Kiran",
         "lastname": "Chavala",
         "principal": "CN=Kiran Chavala,OU=engineering,DC=jithinraju,DC=in",
         "username": "kiran"
       }
     ],
     "count": 1
   }
   ```
   
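An added example, not CloudStack's code, showing the difference the comment reports: the filter that results from the configuration above with and without the LDAP_MATCHING_RULE_IN_CHAIN OID, and an offline model of how AD evaluates a flat `memberOf=` filter versus the chain filter. The filter shape and the assignment of users to the nested groups `appusers` and `vmwaremigrated` are assumptions modelled on the comment's ldapsearch output, not values taken from the real directory.

```python
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"  # AD LDAP_MATCHING_RULE_IN_CHAIN

# Configuration values copied from the comment's `configuration` table.
CONFIG = {
    "ldap.user.object": "user",
    "ldap.user.memberof.attribute": "memberOf",
    "ldap.search.group.principle": "CN=cloudstack-users,CN=Users,DC=jithinraju,DC=in",
    "ldap.nested.groups.enable": "true",
}

def escape_filter_value(value):
    """RFC 4515 escaping: a DN containing ( ) * \\ or NUL must not alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_user_filter(cfg):
    """Filter shape assumed here: (&(objectClass=<user>)(<memberOf attr>=<group DN>)).
    With nested groups enabled the attribute is extended with the chain OID so AD
    evaluates membership transitively on the server side."""
    attr = cfg["ldap.user.memberof.attribute"]
    if cfg.get("ldap.nested.groups.enable", "false").lower() == "true":
        attr += ":" + MATCHING_RULE_IN_CHAIN + ":"
    return "(&(objectClass=%s)(%s=%s))" % (
        escape_filter_value(cfg["ldap.user.object"]), attr,
        escape_filter_value(cfg["ldap.search.group.principle"]))

# Constructed mini-directory modelled on the ldapsearch output; which user sits in
# which nested group is an assumption, the comment only shows the flattened result.
G = "CN=%s,CN=Users,DC=jithinraju,DC=in"
DIRECTORY = {  # dn -> (objectClass, direct memberOf values)
    G % "appusers": ("group", [G % "cloudstack-users"]),
    G % "vmwaremigrated": ("group", [G % "cloudstack-users"]),
    "CN=Kiran Chavala,OU=engineering,DC=jithinraju,DC=in": ("user", [G % "cloudstack-users"]),
    "CN=Jithin Raju,OU=Architecture,DC=jithinraju,DC=in": ("user", [G % "appusers"]),
    "CN=aduser 500,OU=Architecture,DC=jithinraju,DC=in": ("user", [G % "appusers"]),
    "CN=Vishesh Jindal,OU=engineering,DC=jithinraju,DC=in": ("user", [G % "vmwaremigrated"]),
    "CN=aduser 1,OU=engineering,DC=jithinraju,DC=in": ("user", [G % "vmwaremigrated"]),
    "CN=aduser 2,OU=engineering,DC=jithinraju,DC=in": ("user", [G % "vmwaremigrated"]),
}

def search(group_dn, nested, object_class=None):
    """Offline model of AD evaluating memberOf= (flat) vs memberOf:OID:= (chain)."""
    def in_chain(dn, seen):
        if dn in seen:  # cycle guard for group loops
            return False
        seen.add(dn)
        parents = DIRECTORY[dn][1]
        if group_dn in parents:
            return True
        return nested and any(in_chain(p, seen) for p in parents if p in DIRECTORY)
    return sorted(dn for dn, (oc, _) in DIRECTORY.items()
                  if in_chain(dn, set()) and object_class in (None, oc))
```

With the sample data the flat filter yields the single user the `list ldapusers` call returned, while the chain filter yields the eight entries ldapsearch returned (six users once `objectClass=user` is applied).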

