RE: Link Domain to LDAP

2016-10-13 Thread Marty Godsey
I have confirmed that when I am attempting to login with the user that is 
failing, or any user in the group specified for that matter, the packets are 
not even hitting the domain controller. I did a packet capture at the DC and 
logged in with a known AD user that is already configured in another ACS 
domain. This ACS domain does not have any LDAP bindings just the "default" LDAP 
settings. I was able to see my packets hit the DC and authenticate. When 
attempting to log in from a user in the linked domain, no packets are seen. Is 
there a service or a library I need to check?

Regards,
Marty Godsey

-Original Message-
From: Marty Godsey [mailto:ma...@gonsource.com] 
Sent: Thursday, October 13, 2016 9:37 PM
To: users@cloudstack.apache.org
Subject: RE: Link Domain to LDAP

Whenever I try to bind to LDAP using the user's credentials, it works.

root@cs3-mgmt:/var/log/cloudstack/management# ldapwhoami -vvv -h x.x.x.x -p 389 
-D "CN=John Doe,OU=test1,OU=test2,DC=mydomain,DC=com" -x -w Password1234!
ldap_initialize( ldap://10.253.0.21:389 )
u:domain\john.doe
Result: Success (0)

If I also run an ldapsearch on this user, it is successful.

However upon trying to authenticate with the same credentials on the ACS 
screen, I receive an incorrect password error. When I look in the log file, all 
that is there is the following:

Authentication failure: 
{"loginresponse":{"uuidList":[],"errorcode":531,"errortext":"User is not 
allowed CloudStack login"}}

I have recreated this domain and linked it to GROUP and OU. Nested groups is set 
to true in the LDAP settings.

Thoughts?

Regards,
Marty Godsey

-Original Message-
From: Rajani Karuturi [mailto:raj...@apache.org]
Sent: Wednesday, October 12, 2016 3:01 AM
To: users@cloudstack.apache.org
Subject: Re: Link Domain to LDAP

Yes, you can have LDAP configured at global and domain level.
Did you give fully qualified name of GROUP/OU while linking?

Easiest way to debug is to run the ldap query manually and see if it returns 
any results:

ldapsearch -x -h hostname -p port -b "basedn" -s sub -D "username" -w password "(&(objectClass=user)(sAMAccountName=*)(memberof=linked_group_name))"

Also check that `ldap.provider` is set to correct value and there are direct 
users in the group.
Nested groups will only work with MicrosoftAD provider and with configuration 
`ldap.nested.groups.enable` set to true.

There is a demo of the feature at
https://youtu.be/GI9b9MiOQkw?t=4m10s

Thanks,
~ Rajani
http://cloudplatform.accelerite.com/

On October 12, 2016 at 6:23 AM, Marty Godsey
(ma...@gonsource.com) wrote:
Hello,

I have an ACS 4.9 instance that runs well with no issues. I have enabled LDAP 
authentication at the Global Level and this works without issue. The question I 
have is the "Link Domain to LDAP"
function at the domain level. I have a domain that I want to auto sync. I added 
this sub domain ( lets call it ROOT/LDAPTest ) that I configured with the DN of 
the group I am wanting to populate from (I also attempted this with the OU 
setting as well) and the user that was created cannot authenticate nor are any 
of the test accounts in Active Directory being created in ACS.

I have LDAP configured globally and I also, as a test made the user part of the 
group I indicated for "LDAP Accounts" and the user shows up, but the "Link 
Domain to LDAP" does not seem to work. I tried looking in the logs and did not 
see any error or attempts to query Active Directory.

Is this a broken function? Can you have both globally set LDAP settings and 
"Link Domain to LDAP" settings?

Regards,
Marty Godsey
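
The membership check Rajani describes (run the same filter CloudStack would, make sure the group has direct user members, and remember nested membership is an Active Directory feature), as an added example that is not part of the thread and not CloudStack's own code. It builds the direct-membership filter from Rajani's ldapsearch and the Active Directory transitive variant (matching rule 1.2.840.113556.1.4.1941, which is why nested groups only work against AD), then evaluates both against a constructed in-memory directory. The group DN CN=CloudUsers, the Ops subgroup, jane.roe and the service account are assumptions; only the John Doe DN comes from the thread.

```python
# Added example, not CloudStack code. Assumed: the CloudUsers group, the Ops
# subgroup, jane.roe and svc-cloudstack are constructed; John Doe's DN is from
# the thread. Shows why a user who is only a nested member of the linked group
# is not returned by the direct-membership filter.

AD_IN_CHAIN = "1.2.840.113556.1.4.1941"  # Active Directory LDAP_MATCHING_RULE_IN_CHAIN


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a DN containing ( ) * or \\ cannot change the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def membership_filter(group_dn: str, nested: bool = False) -> str:
    """Direct-membership filter from the thread, or the AD-only transitive form."""
    attr = f"memberOf:{AD_IN_CHAIN}:" if nested else "memberOf"
    return f"(&(objectClass=user)(sAMAccountName=*)({attr}={escape_filter_value(group_dn)}))"


GROUP = "CN=CloudUsers,OU=test2,DC=mydomain,DC=com"
OPS = "CN=Ops,OU=test2,DC=mydomain,DC=com"
JOHN = "CN=John Doe,OU=test1,OU=test2,DC=mydomain,DC=com"
JANE = "CN=Jane Roe,OU=test1,OU=test2,DC=mydomain,DC=com"
SVC = "CN=svc-cloudstack,OU=test2,DC=mydomain,DC=com"

# Constructed directory: John is a direct member of CloudUsers; Jane is only a
# member of Ops, which is itself a member of CloudUsers (nested membership).
DIRECTORY = {
    GROUP: {"objectClass": ["group"], "member": [JOHN, OPS], "memberOf": []},
    OPS: {"objectClass": ["group"], "member": [JANE], "memberOf": [GROUP]},
    JOHN: {"objectClass": ["user"], "sAMAccountName": ["john.doe"], "memberOf": [GROUP]},
    JANE: {"objectClass": ["user"], "sAMAccountName": ["jane.roe"], "memberOf": [OPS]},
    SVC: {"objectClass": ["user"], "sAMAccountName": ["svc-cloudstack"], "memberOf": []},
}


def direct_members(directory: dict, group_dn: str) -> set:
    """What (memberOf=group_dn) returns: users listing the group directly."""
    return {
        e["sAMAccountName"][0]
        for e in directory.values()
        if "user" in e["objectClass"] and group_dn in e.get("memberOf", [])
    }


def nested_members(directory: dict, group_dn: str) -> set:
    """What the in-chain matching rule returns: follow member links transitively."""
    seen, stack, users = set(), [group_dn], set()
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue  # cycle-safe: AD allows groups to contain each other
        seen.add(dn)
        entry = directory.get(dn)
        if entry is None:
            continue
        if "user" in entry["objectClass"]:
            users.add(entry["sAMAccountName"][0])
        stack.extend(entry.get("member", []))
    return users


def users_linked(directory: dict, group_dn: str, nested_enabled: bool) -> set:
    """Accounts a linked domain would pull in under the given nested-groups setting."""
    fn = nested_members if nested_enabled else direct_members
    return fn(directory, group_dn)


def explain_login(directory: dict, group_dn: str, sam: str, nested_enabled: bool) -> str:
    """One-line diagnosis for a single account trying to log in to the linked domain."""
    if sam in direct_members(directory, group_dn):
        return "direct member: allowed"
    if sam in nested_members(directory, group_dn):
        if nested_enabled:
            return "nested member: allowed"
        return "nested member only: not allowed (nested groups disabled or non-AD provider)"
    return "not a member: not allowed"


if __name__ == "__main__":
    print("direct filter :", membership_filter(GROUP))
    print("nested filter :", membership_filter(GROUP, nested=True))
    for nested in (False, True):
        print(f"nested={nested}:", sorted(users_linked(DIRECTORY, GROUP, nested)))
    for sam in ("john.doe", "jane.roe", "svc-cloudstack"):
        print(sam, "->", explain_login(DIRECTORY, GROUP, sam, nested_enabled=False))
```

To turn this into the live check, paste the printed filter into Rajani's ldapsearch command (with the real base DN and bind account) and compare the returned sAMAccountName values against the set the script computes; a user who appears only in the nested set will fail with the "User is not allowed CloudStack login" response unless the provider is MicrosoftAD and nested groups are enabled.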

