Re: link domain to ldap

2020-03-31 Thread Daan Hoogland
Mateusz,
there is a bug in the domain linkage where you cannot have a global value
and a domain level value. It is solved in master (4.14 to be). I think in
your case delete the global setting. If you need it you can't use the
domain level binding.

On Mon, Mar 30, 2020 at 8:15 PM Mateusz Tykierko <
mateusz.tykie...@pwr.edu.pl> wrote:

> Hi all,
>
> I'm trying to link domain to ldap and getting
>
> can not link a domain unless a basedn is configured for it.
>
> Basedn in global and domain settings is set. I can add users and groups
> from ldap manually to domain using Add ldap account.
>
> Where should I look.
>
> Cloudstack version 4.11.2.0
>
> MT
>


-- 
Daan


Re: link domain to ldap

2020-03-31 Thread Suresh Kumar Anaparti
Please share the management server log with the error.

Thanks,
Suresh

On Mon, Mar 30, 2020 at 11:45 PM Mateusz Tykierko <
mateusz.tykie...@pwr.edu.pl> wrote:

> Hi all,
>
> I'm trying to link domain to ldap and getting
>
> can not link a domain unless a basedn is configured for it.
>
> Basedn in global and domain settings is set. I can add users and groups
> from ldap manually to domain using Add ldap account.
>
> Where should I look.
>
> Cloudstack version 4.11.2.0
>
> MT
>


RE: Link Domain to LDAP

2016-10-14 Thread Marty Godsey
Ok. So that is not it.. Basically this is where I set..

All the settings are as below. The database looks fine, the settings look good. 
I can authenticate as any AD users IF I add them manually. However, when I 
attempt to login with a user that is not in ACS but IS in AD, in a domain that 
has a link, I don’t even see the attempt to query LDAP hit the domain 
controller from a network level (using wireshark). If I log in as an LDAP user 
that is already in ACS, I see the request hit the domain controller in 
wireshark.

Is there a library or something I may be missing? This was originally a 4.8.0.1 
install that was upgraded to 4.9.

Regards,
Marty Godsey

-Original Message-
From: Marty Godsey [mailto:ma...@gonsource.com] 
Sent: Friday, October 14, 2016 10:21 AM
To: users@cloudstack.apache.org
Subject: RE: Link Domain to LDAP

I think I found my issue.. Standby..

Regards,
Marty Godsey

-Original Message-
From: Marty Godsey [mailto:ma...@gonsource.com]
Sent: Friday, October 14, 2016 10:17 AM
To: users@cloudstack.apache.org
Subject: RE: Link Domain to LDAP

This is how this is set up.. One thing I see different however is my ldap 
settings. I am going over 389 (for now); does this functionality require 636?

Regards,
Marty Godsey

-Original Message-
From: Rajani Karuturi [mailto:raj...@apache.org]
Sent: Friday, October 14, 2016 7:02 AM
To: Users <users@cloudstack.apache.org>
Subject: Re: Link Domain to LDAP

you need not import the users manually. It should automatically sync.

In my installation with microsoftAD, this is how any entry in the 
ldap_trust_map looks:
mysql> select * from ldap_trust_map where domain_id=7\G
*** 1. row ***
  id: 4
   domain_id: 7
type: GROUP
name: CN=acp-hyd,CN=Users,DC=acp,DC=accelerite,DC=com
account_type: 0
1 row in set (0.00 sec)

Any user who is member of AD group
"CN=acp-hyd,CN=Users,DC=acp,DC=accelerite,DC=com" should be able to login to 
domain with id 7. If a user doesn't exist, it will automatically create one.


Check the below configuration values
ldap.provider: microsoftad
ldap.nested.groups.enable: true
ldap.search.group.principle: NULL

My sample configuration values:
mysql> select component,name,value,description from configuration where name like '%ldap%';
+-------------------+------------------------------+-------------------------------------------------------+------------------------------------------------------+
| component         | name                         | value                                                 | description                                          |
+-------------------+------------------------------+-------------------------------------------------------+------------------------------------------------------+
| management-server | ldap.basedn                  | dc=acp,dc=accelerite,dc=com                           | Sets the basedn for LDAP                             |
| management-server | ldap.bind.password           | password                                              | Specifies the password to use for binding to LDAP    |
| management-server | ldap.bind.principal          | CN=Administrator,CN=Users,DC=acp,DC=accelerite,DC=com | Specifies the bind principal to use for bind to LDAP |
| management-server | ldap.email.attribute         | mail                                                  | Sets the email attribute used within LDAP            |
| management-server | ldap.firstname.attribute     | givenname                                             | Sets the firstname attribute used within LDAP        |
| management-server | ldap.group.object            | group                                                 | Sets the object type of groups within LDAP           |
| management-server | ldap.group.user.uniquemember | member                                                | Sets the attribute for uniquemembers within a group  |
| management-server | ldap.lastname.attribute      | sn                                                    | Sets the lastname attribute used within LDAP         |
| LdapConfiguration | ldap.nested.groups.enable    | true                                                  | if true, nested groups will also be queried          |
| LdapConfiguration | ldap.provider                | microsoftad                                           | ldap provider ex:openldap, microsoftad               |
| LdapConfiguration | ldap.read.timeout            | 1000                                                  | LDAP connection Timeout in milli sec                 |
| LdapConfiguration | ldap.request.

Re: Link Domain to LDAP

2016-10-14 Thread Rajani Karuturi
> Hi,
>
> I'd verify the settings via mysql
>
> mysql> select * from ldap_configuration \G
> *** 1. row ***
>   id: 2
> hostname: YOUR_LDAP_SERVER
> port: 636
>
> also check, if you're able to resolve the hostname and connect to it
> from your management host.
>
> mysql> select * from ldap_trust_map \G
> *** 1. row ***
>   id: 1
>domain_id: 2
> type: OU
> name: dc=FOO,dc=BAR
> account_type: 0
>
> you'd also need to import the specific users. I checked them via
>
> mysql> select * from user where username="XX" \G
> *** X. row ***
>   id: NNN
> uuid: ----
> username: XX
> password: XX==:10
>   account_id: NNN
>firstname: John
> lastname: Doe
>email: X@XX
>state: enabled
>  api_key: NULL
>   secret_key: NULL
>  created: -NN-NN NN:NN:NN
>  removed: NULL
> timezone: NULL
>   registration_token: NULL
>is_registered: 0
> incorrect_login_attempts: 0
>  default: 0
>   source: LDAP
>  external_entity: NULL
>
>
>
> - Stephan
>
> On Friday, 14.10.2016, 02:06, Marty Godsey wrote:
> > I have confirmed that when I am attempting to login with the user
> > that is failing, or any user in the group specified for that matter,
> > the packets are not even hitting the domain controller. I did a
> > packet capture at the DC and logged in with a known AD user that is
> > already configured in another ACS domain. This ACS domain does not
> > have any LDAP bindings just the "default" LDAP settings. I was able
> > to see my packets hit the DC and authenticate. When attempting to log
> > in from a user in the linked domain, no packets are seen.. Is there a
> > service or a library I need to check?
> >
> > Regards,
> > Marty Godsey
> >
> > -Original Message-
> > From: Marty Godsey [mailto:ma...@gonsource.com]
> > Sent: Thursday, October 13, 2016 9:37 PM
> > To: users@cloudstack.apache.org
> > Subject: RE: Link Domain to LDAP
> >
> > Whenever I try to bind to LDAP using the user's credentials, it
> > works.
> >
> > root@cs3-mgmt:/var/log/cloudstack/management# ldapwhoami -vvv -h
> > x.x.x.x -p 389 -D "CN=John Doe,OU=test1,OU=test2,DC=mydomain,DC=com"
> > -x -w Password1234!
> > ldap_initialize( ldap://10.253.0.21:389 ) u:domain\john.doe
> > Result: Success (0)
> >
> > If I also run an ldapsearch on this user, it is successful..
> >
> > However upon trying to authenticate with the same credentials on the
> > ACS screen, I receive an incorrect password error. When I look in the
> > log file all that is the following:
> >
> > Authentication failure:
> > {"loginresponse":{"uuidList":[],"errorcode":531,"errortext":"User is
> > not allowed CloudStack login"}}
> >
> > I have recreated this domain and linked it to GROUP and OU. Nested
> > groups is set to true in the ldap settings.
> >
> > Thoughts?
> >
> > Regards,
> > Marty Godsey
> >
> > -Original Message-
> > From: Rajani Karuturi [mailto:raj...@apache.org]
> > Sent: Wednesday, October 12, 2016 3:01 AM
> > To: users@cloudstack.apache.org
> > Subject: Re: Link Domain to LDAP
> >
> > Yes, you can have LDAP configured at global and domain level.
> > Did you give fully qualified name of GROUP/OU while linking?
> >
> > Easiest way to debug is to run the ldap query manually and see if it
> > returns any results ldapsearch -x -h hostname -p port "basedn" -s sub
> > -D "username"
> > -w password
> > "(&(objectClass=user)(sAMAccountName=*)(memberof=linked_group_name))"
> >
> > Also check that `ldap.provider` is set to correct value and there are
> > direct users in the group.
> > Nested groups will only work with MicrosoftAD provider and with
> > configuration `ldap.nested.groups.enable` set to true.
> >
> > There is a demo of the feature at
> > https://youtu.be/GI9b9MiOQkw?t=4m10s
> >
> > Thanks,
> > ~ Rajani
> > http://clou

Re: Link Domain to LDAP

2016-10-14 Thread Stephan Seitz
Hi,

I'd verify the settings via mysql

mysql> select * from ldap_configuration \G
*** 1. row ***
  id: 2
hostname: YOUR_LDAP_SERVER
port: 636

also check, if you're able to resolve the hostname and connect to it
from your management host.

mysql> select * from ldap_trust_map \G
*** 1. row ***
  id: 1
   domain_id: 2
type: OU
name: dc=FOO,dc=BAR
account_type: 0

you'd also need to import the specific users. I checked them via

mysql> select * from user where username="XX" \G
*** X. row ***
  id: NNN
uuid: ----
username: XX
password: XX==:10
  account_id: NNN
   firstname: John
lastname: Doe
   email: X@XX
   state: enabled
 api_key: NULL
  secret_key: NULL
 created: -NN-NN NN:NN:NN
 removed: NULL
timezone: NULL
  registration_token: NULL
   is_registered: 0
incorrect_login_attempts: 0
 default: 0
  source: LDAP
 external_entity: NULL



- Stephan

On Friday, 14.10.2016, 02:06, Marty Godsey wrote:
> I have confirmed that when I am attempting to login with the user
> that is failing, or any user in the group specified for that matter,
> the packets are not even hitting the domain controller. I did a
> packet capture at the DC and logged in with a known AD user that is
> already configured in another ACS domain. This ACS domain does not
> have any LDAP bindings just the "default" LDAP settings. I was able
> to see my packets hit the DC and authenticate. When attempting to log
> in from a user in the linked domain, no packets are seen.. Is there a
> service or a library I need to check?
> 
> Regards,
> Marty Godsey
> 
> -Original Message-
> From: Marty Godsey [mailto:ma...@gonsource.com] 
> Sent: Thursday, October 13, 2016 9:37 PM
> To: users@cloudstack.apache.org
> Subject: RE: Link Domain to LDAP
> 
> Whenever I try to bind to LDAP using the user's credentials, it
> works.
> 
> root@cs3-mgmt:/var/log/cloudstack/management# ldapwhoami -vvv -h
> x.x.x.x -p 389 -D "CN=John Doe,OU=test1,OU=test2,DC=mydomain,DC=com"
> -x -w Password1234!
> ldap_initialize( ldap://10.253.0.21:389 ) u:domain\john.doe
> Result: Success (0)
> 
> If I also run an ldapsearch on this user, it is successful..
> 
> However upon trying to authenticate with the same credentials on the
> ACS screen, I receive an incorrect password error. When I look in the
> log file all that is the following:
> 
> Authentication failure:
> {"loginresponse":{"uuidList":[],"errorcode":531,"errortext":"User is
> not allowed CloudStack login"}}
> 
> I have recreated this domain and linked it to GROUP and OU. Nested
> groups is set to true in the ldap settings.
> 
> Thoughts?
> 
> Regards,
> Marty Godsey
> 
> -Original Message-
> From: Rajani Karuturi [mailto:raj...@apache.org]
> Sent: Wednesday, October 12, 2016 3:01 AM
> To: users@cloudstack.apache.org
> Subject: Re: Link Domain to LDAP
> 
> Yes, you can have LDAP configured at global and domain level.
> Did you give fully qualified name of GROUP/OU while linking?
> 
> Easiest way to debug is to run the ldap query manually and see if it
> returns any results ldapsearch -x -h hostname -p port "basedn" -s sub
> -D "username"
> -w password
> "(&(objectClass=user)(sAMAccountName=*)(memberof=linked_group_name))"
> 
> Also check that `ldap.provider` is set to correct value and there are
> direct users in the group.
> Nested groups will only work with MicrosoftAD provider and with
> configuration `ldap.nested.groups.enable` set to true.
> 
> There is a demo of the feature at
> https://youtu.be/GI9b9MiOQkw?t=4m10s
> 
> Thanks,
> ~ Rajani
> http://cloudplatform.accelerite.com/
> 
> On October 12, 2016 at 6:23 AM, Marty Godsey
> (ma...@gonsource.com) wrote:
> Hello,
> 
> I have an ACS 4.9 instance that runs well with no issues. I have
> enabled LDAP authentication at the Global Level and this works
> without issue. The question I have is the "Link Domain to LDAP"
> function at the domain level. I have a domain that I want to auto
> sync. I added this sub domain ( lets call it ROOT/LDAPTest ) that I
> configured with the DN of the group I am wanting to populate from (I
> also attempte

RE: Link Domain to LDAP

2016-10-13 Thread Marty Godsey
I have confirmed that when I am attempting to login with the user that is 
failing, or any user in the group specified for that matter, the packets are 
not even hitting the domain controller. I did a packet capture at the DC and 
logged in with a known AD user that is already configured in another ACS 
domain. This ACS domain does not have any LDAP bindings just the "default" LDAP 
settings. I was able to see my packets hit the DC and authenticate. When 
attempting to log in from a user in the linked domain, no packets are seen.. Is 
there a service or a library I need to check?

Regards,
Marty Godsey

-Original Message-
From: Marty Godsey [mailto:ma...@gonsource.com] 
Sent: Thursday, October 13, 2016 9:37 PM
To: users@cloudstack.apache.org
Subject: RE: Link Domain to LDAP

Whenever I try to bind to LDAP using the user's credentials, it works.

root@cs3-mgmt:/var/log/cloudstack/management# ldapwhoami -vvv -h x.x.x.x -p 389 
-D "CN=John Doe,OU=test1,OU=test2,DC=mydomain,DC=com" -x -w Password1234!
ldap_initialize( ldap://10.253.0.21:389 ) u:domain\john.doe
Result: Success (0)

If I also run an ldapsearch on this user, it is successful..

However upon trying to authenticate with the same credentials on the ACS 
screen, I receive an incorrect password error. When I look in the log file all 
that is the following:

Authentication failure: 
{"loginresponse":{"uuidList":[],"errorcode":531,"errortext":"User is not 
allowed CloudStack login"}}

I have recreated this domain and linked it to GROUP and OU. Nested groups is set 
to true in the ldap settings.

Thoughts?

Regards,
Marty Godsey

-Original Message-
From: Rajani Karuturi [mailto:raj...@apache.org]
Sent: Wednesday, October 12, 2016 3:01 AM
To: users@cloudstack.apache.org
Subject: Re: Link Domain to LDAP

Yes, you can have LDAP configured at global and domain level.
Did you give fully qualified name of GROUP/OU while linking?

Easiest way to debug is to run the ldap query manually and see if it returns 
any results ldapsearch -x -h hostname -p port "basedn" -s sub -D "username"
-w password
"(&(objectClass=user)(sAMAccountName=*)(memberof=linked_group_name))"

Also check that `ldap.provider` is set to correct value and there are direct 
users in the group.
Nested groups will only work with MicrosoftAD provider and with configuration 
`ldap.nested.groups.enable` set to true.

There is a demo of the feature at
https://youtu.be/GI9b9MiOQkw?t=4m10s

Thanks,
~ Rajani
http://cloudplatform.accelerite.com/

On October 12, 2016 at 6:23 AM, Marty Godsey
(ma...@gonsource.com) wrote:
Hello,

I have an ACS 4.9 instance that runs well with no issues. I have enabled LDAP 
authentication at the Global Level and this works without issue. The question I 
have is the "Link Domain to LDAP"
function at the domain level. I have a domain that I want to auto sync. I added 
this sub domain ( lets call it ROOT/LDAPTest ) that I configured with the DN of 
the group I am wanting to populate from (I also attempted this with the OU 
setting as well) and the user that was created cannot authenticate nor are any 
of the test accounts in Active Directory being created in ACS.

I have LDAP configured globally and I also, as a test made the user part of the 
group I indicated for "LDAP Accounts" and the user shows up, but the "Link 
Domain to LDAP" does not seem to work. I tried looking in the logs and did not 
see any error or attempts to query Active Directory.

Is this a broken function? Can you have both globally set LDAP settings and 
"Link Domain to LDAP" settings?

Regards,
Marty Godsey


RE: Link Domain to LDAP

2016-10-13 Thread Marty Godsey
Whenever I try to bind to LDAP using the user's credentials, it works.

root@cs3-mgmt:/var/log/cloudstack/management# ldapwhoami -vvv -h x.x.x.x -p 389 
-D "CN=John Doe,OU=test1,OU=test2,DC=mydomain,DC=com" -x -w Password1234!
ldap_initialize( ldap://10.253.0.21:389 )
u:domain\john.doe
Result: Success (0)

If I also run an ldapsearch on this user, it is successful..

However upon trying to authenticate with the same credentials on the ACS 
screen, I receive an incorrect password error. When I look in the log file all 
that is the following:

Authentication failure: 
{"loginresponse":{"uuidList":[],"errorcode":531,"errortext":"User is not 
allowed CloudStack login"}}

I have recreated this domain and linked it to GROUP and OU. Nested groups is set 
to true in the ldap settings.

Thoughts?

Regards,
Marty Godsey

-Original Message-
From: Rajani Karuturi [mailto:raj...@apache.org] 
Sent: Wednesday, October 12, 2016 3:01 AM
To: users@cloudstack.apache.org
Subject: Re: Link Domain to LDAP

Yes, you can have LDAP configured at global and domain level.
Did you give fully qualified name of GROUP/OU while linking?

Easiest way to debug is to run the ldap query manually and see if it returns 
any results ldapsearch -x -h hostname -p port "basedn" -s sub -D "username"
-w password
"(&(objectClass=user)(sAMAccountName=*)(memberof=linked_group_name))"

Also check that `ldap.provider` is set to correct value and there are direct 
users in the group.
Nested groups will only work with MicrosoftAD provider and with configuration 
`ldap.nested.groups.enable` set to true.

There is a demo of the feature at
https://youtu.be/GI9b9MiOQkw?t=4m10s

Thanks,
~ Rajani
http://cloudplatform.accelerite.com/

On October 12, 2016 at 6:23 AM, Marty Godsey
(ma...@gonsource.com) wrote:
Hello,

I have an ACS 4.9 instance that runs well with no issues. I have enabled LDAP 
authentication at the Global Level and this works without issue. The question I 
have is the "Link Domain to LDAP"
function at the domain level. I have a domain that I want to auto sync. I added 
this sub domain ( lets call it ROOT/LDAPTest ) that I configured with the DN of 
the group I am wanting to populate from (I also attempted this with the OU 
setting as well) and the user that was created cannot authenticate nor are any 
of the test accounts in Active Directory being created in ACS.

I have LDAP configured globally and I also, as a test made the user part of the 
group I indicated for "LDAP Accounts" and the user shows up, but the "Link 
Domain to LDAP" does not seem to work. I tried looking in the logs and did not 
see any error or attempts to query Active Directory.

Is this a broken function? Can you have both globally set LDAP settings and 
"Link Domain to LDAP" settings?

Regards,
Marty Godsey


Re: Link Domain to LDAP

2016-10-12 Thread Rajani Karuturi
Yes, you can have LDAP configured at global and domain level.
Did you give fully qualified name of GROUP/OU while linking?

Easiest way to debug is to run the ldap query manually and see if
it returns any results
ldapsearch -x -h hostname -p port "basedn" -s sub -D "username"
-w password
"(&(objectClass=user)(sAMAccountName=*)(memberof=linked_group_name))"

Also check that `ldap.provider` is set to correct value and there
are direct users in the group.
Nested groups will only work with MicrosoftAD provider and with
configuration `ldap.nested.groups.enable` set to true.

There is a demo of the feature at
https://youtu.be/GI9b9MiOQkw?t=4m10s

Thanks,
~ Rajani
http://cloudplatform.accelerite.com/

On October 12, 2016 at 6:23 AM, Marty Godsey
(ma...@gonsource.com) wrote:
Hello,

I have an ACS 4.9 instance that runs well with no issues. I have
enabled LDAP authentication at the Global Level and this works
without issue. The question I have is the "Link Domain to LDAP"
function at the domain level. I have a domain that I want to auto
sync. I added this sub domain ( lets call it ROOT/LDAPTest ) that
I configured with the DN of the group I am wanting to populate
from (I also attempted this with the OU setting as well) and the
user that was created cannot authenticate nor are any of the test
accounts in Active Directory being created in ACS.

I have LDAP configured globally and I also, as a test made the
user part of the group I indicated for "LDAP Accounts" and the
user shows up, but the "Link Domain to LDAP" does not seem to
work. I tried looking in the logs and did not see any error or
attempts to query Active Directory.

Is this a broken function? Can you have both globally set LDAP
settings and "Link Domain to LDAP" settings?

Regards,
Marty Godsey
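Rajani's advice in this reply (run the memberof search by hand, make sure the linked GROUP/OU is a fully qualified DN, and check `ldap.provider` against `ldap.nested.groups.enable`), Stephan's suggestion to verify `ldap_trust_map` through mysql, and Daan's note in the 2020 thread that a global and a domain-level basedn conflict before 4.14 can all be folded into one offline sanity check. The script below is an added example and not code from this thread or from CloudStack itself: it parses constructed mysql `\G` output shaped like the rows posted above, builds the search filter from Rajani's ldapsearch with RFC 4515 escaping so a DN containing `*`, `(`, `)` or `\` cannot change the meaning of the filter, and reports the misconfigurations the thread discusses. The sample rows, the `domain_basedn` parameter and the finding texts are constructed assumptions, not values from a real installation.

```python
"""Offline sanity checks for a CloudStack 'Link Domain to LDAP' setup.

Added example (not CloudStack code): parses mysql \\G output such as the
ldap_trust_map rows posted in the thread, builds the memberof search filter
Rajani suggests running by hand, and flags the configuration mistakes the
thread discusses. The sample rows below are constructed, not real data.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: an ldap_trust_map row in the shape Rajani posted.
TRUST_MAP_OUTPUT = """\
*************************** 1. row ***************************
          id: 4
   domain_id: 7
        type: GROUP
        name: CN=acp-hyd,CN=Users,DC=acp,DC=accelerite,DC=com
account_type: 0
"""

# Constructed sample: the relevant global configuration rows, in \\G form.
CONFIG_OUTPUT = """\
*************************** 1. row ***************************
 name: ldap.basedn
value: dc=acp,dc=accelerite,dc=com
*************************** 2. row ***************************
 name: ldap.provider
value: microsoftad
*************************** 3. row ***************************
 name: ldap.nested.groups.enable
value: true
"""

ROW_MARKER = re.compile(r"^\*+ \d+\. row \*+$")
# One or more attr=value components separated by commas, i.e. a fully qualified DN.
DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+(,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$")


def parse_vertical(output: str) -> List[Dict[str, str]]:
    """Turn mysql \\G output into a list of {column: value} dicts."""
    rows: List[Dict[str, str]] = []
    for line in output.splitlines():
        if ROW_MARKER.match(line.strip()):
            rows.append({})
        elif rows and ":" in line:
            key, _, value = line.partition(":")  # split at the first colon only
            rows[-1][key.strip()] = value.strip()
    return rows


def load_config(output: str) -> Dict[str, str]:
    """Map configuration.name -> configuration.value from \\G output."""
    return {row["name"]: row["value"] for row in parse_vertical(output)}


def escape_filter(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_member_filter(group_dn: str) -> str:
    """The filter from Rajani's ldapsearch, with the group DN escaped."""
    return "(&(objectClass=user)(sAMAccountName=*)(memberof=%s))" % escape_filter(group_dn)


def check_link(config: Dict[str, str], trust_row: Dict[str, str],
               domain_basedn: Optional[str]) -> List[str]:
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings: List[str] = []
    link_type = trust_row.get("type", "")
    if link_type not in ("GROUP", "OU"):
        findings.append("ldap_trust_map.type must be GROUP or OU, got %r" % link_type)
    if not DN_RE.match(trust_row.get("name", "")):
        findings.append("ldap_trust_map.name is not a fully qualified DN: %r" % trust_row.get("name"))
    nested = config.get("ldap.nested.groups.enable", "false").lower() == "true"
    if nested and config.get("ldap.provider", "").lower() != "microsoftad":
        findings.append("nested groups enabled but ldap.provider is not microsoftad")
    global_basedn = config.get("ldap.basedn")
    if not global_basedn and not domain_basedn:
        findings.append("no basedn configured at global or domain level")
    if global_basedn and domain_basedn:
        # Daan's note: before 4.14 a global and a domain-level value conflict.
        findings.append("basedn set both globally and on the domain; keep only one before 4.14")
    return findings


if __name__ == "__main__":
    cfg = load_config(CONFIG_OUTPUT)
    row = parse_vertical(TRUST_MAP_OUTPUT)[0]
    print(build_member_filter(row["name"]))
    print("findings:", check_link(cfg, row, None) or "none")
    # A bare group name plus a second basedn on the domain: two findings.
    print("findings:", check_link(cfg, {"type": "GROUP", "name": "acp-hyd"},
                                  "dc=acp,dc=accelerite,dc=com"))
```

To use it against a live installation, paste the real `select * from ldap_trust_map where domain_id=N\G` and `select name,value from configuration where name like '%ldap%'\G` output into the two constants and pass the domain's own basedn (or `None`) to `check_link`; the printed filter can then be dropped into the ldapsearch command from Rajani's reply unchanged.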