thank you for your quick reply. hope that CS4.2 can use external ldap server easily.
and is there some script to import AD ldap user into cs ?

2013/8/26 Suresh Sadhu <suresh.sa...@citrix.com>:
> Please find my answers below:
>
>
> -----Original Message-----
> From: 不坏阿峰 [mailto:onlydeb...@gmail.com]
> Sent: 26 August 2013 13:21
> To: users@cloudstack.apache.org
> Subject: Re: How is Cloudstack work with Active Directory
>
> about my Question, when use active directory LDAP for authentication, if i want use 3 user in AD, i need create 3 same account in CS ?
>
> *******************sadhu**********
> yes, as per the current implementation it requires same accounts in CS.
> ****************
> just now, i test use dota, this user exist both on AD and CS, just different password. i test use dota and user password in AD, can login.
>
> as my experience, if use a LDAP server, just need one user to bind the ldap, then can query and do authentication on all user in the specific OU. but CS seems some different.
>
> **************sadhu*******
> Yes you are right, one user is enough to bind and rest of users will validate, but in CS case initial verification happens at DB level and if it fails then authentication happens at LDAP level. Due to this reason (first-level authentication happening at DB level) you need to create same user (like same user with different password) in CS as well. Hope this info will help.
> *********
>
> could you explain it?
>
> thanks
>
> 2013/8/26 Ian Duffy <i...@ianduffy.ie>:
>> Try sAMAccountName=%u
>>
>>
>> On 26 August 2013 03:15, 不坏阿峰 <onlydeb...@gmail.com> wrote:
>>
>>> in AD 2008, do not have uid, so i use disPlayname=%u, %u is the cloudstack username.
>>>
>>> i also follow this, install cloudmonkey and ldapconfig it.
>>>
>>> http://kirkjantzer.blogspot.com/2013/03/ldap-authentication-in-cloudstack-v401.html
>>>
>>> > ldap config hostname=192.168.123.61 searchbase=ou=member,DC=lab,DC=com queryfilter=(diaplayname=%u) binddn=CN=dota,ou=member,DC=lab,DC=com bindpass=123@lab port=389
>>> ldapconfig:
>>> binddn = CN=dota,ou=member,DC=lab,DC=com
>>> hostname = 192.168.123.61
>>> port = false
>>> queryfilter = (diaplayname=%u)
>>> searchbase = ou=member,DC=lab,DC=com
>>>
>>>
>>> Dn: CN=dota,OU=member,DC=lab,DC=com
>>> 0> objectClass:
>>> 0> cn:
>>> 0> distinguishedName:
>>> 0> instanceType:
>>> 0> whenCreated:
>>> 0> whenChanged:
>>> 0> displayName:
>>> 0> uSNCreated:
>>> 0> uSNChanged:
>>> 0> name:
>>> 0> objectGUID:
>>> 0> userAccountControl:
>>> 0> badPwdCount:
>>> 0> codePage:
>>> 0> countryCode:
>>> 0> badPasswordTime:
>>> 0> lastLogoff:
>>> 0> lastLogon:
>>> 0> pwdLastSet:
>>> 0> primaryGroupID:
>>> 0> objectSid:
>>> 0> accountExpires:
>>> 0> logonCount:
>>> 0> sAMAccountName:
>>> 0> sAMAccountType:
>>> 0> userPrincipalName:
>>> 0> objectCategory:
>>> 0> dSCorePropagationData:
>>> 0> lastLogonTimestamp:
>>>
>>> 2013/8/25 Kirk Jantzer <kirk.jant...@gmail.com>:
>>> > It appears your queryfilter may be incorrect - You are trying to match the %u in CloudStack to 'disPlayname' in AD? Verify that whatever you put into the username field in CS matches whatever is in the 'disPlayname' field in AD (this can be found by opening AD Users and Computers, selecting the menu option to show advanced properties, then looking at the user, then clicking the 'attributes' tab).
>>> >
>>> >
>>> > Regards,
>>> >
>>> > Kirk Jantzer
>>> > http://about.met/kirkjantzer
>>> >
>>> >
>>> > On Sat, Aug 24, 2013 at 12:48 PM, 不坏阿峰 <onlydeb...@gmail.com> wrote:
>>> >
>>> >> Cloudstack4.1.1
>>> >> (1). i create same user: dota on Active Directory and CS
>>> >> (2). i have test ldap query by binddn cn=dota,ou=member,dc=lab,dc=com, it is ok, so active directory ldap is ready.
>>> >> (3). have two user under ou=member,dc=lab,dc=com: dota, csuser01
>>> >> (4). enable integration.api.port=8096, and restart CS-management
>>> >>
>>> >> Q1: from the CS log, ldap server configured, but IE response false, what is correct information?
>>> >>
>>> >> Q2: how many user should be created on both Active Directory and CS ? or only one for ldap config, active directory create other user just for CS use
>>> >>
>>> >> Q3: what will change in UI when ldap config success? can see users imported from Active Directory ? can use csuser01 to login CS ? (i try log in but failure)
>>> >>
>>> >> http://192.168.230.2:8096/client/api?command=ldapConfig&hostname=192.168.123.61&searchbase=OU%3Dmember%2CDC%3Dlab%2CDC%3Dcom&queryfilter=%28%26%28disPlayname%3D%25u%29%29&binddn=CN%3Ddota%2COU%3Dmember%2CDC%3Dlab%2CDC%3Dcom&bindpass=123@lab&port=389&response=json
>>> >>
>>> >> ####### Got this response:#####
>>> >> { "ldapconfigresponse" : { "ldapconfig" : {"hostname":"192.168.123.61","port":"false","searchbase":"OU=member,DC=lab,DC=com","queryfilter":"(&(disPlayname=%u))","binddn":"CN=dota,OU=member,DC=lab,DC=com"} } }
>>> >>
>>> >> ####### CS log #########
>>> >> 2013-08-24 21:10:44,453 DEBUG [cloud.configuration.ConfigurationManagerImpl] (ApiServer-4:null) The ldap server is configured: 192.168.123.61
>>> >>
>>> >> ######## other thing i checked ######
>>> >> (1) in CS4.1.1, sharedFunctions.js, var md5HashedLogin = false
>>> >> (2) when create dota in CS, "Network Domain" i put lab.com, username i put dota
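Added example, not from the thread and not CloudStack's own code: a toy Python model of the flow Suresh describes (local DB check first, then the queryfilter with %u substituted and run against AD). The AD entries, CS account table, passwords and the '_pw' field that stands in for a simple bind are all constructed; it shows why the substituted login name must be escaped per RFC 4515, why the misspelt 'diaplayname' filter matches nothing, and why a user that exists only in AD never reaches the LDAP step.

```python
import re

# RFC 4515 escaping so a login name cannot add or close filter terms.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    return "".join(_ESCAPE.get(ch, ch) for ch in value)
def unescape_filter_value(value):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)

def build_query_filter(template, username):
    """Replace %u as the CloudStack queryfilter does, with the name escaped."""
    return template.replace("%u", escape_filter_value(username))

# Constructed entries under ou=member,DC=lab,DC=com: AD 2008 has no 'uid',
# and dota's displayName differs from the login name (Kirk's point).
AD_ENTRIES = {
    "CN=dota,OU=member,DC=lab,DC=com":
        {"sAMAccountName": "dota", "displayName": "Dota Player", "_pw": "ad-secret"},
    "CN=csuser01,OU=member,DC=lab,DC=com":
        {"sAMAccountName": "csuser01", "displayName": "CS User 01", "_pw": "ad-other"},
}
_EQUALITY = re.compile(r"^\(([A-Za-z][\w-]*)=([^()]*)\)$")

def ldap_search(ldap_filter):
    """Evaluate one equality filter (the form used in the thread). Attribute
    names compare case-insensitively; an attribute the schema lacks (such as
    the misspelt 'diaplayname') matches nothing, as on a real server."""
    m = _EQUALITY.match(ldap_filter)
    if not m:
        raise ValueError("unsupported filter: " + ldap_filter)
    attr, value = m.group(1).lower(), unescape_filter_value(m.group(2))
    return [dn for dn, entry in AD_ENTRIES.items()
            if any(k.lower() == attr and v == value
                   for k, v in entry.items() if not k.startswith("_"))]

# Constructed CloudStack account table: dota exists with a different password.
CS_ACCOUNTS = {"dota": "cs-local-pw"}

def authenticate(username, password, template="(sAMAccountName=%u)"):
    """Order Suresh describes: local DB check first, LDAP only if that fails.
    The simple bind as the found DN is simulated by comparing '_pw'."""
    if username not in CS_ACCOUNTS:
        return "unknown-account"  # never reaches LDAP
    if CS_ACCOUNTS[username] == password:
        return "local"
    dns = ldap_search(build_query_filter(template, username))
    if len(dns) == 1 and AD_ENTRIES[dns[0]]["_pw"] == password:
        return "ldap"
    return "denied"
```

With the thread's own filter template passed as `template`, `authenticate("dota", "ad-secret", "(diaplayname=%u)")` is denied even though the AD password is right, while the sAMAccountName template Ian suggested succeeds.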