Thank you for your quick reply.
I hope that CS4.2 can use an external LDAP server easily.

And is there some script to import AD LDAP users into CS?



2013/8/26 Suresh Sadhu <suresh.sa...@citrix.com>:
> Please find my answers below:
>
>
> -----Original Message-----
> From: 不坏阿峰 [mailto:onlydeb...@gmail.com]
> Sent: 26 August 2013 13:21
> To: users@cloudstack.apache.org
> Subject: Re: How is Cloudstack work with Active Directory
>
> About my question: when using Active Directory LDAP for
> authentication, if I want to use 3 users in AD, do I need to create
> the same 3 accounts in CS?
>
> *******************sadhu**********
> Yes, as per the current implementation it requires the same accounts in CS.
> ****************
> Just now I tested using dota; this user exists on both AD and CS, just
> with a different password. I tested using dota and the user's password
> in AD, and can log in.
>
> In my experience, when using an LDAP server, you just need one user to
> bind to LDAP, and then can query and authenticate all users in the
> specific OU. But CS seems somewhat different.
>
> **************sadhu*******
> Yes, you are right. One user is enough to bind, and the rest of the users
> will validate, but in the CS case the initial verification happens at the DB
> level, and if it fails then authentication happens at the LDAP level. For
> this reason (first-level authentication happening at the DB level) you need
> to create the same user (i.e. the same user with a different password) in CS
> as well. Hope this info will help.
> *********
>
> Could you explain it?
>
> thanks
>
> 2013/8/26 Ian Duffy <i...@ianduffy.ie>:
>> Try sAMAccountName=%u
>>
>>
>> On 26 August 2013 03:15, 不坏阿峰 <onlydeb...@gmail.com> wrote:
>>
>>> In AD 2008 there is no uid, so I use disPlayname=%u; %u is the
>>> CloudStack username.
>>>
>>> I also followed this: installed cloudmonkey and did the ldapconfig with it.
>>>
>>> http://kirkjantzer.blogspot.com/2013/03/ldap-authentication-in-cloudstack-v401.html
>>>
>>> >  ldap config hostname=192.168.123.61 searchbase=ou=member,DC=lab,DC=com
>>> queryfilter=(diaplayname=%u) binddn=CN=dota,ou=member,DC=lab,DC=com
>>> bindpass=123@lab port=389
>>> ldapconfig:
>>> binddn = CN=dota,ou=member,DC=lab,DC=com
>>> hostname = 192.168.123.61
>>> port = false
>>> queryfilter = (diaplayname=%u)
>>> searchbase = ou=member,DC=lab,DC=com
>>>
>>> >> Dn: CN=dota,OU=member,DC=lab,DC=com
>>> 0> objectClass:
>>> 0> cn:
>>> 0> distinguishedName:
>>> 0> instanceType:
>>> 0> whenCreated:
>>> 0> whenChanged:
>>> 0> displayName:
>>> 0> uSNCreated:
>>> 0> uSNChanged:
>>> 0> name:
>>> 0> objectGUID:
>>> 0> userAccountControl:
>>> 0> badPwdCount:
>>> 0> codePage:
>>> 0> countryCode:
>>> 0> badPasswordTime:
>>> 0> lastLogoff:
>>> 0> lastLogon:
>>> 0> pwdLastSet:
>>> 0> primaryGroupID:
>>> 0> objectSid:
>>> 0> accountExpires:
>>> 0> logonCount:
>>> 0> sAMAccountName:
>>> 0> sAMAccountType:
>>> 0> userPrincipalName:
>>> 0> objectCategory:
>>> 0> dSCorePropagationData:
>>> 0> lastLogonTimestamp:
>>>
>>> 2013/8/25 Kirk Jantzer <kirk.jant...@gmail.com>:
>>> > It appears your queryfilter may be incorrect - You are trying to match
>>> > the %u in CloudStack to 'disPlayname' in AD? Verify that whatever you put
>>> > into the username field in CS matches whatever is in the 'disPlayname'
>>> > field in AD (this can be found by opening AD Users and Computers,
>>> > selecting the menu option to show advanced properties, then looking at
>>> > the user, then clicking the 'attributes' tab).
>>> >
>>> >
>>> > Regards,
>>> >
>>> > Kirk Jantzer
>>> > http://about.met/kirkjantzer
>>> >
>>> >
>>> > On Sat, Aug 24, 2013 at 12:48 PM, 不坏阿峰 <onlydeb...@gmail.com> wrote:
>>> >
>>> >> Cloudstack4.1.1
>>> >> (1). I created the same user, dota, on Active Directory and CS.
>>> >> (2). I tested an LDAP query with binddn cn=dota,ou=member,dc=lab,dc=com;
>>> >> it is OK, so Active Directory LDAP is ready.
>>> >> (3). There are two users under ou=member,dc=lab,dc=com: dota, csuser01
>>> >> (4). I enabled integration.api.port=8096 and restarted CS-management.
>>> >>
>>> >> Q1: From the CS log, the LDAP server is configured, but the IE response
>>> >> shows false. Which is the correct information?
>>> >>
>>> >> Q2: How many users should be created on both Active Directory and CS?
>>> >> Or only one for the LDAP config, with other users created in Active
>>> >> Directory just for CS use?
>>> >>
>>> >> Q3: What will change in the UI when the LDAP config succeeds? Can I see
>>> >> users imported from Active Directory? Can I use csuser01 to log in to CS?
>>> >> (I tried to log in but it failed.)
>>> >>
>>> >>
>>> >>
>>> >>
>>> http://192.168.230.2:8096/client/api?command=ldapConfig&hostname=192.168.123.61&searchbase=OU%3Dmember%2CDC%3Dlab%2CDC%3Dcom&queryfilter=%28%26%28disPlayname%3D%25u%29%29&binddn=CN%3Ddota%2COU%3Dmember%2CDC%3Dlab%2CDC%3Dcom&bindpass=123@lab&port=389&response=json
>>> >>
>>> >> ####### Got  this response:#####
>>> >> { "ldapconfigresponse" :  { "ldapconfig" :
>>> >>
>>> >>
>>> {"hostname":"192.168.123.61","port":"false","searchbase":"OU=member,DC=lab,DC=com","queryfilter":"(&(disPlayname=%u))","binddn":"CN=dota,OU=member,DC=lab,DC=com"}
>>> >> }  }
>>> >>
>>> >> #######  CS log  #########
>>> >> 2013-08-24 21:10:44,453 DEBUG
>>> >> [cloud.configuration.ConfigurationManagerImpl] (ApiServer-4:null) The
>>> >> ldap server is configured: 192.168.123.61
>>> >>
>>> >> ######## other things I checked ######
>>> >> (1) in CS4.1.1 ,sharedFunctions.js  , var md5HashedLogin = fals
>>> >> (2) When creating dota in CS, for "Network Domain" I put lab.com, and
>>> >> for username I put dota.
>>> >>
>>>
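
Added example, not part of the thread and not CloudStack code: how a `%u` query filter of the kind discussed above expands for a given login name, and why `(displayName=%u)` and `(sAMAccountName=%u)` can select different entries. The directory entries and their attribute values are constructed for illustration, and all function names are hypothetical.

```python
import re
from urllib.parse import urlencode, quote

# RFC 4515 filter metacharacters and their escaped forms.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def expand_query_filter(template, username):
    """Replace %u with the login name, escaped so it remains one literal value."""
    return template.replace("%u", escape_filter_value(username))

def matches(filter_str, entry):
    """Evaluate one simple (attr=value) equality filter against an entry dict."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
    if not m:
        raise ValueError("only simple equality filters are handled here")
    attr, raw = m.groups()
    # Undo \XX escapes before comparing with the stored value.
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), raw)
    stored = {k.lower(): v for k, v in entry.items()}.get(attr.lower())
    return stored is not None and stored.lower() == value.lower()

def ldapconfig_query(params):
    """Percent-encode each parameter for an ldapConfig query string."""
    return urlencode(params, quote_via=quote, safe="")

# Constructed entries: the attribute values in the thread's dump are elided.
DIRECTORY = [
    {"cn": "dota", "displayName": "Dota Admin", "sAMAccountName": "dota"},
    {"cn": "csuser01", "displayName": "CS User (01)", "sAMAccountName": "csuser01"},
]

def find_users(template, username):
    flt = expand_query_filter(template, username)
    return [e["sAMAccountName"] for e in DIRECTORY if matches(flt, e)]

if __name__ == "__main__":
    print(find_users("(displayName=%u)", "csuser01"))     # login name is not the display name
    print(find_users("(sAMAccountName=%u)", "csuser01"))  # login name is the account name
    print(ldapconfig_query({"queryfilter": "(sAMAccountName=%u)",
                            "bindpass": "123@lab"}))
```
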
