What Suresh is referring to is something someone is working on for a future version of CS. In the current versions, I'm not aware of any global settings for LDAP. See this blog post about creating a script to sync your LDAP users into CS. While this may not work for you, it is a starting point on the idea behind bulk adding LDAP-based users into CS.

I take from your reply earlier that things are working as expected now?

Regards,
Kirk Jantzer
http://about.me/kirkjantzer

On Mon, Aug 26, 2013 at 10:31 AM, 不坏阿峰 <onlydeb...@gmail.com> wrote:
> I have tried searching LDAP from global settings before, but cannot find it.
> My CloudStack was upgraded from 4.0.2; maybe the new database schema was not
> imported?
>
> 2013/8/26 Suresh Sadhu <suresh.sa...@citrix.com>:
> > Ian did this part, please visit the link below:
> >
> > https://www.youtube.com/watch?v=-3LG8wP7Zac&hd=1
> >
> > regards
> > sadhu
> >
> > -----Original Message-----
> > From: 不坏阿峰 [mailto:onlydeb...@gmail.com]
> > Sent: 26 August 2013 14:20
> > To: users@cloudstack.apache.org
> > Subject: Re: How is Cloudstack work with Active Directory
> >
> > Thank you for your quick reply.
> > I hope that CS 4.2 can use an external LDAP server easily.
> >
> > And is there some script to import AD LDAP users into CS?
> >
> > 2013/8/26 Suresh Sadhu <suresh.sa...@citrix.com>:
> >> Please find my answers below:
> >>
> >> -----Original Message-----
> >> From: 不坏阿峰 [mailto:onlydeb...@gmail.com]
> >> Sent: 26 August 2013 13:21
> >> To: users@cloudstack.apache.org
> >> Subject: Re: How is Cloudstack work with Active Directory
> >>
> >> About my question: when using Active Directory LDAP for
> >> authentication, if I want to use 3 users in AD, do I need to create 3
> >> of the same accounts in CS?
> >>
> >> *******************sadhu**********
> >> Yes, as per the current implementation it requires the same accounts in CS.
> >> ****************
> >> Just now I tested using dota; this user exists both on AD and CS, just
> >> with a different password. I tested using dota with the user's password in
> >> AD, and could log in.
> >>
> >> In my experience, if you use an LDAP server, you just need one user to bind
> >> to LDAP, then you can query and authenticate all users in the
> >> specific OU. But CS seems somewhat different.
> >>
> >> **************sadhu*******
> >> Yes, you are right, one user is enough to bind and the rest of the users will
> >> validate, but in the CS case initial verification happens at the DB level and
> >> if it fails then authentication happens at the LDAP level. Due to this
> >> reason (first-level authentication happening at the DB level) you need to
> >> create the same user (like the same user with a different password) in CS
> >> as well. Hope this info will help.
> >> *********
> >>
> >> Could you explain it?
> >>
> >> Thanks
> >>
> >> 2013/8/26 Ian Duffy <i...@ianduffy.ie>:
> >>> Try sAMAccountName=%u
> >>>
> >>> On 26 August 2013 03:15, 不坏阿峰 <onlydeb...@gmail.com> wrote:
> >>>
> >>>> In AD 2008 there is no uid, so I use disPlayname=%u, where %u is the
> >>>> CloudStack username.
> >>>>
> >>>> I also followed this: install cloudmonkey and ldapconfig it.
> >>>>
> >>>> http://kirkjantzer.blogspot.com/2013/03/ldap-authentication-in-cloudstack-v401.html
> >>>>
> >>>> > ldap config hostname=192.168.123.61 searchbase=ou=member,DC=lab,DC=com queryfilter=(diaplayname=%u) binddn=CN=dota,ou=member,DC=lab,DC=com bindpass=123@lab port=389
> >>>> ldapconfig:
> >>>> binddn = CN=dota,ou=member,DC=lab,DC=com
> >>>> hostname = 192.168.123.61
> >>>> port = false
> >>>> queryfilter = (diaplayname=%u)
> >>>> searchbase = ou=member,DC=lab,DC=com
> >>>>
> >>>> >> Dn: CN=dota,OU=member,DC=lab,DC=com
> >>>> 0> objectClass:
> >>>> 0> cn:
> >>>> 0> distinguishedName:
> >>>> 0> instanceType:
> >>>> 0> whenCreated:
> >>>> 0> whenChanged:
> >>>> 0> displayName:
> >>>> 0> uSNCreated:
> >>>> 0> uSNChanged:
> >>>> 0> name:
> >>>> 0> objectGUID:
> >>>> 0> userAccountControl:
> >>>> 0> badPwdCount:
> >>>> 0> codePage:
> >>>> 0> countryCode:
> >>>> 0> badPasswordTime:
> >>>> 0> lastLogoff:
> >>>> 0> lastLogon:
> >>>> 0> pwdLastSet:
> >>>> 0> primaryGroupID:
> >>>> 0> objectSid:
> >>>> 0> accountExpires:
> >>>> 0> logonCount:
> >>>> 0> sAMAccountName:
> >>>> 0> sAMAccountType:
> >>>> 0> userPrincipalName:
> >>>> 0> objectCategory:
> >>>> 0> dSCorePropagationData:
> >>>> 0> lastLogonTimestamp:
> >>>>
> >>>> 2013/8/25 Kirk Jantzer <kirk.jant...@gmail.com>:
> >>>> > It appears your queryfilter may be incorrect - you are trying to match the
> >>>> > %u in CloudStack to 'disPlayname' in AD? Verify that whatever you put into
> >>>> > the username field in CS matches whatever is in the 'disPlayname' field in
> >>>> > AD (this can be found by opening AD Users and Computers, selecting the menu
> >>>> > option to show advanced properties, then looking at the user, then clicking
> >>>> > the 'attributes' tab).
> >>>> >
> >>>> > Regards,
> >>>> >
> >>>> > Kirk Jantzer
> >>>> > http://about.met/kirkjantzer
> >>>> >
> >>>> > On Sat, Aug 24, 2013 at 12:48 PM, 不坏阿峰 <onlydeb...@gmail.com> wrote:
> >>>> >
> >>>> >> Cloudstack 4.1.1
> >>>> >> (1). I created the same user, dota, on Active Directory and CS.
> >>>> >> (2). I have tested the LDAP query with binddn cn=dota,ou=member,dc=lab,dc=com;
> >>>> >> it is OK, so the Active Directory LDAP is ready.
> >>>> >> (3). There are two users under ou=member,dc=lab,dc=com: dota and csuser01.
> >>>> >> (4). Enabled integration.api.port=8096 and restarted CS-management.
> >>>> >>
> >>>> >> Q1: from the CS log, the LDAP server is configured, but IE responds
> >>>> >> false; what is the correct information?
> >>>> >>
> >>>> >> Q2: how many users should be created on both Active Directory and CS?
> >>>> >> Or only one for the LDAP config, with Active Directory creating the other
> >>>> >> users just for CS use?
> >>>> >>
> >>>> >> Q3: what will change in the UI when the LDAP config succeeds? Can I see
> >>>> >> users imported from Active Directory? Can I use csuser01 to log in to
> >>>> >> CS? (I tried to log in but it failed.)
> >>>> >>
> >>>> >> http://192.168.230.2:8096/client/api?command=ldapConfig&hostname=192.168.123.61&searchbase=OU%3Dmember%2CDC%3Dlab%2CDC%3Dcom&queryfilter=%28%26%28disPlayname%3D%25u%29%29&binddn=CN%3Ddota%2COU%3Dmember%2CDC%3Dlab%2CDC%3Dcom&bindpass=123@lab&port=389&response=json
> >>>> >>
> >>>> >> ####### Got this response:#####
> >>>> >> { "ldapconfigresponse" : { "ldapconfig" :
> >>>> >> {"hostname":"192.168.123.61","port":"false","searchbase":"OU=member,DC=lab,DC=com","queryfilter":"(&(disPlayname=%u))","binddn":"CN=dota,OU=member,DC=lab,DC=com"}
> >>>> >> } }
> >>>> >>
> >>>> >> ####### CS log #########
> >>>> >> 2013-08-24 21:10:44,453 DEBUG [cloud.configuration.ConfigurationManagerImpl] (ApiServer-4:null) The ldap server is configured: 192.168.123.61
> >>>> >>
> >>>> >> ######## other things I checked ######
> >>>> >> (1) In CS 4.1.1, sharedFunctions.js, var md5HashedLogin = false
> >>>> >> (2) When creating dota in CS, for "Network Domain" I put lab.com and for
> >>>> >> username I put dota.
> >>>> >
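An added example, not from the thread and not CloudStack's own code: a small Python helper that checks a CloudStack queryfilter against the AD user attributes listed in the ldp dump above (a constructed subset), escapes the username before it replaces %u so that filter metacharacters are matched literally (RFC 4515), and builds the URL-encoded ldapConfig query string the way the API call in the thread does. The attribute set, the function names and the bind password placeholder are assumptions.

```python
import re
from urllib.parse import urlencode

# Constructed subset of the AD user attributes seen in the ldp dump on this thread.
AD_USER_ATTRS = {"cn", "name", "distinguishedName", "displayName",
                 "sAMAccountName", "userPrincipalName"}
# LDAP attribute names are case-insensitive, so compare on a lower-cased key.
_ATTRS_BY_LOWER = {a.lower(): a for a in AD_USER_ATTRS}

# RFC 4515 escapes for a value substituted into a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape filter metacharacters so the username is matched literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def check_queryfilter(queryfilter: str) -> list:
    """Return the problems found in a CloudStack queryfilter such as '(sAMAccountName=%u)'."""
    problems = []
    if "%u" not in queryfilter:
        problems.append("no %u placeholder: CloudStack cannot substitute the username")
    # Every '(attr=' in the filter must name an attribute the AD user object carries.
    for attr in re.findall(r"\(\s*([A-Za-z][\w-]*)\s*=", queryfilter):
        if attr.lower() not in _ATTRS_BY_LOWER:
            problems.append(f"'{attr}' is not an attribute of the AD user object (typo?)")
    return problems


def render_filter(queryfilter: str, username: str) -> str:
    """Substitute the escaped username for %u, as an LDAP authenticator would."""
    return queryfilter.replace("%u", escape_filter_value(username))


def ldap_config_query(hostname: str, searchbase: str, queryfilter: str,
                      binddn: str, bindpass: str, port: int = 389) -> str:
    """Build the URL-encoded query string for the ldapConfig API call (hypothetical helper)."""
    params = {"command": "ldapConfig", "hostname": hostname, "searchbase": searchbase,
              "queryfilter": queryfilter, "binddn": binddn, "bindpass": bindpass,
              "port": port, "response": "json"}
    return urlencode(params)  # '(' -> %28, '=' -> %3D, '%u' -> %25u, as in the thread's URL


if __name__ == "__main__":
    for f in ("(diaplayname=%u)", "(&(disPlayname=%u))", "(sAMAccountName=%u)"):
        print(f, check_queryfilter(f) or "ok")
    print(ldap_config_query("192.168.123.61", "ou=member,DC=lab,DC=com",
                            "(sAMAccountName=%u)", "CN=dota,ou=member,DC=lab,DC=com",
                            "<bind password placeholder>"))
```

Because attribute names compare case-insensitively, disPlayname passes the check while diaplayname is reported as a typo.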