Dear Kirk

From your post, I got the PHP script to import Active Directory users into CS.
Here is the script that runs; I modified it so it can run (the original script
had some mistakes).
Hope other people will like it, and that CS4.2 will be released soon with
a good LDAP integration solution.

thanks.

###########
<?php

// LDAP (Active Directory) connection settings
$ldaphost = "192.168.123.61";
$ldapport = 389;
$ldaprdn  = 'cn=dota,ou=member,dc=lab,dc=com';   // bind DN
$ldappass = '123@lab';

// Recursively search $haystack (arrays or the stdClass objects json_decode()
// returns) for $needle; return the key path to it, or false when not present.
function array_searchRecursive($needle, $haystack, $strict = false, $path = array())
{
  // listAccounts returns an array of stdClass objects: treat objects as arrays
  if (is_object($haystack)) {
    $haystack = get_object_vars($haystack);
  }
  if (!is_array($haystack)) {
    return false;
  }
  foreach ($haystack as $key => $val) {
    if (is_array($val) || is_object($val)) {
      $subPath = array_searchRecursive($needle, $val, $strict, $path);
      if ($subPath !== false) {
        return array_merge($path, array($key), $subPath);
      }
    } elseif ((!$strict && $val == $needle) || ($strict && $val === $needle)) {
      $path[] = $key;
      return $path;
    }
  }
  // the caller tests for === false, so "not found" must really return false
  return false;
}

// CloudStack API request signing: HMAC-SHA1 over the lower-cased query string,
// base64 encoded, then URL-encoded
function getSignature($queryString) {
  $secretKey = "_3DJxz7hNp4QX46u2D_Ju48NWsYtEefvOYPUj-8qjIKvpTSZd9nQsdVb-ILqUj_0Sv60fHcS-hB0vktMlJ1Kqw";
  $hash = hash_hmac("SHA1", $queryString, $secretKey, true);
  $base64encoded = base64_encode($hash);
  return urlencode($base64encoded);
}

// Send one API command to CloudStack and return the decoded response
// (uses the HttpRequest class from pecl_http 1.x)
function request($command, $args = array()) {
  $cloudServer = "192.168.230.2:8096";
  $apiKey = "YqMHjNVGzg6c3sH-aRpSkqHm4gSS3DMDtgicIG_MoztKlKRU9OSTZ5l50nbsVQczsWsLE28HSoT-Ljqg0N22ZA";
  // drop empty parameters
  foreach ($args as $key => $value) {
    if ($value == "") {
      unset($args[$key]);
    }
  }
  // Building the query: parameters must be sorted before signing
  $args['apikey'] = $apiKey;
  $args['command'] = $command;
  $args['response'] = "json";
  ksort($args);
  $query = http_build_query($args);
  $query = str_replace("+", "%20", $query);
  $query .= "&signature=" . getSignature(strtolower($query));
  $httpRequest = new HttpRequest();
  $httpRequest->setMethod(HTTP_METH_POST);
  // (the posted version had a stray ';' after "http://" that broke this line)
  $url = "http://" . $cloudServer . "?" . $query;
  $httpRequest->setUrl($url);
  $httpRequest->send();
  $code = $httpRequest->getResponseCode();
  $data = $httpRequest->getResponseData();
  if (empty($data)) {
    die("NO_DATA_RECEIVED");
  }
  $result = json_decode($data['body']);
  if (empty($result)) {
    die("NO_VALID_JSON_RECEIVED");
  }
  $propertyResponse = strtolower($command) . "response";
  if (!property_exists($result, $propertyResponse)) {
    if (property_exists($result, "errorresponse") &&
        property_exists($result->errorresponse, "errortext")) {
      die($result->errorresponse->errortext);
    } else {
      die("Unable to parse the response. Got code " . $code . " and message: " . $data['body']);
    }
  }
  $response = $result->{$propertyResponse};
  // list handling: most lists follow the same pattern as listVirtualMachines:
  // { "listvirtualmachinesresponse" : { "virtualmachine" : [ ... ] } }
  preg_match('/list(\w+)s/', strtolower($command), $listMatches);
  if (!empty($listMatches)) {
    $objectName = $listMatches[1];
    if (property_exists($response, $objectName)) {
      $resultArray = $response->{$objectName};
      if (is_array($resultArray)) {
        return $resultArray;
      }
    } else {
      // sometimes the 's' is kept, as in:
      // { "listasyncjobsresponse" : { "asyncjobs" : [ ... ] } }
      $objectName = $listMatches[1] . "s";
      if (property_exists($response, $objectName)) {
        $resultArray = $response->{$objectName};
        if (is_array($resultArray)) {
          return $resultArray;
        }
      }
    }
  }
  return $response;
}

// Return the first value of an LDAP attribute, or "" when the entry lacks it
// (ldap_get_entries() lower-cases attribute names; request() drops empty values)
function ldapAttr($entry, $name) {
  return isset($entry[$name][0]) ? $entry[$name][0] : "";
}

// Get the accounts that already exist in CloudStack
$cloudAccounts = request("listAccounts", array("listall" => "true"));

// Connecting to LDAP
$ldapconn = ldap_connect($ldaphost, $ldapport) or die("Could not connect to {$ldaphost}");
if ($ldapconn) {
  ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
  ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
  // binding to ldap server
  $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
  // verify binding
  if ($ldapbind) {
    echo "LDAP bind successful...\n";
    $basedn = "ou=member,dc=lab,dc=com";
    $filter = "(&(cn=*))";
    #$filter = "(&(accountstatus=active))";
    #$justthese = array("dn", "uid", "cn", "mail", "mobile");
    #$search = ldap_search($ldapconn, $basedn, $filter, $justthese);
    $search = ldap_search($ldapconn, $basedn, $filter);
    $info = ldap_get_entries($ldapconn, $search);

    if ($info["count"] > 0) {
      echo "Found " . $info["count"] . " users\n";
      for ($i = 0; $i < $info["count"]; $i++) {
        $username = ldapAttr($info[$i], "cn");
        echo "Processing user [" . $username . "]\n";
        // strict comparison: a loose == would also match JSON booleans in the account list
        if (array_searchRecursive($username, $cloudAccounts, true) === false) {
          // Create user account
          $result = request("createAccount", array(
            "accounttype" => "0",
            "email" => ldapAttr($info[$i], "mail"),
            "firstname" => ldapAttr($info[$i], "givenname"),
            "lastname" => ldapAttr($info[$i], "sn"),
            "password" => "password", // AD does not return the user's password attribute
            "username" => $username,
            "networkdomain" => "lab.com",
            "timezone" => "Etc/UTC",
          ));
        } else {
          echo "User already exists!\n";
        }
      }
    } else {
      echo "No users found...\n";
    }
    // Unbind
    ldap_unbind($ldapconn);
  } else {
    echo "LDAP bind failed...\n";
  }
}
?>

###########
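Two points of the script above that a practitioner would want spelled out, as an added Python example (not the poster's script and not CloudStack project code): how the request signature is derived, and why the created accounts should not all share the fixed local password "password", since, as Suresh explains further down the thread, CloudStack checks the local database password before falling back to LDAP. The API key, secret, server address and LDAP entry are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import quote, urlencode

# Constructed placeholder key pair; a real deployment reads its own values.
API_KEY = "EXAMPLE_API_KEY"
SECRET_KEY = "EXAMPLE_SECRET_KEY"


def build_query(command, args, api_key=API_KEY):
    """Canonical CloudStack query: empty values dropped, apikey/command/response
    added, keys sorted, spaces and '/' percent-encoded (never the '+' form)."""
    params = {k: v for k, v in args.items() if v != ""}
    params.update({"apikey": api_key, "command": command, "response": "json"})
    return urlencode(sorted(params.items()), quote_via=quote)


def sign(query, secret_key=SECRET_KEY):
    """HMAC-SHA1 over the lower-cased query, base64, then URL-encoded."""
    mac = hmac.new(secret_key.encode(), query.lower().encode(), hashlib.sha1)
    return quote(base64.b64encode(mac.digest()).decode(), safe="")


def signed_url(server, command, args):
    query = build_query(command, args)
    return "http://%s?%s&signature=%s" % (server, query, sign(query))


def local_password():
    """Unguessable per-account local password: CloudStack tries the local DB
    password before LDAP, so a shared fixed value would itself be a valid login."""
    return secrets.token_urlsafe(24)


def create_account_url(server, entry):
    """entry mirrors one ldap_get_entries() result (lower-cased attribute names,
    each value a list); missing attributes become "" and are dropped."""
    return signed_url(server, "createAccount", {
        "accounttype": "0",
        "email": entry.get("mail", [""])[0],
        "firstname": entry.get("givenname", [""])[0],
        "lastname": entry.get("sn", [""])[0],
        "password": local_password(),
        "username": entry["cn"][0],
        "networkdomain": "lab.com",
        "timezone": "Etc/UTC",
    })
```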

2013/8/26 不坏阿峰 <onlydeb...@gmail.com>:
> Followed Ian's suggestion.
> sAMAccountName=%u   , work for windows 2008 AD
>
> 2013/8/26 Kirk Jantzer <kirk.jant...@gmail.com>:
>> What Suresh is referring to is something someone is working on for a future
>> version of CS. In the current versions, I'm not aware of any global
>> settings for ldap. See this blog post about creating a script to
>> sync your LDAP users into CS. While this may not work for you, it is a
>> starting point on the idea behind bulk adding LDAP based users into CS.
>>
>> I take from your reply earlier that things are working as expected now??
>>
>>
>> Regards,
>>
>> Kirk Jantzer
>> http://about.me/kirkjantzer
>>
>>
>> On Mon, Aug 26, 2013 at 10:31 AM, 不坏阿峰 <onlydeb...@gmail.com> wrote:
>>
>>> I have tried searching for ldap in the global settings before, but could not find it.
>>> My Cloudstack was upgraded from 4.0.2; maybe the new database schema was not
>>> imported?
>>>
>>> 2013/8/26 Suresh Sadhu <suresh.sa...@citrix.com>:
>>> > Ian did this part, please visit the link below:
>>> >
>>> >  https://www.youtube.com/watch?v=-3LG8wP7Zac&hd=1
>>> >
>>> > regards
>>> > sadhu
>>> >
>>> > -----Original Message-----
>>> > From: 不坏阿峰 [mailto:onlydeb...@gmail.com]
>>> > Sent: 26 August 2013 14:20
>>> > To: users@cloudstack.apache.org
>>> > Subject: Re: How is Cloudstack work with Active Directory
>>> >
>>> > Thank you for your quick reply.
>>> > I hope that CS4.2 can use an external ldap server easily.
>>> >
>>> > And is there some script to import AD ldap users into CS?
>>> >
>>> >
>>> >
>>> > 2013/8/26 Suresh Sadhu <suresh.sa...@citrix.com>:
>>> >> Please find my answers below:
>>> >>
>>> >>
>>> >> -----Original Message-----
>>> >> From: 不坏阿峰 [mailto:onlydeb...@gmail.com]
>>> >> Sent: 26 August 2013 13:21
>>> >> To: users@cloudstack.apache.org
>>> >> Subject: Re: How is Cloudstack work with Active Directory
>>> >>
>>> >> About my question: when using Active Directory LDAP for
>>> >> authentication, if I want to use 3 users in AD, do I need to create the
>>> >> same 3 accounts in CS?
>>> >>
>>> >> *******************sadhu**********
>>> >> Yes, as per the current implementation it requires the same accounts in CS.
>>> >> ****************
>>> >> Just now I tested using dota; this user exists both on AD and CS, just
>>> >> with different passwords. I tested using dota with the user's AD password,
>>> >> and it can log in.
>>> >>
>>> >> In my experience, if you use an LDAP server, you just need one user to bind to
>>> >> the ldap; then you can query and do authentication for all users in the
>>> >> specific OU. But CS seems somewhat different.
>>> >>
>>> >> **************sadhu*******
>>> >> Yes, you are right. One user is enough to bind, and the rest of the users will
>>> >> validate, but in the CS case initial verification happens at the DB level, and if
>>> >> it fails then authentication happens at the LDAP level. Due to this
>>> >> reason (first level authentication happening at the DB level) you need to
>>> >> create the same user (i.e. the same user with a different password) in CS as well.
>>> >> Hope this info will help.
>>> >> *********
>>> >>
>>> >> could you explain it?
>>> >>
>>> >> thanks
>>> >>
>>> >> 2013/8/26 Ian Duffy <i...@ianduffy.ie>:
>>> >>> Try sAMAccountName=%u
>>> >>>
>>> >>>
>>> >>> On 26 August 2013 03:15, 不坏阿峰 <onlydeb...@gmail.com> wrote:
>>> >>>
>>> >>>> In AD 2008 there is no uid, so I use disPlayname=%u; %u is the
>>> >>>> cloudstack username.
>>> >>>>
>>> >>>> I also followed this, installed cloudmonkey and ran ldapconfig with it.
>>> >>>>
>>> >>>> http://kirkjantzer.blogspot.com/2013/03/ldap-authentication-in-cloud
>>> >>>> stack-v401.html
>>> >>>>
>>> >>>> >  ldap config hostname=192.168.123.61
>>> >>>> > searchbase=ou=member,DC=lab,DC=com
>>> >>>> queryfilter=(diaplayname=%u) binddn=CN=dota,ou=member,DC=lab,DC=com
>>> >>>> bindpass=123@lab port=389
>>> >>>> ldapconfig:
>>> >>>> binddn = CN=dota,ou=member,DC=lab,DC=com hostname = 192.168.123.61
>>> >>>> port = false queryfilter = (diaplayname=%u) searchbase =
>>> >>>> ou=member,DC=lab,DC=com
>>> >>>>
>>> >>>> >> Dn: CN=dota,OU=member,DC=lab,DC=com
>>> >>>> 0> objectClass:
>>> >>>> 0> cn:
>>> >>>> 0> distinguishedName:
>>> >>>> 0> instanceType:
>>> >>>> 0> whenCreated:
>>> >>>> 0> whenChanged:
>>> >>>> 0> displayName:
>>> >>>> 0> uSNCreated:
>>> >>>> 0> uSNChanged:
>>> >>>> 0> name:
>>> >>>> 0> objectGUID:
>>> >>>> 0> userAccountControl:
>>> >>>> 0> badPwdCount:
>>> >>>> 0> codePage:
>>> >>>> 0> countryCode:
>>> >>>> 0> badPasswordTime:
>>> >>>> 0> lastLogoff:
>>> >>>> 0> lastLogon:
>>> >>>> 0> pwdLastSet:
>>> >>>> 0> primaryGroupID:
>>> >>>> 0> objectSid:
>>> >>>> 0> accountExpires:
>>> >>>> 0> logonCount:
>>> >>>> 0> sAMAccountName:
>>> >>>> 0> sAMAccountType:
>>> >>>> 0> userPrincipalName:
>>> >>>> 0> objectCategory:
>>> >>>> 0> dSCorePropagationData:
>>> >>>> 0> lastLogonTimestamp:
>>> >>>>
>>> >>>> 2013/8/25 Kirk Jantzer <kirk.jant...@gmail.com>:
>>> >>>> > It appears your queryfilter may be incorrect - You are trying to
>>> >>>> > match the %u in CloudStack to 'disPlayname' in AD? Verify that whatever you
>>> >>>> > put into the username field in CS matches whatever is in the 'disPlayname'
>>> >>>> > field in AD (this can be found by opening AD Users and Computers, selecting
>>> >>>> > the menu option to show advanced properties, then looking at the user, then
>>> >>>> > clicking the 'attributes' tab).
>>> >>>> >
>>> >>>> >
>>> >>>> > Regards,
>>> >>>> >
>>> >>>> > Kirk Jantzer
>>> >>>> > http://about.met/kirkjantzer
>>> >>>> >
>>> >>>> >
>>> >>>> > On Sat, Aug 24, 2013 at 12:48 PM, 不坏阿峰 <onlydeb...@gmail.com>
>>> wrote:
>>> >>>> >
>>> >>>> >> Cloudstack4.1.1
>>> >>>> >> (1). I created the same user, dota, on Active Directory and CS.
>>> >>>> >> (2). I have tested the ldap query by binddn cn=dota,ou=member,dc=lab,dc=com;
>>> >>>> >> it is ok, so the active directory ldap is ready.
>>> >>>> >> (3). There are two users under ou=member,dc=lab,dc=com: dota and csuser01.
>>> >>>> >> (4). Enabled integration.api.port=8096 and restarted CS-management.
>>> >>>> >>
>>> >>>> >> Q1: from the CS log, the ldap server is configured, but the IE response
>>> >>>> >> shows false; what is the correct information?
>>> >>>> >>
>>> >>>> >> Q2: how many users should be created on both Active Directory and CS?
>>> >>>> >> Or only one for the ldap config, with the other users created in active
>>> >>>> >> directory just for CS use?
>>> >>>> >>
>>> >>>> >> Q3: what will change in the UI when the ldap config succeeds? Can I see
>>> >>>> >> users imported from Active Directory? Can I use csuser01 to log in to
>>> >>>> >> CS? (I tried to log in but it failed)
>>> >>>> >>
>>> >>>> >>
>>> >>>> >>
>>> >>>> >>
>>> >>>> >> http://192.168.230.2:8096/client/api?command=ldapConfig&hostname=192.168.123.61&searchbase=OU%3Dmember%2CDC%3Dlab%2CDC%3Dcom&queryfilter=%28%26%28disPlayname%3D%25u%29%29&binddn=CN%3Ddota%2COU%3Dmember%2CDC%3Dlab%2CDC%3Dcom&bindpass=123@lab&port=389&response=json
>>> >>>> >>
>>> >>>> >> ####### Got this response: #####
>>> >>>> >> { "ldapconfigresponse" : { "ldapconfig" : {"hostname":"192.168.123.61","port":"false","searchbase":"OU=member,DC=lab,DC=com","queryfilter":"(&(disPlayname=%u))","binddn":"CN=dota,OU=member,DC=lab,DC=com"} } }
>>> >>>> >>
>>> >>>> >> #######  CS log  #########
>>> >>>> >> 2013-08-24 21:10:44,453 DEBUG
>>> >>>> >> [cloud.configuration.ConfigurationManagerImpl] (ApiServer-4:null)
>>> >>>> >> The ldap server is configured: 192.168.123.61
>>> >>>> >>
>>> >>>> >> ######## other thing i checked ######
>>> >>>> >> (1) in CS4.1.1, sharedFunctions.js, var md5HashedLogin = fals
>>> >>>> >> (2) when creating dota in CS, for "Network Domain" I put lab.com,
>>> >>>> >> for username I put dota
>>> >>>> >>
>>> >>>>
>>>
