Dear Kirk, from your post I got the PHP script to import Active Directory users into CS. Here is the script; I modified it and it runs (the original script had some mistakes). I hope other people will like it, and that CS 4.2 will be released soon with a good LDAP integration solution.
thanks.

###########
<?php
// Import Active Directory users into CloudStack accounts.
// AD server and bind credentials, kept here as posted. A plaintext bind password
// and API keys inside the script are a risk: move them to a protected config file
// if you reuse this.
$ldaphost = "192.168.123.61";
$ldapport = 389;
$ldaprdn  = 'cn=dota,ou=member,dc=lab,dc=com';
$ldappass = '123@lab';

// Recursively search a nested array for $needle. Returns the key path when found,
// false otherwise. (The original had the final "return false" commented out, so a
// missing user came back as null and the "=== false" test below never matched.)
function array_searchRecursive($needle, $haystack, $strict = false, $path = array()) {
    if (!is_array($haystack)) {
        return false;
    }
    foreach ($haystack as $key => $val) {
        if (is_array($val) && $subPath = array_searchRecursive($needle, $val, $strict, $path)) {
            $path = array_merge($path, array($key), $subPath);
            return $path;
        } elseif ((!$strict && $val == $needle) || ($strict && $val === $needle)) {
            $path[] = $key;
            return $path;
        }
    }
    return false;
}

// CloudStack API signature: HMAC-SHA1 over the lowercased, key-sorted query string,
// base64-encoded, then URL-encoded.
function getSignature($queryString) {
    $secretKey = "_3DJxz7hNp4QX46u2D_Ju48NWsYtEefvOYPUj-8qjIKvpTSZd9nQsdVb-ILqUj_0Sv60fHcS-hB0vktMlJ1Kqw";
    $hash = hash_hmac("sha1", $queryString, $secretKey, true);
    return urlencode(base64_encode($hash));
}

// Send one API command and return the decoded response (or the inner list for list* commands).
function request($command, $args = array()) {
    $cloudServer = "192.168.230.2:8096";
    $apiKey = "YqMHjNVGzg6c3sH-aRpSkqHm4gSS3DMDtgicIG_MoztKlKRU9OSTZ5l50nbsVQczsWsLE28HSoT-Ljqg0N22ZA";

    // Drop empty arguments, add the fixed parameters and sort by key before signing
    foreach ($args as $key => $value) {
        if ($value === "") {
            unset($args[$key]);
        }
    }
    $args['apikey']   = $apiKey;
    $args['command']  = $command;
    $args['response'] = "json";
    ksort($args);
    $query = http_build_query($args);
    $query = str_replace("+", "%20", $query);   // CloudStack expects %20 for spaces, not '+'
    $query .= "&signature=" . getSignature(strtolower($query));
    $url = "http://" . $cloudServer . "?" . $query;

    // POST the request with curl (the original used the obsolete pecl HttpRequest class)
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $body = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    if (empty($body)) {
        die("NO_DATA_RECEIVED\n");
    }

    // Decode as associative arrays so array_searchRecursive() can walk the result
    $result = json_decode($body, true);
    if (empty($result)) {
        die("NO_VALID_JSON_RECEIVED\n");
    }
    $propertyResponse = strtolower($command) . "response";
    if (!isset($result[$propertyResponse])) {
        if (isset($result['errorresponse']['errortext'])) {
            die($result['errorresponse']['errortext'] . "\n");
        }
        die("Unable to parse the response. Got code " . $code . " and message: " . $body . "\n");
    }
    $response = $result[$propertyResponse];

    // List handling: most list commands follow the listVirtualMachines pattern:
    // { "listvirtualmachinesresponse" : { "virtualmachine" : [ ... ] } }
    if (preg_match('/list(\w+)s/', strtolower($command), $listMatches)) {
        // Sometimes the 's' is kept, as in { "listasyncjobsresponse" : { "asyncjobs" : [ ... ] } }
        foreach (array($listMatches[1], $listMatches[1] . "s") as $objectName) {
            if (isset($response[$objectName]) && is_array($response[$objectName])) {
                return $response[$objectName];
            }
        }
    }
    return $response;
}

// Get the existing accounts from CloudStack
$cloudAccounts = request("listAccounts", array("listall" => "true"));

// Connect to LDAP. Plain LDAP on 389 sends the bind password unencrypted; use
// ldaps:// or ldap_start_tls() where the AD server supports it.
$ldapconn = ldap_connect($ldaphost, $ldapport) or die("Could not connect to {$ldaphost}\n");
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);   // needed against AD, or searches chase referrals and fail

// Bind with the service account
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
if (!$ldapbind) {
    die("LDAP bind failed: " . ldap_error($ldapconn) . "\n");
}
echo "LDAP bind successful...\n";

$basedn = "ou=member,dc=lab,dc=com";
$filter = "(&(cn=*))";
#$filter = "(&(accountstatus=active))";
#$justthese = array("dn", "uid", "cn", "mail", "mobile");
#$search = ldap_search($ldapconn, $basedn, $filter, $justthese);
$search = ldap_search($ldapconn, $basedn, $filter);
$info = ldap_get_entries($ldapconn, $search);

if ($info["count"] > 0) {
    echo "Found " . $info["count"] . " users!\n";
    for ($i = 0; $i < $info["count"]; $i++) {
        $cn = $info[$i]["cn"][0];
        echo "Processing user [" . $cn . "]\n";
        // Strict comparison: with PHP's loose "==" a numeric 0 in the account data
        // compares equal to any non-numeric string and every user looks "already existing"
        if (array_searchRecursive($cn, $cloudAccounts, true) === false) {
            // Create the account. Every new account gets the placeholder password "password"
            // (AD does not expose userPassword), so force a reset or rely on LDAP authentication.
            $result = request("createAccount", array(
                "accounttype"   => "0",
                "email"         => isset($info[$i]["mail"][0]) ? $info[$i]["mail"][0] : "",
                "firstname"     => isset($info[$i]["givenname"][0]) ? $info[$i]["givenname"][0] : $cn,
                "lastname"      => isset($info[$i]["sn"][0]) ? $info[$i]["sn"][0] : $cn,
                "password"      => "password",
                "username"      => $cn,
                "networkdomain" => "lab.com",
                "timezone"      => "Etc/UTC",
            ));
            echo "Created account [" . $cn . "]\n";
        } else {
            echo "User already exists!\n";
        }
    }
} else {
    echo "No users found...\n";
}

// Unbind
ldap_unbind($ldapconn);
?>
###########

2013/8/26 不坏阿峰 <onlydeb...@gmail.com>:
> I followed Ian's suggestion.
> sAMAccountName=%u works for Windows 2008 AD.
>
> 2013/8/26 Kirk Jantzer <kirk.jant...@gmail.com>:
>> What Suresh is referring to is something someone is working on for a future
>> version of CS. In the current versions, I'm not aware of any global
>> settings for LDAP. See this blog post about creating a script to
>> sync your LDAP users into CS. While this may not work for you, it is a
>> starting point on the idea behind bulk adding LDAP based users into CS.
>>
>> I take from your reply earlier that things are working as expected now??
>>
>>
>> Regards,
>>
>> Kirk Jantzer
>> http://about.me/kirkjantzer
>>
>>
>> On Mon, Aug 26, 2013 at 10:31 AM, 不坏阿峰 <onlydeb...@gmail.com> wrote:
>>
>>> I have tried searching for LDAP in the global settings before, but cannot find it.
>>> My CloudStack was upgraded from 4.0.2; maybe the new database schema was not
>>> imported?
>>>
>>> 2013/8/26 Suresh Sadhu <suresh.sa...@citrix.com>:
>>> > Ian did this part; please visit the link below:
>>> >
>>> > https://www.youtube.com/watch?v=-3LG8wP7Zac&hd=1
>>> >
>>> > regards
>>> > sadhu
>>> >
>>> > -----Original Message-----
>>> > From: 不坏阿峰 [mailto:onlydeb...@gmail.com]
>>> > Sent: 26 August 2013 14:20
>>> > To: users@cloudstack.apache.org
>>> > Subject: Re: How is Cloudstack work with Active Directory
>>> >
>>> > Thank you for your quick reply.
>>> > I hope that CS 4.2 can use an external LDAP server easily.
>>> >
>>> > And is there some script to import AD LDAP users into CS?
>>> >
>>> >
>>> > 2013/8/26 Suresh Sadhu <suresh.sa...@citrix.com>:
>>> >> Please find my answers below:
>>> >>
>>> >>
>>> >> -----Original Message-----
>>> >> From: 不坏阿峰 [mailto:onlydeb...@gmail.com]
>>> >> Sent: 26 August 2013 13:21
>>> >> To: users@cloudstack.apache.org
>>> >> Subject: Re: How is Cloudstack work with Active Directory
>>> >>
>>> >> About my question: when using Active Directory LDAP for
>>> >> authentication, if I want to use 3 users in AD, do I need to create the
>>> >> same 3 accounts in CS?
>>> >>
>>> >> *******************sadhu**********
>>> >> Yes, as per the current implementation it requires the same accounts in CS.
>>> >> ****************
>>> >> Just now I tested with dota; this user exists both in AD and CS, just with a
>>> >> different password. I tested with dota and the user's password from AD, and
>>> >> can log in.
>>> >>
>>> >> In my experience, if you use an LDAP server, you just need one user to bind to
>>> >> LDAP; then you can query and authenticate all users in the
>>> >> specific OU. But CS seems somewhat different.
>>> >>
>>> >> **************sadhu*******
>>> >> Yes, you are right: one user is enough to bind and the rest of the users will
>>> validate, but in CS's case the initial verification happens at the DB level, and if
>>> it fails then authentication happens at the LDAP level. Due to this
>>> reason (first-level authentication happening at the DB level) you need to
>>> create the same user (the same user, possibly with a different password) in CS as well.
>>> Hope this info will help.
>>> >> *********
>>> >>
>>> >> Could you explain it?
>>> >>
>>> >> Thanks
>>> >>
>>> >> 2013/8/26 Ian Duffy <i...@ianduffy.ie>:
>>> >>> Try sAMAccountName=%u
>>> >>>
>>> >>>
>>> >>> On 26 August 2013 03:15, 不坏阿峰 <onlydeb...@gmail.com> wrote:
>>> >>>
>>> >>>> In AD 2008 there is no uid, so I used disPlayname=%u, where %u is the
>>> >>>> CloudStack username.
>>> >>>>
>>> >>>> I also followed this, installed cloudmonkey and ran ldapconfig with it:
>>> >>>>
>>> >>>> http://kirkjantzer.blogspot.com/2013/03/ldap-authentication-in-cloudstack-v401.html
>>> >>>>
>>> >>>> > ldap config hostname=192.168.123.61 searchbase=ou=member,DC=lab,DC=com queryfilter=(diaplayname=%u) binddn=CN=dota,ou=member,DC=lab,DC=com bindpass=123@lab port=389
>>> >>>> ldapconfig:
>>> >>>> binddn = CN=dota,ou=member,DC=lab,DC=com
>>> >>>> hostname = 192.168.123.61
>>> >>>> port = false
>>> >>>> queryfilter = (diaplayname=%u)
>>> >>>> searchbase = ou=member,DC=lab,DC=com
>>> >>>>
>>> >>>> >> Dn: CN=dota,OU=member,DC=lab,DC=com
>>> >>>> 0> objectClass:
>>> >>>> 0> cn:
>>> >>>> 0> distinguishedName:
>>> >>>> 0> instanceType:
>>> >>>> 0> whenCreated:
>>> >>>> 0> whenChanged:
>>> >>>> 0> displayName:
>>> >>>> 0> uSNCreated:
>>> >>>> 0> uSNChanged:
>>> >>>> 0> name:
>>> >>>> 0> objectGUID:
>>> >>>> 0> userAccountControl:
>>> >>>> 0> badPwdCount:
>>> >>>> 0> codePage:
>>> >>>> 0> countryCode:
>>> >>>> 0> badPasswordTime:
>>> >>>> 0> lastLogoff:
>>> >>>> 0> lastLogon:
>>> >>>> 0> pwdLastSet:
>>> >>>> 0> primaryGroupID:
>>> >>>> 0> objectSid:
>>> >>>> 0> accountExpires:
>>> >>>> 0> logonCount:
>>> >>>> 0> sAMAccountName:
>>> >>>> 0> sAMAccountType:
>>> >>>> 0> userPrincipalName:
>>> >>>> 0> objectCategory:
>>> >>>> 0> dSCorePropagationData:
>>> >>>> 0> lastLogonTimestamp:
>>> >>>>
>>> >>>> 2013/8/25 Kirk Jantzer <kirk.jant...@gmail.com>:
>>> >>>> > It appears your queryfilter may be incorrect - you are trying to match the
>>> >>>> > %u in CloudStack to 'disPlayname' in AD? Verify that whatever you put
>>> >>>> > into the username field in CS matches whatever is in the 'disPlayname'
>>> >>>> > field in AD (this can be found by opening AD Users and Computers, selecting
>>> >>>> > the menu option to show advanced properties, then looking at the user, then
>>> >>>> > clicking the 'attributes' tab).
>>> >>>> >
>>> >>>> >
>>> >>>> > Regards,
>>> >>>> >
>>> >>>> > Kirk Jantzer
>>> >>>> > http://about.met/kirkjantzer
>>> >>>> >
>>> >>>> >
>>> >>>> > On Sat, Aug 24, 2013 at 12:48 PM, 不坏阿峰 <onlydeb...@gmail.com> wrote:
>>> >>>> >
>>> >>>> >> CloudStack 4.1.1
>>> >>>> >> (1) I created the same user, dota, in Active Directory and CS.
>>> >>>> >> (2) I have tested an LDAP query with binddn cn=dota,ou=member,dc=lab,dc=com;
>>> >>>> >> it is OK, so Active Directory LDAP is ready.
>>> >>>> >> (3) There are two users under ou=member,dc=lab,dc=com: dota and csuser01.
>>> >>>> >> (4) Enabled integration.api.port=8096 and restarted CS management.
>>> >>>> >>
>>> >>>> >> Q1: From the CS log the LDAP server is configured, but IE responds
>>> >>>> >> false; what is the correct information?
>>> >>>> >>
>>> >>>> >> Q2: How many users should be created on both Active Directory and CS?
>>> >>>> >> Or only one for the LDAP config, with Active Directory creating the other
>>> >>>> >> users just for CS use?
>>> >>>> >>
>>> >>>> >> Q3: What will change in the UI when the LDAP config succeeds? Can I see
>>> >>>> >> users imported from Active Directory? Can I use csuser01 to log in to
>>> >>>> >> CS? (I tried to log in but it failed.)
>>> >>>> >>
>>> >>>> >> http://192.168.230.2:8096/client/api?command=ldapConfig&hostname=192.168.123.61&searchbase=OU%3Dmember%2CDC%3Dlab%2CDC%3Dcom&queryfilter=%28%26%28disPlayname%3D%25u%29%29&binddn=CN%3Ddota%2COU%3Dmember%2CDC%3Dlab%2CDC%3Dcom&bindpass=123@lab&port=389&response=json
>>> >>>> >>
>>> >>>> >> ####### Got this response:#####
>>> >>>> >> { "ldapconfigresponse" : { "ldapconfig" : {"hostname":"192.168.123.61","port":"false","searchbase":"OU=member,DC=lab,DC=com","queryfilter":"(&(disPlayname=%u))","binddn":"CN=dota,OU=member,DC=lab,DC=com"} } }
>>> >>>> >>
>>> >>>> >> ####### CS log #########
>>> >>>> >> 2013-08-24 21:10:44,453 DEBUG [cloud.configuration.ConfigurationManagerImpl] (ApiServer-4:null) The ldap server is configured: 192.168.123.61
>>> >>>> >>
>>> >>>> >> ######## other things I checked ######
>>> >>>> >> (1) In CS 4.1.1, sharedFunctions.js, var md5HashedLogin = fals
>>> >>>> >> (2) When creating dota in CS, for "Network Domain" I put lab.com, and for
>>> >>>> >> username I put dota.
>>> >>>> >>
>>> >>>> >>
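The request signing that the script at the top of this message performs in getSignature()/request() (drop empty parameters, sort by key, %20 for spaces, HMAC-SHA1 over the lowercased query, base64, URL-encode), as an added Python example that is not part of the thread or of CloudStack's own code. The verify_signature() function is a hypothetical server-side check added here, and the server address, keys and parameters are constructed values.

```python
"""Added example (not from the thread's PHP script or from CloudStack itself):
CloudStack-style API request signing, plus a hypothetical server-side check."""
import base64
import hashlib
import hmac
from urllib.parse import quote, urlencode


def build_query(params):
    """Drop empty values and sort by key, as the script's request() does with
    unset()/ksort(); quote_via=quote encodes spaces as %20 rather than '+'."""
    kept = {k: v for k, v in params.items() if v != ""}
    return urlencode(sorted(kept.items()), quote_via=quote)


def sign(query, secret_key):
    """HMAC-SHA1 over the LOWERCASED query, base64, then URL-encoded.
    Only the signature input is lowercased; the query sent keeps its case."""
    digest = hmac.new(secret_key.encode(), query.lower().encode(), hashlib.sha1).digest()
    return quote(base64.b64encode(digest).decode(), safe="")


def signed_url(server, command, api_key, secret_key, args):
    """Build the full URL the PHP request() sends: fixed parameters merged in,
    then the signature appended after the sorted query."""
    params = dict(args, apikey=api_key, command=command, response="json")
    query = build_query(params)
    return "http://%s?%s&signature=%s" % (server, query, sign(query, secret_key))


def verify_signature(url, secret_key):
    """Hypothetical server-side check: split off the trailing signature,
    recompute it over the rest of the query and compare in constant time, so
    a tampered parameter or a wrong key is rejected without a timing leak."""
    query = url.split("?", 1)[1]
    base, sep, received = query.rpartition("&signature=")
    if not sep:
        return False
    return hmac.compare_digest(sign(base, secret_key), received)


if __name__ == "__main__":
    # Constructed sample values (RFC 5737 address, dummy keys), not from the thread
    url = signed_url("192.0.2.10:8096", "listAccounts", "APIKEY", "SECRET",
                     {"listall": "true", "name": ""})
    print(url)
    print(verify_signature(url, "SECRET"))
```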