Dear Kirk
from your post, i got the php script to import Active Directory's user into CS
here is the script can run, i modify it and can run (original script
has some mistake )
Hope other person will like it and CS4.2 will release soon and have
the good LDAP integration solution.
thanks.
###########
<?php
$ldaphost="192.168.123.61";
$ldapport=389;
$ldaprdn='cn=dota,ou=member,dc=lab,dc=com';
$ldappass='123@lab';
function array_searchRecursive($needle,$haystack,$strict=false,$path=array())
{
if( !is_array($haystack) ) {
return false;
}
foreach( $haystack as $key => $val ) {
if( is_array($val) && $subPath =array_searchRecursive($needle,
$val, $strict, $path)) {
$path =array_merge($path, array($key), $subPath);
return $path;
} elseif( (!$strict && $val ==$needle) || ($strict && $val ===$needle)) {
$path[] =$key;
return $path;
}
}
//return false;
}
function getSignature($queryString) {
$secretKey
="_3DJxz7hNp4QX46u2D_Ju48NWsYtEefvOYPUj-8qjIKvpTSZd9nQsdVb-ILqUj_0Sv60fHcS-hB0vktMlJ1Kqw";
$hash =@hash_hmac("SHA1", $queryString, $secretKey, true);
$base64encoded =base64_encode($hash);
return urlencode($base64encoded);
}
function request($command, $args =array()) {
$cloudServer ="192.168.230.2:8096";
$apiKey
="YqMHjNVGzg6c3sH-aRpSkqHm4gSS3DMDtgicIG_MoztKlKRU9OSTZ5l50nbsVQczsWsLE28HSoT-Ljqg0N22ZA";
foreach ($args as $key => $value) {
if($value =="") {
unset($args[$key]);
}
}
// Building the query
$args['apikey'] =$apiKey;
$args['command'] =$command;
$args['response'] ="json";
ksort($args);
$query =http_build_query($args);
$query =str_replace("+", "%20", $query);
$query .="&signature=" . getSignature(strtolower($query));
$httpRequest =new HttpRequest();
$httpRequest->setMethod(HTTP_METH_POST);
$url ="http://"; . $cloudServer . "?" . $query;
//die($url."\n");
$httpRequest->setUrl($url);
$httpRequest->send();
$code =$httpRequest->getResponseCode();
$data =$httpRequest->getResponseData();
if (empty($data)) {
die("NO_DATA_RECEIVED");
}
//echo $data['body'] . "\n";
$result =@json_decode($data['body']);
if (empty($result)) {
die("NO_VALID_JSON_RECEIVED");
}
//print_r($result);
//die();
$propertyResponse =strtolower($command) . "response";
if (!property_exists($result, $propertyResponse)) {
if (property_exists($result, "errorresponse") &&
property_exists($result->errorresponse, "errortext")) {
die($result->errorresponse->errortext);
} else {
die("Unable to parse the response. Got code ".$code." and
message: " . $data['body']);
}
}
$response =$result->{$propertyResponse};
// list handling : most of lists are on the same pattern as
listVirtualMachines :
// { "listvirtualmachinesresponse" : { "virtualmachine" : [ ... ] } }
preg_match('/list(\w+)s/', strtolower($command), $listMatches);
//print_r($listMatches);
//die();
if (!empty($listMatches)) {
$objectName =$listMatches[1];
//echo $objectName."\n";
if (property_exists($response, $objectName)) {
$resultArray =$response->{$objectName};
if (is_array($resultArray)) {
return $resultArray;
}
} else {
// sometimes, the 's' is kept, as in :
// { "listasyncjobsresponse" : { "asyncjobs" : [ ... ] } }
$objectName =$listMatches[1] . "s";
//echo $objectName."\n";
if (property_exists($response, $objectName)) {
$resultArray =$response->{$objectName};
if (is_array($resultArray)) {
return $resultArray;
}
}
}
}
return $response;
}
//Get users from CloudStack
$cloudAccounts =request("listAccounts", array("listall" => "true"));
//print_r($cloudAccounts);
//die();
// Connecting to LDAP
$ldapconn =ldap_connect($ldaphost, $ldapport) or die("Could not
connect to {$ldaphost}");
if ($ldapconn) {
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
// binding to ldap server
$ldapbind =ldap_bind($ldapconn, $ldaprdn, $ldappass);
// verify binding
if ($ldapbind) {
echo "LDAP bind successful...\n";
$basedn ="ou=member,dc=lab,dc=com";
$filter="(&(cn=*))";
#$filter="(&(accountstatus=active))";
#$justthese =array("dn","uid", "cn", "mail", "mobile");
#$search =ldap_search($ldapconn, $basedn, $filter, $justthese);
$search =ldap_search($ldapconn, $basedn, $filter);
$info =ldap_get_entries($ldapconn, $search);
if ($info["count"] > 0){
//die("Found ".$info["count"]. " users!\n");
echo " true\n";
for ($i =0; $i < $info["count"]; $i++)
{
echo "Porcessing user [" . $info[$i]["cn"][0]."]\n";
//do stuff here
if (array_searchRecursive($info[$i]["cn"][0],$cloudAccounts) === false)
{
//Create user account
$result =request("createAccount", array(
"accounttype" => "0",
"email" => $info[$i]["mail"][0],
"firstname" => $info[$i]["givenname"][0],
"lastname" => $info[$i]['sn'][0],
"password" => "password", //$info[$i]['userpassword'][0],
"username" => $info[$i]['cn'][0],
"networkdomain" => "lab.com",
"timezone" => "Etc/UTC",
));
} else {
echo "User alredy exists!\n";
}
}
} else {
echo "No users found...\n";
}
//Unbind
ldap_unbind($ldapconn);
} else {
echo "LDAP bind failed...\n";
}
}
?>
###########
2013/8/26 不坏阿峰 <onlydeb...@gmail.com>:
> follow Ian suggestion.
> sAMAccountName=%u , work for windows 2008 AD
>
> 2013/8/26 Kirk Jantzer <kirk.jant...@gmail.com>:
>> What Suresh is refering to is something someone is working on for a future
>> version of CS. In the current versions, I'm not aware of any global
>> settings for ldap. See this blog post about creating a script a script to
>> sync your LDAP users into CS. While this may not work for you, it is a
>> starting point on the idea behind bulk adding LDAP based users into CS.
>>
>> I take from your reply earlier that things are working as expected now??
>>
>>
>> Regards,
>>
>> Kirk Jantzer
>> http://about.me/kirkjantzer
>>
>>
>> On Mon, Aug 26, 2013 at 10:31 AM, 不坏阿峰 <onlydeb...@gmail.com> wrote:
>>
>>> i have tried search ldap from global settings before, but can not find.
>>> my Cloudstack upgrade from 4.0.2, maybe the new database scheme not be
>>> imported ?
>>>
>>> 2013/8/26 Suresh Sadhu <suresh.sa...@citrix.com>:
>>> > IAN did this part, please visit below link:
>>> >
>>> > https://www.youtube.com/watch?v=-3LG8wP7Zac&hd=1
>>> >
>>> > regards
>>> > sadhu
>>> >
>>> > -----Original Message-----
>>> > From: 不坏阿峰 [mailto:onlydeb...@gmail.com]
>>> > Sent: 26 August 2013 14:20
>>> > To: users@cloudstack.apache.org
>>> > Subject: Re: How is Cloudstack work with Active Directory
>>> >
>>> > thank you for your quick reply.
>>> > hope that CS4.2 can user external ldap server easily.
>>> >
>>> > and is there some script to import AD ldap user into cs ?
>>> >
>>> >
>>> >
>>> > 2013/8/26 Suresh Sadhu <suresh.sa...@citrix.com>:
>>> >> Please find my answers below:
>>> >>
>>> >>
>>> >> -----Original Message-----
>>> >> From: 不坏阿峰 [mailto:onlydeb...@gmail.com]
>>> >> Sent: 26 August 2013 13:21
>>> >> To: users@cloudstack.apache.org
>>> >> Subject: Re: How is Cloudstack work with Active Directory
>>> >>
>>> >> about my Question, when use active directory LDAP for
>>> >> authentication , if i want use 3 user in AD, i need create 3 same
>>> >> account in CS ?
>>> >>
>>> >> *******************sadhu**********
>>> >> yes ,as per the current implementation ..it requires same accounts in
>>> CS.
>>> >> ****************
>>> >> just now ,i test use dota, this user exist both on AD and CS, just
>>> >> different password. i test use dota and user password in AD, can
>>> >> login.
>>> >>
>>> >> as my experience, if use a LDAP server, just need one user to bind the
>>> >> ldap, then can query and do authentication on all user in the
>>> >> specific OU. but CS seam some different.
>>> >>
>>> >> **************sadhu*******
>>> >> Yes you are right ,One user is enough to bind and rest of users will
>>> validate but in CS case initial verification happens at DB level and if
>>> its fail then authentication happens at LDAP level. due to this
>>> reason(firest ;level authentication happening in db level) you need to
>>> create same user(like same user with different password) in CS as well.
>>> Hope this info will help.
>>> >> *********
>>> >>
>>> >> could you explain it?
>>> >>
>>> >> thanks
>>> >>
>>> >> 2013/8/26 Ian Duffy <i...@ianduffy.ie>:
>>> >>> Try sAMAccountName=%u
>>> >>>
>>> >>>
>>> >>> On 26 August 2013 03:15, 不坏阿峰 <onlydeb...@gmail.com> wrote:
>>> >>>
>>> >>>> in AD 2008, do not have uid, so i user disPlayname=%u, %u is the
>>> >>>> cloudstack username.
>>> >>>>
>>> >>>> i also follow this ,install cloudmoney and ldapconfig it.
>>> >>>>
>>> >>>> http://kirkjantzer.blogspot.com/2013/03/ldap-authentication-in-cloud
>>> >>>> stack-v401.html
>>> >>>>
>>> >>>> > ldap config hostname=192.168.123.61
>>> >>>> > searchbase=ou=member,DC=lab,DC=com
>>> >>>> queryfilter=(diaplayname=%u) binddn=CN=dota,ou=member,DC=lab,DC=com
>>> >>>> bindpass=123@lab port=389
>>> >>>> ldapconfig:
>>> >>>> binddn = CN=dota,ou=member,DC=lab,DC=com hostname = 192.168.123.61
>>> >>>> port = false queryfilter = (diaplayname=%u) searchbase =
>>> >>>> ou=member,DC=lab,DC=com
>>> >>>>
>>> >>>> >> Dn: CN=dota,OU=member,DC=lab,DC=com
>>> >>>> 0> objectClass:
>>> >>>> 0> cn:
>>> >>>> 0> distinguishedName:
>>> >>>> 0> instanceType:
>>> >>>> 0> whenCreated:
>>> >>>> 0> whenChanged:
>>> >>>> 0> displayName:
>>> >>>> 0> uSNCreated:
>>> >>>> 0> uSNChanged:
>>> >>>> 0> name:
>>> >>>> 0> objectGUID:
>>> >>>> 0> userAccountControl:
>>> >>>> 0> badPwdCount:
>>> >>>> 0> codePage:
>>> >>>> 0> countryCode:
>>> >>>> 0> badPasswordTime:
>>> >>>> 0> lastLogoff:
>>> >>>> 0> lastLogon:
>>> >>>> 0> pwdLastSet:
>>> >>>> 0> primaryGroupID:
>>> >>>> 0> objectSid:
>>> >>>> 0> accountExpires:
>>> >>>> 0> logonCount:
>>> >>>> 0> sAMAccountName:
>>> >>>> 0> sAMAccountType:
>>> >>>> 0> userPrincipalName:
>>> >>>> 0> objectCategory:
>>> >>>> 0> dSCorePropagationData:
>>> >>>> 0> lastLogonTimestamp:
>>> >>>>
>>> >>>> 2013/8/25 Kirk Jantzer <kirk.jant...@gmail.com>:
>>> >>>> > It appears your queryfilter may be incorrect - You are trying to
>>> >>>> > match
>>> >>>> the
>>> >>>> > %u in CloudStack to 'disPlayname' in AD? Verify that whatever you
>>> >>>> > put
>>> >>>> into
>>> >>>> > the username field in CS matches whatever is in the 'disPlayname'
>>> >>>> > field
>>> >>>> in
>>> >>>> > AD (this can be found by opening AD Users and Computers, selecting
>>> >>>> > the
>>> >>>> menu
>>> >>>> > option to show advanced properties, then looking at the user, then
>>> >>>> clicking
>>> >>>> > the 'attributes' tab.
>>> >>>> >
>>> >>>> >
>>> >>>> > Regards,
>>> >>>> >
>>> >>>> > Kirk Jantzer
>>> >>>> > http://about.met/kirkjantzer
>>> >>>> >
>>> >>>> >
>>> >>>> > On Sat, Aug 24, 2013 at 12:48 PM, 不坏阿峰 <onlydeb...@gmail.com>
>>> wrote:
>>> >>>> >
>>> >>>> >> Cloudstack4.1.1
>>> >>>> >> (1). i create same user: dota on Active Directory and CS (2). i
>>> >>>> >> have test ldap query by binddn cn=dota,ou=member,dc=lab,dc=com,
>>> >>>> >> it is ok,so active directory ldap is ready.
>>> >>>> >> (3). have two user under ou=member, dc=lab,dc=com: dota ,
>>> >>>> >> csuser01 (4). enable integration.api.port =8096, and restart
>>> >>>> >> CS-mangement
>>> >>>> >>
>>> >>>> >> Q1: from the CS log, ldap server configed, but IE response
>>> >>>> >> false, what is correct information?
>>> >>>> >>
>>> >>>> >> Q2: how many user should be created on both Active Directory and
>>> CS ?
>>> >>>> >> or only one for ldap config, active directory create other user
>>> just
>>> >>>> >> for CS use
>>> >>>> >>
>>> >>>> >> Q3: what will change in UI when ldap config success? can see
>>> >>>> >> users imported from Active Directory ? can use csuser01 to login
>>> >>>> >> CS ?(i try log in but failure)
>>> >>>> >>
>>> >>>> >>
>>> >>>> >>
>>> >>>> >>
>>> >>>> http://192.168.230.2:8096/client/api?command=ldapConfig&hostname=192
>>> >>>> .168.123.61&searchbase=OU%3Dmember%2CDC%3Dlab%2CDC%3Dcom&queryfilter
>>> >>>> =%28%26%28disPlayname%3D%25u%29%29&binddn=CN%3Ddota%2COU%3Dmember%2C
>>> >>>> DC%3Dlab%2CDC%3Dcom&bindpass=123@lab&port=389&response=json
>>> >>>> >>
>>> >>>> >> ####### Got this response:#####
>>> >>>> >> { "ldapconfigresponse" : { "ldapconfig" :
>>> >>>> >>
>>> >>>> >>
>>> >>>> {"hostname":"192.168.123.61","port":"false","searchbase":"OU=member,
>>> >>>> DC=lab,DC=com","queryfilter":"(&(disPlayname=%u))","binddn":"CN=dota
>>> >>>> ,OU=member,DC=lab,DC=com"}
>>> >>>> >> } }
>>> >>>> >>
>>> >>>> >> ####### CS log #########
>>> >>>> >> 2013-08-24 21:10:44,453 DEBUG
>>> >>>> >> [cloud.configuration.ConfigurationManagerImpl] (ApiServer-4:null)
>>> >>>> >> The ldap server is configured: 192.168.123.61
>>> >>>> >>
>>> >>>> >> ######## other thing i checked ######
>>> >>>> >> (1) in CS4.1.1 ,sharedFunctions.js , var md5HashedLogin = fals
>>> >>>> >> (2) when create dota in CS, "Network Domain" i put lab.com,
>>> >>>> >> username i put dota
>>> >>>> >>
>>> >>>>
>>>
