> Can you please confirm your global ldap settings?

Screen shot of them here: http://imgur.com/adnlmSS

> Are you able to import ldap users from AD?

Yes. http://imgur.com/df29OOm

On 7 April 2014 20:44, Antonio Packery <antonio.pack...@t-systems.co.za> wrote:
> Hi Ian,
>
> Can you please confirm your global ldap settings?
>
> Are you able to import ldap users from AD?
>
> Original Message
> From: Ian Duffy
> Sent: Monday 7 April 2014 21:22
> To: users@cloudstack.apache.org
> Reply To: users@cloudstack.apache.org
> Subject: Re: AD LDAP authentication failing post CS 4.2.1 to CS 4.3 upgrade
>
> Hi All,
>
> Just after trying to recreate the issue, I failed to do so successfully.
>
> I installed 4.2, configured LDAP, verified it worked. Upgraded to 4.3, logged in as admin, verified the LDAP configuration was present. Logged out and attempted to login as an LDAP user.
>
> On 7 April 2014 19:17, Suresh Sadhu <suresh.sa...@citrix.com> wrote:
>> It seems there is a problem and values are not configured properly after upgrade. Please log a defect.
>>
>> Hope you set the following attributes.
>>
>> Ldap.basedn
>> Ldap.bind.password
>> Ldap.username.attribute - sAMAccountName
>> Ldap.user.object - user
>> Ldap.search.group.principle
>>
>> All the above fields are mandatory.
>>
>> Work around I followed is: used old api to register ldap and created same AD user in CS. And make sure that all global parameters set.
>>
>> http://localhost:8096/client/api?command=ldapConfig&binddn=CN%3Dtest%2CCN%3DUsers%2CDC%3Dhyd-qa%2CDC%3Dcom&bindpass=aaaa_1111&hostname=ADserver&searchbase=CN%3DUsers%2CDC%3Dhyd-qa%2CDC%3Dcom&queryfilter=%28%26%28mail%3D%25e%29%29&port=389&ssl=false&response=json
>>
>> Regards
>> Sadhu
>>
>> -----Original Message-----
>> From: Antonio Packery [mailto:antonio.pack...@t-systems.co.za]
>> Sent: 07 April 2014 18:52
>> To: users@cloudstack.apache.org
>> Subject: Re: AD LDAP authentication failing post CS 4.2.1 to CS 4.3 upgrade
>>
>> Hi Sadhu,
>>
>> No changes from when I had AD authentication configured on ACS 4.2.1 where all worked fine.
>>
>> Still no joy with ldap authentication on ACS 4.3.0 even with the steps listed below.
>>
>> Regards
>> Antonio
>>
>> On 04/07/2014 06:31 AM, Suresh Sadhu wrote:
>>
>> HI Antonio,
>>
>> Hope the registered user has list capabilities.
>>
>> I think there is an issue while importing an ldap user: if any user has missing attributes (like mail, user name), it fails to import the user successfully, but if we create the same AD user in cloudstack manually with a different password and try to login with the ad user with the ad password, I am able to login successfully.
>>
>> Assume AD user: test, password: aaaa_1111. Try the below scenario:
>>
>> 1. make sure AD user has list capabilities, or better try with a user with admin privileges
>> 2. register ldap by providing ldap IP and port
>> 3. provide the required parameters in the global configuration
>> 4. restart the MS
>> 5. create the same AD user with a different password (user: test, password: password) in cs manually
>> 6. try to login with the AD user with the AD password (user: test, password: aaaa_1111)
>>
>> Hope this will help.
>>
>> Regards
>> Sadhu
>>
>> -----Original Message-----
>> From: Antonio Packery [mailto:antonio.pack...@t-systems.co.za]
>> Sent: 06 April 2014 16:43
>> To: users@cloudstack.apache.org
>> Subject: Re: AD LDAP authentication failing post CS 4.2.1 to CS 4.3 upgrade
>>
>> Hi Sadhu,
>>
>> Here are the ldap log entries,
>> 2014-04-06 12:49:26,428 INFO [o.a.c.s.m.m.i.DefaultModuleDefinitionSet] (main:null) Module Hierarchy: ldap
>> 2014-04-06 12:49:53,127 INFO [o.a.c.s.m.m.i.DefaultModuleDefinitionSet] (main:null) Loading module context [ldap] from URL [jar:file:/usr/share/cloudstack-management/webapps/client/WEB-INF/lib/cloud-plugin-user-authenticator-ldap-4.3.0.jar!/META-INF/cloudstack/ldap/spring-ldap-context.xml]
>> 2014-04-06 12:49:53,127 INFO [o.a.c.s.m.m.i.DefaultModuleDefinitionSet] (main:null) Loading module context [ldap] from URL [jar:file:/usr/share/cloudstack-management/webapps/client/WEB-INF/lib/cloud-core-4.3.0.jar!/META-INF/cloudstack/api/spring-core-lifecycle-api-context-inheritable.xml]
>> 2014-04-06 12:49:53,127 INFO [o.a.c.s.m.m.i.DefaultModuleDefinitionSet] (main:null) Loading module context [ldap] from URL [jar:file:/usr/share/cloudstack-management/webapps/client/WEB-INF/lib/cloud-core-4.3.0.jar!/META-INF/cloudstack/core/spring-core-lifecycle-core-context-inheritable.xml]
>> 2014-04-06 12:49:53,127 INFO [o.a.c.s.m.m.i.DefaultModuleDefinitionSet] (main:null) Loading module context [ldap] from URL [jar:file:/usr/share/cloudstack-management/webapps/client/WEB-INF/lib/cloud-core-4.3.0.jar!/META-INF/cloudstack/system/spring-core-system-context-inheritable.xml]
>> 2014-04-06 12:49:53,127 INFO [o.a.c.s.m.m.i.DefaultModuleDefinitionSet] (main:null) Loading module context [ldap] from URL [jar:file:/usr/share/cloudstack-management/webapps/client/WEB-INF/lib/cloud-framework-config-4.3.0.jar!/META-INF/cloudstack/system/spring-framework-config-system-context-inheritable.xml]
>> 2014-04-06 12:49:53,127 INFO [o.a.c.s.m.m.i.DefaultModuleDefinitionSet] (main:null) Loading module context [ldap] from URL [jar:file:/usr/share/cloudstack-management/webapps/client/WEB-INF/lib/cloud-core-4.3.0.jar!/META-INF/cloudstack/bootstrap/spring-bootstrap-context-inheritable.xml]
>> 2014-04-06 12:49:53,330 DEBUG [o.a.c.s.l.r.RegistryLifecycle] (main:null) Registered org.apache.cloudstack.ldap.LdapAuthenticator@20090eb6
>> 2014-04-06 12:49:53,334 DEBUG [o.a.c.s.l.r.RegistryLifecycle] (main:null) Registered org.apache.cloudstack.ldap.LdapAuthenticator@20090eb6
>> 2014-04-06 12:49:53,334 DEBUG [o.a.c.s.l.r.RegistryLifecycle] (main:null) Registered org.apache.cloudstack.ldap.LdapManagerImpl@6852fbac
>> 2014-04-06 12:49:53,340 INFO [o.a.c.s.m.m.i.DefaultModuleDefinitionSet] (main:null) Loaded module context [ldap] in 214 ms
>> 2014-04-06 12:50:01,159 DEBUG [o.a.c.d.ApiDiscoveryServiceImpl] (main:null) getting api commands of service: org.apache.cloudstack.ldap.LdapManagerImpl
>> 2014-04-06 12:50:01,586 INFO [o.a.c.s.m.m.i.DefaultModuleDefinitionSet] (main:null) Starting module [ldap]
>>
>> Ldap does seem to be configured correctly, but it appears an ldap lookup is not initiated when trying to add an LDAP user via the CloudStack UI.
>>
>> Regards
>> Antonio
>>
>> On 04/04/2014 01:12 PM, Suresh Sadhu wrote:
>>
>> Can you post the logs, we used to log ldap transactions in the management log. Are you hitting any nullpointer exception?
>>
>> Make sure the active directory user has a defined email address in AD.
>>
>> Regards
>> Sadhu
>>
>> -----Original Message-----
>> From: Ian Duffy [mailto:i...@ianduffy.ie]
>> Sent: 04 April 2014 16:24
>> To: users@cloudstack.apache.org
>> Cc: Rajani Karuturi
>> Subject: Re: AD LDAP authentication failing post CS 4.2.1 to CS 4.3 upgrade
>>
>> CCing Rajani on this to see if she has any ideas.....
>>
>> If you haven't done so already, can you try to remove/re-add the LDAP server via the UI.
>>
>>> Are there any logs in cloudstack that records the ldap activity?
>>
>> On failed adding of an LDAP server you will get a message back saying so and the server will not add.
>>
>> On authentication failure of an ldap user it will appear in the cloudstack logs.
>>
>> On 4 April 2014 11:47, Antonio Packery <antonio.pack...@t-systems.co.za> wrote:
>>> Hi Ian,
>>>
>>> Changed ldap.user.object to user but still no change.
>>>
>>> Busy sniffing the ldap server connection for any errors.
>>>
>>> Are there any logs in cloudstack that record the ldap activity?
>>>
>>> Regards
>>> Antonio
>>>
>>> On 04/04/2014 12:14 PM, Ian Duffy wrote:
>>>
>>> Interesting, they look OK.
>>>
>>> Can you change ldap.user.object to have the value user, then restart the management server and check if things are back working as expected.
>>>
>>> Thanks,
>>> Ian
>>>
>>> On 4 April 2014 11:11, Antonio Packery <antonio.pack...@t-systems.co.za> wrote:
>>>> Hi Ian,
>>>>
>>>> Here they are, ldap server via port 389 is being used.
>>>>
>>>> ldap.basedn = dc=....dc=....,dc=...   (The search base defines the starting point for the search in the directory tree. Example: dc=cloud,dc=com)
>>>> ldap.bind.principal = CN=...,OU=...,DC=....,DC=.....,DC=.....   (Specify the distinguished name of a user with the search permission on the directory)
>>>> ldap.email.attribute = mail   (Sets the email attribute used within LDAP)
>>>> ldap.firstname.attribute = givenname   (Sets the firstname attribute used within LDAP)
>>>> ldap.group.object = groupOfUniqueNames   (Sets the object type of groups within LDAP)
>>>> ldap.group.user.uniquemember = uniquemember   (Sets the attribute for uniquemembers within a group)
>>>> ldap.lastname.attribute = sn   (Sets the lastname attribute used within LDAP)
>>>> ldap.search.group.principle =   (Sets the principle of the group that users must be a member of)
>>>> ldap.truststore =   (Enter the path to trusted keystore)
>>>> ldap.truststore.password =   (Enter the password for trusted keystore)
>>>> ldap.user.object = inetOrgPerson
>>>> ldap.username.attribute = sAMAccountName
>>>>
>>>> Regards
>>>> Antonio
>>>>
>>>> On 04/04/2014 11:47 AM, Ian Duffy wrote:
>>>>
>>>> Hi Antonio,
>>>>
>>>> Can you confirm the values for the settings in global settings starting with "ldap."
>>>>
>>>> Since you mentioned AD I'm specifically interested in ldap.username.attribute and ldap.user.object
>>>>
>>>> Thanks,
>>>> Ian
>>>>
>>>> On 4 April 2014 10:36, Antonio Packery <antonio.pack...@t-systems.co.za> wrote:
>>>>> Hi,
>>>>>
>>>>> Since upgrading to CS 4.3 my AD LDAP authentication no longer works. All my previous do seem to have been retained but I am not able to import any LDAP users.
>>>>>
>>>>> Are there any log/configuration files I can check for errors?
>>>>>
>>>>> Also, any guidance on the correct syntax, ldap attributes to be using for AD would help.
>>>>>
>>>>> Regards
>>>>> Antonio
>>>>>
>>>>> Disclaimer: This message and/or attachment(s) may contain privileged, confidential and/or personal information. If you are not the intended recipient you may not disclose or distribute any of the information contained within this message. In such case you must destroy this message and inform the sender of the error. T-Systems does not accept liability for any errors, omissions, information and viruses contained in the transmission of this message. Any opinions, conclusions and other information contained within this message not related to T-Systems' official business is deemed to be that of the individual only and is not endorsed by T-Systems.
>>>>>
>>>>> This message and/or attachment(s) may contain privileged or confidential information. If you are not the intended recipient you may not disclose or distribute any of the information contained within this message. In such case you must destroy this message and inform the sender of the error. T-Systems does not accept liability for any errors, omissions, information and viruses contained in the transmission of this message. Any opinions, conclusions and other information contained within this message not related to T-Systems' official business is deemed to be that of the individual only and is not endorsed by T-Systems.
>>>>>
>>>>> T-Systems - Business Flexibility
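As an added example (not from the thread and not CloudStack's own code), here is a stdlib-only Python check of the ldap.* global settings Antonio listed: it renders the user-search filter those settings imply, evaluates it against a constructed AD entry, and lists the attributes the import needs (mail, givenname, sn) that the entry lacks, which is the failure Sadhu describes. It assumes AD user objects carry objectClass user rather than inetOrgPerson, which is why Ian's suggested change to ldap.user.object matters; the filter shape and the entry are assumptions, not captured from the thread.

```python
"""Offline check of CloudStack ldap.* settings against an AD user entry.
Added example for the thread above, not CloudStack code: it renders the
user search filter the settings imply and reports missing attributes."""

# RFC 4515 escaping so a username cannot change the filter's structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def search_clauses(settings: dict, username: str) -> list:
    """(attribute, value) pairs ANDed together to find one user."""
    return [("objectClass", settings["ldap.user.object"]),
            (settings["ldap.username.attribute"], username)]

def render_filter(clauses: list) -> str:
    """The filter string as it would appear on the wire, e.g. in a capture."""
    return "(&" + "".join("(%s=%s)" % (a, escape_filter_value(v))
                          for a, v in clauses) + ")"

def matches(entry: dict, clauses: list) -> bool:
    """Evaluate the clauses against an entry (attribute -> list of values).
    Names and values compare case-insensitively, as AD does for these."""
    lowered = {k.lower(): [v.lower() for v in vals] for k, vals in entry.items()}
    return all(v.lower() in lowered.get(a.lower(), []) for a, v in clauses)

def import_check(settings: dict, entry: dict, username: str) -> dict:
    """Would the user be found, and which needed attributes are absent?"""
    clauses = search_clauses(settings, username)
    needed = [settings[k] for k in ("ldap.email.attribute",
                                    "ldap.firstname.attribute",
                                    "ldap.lastname.attribute")]
    present = {k.lower() for k in entry}
    return {"filter": render_filter(clauses),
            "matched": matches(entry, clauses),
            "missing": [a for a in needed if a.lower() not in present]}

# Constructed AD user (not from the thread): AD users carry objectClass
# "user", not "inetOrgPerson", and this one has no mail attribute set.
AD_ENTRY = {
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "sAMAccountName": ["test"],
    "givenName": ["Test"],
    "sn": ["User"],
}

# Global settings as Antonio posted them, and with Ian's suggested change.
SETTINGS_AS_POSTED = {
    "ldap.user.object": "inetOrgPerson",
    "ldap.username.attribute": "sAMAccountName",
    "ldap.email.attribute": "mail",
    "ldap.firstname.attribute": "givenname",
    "ldap.lastname.attribute": "sn",
}
SETTINGS_FOR_AD = dict(SETTINGS_AS_POSTED, **{"ldap.user.object": "user"})

if __name__ == "__main__":
    for label, cfg in (("as posted", SETTINGS_AS_POSTED), ("for AD", SETTINGS_FOR_AD)):
        print(label, import_check(cfg, AD_ENTRY, "test"))
```

With the posted settings the entry is never matched; with objectClass user it is found but flagged for the missing mail attribute, so the user would still need mail populated in AD before import.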