Hi, I'd verify the settings via mysql

mysql> select * from ldap_configuration \G
*************************** 1. row ***************************
      id: 2
hostname: YOUR_LDAP_SERVER
    port: 636

also check, if you're able to resolve the hostname and connect to it from your management host.

mysql> select * from ldap_trust_map \G
*************************** 1. row ***************************
          id: 1
   domain_id: 2
        type: OU
        name: dc=FOO,dc=BAR
account_type: 0

you'd also need to import the specific users. I checked them via

mysql> select * from user where username="XXXXXX" \G
*************************** X. row ***************************
                      id: NNN
                    uuid: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
                username: XXXXXX
                password: XXXXXXXXXXXXXXXXXXXXXX==:100000
              account_id: NNN
               firstname: John
                lastname: Doe
                   email: XXXXX@XXXXXXXXXXXXXXXXXX
                   state: enabled
                 api_key: NULL
              secret_key: NULL
                 created: NNNN-NN-NN NN:NN:NN
                 removed: NULL
                timezone: NULL
      registration_token: NULL
           is_registered: 0
incorrect_login_attempts: 0
                 default: 0
                  source: LDAP
         external_entity: NULL

- Stephan

On Friday, 14.10.2016, 02:06 +0000, Marty Godsey wrote:
> I have confirmed that when I am attempting to login with the user
> that is failing, or any user in the group specified for that matter,
> the packets are not even hitting the domain controller. I did a
> packet capture at the DC and logged in with a known AD user that is
> already configured in another ACS domain. This ACS domain does not
> have any LDAP bindings, just the "default" LDAP settings. I was able
> to see my packets hit the DC and authenticate. When attempting to log
> in from a user in the linked domain, no packets are seen.. Is there a
> service or a library I need to check?
>
> Regards,
> Marty Godsey
>
> -----Original Message-----
> From: Marty Godsey [mailto:ma...@gonsource.com]
> Sent: Thursday, October 13, 2016 9:37 PM
> To: users@cloudstack.apache.org
> Subject: RE: Link Domain to LDAP
>
> Whenever I try to bind to LDAP using the user's credentials, it works.
>
> root@cs3-mgmt:/var/log/cloudstack/management# ldapwhoami -vvv -h x.x.x.x -p 389 -D "CN=John Doe,OU=test1,OU=test2,DC=mydomain,DC=com" -x -w Password1234!
> ldap_initialize( ldap://10.253.0.21:389 )
> u:domain\john.doe
> Result: Success (0)
>
> If I also run an ldapsearch on this user, it is successful.
>
> However, upon trying to authenticate with the same credentials on the
> ACS screen, I receive an incorrect password error. When I look in the
> log file, all that is there is the following:
>
> Authentication failure:
> {"loginresponse":{"uuidList":[],"errorcode":531,"errortext":"User is not allowed CloudStack login"}}
>
> I have recreated this domain and linked it to GROUP and OU. Nested
> groups is set to true in the ldap settings.
>
> Thoughts?
>
> Regards,
> Marty Godsey
>
> -----Original Message-----
> From: Rajani Karuturi [mailto:raj...@apache.org]
> Sent: Wednesday, October 12, 2016 3:01 AM
> To: users@cloudstack.apache.org
> Subject: Re: Link Domain to LDAP
>
> Yes, you can have LDAP configured at global and domain level.
> Did you give the fully qualified name of the GROUP/OU while linking?
>
> The easiest way to debug is to run the ldap query manually and see if it
> returns any results:
>
> ldapsearch -x -h hostname -p port -b "basedn" -s sub -D "username" -w password "(&(objectClass=user)(sAMAccountName=*)(memberof=linked_group_name))"
>
> Also check that `ldap.provider` is set to the correct value and there are
> direct users in the group.
> Nested groups will only work with the MicrosoftAD provider and with
> configuration `ldap.nested.groups.enable` set to true.
>
> There is a demo of the feature at
> https://youtu.be/GI9b9MiOQkw?t=4m10s
>
> Thanks,
> ~ Rajani
> http://cloudplatform.accelerite.com/
>
> On October 12, 2016 at 6:23 AM, Marty Godsey (ma...@gonsource.com) wrote:
>
> Hello,
>
> I have an ACS 4.9 instance that runs well with no issues. I have
> enabled LDAP authentication at the Global Level and this works
> without issue.
>
> The question I have is the "Link Domain to LDAP" function at the domain
> level. I have a domain that I want to auto sync. I added this sub domain
> (let's call it ROOT/LDAPTest) that I configured with the DN of the group
> I am wanting to populate from (I also attempted this with the OU setting
> as well) and the user that was created cannot authenticate, nor are any
> of the test accounts in Active Directory being created in ACS.
>
> I have LDAP configured globally and I also, as a test, made the user
> part of the group I indicated for "LDAP Accounts" and the user shows
> up, but the "Link Domain to LDAP" does not seem to work. I tried
> looking in the logs and did not see any error or attempts to query
> Active Directory.
>
> Is this a broken function? Can you have both globally set LDAP
> settings and "Link Domain to LDAP" settings?
>
> Regards,
> Marty Godsey
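Added example (not part of the thread and not CloudStack's own code): it builds the same membership filter Rajani's ldapsearch uses, with the linked group DN escaped per RFC 4515, and evaluates it offline against a few constructed AD-style entries to show why a user who sits only in a nested group is not returned by the plain "memberof" filter while a direct member is. The user and group entries are constructed, not captured from a real domain controller. The OID 1.2.840.113556.1.4.1941 is Active Directory's LDAP_MATCHING_RULE_IN_CHAIN, used here as the general way to ask AD for transitive membership; it is an assumption of this example, not a description of how CloudStack implements `ldap.nested.groups.enable`.

```python
# Added example, not from the thread and not CloudStack code. Builds the
# linked-group membership filter and evaluates it offline against constructed
# entries to contrast direct and nested (transitive) group membership.

# Active Directory's LDAP_MATCHING_RULE_IN_CHAIN OID. Assumption: this is how
# transitive membership is queried from AD in general; no claim about how
# CloudStack itself implements ldap.nested.groups.enable.
IN_CHAIN = "1.2.840.113556.1.4.1941"

# Constructed sample entries, not captured from a real domain controller.
SAMPLE_USERS = [
    {"sAMAccountName": "john.doe",
     "memberOf": ["CN=cs-users,OU=groups,DC=mydomain,DC=com"]},
    {"sAMAccountName": "jane.roe",
     "memberOf": ["CN=cs-admins,OU=groups,DC=mydomain,DC=com"]},
    {"sAMAccountName": "svc.backup", "memberOf": []},
]
# Constructed group nesting: cs-admins is itself a member of cs-users.
SAMPLE_GROUPS = {
    "CN=cs-users,OU=groups,DC=mydomain,DC=com":
        ["CN=cs-admins,OU=groups,DC=mydomain,DC=com"],
    "CN=cs-admins,OU=groups,DC=mydomain,DC=com": [],
}


def escape_filter_value(value):
    """Escape an assertion value for use inside an LDAP search filter (RFC 4515),
    so a DN containing '(', ')', '*' or '\\' cannot alter the filter."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def linked_group_filter(group_dn, nested=False):
    """Filter for users that are direct members of group_dn, or with nested=True
    transitive members, in the shape of the ldapsearch query in the thread."""
    attr = "memberOf:%s:" % IN_CHAIN if nested else "memberof"
    return "(&(objectClass=user)(sAMAccountName=*)(%s=%s))" % (
        attr, escape_filter_value(group_dn))


def _norm(dn):
    # DNs compare case-insensitively; lowercasing is enough for this data.
    return dn.lower()


def groups_in_chain(group_dn, groups):
    """group_dn plus every group that is (transitively) a member of it."""
    by_dn = {_norm(k): v for k, v in groups.items()}
    seen = set()
    todo = [_norm(group_dn)]
    while todo:
        g = todo.pop()
        if g in seen:
            continue
        seen.add(g)
        todo.extend(_norm(child) for child in by_dn.get(g, []))
    return seen


def members(group_dn, users, groups, nested=False):
    """Usernames the filter would return: direct members only, or the
    transitive closure when nested=True (what the chain rule asks AD for)."""
    targets = groups_in_chain(group_dn, groups) if nested else {_norm(group_dn)}
    return sorted(u["sAMAccountName"] for u in users
                  if any(_norm(g) in targets for g in u["memberOf"]))


if __name__ == "__main__":
    group = "CN=cs-users,OU=groups,DC=mydomain,DC=com"
    print(linked_group_filter(group))
    print(linked_group_filter(group, nested=True))
    print("direct:", members(group, SAMPLE_USERS, SAMPLE_GROUPS))
    print("nested:", members(group, SAMPLE_USERS, SAMPLE_GROUPS, nested=True))
```

Run against the constructed data, the direct filter returns only john.doe; jane.roe is reached only through the nested cs-admins group, which is the case the thread says needs the MicrosoftAD provider with `ldap.nested.groups.enable` set. The escaping matters because the linked DN ends up inside a filter string: a DN with parentheses or a backslash in a CN would otherwise change the filter's meaning.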