Hi,

I'd verify the settings via mysql

mysql> select * from ldap_configuration \G
*************************** 1. row ***************************
      id: 2
hostname: YOUR_LDAP_SERVER
    port: 636

also check if you're able to resolve the hostname and connect to it
from your management host.

mysql> select * from ldap_trust_map \G
*************************** 1. row ***************************
          id: 1
   domain_id: 2
        type: OU
        name: dc=FOO,dc=BAR
account_type: 0

you'd also need to import the specific users. I checked them via

mysql> select * from user where username="XXXXXX" \G
*************************** X. row ***************************
                      id: NNN
                    uuid: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
                username: XXXXXX
                password: XXXXXXXXXXXXXXXXXXXXXX==:100000
              account_id: NNN
               firstname: John
                lastname: Doe
                   email: XXXXX@XXXXXXXXXXXXXXXXXX
                   state: enabled
                 api_key: NULL
              secret_key: NULL
                 created: NNNN-NN-NN NN:NN:NN
                 removed: NULL
                timezone: NULL
      registration_token: NULL
           is_registered: 0
incorrect_login_attempts: 0
                 default: 0
                  source: LDAP
         external_entity: NULL
- Stephan
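The two checks above (resolve the hostname from ldap_configuration and connect to it) plus the manual ldapsearch filter Rajani suggests further down, as an added Python example that is not part of this thread or of CloudStack itself. The hostname, port and group DN are placeholders; the filter builder escapes the group DN per RFC 4515 and can optionally use the Active Directory transitive-membership matching rule, which is what makes nested groups resolvable on an AD provider.

```python
import socket
import ssl

# RFC 4515 escaping for values embedded in an LDAP search filter, so a group
# name containing '(', ')', '*', '\' or NUL cannot change the filter's meaning.
_FILTER_ESCAPES = {
    "\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00",
}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# Active Directory matching rule that evaluates group membership transitively.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def linked_group_filter(group_dn: str, nested: bool = False) -> str:
    """Same shape as the manual ldapsearch filter in the thread:
    users that are direct members of the linked group; nested=True walks
    group membership transitively (AD only)."""
    attr = "memberof"
    if nested:
        attr = f"memberof:{LDAP_MATCHING_RULE_IN_CHAIN}:"
    return f"(&(objectClass=user)(sAMAccountName=*)({attr}={escape_filter_value(group_dn)}))"


def check_ldap_endpoint(hostname: str, port: int, use_tls: bool = True,
                        timeout: float = 5.0) -> dict:
    """Resolve the hostname, open a TCP connection and (for LDAPS) complete a
    TLS handshake with certificate verification; report which stage failed."""
    result = {"resolved": None, "connected": False, "tls": None, "error": None}
    try:
        result["resolved"] = socket.gethostbyname(hostname)
        with socket.create_connection((result["resolved"], port), timeout=timeout) as sock:
            result["connected"] = True
            if use_tls:
                ctx = ssl.create_default_context()
                with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                    result["tls"] = tls.version()
    except (OSError, ssl.SSLError) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    # Placeholder values: use the hostname/port from ldap_configuration and
    # the group DN from ldap_trust_map of your own installation.
    print(check_ldap_endpoint("YOUR_LDAP_SERVER", 636))
    print(linked_group_filter("CN=LDAPTest,OU=Groups,DC=mydomain,DC=com", nested=True))
```

A result with `resolved` set but `connected` false points at firewalling or the port, while a TLS error with `connected` true points at the certificate the management host trusts.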

On Friday, 14.10.2016, 02:06 +0000, Marty Godsey wrote:
> I have confirmed that when I am attempting to login with the user
> that is failing, or any user in the group specified for that matter,
> the packets are not even hitting the domain controller. I did a
> packet capture at the DC and logged in with a known AD user that is
> already configured in another ACS domain. This ACS domain does not
> have any LDAP bindings just the "default" LDAP settings. I was able
> to see my packets hit the DC and authenticate. When attempting to log
> in from a user in the linked domain, no packets are seen. Is there a
> service or a library I need to check?
> 
> Regards,
> Marty Godsey
> 
> -----Original Message-----
> From: Marty Godsey [mailto:ma...@gonsource.com] 
> Sent: Thursday, October 13, 2016 9:37 PM
> To: users@cloudstack.apache.org
> Subject: RE: Link Domain to LDAP
> 
> Whenever I try to bind to LDAP using the user's credentials, it
> works.
> 
> root@cs3-mgmt:/var/log/cloudstack/management# ldapwhoami -vvv -h
> x.x.x.x -p 389 -D "CN=John Doe,OU=test1,OU=test2,DC=mydomain,DC=com"
> -x -w Password1234!
> ldap_initialize( ldap://10.253.0.21:389 ) u:domain\john.doe
> Result: Success (0)
> 
> If I also run an ldapsearch on this user, it is successful.
> 
> However upon trying to authenticate with the same credentials on the
> ACS screen, I receive an incorrect password error. When I look in the
> log file all that is the following:
> 
> Authentication failure:
> {"loginresponse":{"uuidList":[],"errorcode":531,"errortext":"User is
> not allowed CloudStack login"}}
> 
> I have recreated this domain and linked it to GROUP and OU. Nested
> groups is set to true in the LDAP settings.
> 
> Thoughts?
> 
> Regards,
> Marty Godsey
> 
> -----Original Message-----
> From: Rajani Karuturi [mailto:raj...@apache.org]
> Sent: Wednesday, October 12, 2016 3:01 AM
> To: users@cloudstack.apache.org
> Subject: Re: Link Domain to LDAP
> 
> Yes, you can have LDAP configured at global and domain level.
> Did you give fully qualified name of GROUP/OU while linking?
> 
> Easiest way to debug is to run the ldap query manually and see if it
> returns any results ldapsearch -x -h hostname -p port "basedn" -s sub
> -D "username"
> -w password
> "(&(objectClass=user)(sAMAccountName=*)(memberof=linked_group_name))"
> 
> Also check that `ldap.provider` is set to correct value and there are
> direct users in the group.
> Nested groups will only work with MicrosoftAD provider and with
> configuration `ldap.nested.groups.enable` set to true.
> 
> There is a demo of the feature at
> https://youtu.be/GI9b9MiOQkw?t=4m10s
> 
> Thanks,
> ~ Rajani
> http://cloudplatform.accelerite.com/
> 
> On October 12, 2016 at 6:23 AM, Marty Godsey
> (ma...@gonsource.com) wrote:
> Hello,
> 
> I have an ACS 4.9 instance that runs well with no issues. I have
> enabled LDAP authentication at the Global Level and this works
> without issue. The question I have is the "Link Domain to LDAP"
> function at the domain level. I have a domain that I want to auto
> sync. I added this sub domain (let's call it ROOT/LDAPTest) that I
> configured with the DN of the group I am wanting to populate from (I
> also attempted this with the OU setting as well) and the user that
> was created cannot authenticate nor are any of the test accounts in
> Active Directory being created in ACS.
> 
> I have LDAP configured globally and I also, as a test, made the user
> part of the group I indicated for "LDAP Accounts" and the user shows
> up, but the "Link Domain to LDAP" does not seem to work. I tried
> looking in the logs and did not see any error or attempts to query
> Active Directory.
> 
> Is this a broken function? Can you have both globally set LDAP
> settings and "Link Domain to LDAP" settings?
> 
> Regards,
> Marty Godsey