You need not import the users manually. It should automatically sync.

In my installation with microsoftAD, this is how any entry in the ldap_trust_map looks:

mysql> select * from ldap_trust_map where domain_id=7\G
*************************** 1. row ***************************
          id: 4
   domain_id: 7
        type: GROUP
        name: CN=acp-hyd,CN=Users,DC=acp,DC=accelerite,DC=com
account_type: 0
1 row in set (0.00 sec)

Any user who is a member of the AD group "CN=acp-hyd,CN=Users,DC=acp,DC=accelerite,DC=com" should be able to log in to the domain with id 7. If a user doesn't exist, it will automatically create one.

Check the below configuration values:

ldap.provider: microsoftad
ldap.nested.groups.enable: true
ldap.search.group.principle: NULL

My sample configuration values:

mysql> select component,name,value,description from configuration where name like '%ldap%';
+-------------------+------------------------------+-------------------------------------------------------+---------------------------------------------------------------------------+
| component         | name                         | value                                                 | description                                                               |
+-------------------+------------------------------+-------------------------------------------------------+---------------------------------------------------------------------------+
| management-server | ldap.basedn                  | dc=acp,dc=accelerite,dc=com                           | Sets the basedn for LDAP                                                  |
| management-server | ldap.bind.password           | password                                              | Specifies the password to use for binding to LDAP                         |
| management-server | ldap.bind.principal          | CN=Administrator,CN=Users,DC=acp,DC=accelerite,DC=com | Specifies the bind principal to use for bind to LDAP                      |
| management-server | ldap.email.attribute         | mail                                                  | Sets the email attribute used within LDAP                                 |
| management-server | ldap.firstname.attribute     | givenname                                             | Sets the firstname attribute used within LDAP                             |
| management-server | ldap.group.object            | group                                                 | Sets the object type of groups within LDAP                                |
| management-server | ldap.group.user.uniquemember | member                                                | Sets the attribute for uniquemembers within a group                       |
| management-server | ldap.lastname.attribute      | sn                                                    | Sets the lastname attribute used within LDAP                              |
| LdapConfiguration | ldap.nested.groups.enable    | true                                                  | if true, nested groups will also be queried                               |
| LdapConfiguration | ldap.provider                | microsoftad                                           | ldap provider ex:openldap, microsoftad                                    |
| LdapConfiguration | ldap.read.timeout            | 1000                                                  | LDAP connection Timeout in milli sec                                      |
| LdapConfiguration | ldap.request.page.size       | 1000                                                  | page size sent to ldap server on each request to get user                 |
| management-server | ldap.search.group.principle  | NULL                                                  | Sets the principle of the group that users must be a member of (optional) |
| management-server | ldap.truststore              | NULL                                                  | Sets the path to the truststore to use for LDAP SSL                       |
| management-server | ldap.truststore.password     | NULL                                                  | Sets the password for the truststore                                      |
| management-server | ldap.user.object             | user                                                  | Sets the object type of users within LDAP                                 |
| management-server | ldap.username.attribute      | sAMAccountName                                        | Sets the username attribute used within LDAP                              |
+-------------------+------------------------------+-------------------------------------------------------+---------------------------------------------------------------------------+
17 rows in set (0.00 sec)

~ Rajani
http://cloudplatform.accelerite.com/

On Fri, Oct 14, 2016 at 2:23 PM, Stephan Seitz <s.se...@secretresearchfacility.com> wrote:
> Hi,
>
> I'd verify the settings via mysql
>
> mysql> select * from ldap_configuration \G
> *************************** 1. row ***************************
>       id: 2
> hostname: YOUR_LDAP_SERVER
>     port: 636
>
> also check if you're able to resolve the hostname and connect to it
> from your management host.
>
> mysql> select * from ldap_trust_map \G
> *************************** 1. row ***************************
>           id: 1
>    domain_id: 2
>         type: OU
>         name: dc=FOO,dc=BAR
> account_type: 0
>
> you'd also need to import the specific users. I checked them via
>
> mysql> select * from user where username="XXXXXX" \G
> *************************** X. row ***************************
>                       id: NNN
>                     uuid: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
>                 username: XXXXXX
>                 password: XXXXXXXXXXXXXXXXXXXXXX==:100000
>               account_id: NNN
>                firstname: John
>                 lastname: Doe
>                    email: XXXXX@XXXXXXXXXXXXXXXXXX
>                    state: enabled
>                  api_key: NULL
>               secret_key: NULL
>                  created: NNNN-NN-NN NN:NN:NN
>                  removed: NULL
>                 timezone: NULL
>       registration_token: NULL
>            is_registered: 0
> incorrect_login_attempts: 0
>                  default: 0
>                   source: LDAP
>          external_entity: NULL
>
>
> - Stephan
>
> On Friday, 14.10.2016, 02:06 +0000, Marty Godsey wrote:
> > I have confirmed that when I am attempting to log in with the user
> > that is failing, or any user in the group specified for that matter,
> > the packets are not even hitting the domain controller. I did a
> > packet capture at the DC and logged in with a known AD user that is
> > already configured in another ACS domain. This ACS domain does not
> > have any LDAP bindings, just the "default" LDAP settings. I was able
> > to see my packets hit the DC and authenticate. When attempting to log
> > in from a user in the linked domain, no packets are seen. Is there a
> > service or a library I need to check?
> >
> > Regards,
> > Marty Godsey
> >
> > -----Original Message-----
> > From: Marty Godsey [mailto:ma...@gonsource.com]
> > Sent: Thursday, October 13, 2016 9:37 PM
> > To: users@cloudstack.apache.org
> > Subject: RE: Link Domain to LDAP
> >
> > Whenever I try to bind to LDAP using the user's credentials, it
> > works.
> >
> > root@cs3-mgmt:/var/log/cloudstack/management# ldapwhoami -vvv -h x.x.x.x -p 389 -D "CN=John Doe,OU=test1,OU=test2,DC=mydomain,DC=com" -x -w Password1234!
> > ldap_initialize( ldap://10.253.0.21:389 )
> > u:domain\john.doe
> > Result: Success (0)
> >
> > If I also run an ldapsearch on this user, it is successful.
> >
> > However, upon trying to authenticate with the same credentials on the
> > ACS screen, I receive an incorrect password error. When I look in the
> > log file, all that is there is the following:
> >
> > Authentication failure:
> > {"loginresponse":{"uuidList":[],"errorcode":531,"errortext":"User is not allowed CloudStack login"}}
> >
> > I have recreated this domain and linked it to GROUP and OU. Nested
> > groups is set to true in the ldap settings.
> >
> > Thoughts?
> >
> > Regards,
> > Marty Godsey
> >
> > -----Original Message-----
> > From: Rajani Karuturi [mailto:raj...@apache.org]
> > Sent: Wednesday, October 12, 2016 3:01 AM
> > To: users@cloudstack.apache.org
> > Subject: Re: Link Domain to LDAP
> >
> > Yes, you can have LDAP configured at global and domain level.
> > Did you give the fully qualified name of the GROUP/OU while linking?
> >
> > The easiest way to debug is to run the ldap query manually and see if it
> > returns any results:
> >
> > ldapsearch -x -h hostname -p port "basedn" -s sub -D "username" -w password "(&(objectClass=user)(sAMAccountName=*)(memberof=linked_group_name))"
> >
> > Also check that `ldap.provider` is set to the correct value and there are
> > direct users in the group.
> > Nested groups will only work with the MicrosoftAD provider and with
> > configuration `ldap.nested.groups.enable` set to true.
> >
> > There is a demo of the feature at
> > https://youtu.be/GI9b9MiOQkw?t=4m10s
> >
> > Thanks,
> > ~ Rajani
> > http://cloudplatform.accelerite.com/
> >
> > On October 12, 2016 at 6:23 AM, Marty Godsey (ma...@gonsource.com) wrote:
> > Hello,
> >
> > I have an ACS 4.9 instance that runs well with no issues. I have
> > enabled LDAP authentication at the Global Level and this works
> > without issue. The question I have is the "Link Domain to LDAP"
> > function at the domain level. I have a domain that I want to auto
> > sync. I added this sub domain (let's call it ROOT/LDAPTest) that I
> > configured with the DN of the group I am wanting to populate from (I
> > also attempted this with the OU setting as well) and the user that
> > was created cannot authenticate, nor are any of the test accounts in
> > Active Directory being created in ACS.
> >
> > I have LDAP configured globally and I also, as a test, made the user
> > part of the group I indicated for "LDAP Accounts" and the user shows
> > up, but the "Link Domain to LDAP" does not seem to work. I tried
> > looking in the logs and did not see any error or attempts to query
> > Active Directory.
> >
> > Is this a broken function? Can you have both globally set LDAP
> > settings and "Link Domain to LDAP" settings?
> >
> > Regards,
> > Marty Godsey
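An added example, not CloudStack's code and not from anyone in the thread: it builds the membership filter behind the manual ldapsearch check Rajani suggests, switching to Active Directory's transitive-membership matching rule when `ldap.provider` is microsoftad and `ldap.nested.groups.enable` is true (which is why nested groups fail on other providers), and escapes the linked group DN per RFC 4515 so a DN containing parentheses cannot break the filter. The function names, the sample config dict and the `ldaps://YOUR_LDAP_SERVER:636` URL are mine, and that CloudStack itself sends exactly these filters is an assumption.

```python
"""Build the user-membership filter behind CloudStack's LDAP domain linking.

Added example, not CloudStack code: the exact filters CloudStack issues are
assumed; the direct form mirrors the manual ldapsearch from the thread.
"""
import shlex

# Active Directory's transitive-membership rule (LDAP_MATCHING_RULE_IN_CHAIN).
# OpenLDAP does not implement it, so nested groups need ldap.provider=microsoftad.
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: ( ) * backslash and NUL in a DN cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def membership_filter(cfg: dict, group_dn: str) -> str:
    """Return the filter matching users that belong to group_dn under cfg."""
    user_object = cfg.get("ldap.user.object", "user")
    uid_attr = cfg.get("ldap.username.attribute", "sAMAccountName")
    nested = str(cfg.get("ldap.nested.groups.enable", "false")).lower() == "true"
    provider = cfg.get("ldap.provider", "openldap").lower()
    if nested and provider != "microsoftad":
        raise ValueError("ldap.nested.groups.enable needs ldap.provider=microsoftad")
    member_of = f"memberOf:{IN_CHAIN_OID}:=" if nested else "memberof="
    return (f"(&(objectClass={user_object})({uid_attr}=*)"
            f"({member_of}{escape_filter_value(group_dn)}))")


def ldapsearch_command(cfg: dict, url: str, group_dn: str) -> str:
    """Shell-quoted ldapsearch equivalent of the check, bound as the configured admin."""
    args = ["ldapsearch", "-x", "-H", url, "-b", cfg["ldap.basedn"], "-s", "sub",
            "-D", cfg["ldap.bind.principal"], "-w", cfg["ldap.bind.password"],
            membership_filter(cfg, group_dn),
            cfg.get("ldap.username.attribute", "sAMAccountName")]
    return " ".join(shlex.quote(a) for a in args)


# Constructed sample mirroring the configuration table and trust-map row above.
SAMPLE_CFG = {
    "ldap.basedn": "dc=acp,dc=accelerite,dc=com",
    "ldap.bind.principal": "CN=Administrator,CN=Users,DC=acp,DC=accelerite,DC=com",
    "ldap.bind.password": "password",
    "ldap.provider": "microsoftad",
    "ldap.nested.groups.enable": "true",
}
TRUST_MAP_GROUP = "CN=acp-hyd,CN=Users,DC=acp,DC=accelerite,DC=com"

if __name__ == "__main__":
    print(ldapsearch_command(SAMPLE_CFG, "ldaps://YOUR_LDAP_SERVER:636", TRUST_MAP_GROUP))
```

If the printed command returns no entries while the direct (non-nested) filter does, the provider or nested-group setting is the mismatch rather than the bind credentials.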