Luis, I hope to answer most of your queries below:

On Mon, Oct 25, 2021 at 8:42 PM Jorge Luiz Correa
<jorge.l.cor...@embrapa.br.invalid> wrote:

> Hi! This is just my first post here and I'm looking for some help to
> understand more about LDAP use. I'm using CloudStack 4.15.2.0 and an
> OpenLDAP server. I need to configure autosync to map an account to an LDAP
> group. My LDAP uses as group entity the posixGroup type.
>
In the domain you want to set the linked accounts up in, you'll need to
change the setting `ldap.group.object` to posixGroup.


>
> Could CloudStack use groups of that type? If yes, how can I configure it in
> this way?
>
see above


>
> My tests just work if I create a group of type groupOfNames
> (objectClass=groupOfNames with entries like member=userone member=usertwo).
> But, I already have an OpenLDAP server with a lot of groups using
> objectClass=posixGroup (with entries like memberUid=userone
> memberUid=usertwo). I would like to use them.
>
`groupOfUniqueNames` is the default. I'm not sure why yours has changed to
`groupOfNames`


>
> Looking at the slapd log I see a query with the following filter:
>
>
> (&(objectClass=inetOrgPerson)(uid=userone)(|(memberOf=cn=groupaccount1,ou=groups,dc=domain)))
>
This makes complete sense.


>
> Reading about LDAP groups (in general), to use posixGroup it looks like the
> client should implement this, a way to check for users inside posixGroups.
> The log above appears to check users in groups using the memberof scheme. I
> didn't understand yet if CloudStack could operate like this.
>
Yes it does if using the autosync mechanism.


>
> Is there a way to delete a "link accounttoldap" configuration? I always
> have to delete the account to make new tests, didn't find a way to delete
> this mapping.
>
There is no unlink, if that's what you mean. It would be a good feature but
only during design of your cloud. I don't see a use case in production. Of
course I might be missing something.


>
> Thank you!
> :)
>
hope it helps


>
> --
> Jorge Luiz Corrêa
> Embrapa Agricultura Digital
>
> echo "CkpvcmdlIEx1aXogQ29ycmVhCkFu
> YWxpc3RhIGRlIFJlZGVzIGUgU2VndXJhbm
> NhCkVtYnJhcGEgQWdyaWN1bHR1cmEgRGln
> aXRhbCAtIE5USQpBdi4gQW5kcmUgVG9zZW
> xsbywgMjA5IChCYXJhbyBHZXJhbGRvKQpD
> RVAgMTMwODMtODg2IC0gQ2FtcGluYXMsIF
> NQClRlbGVmb25lOiAoMTkpIDMyMTEtNTg4
> Mgpqb3JnZS5sLmNvcnJlYUBlbWJyYXBhLm
> JyCgo="|base64 -d
>
> --
> __________________________
>
> Confidentiality note
>
> This message from
> Empresa Brasileira de Pesquisa Agropecuaria (Embrapa), a government
> company established under Brazilian law (5.851/72), is directed
> exclusively to its addressee and may contain confidential data,
> protected under professional secrecy rules. Its unauthorized use is
> illegal and may subject the transgressor to the law's penalties. If you
> are not the addressee, please send it back, elucidating the failure.
>


-- 
Daan
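
As an added example, not code from CloudStack, OpenLDAP or anyone in this thread, the Python script below reconstructs the filter seen in the slapd log above and contrasts the two ways a client can answer "is this uid in that group": reading the group entry (memberUid for posixGroup, member or uniqueMember for groupOfNames and groupOfUniqueNames) versus reading memberOf on the user entry, which is what the logged filter does. On OpenLDAP the memberOf attribute only exists when the memberof overlay maintains it, and that overlay follows DN-valued member attributes, not the bare uid strings in memberUid, which is why a posixGroup membership is invisible to a memberOf-based filter. The directory entries, DNs and the second group are constructed for the example. The object-class and attribute names in the filter builder default to what the log shows and are parameters on the assumption that CloudStack exposes them as settings (ldap.user.object, ldap.username.attribute, ldap.user.memberof.attribute); that mapping is an assumption, not something verified here. The builder also escapes the uid per RFC 4515, since a username pasted raw into `(uid=...)` is a filter-injection point.

```python
# Added example (not CloudStack's or OpenLDAP's code): how the common LDAP
# group models answer "is uid X a member of group G", and how to build the
# search filter that appears in the slapd log.  The directory below is
# constructed for the example; DNs and attribute values are made up.

DIRECTORY = {
    "uid=userone,ou=people,dc=domain": {
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": ["userone"],
        # Only present when slapd runs the memberof overlay.  The overlay only
        # follows DN-valued member attributes (member/uniqueMember), so the
        # posixGroup below never shows up here.
        "memberOf": ["cn=groupaccount1,ou=groups,dc=domain"],
    },
    "uid=usertwo,ou=people,dc=domain": {
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": ["usertwo"],
    },
    "cn=groupaccount1,ou=groups,dc=domain": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=userone,ou=people,dc=domain"],
    },
    "cn=groupaccount2,ou=groups,dc=domain": {  # constructed posixGroup
        "objectClass": ["posixGroup"],
        "gidNumber": ["10002"],
        "memberUid": ["userone", "usertwo"],
    },
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value inside a search filter.

    A username copied straight into "(uid=...)" is a filter-injection point;
    every byte with a special meaning, plus control and non-ASCII bytes,
    becomes a \\XX hex escape.
    """
    out = []
    for byte in value.encode("utf-8"):
        if byte in b"*()\\" or byte < 0x20 or byte >= 0x7F:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def user_filter(uid, group_dns, user_object="inetOrgPerson",
                uid_attr="uid", memberof_attr="memberOf"):
    """The filter shape from the slapd log: user object class, the uid, and an
    OR of one memberOf assertion per linked group.  Defaults mirror the log;
    making them parameters assumes CloudStack exposes them as settings."""
    groups = "".join(f"({memberof_attr}={escape_filter_value(dn)})"
                     for dn in group_dns)
    return (f"(&(objectClass={user_object})"
            f"({uid_attr}={escape_filter_value(uid)})(|{groups}))")


def rdn_value(dn: str) -> str:
    """Value of the first RDN, e.g. "userone" from "uid=userone,ou=people,...".
    Adequate for the constructed DNs here; real DNs need RFC 4514 parsing."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def member_via_group(directory, uid, group_dn):
    """Group-side check, the one that works for posixGroup: read the group
    entry and look for the uid in memberUid (or for a DN carrying that uid in
    member/uniqueMember for the DN-based group classes)."""
    group = directory[group_dn]
    classes = {c.lower() for c in group["objectClass"]}
    if "posixgroup" in classes:
        return uid in group.get("memberUid", [])
    if "groupofnames" in classes:
        return any(rdn_value(dn) == uid for dn in group.get("member", []))
    if "groupofuniquenames" in classes:
        return any(rdn_value(dn) == uid for dn in group.get("uniqueMember", []))
    raise ValueError(f"unsupported group object class: {sorted(classes)}")


def member_via_memberof(directory, uid, group_dn):
    """User-side check, what the logged filter relies on: the memberOf
    attribute on the user entry (case-insensitive DN comparison)."""
    for entry in directory.values():
        if uid in entry.get("uid", []):
            return group_dn.lower() in {g.lower() for g in entry.get("memberOf", [])}
    return False


if __name__ == "__main__":
    group1 = "cn=groupaccount1,ou=groups,dc=domain"
    group2 = "cn=groupaccount2,ou=groups,dc=domain"
    print(user_filter("userone", [group1]))
    print(user_filter("*)(uid=*", [group1]))  # injection attempt, neutralised
    for uid, group in [("userone", group1), ("userone", group2), ("usertwo", group2)]:
        print(f"{uid} in {group}: group-side={member_via_group(DIRECTORY, uid, group)}"
              f" memberOf={member_via_memberof(DIRECTORY, uid, group)}")
```

Running it prints the exact filter from the log for userone, and shows that userone and usertwo are members of the posixGroup when the group entry is read but not when only memberOf on the user entry is consulted, which is the gap the posixGroup question in the thread runs into.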
