Luis, I hope to answer most of your queries below;

On Mon, Oct 25, 2021 at 8:42 PM Jorge Luiz Correa <jorge.l.cor...@embrapa.br.invalid> wrote:

> Hi! This is just my first post here and I'm looking for some help to
> understand more about LDAP use. I'm using CloudStack 4.15.2.0 and an
> OpenLDAP server. I need to configure autosync to map an account to an LDAP
> group. My LDAP uses as group entity the posixGroup type.
>
In the domain you want to set the linked accounts up in, you'll need to change the setting `ldap.group.object` to posixGroup.

> Could CloudStack use groups of that type? If yes, how can I configure it in
> this way?
>
See above.

> My tests just work if I create a group of type groupOfNames
> (objectClass=groupOfNames with entries like member=userone member=usertwo).
> But, I already have an OpenLDAP server with a lot of groups using
> objectClass=posixGroup (with entries like memberUid=userone
> memberUid=usertwo). I would like to use them.
>
`groupOfUniqueNames` is the default. I'm not sure why yours has changed to `groupOfNames`.

> Looking at the slapd log I see a query with the following filter:
>
> (&(objectClass=inetOrgPerson)(uid=userone)(|(memberOf=cn=groupaccount1,ou=groups,dc=domain)))
>
This makes complete sense.

> Reading about LDAP groups (in general), to use posixGroup it looks like the
> client should implement this, a way to check for users inside posixGroups.
> The log above appears to check users in groups using the memberOf scheme. I
> didn't understand yet if CloudStack could operate like this.
>
Yes it does if using the autosync mechanism.

> Is there a way to delete a "link accounttoldap" configuration? I always
> have to delete the account to make new tests, didn't find a way to delete
> this mapping.
>
There is no unlink, if that's what you mean. It would be a good feature but only during design of your cloud. I don't see a use case in production. Of course I might be missing something.

> Thank you!
> :)
>
Hope it helps.

> --
> Jorge Luiz Corrêa
> Embrapa Agricultura Digital
>
> echo "CkpvcmdlIEx1aXogQ29ycmVhCkFu
> YWxpc3RhIGRlIFJlZGVzIGUgU2VndXJhbm
> NhCkVtYnJhcGEgQWdyaWN1bHR1cmEgRGln
> aXRhbCAtIE5USQpBdi4gQW5kcmUgVG9zZW
> xsbywgMjA5IChCYXJhbyBHZXJhbGRvKQpD
> RVAgMTMwODMtODg2IC0gQ2FtcGluYXMsIF
> NQClRlbGVmb25lOiAoMTkpIDMyMTEtNTg4
> Mgpqb3JnZS5sLmNvcnJlYUBlbWJyYXBhLm
> JyCgo="|base64 -d

--
Daan
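The difference between the two group models discussed in the thread, as an added example that is not part of the original messages and not CloudStack or OpenLDAP code. It evaluates LDAP-style search filters against a small in-memory directory so the two checks can be compared offline: the memberOf-based filter quoted from the slapd log, which reads membership from the user entry, and the equivalent posixGroup check, which reads memberUid values from the group entry. All entries, uids and group names below are constructed sample data; only the filter shape and the dc=domain base come from the thread, and the helper names are this example's own.

```python
"""Membership checks for memberOf-style groups vs posixGroup (memberUid).

Added example. Evaluates a subset of RFC 4515 filters ((&...), (|...),
(attr=value)) against an in-memory directory; entries are constructed.
"""

# Constructed sample directory: DN -> {attribute: [values]}.
DIRECTORY = {
    "uid=userone,ou=people,dc=domain": {
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": ["userone"],
        # No memberOf: the server does not maintain it for this user.
    },
    "uid=usertwo,ou=people,dc=domain": {
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": ["usertwo"],
        # memberOf as a server-maintained attribute (e.g. the OpenLDAP memberof overlay).
        "memberOf": ["cn=admins,ou=groups,dc=domain"],
    },
    "cn=groupaccount1,ou=groups,dc=domain": {
        "objectClass": ["posixGroup"],
        "cn": ["groupaccount1"],
        "gidNumber": ["10001"],
        "memberUid": ["userone", "usertwo"],  # posixGroup lists uids, not DNs
    },
    "cn=admins,ou=groups,dc=domain": {
        "objectClass": ["groupOfNames"],
        "cn": ["admins"],
        "member": ["uid=usertwo,ou=people,dc=domain"],  # groupOfNames lists DNs
    },
}


def parse_filter(text, pos=0):
    """Parse (&...), (|...) or (attr=value); returns (node, next_pos)."""
    if text[pos] != "(":
        raise ValueError(f"expected '(' at {pos}")
    pos += 1
    if text[pos] in "&|":
        op = text[pos]
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError(f"expected ')' at {pos}")
        return (op, children), pos + 1
    end = text.index(")", pos)
    attr, sep, value = text[pos:end].partition("=")  # value may itself contain '=' (a DN)
    if not sep:
        raise ValueError(f"unsupported filter item {text[pos:end]!r}")
    return ("=", attr, value), end + 1


def _values(entry, attr):
    """LDAP attribute names are case-insensitive; look the attribute up that way."""
    for name, values in entry.items():
        if name.lower() == attr.lower():
            return values
    return []


def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive equality)."""
    if node[0] == "&":
        return all(matches(child, entry) for child in node[1])
    if node[0] == "|":
        return any(matches(child, entry) for child in node[1])
    _, attr, value = node
    return value.lower() in (v.lower() for v in _values(entry, attr))


def search(filter_text, directory=DIRECTORY):
    """Return the DNs of entries matching the filter, in directory order."""
    node, _ = parse_filter(filter_text)
    return [dn for dn, entry in directory.items() if matches(node, entry)]


def memberof_filter(uid, group_dn):
    """Shape of the filter quoted from the slapd log: membership is read from
    the user's memberOf attribute, so it only matches when the server
    maintains memberOf for that user."""
    return f"(&(objectClass=inetOrgPerson)(uid={uid})(|(memberOf={group_dn})))"


def posixgroup_filter(group_cn, uid):
    """Equivalent check for a posixGroup: membership is read from the group's
    memberUid values, so the search targets the group entry instead."""
    return f"(&(objectClass=posixGroup)(cn={group_cn})(memberUid={uid}))"


def is_member(uid, group_dn, directory=DIRECTORY):
    """Choose the check from the group's objectClass: posixGroup -> memberUid,
    groupOfNames/groupOfUniqueNames -> member/uniqueMember DNs."""
    group = directory.get(group_dn, {})
    classes = {c.lower() for c in _values(group, "objectClass")}
    if "posixgroup" in classes:
        return bool(search(posixgroup_filter(_values(group, "cn")[0], uid), directory))
    user_dns = search(f"(uid={uid})", directory)
    members = _values(group, "member") + _values(group, "uniqueMember")
    return any(dn.lower() == m.lower() for dn in user_dns for m in members)


if __name__ == "__main__":
    print(search(memberof_filter("userone", "cn=groupaccount1,ou=groups,dc=domain")))
    print(search(posixgroup_filter("groupaccount1", "userone")))
```

Run against the sample data, the logged memberOf filter returns nothing for `userone` even though the posixGroup lists that uid, while the memberUid filter finds the group. This is the point to check on a real server before blaming the client: `memberOf` is not stored in the user entry unless the server maintains it (on OpenLDAP via the memberof overlay, which in its default configuration tracks `groupOfNames`/`member`, not `posixGroup`/`memberUid`), so a memberOf-style filter is silently empty for posixGroup members. Also note that `memberUid` carries bare uids rather than DNs, so a client that wants to use posixGroup has to search the group entry, as `posixgroup_filter` does, rather than the user entry.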