Daan, so I assume for the manual import, which I want to use, I can leave "ldap.user.memberof.attribute" empty? If I do so, I am getting an LDAP exception in the management logs:

(logid:8e0b6291) ldap Exception:at java.naming/com.sun.jndi.ldap.Filter.encodeSimpleFilter(Filter.java:446) at java.naming/com.sun.jndi.ldap.Filter.encodeFilter(Filter.java:146) at java.naming/com.sun.jndi.ldap.Filter.encodeFilterList(Filter.java:741) at java.naming/com.sun.jndi.ldap.Filter.encodeComplexFilter(Filter.java:657) at java.naming/com.sun.jndi.ldap.Filter.encodeFilter(Filter.java:104) at java.naming/com.sun.jndi.ldap.Filter.encodeFilterString(Filter.java:74) at java.naming/com.sun.jndi.ldap.LdapClient.search(LdapClient.java:547) at java.naming/com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:2014) at java.naming/com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1873) at java.naming/com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1798) at org.apache.cloudstack.ldap.OpenLdapUserManagerImpl.searchUsers(OpenLdapUserManagerImpl.java:329) at org.apache.cloudstack.ldap.OpenLdapUserManagerImpl.getUsers(OpenLdapUserManagerImpl.java:228) at org.apache.cloudstack.ldap.OpenLdapUserManagerImpl.getUsers(OpenLdapUserManagerImpl.java:223) at org.apache.cloudstack.ldap.LdapManagerImpl.getUsers(LdapManagerImpl.java:309)

Otherwise, if the memberOf attribute is set, ACS seems to look only for the memberOf attribute in LDAP, which currently does not exist.
On 10.11.2022 at 13:49, Daan Hoogland wrote:
Mevludin, if you want the "autosync" feature, there is no way around it. Manual import and "autoimport" work without the automatic attributes, of which memberof is an example.

On Thu, Nov 10, 2022 at 1:42 PM Mevludin Blazevic <mblaze...@uni-koblenz.de> wrote:

Hi there, some time ago I had issues with setting up LDAP for our ACS instance. It seems that the LDAP functionality works only with the "memberOf" attribute, which ApacheDS does not seem to support (according to the latest ACS doc). Is there any way to avoid searching for the memberOf attribute in ACS if the LDAP does not have such an attribute? Regards Mevludin

Mevludin, the base dn should be just that, not any group below it. Did you try clearing the search group principle? If ldap.group.user.uniquemember is "uniquemember", the group should show `uniquemember: uid=person1,ou=ou1,dc=my-domain, dc=de` for all those users, and not `member: uid=person1,ou=ou1,dc=my-domain, dc=de`. It seems something is off with your configuration in LDAP. I am not sure if this is needed for autoimport; the empty principle group would be if the correct membership attribute isn't set.

On Tue, Dec 14, 2021 at 5:29 PM Mevludin Blazevic <mblaze...@uni-koblenz.de> wrote:

Hi Daan, the value for ldap.group.user.uniquemember is "uniquemember". I have also tried to set up the basedn as "ou=ou1,dc=my-domain,dc=de" to get all users of ou1; the list is still empty.

On 14.12.2021 at 16:55, Daan Hoogland wrote:

Ok Mevludin, you can try and empty ldap.search.group.principle (remove the "cn=cloustack-user,ou=Ou1,dc=my-domain,dc=de"); if you have one, all your users must have the memberOf attribute filled with that group. Can you share your value for ldap.group.user.uniquemember?

On Tue, Dec 14, 2021 at 4:18 PM Mevludin Blazevic <mblaze...@uni-koblenz.de> wrote:

Hi Daan, yes, I am trying to use the manual import; we will not have many Cloudstack users, so manually importing them once would be enough.
I've added the LDAP configuration via the GUI under Configuration -> LDAP Configuration (only server and port, no domain). Then I configured the basedn and the other properties from my previous e-mail using the Global Settings view. The users do not have a memberOf attribute yet. Nevertheless, the group knows its members and yes, the group has a series of uniqueMember attributes, for example:

member: uid=person1,ou=ou1,dc=my-domain, dc=de
member: uid=person2,ou=ou1,dc=my-domain, dc=de
member: uid=person3,ou=ou1,dc=my-domain, dc=de
member: uid=person4,ou=ou1,dc=my-domain, dc=de
member: uid=person5,ou=ou1,dc=my-domain, dc=de
member: uid=person6,ou=ou1,dc=my-domain, dc=de
member: uid=person7,ou=ou1,dc=my-domain, dc=de
member: uid=person8,ou=ou1,dc=my-domain, dc=de
member: uid=person9,ou=ou1,dc=my-domain, dc=de
member: uid=person10,ou=ou1,dc=my-domain, dc=de
memberUid: person1
memberUid: person2
memberUid: person3
memberUid: person4
memberUid: person5
memberUid: person6
memberUid: person7
memberUid: person8
memberUid: person9
memberUid: person10

Is the manual import possible if there is no memberOf attribute? Best Regards Mevludin

On 14.12.2021 at 12:36, Daan Hoogland wrote:

Mevludin, I suppose you are using the documentation to add your LDAP. Which strategy are you using: manual import, autoimport or autosync? By the looks of it you want the manual import, but I am not sure. Does the user have a memberOf attribute? Does the group cloudstack-user have a series of uniqueMember attributes?

On Tue, Dec 14, 2021 at 11:04 AM Mevludin Blazevic <mblaze...@uni-koblenz.de> wrote:

Hi all, when I try to set up a connection to our LDAP server I am getting an empty list after clicking on the "Add LDAP" button. I have already set up the basedn, configured a bind.principal by using the dn (beginning with uid= instead of cn=) and a bind password.
No LDAP exception is logged, but when I try to change the password or the principal dn I am getting an LDAP exception, so I assume that the connection can be established. My configuration:

LDAP: my-ldap-server.de:389 (no domain was assigned)
basedn: dc=my-domain, dc=de
bind-principal: uid=<my-user>,ou=ou1,dc=my-domain, dc=de
ldap.provider: openldap
ldap.group.object: groupOfUniqueNames
ldap.nested.groups.enable: true
ldap.search.group.principle: (for example "cn=cloustack-user,ou=Ou1,dc=my-domain,dc=de")
ldap.user.memberof.attribute: memberOf
ldap.user.object: inetOrgPerson
ldap.username.attribute: uid
ldap.read.timeout: 1000
ldap.request.page.size: 1000

For testing purposes, I run ldapsearch on the same machine where cloudstack-management is installed. For example:

ldapsearch -ZZ -LLL -o ldif-wrap=no -c -h my-ldap-server.de -D "uid=<my-user>,ou=<our-ou>,dc=my-domain, dc=de" -w "<mypassword>" -b "dc=my-domain, dc=de" "(ou=ou1)"
--> returns a (long) list of LDAP entries

ldapsearch -ZZ -LLL -o ldif-wrap=no -c -h my-ldap-server.de -D "uid=<my-user>,ou=<our-ou>,dc=my-domain, dc=de" -w "<mypassword>" -b "dc=my-domain, dc=de" "(cn=cloustack-user)"
--> returns a dn with a list of all group members

ldapsearch -ZZ -LLL -o ldif-wrap=no -c -h my-ldap-server.de -D "uid=<my-user>,ou=<our-ou>,dc=my-domain, dc=de" -w "<mypassword>" -b "dc=my-domain, dc=de" "(uid=person1)"
--> returns an LDAP entry

Cloudstack-Management log after clicking on "Add LDAP account":

2021-12-14 10:59:32,204 DEBUG [o.a.c.l.LdapContextFactory] (qtp187472540-1210:ctx-64b28371 ctx-59c7bea2) (logid:5e17abe8) initializing ldap with provider url:ldap://my-ldap-server.de:389
2021-12-14 10:59:32,212 TRACE [o.a.c.a.c.LdapListUsersCmd] (qtp187472540-1210:ctx-64b28371 ctx-59c7bea2) (logid:5e17abe8) returning unfiltered list of ldap users

I have also stopped the firewall on the cloudstack-management machine. Still an empty list. Does anyone have any idea why an empty list is displayed on the Cloudstack UI?
Hope you can help me out. Best Regards Mevludin

--
Mevludin Blazevic, M.Sc.
University of Koblenz-Landau
Computing Centre (GHRKO)
Universitaetsstrasse 1
D-56070 Koblenz, Germany
Room A023
Tel: +49 261/287-1326
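The thread turns on a mismatch between what the Global Settings say about group membership (ldap.group.user.uniquemember = "uniquemember", ldap.user.memberof.attribute = "memberOf") and what the directory actually carries (the group lists `member:` and `memberUid:` values, the users have no memberOf). The following script is an added example and not part of the thread or of CloudStack: it parses the unwrapped LDIF that `ldapsearch -LLL -o ldif-wrap=no` prints for the group and the user entries, compares it with the configured attribute names, and reports each mismatch that would leave the user list empty. The sample LDIF and the settings dictionary are constructed here, modelled on the entries quoted in the thread; the group DN uses the spelling "cloudstack-user" rather than the thread's typo.

```python
import base64
from collections import defaultdict

# Constructed sample ldapsearch output (-LLL -o ldif-wrap=no, so no line
# folding), modelled on the group and user entries quoted in the thread.
SAMPLE_LDIF = """\
dn: cn=cloudstack-user,ou=ou1,dc=my-domain, dc=de
objectClass: groupOfNames
objectClass: posixGroup
cn: cloudstack-user
member: uid=person1,ou=ou1,dc=my-domain, dc=de
member: uid=person2,ou=ou1,dc=my-domain, dc=de
memberUid: person1
memberUid: person2

dn: uid=person1,ou=ou1,dc=my-domain, dc=de
objectClass: inetOrgPerson
uid: person1
cn: Person One
"""

# Constructed Global Settings values, modelled on those listed in the thread.
ACS_SETTINGS = {
    "ldap.group.user.uniquemember": "uniquemember",
    "ldap.user.memberof.attribute": "memberOf",
    "ldap.search.group.principle": "cn=cloudstack-user,ou=ou1,dc=my-domain,dc=de",
}

# Membership attributes a group entry may carry; checked in this order.
MEMBERSHIP_ATTRS = ("member", "uniquemember", "memberuid")


def norm_dn(dn):
    """Normalise a DN for comparison: strip spaces around RDN separators, lower-case."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Parse unwrapped LDIF into {normalised dn: {attribute (lower-case): [values]}}."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            current = None                      # a blank line ends the entry
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if value.startswith(":"):               # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode()
        if name == "dn":
            current = defaultdict(list)
            entries[norm_dn(value)] = current
        elif current is not None:
            current[name].append(value)
    return entries


def diagnose(ldif_text, settings):
    """Return findings that explain an empty user list; an empty list means no mismatch."""
    entries = parse_ldif(ldif_text)
    findings = []
    group_dn = norm_dn(settings["ldap.search.group.principle"])
    member_attr = settings["ldap.group.user.uniquemember"].strip().lower()
    memberof_name = settings["ldap.user.memberof.attribute"].strip()

    group = entries.get(group_dn)
    if group is None:
        return [f"group {group_dn} is not in the search result; check the base DN and group DN"]

    # Does the group carry the membership attribute CloudStack is told to read?
    members = group.get(member_attr, [])
    if not members:
        present = [a for a in MEMBERSHIP_ATTRS if a in group]
        findings.append(f"group carries no '{member_attr}' values (ldap.group.user.uniquemember); "
                        f"membership attributes actually present: {present}")

    if not memberof_name:
        findings.append("ldap.user.memberof.attribute is empty; the thread reports an LDAP "
                        "filter exception with this setting")
        return findings

    # Do the listed users carry the configured back-link to the group?
    memberof_attr = memberof_name.lower()
    for dn in members:
        user = entries.get(norm_dn(dn))
        if user is None:
            continue                            # user entry not part of this search result
        back_links = {norm_dn(v) for v in user.get(memberof_attr, [])}
        if group_dn not in back_links:
            findings.append(f"user {dn} has no '{memberof_name}' value naming the group")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LDIF, ACS_SETTINGS) or ["no mismatch found"]:
        print("-", finding)
```

Feed it the real `ldapsearch` output for the group and for one of its members instead of SAMPLE_LDIF, and the settings as they appear in Global Settings; a finding on the group line points at ldap.group.user.uniquemember, a finding per user points at the missing memberOf back-link that the autosync strategy depends on.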