Mevludin, I completely ignored this mail and forgot about it. Have you gotten any further?
On Thu, Nov 10, 2022 at 3:05 PM Mevludin Blazevic <mblaze...@uni-koblenz.de> wrote:
> Daan,
>
> so I assume that for manual import, which I want to use, I can leave
> "ldap.user.memberof.attribute" empty? If I do so, I am getting an LDAP
> exception in the management logs:
>
> (logid:8e0b6291) ldap Exception:
> at java.naming/com.sun.jndi.ldap.Filter.encodeSimpleFilter(Filter.java:446)
> at java.naming/com.sun.jndi.ldap.Filter.encodeFilter(Filter.java:146)
> at java.naming/com.sun.jndi.ldap.Filter.encodeFilterList(Filter.java:741)
> at java.naming/com.sun.jndi.ldap.Filter.encodeComplexFilter(Filter.java:657)
> at java.naming/com.sun.jndi.ldap.Filter.encodeFilter(Filter.java:104)
> at java.naming/com.sun.jndi.ldap.Filter.encodeFilterString(Filter.java:74)
> at java.naming/com.sun.jndi.ldap.LdapClient.search(LdapClient.java:547)
> at java.naming/com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:2014)
> at java.naming/com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1873)
> at java.naming/com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1798)
> at org.apache.cloudstack.ldap.OpenLdapUserManagerImpl.searchUsers(OpenLdapUserManagerImpl.java:329)
> at org.apache.cloudstack.ldap.OpenLdapUserManagerImpl.getUsers(OpenLdapUserManagerImpl.java:228)
> at org.apache.cloudstack.ldap.OpenLdapUserManagerImpl.getUsers(OpenLdapUserManagerImpl.java:223)
> at org.apache.cloudstack.ldap.LdapManagerImpl.getUsers(LdapManagerImpl.java:309)
>
> Otherwise, if the memberOf attribute is set, the ACS seems to look only
> for the memberOf attribute in LDAP, which currently does not exist.
>
> On 10.11.2022 at 13:49, Daan Hoogland wrote:
>> Mevludin,
>> If you want the "autosync" feature, there is no way around it. Manual
>> import and "autoimport" work without the automatic attributes, of which
>> memberof is an example.
>>
>> On Thu, Nov 10, 2022 at 1:42 PM Mevludin Blazevic <mblaze...@uni-koblenz.de> wrote:
>>> Hi there,
>>>
>>> some time ago I had issues with setting up LDAP for our ACS instance. It
>>> seems like the LDAP functionality works only with the "memberOf"
>>> attribute, which ApacheDS does not seem to support (according to the
>>> latest ACS doc). Is there any way to avoid searching for the memberOf
>>> attribute in ACS if the LDAP does not have such an attribute?
>>>
>>> Regards
>>>
>>> Mevludin
>>>
>>>> mevludin,
>>>>
>>>> the base dn should be just that, not any group below it. Did you try
>>>> clearing the search group principle?
>>>> If ldap.group.user.uniquemember is "uniquemember", the group should show
>>>> `uniquemember: uid=person1,ou=ou1,dc=my-domain, dc=de` for all those users,
>>>> and not `member: uid=person1,ou=ou1,dc=my-domain, dc=de`. It seems
>>>> something is off with your configuration in LDAP. I am not sure if this is
>>>> needed for autoimport; the empty principle group would be if the
>>>> correct membership attribute isn't set.
>>>>
>>>> On Tue, Dec 14, 2021 at 5:29 PM Mevludin Blazevic <mblaze...@uni-koblenz.de> wrote:
>>>>> Hi Daan,
>>>>>
>>>>> the value for ldap.group.user.uniquemember is "uniquemember". I have also
>>>>> tried to set up the basedn as "ou=ou1,dc=my-domain,dc=de" to get all
>>>>> users of ou1; the list is still empty.
>>>>>
>>>>> On 14.12.2021 at 16:55, Daan Hoogland wrote:
>>>>>> ok Mevludin,
>>>>>> can you try and empty
>>>>>>
>>>>>> ldap.search.group.principle (remove the
>>>>>> "cn=cloustack-user,ou=Ou1,dc=my-domain,dc=de")? If you have one, all your
>>>>>> users must have the memberOf attribute filled with that group.
>>>>>>
>>>>>> Can you share your value for ldap.group.user.uniquemember?
>>>>>>
>>>>>> On Tue, Dec 14, 2021 at 4:18 PM Mevludin Blazevic <mblaze...@uni-koblenz.de> wrote:
>>>>>>> Hi Daan,
>>>>>>>
>>>>>>> yes, I am trying to use the manual import; we will not have many
>>>>>>> Cloudstack users, so manually importing them once would be enough.
>>>>>>>
>>>>>>> I've added the LDAP configuration via the GUI under Configuration ->
>>>>>>> LDAP Configuration (only server and port, no domain). Then I configured
>>>>>>> the basedn and the other properties from my previous e-mail using the
>>>>>>> Global Settings view.
>>>>>>>
>>>>>>> The users do not have a memberOf attribute yet. Nevertheless, the group
>>>>>>> knows its members and yes, the group has a series of uniqueMember
>>>>>>> attributes, for example:
>>>>>>>
>>>>>>> member: uid=person1,ou=ou1,dc=my-domain, dc=de
>>>>>>> member: uid=person2,ou=ou1,dc=my-domain, dc=de
>>>>>>> member: uid=person3,ou=ou1,dc=my-domain, dc=de
>>>>>>> member: uid=person4,ou=ou1,dc=my-domain, dc=de
>>>>>>> member:
>>>>>>> member: uid=person5,ou=ou1,dc=my-domain, dc=de
>>>>>>> member: uid=person6,ou=ou1,dc=my-domain, dc=de
>>>>>>> member: uid=person7,ou=ou1,dc=my-domain, dc=de
>>>>>>> member: uid=person8,ou=ou1,dc=my-domain, dc=de
>>>>>>> member: uid=person9,ou=ou1,dc=my-domain, dc=de
>>>>>>> member: uid=person10,ou=ou1,dc=my-domain, dc=de
>>>>>>> memberUid: person1
>>>>>>> memberUid: person2
>>>>>>> memberUid: person3
>>>>>>> memberUid: person4
>>>>>>> memberUid: person5
>>>>>>> memberUid: person6
>>>>>>> memberUid: person7
>>>>>>> memberUid: person8
>>>>>>> memberUid: person9
>>>>>>> memberUid: person10
>>>>>>>
>>>>>>> Is the manual import possible if there is no memberOf attribute?
>>>>>>>
>>>>>>> Best Regards
>>>>>>>
>>>>>>> Mevludin
>>>>>>>
>>>>>>> On 14.12.2021 at 12:36, Daan Hoogland wrote:
>>>>>>>> Mevludin,
>>>>>>>> I suppose you are using the documentation to add your LDAP. Which strategy
>>>>>>>> are you using, manual import, autoimport or autosync?
>>>>>>>> By the looks of it you want the manual import, but I am not sure.
>>>>>>>> Does the user have a memberOf attribute?
>>>>>>>> Does the group cloudstack-user have a series of uniqueMember attributes?
>>>>>>>>
>>>>>>>> On Tue, Dec 14, 2021 at 11:04 AM Mevludin Blazevic <mblaze...@uni-koblenz.de> wrote:
>>>>>>>>> Hi all,
>>>>>>>>>
>>>>>>>>> when I try to set up a connection to our LDAP server I am getting an
>>>>>>>>> empty list after clicking on the "Add LDAP" button. I have already set
>>>>>>>>> up the basedn, configured a bind.principal by using the dn (beginning
>>>>>>>>> with uid= instead of cn=) and a bind password. No LDAP exception is
>>>>>>>>> logged, but when I try to change the password or the principal dn I am
>>>>>>>>> getting an LDAP exception, so I assume that the connection can be
>>>>>>>>> established. My configuration:
>>>>>>>>>
>>>>>>>>> LDAP: my-ldap-server.de:389 (no domain was assigned)
>>>>>>>>> basedn: dc=my-domain, dc=de
>>>>>>>>> bind-principal: uid=<my-user>,ou=ou1,dc=my-domain, dc=de
>>>>>>>>> ldap.provider: openldap
>>>>>>>>> ldap.group.object: groupOfUniqueNames
>>>>>>>>> ldap.nested.groups.enable: true
>>>>>>>>> ldap.search.group.principle: (for example
>>>>>>>>> "cn=cloustack-user,ou=Ou1,dc=my-domain,dc=de")
>>>>>>>>> ldap.user.memberof.attribute: memberOf
>>>>>>>>> ldap.user.object: inetOrgPerson
>>>>>>>>> ldap.username.attribute: uid
>>>>>>>>> ldap.read.timeout: 1000
>>>>>>>>> ldap.request.page.size: 1000
>>>>>>>>>
>>>>>>>>> For testing purposes, I run ldapsearch on the same machine where
>>>>>>>>> cloudstack-management is installed. For example:
>>>>>>>>>
>>>>>>>>> ldapsearch -ZZ -LLL -o ldif-wrap=no -c -h my-ldap-server.de -D
>>>>>>>>> "uid=<my-user>,ou=<our-ou>,dc=my-domain, dc=de" -w "<mypassword>" -b
>>>>>>>>> dc=my-domain, dc=de "(ou=ou1)" --> returning a (long) list of LDAP entries
>>>>>>>>>
>>>>>>>>> ldapsearch -ZZ -LLL -o ldif-wrap=no -c -h my-ldap-server.de -D
>>>>>>>>> "uid=<my-user>,ou=<our-ou>,dc=my-domain, dc=de" -w "<mypassword>" -b
>>>>>>>>> dc=my-domain, dc=de "(cn=cloustack-user)" --> returning a dn with a list
>>>>>>>>> of all group members
>>>>>>>>>
>>>>>>>>> ldapsearch -ZZ -LLL -o ldif-wrap=no -c -h my-ldap-server.de -D
>>>>>>>>> "uid=<my-user>,ou=<our-ou>,dc=my-domain, dc=de" -w "<mypassword>" -b
>>>>>>>>> dc=my-domain, dc=de "(uid=person1)" --> returns an LDAP entry
>>>>>>>>>
>>>>>>>>> Cloudstack-Management log after clicking on "Add LDAP account":
>>>>>>>>>
>>>>>>>>> 2021-12-14 10:59:32,204 DEBUG [o.a.c.l.LdapContextFactory]
>>>>>>>>> (qtp187472540-1210:ctx-64b28371 ctx-59c7bea2) (logid:5e17abe8)
>>>>>>>>> initializing ldap with provider url:ldap://my-ldap-server.de:389
>>>>>>>>> 2021-12-14 10:59:32,212 TRACE [o.a.c.a.c.LdapListUsersCmd]
>>>>>>>>> (qtp187472540-1210:ctx-64b28371 ctx-59c7bea2) (logid:5e17abe8) returning
>>>>>>>>> unfiltered list of ldap users
>>>>>>>>>
>>>>>>>>> I have also stopped the firewall on the cloudstack-management machine.
>>>>>>>>> Still an empty list.
>>>>>>>>>
>>>>>>>>> Does anyone have any idea why an empty list is displayed on the
>>>>>>>>> Cloudstack UI? Hope you can help me out.
>>>>>>>>>
>>>>>>>>> Best Regards
>>>>>>>>>
>>>>>>>>> Mevludin
>
> --
> Mevludin Blazevic, M.Sc.
>
> University of Koblenz-Landau
> Computing Centre (GHRKO)
> Universitaetsstrasse 1
> D-56070 Koblenz, Germany
> Room A023
> Tel: +49 261/287-1326

--
Daan
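The thread turns on two attribute questions that are easy to verify offline before touching the CloudStack settings: does the group entry actually carry the membership attribute named in ldap.group.user.uniquemember (the group Mevludin posted has member: and memberUid: values while the setting says "uniquemember"), and which user entries lack a memberOf value for that group. The script below is an added example, not part of the thread and not CloudStack's own code. It parses unwrapped LDIF as produced by `ldapsearch -LLL -o ldif-wrap=no` and reports both. The embedded LDIF is constructed from the attributes quoted in the thread, with three members instead of ten; the group DN cn=cloudstack-user,ou=ou1,dc=my-domain,dc=de, the user entries and the function names are assumptions.

```python
"""Offline check of the LDAP attributes CloudStack's manual import depends on.

Added example, not CloudStack code. Feed it `ldapsearch -LLL -o ldif-wrap=no`
output (the group entry plus the user entries) and it reports which
membership attribute the group really uses and which users lack memberOf.
"""
from collections import defaultdict

# Assumed group DN (the thread writes it as "cloustack-user" in one place).
GROUP_DN = "cn=cloudstack-user,ou=ou1,dc=my-domain,dc=de"

# Constructed sample, modelled on the group posted in the thread: a
# groupOfUniqueNames whose membership is stored in `member` rather than
# `uniqueMember`, one empty member value, and users with/without memberOf.
SAMPLE_LDIF = """\
dn: cn=cloudstack-user,ou=ou1,dc=my-domain,dc=de
objectClass: groupOfUniqueNames
cn: cloudstack-user
member: uid=person1,ou=ou1,dc=my-domain, dc=de
member: uid=person2,ou=ou1,dc=my-domain, dc=de
member:
member: uid=person3,ou=ou1,dc=my-domain, dc=de
memberUid: person1
memberUid: person2
memberUid: person3

dn: uid=person1,ou=ou1,dc=my-domain,dc=de
objectClass: inetOrgPerson
uid: person1

dn: uid=person2,ou=ou1,dc=my-domain,dc=de
objectClass: inetOrgPerson
uid: person2
memberOf: cn=cloudstack-user,ou=ou1,dc=my-domain,dc=de
"""


def normalize_dn(dn):
    """Lower-case and drop the spaces after commas ("dc=my-domain, dc=de")."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})] per entry of unwrapped LDIF.

    Attribute names are lower-cased (LDAP attribute types are case-insensitive);
    values are kept verbatim, so an empty "member:" line yields "".
    """
    entries, dn, attrs = [], None, None
    for line in text.splitlines():
        if not line.strip():  # a blank line terminates the entry
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>" form; not decoded here
            value = value[1:]
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn, attrs = value, defaultdict(list)
        elif attrs is not None:
            attrs[name].append(value)
    if dn is not None:
        entries.append((dn, attrs))
    return entries


def find_entry(entries, dn):
    want = normalize_dn(dn)
    for entry_dn, attrs in entries:
        if normalize_dn(entry_dn) == want:
            return attrs
    raise LookupError("no entry with dn " + dn)


def check_group(entries, group_dn, member_attr):
    """What the configured ldap.group.user.uniquemember value would resolve to.

    Returns the membership attributes present on the group, the member DNs the
    configured attribute yields, and how many of its values are empty.
    """
    attrs = find_entry(entries, group_dn)
    present = sorted(a for a in ("member", "memberuid", "uniquemember") if a in attrs)
    values = attrs.get(member_attr.lower(), [])
    return {
        "present": present,
        "members": [normalize_dn(v) for v in values if v],
        "empty_values": sum(1 for v in values if not v),
    }


def users_without_memberof(entries, group_dn, user_object="inetOrgPerson"):
    """DNs of user entries (by objectClass) with no memberOf naming group_dn."""
    want = normalize_dn(group_dn)
    missing = []
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if user_object.lower() not in classes:
            continue
        if want not in {normalize_dn(g) for g in attrs.get("memberof", [])}:
            missing.append(normalize_dn(dn))
    return missing


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for configured in ("uniquemember", "member"):
        print(configured, "->", check_group(entries, GROUP_DN, configured))
    print("users without memberOf:", users_without_memberof(entries, GROUP_DN))
```

Run against the sample, "uniquemember" resolves to no members at all because the group only has member and memberUid values, which is the mismatch Daan points at; "member" resolves three DNs and flags the one empty value, which no user lookup can satisfy. The memberOf check lists person1, so only person2 would be found by a search that goes through ldap.search.group.principle. To use it on a real directory, replace SAMPLE_LDIF with the concatenated ldapsearch output for the group and the users.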