Posted to users@cloudstack.apache.org by Daan Hoogland <da...@gmail.com> on 2023/02/02 14:57:29 UTC

Re: "Add LDAP account" returns empty user list

Mevludin,
I completely ignored this mail and forgot about it. Have you gotten any
further?

On Thu, Nov 10, 2022 at 3:05 PM Mevludin Blazevic <mb...@uni-koblenz.de>
wrote:

> Daan,
>
> so I assume that for the manual import, which I want to use, I can leave
> "ldap.user.memberof.attribute" empty? If I do so, I am getting an LDAP
> exception in the management logs:
>
> (logid:8e0b6291) ldap Exception:
>          at java.naming/com.sun.jndi.ldap.Filter.encodeSimpleFilter(Filter.java:446)
>          at java.naming/com.sun.jndi.ldap.Filter.encodeFilter(Filter.java:146)
>          at java.naming/com.sun.jndi.ldap.Filter.encodeFilterList(Filter.java:741)
>          at java.naming/com.sun.jndi.ldap.Filter.encodeComplexFilter(Filter.java:657)
>          at java.naming/com.sun.jndi.ldap.Filter.encodeFilter(Filter.java:104)
>          at java.naming/com.sun.jndi.ldap.Filter.encodeFilterString(Filter.java:74)
>          at java.naming/com.sun.jndi.ldap.LdapClient.search(LdapClient.java:547)
>          at java.naming/com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:2014)
>          at java.naming/com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1873)
>          at java.naming/com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1798)
>          at org.apache.cloudstack.ldap.OpenLdapUserManagerImpl.searchUsers(OpenLdapUserManagerImpl.java:329)
>          at org.apache.cloudstack.ldap.OpenLdapUserManagerImpl.getUsers(OpenLdapUserManagerImpl.java:228)
>          at org.apache.cloudstack.ldap.OpenLdapUserManagerImpl.getUsers(OpenLdapUserManagerImpl.java:223)
>          at org.apache.cloudstack.ldap.LdapManagerImpl.getUsers(LdapManagerImpl.java:309)
>
> Otherwise, if the memberOf attribute is set, ACS seems to look only
> at the memberOf attribute in LDAP, which currently does not exist.
>
> On 10.11.2022 at 13:49, Daan Hoogland wrote:
> > Mevludin,
> > If you want the "autosync" feature, there is no way around it. Manual
> > import and "autoimport" work without the automatic attributes, of which
> > memberof is an example.
> >
> > On Thu, Nov 10, 2022 at 1:42 PM Mevludin Blazevic <mblazevic@uni-koblenz.de>
> > wrote:
> >
> >> Hi there,
> >>
> >> some time ago I had issues with setting up LDAP for our ACS instance. It
> >> seems that the LDAP functionality works only with the "memberOf"
> >> attribute, which ApacheDS does not seem to support (according to the
> >> latest ACS doc). Is there any way to avoid searching for the memberOf
> >> attribute in ACS if the LDAP does not have such an attribute?
> >>
> >> Regards
> >>
> >> Mevludin
> >>
> >>
> >>> Mevludin,
> >>>
> >>> the base dn should be just that, not any group below it. Did you try
> >>> clearing the search group principle?
> >>> If ldap.group.user.uniquemember is "uniquemember", the group should show
> >>> `uniquemember: uid=person1,ou=ou1,dc=my-domain, dc=de` for all those users,
> >>> and not `member: uid=person1,ou=ou1,dc=my-domain, dc=de`. It seems
> >>> something is off with your configuration in LDAP. I am not sure if this is
> >>> needed for autoimport, the empty principle group would be if the
> >>> correct membership attribute isn't set.
> >>>
> >>> On Tue, Dec 14, 2021 at 5:29 PM Mevludin Blazevic <mblazevic@uni-koblenz.de>
> >>> wrote:
> >>>
> >>>> Hi Daan,
> >>>>
> >>>> value for ldap.group.user.uniquemember is "uniquemember". I have also
> >>>> tried to set up the basedn as "ou=ou1,dc=my-domain,dc=de" to get all
> >>>> users of ou1; the list is still empty.
> >>>>
> >>>> On 14.12.2021 at 16:55, Daan Hoogland wrote:
> >>>>> ok Mevludin,
> >>>>> can you try and empty ldap.search.group.principle (remove the
> >>>>> "cn=cloustack-user,ou=Ou1,dc=my-domain,dc=de")? If you have one, all your
> >>>>> users must have the memberOf attribute filled with that group.
> >>>>>
> >>>>>
> >>>>> Can you share your value for ldap.group.user.uniquemember?
> >>>>>
> >>>>>
> >>>>> On Tue, Dec 14, 2021 at 4:18 PM Mevludin Blazevic <mblazevic@uni-koblenz.de>
> >>>>> wrote:
> >>>>>
> >>>>>> Hi Daan,
> >>>>>>
> >>>>>> yes, I am trying to use the manual import; we will not have many
> >>>>>> Cloudstack users, so manually importing them once would be enough.
> >>>>>>
> >>>>>> I've added the LDAP configuration via the GUI under Configuration ->
> >>>>>> LDAP Configuration (only server and port, no domain). Then I configured
> >>>>>> the basedn and the other properties from my previous e-mail using the
> >>>>>> Global Settings view.
> >>>>>>
> >>>>>> The users do not have a memberOf attribute yet. Nevertheless, the group
> >>>>>> knows its members and yes, the group has a series of uniqueMember
> >>>>>> attributes, for example:
> >>>>>>
> >>>>>> member: uid=person1,ou=ou1,dc=my-domain, dc=de
> >>>>>> member: uid=person2,ou=ou1,dc=my-domain, dc=de
> >>>>>> member: uid=person3,ou=ou1,dc=my-domain, dc=de
> >>>>>> member: uid=person4,ou=ou1,dc=my-domain, dc=de
> >>>>>> member:
> >>>>>> member: uid=person5,ou=ou1,dc=my-domain, dc=de
> >>>>>> member: uid=person6,ou=ou1,dc=my-domain, dc=de
> >>>>>> member: uid=person7,ou=ou1,dc=my-domain, dc=de
> >>>>>> member: uid=person8,ou=ou1,dc=my-domain, dc=de
> >>>>>> member: uid=person9,ou=ou1,dc=my-domain, dc=de
> >>>>>> member: uid=person10,ou=ou1,dc=my-domain, dc=de
> >>>>>> memberUid: person1
> >>>>>> memberUid: person2
> >>>>>> memberUid: person3
> >>>>>> memberUid: person4
> >>>>>> memberUid: person5
> >>>>>> memberUid: person6
> >>>>>> memberUid: person7
> >>>>>> memberUid: person8
> >>>>>> memberUid: person9
> >>>>>> memberUid: person10
> >>>>>>
> >>>>>> Is the manual import possible if there is no memberOf attribute?
> >>>>>>
> >>>>>> Best Regards
> >>>>>>
> >>>>>> Mevludin
> >>>>>>
> >>>>>> On 14.12.2021 at 12:36, Daan Hoogland wrote:
> >>>>>>> Mevludin,
> >>>>>>> I suppose you are using the documentation to add your LDAP. Which
> >>>>>>> strategy are you using, manual import, autoimport or autosync?
> >>>>>>> By the looks it seems you want the manual import, but I am not sure.
> >>>>>>> Does the user have a memberOf attribute?
> >>>>>>> Does the group cloudstack-user have a series of uniqueMember attributes?
> >>>>>>> On Tue, Dec 14, 2021 at 11:04 AM Mevludin Blazevic <mblazevic@uni-koblenz.de>
> >>>>>>> wrote:
> >>>>>>>
> >>>>>>>> Hi all,
> >>>>>>>>
> >>>>>>>> when I try to set up a connection to our LDAP server I am getting an
> >>>>>>>> empty list after clicking on the "Add LDAP button". I have already set
> >>>>>>>> up the basedn, configured a bind.principal by using the dn (beginning
> >>>>>>>> with uid= instead of cn=) and a bind password. No LDAP exception is
> >>>>>>>> logged, but when I try to change the password or the principal dn I am
> >>>>>>>> getting an LDAP exception, so I assume that the connection can be
> >>>>>>>> established. My configuration:
> >>>>>>>>
> >>>>>>>> LDAP: my-ldap-server.de:389 (no domain was assigned)
> >>>>>>>> basedn: dc=my-domain, dc=de
> >>>>>>>> bind-principal: uid=<my-user>,ou=ou1,dc=my-domain, dc=de
> >>>>>>>> ldap.provider: openldap
> >>>>>>>> ldap.group.object: groupOfUniqueNames
> >>>>>>>> ldap.nested.groups.enable: true
> >>>>>>>> ldap.search.group.principle: (for example
> >>>>>>>> "cn=cloustack-user,ou=Ou1,dc=my-domain,dc=de")
> >>>>>>>> ldap.user.memberof.attribute: memberOf
> >>>>>>>> ldap.user.object: inetOrgPerson
> >>>>>>>> ldap.username.attribute: uid
> >>>>>>>> ldap.read.timeout: 1000
> >>>>>>>> ldap.request.page.size: 1000
> >>>>>>>>
> >>>>>>>> For testing purposes, I run ldapsearch on the same machine where
> >>>>>>>> cloudstack-management is installed. For example:
> >>>>>>>>
> >>>>>>>> ldapsearch -ZZ -LLL -o ldif-wrap=no -c -h my-ldap-server.de -D
> >>>>>>>> "uid=<my-user>,ou=<our-ou>,dc=my-domain, dc=de" -w "<mypassword>" -b
> >>>>>>>> dc=my-domain, dc=de "(ou=ou1)" --> returning a (long) list of LDAP entries
> >>>>>>>>
> >>>>>>>> ldapsearch -ZZ -LLL -o ldif-wrap=no -c -h my-ldap-server.de -D
> >>>>>>>> "uid=<my-user>,ou=<our-ou>,dc=my-domain, dc=de" -w "<mypassword>" -b
> >>>>>>>> dc=my-domain, dc=de "(cn=cloustack-user)" --> returning a dn with a list
> >>>>>>>> of all group members
> >>>>>>>>
> >>>>>>>> ldapsearch -ZZ -LLL -o ldif-wrap=no -c -h my-ldap-server.de -D
> >>>>>>>> "uid=<my-user>,ou=<our-ou>,dc=my-domain, dc=de" -w "<mypassword>" -b
> >>>>>>>> dc=my-domain, dc=de "(uid=person1)" --> returns an LDAP entry
> >>>>>>>>
> >>>>>>>> Cloudstack-Management log after clicking on "Add LDAP account":
> >>>>>>>>
> >>>>>>>> 2021-12-14 10:59:32,204 DEBUG [o.a.c.l.LdapContextFactory]
> >>>>>>>> (qtp187472540-1210:ctx-64b28371 ctx-59c7bea2) (logid:5e17abe8)
> >>>>>>>> initializing ldap with provider url:ldap://my-ldap-server.de:389
> >>>>>>>> 2021-12-14 10:59:32,212 TRACE [o.a.c.a.c.LdapListUsersCmd]
> >>>>>>>> (qtp187472540-1210:ctx-64b28371 ctx-59c7bea2) (logid:5e17abe8) returning
> >>>>>>>> unfiltered list of ldap users
> >>>>>>>>
> >>>>>>>> I have also stopped the firewall on the cloudstack-management machine.
> >>>>>>>> Still an empty list.
> >>>>>>>>
> >>>>>>>> Does anyone have any idea why an empty list is displayed on the
> >>>>>>>> Cloudstack UI? Hope you can help me out.
> >>>>>>>>
> >>>>>>>> Best Regards
> >>>>>>>>
> >>>>>>>> Mevludin
> >>>>>>>>
> >>>>>>>>
> >
> --
> Mevludin Blazevic, M.Sc.
>
> University of Koblenz-Landau
> Computing Centre (GHRKO)
> Universitaetsstrasse 1
> D-56070 Koblenz, Germany
> Room A023
> Tel: +49 261/287-1326
>
>

-- 
Daan
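The mismatch the thread turns on (the group entry carries `member:` values, one of them blank, while ldap.group.user.uniquemember says "uniquemember") can be checked offline against an LDIF dump of the group. The script below is an added example, not CloudStack code or anything posted in the thread; the LDIF sample, the attribute list and the function names are constructed for it.

```python
# Added example (not CloudStack code): check one LDIF group entry against the
# ldap.group.user.uniquemember setting, as in the mismatch discussed above.

# Constructed LDIF modelled on the group entry quoted in the thread.
SAMPLE_LDIF = """\
dn: cn=cloustack-user,ou=ou1,dc=my-domain,dc=de
objectClass: groupOfUniqueNames
cn: cloustack-user
member: uid=person1,ou=ou1,dc=my-domain, dc=de
member: uid=person2,ou=ou1,dc=my-domain, dc=de
member:
member: uid=person3,ou=ou1,dc=my-domain, dc=de
memberUid: person1
memberUid: person2
memberUid: person3
"""

# Membership attributes worth reporting on (constructed list for this check).
MEMBERSHIP_ATTRS = ("member", "uniquemember", "memberuid")

def parse_ldif_entry(text):
    """Return {attribute_lowercase: [values]} for one LDIF entry, unfolding
    continuation lines (a leading single space joins the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def check_group_membership(ldif_text, configured_attr):
    """Return (member_dns, problems): non-empty values of the configured
    attribute, plus findings on a missing attribute or blank member values."""
    attrs = parse_ldif_entry(ldif_text)
    wanted = configured_attr.lower()
    problems = []
    if wanted not in attrs:
        present = [a for a in MEMBERSHIP_ATTRS if a in attrs]
        problems.append(f"group has no '{configured_attr}' attribute; it carries {present}")
    for name in MEMBERSHIP_ATTRS:
        blanks = sum(1 for v in attrs.get(name, []) if not v)
        if blanks:
            problems.append(f"{blanks} blank '{name}' value(s) in the group entry")
    return [v for v in attrs.get(wanted, []) if v], problems
```

Run `check_group_membership(SAMPLE_LDIF, "uniquemember")` to reproduce the thread's situation (no usable members, two findings) and with `"member"` to see the three DNs plus the blank-value finding.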