Posted to commits@cloudstack.apache.org by GitBox <gi...@apache.org> on 2021/11/23 12:45:30 UTC

[GitHub] [cloudstack] correajl opened a new issue #5712: Problem enabling LDAPS.

correajl opened a new issue #5712:
URL: https://github.com/apache/cloudstack/issues/5712


   
   ##### ISSUE TYPE
    * Bug Report
   
   ##### COMPONENT NAME
   ~~~
   Code, API.
   ~~~
   
   ##### CLOUDSTACK VERSION
   
   ~~~
   CloudStack 4.15.2.0
   ~~~
   
   ##### CONFIGURATION
   Using many domains. 
   Trying to use LDAP server with TLS.
   All certificates generated and tested.
   Keystore configured and tested. 
   
   ##### OS / ENVIRONMENT
   Ubuntu Server 20.04.3 LTS.
   KVM.
   cloudstack-management                4.15.2.0~focal
   
   ##### SUMMARY
   The management server needs to communicate with LDAP using TLS (LDAPS). The documentation says that if ldap.truststore and ldap.truststore.password are configured, it will switch to LDAPS. This only happens when these parameters are configured globally, but using the API it is possible to configure them inside a domain. When configured inside a domain, they have no effect.
   
   ##### STEPS TO REPRODUCE
   Try to configure ldap.truststore and ldap.truststore.password for a domain:
   
   ~~~
   cmk -p user@myprofile update configuration name='ldap.truststore' value='/etc/cloudstack/management/cloud.jks' domainid="e8b2ec00-21e2-430b-bd9b-a31c3d642bbf"
   cmk -p user@myprofile update configuration name='ldap.truststore.password' value=PASSWORD domainid="e8b2ec00-21e2-430b-bd9b-a31c3d642bbf"
   ~~~
   
   
   ##### EXPECTED RESULTS
   
   ~~~
   LDAPS enabled and communication between management and LDAP servers using TLS. 
   ~~~
   
   ##### ACTUAL RESULTS
   ~~~
   LDAPS is not enabled. 
   LDAP server logs show "initializing ldap with provider url: ldap://ldapserver.domain:636".
   All queries trying to log in a user use ldap:// too, not ldaps://. 
   ~~~
   
   If we configure ldap.truststore and ldap.truststore.password globally (not for a domain), we can make LDAPS work.
   
   ~~~
   cmk -p user@myprofile update configuration name='ldap.truststore' value='/etc/cloudstack/management/cloud.jks'
   cmk -p user@myprofile update configuration name='ldap.truststore.password' value=PASSWORD
   # Until here no domain was specified!
   cmk -p user@myprofile add ldapconfiguration hostname=ldapserver.mydomain port=636 domainid="e8b2ec00-21e2-430b-bd9b-a31c3d642bbf"
   cmk -p user@myprofile update configuration name='ldap.basedn' value='...............' domainid="e8b2ec00-21e2-430b-bd9b-a31c3d642bbf"
   
   ~~~
   I think the code is looking for ldap.truststore and ldap.truststore.password only in the global configuration. It would be interesting to look inside domain configurations too, so each domain could have a different LDAP configuration. As the API accepts the domainid= parameter to configure the truststore, I believe that this was the initial idea, but something is not working as well.
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
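
The scoping behaviour the report above suspects, as an added example that is not part of the original issue and is not CloudStack code. ScopedConfig, provider_url and plaintext_on_ldaps_port are hypothetical names; the setting keys, domain id, host and port are taken from the report, and the stored values are constructed sample input.

```python
from urllib.parse import urlsplit

GLOBAL = None  # scope key for settings stored without a domainid
DOMAIN = "e8b2ec00-21e2-430b-bd9b-a31c3d642bbf"  # domain id from the report


class ScopedConfig:
    """Toy settings store (hypothetical, not a CloudStack class)."""

    def __init__(self):
        self._values = {}  # (scope, name) -> value

    def set(self, name, value, domainid=GLOBAL):
        self._values[(domainid, name)] = value

    def get_global(self, name):
        return self._values.get((GLOBAL, name))

    def get_for_domain(self, name, domainid):
        # Domain value wins; fall back to the global value when unset.
        value = self._values.get((domainid, name))
        return value if value is not None else self.get_global(name)


def provider_url(cfg, host, port, domainid, domain_aware):
    """Choose ldaps:// only when both truststore settings resolve."""
    if domain_aware:
        lookup = lambda name: cfg.get_for_domain(name, domainid)
    else:
        lookup = cfg.get_global  # global-only lookup the reporter suspects
    tls = bool(lookup("ldap.truststore")) and bool(lookup("ldap.truststore.password"))
    return f"{'ldaps' if tls else 'ldap'}://{host}:{port}"


def plaintext_on_ldaps_port(url):
    """Flag the symptom in the report: ldap:// scheme aimed at port 636."""
    parts = urlsplit(url)
    return parts.scheme == "ldap" and parts.port == 636


def demo():
    cfg = ScopedConfig()  # constructed sample: truststore set for one domain only
    cfg.set("ldap.truststore", "/etc/cloudstack/management/cloud.jks", DOMAIN)
    cfg.set("ldap.truststore.password", "PASSWORD", DOMAIN)
    args = (cfg, "ldapserver.mydomain", 636, DOMAIN)
    return provider_url(*args, domain_aware=False), provider_url(*args, domain_aware=True)


if __name__ == "__main__":
    for url in demo():
        print(url, "PLAINTEXT on 636" if plaintext_on_ldaps_port(url) else "ok")
```

The same scheme-and-port check can be applied to the "initializing ldap with provider url" log line to confirm whether a deployment has actually switched to LDAPS.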



[GitHub] [cloudstack] rohityadavcloud commented on issue #5712: Problem enabling LDAPS.

Posted by GitBox <gi...@apache.org>.
rohityadavcloud commented on issue #5712:
URL: https://github.com/apache/cloudstack/issues/5712#issuecomment-1004171617


   Fixed in https://github.com/apache/cloudstack/pull/5816





[GitHub] [cloudstack] DaanHoogland commented on issue #5712: Problem enabling LDAPS.

Posted by GitBox <gi...@apache.org>.
DaanHoogland commented on issue #5712:
URL: https://github.com/apache/cloudstack/issues/5712#issuecomment-1001977344


   @correajl if I make a PR on 4.16 to fix this, will you be able to test it? It seems like the fix is rather simple (but testing isn't). I'll try to add some unit tests later.





[GitHub] [cloudstack] correajl commented on issue #5712: Problem enabling LDAPS.

Posted by GitBox <gi...@apache.org>.
correajl commented on issue #5712:
URL: https://github.com/apache/cloudstack/issues/5712#issuecomment-1004032439


   Yes, I'm going to test as soon as possible.
   
   tks
   
   - JLC
   
   
   On Mon, Jan 3, 2022 at 3:52 AM sureshanaparti ***@***.***>
   wrote:
   
   > ping @correajl <https://github.com/correajl> can you test #5816
   > <https://github.com/apache/cloudstack/pull/5816> ?
   >
   > Hi @correajl <https://github.com/correajl> Can you help in testing the PR
   > #5816 <https://github.com/apache/cloudstack/pull/5816>. Thanks.
   





[GitHub] [cloudstack] rohityadavcloud closed issue #5712: Problem enabling LDAPS.

Posted by GitBox <gi...@apache.org>.
rohityadavcloud closed issue #5712:
URL: https://github.com/apache/cloudstack/issues/5712


   





[GitHub] [cloudstack] sureshanaparti commented on issue #5712: Problem enabling LDAPS.

Posted by GitBox <gi...@apache.org>.
sureshanaparti commented on issue #5712:
URL: https://github.com/apache/cloudstack/issues/5712#issuecomment-1003898733


   > ping @correajl can you test #5816 ?
   
   Hi @correajl Can you help in testing the PR #5816? Thanks.





[GitHub] [cloudstack] DaanHoogland commented on issue #5712: Problem enabling LDAPS.

Posted by GitBox <gi...@apache.org>.
DaanHoogland commented on issue #5712:
URL: https://github.com/apache/cloudstack/issues/5712#issuecomment-1002973953


   ping @correajl can you test #5816 ?

