Posted to users@cloudstack.apache.org by 不坏阿峰 <on...@gmail.com> on 2013/08/24 18:48:42 UTC

How is Cloudstack work with Active Directory

Cloudstack4.1.1
(1). I created the same user, dota, on both Active Directory and CS.
(2). I tested an LDAP query with binddn cn=dota,ou=member,dc=lab,dc=com;
it works, so the Active Directory LDAP side is ready.
(3). There are two users under ou=member,dc=lab,dc=com: dota and csuser01.
(4). I enabled integration.api.port=8096 and restarted the CS management server.

Q1: the CS log says the LDAP server is configured, but the response shown in IE
contains "false"; what should a correct response look like?

Q2: how many users have to exist on both Active Directory and CS? Only one
(the bind user for the LDAP config), with the other users created in Active
Directory just for CS use?

Q3: what changes in the UI when the LDAP configuration succeeds? Should I see
the users imported from Active Directory? Can csuser01 log in to CS? (I tried
to log in, but it failed.)


http://192.168.230.2:8096/client/api?command=ldapConfig&hostname=192.168.123.61&searchbase=OU%3Dmember%2CDC%3Dlab%2CDC%3Dcom&queryfilter=%28%26%28disPlayname%3D%25u%29%29&binddn=CN%3Ddota%2COU%3Dmember%2CDC%3Dlab%2CDC%3Dcom&bindpass=123@lab&port=389&response=json

####### Got  this response:#####
{ "ldapconfigresponse" :  { "ldapconfig" :
{"hostname":"192.168.123.61","port":"false","searchbase":"OU=member,DC=lab,DC=com","queryfilter":"(&(disPlayname=%u))","binddn":"CN=dota,OU=member,DC=lab,DC=com"}
}  }

#######  CS log  #########
2013-08-24 21:10:44,453 DEBUG
[cloud.configuration.ConfigurationManagerImpl] (ApiServer-4:null) The
ldap server is configured: 192.168.123.61

######## other thing i checked ######
(1) in CS4.1.1 ,sharedFunctions.js  , var md5HashedLogin = fals
(2) when create dota in CS, "Network Domain" i put lab.com, username i put dota

Re: How is Cloudstack work with Active Directory

Posted by 不坏阿峰 <on...@gmail.com>.
Dear  Kirk

From your post I got the PHP script that imports Active Directory users into CS.
Here is the script that runs for me; I modified it because the original
script had some mistakes.
I hope others will find it useful, and that CS 4.2 is released soon with
a good LDAP integration solution.

thanks.

###########
<?php

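// Connection settings for the directory that is the source of accounts.
// Each value can be overridden through the environment so the bind
// credential does not have to live in (or be posted with) this file; the
// literals are the defaults the original script used.
$ldaphost = getenv('LDAP_HOST') ?: "192.168.123.61";
$ldapport = (int) (getenv('LDAP_PORT') ?: 389);
$ldaprdn  = getenv('LDAP_BIND_DN') ?: 'cn=dota,ou=member,dc=lab,dc=com';
$ldappass = getenv('LDAP_BIND_PASS') ?: '123@lab';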
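/**
 * Depth-first search of $haystack for a value equal to $needle.
 *
 * Returns the key path from the outermost container down to the match as a
 * list of keys, or false when $needle is absent.  Objects (such as the
 * stdClass instances json_decode() produces for the CloudStack response
 * this script feeds in) are walked like arrays.
 *
 * Loose mode inherits PHP's == rules, so a boolean true leaf equals any
 * non-empty string needle; callers searching for a username should pass
 * $strict = true.
 *
 * @param mixed $needle   value to look for
 * @param mixed $haystack array or object to search; anything else yields false
 * @param bool  $strict   compare leaves with === instead of ==
 * @param array $path     keys already walked; prefixed to the returned path
 * @return array|false
 */
function array_searchRecursive($needle, $haystack, $strict = false, $path = array())
{
    if (is_object($haystack)) {
        $haystack = get_object_vars($haystack);
    }
    if (!is_array($haystack)) {
        return false;
    }
    foreach ($haystack as $key => $val) {
        if (is_array($val) || is_object($val)) {
            // Recurse with an empty prefix and prepend here, so $path is not
            // duplicated once per nesting level.
            $subPath = array_searchRecursive($needle, $val, $strict, array());
            if ($subPath !== false) {
                return array_merge($path, array($key), $subPath);
            }
            continue;
        }
        $matches = $strict ? ($val === $needle) : ($val == $needle);
        if ($matches) {
            $path[] = $key;
            return $path;
        }
    }
    // An explicit false rather than an implicit null: the caller tests the
    // result with === false, which never held for the original's fall-through.
    return false;
}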

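/**
 * Compute the CloudStack API signature for an already-built query string.
 *
 * The API expects HMAC-SHA1 over the sorted, lower-cased query, base64 and
 * then URL encoded; request() passes the lower-cased string in.
 *
 * @param string      $queryString query to sign
 * @param string|null $secretKey   API secret; when null, CLOUDSTACK_SECRET_KEY
 *                                 from the environment is used, falling back
 *                                 to the literal the original script shipped
 * @return string URL-encoded signature
 */
function getSignature($queryString, $secretKey = null)
{
    if ($secretKey === null) {
        // The API secret is a credential: read it from the environment so it
        // does not have to be edited into, or published with, this file.
        $secretKey = getenv('CLOUDSTACK_SECRET_KEY')
            ?: "_3DJxz7hNp4QX46u2D_Ju48NWsYtEefvOYPUj-8qjIKvpTSZd9nQsdVb-ILqUj_0Sv60fHcS-hB0vktMlJ1Kqw";
    }
    // No @-suppression: a bad algorithm name or key must not fail silently.
    $hash = hash_hmac('sha1', $queryString, $secretKey, true);
    return urlencode(base64_encode($hash));
}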
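/**
 * Call the CloudStack API and return the decoded payload of the response.
 *
 * Builds the signed query (apikey/command/response=json plus $args, sorted,
 * signed over the lower-cased string as the API requires), POSTs it to the
 * management server and unwraps "<command>response".  For list* commands
 * the inner list is returned directly when present, otherwise the response
 * object itself.  Any failure terminates the script with die(), as the
 * original did, so callers never see false or null.
 *
 * Uses PHP's http stream wrapper (needs allow_url_fopen) instead of the
 * pecl_http 1.x HttpRequest class the original depended on.
 *
 * NOTE(review): the signed API is normally served under /client/api (see the
 * ldapConfig URL earlier in this thread); the bare host:port form below is
 * what the original used — confirm it against your server.
 *
 * @param string $command CloudStack API command name, e.g. "listAccounts"
 * @param array  $args    query parameters; empty-string and null values are dropped
 * @return array|object   list of result objects, or the stdClass response
 */
function request($command, $args = array())
{
    // Endpoint and API key can be overridden from the environment; the
    // literals are the original script's defaults.  The key is a credential
    // and the endpoint a deployment detail — neither belongs edited into source.
    $cloudServer = getenv('CLOUDSTACK_SERVER') ?: "192.168.230.2:8096";
    $apiKey = getenv('CLOUDSTACK_API_KEY')
        ?: "YqMHjNVGzg6c3sH-aRpSkqHm4gSS3DMDtgicIG_MoztKlKRU9OSTZ5l50nbsVQczsWsLE28HSoT-Ljqg0N22ZA";

    // Drop parameters without a value; strict checks so a legitimate 0 or "0" is kept.
    foreach ($args as $key => $value) {
        if ($value === "" || $value === null) {
            unset($args[$key]);
        }
    }

    // Building the query.  CloudStack signs the sorted, lower-cased query and
    // expects spaces as %20, not '+' (http_build_query's default).
    $args['apikey'] = $apiKey;
    $args['command'] = $command;
    $args['response'] = "json";
    ksort($args);
    $query = str_replace("+", "%20", http_build_query($args));
    $query .= "&signature=" . getSignature(strtolower($query));

    // Plain HTTP: the API key and signature travel in the clear and land in
    // request logs, so keep this on a trusted network or put TLS in front.
    $url = "http://" . $cloudServer . "?" . $query;
    $context = stream_context_create(array(
        'http' => array(
            'method' => 'POST',
            'ignore_errors' => true, // still read 4xx/5xx bodies: they carry errortext
            'timeout' => 30,
        ),
    ));
    $body = file_get_contents($url, false, $context);

    // $http_response_header is populated by the http wrapper on success.
    $code = 0;
    if (isset($http_response_header[0])
        && preg_match('#^HTTP/\S+\s+(\d{3})#', $http_response_header[0], $statusMatch)) {
        $code = (int) $statusMatch[1];
    }
    if ($body === false || $body === "") {
        die("NO_DATA_RECEIVED");
    }

    // No @-suppression; check the decoder's own error state instead of empty().
    $result = json_decode($body);
    if (json_last_error() !== JSON_ERROR_NONE || !is_object($result)) {
        die("NO_VALID_JSON_RECEIVED");
    }

    $propertyResponse = strtolower($command) . "response";
    if (!property_exists($result, $propertyResponse)) {
        if (property_exists($result, "errorresponse")
            && property_exists($result->errorresponse, "errortext")) {
            die($result->errorresponse->errortext);
        }
        die("Unable to parse the response. Got code " . $code . " and message: " . $body);
    }
    $response = $result->{$propertyResponse};

    // list handling : most of lists are on the same pattern as listVirtualMachines :
    // { "listvirtualmachinesresponse" : { "virtualmachine" : [ ... ] } }
    if (is_object($response) && preg_match('/list(\w+)s/', strtolower($command), $listMatches)) {
        $objectName = $listMatches[1];
        if (!property_exists($response, $objectName)) {
            // sometimes, the 's' is kept, as in :
            // { "listasyncjobsresponse" : { "asyncjobs" : [ ... ] } }
            $objectName .= "s";
        }
        if (property_exists($response, $objectName) && is_array($response->{$objectName})) {
            return $response->{$objectName};
        }
    }
    return $response;
}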


// Fetch the accounts CloudStack already knows about (listall as the original
// passed it).  request() dies on any failure, so this is always populated.
$cloudAccounts = request("listAccounts", array("listall" => "true"));
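/**
 * First value of attribute $name on an ldap_get_entries() entry, or '' when
 * the entry lacks it (the original indexed blindly and emitted notices).
 *
 * @param array  $entry one element of the ldap_get_entries() result
 * @param string $name  lower-case attribute name, as ldap_get_entries() keys them
 * @return string
 */
function ldapAttribute($entry, $name)
{
    return isset($entry[$name][0]) ? $entry[$name][0] : '';
}

/**
 * Unguessable local password for an imported account (32 hex characters).
 *
 * random_bytes() is used where available; older interpreters fall back to
 * openssl_random_pseudo_bytes(), which needs the openssl extension.
 *
 * @return string
 */
function generateLocalPassword()
{
    $bytes = function_exists('random_bytes')
        ? random_bytes(16)
        : openssl_random_pseudo_bytes(16);
    return bin2hex($bytes);
}

// Connecting to LDAP.  ldap_connect() only prepares a handle; nothing is sent
// until ldap_bind(), so an unreachable host surfaces as a bind failure below.
$ldapconn = ldap_connect($ldaphost, $ldapport) or die("Could not connect to {$ldaphost}");
if ($ldapconn) {
    ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0); // AD hands out referrals a simple bind cannot follow
    // NOTE(review): port 389 without ldap_start_tls() sends the bind password
    // in clear text; use ldaps:// or StartTLS where the server supports it.
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
    if (!$ldapbind) {
        echo "LDAP bind failed...\n";
    } else {
        echo "LDAP bind successful...\n";
        $basedn = "ou=member,dc=lab,dc=com";
        // Every entry with a cn — that includes groups and computers under the
        // OU; narrow the filter (e.g. on objectClass) if the OU is not users-only.
        $filter = "(&(cn=*))";
        $search = ldap_search($ldapconn, $basedn, $filter);
        $info = ldap_get_entries($ldapconn, $search);

        // Work on a plain-array copy of the listAccounts result: json_decode()
        // produced stdClass objects, which a purely array-based recursive
        // search does not descend into, so every user would look "new".
        $knownAccounts = json_decode(json_encode($cloudAccounts), true);

        if ($info["count"] > 0) {
            echo " true\n";
            for ($i = 0; $i < $info["count"]; $i++) {
                $entry = $info[$i];
                $username = ldapAttribute($entry, "cn");
                echo "Processing user [" . $username . "]\n";

                // Strict match: with == a boolean true anywhere in the
                // response would equal any non-empty username.  Accept both
                // false and null as "not found" so either return convention
                // of the helper works.
                $found = array_searchRecursive($username, $knownAccounts, true);
                if ($found !== false && $found !== null) {
                    echo "User already exists!\n";
                    continue;
                }

                $email = ldapAttribute($entry, "mail");
                $firstname = ldapAttribute($entry, "givenname");
                $lastname = ldapAttribute($entry, "sn");
                if ($email === '' || $firstname === '' || $lastname === '') {
                    // Entries without these (typically groups or computers)
                    // would be rejected by createAccount, and request() would
                    // then die() and abort the whole run — skip them instead.
                    echo "Skipping [" . $username . "]: missing mail, givenName or sn\n";
                    continue;
                }

                // CloudStack checks its own database before LDAP (see the
                // thread), so the original's shared "password" would let anyone
                // log in as any imported user.  Give each account a random
                // local password; LDAP stays the intended login path.
                request("createAccount", array(
                    "accounttype" => "0",
                    "email" => $email,
                    "firstname" => $firstname,
                    "lastname" => $lastname,
                    "password" => generateLocalPassword(),
                    "username" => $username,
                    "networkdomain" => "lab.com",
                    "timezone" => "Etc/UTC",
                ));
                echo "Created user [" . $username . "]\n";
            }
        } else {
            echo "No users found...\n";
        }
        //Unbind
        ldap_unbind($ldapconn);
    }
}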
?>

###########

2013/8/26 不坏阿峰 <on...@gmail.com>:
> follow Ian suggestion.
> sAMAccountName=%u   , work for windows 2008 AD
>
> 2013/8/26 Kirk Jantzer <ki...@gmail.com>:
>> What Suresh is refering to is something someone is working on for a future
>> version of CS. In the current versions, I'm not aware of any global
>> settings for ldap. See this blog post about creating a script a script to
>> sync your LDAP users into CS. While this may not work for you, it is a
>> starting point on the idea behind bulk adding LDAP based users into CS.
>>
>> I take from your reply earlier that things are working as expected now??
>>
>>
>> Regards,
>>
>> Kirk Jantzer
>> http://about.me/kirkjantzer
>>
>>
>> On Mon, Aug 26, 2013 at 10:31 AM, 不坏阿峰 <on...@gmail.com> wrote:
>>
>>> i have tried search ldap from global settings before,  but can not find.
>>> my Cloudstack upgrade from 4.0.2, maybe the new database scheme not be
>>> imported ?
>>>
>>> 2013/8/26 Suresh Sadhu <Su...@citrix.com>:
>>> > IAN did  this part, please visit below link:
>>> >
>>> >  https://www.youtube.com/watch?v=-3LG8wP7Zac&hd=1
>>> >
>>> > regards
>>> > sadhu
>>> >
>>> > -----Original Message-----
>>> > From: 不坏阿峰 [mailto:onlydebian@gmail.com]
>>> > Sent: 26 August 2013 14:20
>>> > To: users@cloudstack.apache.org
>>> > Subject: Re: How is Cloudstack work with Active Directory
>>> >
>>> > thank you for your quick reply.
>>> > hope that CS4.2 can user external ldap server easily.
>>> >
>>> > and is there some script to import AD ldap user into cs ?
>>> >
>>> >
>>> >
>>> > 2013/8/26 Suresh Sadhu <Su...@citrix.com>:
>>> >> Please find my answers below:
>>> >>
>>> >>
>>> >> -----Original Message-----
>>> >> From: 不坏阿峰 [mailto:onlydebian@gmail.com]
>>> >> Sent: 26 August 2013 13:21
>>> >> To: users@cloudstack.apache.org
>>> >> Subject: Re: How is Cloudstack work with Active Directory
>>> >>
>>> >> about my Question,    when use active directory LDAP for
>>> >> authentication  ,  if i want use 3 user in AD,  i need create 3 same
>>> >> account in CS ?
>>> >>
>>> >> *******************sadhu**********
>>> >> yes ,as per the current implementation ..it requires same accounts in
>>> CS.
>>> >> ****************
>>> >> just now ,i test use dota,  this user exist both on AD and CS,  just
>>> >> different password.  i test use dota and user password in AD, can
>>> >> login.
>>> >>
>>> >> as my experience, if use a LDAP server, just need one user to bind the
>>> >> ldap,  then can query and do authentication on all user in the
>>> >> specific OU.  but CS seam some different.
>>> >>
>>> >> **************sadhu*******
>>> >> Yes you are right ,One user is enough to bind and rest of users will
>>> validate but  in CS case initial verification happens at DB level and if
>>> its  fail then authentication happens at LDAP level. due to this
>>> reason(firest ;level authentication happening in db level) you  need to
>>> create same user(like same user with different password) in CS as well.
>>> Hope this info will help.
>>> >> *********
>>> >>
>>> >> could you explain it?
>>> >>
>>> >> thanks
>>> >>
>>> >> 2013/8/26 Ian Duffy <ia...@ianduffy.ie>:
>>> >>> Try sAMAccountName=%u
>>> >>>
>>> >>>
>>> >>> On 26 August 2013 03:15, 不坏阿峰 <on...@gmail.com> wrote:
>>> >>>
>>> >>>> in AD 2008, do not have uid, so i user disPlayname=%u,    %u is the
>>> >>>> cloudstack username.
>>> >>>>
>>> >>>> i also follow this ,install cloudmoney and ldapconfig it.
>>> >>>>
>>> >>>> http://kirkjantzer.blogspot.com/2013/03/ldap-authentication-in-cloud
>>> >>>> stack-v401.html
>>> >>>>
>>> >>>> >  ldap config hostname=192.168.123.61
>>> >>>> > searchbase=ou=member,DC=lab,DC=com
>>> >>>> queryfilter=(diaplayname=%u) binddn=CN=dota,ou=member,DC=lab,DC=com
>>> >>>> bindpass=123@lab port=389
>>> >>>> ldapconfig:
>>> >>>> binddn = CN=dota,ou=member,DC=lab,DC=com hostname = 192.168.123.61
>>> >>>> port = false queryfilter = (diaplayname=%u) searchbase =
>>> >>>> ou=member,DC=lab,DC=com
>>> >>>>
>>> >>>> >> Dn: CN=dota,OU=member,DC=lab,DC=com
>>> >>>> 0> objectClass:
>>> >>>> 0> cn:
>>> >>>> 0> distinguishedName:
>>> >>>> 0> instanceType:
>>> >>>> 0> whenCreated:
>>> >>>> 0> whenChanged:
>>> >>>> 0> displayName:
>>> >>>> 0> uSNCreated:
>>> >>>> 0> uSNChanged:
>>> >>>> 0> name:
>>> >>>> 0> objectGUID:
>>> >>>> 0> userAccountControl:
>>> >>>> 0> badPwdCount:
>>> >>>> 0> codePage:
>>> >>>> 0> countryCode:
>>> >>>> 0> badPasswordTime:
>>> >>>> 0> lastLogoff:
>>> >>>> 0> lastLogon:
>>> >>>> 0> pwdLastSet:
>>> >>>> 0> primaryGroupID:
>>> >>>> 0> objectSid:
>>> >>>> 0> accountExpires:
>>> >>>> 0> logonCount:
>>> >>>> 0> sAMAccountName:
>>> >>>> 0> sAMAccountType:
>>> >>>> 0> userPrincipalName:
>>> >>>> 0> objectCategory:
>>> >>>> 0> dSCorePropagationData:
>>> >>>> 0> lastLogonTimestamp:
>>> >>>>
>>> >>>> 2013/8/25 Kirk Jantzer <ki...@gmail.com>:
>>> >>>> > It appears your queryfilter may be incorrect - You are trying to
>>> >>>> > match
>>> >>>> the
>>> >>>> > %u in CloudStack to 'disPlayname' in AD? Verify that whatever you
>>> >>>> > put
>>> >>>> into
>>> >>>> > the username field in CS matches whatever is in the 'disPlayname'
>>> >>>> > field
>>> >>>> in
>>> >>>> > AD (this can be found by opening AD Users and Computers, selecting
>>> >>>> > the
>>> >>>> menu
>>> >>>> > option to show advanced properties, then looking at the user, then
>>> >>>> clicking
>>> >>>> > the 'attributes' tab.
>>> >>>> >
>>> >>>> >
>>> >>>> > Regards,
>>> >>>> >
>>> >>>> > Kirk Jantzer
>>> >>>> > http://about.met/kirkjantzer
>>> >>>> >
>>> >>>> >
>>> >>>> > On Sat, Aug 24, 2013 at 12:48 PM, 不坏阿峰 <on...@gmail.com>
>>> wrote:
>>> >>>> >
>>> >>>> >> Cloudstack4.1.1
>>> >>>> >> (1). i create same user: dota on Active Directory and CS (2). i
>>> >>>> >> have test ldap query by binddn cn=dota,ou=member,dc=lab,dc=com,
>>> >>>> >> it is ok,so active directory ldap is ready.
>>> >>>> >> (3). have two user under  ou=member, dc=lab,dc=com: dota ,
>>> >>>> >> csuser01 (4). enable integration.api.port =8096, and restart
>>> >>>> >> CS-mangement
>>> >>>> >>
>>> >>>> >> Q1:  from the CS log, ldap server configed, but IE response
>>> >>>> >> false, what is correct information?
>>> >>>> >>
>>> >>>> >> Q2: how many user should be created on both Active Directory and
>>> CS ?
>>> >>>> >> or only one for ldap config,   active directory create other user
>>> just
>>> >>>> >> for CS use
>>> >>>> >>
>>> >>>> >> Q3: what will change in UI when ldap config success? can see
>>> >>>> >> users imported from Active Directory ? can use csuser01 to login
>>> >>>> >> CS ?(i try log in  but failure)
>>> >>>> >>
>>> >>>> >>
>>> >>>> >>
>>> >>>> >>
>>> >>>> http://192.168.230.2:8096/client/api?command=ldapConfig&hostname=192
>>> >>>> .168.123.61&searchbase=OU%3Dmember%2CDC%3Dlab%2CDC%3Dcom&queryfilter
>>> >>>> =%28%26%28disPlayname%3D%25u%29%29&binddn=CN%3Ddota%2COU%3Dmember%2C
>>> >>>> DC%3Dlab%2CDC%3Dcom&bindpass=123@lab&port=389&response=json
>>> >>>> >>
>>> >>>> >> ####### Got  this response:#####
>>> >>>> >> { "ldapconfigresponse" :  { "ldapconfig" :
>>> >>>> >>
>>> >>>> >>
>>> >>>> {"hostname":"192.168.123.61","port":"false","searchbase":"OU=member,
>>> >>>> DC=lab,DC=com","queryfilter":"(&(disPlayname=%u))","binddn":"CN=dota
>>> >>>> ,OU=member,DC=lab,DC=com"}
>>> >>>> >> }  }
>>> >>>> >>
>>> >>>> >> #######  CS log  #########
>>> >>>> >> 2013-08-24 21:10:44,453 DEBUG
>>> >>>> >> [cloud.configuration.ConfigurationManagerImpl] (ApiServer-4:null)
>>> >>>> >> The ldap server is configured: 192.168.123.61
>>> >>>> >>
>>> >>>> >> ######## other thing i checked ######
>>> >>>> >> (1) in CS4.1.1 ,sharedFunctions.js  , var md5HashedLogin = fals
>>> >>>> >> (2) when create dota in CS, "Network Domain" i put lab.com,
>>> >>>> >> username i put dota
>>> >>>> >>
>>> >>>>
>>>

Re: How is Cloudstack work with Active Directory

Posted by 不坏阿峰 <on...@gmail.com>.
Following Ian's suggestion: sAMAccountName=%u works for Windows 2008 AD.

2013/8/26 Kirk Jantzer <ki...@gmail.com>:
> What Suresh is refering to is something someone is working on for a future
> version of CS. In the current versions, I'm not aware of any global
> settings for ldap. See this blog post about creating a script a script to
> sync your LDAP users into CS. While this may not work for you, it is a
> starting point on the idea behind bulk adding LDAP based users into CS.
>
> I take from your reply earlier that things are working as expected now??
>
>
> Regards,
>
> Kirk Jantzer
> http://about.me/kirkjantzer
>
>
> On Mon, Aug 26, 2013 at 10:31 AM, 不坏阿峰 <on...@gmail.com> wrote:
>
>> i have tried search ldap from global settings before,  but can not find.
>> my Cloudstack upgrade from 4.0.2, maybe the new database scheme not be
>> imported ?
>>
>> 2013/8/26 Suresh Sadhu <Su...@citrix.com>:
>> > IAN did  this part, please visit below link:
>> >
>> >  https://www.youtube.com/watch?v=-3LG8wP7Zac&hd=1
>> >
>> > regards
>> > sadhu
>> >
>> > -----Original Message-----
>> > From: 不坏阿峰 [mailto:onlydebian@gmail.com]
>> > Sent: 26 August 2013 14:20
>> > To: users@cloudstack.apache.org
>> > Subject: Re: How is Cloudstack work with Active Directory
>> >
>> > thank you for your quick reply.
>> > hope that CS4.2 can user external ldap server easily.
>> >
>> > and is there some script to import AD ldap user into cs ?
>> >
>> >
>> >
>> > 2013/8/26 Suresh Sadhu <Su...@citrix.com>:
>> >> Please find my answers below:
>> >>
>> >>
>> >> -----Original Message-----
>> >> From: 不坏阿峰 [mailto:onlydebian@gmail.com]
>> >> Sent: 26 August 2013 13:21
>> >> To: users@cloudstack.apache.org
>> >> Subject: Re: How is Cloudstack work with Active Directory
>> >>
>> >> about my Question,    when use active directory LDAP for
>> >> authentication  ,  if i want use 3 user in AD,  i need create 3 same
>> >> account in CS ?
>> >>
>> >> *******************sadhu**********
>> >> yes ,as per the current implementation ..it requires same accounts in
>> CS.
>> >> ****************
>> >> just now ,i test use dota,  this user exist both on AD and CS,  just
>> >> different password.  i test use dota and user password in AD, can
>> >> login.
>> >>
>> >> as my experience, if use a LDAP server, just need one user to bind the
>> >> ldap,  then can query and do authentication on all user in the
>> >> specific OU.  but CS seam some different.
>> >>
>> >> **************sadhu*******
>> >> Yes you are right ,One user is enough to bind and rest of users will
>> validate but  in CS case initial verification happens at DB level and if
>> its  fail then authentication happens at LDAP level. due to this
>> reason(firest ;level authentication happening in db level) you  need to
>> create same user(like same user with different password) in CS as well.
>> Hope this info will help.
>> >> *********
>> >>
>> >> could you explain it?
>> >>
>> >> thanks
>> >>
>> >> 2013/8/26 Ian Duffy <ia...@ianduffy.ie>:
>> >>> Try sAMAccountName=%u
>> >>>
>> >>>
>> >>> On 26 August 2013 03:15, 不坏阿峰 <on...@gmail.com> wrote:
>> >>>
>> >>>> in AD 2008, do not have uid, so i user disPlayname=%u,    %u is the
>> >>>> cloudstack username.
>> >>>>
>> >>>> i also follow this ,install cloudmoney and ldapconfig it.
>> >>>>
>> >>>> http://kirkjantzer.blogspot.com/2013/03/ldap-authentication-in-cloud
>> >>>> stack-v401.html
>> >>>>
>> >>>> >  ldap config hostname=192.168.123.61
>> >>>> > searchbase=ou=member,DC=lab,DC=com
>> >>>> queryfilter=(diaplayname=%u) binddn=CN=dota,ou=member,DC=lab,DC=com
>> >>>> bindpass=123@lab port=389
>> >>>> ldapconfig:
>> >>>> binddn = CN=dota,ou=member,DC=lab,DC=com hostname = 192.168.123.61
>> >>>> port = false queryfilter = (diaplayname=%u) searchbase =
>> >>>> ou=member,DC=lab,DC=com
>> >>>>
>> >>>> >> Dn: CN=dota,OU=member,DC=lab,DC=com
>> >>>> 0> objectClass:
>> >>>> 0> cn:
>> >>>> 0> distinguishedName:
>> >>>> 0> instanceType:
>> >>>> 0> whenCreated:
>> >>>> 0> whenChanged:
>> >>>> 0> displayName:
>> >>>> 0> uSNCreated:
>> >>>> 0> uSNChanged:
>> >>>> 0> name:
>> >>>> 0> objectGUID:
>> >>>> 0> userAccountControl:
>> >>>> 0> badPwdCount:
>> >>>> 0> codePage:
>> >>>> 0> countryCode:
>> >>>> 0> badPasswordTime:
>> >>>> 0> lastLogoff:
>> >>>> 0> lastLogon:
>> >>>> 0> pwdLastSet:
>> >>>> 0> primaryGroupID:
>> >>>> 0> objectSid:
>> >>>> 0> accountExpires:
>> >>>> 0> logonCount:
>> >>>> 0> sAMAccountName:
>> >>>> 0> sAMAccountType:
>> >>>> 0> userPrincipalName:
>> >>>> 0> objectCategory:
>> >>>> 0> dSCorePropagationData:
>> >>>> 0> lastLogonTimestamp:
>> >>>>
>> >>>> 2013/8/25 Kirk Jantzer <ki...@gmail.com>:
>> >>>> > It appears your queryfilter may be incorrect - You are trying to
>> >>>> > match
>> >>>> the
>> >>>> > %u in CloudStack to 'disPlayname' in AD? Verify that whatever you
>> >>>> > put
>> >>>> into
>> >>>> > the username field in CS matches whatever is in the 'disPlayname'
>> >>>> > field
>> >>>> in
>> >>>> > AD (this can be found by opening AD Users and Computers, selecting
>> >>>> > the
>> >>>> menu
>> >>>> > option to show advanced properties, then looking at the user, then
>> >>>> clicking
>> >>>> > the 'attributes' tab.
>> >>>> >
>> >>>> >
>> >>>> > Regards,
>> >>>> >
>> >>>> > Kirk Jantzer
>> >>>> > http://about.met/kirkjantzer
>> >>>> >
>> >>>> >
>> >>>> > On Sat, Aug 24, 2013 at 12:48 PM, 不坏阿峰 <on...@gmail.com>
>> wrote:
>> >>>> >
>> >>>> >> Cloudstack4.1.1
>> >>>> >> (1). i create same user: dota on Active Directory and CS (2). i
>> >>>> >> have test ldap query by binddn cn=dota,ou=member,dc=lab,dc=com,
>> >>>> >> it is ok,so active directory ldap is ready.
>> >>>> >> (3). have two user under  ou=member, dc=lab,dc=com: dota ,
>> >>>> >> csuser01 (4). enable integration.api.port =8096, and restart
>> >>>> >> CS-mangement
>> >>>> >>
>> >>>> >> Q1:  from the CS log, ldap server configed, but IE response
>> >>>> >> false, what is correct information?
>> >>>> >>
>> >>>> >> Q2: how many user should be created on both Active Directory and
>> CS ?
>> >>>> >> or only one for ldap config,   active directory create other user
>> just
>> >>>> >> for CS use
>> >>>> >>
>> >>>> >> Q3: what will change in UI when ldap config success? can see
>> >>>> >> users imported from Active Directory ? can use csuser01 to login
>> >>>> >> CS ?(i try log in  but failure)
>> >>>> >>
>> >>>> >>
>> >>>> >>
>> >>>> >>
>> >>>> http://192.168.230.2:8096/client/api?command=ldapConfig&hostname=192
>> >>>> .168.123.61&searchbase=OU%3Dmember%2CDC%3Dlab%2CDC%3Dcom&queryfilter
>> >>>> =%28%26%28disPlayname%3D%25u%29%29&binddn=CN%3Ddota%2COU%3Dmember%2C
>> >>>> DC%3Dlab%2CDC%3Dcom&bindpass=123@lab&port=389&response=json
>> >>>> >>
>> >>>> >> ####### Got  this response:#####
>> >>>> >> { "ldapconfigresponse" :  { "ldapconfig" :
>> >>>> >>
>> >>>> >>
>> >>>> {"hostname":"192.168.123.61","port":"false","searchbase":"OU=member,
>> >>>> DC=lab,DC=com","queryfilter":"(&(disPlayname=%u))","binddn":"CN=dota
>> >>>> ,OU=member,DC=lab,DC=com"}
>> >>>> >> }  }
>> >>>> >>
>> >>>> >> #######  CS log  #########
>> >>>> >> 2013-08-24 21:10:44,453 DEBUG
>> >>>> >> [cloud.configuration.ConfigurationManagerImpl] (ApiServer-4:null)
>> >>>> >> The ldap server is configured: 192.168.123.61
>> >>>> >>
>> >>>> >> ######## other thing i checked ######
>> >>>> >> (1) in CS4.1.1 ,sharedFunctions.js  , var md5HashedLogin = fals
>> >>>> >> (2) when create dota in CS, "Network Domain" i put lab.com,
>> >>>> >> username i put dota
>> >>>> >>
>> >>>>
>>

Re: How is Cloudstack work with Active Directory

Posted by Kirk Jantzer <ki...@gmail.com>.
What Suresh is referring to is something someone is working on for a future
version of CS. In the current versions, I'm not aware of any global
settings for LDAP. See this blog post about creating a script to
sync your LDAP users into CS. While this may not work for you, it is a
starting point on the idea behind bulk-adding LDAP-based users into CS.

I take it from your earlier reply that things are working as expected now?


Regards,

Kirk Jantzer
http://about.me/kirkjantzer


On Mon, Aug 26, 2013 at 10:31 AM, 不坏阿峰 <on...@gmail.com> wrote:

> i have tried search ldap from global settings before,  but can not find.
> my Cloudstack upgrade from 4.0.2, maybe the new database scheme not be
> imported ?
>
> 2013/8/26 Suresh Sadhu <Su...@citrix.com>:
> > IAN did  this part, please visit below link:
> >
> >  https://www.youtube.com/watch?v=-3LG8wP7Zac&hd=1
> >
> > regards
> > sadhu
> >
> > -----Original Message-----
> > From: 不坏阿峰 [mailto:onlydebian@gmail.com]
> > Sent: 26 August 2013 14:20
> > To: users@cloudstack.apache.org
> > Subject: Re: How is Cloudstack work with Active Directory
> >
> > thank you for your quick reply.
> > hope that CS4.2 can user external ldap server easily.
> >
> > and is there some script to import AD ldap user into cs ?
> >
> >
> >
> > 2013/8/26 Suresh Sadhu <Su...@citrix.com>:
> >> Please find my answers below:
> >>
> >>
> >> -----Original Message-----
> >> From: 不坏阿峰 [mailto:onlydebian@gmail.com]
> >> Sent: 26 August 2013 13:21
> >> To: users@cloudstack.apache.org
> >> Subject: Re: How is Cloudstack work with Active Directory
> >>
> >> about my Question,    when use active directory LDAP for
> >> authentication  ,  if i want use 3 user in AD,  i need create 3 same
> >> account in CS ?
> >>
> >> *******************sadhu**********
> >> yes ,as per the current implementation ..it requires same accounts in
> CS.
> >> ****************
> >> just now ,i test use dota,  this user exist both on AD and CS,  just
> >> different password.  i test use dota and user password in AD, can
> >> login.
> >>
> >> as my experience, if use a LDAP server, just need one user to bind the
> >> ldap,  then can query and do authentication on all user in the
> >> specific OU.  but CS seam some different.
> >>
> >> **************sadhu*******
> >> Yes you are right ,One user is enough to bind and rest of users will
> validate but  in CS case initial verification happens at DB level and if
> its  fail then authentication happens at LDAP level. due to this
> reason(firest ;level authentication happening in db level) you  need to
> create same user(like same user with different password) in CS as well.
> Hope this info will help.
> >> *********
> >>
> >> could you explain it?
> >>
> >> thanks
> >>
> >> 2013/8/26 Ian Duffy <ia...@ianduffy.ie>:
> >>> Try sAMAccountName=%u
> >>>
> >>>
> >>> On 26 August 2013 03:15, 不坏阿峰 <on...@gmail.com> wrote:
> >>>
> >>>> in AD 2008, do not have uid, so i user disPlayname=%u,    %u is the
> >>>> cloudstack username.
> >>>>
> >>>> i also follow this ,install cloudmoney and ldapconfig it.
> >>>>
> >>>> http://kirkjantzer.blogspot.com/2013/03/ldap-authentication-in-cloud
> >>>> stack-v401.html
> >>>>
> >>>> >  ldap config hostname=192.168.123.61
> >>>> > searchbase=ou=member,DC=lab,DC=com
> >>>> queryfilter=(diaplayname=%u) binddn=CN=dota,ou=member,DC=lab,DC=com
> >>>> bindpass=123@lab port=389
> >>>> ldapconfig:
> >>>> binddn = CN=dota,ou=member,DC=lab,DC=com hostname = 192.168.123.61
> >>>> port = false queryfilter = (diaplayname=%u) searchbase =
> >>>> ou=member,DC=lab,DC=com
> >>>>
> >>>> >> Dn: CN=dota,OU=member,DC=lab,DC=com
> >>>> 0> objectClass:
> >>>> 0> cn:
> >>>> 0> distinguishedName:
> >>>> 0> instanceType:
> >>>> 0> whenCreated:
> >>>> 0> whenChanged:
> >>>> 0> displayName:
> >>>> 0> uSNCreated:
> >>>> 0> uSNChanged:
> >>>> 0> name:
> >>>> 0> objectGUID:
> >>>> 0> userAccountControl:
> >>>> 0> badPwdCount:
> >>>> 0> codePage:
> >>>> 0> countryCode:
> >>>> 0> badPasswordTime:
> >>>> 0> lastLogoff:
> >>>> 0> lastLogon:
> >>>> 0> pwdLastSet:
> >>>> 0> primaryGroupID:
> >>>> 0> objectSid:
> >>>> 0> accountExpires:
> >>>> 0> logonCount:
> >>>> 0> sAMAccountName:
> >>>> 0> sAMAccountType:
> >>>> 0> userPrincipalName:
> >>>> 0> objectCategory:
> >>>> 0> dSCorePropagationData:
> >>>> 0> lastLogonTimestamp:
> >>>>
> >>>> 2013/8/25 Kirk Jantzer <ki...@gmail.com>:
> >>>> > It appears your queryfilter may be incorrect - You are trying to
> >>>> > match
> >>>> the
> >>>> > %u in CloudStack to 'disPlayname' in AD? Verify that whatever you
> >>>> > put
> >>>> into
> >>>> > the username field in CS matches whatever is in the 'disPlayname'
> >>>> > field
> >>>> in
> >>>> > AD (this can be found by opening AD Users and Computers, selecting
> >>>> > the
> >>>> menu
> >>>> > option to show advanced properties, then looking at the user, then
> >>>> clicking
> >>>> > the 'attributes' tab.
> >>>> >
> >>>> >
> >>>> > Regards,
> >>>> >
> >>>> > Kirk Jantzer
> >>>> > http://about.met/kirkjantzer
> >>>> >
> >>>> >
> >>>> > On Sat, Aug 24, 2013 at 12:48 PM, 不坏阿峰 <on...@gmail.com>
> wrote:
> >>>> >
> >>>> >> Cloudstack4.1.1
> >>>> >> (1). i create same user: dota on Active Directory and CS (2). i
> >>>> >> have test ldap query by binddn cn=dota,ou=member,dc=lab,dc=com,
> >>>> >> it is ok,so active directory ldap is ready.
> >>>> >> (3). have two user under  ou=member, dc=lab,dc=com: dota ,
> >>>> >> csuser01 (4). enable integration.api.port =8096, and restart
> >>>> >> CS-mangement
> >>>> >>
> >>>> >> Q1:  from the CS log, ldap server configed, but IE response
> >>>> >> false, what is correct information?
> >>>> >>
> >>>> >> Q2: how many user should be created on both Active Directory and
> CS ?
> >>>> >> or only one for ldap config,   active directory create other user
> just
> >>>> >> for CS use
> >>>> >>
> >>>> >> Q3: what will change in UI when ldap config success? can see
> >>>> >> users imported from Active Directory ? can use csuser01 to login
> >>>> >> CS ?(i try log in  but failure)
> >>>> >>
> >>>> >>
> >>>> >>
> >>>> >>
> >>>> http://192.168.230.2:8096/client/api?command=ldapConfig&hostname=192
> >>>> .168.123.61&searchbase=OU%3Dmember%2CDC%3Dlab%2CDC%3Dcom&queryfilter
> >>>> =%28%26%28disPlayname%3D%25u%29%29&binddn=CN%3Ddota%2COU%3Dmember%2C
> >>>> DC%3Dlab%2CDC%3Dcom&bindpass=123@lab&port=389&response=json
> >>>> >>
> >>>> >> ####### Got  this response:#####
> >>>> >> { "ldapconfigresponse" :  { "ldapconfig" :
> >>>> >>
> >>>> >>
> >>>> {"hostname":"192.168.123.61","port":"false","searchbase":"OU=member,
> >>>> DC=lab,DC=com","queryfilter":"(&(disPlayname=%u))","binddn":"CN=dota
> >>>> ,OU=member,DC=lab,DC=com"}
> >>>> >> }  }
> >>>> >>
> >>>> >> #######  CS log  #########
> >>>> >> 2013-08-24 21:10:44,453 DEBUG
> >>>> >> [cloud.configuration.ConfigurationManagerImpl] (ApiServer-4:null)
> >>>> >> The ldap server is configured: 192.168.123.61
> >>>> >>
> >>>> >> ######## other thing i checked ######
> >>>> >> (1) in CS4.1.1 ,sharedFunctions.js  , var md5HashedLogin = fals
> >>>> >> (2) when create dota in CS, "Network Domain" i put lab.com,
> >>>> >> username i put dota
> >>>> >>
> >>>>
>

Re: How is Cloudstack work with Active Directory

Posted by 不坏阿峰 <on...@gmail.com>.
I tried searching for "ldap" in Global Settings before, but could not find it.
My CloudStack was upgraded from 4.0.2; maybe the new database schema was
not imported?

2013/8/26 Suresh Sadhu <Su...@citrix.com>:
> IAN did  this part, please visit below link:
>
>  https://www.youtube.com/watch?v=-3LG8wP7Zac&hd=1
>
> regards
> sadhu
>
> -----Original Message-----
> From: 不坏阿峰 [mailto:onlydebian@gmail.com]
> Sent: 26 August 2013 14:20
> To: users@cloudstack.apache.org
> Subject: Re: How is Cloudstack work with Active Directory
>
> thank you for your quick reply.
> hope that CS4.2 can user external ldap server easily.
>
> and is there some script to import AD ldap user into cs ?
>
>
>
> 2013/8/26 Suresh Sadhu <Su...@citrix.com>:
>> Please find my answers below:
>>
>>
>> -----Original Message-----
>> From: 不坏阿峰 [mailto:onlydebian@gmail.com]
>> Sent: 26 August 2013 13:21
>> To: users@cloudstack.apache.org
>> Subject: Re: How is Cloudstack work with Active Directory
>>
>> about my Question,    when use active directory LDAP for
>> authentication  ,  if i want use 3 user in AD,  i need create 3 same
>> account in CS ?
>>
>> *******************sadhu**********
>> Yes, as per the current implementation it requires the same accounts in CS.
>> ****************
>> just now ,i test use dota,  this user exist both on AD and CS,  just
>> different password.  i test use dota and user password in AD, can
>> login.
>>
>> as my experience, if use a LDAP server, just need one user to bind the
>> ldap,  then can query and do authentication on all user in the
>> specific OU.  but CS seam some different.
>>
>> **************sadhu*******
>> Yes, you are right: one user is enough to bind, and the rest of the users will be validated. But in the CS case the initial verification happens at the DB level, and only if that fails does authentication happen at the LDAP level. Because of this (first-level authentication happening at the DB level) you need to create the same user (same username, possibly with a different password) in CS as well. Hope this info helps.
>> *********
>>
>> could you explain it?
>>
>> thanks
>>
>> 2013/8/26 Ian Duffy <ia...@ianduffy.ie>:
>>> Try sAMAccountName=%u
>>>
>>>
>>> On 26 August 2013 03:15, 不坏阿峰 <on...@gmail.com> wrote:
>>>
>>>> in AD 2008, do not have uid, so i user disPlayname=%u,    %u is the
>>>> cloudstack username.
>>>>
>>>> i also follow this ,install cloudmoney and ldapconfig it.
>>>>
>>>> http://kirkjantzer.blogspot.com/2013/03/ldap-authentication-in-cloud
>>>> stack-v401.html
>>>>
>>>> >  ldap config hostname=192.168.123.61
>>>> > searchbase=ou=member,DC=lab,DC=com
>>>> queryfilter=(diaplayname=%u) binddn=CN=dota,ou=member,DC=lab,DC=com
>>>> bindpass=123@lab port=389
>>>> ldapconfig:
>>>> binddn = CN=dota,ou=member,DC=lab,DC=com hostname = 192.168.123.61
>>>> port = false queryfilter = (diaplayname=%u) searchbase =
>>>> ou=member,DC=lab,DC=com
>>>>
>>>> >> Dn: CN=dota,OU=member,DC=lab,DC=com
>>>> 0> objectClass:
>>>> 0> cn:
>>>> 0> distinguishedName:
>>>> 0> instanceType:
>>>> 0> whenCreated:
>>>> 0> whenChanged:
>>>> 0> displayName:
>>>> 0> uSNCreated:
>>>> 0> uSNChanged:
>>>> 0> name:
>>>> 0> objectGUID:
>>>> 0> userAccountControl:
>>>> 0> badPwdCount:
>>>> 0> codePage:
>>>> 0> countryCode:
>>>> 0> badPasswordTime:
>>>> 0> lastLogoff:
>>>> 0> lastLogon:
>>>> 0> pwdLastSet:
>>>> 0> primaryGroupID:
>>>> 0> objectSid:
>>>> 0> accountExpires:
>>>> 0> logonCount:
>>>> 0> sAMAccountName:
>>>> 0> sAMAccountType:
>>>> 0> userPrincipalName:
>>>> 0> objectCategory:
>>>> 0> dSCorePropagationData:
>>>> 0> lastLogonTimestamp:
>>>>
>>>> 2013/8/25 Kirk Jantzer <ki...@gmail.com>:
>>>> > It appears your queryfilter may be incorrect - You are trying to
>>>> > match
>>>> the
>>>> > %u in CloudStack to 'disPlayname' in AD? Verify that whatever you
>>>> > put
>>>> into
>>>> > the username field in CS matches whatever is in the 'disPlayname'
>>>> > field
>>>> in
>>>> > AD (this can be found by opening AD Users and Computers, selecting
>>>> > the
>>>> menu
>>>> > option to show advanced properties, then looking at the user, then
>>>> clicking
>>>> > the 'attributes' tab.
>>>> >
>>>> >
>>>> > Regards,
>>>> >
>>>> > Kirk Jantzer
>>>> > http://about.met/kirkjantzer
>>>> >
>>>> >
>>>> > On Sat, Aug 24, 2013 at 12:48 PM, 不坏阿峰 <on...@gmail.com> wrote:
>>>> >
>>>> >> Cloudstack4.1.1
>>>> >> (1). i create same user: dota on Active Directory and CS (2). i
>>>> >> have test ldap query by binddn cn=dota,ou=member,dc=lab,dc=com,
>>>> >> it is ok,so active directory ldap is ready.
>>>> >> (3). have two user under  ou=member, dc=lab,dc=com: dota ,
>>>> >> csuser01 (4). enable integration.api.port =8096, and restart
>>>> >> CS-mangement
>>>> >>
>>>> >> Q1:  from the CS log, ldap server configed, but IE response
>>>> >> false, what is correct information?
>>>> >>
>>>> >> Q2: how many user should be created on both Active Directory and CS ?
>>>> >> or only one for ldap config,   active directory create other user just
>>>> >> for CS use
>>>> >>
>>>> >> Q3: what will change in UI when ldap config success? can see
>>>> >> users imported from Active Directory ? can use csuser01 to login
>>>> >> CS ?(i try log in  but failure)
>>>> >>
>>>> >>
>>>> >>
>>>> >>
>>>> http://192.168.230.2:8096/client/api?command=ldapConfig&hostname=192
>>>> .168.123.61&searchbase=OU%3Dmember%2CDC%3Dlab%2CDC%3Dcom&queryfilter
>>>> =%28%26%28disPlayname%3D%25u%29%29&binddn=CN%3Ddota%2COU%3Dmember%2C
>>>> DC%3Dlab%2CDC%3Dcom&bindpass=123@lab&port=389&response=json
>>>> >>
>>>> >> ####### Got  this response:#####
>>>> >> { "ldapconfigresponse" :  { "ldapconfig" :
>>>> >>
>>>> >>
>>>> {"hostname":"192.168.123.61","port":"false","searchbase":"OU=member,
>>>> DC=lab,DC=com","queryfilter":"(&(disPlayname=%u))","binddn":"CN=dota
>>>> ,OU=member,DC=lab,DC=com"}
>>>> >> }  }
>>>> >>
>>>> >> #######  CS log  #########
>>>> >> 2013-08-24 21:10:44,453 DEBUG
>>>> >> [cloud.configuration.ConfigurationManagerImpl] (ApiServer-4:null)
>>>> >> The ldap server is configured: 192.168.123.61
>>>> >>
>>>> >> ######## other thing i checked ######
>>>> >> (1) in CS4.1.1 ,sharedFunctions.js  , var md5HashedLogin = fals
>>>> >> (2) when create dota in CS, "Network Domain" i put lab.com,
>>>> >> username i put dota
>>>> >>
>>>>

RE: How is Cloudstack work with Active Directory

Posted by Suresh Sadhu <Su...@citrix.com>.
Ian did this part; please see the link below:

 https://www.youtube.com/watch?v=-3LG8wP7Zac&hd=1

regards
sadhu

-----Original Message-----
From: 不坏阿峰 [mailto:onlydebian@gmail.com] 
Sent: 26 August 2013 14:20
To: users@cloudstack.apache.org
Subject: Re: How is Cloudstack work with Active Directory

thank you for your quick reply.
hope that CS4.2 can user external ldap server easily.

and is there some script to import AD ldap user into cs ?



2013/8/26 Suresh Sadhu <Su...@citrix.com>:
> Please find my answers below:
>
>
> -----Original Message-----
> From: 不坏阿峰 [mailto:onlydebian@gmail.com]
> Sent: 26 August 2013 13:21
> To: users@cloudstack.apache.org
> Subject: Re: How is Cloudstack work with Active Directory
>
> about my Question,    when use active directory LDAP for
> authentication  ,  if i want use 3 user in AD,  i need create 3 same 
> account in CS ?
>
> *******************sadhu**********
> yes ,as per the current implementation ..it requires same accounts in CS.
> ****************
> just now ,i test use dota,  this user exist both on AD and CS,  just 
> different password.  i test use dota and user password in AD, can 
> login.
>
> as my experience, if use a LDAP server, just need one user to bind the 
> ldap,  then can query and do authentication on all user in the 
> specific OU.  but CS seam some different.
>
> **************sadhu*******
> Yes you are right ,One user is enough to bind and rest of users will validate but  in CS case initial verification happens at DB level and if its  fail then authentication happens at LDAP level. due to this reason(firest ;level authentication happening in db level) you  need to create same user(like same user with different password) in CS as well. Hope this info will help.
> *********
>
> could you explain it?
>
> thanks
>
> 2013/8/26 Ian Duffy <ia...@ianduffy.ie>:
>> Try sAMAccountName=%u
>>
>>
>> On 26 August 2013 03:15, 不坏阿峰 <on...@gmail.com> wrote:
>>
>>> in AD 2008, do not have uid, so i user disPlayname=%u,    %u is the
>>> cloudstack username.
>>>
>>> i also follow this ,install cloudmoney and ldapconfig it.
>>>
>>> http://kirkjantzer.blogspot.com/2013/03/ldap-authentication-in-cloud
>>> stack-v401.html
>>>
>>> >  ldap config hostname=192.168.123.61 
>>> > searchbase=ou=member,DC=lab,DC=com
>>> queryfilter=(diaplayname=%u) binddn=CN=dota,ou=member,DC=lab,DC=com
>>> bindpass=123@lab port=389
>>> ldapconfig:
>>> binddn = CN=dota,ou=member,DC=lab,DC=com hostname = 192.168.123.61 
>>> port = false queryfilter = (diaplayname=%u) searchbase = 
>>> ou=member,DC=lab,DC=com
>>>
>>> >> Dn: CN=dota,OU=member,DC=lab,DC=com
>>> 0> objectClass:
>>> 0> cn:
>>> 0> distinguishedName:
>>> 0> instanceType:
>>> 0> whenCreated:
>>> 0> whenChanged:
>>> 0> displayName:
>>> 0> uSNCreated:
>>> 0> uSNChanged:
>>> 0> name:
>>> 0> objectGUID:
>>> 0> userAccountControl:
>>> 0> badPwdCount:
>>> 0> codePage:
>>> 0> countryCode:
>>> 0> badPasswordTime:
>>> 0> lastLogoff:
>>> 0> lastLogon:
>>> 0> pwdLastSet:
>>> 0> primaryGroupID:
>>> 0> objectSid:
>>> 0> accountExpires:
>>> 0> logonCount:
>>> 0> sAMAccountName:
>>> 0> sAMAccountType:
>>> 0> userPrincipalName:
>>> 0> objectCategory:
>>> 0> dSCorePropagationData:
>>> 0> lastLogonTimestamp:
>>>
>>> 2013/8/25 Kirk Jantzer <ki...@gmail.com>:
>>> > It appears your queryfilter may be incorrect - You are trying to 
>>> > match
>>> the
>>> > %u in CloudStack to 'disPlayname' in AD? Verify that whatever you 
>>> > put
>>> into
>>> > the username field in CS matches whatever is in the 'disPlayname' 
>>> > field
>>> in
>>> > AD (this can be found by opening AD Users and Computers, selecting 
>>> > the
>>> menu
>>> > option to show advanced properties, then looking at the user, then
>>> clicking
>>> > the 'attributes' tab.
>>> >
>>> >
>>> > Regards,
>>> >
>>> > Kirk Jantzer
>>> > http://about.met/kirkjantzer
>>> >
>>> >
>>> > On Sat, Aug 24, 2013 at 12:48 PM, 不坏阿峰 <on...@gmail.com> wrote:
>>> >
>>> >> Cloudstack4.1.1
>>> >> (1). i create same user: dota on Active Directory and CS (2). i 
>>> >> have test ldap query by binddn cn=dota,ou=member,dc=lab,dc=com, 
>>> >> it is ok,so active directory ldap is ready.
>>> >> (3). have two user under  ou=member, dc=lab,dc=com: dota , 
>>> >> csuser01 (4). enable integration.api.port =8096, and restart 
>>> >> CS-mangement
>>> >>
>>> >> Q1:  from the CS log, ldap server configed, but IE response  
>>> >> false, what is correct information?
>>> >>
>>> >> Q2: how many user should be created on both Active Directory and CS ?
>>> >> or only one for ldap config,   active directory create other user just
>>> >> for CS use
>>> >>
>>> >> Q3: what will change in UI when ldap config success? can see  
>>> >> users imported from Active Directory ? can use csuser01 to login 
>>> >> CS ?(i try log in  but failure)
>>> >>
>>> >>
>>> >>
>>> >>
>>> http://192.168.230.2:8096/client/api?command=ldapConfig&hostname=192
>>> .168.123.61&searchbase=OU%3Dmember%2CDC%3Dlab%2CDC%3Dcom&queryfilter
>>> =%28%26%28disPlayname%3D%25u%29%29&binddn=CN%3Ddota%2COU%3Dmember%2C
>>> DC%3Dlab%2CDC%3Dcom&bindpass=123@lab&port=389&response=json
>>> >>
>>> >> ####### Got  this response:#####
>>> >> { "ldapconfigresponse" :  { "ldapconfig" :
>>> >>
>>> >>
>>> {"hostname":"192.168.123.61","port":"false","searchbase":"OU=member,
>>> DC=lab,DC=com","queryfilter":"(&(disPlayname=%u))","binddn":"CN=dota
>>> ,OU=member,DC=lab,DC=com"}
>>> >> }  }
>>> >>
>>> >> #######  CS log  #########
>>> >> 2013-08-24 21:10:44,453 DEBUG
>>> >> [cloud.configuration.ConfigurationManagerImpl] (ApiServer-4:null) 
>>> >> The ldap server is configured: 192.168.123.61
>>> >>
>>> >> ######## other thing i checked ######
>>> >> (1) in CS4.1.1 ,sharedFunctions.js  , var md5HashedLogin = fals
>>> >> (2) when create dota in CS, "Network Domain" i put lab.com, 
>>> >> username i put dota
>>> >>
>>>

Re: How is Cloudstack work with Active Directory

Posted by 不坏阿峰 <on...@gmail.com>.
Thank you for your quick reply.
I hope that CS 4.2 can use an external LDAP server more easily.

Is there a script to import AD/LDAP users into CS?



2013/8/26 Suresh Sadhu <Su...@citrix.com>:
> Please find my answers below:
>
>
> -----Original Message-----
> From: 不坏阿峰 [mailto:onlydebian@gmail.com]
> Sent: 26 August 2013 13:21
> To: users@cloudstack.apache.org
> Subject: Re: How is Cloudstack work with Active Directory
>
> about my Question,    when use active directory LDAP for
> authentication  ,  if i want use 3 user in AD,  i need create 3 same
> account in CS ?
>
> *******************sadhu**********
> yes ,as per the current implementation ..it requires same accounts in CS.
> ****************
> just now ,i test use dota,  this user exist both on AD and CS,  just
> different password.  i test use dota and user password in AD, can
> login.
>
> as my experience, if use a LDAP server, just need one user to bind the
> ldap,  then can query and do authentication on all user in the
> specific OU.  but CS seam some different.
>
> **************sadhu*******
> Yes you are right ,One user is enough to bind and rest of users will validate but  in CS case initial verification happens at DB level and if its  fail then authentication happens at LDAP level. due to this reason(firest ;level authentication happening in db level) you  need to create same user(like same user with different password) in CS as well. Hope this info will help.
> *********
>
> could you explain it?
>
> thanks
>
> 2013/8/26 Ian Duffy <ia...@ianduffy.ie>:
>> Try sAMAccountName=%u
>>
>>
>> On 26 August 2013 03:15, 不坏阿峰 <on...@gmail.com> wrote:
>>
>>> in AD 2008, do not have uid, so i user disPlayname=%u,    %u is the
>>> cloudstack username.
>>>
>>> i also follow this ,install cloudmoney and ldapconfig it.
>>>
>>> http://kirkjantzer.blogspot.com/2013/03/ldap-authentication-in-cloudstack-v401.html
>>>
>>> >  ldap config hostname=192.168.123.61 searchbase=ou=member,DC=lab,DC=com
>>> queryfilter=(diaplayname=%u) binddn=CN=dota,ou=member,DC=lab,DC=com
>>> bindpass=123@lab port=389
>>> ldapconfig:
>>> binddn = CN=dota,ou=member,DC=lab,DC=com
>>> hostname = 192.168.123.61
>>> port = false
>>> queryfilter = (diaplayname=%u)
>>> searchbase = ou=member,DC=lab,DC=com
>>>
>>> >> Dn: CN=dota,OU=member,DC=lab,DC=com
>>> 0> objectClass:
>>> 0> cn:
>>> 0> distinguishedName:
>>> 0> instanceType:
>>> 0> whenCreated:
>>> 0> whenChanged:
>>> 0> displayName:
>>> 0> uSNCreated:
>>> 0> uSNChanged:
>>> 0> name:
>>> 0> objectGUID:
>>> 0> userAccountControl:
>>> 0> badPwdCount:
>>> 0> codePage:
>>> 0> countryCode:
>>> 0> badPasswordTime:
>>> 0> lastLogoff:
>>> 0> lastLogon:
>>> 0> pwdLastSet:
>>> 0> primaryGroupID:
>>> 0> objectSid:
>>> 0> accountExpires:
>>> 0> logonCount:
>>> 0> sAMAccountName:
>>> 0> sAMAccountType:
>>> 0> userPrincipalName:
>>> 0> objectCategory:
>>> 0> dSCorePropagationData:
>>> 0> lastLogonTimestamp:
>>>
>>> 2013/8/25 Kirk Jantzer <ki...@gmail.com>:
>>> > It appears your queryfilter may be incorrect - You are trying to match
>>> the
>>> > %u in CloudStack to 'disPlayname' in AD? Verify that whatever you put
>>> into
>>> > the username field in CS matches whatever is in the 'disPlayname' field
>>> in
>>> > AD (this can be found by opening AD Users and Computers, selecting the
>>> menu
>>> > option to show advanced properties, then looking at the user, then
>>> clicking
>>> > the 'attributes' tab.
>>> >
>>> >
>>> > Regards,
>>> >
>>> > Kirk Jantzer
>>> > http://about.met/kirkjantzer
>>> >
>>> >
>>> > On Sat, Aug 24, 2013 at 12:48 PM, 不坏阿峰 <on...@gmail.com> wrote:
>>> >
>>> >> Cloudstack4.1.1
>>> >> (1). i create same user: dota on Active Directory and CS
>>> >> (2). i have test ldap query by binddn cn=dota,ou=member,dc=lab,dc=com,
>>> >> it is ok,so active directory ldap is ready.
>>> >> (3). have two user under  ou=member, dc=lab,dc=com: dota , csuser01
>>> >> (4). enable integration.api.port =8096, and restart CS-mangement
>>> >>
>>> >> Q1:  from the CS log, ldap server configed, but IE response  false,
>>> >> what is correct information?
>>> >>
>>> >> Q2: how many user should be created on both Active Directory and CS ?
>>> >> or only one for ldap config,   active directory create other user just
>>> >> for CS use
>>> >>
>>> >> Q3: what will change in UI when ldap config success? can see  users
>>> >> imported from Active Directory ? can use csuser01 to login CS ?(i try
>>> >> log in  but failure)
>>> >>
>>> >>
>>> >>
>>> >>
>>> http://192.168.230.2:8096/client/api?command=ldapConfig&hostname=192.168.123.61&searchbase=OU%3Dmember%2CDC%3Dlab%2CDC%3Dcom&queryfilter=%28%26%28disPlayname%3D%25u%29%29&binddn=CN%3Ddota%2COU%3Dmember%2CDC%3Dlab%2CDC%3Dcom&bindpass=123@lab&port=389&response=json
>>> >>
>>> >> ####### Got  this response:#####
>>> >> { "ldapconfigresponse" :  { "ldapconfig" :
>>> >>
>>> >>
>>> {"hostname":"192.168.123.61","port":"false","searchbase":"OU=member,DC=lab,DC=com","queryfilter":"(&(disPlayname=%u))","binddn":"CN=dota,OU=member,DC=lab,DC=com"}
>>> >> }  }
>>> >>
>>> >> #######  CS log  #########
>>> >> 2013-08-24 21:10:44,453 DEBUG
>>> >> [cloud.configuration.ConfigurationManagerImpl] (ApiServer-4:null) The
>>> >> ldap server is configured: 192.168.123.61
>>> >>
>>> >> ######## other thing i checked ######
>>> >> (1) in CS4.1.1 ,sharedFunctions.js  , var md5HashedLogin = fals
>>> >> (2) when create dota in CS, "Network Domain" i put lab.com, username i
>>> >> put dota
>>> >>
>>>

RE: How is Cloudstack work with Active Directory

Posted by Suresh Sadhu <Su...@citrix.com>.
Please find my answers below:


-----Original Message-----
From: 不坏阿峰 [mailto:onlydebian@gmail.com] 
Sent: 26 August 2013 13:21
To: users@cloudstack.apache.org
Subject: Re: How is Cloudstack work with Active Directory

about my Question,    when use active directory LDAP for
authentication  ,  if i want use 3 user in AD,  i need create 3 same
account in CS ?

*******************sadhu**********
Yes. As per the current implementation, the same accounts must also exist in CS.
****************
just now ,i test use dota,  this user exist both on AD and CS,  just
different password.  i test use dota and user password in AD, can
login.

as my experience, if use a LDAP server, just need one user to bind the
ldap,  then can query and do authentication on all user in the
specific OU.  but CS seam some different.

**************sadhu*******
Yes, you are right: one bind user is enough to bind to the directory, and the rest of the users are validated through it. In the CS case, however, the initial verification happens at the DB level, and only if that fails does authentication happen at the LDAP level. Because the first-level check is done against the DB, you need to create the same user (same username, possibly with a different password) in CS as well. Note the security implication of this order: as long as the local CS user still has a password in the DB, that local password remains a valid login alongside the AD password, so disabling or changing the account in AD does not by itself block that user from logging in to CS. Hope this info helps.
*********

could you explain it?

thanks

2013/8/26 Ian Duffy <ia...@ianduffy.ie>:
> Try sAMAccountName=%u
>
>
> On 26 August 2013 03:15, 不坏阿峰 <on...@gmail.com> wrote:
>
>> in AD 2008, do not have uid, so i user disPlayname=%u,    %u is the
>> cloudstack username.
>>
>> i also follow this ,install cloudmoney and ldapconfig it.
>>
>> http://kirkjantzer.blogspot.com/2013/03/ldap-authentication-in-cloudstack-v401.html
>>
>> >  ldap config hostname=192.168.123.61 searchbase=ou=member,DC=lab,DC=com
>> queryfilter=(diaplayname=%u) binddn=CN=dota,ou=member,DC=lab,DC=com
>> bindpass=123@lab port=389
>> ldapconfig:
>> binddn = CN=dota,ou=member,DC=lab,DC=com
>> hostname = 192.168.123.61
>> port = false
>> queryfilter = (diaplayname=%u)
>> searchbase = ou=member,DC=lab,DC=com
>>
>> >> Dn: CN=dota,OU=member,DC=lab,DC=com
>> 0> objectClass:
>> 0> cn:
>> 0> distinguishedName:
>> 0> instanceType:
>> 0> whenCreated:
>> 0> whenChanged:
>> 0> displayName:
>> 0> uSNCreated:
>> 0> uSNChanged:
>> 0> name:
>> 0> objectGUID:
>> 0> userAccountControl:
>> 0> badPwdCount:
>> 0> codePage:
>> 0> countryCode:
>> 0> badPasswordTime:
>> 0> lastLogoff:
>> 0> lastLogon:
>> 0> pwdLastSet:
>> 0> primaryGroupID:
>> 0> objectSid:
>> 0> accountExpires:
>> 0> logonCount:
>> 0> sAMAccountName:
>> 0> sAMAccountType:
>> 0> userPrincipalName:
>> 0> objectCategory:
>> 0> dSCorePropagationData:
>> 0> lastLogonTimestamp:
>>
>> 2013/8/25 Kirk Jantzer <ki...@gmail.com>:
>> > It appears your queryfilter may be incorrect - You are trying to match
>> the
>> > %u in CloudStack to 'disPlayname' in AD? Verify that whatever you put
>> into
>> > the username field in CS matches whatever is in the 'disPlayname' field
>> in
>> > AD (this can be found by opening AD Users and Computers, selecting the
>> menu
>> > option to show advanced properties, then looking at the user, then
>> clicking
>> > the 'attributes' tab.
>> >
>> >
>> > Regards,
>> >
>> > Kirk Jantzer
>> > http://about.met/kirkjantzer
>> >
>> >
>> > On Sat, Aug 24, 2013 at 12:48 PM, 不坏阿峰 <on...@gmail.com> wrote:
>> >
>> >> Cloudstack4.1.1
>> >> (1). i create same user: dota on Active Directory and CS
>> >> (2). i have test ldap query by binddn cn=dota,ou=member,dc=lab,dc=com,
>> >> it is ok,so active directory ldap is ready.
>> >> (3). have two user under  ou=member, dc=lab,dc=com: dota , csuser01
>> >> (4). enable integration.api.port =8096, and restart CS-mangement
>> >>
>> >> Q1:  from the CS log, ldap server configed, but IE response  false,
>> >> what is correct information?
>> >>
>> >> Q2: how many user should be created on both Active Directory and CS ?
>> >> or only one for ldap config,   active directory create other user just
>> >> for CS use
>> >>
>> >> Q3: what will change in UI when ldap config success? can see  users
>> >> imported from Active Directory ? can use csuser01 to login CS ?(i try
>> >> log in  but failure)
>> >>
>> >>
>> >>
>> >>
>> http://192.168.230.2:8096/client/api?command=ldapConfig&hostname=192.168.123.61&searchbase=OU%3Dmember%2CDC%3Dlab%2CDC%3Dcom&queryfilter=%28%26%28disPlayname%3D%25u%29%29&binddn=CN%3Ddota%2COU%3Dmember%2CDC%3Dlab%2CDC%3Dcom&bindpass=123@lab&port=389&response=json
>> >>
>> >> ####### Got  this response:#####
>> >> { "ldapconfigresponse" :  { "ldapconfig" :
>> >>
>> >>
>> {"hostname":"192.168.123.61","port":"false","searchbase":"OU=member,DC=lab,DC=com","queryfilter":"(&(disPlayname=%u))","binddn":"CN=dota,OU=member,DC=lab,DC=com"}
>> >> }  }
>> >>
>> >> #######  CS log  #########
>> >> 2013-08-24 21:10:44,453 DEBUG
>> >> [cloud.configuration.ConfigurationManagerImpl] (ApiServer-4:null) The
>> >> ldap server is configured: 192.168.123.61
>> >>
>> >> ######## other thing i checked ######
>> >> (1) in CS4.1.1 ,sharedFunctions.js  , var md5HashedLogin = fals
>> >> (2) when create dota in CS, "Network Domain" i put lab.com, username i
>> >> put dota
>> >>
>>

Re: How is Cloudstack work with Active Directory

Posted by 不坏阿峰 <on...@gmail.com>.
About my question: when using Active Directory LDAP for
authentication, if I want to use 3 users from AD, do I need to create the same 3
accounts in CS?

Just now I tested with dota; this user exists both in AD and in CS, but
with different passwords. I tested logging in as dota with the AD password, and it
worked.

In my experience, when using an LDAP server you only need one user to bind to
the directory; it can then query and authenticate all users in the
specified OU. But CS seems to work differently.

could you explain it?

thanks

2013/8/26 Ian Duffy <ia...@ianduffy.ie>:
> Try sAMAccountName=%u
>
>
> On 26 August 2013 03:15, 不坏阿峰 <on...@gmail.com> wrote:
>
>> in AD 2008, do not have uid, so i user disPlayname=%u,    %u is the
>> cloudstack username.
>>
>> i also follow this ,install cloudmoney and ldapconfig it.
>>
>> http://kirkjantzer.blogspot.com/2013/03/ldap-authentication-in-cloudstack-v401.html
>>
>> >  ldap config hostname=192.168.123.61 searchbase=ou=member,DC=lab,DC=com
>> queryfilter=(diaplayname=%u) binddn=CN=dota,ou=member,DC=lab,DC=com
>> bindpass=123@lab port=389
>> ldapconfig:
>> binddn = CN=dota,ou=member,DC=lab,DC=com
>> hostname = 192.168.123.61
>> port = false
>> queryfilter = (diaplayname=%u)
>> searchbase = ou=member,DC=lab,DC=com
>>
>> >> Dn: CN=dota,OU=member,DC=lab,DC=com
>> 0> objectClass:
>> 0> cn:
>> 0> distinguishedName:
>> 0> instanceType:
>> 0> whenCreated:
>> 0> whenChanged:
>> 0> displayName:
>> 0> uSNCreated:
>> 0> uSNChanged:
>> 0> name:
>> 0> objectGUID:
>> 0> userAccountControl:
>> 0> badPwdCount:
>> 0> codePage:
>> 0> countryCode:
>> 0> badPasswordTime:
>> 0> lastLogoff:
>> 0> lastLogon:
>> 0> pwdLastSet:
>> 0> primaryGroupID:
>> 0> objectSid:
>> 0> accountExpires:
>> 0> logonCount:
>> 0> sAMAccountName:
>> 0> sAMAccountType:
>> 0> userPrincipalName:
>> 0> objectCategory:
>> 0> dSCorePropagationData:
>> 0> lastLogonTimestamp:
>>
>> 2013/8/25 Kirk Jantzer <ki...@gmail.com>:
>> > It appears your queryfilter may be incorrect - You are trying to match
>> the
>> > %u in CloudStack to 'disPlayname' in AD? Verify that whatever you put
>> into
>> > the username field in CS matches whatever is in the 'disPlayname' field
>> in
>> > AD (this can be found by opening AD Users and Computers, selecting the
>> menu
>> > option to show advanced properties, then looking at the user, then
>> clicking
>> > the 'attributes' tab.
>> >
>> >
>> > Regards,
>> >
>> > Kirk Jantzer
>> > http://about.met/kirkjantzer
>> >
>> >
>> > On Sat, Aug 24, 2013 at 12:48 PM, 不坏阿峰 <on...@gmail.com> wrote:
>> >
>> >> Cloudstack4.1.1
>> >> (1). i create same user: dota on Active Directory and CS
>> >> (2). i have test ldap query by binddn cn=dota,ou=member,dc=lab,dc=com,
>> >> it is ok,so active directory ldap is ready.
>> >> (3). have two user under  ou=member, dc=lab,dc=com: dota , csuser01
>> >> (4). enable integration.api.port =8096, and restart CS-mangement
>> >>
>> >> Q1:  from the CS log, ldap server configed, but IE response  false,
>> >> what is correct information?
>> >>
>> >> Q2: how many user should be created on both Active Directory and CS ?
>> >> or only one for ldap config,   active directory create other user just
>> >> for CS use
>> >>
>> >> Q3: what will change in UI when ldap config success? can see  users
>> >> imported from Active Directory ? can use csuser01 to login CS ?(i try
>> >> log in  but failure)
>> >>
>> >>
>> >>
>> >>
>> http://192.168.230.2:8096/client/api?command=ldapConfig&hostname=192.168.123.61&searchbase=OU%3Dmember%2CDC%3Dlab%2CDC%3Dcom&queryfilter=%28%26%28disPlayname%3D%25u%29%29&binddn=CN%3Ddota%2COU%3Dmember%2CDC%3Dlab%2CDC%3Dcom&bindpass=123@lab&port=389&response=json
>> >>
>> >> ####### Got  this response:#####
>> >> { "ldapconfigresponse" :  { "ldapconfig" :
>> >>
>> >>
>> {"hostname":"192.168.123.61","port":"false","searchbase":"OU=member,DC=lab,DC=com","queryfilter":"(&(disPlayname=%u))","binddn":"CN=dota,OU=member,DC=lab,DC=com"}
>> >> }  }
>> >>
>> >> #######  CS log  #########
>> >> 2013-08-24 21:10:44,453 DEBUG
>> >> [cloud.configuration.ConfigurationManagerImpl] (ApiServer-4:null) The
>> >> ldap server is configured: 192.168.123.61
>> >>
>> >> ######## other thing i checked ######
>> >> (1) in CS4.1.1 ,sharedFunctions.js  , var md5HashedLogin = fals
>> >> (2) when create dota in CS, "Network Domain" i put lab.com, username i
>> >> put dota
>> >>
>>

Re: How is Cloudstack work with Active Directory

Posted by Ian Duffy <ia...@ianduffy.ie>.
Try sAMAccountName=%u. Also note that the filter CloudStack echoed back reads `(diaplayname=%u)`, which is misspelled and does not match the `displayName` attribute shown in your dump, so that filter is unlikely to match any user.


On 26 August 2013 03:15, 不坏阿峰 <on...@gmail.com> wrote:

> in AD 2008, do not have uid, so i user disPlayname=%u,    %u is the
> cloudstack username.
>
> i also follow this ,install cloudmoney and ldapconfig it.
>
> http://kirkjantzer.blogspot.com/2013/03/ldap-authentication-in-cloudstack-v401.html
>
> >  ldap config hostname=192.168.123.61 searchbase=ou=member,DC=lab,DC=com
> queryfilter=(diaplayname=%u) binddn=CN=dota,ou=member,DC=lab,DC=com
> bindpass=123@lab port=389
> ldapconfig:
> binddn = CN=dota,ou=member,DC=lab,DC=com
> hostname = 192.168.123.61
> port = false
> queryfilter = (diaplayname=%u)
> searchbase = ou=member,DC=lab,DC=com
>
> >> Dn: CN=dota,OU=member,DC=lab,DC=com
> 0> objectClass:
> 0> cn:
> 0> distinguishedName:
> 0> instanceType:
> 0> whenCreated:
> 0> whenChanged:
> 0> displayName:
> 0> uSNCreated:
> 0> uSNChanged:
> 0> name:
> 0> objectGUID:
> 0> userAccountControl:
> 0> badPwdCount:
> 0> codePage:
> 0> countryCode:
> 0> badPasswordTime:
> 0> lastLogoff:
> 0> lastLogon:
> 0> pwdLastSet:
> 0> primaryGroupID:
> 0> objectSid:
> 0> accountExpires:
> 0> logonCount:
> 0> sAMAccountName:
> 0> sAMAccountType:
> 0> userPrincipalName:
> 0> objectCategory:
> 0> dSCorePropagationData:
> 0> lastLogonTimestamp:
>
> 2013/8/25 Kirk Jantzer <ki...@gmail.com>:
> > It appears your queryfilter may be incorrect - You are trying to match
> the
> > %u in CloudStack to 'disPlayname' in AD? Verify that whatever you put
> into
> > the username field in CS matches whatever is in the 'disPlayname' field
> in
> > AD (this can be found by opening AD Users and Computers, selecting the
> menu
> > option to show advanced properties, then looking at the user, then
> clicking
> > the 'attributes' tab.
> >
> >
> > Regards,
> >
> > Kirk Jantzer
> > http://about.met/kirkjantzer
> >
> >
> > On Sat, Aug 24, 2013 at 12:48 PM, 不坏阿峰 <on...@gmail.com> wrote:
> >
> >> Cloudstack4.1.1
> >> (1). i create same user: dota on Active Directory and CS
> >> (2). i have test ldap query by binddn cn=dota,ou=member,dc=lab,dc=com,
> >> it is ok,so active directory ldap is ready.
> >> (3). have two user under  ou=member, dc=lab,dc=com: dota , csuser01
> >> (4). enable integration.api.port =8096, and restart CS-mangement
> >>
> >> Q1:  from the CS log, ldap server configed, but IE response  false,
> >> what is correct information?
> >>
> >> Q2: how many user should be created on both Active Directory and CS ?
> >> or only one for ldap config,   active directory create other user just
> >> for CS use
> >>
> >> Q3: what will change in UI when ldap config success? can see  users
> >> imported from Active Directory ? can use csuser01 to login CS ?(i try
> >> log in  but failure)
> >>
> >>
> >>
> >>
> http://192.168.230.2:8096/client/api?command=ldapConfig&hostname=192.168.123.61&searchbase=OU%3Dmember%2CDC%3Dlab%2CDC%3Dcom&queryfilter=%28%26%28disPlayname%3D%25u%29%29&binddn=CN%3Ddota%2COU%3Dmember%2CDC%3Dlab%2CDC%3Dcom&bindpass=123@lab&port=389&response=json
> >>
> >> ####### Got  this response:#####
> >> { "ldapconfigresponse" :  { "ldapconfig" :
> >>
> >>
> {"hostname":"192.168.123.61","port":"false","searchbase":"OU=member,DC=lab,DC=com","queryfilter":"(&(disPlayname=%u))","binddn":"CN=dota,OU=member,DC=lab,DC=com"}
> >> }  }
> >>
> >> #######  CS log  #########
> >> 2013-08-24 21:10:44,453 DEBUG
> >> [cloud.configuration.ConfigurationManagerImpl] (ApiServer-4:null) The
> >> ldap server is configured: 192.168.123.61
> >>
> >> ######## other thing i checked ######
> >> (1) in CS4.1.1 ,sharedFunctions.js  , var md5HashedLogin = fals
> >> (2) when create dota in CS, "Network Domain" i put lab.com, username i
> >> put dota
> >>
>

Re: How is Cloudstack work with Active Directory

Posted by 不坏阿峰 <on...@gmail.com>.
In AD 2008 there is no uid attribute, so I used disPlayname=%u, where %u is the
CloudStack username.

I also followed this guide, installed cloudmonkey and ran ldapConfig with it:
http://kirkjantzer.blogspot.com/2013/03/ldap-authentication-in-cloudstack-v401.html

>  ldap config hostname=192.168.123.61 searchbase=ou=member,DC=lab,DC=com queryfilter=(diaplayname=%u) binddn=CN=dota,ou=member,DC=lab,DC=com bindpass=123@lab port=389
ldapconfig:
binddn = CN=dota,ou=member,DC=lab,DC=com
hostname = 192.168.123.61
port = false
queryfilter = (diaplayname=%u)
searchbase = ou=member,DC=lab,DC=com

>> Dn: CN=dota,OU=member,DC=lab,DC=com
0> objectClass:
0> cn:
0> distinguishedName:
0> instanceType:
0> whenCreated:
0> whenChanged:
0> displayName:
0> uSNCreated:
0> uSNChanged:
0> name:
0> objectGUID:
0> userAccountControl:
0> badPwdCount:
0> codePage:
0> countryCode:
0> badPasswordTime:
0> lastLogoff:
0> lastLogon:
0> pwdLastSet:
0> primaryGroupID:
0> objectSid:
0> accountExpires:
0> logonCount:
0> sAMAccountName:
0> sAMAccountType:
0> userPrincipalName:
0> objectCategory:
0> dSCorePropagationData:
0> lastLogonTimestamp:

2013/8/25 Kirk Jantzer <ki...@gmail.com>:
> It appears your queryfilter may be incorrect - You are trying to match the
> %u in CloudStack to 'disPlayname' in AD? Verify that whatever you put into
> the username field in CS matches whatever is in the 'disPlayname' field in
> AD (this can be found by opening AD Users and Computers, selecting the menu
> option to show advanced properties, then looking at the user, then clicking
> the 'attributes' tab.
>
>
> Regards,
>
> Kirk Jantzer
> http://about.met/kirkjantzer
>
>
> On Sat, Aug 24, 2013 at 12:48 PM, 不坏阿峰 <on...@gmail.com> wrote:
>
>> Cloudstack4.1.1
>> (1). i create same user: dota on Active Directory and CS
>> (2). i have test ldap query by binddn cn=dota,ou=member,dc=lab,dc=com,
>> it is ok,so active directory ldap is ready.
>> (3). have two user under  ou=member, dc=lab,dc=com: dota , csuser01
>> (4). enable integration.api.port =8096, and restart CS-mangement
>>
>> Q1:  from the CS log, ldap server configed, but IE response  false,
>> what is correct information?
>>
>> Q2: how many user should be created on both Active Directory and CS ?
>> or only one for ldap config,   active directory create other user just
>> for CS use
>>
>> Q3: what will change in UI when ldap config success? can see  users
>> imported from Active Directory ? can use csuser01 to login CS ?(i try
>> log in  but failure)
>>
>>
>>
>> http://192.168.230.2:8096/client/api?command=ldapConfig&hostname=192.168.123.61&searchbase=OU%3Dmember%2CDC%3Dlab%2CDC%3Dcom&queryfilter=%28%26%28disPlayname%3D%25u%29%29&binddn=CN%3Ddota%2COU%3Dmember%2CDC%3Dlab%2CDC%3Dcom&bindpass=123@lab&port=389&response=json
>>
>> ####### Got  this response:#####
>> { "ldapconfigresponse" :  { "ldapconfig" :
>>
>> {"hostname":"192.168.123.61","port":"false","searchbase":"OU=member,DC=lab,DC=com","queryfilter":"(&(disPlayname=%u))","binddn":"CN=dota,OU=member,DC=lab,DC=com"}
>> }  }
>>
>> #######  CS log  #########
>> 2013-08-24 21:10:44,453 DEBUG
>> [cloud.configuration.ConfigurationManagerImpl] (ApiServer-4:null) The
>> ldap server is configured: 192.168.123.61
>>
>> ######## other thing i checked ######
>> (1) in CS4.1.1 ,sharedFunctions.js  , var md5HashedLogin = fals
>> (2) when create dota in CS, "Network Domain" i put lab.com, username i
>> put dota
>>

Re: How is Cloudstack work with Active Directory

Posted by Kirk Jantzer <ki...@gmail.com>.
It appears your queryfilter may be incorrect: you are trying to match the
%u from CloudStack against the 'disPlayname' attribute in AD. Verify that whatever you put into
the username field in CS matches exactly what is in the 'disPlayname' attribute in
AD (you can find this by opening AD Users and Computers, selecting the menu
option to show advanced features, opening the user, and then clicking
the 'attributes' tab).


Regards,

Kirk Jantzer
http://about.met/kirkjantzer


On Sat, Aug 24, 2013 at 12:48 PM, 不坏阿峰 <on...@gmail.com> wrote:

> Cloudstack4.1.1
> (1). i create same user: dota on Active Directory and CS
> (2). i have test ldap query by binddn cn=dota,ou=member,dc=lab,dc=com,
> it is ok,so active directory ldap is ready.
> (3). have two user under  ou=member, dc=lab,dc=com: dota , csuser01
> (4). enable integration.api.port =8096, and restart CS-mangement
>
> Q1:  from the CS log, ldap server configed, but IE response  false,
> what is correct information?
>
> Q2: how many user should be created on both Active Directory and CS ?
> or only one for ldap config,   active directory create other user just
> for CS use
>
> Q3: what will change in UI when ldap config success? can see  users
> imported from Active Directory ? can use csuser01 to login CS ?(i try
> log in  but failure)
>
>
>
> http://192.168.230.2:8096/client/api?command=ldapConfig&hostname=192.168.123.61&searchbase=OU%3Dmember%2CDC%3Dlab%2CDC%3Dcom&queryfilter=%28%26%28disPlayname%3D%25u%29%29&binddn=CN%3Ddota%2COU%3Dmember%2CDC%3Dlab%2CDC%3Dcom&bindpass=123@lab&port=389&response=json
>
> ####### Got  this response:#####
> { "ldapconfigresponse" :  { "ldapconfig" :
>
> {"hostname":"192.168.123.61","port":"false","searchbase":"OU=member,DC=lab,DC=com","queryfilter":"(&(disPlayname=%u))","binddn":"CN=dota,OU=member,DC=lab,DC=com"}
> }  }
>
> #######  CS log  #########
> 2013-08-24 21:10:44,453 DEBUG
> [cloud.configuration.ConfigurationManagerImpl] (ApiServer-4:null) The
> ldap server is configured: 192.168.123.61
>
> ######## other thing i checked ######
> (1) in CS4.1.1 ,sharedFunctions.js  , var md5HashedLogin = fals
> (2) when create dota in CS, "Network Domain" i put lab.com, username i
> put dota
>