Posted to users@cloudstack.apache.org by Mevludin Blazevic <mb...@uni-koblenz.de> on 2021/12/14 10:04:25 UTC

"Add LDAP account" returns empty user list

Hi all,

when I try to set up a connection to our LDAP server I am getting an
empty list after clicking on the "Add LDAP" button. I have already set
up the basedn, configured a bind.principal by using the dn (beginning
with uid= instead of cn=) and a bind password. No LDAP exception is
logged, but when I try to change the password or the principal dn I am
getting an LDAP exception, so I assume that the connection can be
established. My configuration:

LDAP: my-ldap-server.de:389 (no domain was assigned)
basedn: dc=my-domain, dc=de
bind-principal: uid=<my-user>,ou=ou1,dc=my-domain, dc=de
ldap.provider: openldap
ldap.group.object: groupOfUniqueNames
ldap.nested.groups.enable: true
ldap.search.group.principle: (for example 
"cn=cloustack-user,ou=Ou1,dc=my-domain,dc=de")
ldap.user.memberof.attribute: memberOf
ldap.user.object: inetOrgPerson
ldap.username.attribute: uid
ldap.read.timeout: 1000
ldap.request.page.size: 1000

For testing purposes, I run ldapsearch on the same machine where 
cloudstack-management is installed. For example:

ldapsearch -ZZ -LLL -o ldif-wrap=no -c -h my-ldap-server.de \
  -D "uid=<my-user>,ou=<our-ou>,dc=my-domain, dc=de" -w "<mypassword>" \
  -b "dc=my-domain, dc=de" "(ou=ou1)"
--> returns a (long) list of LDAP entries

ldapsearch -ZZ -LLL -o ldif-wrap=no -c -h my-ldap-server.de \
  -D "uid=<my-user>,ou=<our-ou>,dc=my-domain, dc=de" -w "<mypassword>" \
  -b "dc=my-domain, dc=de" "(cn=cloustack-user)"
--> returns a dn with a list of all group members

ldapsearch -ZZ -LLL -o ldif-wrap=no -c -h my-ldap-server.de \
  -D "uid=<my-user>,ou=<our-ou>,dc=my-domain, dc=de" -w "<mypassword>" \
  -b "dc=my-domain, dc=de" "(uid=person1)"
--> returns an LDAP entry

Cloudstack-Management log after clicking on "Add LDAP account":

2021-12-14 10:59:32,204 DEBUG [o.a.c.l.LdapContextFactory] 
(qtp187472540-1210:ctx-64b28371 ctx-59c7bea2) (logid:5e17abe8) 
initializing ldap with provider url: ldap://my-ldap-server.de:389
2021-12-14 10:59:32,212 TRACE [o.a.c.a.c.LdapListUsersCmd] 
(qtp187472540-1210:ctx-64b28371 ctx-59c7bea2) (logid:5e17abe8) returning 
unfiltered list of ldap users

I have also stopped the firewall on the cloudstack-management machine. 
Still an empty list.

Does anyone have any idea why an empty list is displayed on the 
Cloudstack UI? Hope you can help me out.

Best Regards

Mevludin


Re: "Add LDAP account" returns empty user list

Posted by Daan Hoogland <da...@gmail.com>.
Mevludin,
I completely ignored this mail and forgot about it. Have you gotten any
further?

On Thu, Nov 10, 2022 at 3:05 PM Mevludin Blazevic <mb...@uni-koblenz.de>
wrote:

> Daan,
>
> so I assume that for manual import, which I want to use, I can leave
> "ldap.user.memberof.attribute" empty? If I do so, I am getting an LDAP
> exception in the management logs:
>
> (logid:8e0b6291) ldap Exception:
>         at java.naming/com.sun.jndi.ldap.Filter.encodeSimpleFilter(Filter.java:446)
>         at java.naming/com.sun.jndi.ldap.Filter.encodeFilter(Filter.java:146)
>         at java.naming/com.sun.jndi.ldap.Filter.encodeFilterList(Filter.java:741)
>         at java.naming/com.sun.jndi.ldap.Filter.encodeComplexFilter(Filter.java:657)
>         at java.naming/com.sun.jndi.ldap.Filter.encodeFilter(Filter.java:104)
>         at java.naming/com.sun.jndi.ldap.Filter.encodeFilterString(Filter.java:74)
>         at java.naming/com.sun.jndi.ldap.LdapClient.search(LdapClient.java:547)
>         at java.naming/com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:2014)
>         at java.naming/com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1873)
>         at java.naming/com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1798)
>         at org.apache.cloudstack.ldap.OpenLdapUserManagerImpl.searchUsers(OpenLdapUserManagerImpl.java:329)
>         at org.apache.cloudstack.ldap.OpenLdapUserManagerImpl.getUsers(OpenLdapUserManagerImpl.java:228)
>         at org.apache.cloudstack.ldap.OpenLdapUserManagerImpl.getUsers(OpenLdapUserManagerImpl.java:223)
>         at org.apache.cloudstack.ldap.LdapManagerImpl.getUsers(LdapManagerImpl.java:309)
>
> Otherwise, if the memberOf attribute is set, ACS seems to look only
> at the memberOf attribute in LDAP, which currently does not exist.
>
> On 10.11.2022 at 13:49, Daan Hoogland wrote:
> > Mevludin,
> > If you want the "autosync" feature, there is no way around it. Manual
> > import and "autoimport" work without the automatic attributes, of which
> > memberof is an example.
> >
> > On Thu, Nov 10, 2022 at 1:42 PM Mevludin Blazevic <
> mblazevic@uni-koblenz.de>
> > wrote:
> >
> >> Hi there,
> >>
> >> some time ago I had issues with setting up LDAP for our ACS instance. It
> >> seems that the LDAP functionality works only with the "memberOf"
> >> attribute, which ApacheDS does not seem to support (according to the
> >> latest ACS doc). Is there any way to avoid searching for the memberOf
> >> attribute in ACS if the LDAP does not have such an attribute?
> >>
> >> Regards
> >>
> >> Mevludin
> >>
> >>
> >>> mevludin,
> >>>
> >>> the base dn should be just that, not any group below it. Did you try
> >>> clearing the search group principle?
> >>> If ldap.group.user.uniquemember is "uniquemember", the group should show
> >>> `uniquemember: uid=person1,ou=ou1,dc=my-domain, dc=de` for all those users,
> >>> and not `member: uid=person1,ou=ou1,dc=my-domain, dc=de`. It seems
> >>> something is off with your configuration in LDAP. I am not sure if this is
> >>> needed for autoimport; the empty principle group would be if the
> >>> correct membership attribute isn't set.
> >>>
> >>> On Tue, Dec 14, 2021 at 5:29 PM Mevludin Blazevic <
> >> mblazevic@uni-koblenz.de>
> >>> wrote:
> >>>
> >>>> Hi Daan,
> >>>>
> >>>> value for ldap.group.user.uniquemember is "uniquemember". I have also
> >>>> tried to set up the basedn as "ou=ou1,dc=my-domain,dc=de" to get all
> >>>> users of ou1; the list is still empty.
> >>>>
> >>>> On 14.12.2021 at 16:55, Daan Hoogland wrote:
> >>>>> ok Mevludin,
> >>>>> can you try and empty ldap.search.group.principle (remove the
> >>>>> "cn=cloustack-user,ou=Ou1,dc=my-domain,dc=de")? If you have one, all your
> >>>>> users must have the memberOf attribute filled with that group.
> >>>>>
> >>>>>
> >>>>> Can you share your value for ldap.group.user.uniquemember?
> >>>>>
> >>>>>
> >>>>> On Tue, Dec 14, 2021 at 4:18 PM Mevludin Blazevic <
> >>>> mblazevic@uni-koblenz.de>
> >>>>> wrote:
> >>>>>
> >>>>>> Hi Daan,
> >>>>>>
> >>>>>> yes, I am trying to use the manual import, we will not have many
> >>>>>> Cloudstack users so manually importing them once would be enough.
> >>>>>>
> >>>>>> I've added the LDAP configuration via the GUI under Configuration ->
> >>>>>> LDAP Configuration (only server and port, no domain). Then I configured
> >>>>>> the basedn and the other properties from my previous e-mail using the
> >>>>>> Global Settings view.
> >>>>>>
> >>>>>> The users do not have a memberOf attribute yet. Nevertheless, the group
> >>>>>> knows its members and yes, the group has a series of uniqueMember
> >>>>>> attributes, for example:
> >>>>>>
> >>>>>> member: uid=person1,ou=ou1,dc=my-domain, dc=de
> >>>>>> member: uid=person2,ou=ou1,dc=my-domain, dc=de
> >>>>>> member: uid=person3,ou=ou1,dc=my-domain, dc=de
> >>>>>> member: uid=person4,ou=ou1,dc=my-domain, dc=de
> >>>>>> member:
> >>>>>> member: uid=person5,ou=ou1,dc=my-domain, dc=de
> >>>>>> member: uid=person6,ou=ou1,dc=my-domain, dc=de
> >>>>>> member: uid=person7,ou=ou1,dc=my-domain, dc=de
> >>>>>> member: uid=person8,ou=ou1,dc=my-domain, dc=de
> >>>>>> member: uid=person9,ou=ou1,dc=my-domain, dc=de
> >>>>>> member: uid=person10,ou=ou1,dc=my-domain, dc=de
> >>>>>> memberUid: person1
> >>>>>> memberUid: person2
> >>>>>> memberUid: person3
> >>>>>> memberUid: person4
> >>>>>> memberUid: person5
> >>>>>> memberUid: person6
> >>>>>> memberUid: person7
> >>>>>> memberUid: person8
> >>>>>> memberUid: person9
> >>>>>> memberUid: person10
> >>>>>>
> >>>>>> Is the manual import possible if there is no memberOf attribute?
> >>>>>>
> >>>>>> Best Regards
> >>>>>>
> >>>>>> Mevludin
> >>>>>>
> >>>>>> On 14.12.2021 at 12:36, Daan Hoogland wrote:
> >>>>>>> Mevludin,
> >>>>>>> I suppose you are using the documentation to add your LDAP. Which
> >>>>>>> strategy are you using, manual import, autoimport or autosync?
> >>>>>>> By the looks it seems you want the manual import, but I am not sure.
> >>>>>>> Does the user have a memberOf attribute?
> >>>>>>> Does the group cloudstack-user have a series of uniqueMember
> >>>>>>> attributes?
> >
> --
> Mevludin Blazevic, M.Sc.
>
> University of Koblenz-Landau
> Computing Centre (GHRKO)
> Universitaetsstrasse 1
> D-56070 Koblenz, Germany
> Room A023
> Tel: +49 261/287-1326
>
>

-- 
Daan
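
The two things Daan asks about in the thread (does the group carry its members under the attribute named in ldap.group.user.uniquemember, and do the users carry memberOf for the group) and the filter-encoding exception Mevludin hits after emptying ldap.user.memberof.attribute can all be checked offline against ldapsearch output before clicking "Add LDAP account". The script below is an added example written for this page; it is not code from the thread or from Apache CloudStack. The setting names are the real CloudStack global settings quoted above, but SAMPLE_LDIF is constructed (modelled on the group Mevludin posted, with the group name spelled consistently), THREAD_CONFIG is my own dict, and the filter shape in build_user_filter is my reading of what a group-scoped user search sends, not the project's code.

```python
# Added example for this thread, not the poster's or CloudStack's code: checks
# the global settings quoted above against `ldapsearch -LLL` LDIF output.
# SAMPLE_LDIF is constructed, not the poster's directory; as in the thread the
# group lists members under `member:`/`memberUid:`, not `uniqueMember:`, and
# only one of the two users carries a `memberOf` value.
SAMPLE_LDIF = """\
dn: cn=cloudstack-user,ou=ou1,dc=my-domain,dc=de
objectClass: groupOfUniqueNames
member: uid=person1,ou=ou1,dc=my-domain, dc=de
member: uid=person2,ou=ou1,dc=my-domain, dc=de
memberUid: person1

dn: uid=person1,ou=ou1,dc=my-domain,dc=de
objectClass: inetOrgPerson

dn: uid=person2,ou=ou1,dc=my-domain,dc=de
objectClass: inetOrgPerson
memberOf: cn=cloudstack-user,ou=ou1,dc=my-domain,dc=de
"""
THREAD_CONFIG = {  # the global settings quoted in the thread (assumed dict form)
    "ldap.user.object": "inetOrgPerson",
    "ldap.group.user.uniquemember": "uniquemember",
    "ldap.user.memberof.attribute": "memberOf",
    "ldap.search.group.principle": "cn=cloudstack-user,ou=Ou1,dc=my-domain,dc=de",
}

def normalize_dn(dn):
    """Lower-case and drop spaces around ',' (escaped commas are not handled)."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def parse_ldif(text):
    """LDIF -> {normalized dn: {lower-cased attr: [values]}}; '::' base64 stays undecoded."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if line.startswith(" ") and unfolded:          # folded continuation line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, cur = {}, None
    for line in unfolded + [""]:                       # sentinel flushes last entry
        if not line.strip():
            if cur is not None:
                entries[normalize_dn(cur["dn"])] = cur["attrs"]
            cur = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            cur = {"dn": value, "attrs": {}}
        elif cur is None:
            raise ValueError(f"attribute before dn: {line!r}")
        else:
            cur["attrs"].setdefault(attr, []).append(value)
    return entries

def check_group(entries, config):
    """Findings for the configured group; [] if it has ldap.group.user.uniquemember values."""
    group_dn = normalize_dn(config["ldap.search.group.principle"])
    wanted = config["ldap.group.user.uniquemember"].lower()
    group = entries.get(group_dn)
    if group is None:
        return [f"group {group_dn} not found"]
    if wanted in group:
        return []
    present = [a for a in ("uniquemember", "member", "memberuid") if a in group]
    return [f"group {group_dn} has no '{wanted}' values; membership attributes "
            f"present: {', '.join(present) or 'none'}"]

def users_missing_memberof(entries, config):
    """User DNs lacking <memberof attr>: <group DN>; [] when no group is configured."""
    group = config.get("ldap.search.group.principle", "")
    if not group:
        return []
    group_dn = normalize_dn(group)
    attr = config.get("ldap.user.memberof.attribute", "").lower()
    user_class = config["ldap.user.object"].lower()
    return [dn for dn, a in entries.items()
            if user_class in (c.lower() for c in a.get("objectclass", []))
            and group_dn not in (normalize_dn(v) for v in a.get(attr, []))]

def escape_filter_value(value):
    """RFC 4515 escaping so a DN or name cannot alter the filter's structure."""
    for ch, esc in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29")):
        value = value.replace(ch, esc)
    return value

def build_user_filter(config):
    """Filter of the shape a group-scoped user search sends (my reading of the
    thread, not CloudStack's code); refuses an empty attribute name instead of
    sending '(=cn=...)', which the JNDI encoder rejects (encodeSimpleFilter above)."""
    user_object = escape_filter_value(config["ldap.user.object"])
    group = config.get("ldap.search.group.principle", "")
    if not group:
        return f"(objectClass={user_object})"
    attr = config.get("ldap.user.memberof.attribute", "").strip()
    if not attr:
        raise ValueError("ldap.user.memberof.attribute is empty while "
                         "ldap.search.group.principle is set")
    return f"(&(objectClass={user_object})({attr}={escape_filter_value(group)}))"
```

To run it against a real directory, replace SAMPLE_LDIF with the output of the same `ldapsearch -LLL -o ldif-wrap=no` bind used in the thread and a filter such as "(|(cn=cloustack-user)(objectClass=inetOrgPerson))". With the settings as posted, check_group reports that the group has only member/memberUid values, users_missing_memberof lists every user without memberOf for the group, and build_user_filter raises rather than producing the malformed filter once the memberOf attribute setting is blanked; clearing ldap.search.group.principle instead yields the plain objectClass filter.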

Re: "Add LDAP account" returns empty user list

Posted by Mevludin Blazevic <mb...@uni-koblenz.de>.
Daan,

so I assume that for manual import, which I want to use, I can leave
"ldap.user.memberof.attribute" empty? If I do so, I am getting an LDAP
exception in the management logs:

(logid:8e0b6291) ldap Exception:
        at java.naming/com.sun.jndi.ldap.Filter.encodeSimpleFilter(Filter.java:446)
        at java.naming/com.sun.jndi.ldap.Filter.encodeFilter(Filter.java:146)
        at java.naming/com.sun.jndi.ldap.Filter.encodeFilterList(Filter.java:741)
        at java.naming/com.sun.jndi.ldap.Filter.encodeComplexFilter(Filter.java:657)
        at java.naming/com.sun.jndi.ldap.Filter.encodeFilter(Filter.java:104)
        at java.naming/com.sun.jndi.ldap.Filter.encodeFilterString(Filter.java:74)
        at java.naming/com.sun.jndi.ldap.LdapClient.search(LdapClient.java:547)
        at java.naming/com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:2014)
        at java.naming/com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1873)
        at java.naming/com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1798)
        at org.apache.cloudstack.ldap.OpenLdapUserManagerImpl.searchUsers(OpenLdapUserManagerImpl.java:329)
        at org.apache.cloudstack.ldap.OpenLdapUserManagerImpl.getUsers(OpenLdapUserManagerImpl.java:228)
        at org.apache.cloudstack.ldap.OpenLdapUserManagerImpl.getUsers(OpenLdapUserManagerImpl.java:223)
        at org.apache.cloudstack.ldap.LdapManagerImpl.getUsers(LdapManagerImpl.java:309)

Otherwise, if the memberOf attribute is set, ACS seems to look only
at the memberOf attribute in LDAP, which currently does not exist.

On 10.11.2022 at 13:49, Daan Hoogland wrote:
> Mevludin,
> If you want the "autosync" feature, there is no way around it. Manual
> import and "autoimport" work without the automatic attributes, of which
> memberof is an example.
>
-- 
Mevludin Blazevic, M.Sc.

University of Koblenz-Landau
Computing Centre (GHRKO)
Universitaetsstrasse 1
D-56070 Koblenz, Germany
Room A023
Tel: +49 261/287-1326


Re: "Add LDAP account" returns empty user list

Posted by Daan Hoogland <da...@gmail.com>.
Mevludin,
If you want the "autosync" feature, there is no way around it. Manual
import and "autoimport" work without the automatic attributes, of which
memberof is an example.

On Thu, Nov 10, 2022 at 1:42 PM Mevludin Blazevic <mb...@uni-koblenz.de>
wrote:

> Hi there,
>
> some time ago I had issues with setting up LDAP for our ACS instance. It
> seems that the LDAP functionality works only with the "memberOf"
> attribute, which ApacheDS does not seem to support (according to the
> latest ACS doc). Is there any way to avoid searching for the memberOf
> attribute in ACS if the LDAP does not have such an attribute?
>
> Regards
>
> Mevludin
>
>
> > mevludin,
> >
> > the base dn should be just that, not any group below it. Did you try
> > clearing the search group principle?
> > If ldap.group.user.uniquemember is "uniquemember", the group should show
> > `uniquemember: uid=person1,ou=ou1,dc=my-domain, dc=de` for all those
> users,
> > and not member: `uid=person1,ou=ou1,dc=my-domain, dc=de`. It seems
> > something is off with your configuration in LDAP. I am not sure if this
> is
> > needed for autoimport, the the empty principle group would be if the
> > correct membership attribute isn't set.
> >
> > On Tue, Dec 14, 2021 at 5:29 PM Mevludin Blazevic <
> mblazevic@uni-koblenz.de>
> > wrote:
> >
> >> Hi Daan,
> >>
> >> value for ldap.group.user.uniquemember is "uniquemember". I have also
> >> tried to set up the basedn as "ou=ou1,dc=my-domain,dc=de" to get all
> >> users of ou1, list is still empty..
> >>
> >> Am 14.12.2021 um 16:55 schrieb Daan Hoogland:
> >>> ok Mevludin,
> >>> can try and you empty
> >>>
> >>> ldap.search.group.principle (remove the
> >>> "cn=cloustack-user,ou=Ou1,dc=my-domain,dc=de"), if you have one all
> your
> >>> users must have the memberOf attribute filled with that group.
> >>>
> >>>
> >>> Can you share your value for ldap.group.user.uniquemember?
> >>>
> >>>
> >>> On Tue, Dec 14, 2021 at 4:18 PM Mevludin Blazevic <
> >> mblazevic@uni-koblenz.de>
> >>> wrote:
> >>>
> >>>> Hi Daan,
> >>>>
> >>>> yes, I am trying to use the manual import, we will not have much
> >>>> Cloudstack users so manually importing them once would be enough.
> >>>>
> >>>> I've added the LDAP configuration via the GUI under Configuration ->
> >>>> LDAP Configuration (only server and port, no domain). Then I
> configured
> >>>> the basedn and the other properties from my previous e-mail using the
> >>>> Global Settings view.
> >>>>
> >>>> The users do not have a memberOf attribute yet. Nevertheless, the
> group
> >>>> knows its members and yes, the group has a series of uniqueMember
> >>>> attributes, for example:
> >>>>
> >>>> member: uid=person1,ou=ou1,dc=my-domain, dc=de
> >>>> member: uid=person2,ou=ou1,dc=my-domain, dc=de
> >>>> member: uid=person3,ou=ou1,dc=my-domain, dc=de
> >>>> member: uid=person4,ou=ou1,dc=my-domain, dc=de
> >>>> member:
> >>>> member: uid=person5,ou=ou1,dc=my-domain, dc=de
> >>>> member: uid=person6,ou=ou1,dc=my-domain, dc=de
> >>>> member: uid=person7,ou=ou1,dc=my-domain, dc=de
> >>>> member: uid=person8,ou=ou1,dc=my-domain, dc=de
> >>>> member: uid=person9,ou=ou1,dc=my-domain, dc=de
> >>>> member: uid=person10,ou=ou1,dc=my-domain, dc=de
> >>>> memberUid: person1
> >>>> memberUid: person2
> >>>> memberUid: person3
> >>>> memberUid: person4
> >>>> memberUid: person5
> >>>> memberUid: person6
> >>>> memberUid: person7
> >>>> memberUid: person8
> >>>> memberUid: person9
> >>>> memberUid: person10
> >>>>
> >>>> Is the manual import possible if there is no memberOf attribute?
> >>>>
> >>>> Best Regards
> >>>>
> >>>> Mevludin
> >>>>
> >>>> Am 14.12.2021 um 12:36 schrieb Daan Hoogland:
> >>>>> Mevludin,
> >>>>> I suppose you are using the documentation to add your LDAP. which
> >>>> strategy
> >>>>> are you using, manual import, autoimport or autosync?
> >>>>> By the looks it seems you want the manual import, but I am not sure.
> >>>>> Does the user have a memberOf attribute?
> >>>>> Does the group cloudstack-user have a series of uniqueMember
> >> attributes?
> >>>>>
> >>>>> On Tue, Dec 14, 2021 at 11:04 AM Mevludin Blazevic<
> >>>> mblazevic@uni-koblenz.de>
> >>>>> wrote:
> >>>>>
> >>>>>> Hi all,
> >>>>>>
> >>>>>> when I try to set up a connection to our LDAP server I am getting an
> >>>>>> empty list after clicking on the "Add LDAP button". I have already
> set
> >>>>>> up the basedn, confuigured a bind.principal by using the dn
> (beginning
> >>>>>> with uid= instead of cn=) and a bind password. No LDAP exception is
> >>>>>> logged, but when I try to change the password or the principal dn I
> am
> >>>>>> getting an LDAP exception, so I assume that the connection can be
> >>>>>> established. My configuration:
> >>>>>>
> >>>>>> LDAP: my-ldap-server.de:389 (no domain was assigned)
> >>>>>> basedn: dc=my-domain, dc=de
> >>>>>> bind-principal: uid=<my-user>,ou=ou1,dc=my-domain, dc=de
> >>>>>> ldap.provider: openldap
> >>>>>> ldap.group.object: groupOfUniqueNames
> >>>>>> ldap.nested.groups.enable: true
> >>>>>> ldap.search.group.principle: (for example
> >>>>>> "cn=cloustack-user,ou=Ou1,dc=my-domain,dc=de")
> >>>>>> ldap.user.memberof.attribute: memberOf
> >>>>>> ldap.user.object: inetOrgPerson
> >>>>>> ldap.username.attribute: uid
> >>>>>> ldap.read.timeout: 1000
> >>>>>> ldap.request.page.size: 1000
> >>>>>>
> >>>>>> For testing purposes, I run ldapsearch on the same machine where
> >>>>>> cloudstack-management is installed. For example:
> >>>>>>
> >>>>>> ldapsearch -ZZ -LLL -o ldif-wrap=no -c -h my-ldap-server.de -D
> >>>>>> "uid=<my-user>,ou=<our-ou>,dc=my-domain, dc=de" -w "<mypassword>" -b
> >>>>>> dc=my-domain, dc=de "(ou=ou1)" --> returning a (long) list of LDAP
> >>>> entrys
> >>>>>> ldapsearch -ZZ -LLL -o ldif-wrap=no -c -h my-ldap-server.de -D
> >>>>>> "uid=<my-user>,ou=<our-ou>,dc=my-domain, dc=de" -w "<mypassword>" -b
> >>>>>> dc=my-domain, dc=de "(cn=cloustack-user)" --> returning a dn with a
> >> list
> >>>>>> of all group members
> >>>>>>
> >>>>>> ldapsearch -ZZ -LLL -o ldif-wrap=no -c -h my-ldap-server.de -D
> >>>>>> "uid=<my-user>,ou=<our-ou>,dc=my-domain, dc=de" -w "<mypassword>" -b
> >>>>>> dc=my-domain, dc=de "(uid=person1)" --> returns an LDAP entry
> >>>>>>
> >>>>>> Cloudstack-Management log after clicking on "Add LDAP account":
> >>>>>>
> >>>>>> 2021-12-14 10:59:32,204 DEBUG [o.a.c.l.LdapContextFactory]
> >>>>>> (qtp187472540-1210:ctx-64b28371 ctx-59c7bea2) (logid:5e17abe8)
> >>>>>> initializing ldap with provider url:ldap://my-ldap-server.de:389
> >>>>>> 2021-12-14 10:59:32,212 TRACE [o.a.c.a.c.LdapListUsersCmd]
> >>>>>> (qtp187472540-1210:ctx-64b28371 ctx-59c7bea2) (logid:5e17abe8)
> >> returning
> >>>>>> unfiltered list of ldap users
> >>>>>>
> >>>>>> I have also stopped the firewall on the cloudstack-management
> machine.
> >>>>>> Still an empty list.
> >>>>>>
> >>>>>> Does anyone have any idea why an empty list is displayed on the
> >>>>>> Cloudstack UI? Hope you can help me out.
> >>>>>>
> >>>>>> Best Regards
> >>>>>>
> >>>>>> Mevludin
> >>>>>>
> >>>>>>
> >>>>
>


-- 
Daan

Re: "Add LDAP account" returns empty user list

Posted by Mevludin Blazevic <mb...@uni-koblenz.de>.
Hi there,

some time ago I had issues with setting up LDAP for our ACS instance. It
seems that the LDAP functionality works only with the "memberOf"
attribute, which ApacheDS does not seem to support (according to the
latest ACS doc). Is there any way to avoid searching for the memberOf
attribute in ACS if the LDAP does not have such an attribute?

Regards

Mevludin


> mevludin,
>
> the base dn should be just that, not any group below it. Did you try
> clearing the search group principle?
> If ldap.group.user.uniquemember is "uniquemember", the group should show
> `uniquemember: uid=person1,ou=ou1,dc=my-domain, dc=de` for all those users,
> and not `member: uid=person1,ou=ou1,dc=my-domain, dc=de`. It seems
> something is off with your configuration in LDAP. I am not sure if this is
> needed for autoimport; the empty principle group would be if the
> correct membership attribute isn't set.
>
>>>>>>
>>>>>> Cloudstack-Management log after clicking on "Add LDAP account":
>>>>>>
>>>>>> 2021-12-14 10:59:32,204 DEBUG [o.a.c.l.LdapContextFactory]
>>>>>> (qtp187472540-1210:ctx-64b28371 ctx-59c7bea2) (logid:5e17abe8)
>>>>>> initializing ldap with provider url:ldap://my-ldap-server.de:389
>>>>>> 2021-12-14 10:59:32,212 TRACE [o.a.c.a.c.LdapListUsersCmd]
>>>>>> (qtp187472540-1210:ctx-64b28371 ctx-59c7bea2) (logid:5e17abe8)
>> returning
>>>>>> unfiltered list of ldap users
>>>>>>
>>>>>> I have also stopped the firewall on the cloudstack-management machine.
>>>>>> Still an empty list.
>>>>>>
>>>>>> Does anyone have any idea why an empty list is displayed on the
>>>>>> Cloudstack UI? Hope you can help me out.
>>>>>>
>>>>>> Best Regards
>>>>>>
>>>>>> Mevludin
>>>>>>
>>>>>>
>>>>

Re: "Add LDAP account" returns empty user list

Posted by Daan Hoogland <da...@gmail.com>.
Mevludin,

the base dn should be just that, not any group below it. Did you try
clearing the search group principle?
If ldap.group.user.uniquemember is "uniquemember", the group should show
`uniquemember: uid=person1,ou=ou1,dc=my-domain, dc=de` for all those users,
and not `member: uid=person1,ou=ou1,dc=my-domain, dc=de`. It seems
something is off with your configuration in LDAP. I am not sure if this is
needed for autoimport, but the empty principle group would be if the
correct membership attribute isn't set.

On Tue, Dec 14, 2021 at 5:29 PM Mevludin Blazevic <mb...@uni-koblenz.de>
wrote:

> Hi Daan,
>
> The value for ldap.group.user.uniquemember is "uniquemember". I have also
> tried to set up the basedn as "ou=ou1,dc=my-domain,dc=de" to get all
> users of ou1, but the list is still empty.
>

-- 
Daan

Re: "Add LDAP account" returns empty user list

Posted by Mevludin Blazevic <mb...@uni-koblenz.de>.
Hi Daan,

The value for ldap.group.user.uniquemember is "uniquemember". I have also
tried to set up the basedn as "ou=ou1,dc=my-domain,dc=de" to get all
users of ou1, but the list is still empty.

On 14.12.2021 at 16:55, Daan Hoogland wrote:
> ok Mevludin,
> can you try and empty ldap.search.group.principle (remove the
> "cn=cloustack-user,ou=Ou1,dc=my-domain,dc=de")? If you have one, all your
> users must have the memberOf attribute filled with that group.
>
>
> Can you share your value for ldap.group.user.uniquemember?
>
>
-- 
Mevludin Blazevic, M.Sc.

University of Koblenz-Landau
Computing Centre (GHRKO)
Universitaetsstrasse 1
D-56070 Koblenz, Germany
Room A023
Tel: +49 261/287-1326


Re: "Add LDAP account" returns empty user list

Posted by Daan Hoogland <da...@gmail.com>.
ok Mevludin,
can you try and empty ldap.search.group.principle (remove the
"cn=cloustack-user,ou=Ou1,dc=my-domain,dc=de")? If you have one, all your
users must have the memberOf attribute filled with that group.


Can you share your value for ldap.group.user.uniquemember?


On Tue, Dec 14, 2021 at 4:18 PM Mevludin Blazevic <mb...@uni-koblenz.de>
wrote:

> Hi Daan,
>
> Yes, I am trying to use the manual import; we will not have many
> CloudStack users, so manually importing them once would be enough.
>
> I've added the LDAP configuration via the GUI under Configuration ->
> LDAP Configuration (only server and port, no domain). Then I configured
> the basedn and the other properties from my previous e-mail using the
> Global Settings view.
>
> The users do not have a memberOf attribute yet. Nevertheless, the group
> knows its members and yes, the group has a series of uniqueMember
> attributes, for example:
>
> member: uid=person1,ou=ou1,dc=my-domain, dc=de
> member: uid=person2,ou=ou1,dc=my-domain, dc=de
> member: uid=person3,ou=ou1,dc=my-domain, dc=de
> member: uid=person4,ou=ou1,dc=my-domain, dc=de
> member:
> member: uid=person5,ou=ou1,dc=my-domain, dc=de
> member: uid=person6,ou=ou1,dc=my-domain, dc=de
> member: uid=person7,ou=ou1,dc=my-domain, dc=de
> member: uid=person8,ou=ou1,dc=my-domain, dc=de
> member: uid=person9,ou=ou1,dc=my-domain, dc=de
> member: uid=person10,ou=ou1,dc=my-domain, dc=de
> memberUid: person1
> memberUid: person2
> memberUid: person3
> memberUid: person4
> memberUid: person5
> memberUid: person6
> memberUid: person7
> memberUid: person8
> memberUid: person9
> memberUid: person10
>
> Is the manual import possible if there is no memberOf attribute?
>
> Best Regards
>
> Mevludin
>

-- 
Daan
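
An added illustration, not code from CloudStack or from anyone in this
thread: a small offline Python model of the two things Daan points at in his
replies, the user-search filter that gains a memberOf assertion as soon as
ldap.search.group.principle is set, and the membership attribute named by
ldap.group.user.uniquemember that CloudStack expects to find on the group.
The filter shape is my assumption of what the OpenLDAP user manager builds
from ldap.user.object, ldap.username.attribute, ldap.user.memberof.attribute
and ldap.search.group.principle; the directory entries are constructed to
mirror the thread (users without memberOf, a group with member and memberUid
but no uniqueMember, the group's objectClass assumed), and DN comparison is
simplified to lower-casing.

```python
import re

# Constructed sample data mirroring the thread (not a dump of a real directory):
# ten inetOrgPerson users WITHOUT memberOf, and a group carrying member/memberUid
# but no uniqueMember. The thread does not show the group's objectClass;
# groupOfNames/posixGroup (the classes those attributes belong to) are assumed.
BASE_DN = "dc=my-domain,dc=de"
GROUP_DN = "cn=cloustack-user,ou=ou1," + BASE_DN

DIRECTORY = {
    f"uid=person{i},ou=ou1,{BASE_DN}": {
        "objectClass": ["inetOrgPerson"], "uid": [f"person{i}"], "cn": [f"Person {i}"]}
    for i in range(1, 11)
}
DIRECTORY[GROUP_DN] = {
    "objectClass": ["groupOfNames", "posixGroup"],  # assumed, see above
    "cn": ["cloustack-user"],
    # the trailing "" reproduces the blank "member:" line shown in the thread
    "member": [f"uid=person{i},ou=ou1,{BASE_DN}" for i in range(1, 11)] + [""],
    "memberUid": [f"person{i}" for i in range(1, 11)],
}

# Global settings as posted in the thread.
THREAD_CONFIG = {
    "ldap.user.object": "inetOrgPerson",
    "ldap.username.attribute": "uid",
    "ldap.user.memberof.attribute": "memberOf",
    "ldap.search.group.principle": "cn=cloustack-user,ou=Ou1,dc=my-domain,dc=de",
    "ldap.group.object": "groupOfUniqueNames",
    "ldap.group.user.uniquemember": "uniquemember",
}


def user_search_filter(cfg, username=None):
    """Rebuild the user-listing filter. Assumption: CloudStack's OpenLDAP user
    manager ANDs an objectClass test, a username presence/equality test and,
    only when ldap.search.group.principle is set, a memberOf equality test."""
    parts = [f"(objectClass={cfg['ldap.user.object']})",
             f"({cfg['ldap.username.attribute']}={username or '*'})"]
    if cfg.get("ldap.search.group.principle"):
        parts.append(f"({cfg['ldap.user.memberof.attribute']}="
                     f"{cfg['ldap.search.group.principle']})")
    return "(&" + "".join(parts) + ")"


_ASSERTION = re.compile(r"\(([A-Za-z0-9.-]+)=([^()]*)\)")


def _norm(value):
    """Simplified comparison: drop spaces after commas (the thread's DNs have
    them) and ignore case; a real server applies each attribute's matching rule."""
    return re.sub(r",\s+", ",", value).strip().lower()


def entry_matches(entry, filt):
    """Evaluate an AND of equality/presence assertions, the only shape built above."""
    if not (filt.startswith("(&") and filt.endswith(")")):
        raise ValueError("only (&(a=v)(b=v)...) filters are modelled")
    for attr, wanted in _ASSERTION.findall(filt[2:-1]):
        have = [_norm(v) for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
        if wanted == "*":
            if not have:  # presence test
                return False
        elif _norm(wanted) not in have:
            return False
    return True


def list_ldap_users(directory, cfg):
    """DNs that 'Add LDAP account' would get back from this directory."""
    filt = user_search_filter(cfg)
    return sorted(dn for dn, entry in directory.items() if entry_matches(entry, filt))


def group_membership_check(group_entry, cfg):
    """Does the group carry the attribute CloudStack is told to read members from?"""
    wanted = cfg["ldap.group.user.uniquemember"].lower()
    present = {k.lower() for k in group_entry}
    return {"configured": wanted, "found": wanted in present,
            "membership_attrs_present": sorted(
                a for a in ("member", "uniquemember", "memberuid") if a in present)}


def with_memberof(directory, group_dn):
    """Copy of the directory in which every DN listed in the group's member
    attribute also carries memberOf=<group_dn>, which the search group principle
    needs (on OpenLDAP the memberof overlay maintains that attribute)."""
    fixed = {dn: {k: list(v) for k, v in e.items()} for dn, e in directory.items()}
    members = {_norm(m) for m in directory[group_dn].get("member", []) if m.strip()}
    for dn, entry in fixed.items():
        if _norm(dn) in members:
            entry.setdefault("memberOf", []).append(group_dn)
    return fixed


if __name__ == "__main__":
    print("filter:", user_search_filter(THREAD_CONFIG))
    print("as posted:", len(list_ldap_users(DIRECTORY, THREAD_CONFIG)), "users")
    cleared = {**THREAD_CONFIG, "ldap.search.group.principle": ""}
    print("principle cleared:", len(list_ldap_users(DIRECTORY, cleared)), "users")
    populated = with_memberof(DIRECTORY, GROUP_DN)
    print("memberOf populated:", len(list_ldap_users(populated, THREAD_CONFIG)), "users")
    print("group check:", group_membership_check(DIRECTORY[GROUP_DN], THREAD_CONFIG))
```

Run as a script it reports 0 users for the settings as posted, 10 once
ldap.search.group.principle is cleared, and 10 again once every member
carries memberOf for the group; the group check reports the configured
uniquemember attribute as absent and member/memberUid as what the group
actually has. The same two facts can be checked against the live server with
the ldapsearch bind already shown in the thread: search the base DN with the
filter the script prints (assumed to be the one CloudStack sends) and read
the group entry to see which membership attribute it really carries.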

Re: "Add LDAP account" returns empty user list

Posted by Mevludin Blazevic <mb...@uni-koblenz.de>.
Hi Daan,

Yes, I am trying to use the manual import; we will not have many
CloudStack users, so manually importing them once would be enough.

I've added the LDAP configuration via the GUI under Configuration -> 
LDAP Configuration (only server and port, no domain). Then I configured 
the basedn and the other properties from my previous e-mail using the 
Global Settings view.

The users do not have a memberOf attribute yet. Nevertheless, the group 
knows its members and yes, the group has a series of uniqueMember 
attributes, for example:

member: uid=person1,ou=ou1,dc=my-domain, dc=de
member: uid=person2,ou=ou1,dc=my-domain, dc=de
member: uid=person3,ou=ou1,dc=my-domain, dc=de
member: uid=person4,ou=ou1,dc=my-domain, dc=de
member:
member: uid=person5,ou=ou1,dc=my-domain, dc=de
member: uid=person6,ou=ou1,dc=my-domain, dc=de
member: uid=person7,ou=ou1,dc=my-domain, dc=de
member: uid=person8,ou=ou1,dc=my-domain, dc=de
member: uid=person9,ou=ou1,dc=my-domain, dc=de
member: uid=person10,ou=ou1,dc=my-domain, dc=de
memberUid: person1
memberUid: person2
memberUid: person3
memberUid: person4
memberUid: person5
memberUid: person6
memberUid: person7
memberUid: person8
memberUid: person9
memberUid: person10

Is the manual import possible if there is no memberOf attribute?

Best Regards

Mevludin

On 14.12.2021 at 12:36, Daan Hoogland wrote:
> Mevludin,
> I suppose you are using the documentation to add your LDAP. Which strategy
> are you using: manual import, autoimport or autosync?
> By the looks of it, it seems you want the manual import, but I am not sure.
> Does the user have a memberOf attribute?
> Does the group cloudstack-user have a series of uniqueMember attributes?
>
>


Re: "Add LDAP account" returns empty user list

Posted by Daan Hoogland <da...@gmail.com>.
Mevludin,
I suppose you are using the documentation to add your LDAP. Which strategy
are you using: manual import, autoimport or autosync?
By the looks of it, it seems you want the manual import, but I am not sure.
Does the user have a memberOf attribute?
Does the group cloudstack-user have a series of uniqueMember attributes?


On Tue, Dec 14, 2021 at 11:04 AM Mevludin Blazevic <mb...@uni-koblenz.de>
wrote:

> Hi all,
>
> when I try to set up a connection to our LDAP server I am getting an
> empty list after clicking on the "Add LDAP button". I have already set
> up the basedn, configured a bind.principal by using the dn (beginning
> with uid= instead of cn=) and a bind password. No LDAP exception is
> logged, but when I try to change the password or the principal dn I am
> getting an LDAP exception, so I assume that the connection can be
> established. My configuration:
>
> LDAP: my-ldap-server.de:389 (no domain was assigned)
> basedn: dc=my-domain, dc=de
> bind-principal: uid=<my-user>,ou=ou1,dc=my-domain, dc=de
> ldap.provider: openldap
> ldap.group.object: groupOfUniqueNames
> ldap.nested.groups.enable: true
> ldap.search.group.principle: (for example
> "cn=cloustack-user,ou=Ou1,dc=my-domain,dc=de")
> ldap.user.memberof.attribute: memberOf
> ldap.user.object: inetOrgPerson
> ldap.username.attribute: uid
> ldap.read.timeout: 1000
> ldap.request.page.size: 1000
>
> For testing purposes, I run ldapsearch on the same machine where
> cloudstack-management is installed. For example:
>
> ldapsearch -ZZ -LLL -o ldif-wrap=no -c -h my-ldap-server.de -D
> "uid=<my-user>,ou=<our-ou>,dc=my-domain, dc=de" -w "<mypassword>" -b
> "dc=my-domain, dc=de" "(ou=ou1)" --> returning a (long) list of LDAP entries
>
> ldapsearch -ZZ -LLL -o ldif-wrap=no -c -h my-ldap-server.de -D
> "uid=<my-user>,ou=<our-ou>,dc=my-domain, dc=de" -w "<mypassword>" -b
> "dc=my-domain, dc=de" "(cn=cloustack-user)" --> returning a dn with a list
> of all group members
>
> ldapsearch -ZZ -LLL -o ldif-wrap=no -c -h my-ldap-server.de -D
> "uid=<my-user>,ou=<our-ou>,dc=my-domain, dc=de" -w "<mypassword>" -b
> "dc=my-domain, dc=de" "(uid=person1)" --> returns an LDAP entry
>
> Cloudstack-Management log after clicking on "Add LDAP account":
>
> 2021-12-14 10:59:32,204 DEBUG [o.a.c.l.LdapContextFactory]
> (qtp187472540-1210:ctx-64b28371 ctx-59c7bea2) (logid:5e17abe8)
> initializing ldap with provider url: ldap://my-ldap-server.de:389
> 2021-12-14 10:59:32,212 TRACE [o.a.c.a.c.LdapListUsersCmd]
> (qtp187472540-1210:ctx-64b28371 ctx-59c7bea2) (logid:5e17abe8) returning
> unfiltered list of ldap users
>
> I have also stopped the firewall on the cloudstack-management machine.
> Still an empty list.
>
> Does anyone have any idea why an empty list is displayed on the
> Cloudstack UI? Hope you can help me out.
>
> Best Regards
>
> Mevludin
>
>

-- 
Daan