Posted to users@cloudstack.apache.org by Valery Ciareszka <va...@gmail.com> on 2013/08/20 18:21:15 UTC

ldap query filter

Hi all,

From CS 4.1 docs:

The CloudStack query filter wildcards are:
Query Filter Wildcard  Description
%u  User name
%e  Email address
%n  First and last name

However, I faced a situation where we have two different domains with
identical users.
Let's consider that ROOT/user1 has a corresponding entry in LDAP and
ROOT/MYDOMAIN/user1 does not.
ROOT/user1 is able to authenticate as ROOT/MYDOMAIN/user1 using the LDAP
password.

My question is: is there a query filter wildcard to match the domain name?

env used: CS 4.1.0
-- 
Regards,
Valery

http://protocol.by/slayer

Re: ldap query filter

Posted by Kirk Jantzer <ki...@gmail.com>.
Not that I doubted you, but I had to check for myself. I removed the
network domain from the accounts and they were able to log in fine.


Regards,

Kirk Jantzer
http://about.met/kirkjantzer


On Tue, Aug 20, 2013 at 3:41 PM, Ian Duffy <ia...@ianduffy.ie> wrote:

> From what I recall of code that I browsed through the "network domain"
> field is not read during the LDAP authentication phase.
>
>
> On 20 August 2013 20:27, Kirk Jantzer <ki...@gmail.com> wrote:
>
> > To add, if root/user1 and root/mydomain/user1 have the network domain
> > credentials set, they should look in ldap, right??
> >
> >
> > Regards,
> >
> > Kirk Jantzer
> > http://about.met/kirkjantzer
> >
> >
> > On Tue, Aug 20, 2013 at 3:21 PM, Ian Duffy <ia...@ianduffy.ie> wrote:
> >
> > > >
> > > > ROOT/user1 is able to authenticate as ROOT/MYDOMAIN/user1 using ldap
> > > > password.
> > >
> > >
> > > Interesting, never thought of that possibility. This is partially due to
> > > the nature of how Cloudstack's authentication engine works.
> > >
> > > So what happens is when you attempt to log in, your username/password is
> > > passed down through different authentication systems, so...
> > > Attempt auth against DB using SHA1 pass
> > > Attempt auth against DB using MD5 pass
> > > ....
> > > Attempt auth using LDAP
> > >
> > > For the LDAP stage only the username/password is given. The username is
> > > looked up in LDAP to obtain a principal. Using this principal and the
> > > supplied password a bind is made. Should the bind be successful, the user
> > > is authenticated.
> > >
> > > As far as I'm aware there is no workaround for this without modifying
> > > source. My general rule of thumb for it would be to not mix
> > > authentication: either go all internal CS users or all LDAP based users.
> > >
> > >
> > > On 20 August 2013 17:21, Valery Ciareszka <va...@gmail.com>
> > > wrote:
> > >
> > > > Hi all,
> > > >
> > > > From CS 4.1 docs:
> > > >
> > > > The CloudStack query filter wildcards are:
> > > > Query Filter Wildcard  Description
> > > > %u  User name
> > > > %e  Email address
> > > > %n  First and last name
> > > >
> > > > However, I faced a situation where we have two different domains with
> > > > identical users.
> > > > Let's consider that ROOT/user1 has a corresponding entry in LDAP and
> > > > ROOT/MYDOMAIN/user1 does not.
> > > > ROOT/user1 is able to authenticate as ROOT/MYDOMAIN/user1 using the LDAP
> > > > password.
> > > >
> > > > My question is: is there a query filter wildcard to match the domain name?
> > > >
> > > > env used: CS 4.1.0
> > > > --
> > > > Regards,
> > > > Valery
> > > >
> > > > http://protocol.by/slayer
> > > >
> > >
> >
>

Re: ldap query filter

Posted by Ian Duffy <ia...@ianduffy.ie>.
From what I recall of code that I browsed through the "network domain"
field is not read during the LDAP authentication phase.


On 20 August 2013 20:27, Kirk Jantzer <ki...@gmail.com> wrote:

> To add, if root/user1 and root/mydomain/user1 have the network domain
> credentials set, they should look in ldap, right??
>
>
> Regards,
>
> Kirk Jantzer
> http://about.met/kirkjantzer
>
>
> On Tue, Aug 20, 2013 at 3:21 PM, Ian Duffy <ia...@ianduffy.ie> wrote:
>
> > >
> > > ROOT/user1 is able to authenticate as ROOT/MYDOMAIN/user1 using ldap
> > > password.
> >
> >
> > Interesting, never thought of that possibility. This is partially due to
> > the nature of how Cloudstack's authentication engine works.
> >
> > So what happens is when you attempt to log in, your username/password is
> > passed down through different authentication systems, so...
> > Attempt auth against DB using SHA1 pass
> > Attempt auth against DB using MD5 pass
> > ....
> > Attempt auth using LDAP
> >
> > For the LDAP stage only the username/password is given. The username is
> > looked up in LDAP to obtain a principal. Using this principal and the
> > supplied password a bind is made. Should the bind be successful, the user
> > is authenticated.
> >
> > As far as I'm aware there is no workaround for this without modifying
> > source. My general rule of thumb for it would be to not mix
> > authentication: either go all internal CS users or all LDAP based users.
> >
> >
> > On 20 August 2013 17:21, Valery Ciareszka <va...@gmail.com>
> > wrote:
> >
> > > Hi all,
> > >
> > > From CS 4.1 docs:
> > >
> > > The CloudStack query filter wildcards are:
> > > Query Filter Wildcard  Description
> > > %u  User name
> > > %e  Email address
> > > %n  First and last name
> > >
> > > However, I faced a situation where we have two different domains with
> > > identical users.
> > > Let's consider that ROOT/user1 has a corresponding entry in LDAP and
> > > ROOT/MYDOMAIN/user1 does not.
> > > ROOT/user1 is able to authenticate as ROOT/MYDOMAIN/user1 using the LDAP
> > > password.
> > >
> > > My question is: is there a query filter wildcard to match the domain name?
> > >
> > > env used: CS 4.1.0
> > > --
> > > Regards,
> > > Valery
> > >
> > > http://protocol.by/slayer
> > >
> >
>

Re: ldap query filter

Posted by Kirk Jantzer <ki...@gmail.com>.
To add, if root/user1 and root/mydomain/user1 have the network domain
credentials set, they should look in LDAP, right??


Regards,

Kirk Jantzer
http://about.met/kirkjantzer


On Tue, Aug 20, 2013 at 3:21 PM, Ian Duffy <ia...@ianduffy.ie> wrote:

> >
> > ROOT/user1 is able to authenticate as ROOT/MYDOMAIN/user1 using ldap
> > password.
>
>
> Interesting, never thought of that possibility. This is partially due to the
> nature of how Cloudstack's authentication engine works.
>
> So what happens is when you attempt to log in, your username/password is
> passed down through different authentication systems, so...
> Attempt auth against DB using SHA1 pass
> Attempt auth against DB using MD5 pass
> ....
> Attempt auth using LDAP
>
> For the LDAP stage only the username/password is given. The username is
> looked up in LDAP to obtain a principal. Using this principal and the supplied
> password a bind is made. Should the bind be successful, the user is
> authenticated.
>
> As far as I'm aware there is no workaround for this without modifying
> source. My general rule of thumb for it would be to not mix authentication:
> either go all internal CS users or all LDAP based users.
>
>
> On 20 August 2013 17:21, Valery Ciareszka <va...@gmail.com>
> wrote:
>
> > Hi all,
> >
> > From CS 4.1 docs:
> >
> > The CloudStack query filter wildcards are:
> > Query Filter Wildcard  Description
> > %u  User name
> > %e  Email address
> > %n  First and last name
> >
> > However, I faced a situation where we have two different domains with
> > identical users.
> > Let's consider that ROOT/user1 has a corresponding entry in LDAP and
> > ROOT/MYDOMAIN/user1 does not.
> > ROOT/user1 is able to authenticate as ROOT/MYDOMAIN/user1 using the LDAP
> > password.
> >
> > My question is: is there a query filter wildcard to match the domain name?
> >
> > env used: CS 4.1.0
> > --
> > Regards,
> > Valery
> >
> > http://protocol.by/slayer
> >
>

Re: ldap query filter

Posted by Ian Duffy <ia...@ianduffy.ie>.
>
> ROOT/user1 is able to authenticate as ROOT/MYDOMAIN/user1 using ldap
> password.


Interesting, never thought of that possibility. This is partially due to the
nature of how Cloudstack's authentication engine works.

So what happens is when you attempt to log in, your username/password is
passed down through different authentication systems, so...
Attempt auth against DB using SHA1 pass
Attempt auth against DB using MD5 pass
....
Attempt auth using LDAP

For the LDAP stage only the username/password is given. The username is
looked up in LDAP to obtain a principal. Using this principal and the supplied
password a bind is made. Should the bind be successful, the user is
authenticated.

As far as I'm aware there is no workaround for this without modifying
source. My general rule of thumb for it would be to not mix authentication:
either go all internal CS users or all LDAP based users.


On 20 August 2013 17:21, Valery Ciareszka <va...@gmail.com> wrote:

> Hi all,
>
> From CS 4.1 docs:
>
> The CloudStack query filter wildcards are:
> Query Filter Wildcard  Description
> %u  User name
> %e  Email address
> %n  First and last name
>
> However, I faced a situation where we have two different domains with
> identical users.
> Let's consider that ROOT/user1 has a corresponding entry in LDAP and
> ROOT/MYDOMAIN/user1 does not.
> ROOT/user1 is able to authenticate as ROOT/MYDOMAIN/user1 using the LDAP
> password.
>
> My question is: is there a query filter wildcard to match the domain name?
>
> env used: CS 4.1.0
> --
> Regards,
> Valery
>
> http://protocol.by/slayer
>