Same difficulty here. The way it worked was defining the truststore
globally. Just after that I defined the ldap configuration inside a domain.

Using API:

cmk -p user@myprofile update configuration name='ldap.truststore' value='/etc/cloudstack/management/cloud.jks'
cmk -p user@myprofile update configuration name='ldap.truststore.password' value=PASSWORD
cmk -p user@myprofile add ldapconfiguration hostname=ldapserver.mydomain port=636 domainid="domain uuid here"
cmk -p user@myprofile update configuration name='ldap.basedn' value='...............' domainid="domain uuid here"
.
.
.

Note that the API accepts configuring ldap.truststore for one domain, but
this has no effect.

cmk -p user@myprofile update configuration name='ldap.truststore' value='/etc/cloudstack/management/cloud.jks' domainid="domain uuid here"   <-------

When I configured ldap.truststore in one domain, the connection didn't use
SSL.

Tks!

On 2021/06/07 20:56:18 Yordan Kostov wrote:
> Dear community,
>
> Currently trying to reconfigure working ACS LDAP authentication to LDAPS,
> but I believe something of importance may be missing in the guide
> (https://docs.cloudstack.apache.org/en/latest/adminguide/accounts.html#ldap-ssl).
> It says that if ldap.truststore and ldap.truststore.password are configured
> it will switch working to LDAPS, but that is not the case.
> The logs confirm the LDAP protocol is used when adding a host after
> updating the config - "(logid:aafbef8a) initializing ldap with provider
> url: ldap://X.X.X.X:636";
>
> Here are a few questions to round the issue:
>
>   *   API docs (LDAPCONFIG -
>       https://cloudstack.apache.org/api/apidocs-4.15/apis/ldapConfig.html)
>       mention the ability to enable SSL and bind a certificate for an ldap
>       host, but there is no option to define the domain for the specific
>       ldap configuration.
>   *   What if multiple domains are present and their configs use the same
>       ldap server? Can the SSL of one domain's ldap config be changed one at
>       a time, or is this based on the ldap host level?
>   *   ldap.truststore - is syntax something like /opt/CAROOT.crt going to
>       work, or does it originate from a default directory?
>   *   ldap.truststore.password - what if the certificate is without a
>       password, is it going to work?
>
> Any example commands on how this can be done through cloudmonkey will be
> much appreciated!
>
> Best regards,
> Jordan
>

-- 
__________________________
Confidentiality note

This message from Empresa Brasileira de Pesquisa Agropecuaria (Embrapa), a
government company established under Brazilian law (5.851/72), is directed
exclusively to its addressee and may contain confidential data, protected
under professional secrecy rules. Its unauthorized use is illegal and may
subject the transgressor to the law's penalties. If you are not the
addressee, please send it back, elucidating the failure.
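The working order from the reply above (truststore settings global, only the LDAP server scoped to the domain), followed by a check of the management-server log for the URL scheme the connector actually used, as an added example that is not a command from either poster. It assumes the cmk profile, domain uuid, truststore password and log path /var/log/cloudstack/management/management-server.log are placeholders to adapt, and that a configuration that really uses SSL logs an ldaps:// provider url where the quoted log line shows ldap://.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed placeholders: cmk profile,
# domain uuid, truststore password and the management-server log path.
PROFILE="${CMK_PROFILE:-user@myprofile}"
TRUSTSTORE=/etc/cloudstack/management/cloud.jks
: "${TRUSTSTORE_PASSWORD:=PASSWORD}"   # placeholder value, as in the thread
LOG="${CLOUDSTACK_LOG:-/var/log/cloudstack/management/management-server.log}"  # assumed path

# With DRY_RUN=1 the command is printed instead of executed, to review the plan.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# The order that worked: truststore settings without domainid (global),
# only the LDAP server itself added under the domain.
configure_ldaps() {
  domain_id=$1
  ldap_host=$2
  run cmk -p "$PROFILE" update configuration name=ldap.truststore value="$TRUSTSTORE"
  run cmk -p "$PROFILE" update configuration name=ldap.truststore.password value="$TRUSTSTORE_PASSWORD"
  run cmk -p "$PROFILE" add ldapconfiguration hostname="$ldap_host" port=636 domainid="$domain_id"
}

# Print the URL scheme (ldap or ldaps) of the last "initializing ldap with
# provider url" line in the given log file; prints nothing if there is none.
provider_scheme() {
  grep 'initializing ldap with provider url' "$1" | tail -n 1 \
    | sed -n 's/.*provider url: \([a-z]*\):\/\/.*/\1/p'
}

# Succeeds only when the connector used ldaps://. A plain ldap:// on port 636,
# as in the quoted log line, means the truststore setting was not applied.
ldaps_in_use() {
  [ "$(provider_scheme "$1")" = ldaps ]
}

# Stand-alone use: ./ldaps-check.sh --apply <domain uuid> <ldap host>
if [ "${1:-}" = --apply ]; then
  configure_ldaps "$2" "$3"
  ldaps_in_use "$LOG" && echo "LDAPS in use" || echo "WARNING: plain LDAP in use on port 636"
fi
```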
