[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10239?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16340964#comment-16340964
 ] 

ASF GitHub Bot commented on CLOUDSTACK-10239:
---------------------------------------------

rhtyd closed pull request #2430: CLOUDSTACK-10239 default provider if needed
URL: https://github.com/apache/cloudstack/pull/2430
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git 
a/plugins/user-authenticators/ldap/src/org/apache/cloudstack/api/command/LinkDomainToLdapCmd.java
 
b/plugins/user-authenticators/ldap/src/org/apache/cloudstack/api/command/LinkDomainToLdapCmd.java
index 00140952051..a64193aaf55 100644
--- 
a/plugins/user-authenticators/ldap/src/org/apache/cloudstack/api/command/LinkDomainToLdapCmd.java
+++ 
b/plugins/user-authenticators/ldap/src/org/apache/cloudstack/api/command/LinkDomainToLdapCmd.java
@@ -54,11 +54,11 @@
     @Parameter(name = ApiConstants.TYPE, type = CommandType.STRING, required = 
true, description = "type of the ldap name. GROUP or OU")
     private String type;
 
-    @Parameter(name = ApiConstants.LDAP_DOMAIN, type = CommandType.STRING, 
required = true, description = "name of the group or OU in LDAP")
+    @Parameter(name = ApiConstants.LDAP_DOMAIN, type = CommandType.STRING, 
required = false, description = "name of the group or OU in LDAP")
     private String ldapDomain;
 
     @Deprecated
-    @Parameter(name = ApiConstants.NAME, type = CommandType.STRING, required = 
true, description = "name of the group or OU in LDAP")
+    @Parameter(name = ApiConstants.NAME, type = CommandType.STRING, required = 
false, description = "name of the group or OU in LDAP")
     private String name;
 
     @Parameter(name = ApiConstants.ADMIN, type = CommandType.STRING, required 
= false, description = "domain admin username in LDAP ")
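Review bot: With `required = false` on both `ldapDomain` and the deprecated `name`, the API layer will accept a request that supplies neither, and the two descriptions are still identical and silent about that. The only remaining guard visible in this patch is `Validate.notEmpty(cmd.getLdapDomain(), ...)` in `LdapManagerImpl.linkDomainToLdap`, so the failure surfaces later and probably as a generic argument exception rather than a parameter error. I would state the rule in the description, e.g. `description = "name of the group or OU in LDAP; required unless the deprecated 'name' parameter is supplied"`, assuming `getLdapDomain()` falls back to `name` (the getter is outside the hunk).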
diff --git 
a/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/LdapContextFactory.java
 
b/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/LdapContextFactory.java
index b141f053008..70f7a564111 100644
--- 
a/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/LdapContextFactory.java
+++ 
b/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/LdapContextFactory.java
@@ -25,6 +25,7 @@
 import javax.naming.ldap.InitialLdapContext;
 import javax.naming.ldap.LdapContext;
 
+import org.apache.commons.lang3.StringUtils;
 import org.apache.log4j.Logger;
 
 public class LdapContextFactory {
@@ -40,12 +41,10 @@ public LdapContextFactory(final LdapConfiguration 
ldapConfiguration) {
         _ldapConfiguration = ldapConfiguration;
     }
 
-    // TODO add optional domain (optional only for backwards compatibility)
     public LdapContext createBindContext(Long domainId) throws 
NamingException, IOException {
         return createBindContext(null, domainId);
     }
 
-    // TODO add optional domain (optional only for backwards compatibility)
     public LdapContext createBindContext(final String providerUrl, Long 
domainId) throws NamingException, IOException {
         final String bindPrincipal = 
_ldapConfiguration.getBindPrincipal(domainId);
         final String bindPassword = 
_ldapConfiguration.getBindPassword(domainId);
@@ -80,9 +79,13 @@ private void enableSSL(final Hashtable<String, String> 
environment) {
 
     private Hashtable<String, String> getEnvironment(final String principal, 
final String password, final String providerUrl, final boolean isSystemContext, 
Long domainId) {
         final String factory = _ldapConfiguration.getFactory();
-        final String url = providerUrl == null ? 
_ldapConfiguration.getProviderUrl(domainId) : providerUrl;
+        String url = providerUrl == null ? 
_ldapConfiguration.getProviderUrl(domainId) : providerUrl;
+        if (StringUtils.isEmpty(url) && domainId != null) {
+            //try a default ldap implementation
+            url = _ldapConfiguration.getProviderUrl(null);
+        }
 
-        final Hashtable<String, String> environment = new Hashtable<String, 
String>();
+        final Hashtable<String, String> environment = new Hashtable<>();
 
         environment.put(Context.INITIAL_CONTEXT_FACTORY, factory);
         environment.put(Context.PROVIDER_URL, url);
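Review bot: `url` can still be null or empty after the fallback when no default LDAP configuration exists, and `environment.put(Context.PROVIDER_URL, url)` then throws a bare NullPointerException from `Hashtable` for null, or hands an empty provider URL to JNDI. A guard after the fallback would turn this into an explicit configuration error, e.g. `if (StringUtils.isEmpty(url)) { throw new IllegalStateException("no LDAP provider url configured for domain " + domainId); }`. Two things are worth confirming as well: `principal` and `password` are resolved by the caller through `getBindPrincipal(domainId)` and `getBindPassword(domainId)`, so they should fall back to the same default configuration as the URL rather than one domain's bind credentials being sent to a different server; and the fallback is silent, so a log line naming the domain would let operators see when a domain authenticates against the default directory. The rest of getEnvironment lies outside the hunk.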
diff --git 
a/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/LdapManager.java
 
b/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/LdapManager.java
index 002242c8f02..2dceae1db32 100644
--- 
a/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/LdapManager.java
+++ 
b/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/LdapManager.java
@@ -52,7 +52,6 @@
     @Deprecated
     LdapConfigurationResponse deleteConfiguration(String hostname, int port, 
Long domainId) throws InvalidParameterValueException;
 
-    // TODO username is only unique withing domain scope (add domain id to 
call)
     LdapUser getUser(final String username, Long domainId) throws 
NoLdapUserMatchingQueryException;
 
     LdapUser getUser(String username, String type, String name, Long domainId) 
throws NoLdapUserMatchingQueryException;
diff --git 
a/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/LdapManagerImpl.java
 
b/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/LdapManagerImpl.java
index b82231c99d7..547c10b7b1d 100644
--- 
a/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/LdapManagerImpl.java
+++ 
b/plugins/user-authenticators/ldap/src/org/apache/cloudstack/ldap/LdapManagerImpl.java
@@ -313,7 +313,7 @@ public boolean isLdapEnabled() {
 
     @Override
     public LinkDomainToLdapResponse linkDomainToLdap(LinkDomainToLdapCmd cmd) {
-        Validate.isTrue(_ldapConfiguration.getBaseDn(cmd.getDomainId()) == 
null, "can not configure an ldap server and an ldap group/ou to a domain");
+        Validate.isTrue(_ldapConfiguration.getBaseDn(cmd.getDomainId()) == 
null, "can not link a domain unless a basedn is configured for it.");
         Validate.notEmpty(cmd.getLdapDomain(), "ldapDomain cannot be empty, 
please supply a GROUP or OU name");
         return 
linkDomainToLdap(cmd.getDomainId(),cmd.getType(),cmd.getLdapDomain(),cmd.getAccountType());
     }
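Review bot: The new message on the first `Validate.isTrue` contradicts its condition: the check passes only when `getBaseDn(cmd.getDomainId()) == null`, so it rejects domains that do have a basedn, while the text says linking is impossible unless one is configured. `linkAccountToLdap` further down uses `Validate.notNull` on the same value, which suggests the intended condition here is `_ldapConfiguration.getBaseDn(cmd.getDomainId()) != null`; if the old semantics are meant, the old message should stay. As written, either correctly configured domains are refused or the error text misleads the operator.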
@@ -356,8 +356,9 @@ public LdapTrustMapVO getLinkedLdapGroup(long domainId, 
String group) {
         return _ldapTrustMapDao.findGroupInDomain(domainId, group);
     }
 
-    @Override public LinkAccountToLdapResponse 
linkAccountToLdap(LinkAccountToLdapCmd cmd) {
-        Validate.notNull(_ldapConfiguration.getBaseDn(cmd.getDomainId()), "can 
not configure an ldap server and an ldap group/ou to a domain");
+    @Override
+    public LinkAccountToLdapResponse linkAccountToLdap(LinkAccountToLdapCmd 
cmd) {
+        Validate.notNull(_ldapConfiguration.getBaseDn(cmd.getDomainId()), "can 
not link an account to ldap in a domain for which no basdn is configured");
         Validate.notNull(cmd.getDomainId(), "domainId cannot be null.");
         Validate.notEmpty(cmd.getAccountName(), "accountName cannot be 
empty.");
         Validate.notEmpty(cmd.getLdapDomain(), "ldapDomain cannot be empty, 
please supply a GROUP or OU name");
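Review bot: `cmd.getDomainId()` is passed to `getBaseDn` on the first validation line before `Validate.notNull(cmd.getDomainId(), "domainId cannot be null.")` runs, so a missing domainId is reported, if at all, as a basedn problem. With a default LDAP configuration now usable, `getBaseDn(null)` may return the default and let the first check pass, so moving the domainId check first keeps the errors accurate. The new message also has a typo: `basdn` should be `basedn`. The method body continues past the hunk.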
diff --git 
a/plugins/user-authenticators/ldap/test/org/apache/cloudstack/api/command/LdapCreateAccountCmdTest.java
 
b/plugins/user-authenticators/ldap/test/org/apache/cloudstack/api/command/LdapCreateAccountCmdTest.java
index a4eccbf0856..55d7f624b53 100644
--- 
a/plugins/user-authenticators/ldap/test/org/apache/cloudstack/api/command/LdapCreateAccountCmdTest.java
+++ 
b/plugins/user-authenticators/ldap/test/org/apache/cloudstack/api/command/LdapCreateAccountCmdTest.java
@@ -62,10 +62,10 @@ public void failureToRetrieveLdapUser() throws Exception {
     }
 
     @Test(expected = ServerApiException.class)
-    public void failedCreationDueToANullResponseFromCloudstackAccountCreater() 
throws Exception {
+    public void failedCreationDueToANullResponseFromCloudstackAccountCreator() 
throws Exception {
         // We have an LdapManager, AccountService and LdapCreateAccountCmd
         LdapUser mrMurphy = new LdapUser("rmurphy", "rmur...@cloudstack.org", 
"Ryan", "Murphy", "cn=rmurphy,ou=engineering,dc=cloudstack,dc=org", 
"engineering", false, null);
-        when(ldapManager.getUser(anyString(), 
isNull(Long.class))).thenReturn(mrMurphy);
+        when(ldapManager.getUser(anyString(), 
isNull(Long.class))).thenReturn(mrMurphy).thenReturn(mrMurphy);
         ldapCreateAccountCmd.execute();
         fail("An exception should have been thrown: " + 
ServerApiException.class);
     }
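Review bot: Chaining `.thenReturn(mrMurphy).thenReturn(mrMurphy)` does not change the stub, because Mockito keeps returning the last stubbed value for every further call; it is equivalent to a single `thenReturn(mrMurphy)`. If the point is that `getUser` is now looked up twice during `execute()`, a one-line comment above the stub saying why two lookups are expected would record that intent better than the duplicated call.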


 

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> User LDAP authentication not working in UI (but works via API)
> --------------------------------------------------------------
>
>                 Key: CLOUDSTACK-10239
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10239
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>          Components: Management Server
>    Affects Versions: 4.11.0.0
>         Environment: CentOS 7, KVM, MSAD
>            Reporter: Jean-Francois Nadeau
>            Assignee: Daan Hoogland
>            Priority: Major
>
> hi,
> I setup LDAP authentication with the microsoft AD ldap provider and get 
> different behaviors in the UI vs using the API (cs python cli)
> Through the UI,  I can see the list of our AD users using the "Add ldap 
> account" action but selecting a user and adding it returns there are no 
> username by that name:
> INFO  [c.c.a.ApiServer] (qtp510113906-20:ctx-e32d5ff4 ctx-c3c50b46) 
> (logid:89c8c538) No LDAP user exists with the username of <user>
>  
> Doing the same thing through the CLI works fine:
> $ cs ldapCreateAccount username=markp accounttype=1 account=admin
>  ...
> {
>  "account": "admin", 
>  "accountid": "0683fdb0-fbae-11e7-9574-96a9f76bb706", 
>  "accounttype": 1, 
>  "created": "2018-01-18T19:21:31+0000", 
>  "domain": "ROOT", 
>  "domainid": "d9bbe213-fbad-11e7-9574-96a9f76bb706", 
> "firstname": "Mark", 
>  "id": "5ed90ce8-5c54-4f72-8579-639947f5c368", 
>  "iscallerchilddomain": false, 
>  "isdefault": false, 
>  "lastname": "p", 
>  "roleid": "f8a368af-fbad-11e7-9574-96a9f76bb706", 
>  "rolename": "Root Admin", 
>  "roletype": "Admin", 
>  "state": "enabled", 
>  "username": "markp", 
>  "usersource": "ldap"
>  }
>  
> Also,  once this user is added,  he can not login in the UI using his LDAP 
> credentials with the same error in the ms logs.  Then,  if i generate keys 
> for that same admin user,  he can use the API without problems.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
