Is possible to use CloudStack and LDAP with posixGroup and memberUid?

2021-10-25 Thread Jorge Luiz Correa
Hi! This is just my first post here and I'm looking for some help to
understand more about LDAP use. I'm using CloudStack 4.15.2.0 and an
OpenLDAP server. I need to configure autosync to map an account to an LDAP
group. My LDAP uses the posixGroup type as its group entity.

Could CloudStack use groups of that type? If yes, how can I configure it in
this way?

My tests just work if I create a group of type groupOfNames
(objectClass=groupOfNames with entries like member=userone member=usertwo).
But, I already have an OpenLDAP server with a lot of groups using
objectClass=posixGroup (with entries like memberUid=userone
memberUid=usertwo). I would like to use them.

Looking at the slapd log I see a query with the following filter:

(&(objectClass=inetOrgPerson)(uid=userone)(|(memberOf=cn=groupaccount1,ou=groups,dc=domain)))

Reading about LDAP groups (in general), to use posixGroup it looks like the
client should implement this, a way to check for users inside posixGroups.
The log above appears to check users in groups using the memberof scheme. I
didn't understand yet if CloudStack could operate like this.

Is there a way to delete a "link accounttoldap" configuration? I always
have to delete the account to make new tests, didn't find a way to delete
this mapping.

Thank you!
:)

-- 
Jorge Luiz Corrêa
Embrapa Agricultura Digital
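
The filter from the slapd log above, evaluated against two small directories, as an added example that is not part of the original post and not CloudStack code. The user DN under ou=people and all entries are constructed; it assumes memberOf is only populated from DN-valued member attributes (as OpenLDAP's memberof overlay does), so a posixGroup with memberUid leaves the user entry without it.

```python
# Added example: evaluates the LDAP filter subset seen in the slapd log
# (AND, OR, equality). All directory entries are constructed sample data.

def parse_filter(text):
    """Parse '(&(a=b)(|(c=d)))' into nested tuples."""
    def parse(pos):
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|":
            op, pos, children = text[pos], pos + 1, []
            while text[pos] == "(":
                child, pos = parse(pos)
                children.append(child)
            if text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            return (op, children), pos + 1
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        return ("=", attr.lower(), value.lower()), end + 1
    node, pos = parse(0)
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return node

def matches(node, entry):
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    _, attr, value = node
    return value in (v.lower() for v in entry.get(attr, []))

def search(directory, filter_text):
    """Return the DNs of all entries matching the filter."""
    node = parse_filter(filter_text)
    return [e["dn"][0] for e in directory if matches(node, e)]

USER_DN = "uid=userone,ou=people,dc=domain"        # constructed
GROUP_DN = "cn=groupaccount1,ou=groups,dc=domain"  # group DN from the log

# posixGroup layout: membership lives only on the group, as bare uids.
POSIX_DIR = [
    {"dn": [USER_DN], "objectclass": ["inetOrgPerson"], "uid": ["userone"]},
    {"dn": [GROUP_DN], "objectclass": ["posixGroup"], "cn": ["groupaccount1"],
     "memberuid": ["userone", "usertwo"]},
]
# groupOfNames layout with memberOf maintained on the user entry.
MEMBEROF_DIR = [
    {"dn": [USER_DN], "objectclass": ["inetOrgPerson"], "uid": ["userone"],
     "memberof": [GROUP_DN]},
    {"dn": [GROUP_DN], "objectclass": ["groupOfNames"], "cn": ["groupaccount1"],
     "member": [USER_DN]},
]

# Filter exactly as it appears in the slapd log.
LOGGED_FILTER = ("(&(objectClass=inetOrgPerson)(uid=userone)"
                 "(|(memberOf=cn=groupaccount1,ou=groups,dc=domain)))")

def user_in_posix_group(directory, group_cn, uid):
    """Membership check a posixGroup-aware client would run against the group.
    Real code must escape group_cn and uid (RFC 4515) before building the filter."""
    flt = f"(&(objectClass=posixGroup)(cn={group_cn})(memberUid={uid}))"
    return bool(search(directory, flt))
```

The logged filter returns no entry for the posixGroup layout and returns the user for the groupOfNames layout, which matches the behaviour described in the post.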



[VOTE] Apache CloudStack 4.16.0.0 (RC2)

2021-10-25 Thread Nicolas Vazquez
Hi All,

I have created a 4.16.0.0 release (RC2), with the following artifacts up for 
testing and a vote:

Git Branch and Commit SHA:
https://github.com/apache/cloudstack/tree/4.16.0.0-RC20211025T0851
Commit: 1e070be4c9a87650f48707a44efff2796dfa802a

Source release (checksums and signatures are available at the same location):
https://dist.apache.org/repos/dist/dev/cloudstack/4.16.0.0/

PGP release keys (signed using 656E1BCC8CB54F84):
https://dist.apache.org/repos/dist/release/cloudstack/KEYS

The vote will be open until 28th October 2021, 16.00 CET (72h).

For sanity in tallying the vote, can PMC members please be sure to indicate 
"(binding)" with their vote?

[ ] +1  approve
[ ] +0  no opinion
[ ] -1  disapprove (and reason why)

For users' convenience, the packages from this release candidate (RC2) and
4.16.0 systemvmtemplates are available here:
https://download.cloudstack.org/testing/41600-RC2/
https://download.cloudstack.org/systemvm/4.16/

Regards,
Nicolas Vazquez


 



CloudStack Collaboration Conference: The event is now OPEN

2021-10-25 Thread Ivet Petrova
Hi all,

I hope you have a nice start of the new week :)

I am writing with some updates for the CloudStack Collaboration Conference. The 
event is approaching and I would like to invite you all to join it, by 
registering here:
- https://events.hubilo.com/cloudstack-collaboration-conference/register

We already have over 200 registrations, but I am sure we can make a record 
together. Please, share the link with your colleagues, who might be interested.

Our final agenda is announced here: http://cloudstackcollab.org/

As the event is now open, you can log in the portal and start interacting with 
other participants. Also you can review the exhibitors.

I strongly encourage everyone to register now, as we will have some attractive 
awards during the event, for the people who collected a maximum number of points in 
the leaderboard.
At the last event we were giving away Amazon vouchers worth 500 EUR ;)

Kind regards,


 



Re: Network selection specifically for Hosting provider

2021-10-25 Thread Vivek Kumar
Hello Ranjit,

When you add secondary IPs to the instance, it means you will provide the same 
subnet IP in the secondary interface of the NIC, so you have to configure your VM 
in such a way that it can obtain the IP from DHCP (you create a sub-interface 
of your primary interface, i.e. eth0 is your primary, then eth0:0, eth0:1 
are your sub-interfaces).

If you are adding another network in your VM, it means that you are adding an 
additional NIC in your VM, thus you will have to configure your second NIC 
config file inside of the VM so that it can get the IP from DHCP (i.e. eth0, 
eth1).



Vivek Kumar
Sr. Manager - Cloud & DevOps 
IndiQus Technologies
M +91 7503460090 
www.indiqus.com




> On 23-Oct-2021, at 2:27 AM, Ranjit Jadhav  wrote:
> 
> Thanks for getting back to me. At the ACS level network is configured fine
> but at the OS level, it does not get updated. By default, OS is using DHCP.
> 
> In this case, how can we automatically configure secondary IP on the server
> i.e. CentOS, Ubuntu, Windows etc.
> 
> Thank you,
> Ranjit
> 
> On Wed, Oct 20, 2021 at 12:05 PM Wei ZHOU  wrote:
> 
>> Hi,
>> 
>> For each isolated network with source NAT, cloudstack assigns a public IP
>> to the network as the source NAT IP. Therefore it is not an issue.
>> 
>> To add secondary IPs, go to vm details -> NICs tab -> choose a NIC -> click
>> icon 'Edit secondary IPs'.
>> 
>> -Wei
>> 
>> On Tue, 19 Oct 2021 at 23:35, Ranjit Jadhav 
>> wrote:
>> 
>>> Hello guys,
>>> 
>>> We are using Xenserver for host and configured Isolated Network . but
>>> we are facing the following issues
>>> 
>>> 1) One IP gets reserved for source-nat per user
>>> 
>>> 2) How can we assign secondary IP to the instance.
>>> 
>>> There are a few more issues/queries related to the network.
>>> 
>>> Thanks and Regards,
>>> Ranjit
>>> 
>> 



RE: Apache Cloudstack Instance Console Question

2021-10-25 Thread William Hankard
Thank you for the detailed information.   This is what I was looking for. Will 
test it out.  Thanks again.
 
 Bill
 
 Sent from my iPhone using HCL Verse
 
 
   On Oct 25, 2021, 4:47:44 AM, rohit.ya...@shapeblue.com wrote:
  
  From: rohit.ya...@shapeblue.com
  To: users@cloudstack.apache.org
  Cc: 
  Date: Oct 25, 2021, 4:47:44 AM
  Subject: [EXTERNAL] Re: Apache Cloudstack Instance Console Question
  
 Some correction - for WAN with single public IP we need both port 80/443 
and 8080 for CPVM and port 8080 for ACS mgmt server.
   Therefore, the setup may use domains to proxy the hosts per needs. In my 
test setup I use nginx proxy manager (https://nginxproxymanager.com ) and have 
domains such as:
   example.com -> WAN IP
   console.example.com -> WAN IP
   The config would be to let a proxy manager proxy to hosts by the domains, 
for ex:
   example.com & console.example.com -> mapped to WAN IP
   WAN IP ports 80, 443, 8080 -> forward to ACS mgmt server host ports 80, 443, 

   Run the proxy manager on ACS mgmt server host that listens on ports 80, 443, 
 to do SSL termination and proxy as:
   example.com:80/443 -> proxy -> ACS mgmt server port:8080
   console.example.com:80/443/8080 -> proxy -> CPVM ports 80/443/8080 (for 
websockets use the config shared in previous reply).
   Regards.
   
   From: Rohit Yadav 
   Sent: Monday, October 25, 2021 13:59
   To: users@cloudstack.apache.org 
   Subject: Re: Apache Cloudstack Instance Console Question
   Hi William,
   The novnc console in browser tries to connect to CPVM's port 8080 that you 
need to port forward/enable.
   1. If you've an unsecured setup, you'll need to port forward as follows:
   WAN port 80 -> ACS mgmt server IP port 8080
   WAN port 8080 -> CPVM public IP port 8080
   (also enable/allow firewall rules for port 80, 8080)
   You can then access your mgmt server using, http:///client.
   2. If you need domain+SSL termination, then you can do the same as say using 
nginx:
   Create domain records:
   A record for example.com -> WAN IP
   A record for console.example.com -> WAN IP
   ACS global settings: (restarting mgmt server required)
   consoleproxy.sslEnabled -> true
   consoleproxy.url.domain -> console.example.com
   WAN port 443 -> nginx 443 ssl -> proxy to ACS mgmt server IP port 8080
   WAN port 8080 -> nginx 8080 ssl -> proxy to CPVM port 8080 with following:
   nginx websockets config can look like: (in this example, CPVM has IP 
192.168.1.20)
listen 8080 ssl http2;
location /websockify {
  proxy_pass http://192.168.1.20:8080/websockify;
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "upgrade";
  proxy_cache_bypass $http_upgrade;
  proxy_buffering off;
  proxy_ignore_client_abort off;
  proxy_read_timeout 86400;
}
   Note: in case you re-create the CPVM and its IP changes you'll need to 
update the configs suitably.
   Regards.
   
   From: David Jumani 
   Sent: Monday, October 25, 2021 10:53
   To: users@cloudstack.apache.org 
   Subject: Re: Apache Cloudstack Instance Console Question
   Hi William,
   You'll need to add a firewall rule to allow traffic from the public IP of 
the console proxy running on port 80. You can find the IP of the proxy over at 
Infrastructure > SystemVMs. (Or inspect the VM console page and have a look at 
the URL in the iframe)
   The console proxy also uses WebSockets, so I'm not sure if simple port 
forwarding will work but give it a shot!
   
   From: William Hankard 
   Sent: Saturday, October 23, 2021 4:09 AM
   To: users@cloudstack.apache.org 
   Subject: Apache Cloudstack Instance Console Question
   Hello,
   I am having an issue with accessing an instance console on my Cloudstack
   environment.
   My setup is as follows:
   1) Opnsense Firewall with 1 wan port and 1 lan port
   2) Red Hat Management server on lan subnet
   3) Red Hat KVM Hypervisor on lan subnet
   I have setup a port forward rule from my WAN network to the internal LAN
   network to my management server.   I can access the management server fine
   through
   the firewall with my browser.  The issue I am having is when I create an
   instance and try to access the console I get a timeout.  I am thinking
   maybe I don't have some
   port open or there is some console / novnc configuration that needs to be
   done.   Any pointers would be appreciated.
   Bill
   William D. Hankard
   Senior Enterprise Virtualization Architect / Backend Developer
   IBM Security
   X-Force Threat Intelligence and Integration Lab
   william_hank...@us.ibm.com
   Phone: 617-910-8562
   
   
   


RE: Apache Cloudstack Instance Console Question

2021-10-25 Thread William Hankard
Thank you for your response.  Will give it a shot
 
 Bill
 
 Sent from my iPhone using HCL Verse
 
 
   On Oct 25, 2021, 1:24:04 AM, david.jum...@shapeblue.com wrote:
  
  From: david.jum...@shapeblue.com
  To: users@cloudstack.apache.org
  Cc: 
  Date: Oct 25, 2021, 1:24:04 AM
  Subject: [EXTERNAL] Re: Apache Cloudstack Instance Console Question
  
 Hi William,
   You'll need to add a firewall rule to allow traffic from the public IP of 
the console proxy running on port 80. You can find the IP of the proxy over at 
Infrastructure > SystemVMs. (Or inspect the VM console page and have a look at 
the URL in the iframe)
   The console proxy also uses WebSockets, so I'm not sure if simple port 
forwarding will work but give it a shot!
   
   From: William Hankard 
   Sent: Saturday, October 23, 2021 4:09 AM
   To: users@cloudstack.apache.org 
   Subject: Apache Cloudstack Instance Console Question
   Hello,
   I am having an issue with accessing an instance console on my Cloudstack
   environment.
   My setup is as follows:
   1) Opnsense Firewall with 1 wan port and 1 lan port
   2) Red Hat Management server on lan subnet
   3) Red Hat KVM Hypervisor on lan subnet
   I have setup a port forward rule from my WAN network to the internal LAN
   network to my management server.   I can access the management server fine
   through
   the firewall with my browser.  The issue I am having is when I create an
   instance and try to access the console I get a timeout.  I am thinking
   maybe I don't have some
   port open or there is some console / novnc configuration that needs to be
   done.   Any pointers would be appreciated.
   Bill
   William D. Hankard
   Senior Enterprise Virtualization Architect / Backend Developer
   IBM Security
   X-Force Threat Intelligence and Integration Lab
   william_hank...@us.ibm.com
   Phone: 617-910-8562
   
   
   


Re: Apache Cloudstack Instance Console Question

2021-10-25 Thread Rohit Yadav
Some correction - for WAN with single public IP we need both port 80/443 and 
8080 for CPVM and port 8080 for ACS mgmt server.

Therefore, the setup may use domains to proxy the hosts per needs. In my test 
setup I use nginx proxy manager 
(https://nginxproxymanager.com) and have 
domains such as:

example.com -> WAN IP
console.example.com -> WAN IP

The config would be to let a proxy manager proxy to hosts by the domains, for 
ex:

example.com & console.example.com -> mapped to WAN IP

WAN IP ports 80, 443, 8080 -> forward to ACS mgmt server host ports 80, 443, 


Run the proxy manager on ACS mgmt server host that listens on ports 80, 443, 
 to do SSL termination and proxy as:

example.com:80/443 -> proxy -> ACS mgmt server port:8080
console.example.com:80/443/8080 -> proxy -> CPVM ports 80/443/8080 (for 
websockets use the config shared in previous reply).


Regards.


From: Rohit Yadav 
Sent: Monday, October 25, 2021 13:59
To: users@cloudstack.apache.org 
Subject: Re: Apache Cloudstack Instance Console Question

Hi William,

The novnc console in browser tries to connect to CPVM's port 8080 that you need 
to port forward/enable.

1. If you've an unsecured setup, you'll need to port forward as follows:
WAN port 80 -> ACS mgmt server IP port 8080
WAN port 8080 -> CPVM public IP port 8080
(also enable/allow firewall rules for port 80, 8080)

You can then access your mgmt server using, http:///client.

2. If you need domain+SSL termination, then you can do the same as say using 
nginx:

Create domain records:
A record for example.com -> WAN IP
A record for console.example.com -> WAN IP

ACS global settings: (restarting mgmt server required)
consoleproxy.sslEnabled -> true
consoleproxy.url.domain -> console.example.com

WAN port 443 -> nginx 443 ssl -> proxy to ACS mgmt server IP port 8080
WAN port 8080 -> nginx 8080 ssl -> proxy to CPVM port 8080 with following:

nginx websockets config can look like: (in this example, CPVM has IP 
192.168.1.20)

  listen 8080 ssl http2;
  location /websockify {
    proxy_pass http://192.168.1.20:8080/websockify;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_cache_bypass $http_upgrade;
    proxy_buffering off;
    proxy_ignore_client_abort off;
    proxy_read_timeout 86400;
  }

Note: in case you re-create the CPVM and its IP changes you'll need to update 
the configs suitably.


Regards.


From: David Jumani 
Sent: Monday, October 25, 2021 10:53
To: users@cloudstack.apache.org 
Subject: Re: Apache Cloudstack Instance Console Question

Hi William,

You'll need to add a firewall rule to allow traffic from the public IP of the 
console proxy running on port 80. You can find the IP of the proxy over at 
Infrastructure > SystemVMs. (Or inspect the VM console page and have a look at 
the URL in the iframe)
The console proxy also uses WebSockets, so I'm not sure if simple port 
forwarding will work but give it a shot!

From: William Hankard 
Sent: Saturday, October 23, 2021 4:09 AM
To: users@cloudstack.apache.org 
Subject: Apache Cloudstack Instance Console Question

Hello,

I am having an issue with accessing an instance console on my Cloudstack
environment.
My setup is as follows:

1) Opnsense Firewall with 1 wan port and 1 lan port
2) Red Hat Management server on lan subnet
3) Red Hat KVM Hypervisor on lan subnet

I have setup a port forward rule from my WAN network to the internal LAN
network to my management server.   I can access the management server fine
through
the firewall with my browser.  The issue I am having is when I create an
instance and try to access the console I get a timeout.  I am thinking
maybe I don't have some
port open or there is some console / novnc configuration that needs to be
done.   Any pointers would be appreciated.

Bill
William D. Hankard
Senior Enterprise Virtualization Architect / Backend Developer
IBM Security
X-Force Threat Intelligence and Integration Lab
william_hank...@us.ibm.com
Phone: 617-910-8562








 



Re: Apache Cloudstack Instance Console Question

2021-10-25 Thread Rohit Yadav
Hi William,

The novnc console in browser tries to connect to CPVM's port 8080 that you need 
to port forward/enable.

1. If you've an unsecured setup, you'll need to port forward as follows:
WAN port 80 -> ACS mgmt server IP port 8080
WAN port 8080 -> CPVM public IP port 8080
(also enable/allow firewall rules for port 80, 8080)

You can then access your mgmt server using, http:///client.

2. If you need domain+SSL termination, then you can do the same as say using 
nginx:

Create domain records:
A record for example.com -> WAN IP
A record for console.example.com -> WAN IP

ACS global settings: (restarting mgmt server required)
consoleproxy.sslEnabled -> true
consoleproxy.url.domain -> console.example.com

WAN port 443 -> nginx 443 ssl -> proxy to ACS mgmt server IP port 8080
WAN port 8080 -> nginx 8080 ssl -> proxy to CPVM port 8080 with following:

nginx websockets config can look like: (in this example, CPVM has IP 
192.168.1.20)

  listen 8080 ssl http2;
  location /websockify {
    proxy_pass http://192.168.1.20:8080/websockify;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_cache_bypass $http_upgrade;
    proxy_buffering off;
    proxy_ignore_client_abort off;
    proxy_read_timeout 86400;
  }

Note: in case you re-create the CPVM and its IP changes you'll need to update 
the configs suitably.


Regards.


From: David Jumani 
Sent: Monday, October 25, 2021 10:53
To: users@cloudstack.apache.org 
Subject: Re: Apache Cloudstack Instance Console Question

Hi William,

You'll need to add a firewall rule to allow traffic from the public IP of the 
console proxy running on port 80. You can find the IP of the proxy over at 
Infrastructure > SystemVMs. (Or inspect the VM console page and have a look at 
the URL in the iframe)
The console proxy also uses WebSockets, so I'm not sure if simple port 
forwarding will work but give it a shot!

From: William Hankard 
Sent: Saturday, October 23, 2021 4:09 AM
To: users@cloudstack.apache.org 
Subject: Apache Cloudstack Instance Console Question

Hello,

I am having an issue with accessing an instance console on my Cloudstack
environment.
My setup is as follows:

1) Opnsense Firewall with 1 wan port and 1 lan port
2) Red Hat Management server on lan subnet
3) Red Hat KVM Hypervisor on lan subnet

I have setup a port forward rule from my WAN network to the internal LAN
network to my management server.   I can access the management server fine
through
the firewall with my browser.  The issue I am having is when I create an
instance and try to access the console I get a timeout.  I am thinking
maybe I don't have some
port open or there is some console / novnc configuration that needs to be
done.   Any pointers would be appreciated.

Bill
William D. Hankard
Senior Enterprise Virtualization Architect / Backend Developer
IBM Security
X-Force Threat Intelligence and Integration Lab
william_hank...@us.ibm.com
Phone: 617-910-8562
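
The nginx config in this thread forwards the Upgrade and Connection headers on /websockify; the following added example (not part of the original messages and not CloudStack code) shows the WebSocket opening handshake those headers carry and checks a captured response for the signs that the upgrade did not survive the proxy. The host console.example.com:8080 is taken from the thread, both sample responses are constructed, and the key is the sample value from RFC 6455.

```python
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID defined by RFC 6455

def expected_accept(key):
    """Sec-WebSocket-Accept value the server must return for a given key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def build_handshake(host, key, path="/websockify"):
    """Client side of the opening handshake, as a browser console client would send it."""
    return (f"GET {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Upgrade: websocket\r\n"
            "Connection: Upgrade\r\n"
            f"Sec-WebSocket-Key: {key}\r\n"
            "Sec-WebSocket-Version: 13\r\n\r\n")

def parse_response(raw):
    """Split a raw HTTP response head into (status code, lower-cased header dict)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers = {k.strip().lower(): v.strip()
               for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
    return status, headers

def diagnose(raw, key):
    """Return a list of reasons why the response is not a valid WebSocket upgrade."""
    status, h = parse_response(raw)
    problems = []
    if status != 101:
        problems.append(f"status {status}, expected 101 Switching Protocols")
    if h.get("upgrade", "").lower() != "websocket":
        problems.append("missing 'Upgrade: websocket' header")
    tokens = [t.strip().lower() for t in h.get("connection", "").split(",")]
    if "upgrade" not in tokens:
        problems.append("Connection header lacks the 'upgrade' token")
    if h.get("sec-websocket-accept") != expected_accept(key):
        problems.append("Sec-WebSocket-Accept missing or does not match the key")
    return problems

KEY = "dGhlIHNhbXBsZSBub25jZQ=="  # sample key from RFC 6455

# Constructed response: upgrade passed through the proxy intact.
GOOD = ("HTTP/1.1 101 Switching Protocols\r\n"
        "Upgrade: websocket\r\n"
        "Connection: upgrade\r\n"
        "Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")

# Constructed response: what a client may see when a hop in between did not
# forward the Upgrade/Connection headers to the backend.
BAD = "HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"

if __name__ == "__main__":
    print(build_handshake("console.example.com:8080", KEY))
    print("good:", diagnose(GOOD, KEY))
    print("bad: ", diagnose(BAD, KEY))
```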