To add, if root/user1 and root/mydomain/user1 have the network domain credentials set, they should look in ldap, right??
Regards, Kirk Jantzer http://about.met/kirkjantzer On Tue, Aug 20, 2013 at 3:21 PM, Ian Duffy <i...@ianduffy.ie> wrote: > > > > ROOT/user1 is able to authenticate as ROOT/MYDOMAIN/user1 using ldap > > password. > > > Interesting never thought of that possibility. This is partially due to the > nature of how Cloudstack's authentication engine works. > > So what happens is when you attempt to login your username/password is > passed down through different authentication systems so... > Attempt auth against DB using SHA1 pass > Attempt auth against DB using MD5 pass > .... > Attempt auth using LDAP > > For the LDAP stage only the username/password is given. The Username is > looked up in LDAP and a principle. Using this principle and the supplied > password a bind is made. Should be bind be successful the user is > authenticated. > > As far as I'm aware there is no work around for this without modifying > source. My general rule of thumb for it would be to not mix authentication, > either go all internal CS users or all LDAP based users. > > > On 20 August 2013 17:21, Valery Ciareszka <valery.teres...@gmail.com> > wrote: > > > Hi all, > > > > From CS 4.1 docs: > > > > The CloudStack query filter wildcards are: > > Query Filter Wildcard Description > > %u User name > > %e Email address > > %n First and last name > > > > However, I faced a situation when we have two different domains with > > identical users. > > Let's consider ROOT/user1 has corresponding entry at ldap and > > ROOT/MYDOMAIN/user1 does not. > > ROOT/user1 is able to authenticate as ROOT/MYDOMAIN/user1 using ldap > > password. > > > > My question is: is there query filter wildcard to match domain name ? > > > > env used: CS 4.1.0 > > -- > > Regards, > > Valery > > > > http://protocol.by/slayer > > >
