Not that I doubted you, but I had to check for myself: I removed the network domain from the accounts and they were able to log in fine.
Regards,
Kirk Jantzer
http://about.met/kirkjantzer

On Tue, Aug 20, 2013 at 3:41 PM, Ian Duffy <i...@ianduffy.ie> wrote:

> From what I recall of code that I browsed through the "network domain"
> field is not read during the LDAP authentication phase.
>
>
> On 20 August 2013 20:27, Kirk Jantzer <kirk.jant...@gmail.com> wrote:
>
> > To add, if root/user1 and root/mydomain/user1 have the network domain
> > credentials set, they should look in ldap, right??
> >
> >
> > Regards,
> >
> > Kirk Jantzer
> > http://about.met/kirkjantzer
> >
> >
> > On Tue, Aug 20, 2013 at 3:21 PM, Ian Duffy <i...@ianduffy.ie> wrote:
> >
> > > >
> > > > ROOT/user1 is able to authenticate as ROOT/MYDOMAIN/user1 using ldap
> > > > password.
> > >
> > >
> > > Interesting, never thought of that possibility. This is partially due to
> > > the nature of how Cloudstack's authentication engine works.
> > >
> > > So what happens is when you attempt to login your username/password is
> > > passed down through different authentication systems so...
> > > Attempt auth against DB using SHA1 pass
> > > Attempt auth against DB using MD5 pass
> > > ....
> > > Attempt auth using LDAP
> > >
> > > For the LDAP stage only the username/password is given. The Username is
> > > looked up in LDAP and a principal. Using this principal and the supplied
> > > password a bind is made. Should the bind be successful the user is
> > > authenticated.
> > >
> > > As far as I'm aware there is no workaround for this without modifying
> > > source. My general rule of thumb for it would be to not mix
> > > authentication, either go all internal CS users or all LDAP based users.
> > >
> > >
> > > On 20 August 2013 17:21, Valery Ciareszka <valery.teres...@gmail.com>
> > > wrote:
> > >
> > > > Hi all,
> > > >
> > > > From CS 4.1 docs:
> > > >
> > > > The CloudStack query filter wildcards are:
> > > >
> > > > Query Filter Wildcard   Description
> > > > %u                      User name
> > > > %e                      Email address
> > > > %n                      First and last name
> > > >
> > > > However, I faced a situation when we have two different domains with
> > > > identical users.
> > > > Let's consider ROOT/user1 has corresponding entry at ldap and
> > > > ROOT/MYDOMAIN/user1 does not.
> > > > ROOT/user1 is able to authenticate as ROOT/MYDOMAIN/user1 using ldap
> > > > password.
> > > >
> > > > My question is: is there query filter wildcard to match domain name ?
> > > >
> > > > env used: CS 4.1.0
> > > > --
> > > > Regards,
> > > > Valery
> > > >
> > > > http://protocol.by/slayer
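The authenticator chain described in the quoted reply above, as an added example that is not part of the original thread and is not CloudStack code: a simplified Python model showing why an LDAP stage that receives only username and password accepts the directory password for a same-named account in another domain, next to a variant that scopes the LDAP stage to the account. The accounts, passwords and the `LDAP_ACCOUNTS` mapping are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: the same username in two domains, as in the thread.
ACCOUNTS = {
    ("ROOT", "user1"): None,  # no local password, relies on LDAP
    ("ROOT/MYDOMAIN", "user1"): ("sha1", hashlib.sha1(b"local-pw").hexdigest()),
}
# Constructed directory: entries are keyed by username only, no domain.
LDAP_DIRECTORY = {"user1": "ldap-pw"}
# Hypothetical mapping (not a CloudStack setting): accounts allowed to use LDAP.
LDAP_ACCOUNTS = {("ROOT", "user1")}


def db_auth(domain, username, password, algo):
    """DB stage: compare a digest of the password with the stored hash."""
    stored = ACCOUNTS.get((domain, username))
    if stored is None or stored[0] != algo:
        return False
    digest = hashlib.new(algo, password.encode()).hexdigest()
    return hmac.compare_digest(digest, stored[1])


def ldap_auth(username, password):
    """LDAP stage stand-in: look up the username, then 'bind' with the password."""
    expected = LDAP_DIRECTORY.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def login_chain(domain, username, password):
    """Chain as described in the thread: the LDAP stage never sees the domain."""
    if (domain, username) not in ACCOUNTS:
        return False
    if any(db_auth(domain, username, password, a) for a in ("sha1", "md5")):
        return True
    return ldap_auth(username, password)


def login_chain_scoped(domain, username, password):
    """Same chain, but LDAP is tried only for accounts mapped to the directory."""
    if (domain, username) not in ACCOUNTS:
        return False
    if any(db_auth(domain, username, password, a) for a in ("sha1", "md5")):
        return True
    return (domain, username) in LDAP_ACCOUNTS and ldap_auth(username, password)
```
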