I have tried searching for "ldap" in Global Settings before, but cannot find it. My CloudStack was upgraded from 4.0.2; maybe the new database schema was not imported?
2013/8/26 Suresh Sadhu <suresh.sa...@citrix.com>:
> Ian did this part, please visit the link below:
>
> https://www.youtube.com/watch?v=-3LG8wP7Zac&hd=1
>
> regards
> sadhu
>
> -----Original Message-----
> From: 不坏阿峰 [mailto:onlydeb...@gmail.com]
> Sent: 26 August 2013 14:20
> To: users@cloudstack.apache.org
> Subject: Re: How is Cloudstack work with Active Directory
>
> Thank you for your quick reply.
> I hope that CS 4.2 can use an external LDAP server easily.
>
> And is there some script to import AD LDAP users into CS?
>
>
> 2013/8/26 Suresh Sadhu <suresh.sa...@citrix.com>:
>> Please find my answers below:
>>
>>
>> -----Original Message-----
>> From: 不坏阿峰 [mailto:onlydeb...@gmail.com]
>> Sent: 26 August 2013 13:21
>> To: users@cloudstack.apache.org
>> Subject: Re: How is Cloudstack work with Active Directory
>>
>> About my question: when using Active Directory LDAP for
>> authentication, if I want to use 3 users in AD, do I need to create
>> the same 3 accounts in CS?
>>
>> *******************sadhu**********
>> Yes, as per the current implementation it requires the same accounts in CS.
>> ****************
>> Just now I tested with dota; this user exists both in AD and in CS, just
>> with different passwords. I tested with dota and the user's password in AD,
>> and could log in.
>>
>> In my experience, when using an LDAP server you only need one user to bind
>> to LDAP; then you can query and authenticate all users in the specific OU.
>> But CS seems somewhat different.
>>
>> **************sadhu*******
>> Yes, you are right: one user is enough to bind, and the rest of the users
>> will be validated. But in the CS case, initial verification happens at the
>> DB level, and if it fails then authentication happens at the LDAP level.
>> Due to this reason (first-level authentication happening at the DB level)
>> you need to create the same user (i.e. the same user with a different
>> password) in CS as well. Hope this info will help.
>> *********
>>
>> Could you explain it?
>>
>> thanks
>>
>> 2013/8/26 Ian Duffy <i...@ianduffy.ie>:
>>> Try sAMAccountName=%u
>>>
>>>
>>> On 26 August 2013 03:15, 不坏阿峰 <onlydeb...@gmail.com> wrote:
>>>
>>>> In AD 2008 there is no uid, so I use disPlayname=%u, where %u is the
>>>> CloudStack username.
>>>>
>>>> I also followed this: installed CloudMonkey and ran ldapConfig with it.
>>>>
>>>> http://kirkjantzer.blogspot.com/2013/03/ldap-authentication-in-cloudstack-v401.html
>>>>
>>>> > ldap config hostname=192.168.123.61 searchbase=ou=member,DC=lab,DC=com queryfilter=(diaplayname=%u) binddn=CN=dota,ou=member,DC=lab,DC=com bindpass=123@lab port=389
>>>> ldapconfig:
>>>> binddn = CN=dota,ou=member,DC=lab,DC=com
>>>> hostname = 192.168.123.61
>>>> port = false
>>>> queryfilter = (diaplayname=%u)
>>>> searchbase = ou=member,DC=lab,DC=com
>>>>
>>>>
>>>> >> Dn: CN=dota,OU=member,DC=lab,DC=com
>>>>     0> objectClass:
>>>>     0> cn:
>>>>     0> distinguishedName:
>>>>     0> instanceType:
>>>>     0> whenCreated:
>>>>     0> whenChanged:
>>>>     0> displayName:
>>>>     0> uSNCreated:
>>>>     0> uSNChanged:
>>>>     0> name:
>>>>     0> objectGUID:
>>>>     0> userAccountControl:
>>>>     0> badPwdCount:
>>>>     0> codePage:
>>>>     0> countryCode:
>>>>     0> badPasswordTime:
>>>>     0> lastLogoff:
>>>>     0> lastLogon:
>>>>     0> pwdLastSet:
>>>>     0> primaryGroupID:
>>>>     0> objectSid:
>>>>     0> accountExpires:
>>>>     0> logonCount:
>>>>     0> sAMAccountName:
>>>>     0> sAMAccountType:
>>>>     0> userPrincipalName:
>>>>     0> objectCategory:
>>>>     0> dSCorePropagationData:
>>>>     0> lastLogonTimestamp:
>>>>
>>>> 2013/8/25 Kirk Jantzer <kirk.jant...@gmail.com>:
>>>> > It appears your queryfilter may be incorrect - you are trying to match
>>>> > the %u in CloudStack to 'disPlayname' in AD? Verify that whatever you
>>>> > put into the username field in CS matches whatever is in the
>>>> > 'disPlayname' field in AD (this can be found by opening AD Users and
>>>> > Computers, selecting the menu option to show advanced properties, then
>>>> > looking at the user, then clicking the 'attributes' tab).
>>>> >
>>>> >
>>>> > Regards,
>>>> >
>>>> > Kirk Jantzer
>>>> > http://about.met/kirkjantzer
>>>> >
>>>> >
>>>> > On Sat, Aug 24, 2013 at 12:48 PM, 不坏阿峰 <onlydeb...@gmail.com> wrote:
>>>> >
>>>> >> CloudStack 4.1.1
>>>> >> (1). I created the same user, dota, in Active Directory and in CS.
>>>> >> (2). I have tested an LDAP query with binddn
>>>> >> cn=dota,ou=member,dc=lab,dc=com; it is OK, so Active Directory LDAP
>>>> >> is ready.
>>>> >> (3). There are two users under ou=member,dc=lab,dc=com: dota and
>>>> >> csuser01.
>>>> >> (4). Enabled integration.api.port=8096 and restarted CS management.
>>>> >>
>>>> >> Q1: From the CS log, the LDAP server is configured, but IE responds
>>>> >> "false". What is the correct information?
>>>> >>
>>>> >> Q2: How many users should be created on both Active Directory and CS?
>>>> >> Or only one for the LDAP config, with Active Directory creating the
>>>> >> other users just for CS to use?
>>>> >>
>>>> >> Q3: What will change in the UI when the LDAP config succeeds? Can I
>>>> >> see users imported from Active Directory? Can I use csuser01 to log
>>>> >> in to CS? (I tried to log in, but it failed.)
>>>> >>
>>>> >>
>>>> >> http://192.168.230.2:8096/client/api?command=ldapConfig&hostname=192.168.123.61&searchbase=OU%3Dmember%2CDC%3Dlab%2CDC%3Dcom&queryfilter=%28%26%28disPlayname%3D%25u%29%29&binddn=CN%3Ddota%2COU%3Dmember%2CDC%3Dlab%2CDC%3Dcom&bindpass=123@lab&port=389&response=json
>>>> >>
>>>> >> ####### Got this response: #####
>>>> >> { "ldapconfigresponse" : { "ldapconfig" :
>>>> >> {"hostname":"192.168.123.61","port":"false","searchbase":"OU=member,DC=lab,DC=com","queryfilter":"(&(disPlayname=%u))","binddn":"CN=dota,OU=member,DC=lab,DC=com"}
>>>> >> } }
>>>> >>
>>>> >> ####### CS log #########
>>>> >> 2013-08-24 21:10:44,453 DEBUG [cloud.configuration.ConfigurationManagerImpl] (ApiServer-4:null) The ldap server is configured: 192.168.123.61
>>>> >>
>>>> >> ######## other things I checked ######
>>>> >> (1) In CS 4.1.1, sharedFunctions.js: var md5HashedLogin = false
>>>> >> (2) When creating dota in CS, for "Network Domain" I put lab.com, and
>>>> >> for username I put dota
>>>> >>
>>>>
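The flow the thread is circling around (bind once with the configured service account, search the OU with the queryfilter after substituting %u, then authenticate the matched entry with the user's own password), as an added example that is not CloudStack's code and makes no claim about how CloudStack itself performs the substitution. The hostname, searchbase, binddn and the filters (sAMAccountName=%u), (&(disPlayname=%u)) and (diaplayname=%u) are taken from the thread; the in-memory DIRECTORY, its toy passwords, the RFC 4515 escaping and every helper name are this example's own constructions so that it runs offline against the same shapes of input.

```python
"""Search-then-bind authentication against a toy AD-like directory.

Added example, not CloudStack code.  Models the steps discussed in the
thread: service bind -> search with queryfilter (%u substituted) -> user bind.
"""
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed toy directory standing in for OU=member,DC=lab,DC=com.
# The "_password" values are made up for the example; they are never real.
DIRECTORY = {
    "CN=dota,OU=member,DC=lab,DC=com": {
        "sAMAccountName": "dota",
        "displayName": "dota",
        "userPrincipalName": "dota@lab.com",
        "_password": "123@lab",
    },
    "CN=csuser01,OU=member,DC=lab,DC=com": {
        "sAMAccountName": "csuser01",
        "displayName": "CS User 01",
        "userPrincipalName": "csuser01@lab.com",
        "_password": "cs-pass-01",
    },
}

# The thread's ldapConfig parameters, with Ian's AD filter.
CFG = {
    "hostname": "192.168.123.61",
    "searchbase": "OU=member,DC=lab,DC=com",
    "queryfilter": "(sAMAccountName=%u)",
    "binddn": "CN=dota,OU=member,DC=lab,DC=com",
    "bindpass": "123@lab",
    "port": 389,
}

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def rfc4515_escape(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515 section 3)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(queryfilter, username):
    """Replace %u in the configured queryfilter with the escaped login name."""
    if "%u" not in queryfilter:
        raise ValueError("queryfilter must contain the %u placeholder")
    return queryfilter.replace("%u", rfc4515_escape(username))


_SIMPLE = re.compile(r"^\((\w+)=([^()]*)\)$")


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _matches(entry, ldap_filter):
    """Evaluate (attr=value), or one level of (&...)/(|...) around such terms.
    Attribute names compare case-insensitively, as LDAP does.  Because values
    were escaped, no literal parenthesis can appear inside a term."""
    if ldap_filter.startswith(("(&", "(|")):
        op = ldap_filter[1]
        results = [_matches(entry, t) for t in re.findall(r"\([^()]*\)", ldap_filter[2:-1])]
        return all(results) if op == "&" else any(results)
    m = _SIMPLE.match(ldap_filter)
    if not m:
        raise ValueError("unsupported filter: " + ldap_filter)
    attr, value = m.group(1).lower(), _unescape(m.group(2))
    attrs = {k.lower(): v for k, v in entry.items() if not k.startswith("_")}
    return attrs.get(attr) == value


def search(cfg, username):
    """Bind as the service account, then return the DNs matching the filter."""
    svc = DIRECTORY.get(cfg["binddn"])
    if svc is None or svc["_password"] != cfg["bindpass"]:
        raise PermissionError("service bind failed for " + cfg["binddn"])
    ldap_filter = build_filter(cfg["queryfilter"], username)
    base = cfg["searchbase"].lower()
    return [dn for dn, e in DIRECTORY.items()
            if dn.lower().endswith(base) and _matches(e, ldap_filter)]


def authenticate(cfg, username, password):
    """Return the user's DN on success; None if no single match or bad password."""
    hits = search(cfg, username)
    if len(hits) != 1:
        return None
    return hits[0] if DIRECTORY[hits[0]]["_password"] == password else None


def ldapconfig_url(api_base, cfg):
    """Encode the ldapConfig call as in the thread: %u becomes %25u and the
    parentheses become %28/%29 in the query string."""
    return api_base + "?" + urlencode({"command": "ldapConfig", **cfg, "response": "json"})


def decode_query(url):
    """Decode the query string back into single-valued parameters."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


if __name__ == "__main__":
    print(authenticate(CFG, "csuser01", "cs-pass-01"))
    print(search(dict(CFG, queryfilter="(diaplayname=%u)"), "dota"))
    print(ldapconfig_url("http://192.168.230.2:8096/client/api", CFG))
```

Two of the thread's details fall out of this directly: the CloudMonkey filter (diaplayname=%u) names an attribute no entry has, so the search returns nothing, while (&(disPlayname=%u)) matches dota because attribute names are case-insensitive, and a login such as dota)(objectClass=* is escaped into a literal value that matches no entry rather than rewriting the filter. Separately, the thread sends bindpass in a URL to the integration port; that port has no authentication of its own, so keep it bound to localhost or firewalled and rotate the bind account's password if it has been pasted into a mailing list.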