Followed Ian's suggestion. sAMAccountName=%u works for Windows 2008 AD.

2013/8/26 Kirk Jantzer <kirk.jant...@gmail.com>:
> What Suresh is referring to is something someone is working on for a future version of CS. In the current versions, I'm not aware of any global settings for LDAP. See this blog post about creating a script to sync your LDAP users into CS. While this may not work for you, it is a starting point on the idea behind bulk adding LDAP-based users into CS.
>
> I take from your reply earlier that things are working as expected now??
>
> Regards,
>
> Kirk Jantzer
> http://about.me/kirkjantzer
>
> On Mon, Aug 26, 2013 at 10:31 AM, 不坏阿峰 <onlydeb...@gmail.com> wrote:
>
>> I have tried searching for ldap in global settings before, but cannot find it.
>> My CloudStack was upgraded from 4.0.2; maybe the new database schema was not imported?
>>
>> 2013/8/26 Suresh Sadhu <suresh.sa...@citrix.com>:
>> > Ian did this part, please visit the link below:
>> >
>> > https://www.youtube.com/watch?v=-3LG8wP7Zac&hd=1
>> >
>> > regards
>> > sadhu
>> >
>> > -----Original Message-----
>> > From: 不坏阿峰 [mailto:onlydeb...@gmail.com]
>> > Sent: 26 August 2013 14:20
>> > To: users@cloudstack.apache.org
>> > Subject: Re: How is Cloudstack work with Active Directory
>> >
>> > Thank you for your quick reply.
>> > Hope that CS 4.2 can use an external LDAP server easily.
>> >
>> > And is there some script to import AD LDAP users into CS?
>> >
>> > 2013/8/26 Suresh Sadhu <suresh.sa...@citrix.com>:
>> >> Please find my answers below:
>> >>
>> >> -----Original Message-----
>> >> From: 不坏阿峰 [mailto:onlydeb...@gmail.com]
>> >> Sent: 26 August 2013 13:21
>> >> To: users@cloudstack.apache.org
>> >> Subject: Re: How is Cloudstack work with Active Directory
>> >>
>> >> About my question: when using Active Directory LDAP for authentication, if I want to use 3 users in AD, do I need to create the 3 same accounts in CS?
>> >>
>> >> *******************sadhu**********
>> >> Yes, as per the current implementation it requires the same accounts in CS.
>> >> ****************
>> >>
>> >> Just now I tested with user dota; this user exists both on AD and CS, just with different passwords. I tested with dota and the user's password in AD, and can log in.
>> >>
>> >> In my experience, if you use an LDAP server, you just need one user to bind to LDAP, then you can query and do authentication for all users in the specific OU. But CS seems somewhat different.
>> >>
>> >> **************sadhu*******
>> >> Yes, you are right: one user is enough to bind and the rest of the users will validate, but in the CS case initial verification happens at DB level and if that fails then authentication happens at LDAP level. Due to this reason (first-level authentication happening at DB level) you need to create the same user (like the same user with a different password) in CS as well. Hope this info will help.
>> >> *********
>> >>
>> >> Could you explain it?
>> >>
>> >> Thanks
>> >>
>> >> 2013/8/26 Ian Duffy <i...@ianduffy.ie>:
>> >>> Try sAMAccountName=%u
>> >>>
>> >>> On 26 August 2013 03:15, 不坏阿峰 <onlydeb...@gmail.com> wrote:
>> >>>
>> >>>> In AD 2008 there is no uid, so I use disPlayname=%u; %u is the CloudStack username.
>> >>>>
>> >>>> I also followed this, installed cloudmonkey and ran ldapconfig with it:
>> >>>>
>> >>>> http://kirkjantzer.blogspot.com/2013/03/ldap-authentication-in-cloudstack-v401.html
>> >>>>
>> >>>> > ldap config hostname=192.168.123.61 searchbase=ou=member,DC=lab,DC=com queryfilter=(diaplayname=%u) binddn=CN=dota,ou=member,DC=lab,DC=com bindpass=123@lab port=389
>> >>>> ldapconfig:
>> >>>> binddn = CN=dota,ou=member,DC=lab,DC=com
>> >>>> hostname = 192.168.123.61
>> >>>> port = false
>> >>>> queryfilter = (diaplayname=%u)
>> >>>> searchbase = ou=member,DC=lab,DC=com
>> >>>>
>> >>>> >> Dn: CN=dota,OU=member,DC=lab,DC=com
>> >>>> 0> objectClass:
>> >>>> 0> cn:
>> >>>> 0> distinguishedName:
>> >>>> 0> instanceType:
>> >>>> 0> whenCreated:
>> >>>> 0> whenChanged:
>> >>>> 0> displayName:
>> >>>> 0> uSNCreated:
>> >>>> 0> uSNChanged:
>> >>>> 0> name:
>> >>>> 0> objectGUID:
>> >>>> 0> userAccountControl:
>> >>>> 0> badPwdCount:
>> >>>> 0> codePage:
>> >>>> 0> countryCode:
>> >>>> 0> badPasswordTime:
>> >>>> 0> lastLogoff:
>> >>>> 0> lastLogon:
>> >>>> 0> pwdLastSet:
>> >>>> 0> primaryGroupID:
>> >>>> 0> objectSid:
>> >>>> 0> accountExpires:
>> >>>> 0> logonCount:
>> >>>> 0> sAMAccountName:
>> >>>> 0> sAMAccountType:
>> >>>> 0> userPrincipalName:
>> >>>> 0> objectCategory:
>> >>>> 0> dSCorePropagationData:
>> >>>> 0> lastLogonTimestamp:
>> >>>>
>> >>>> 2013/8/25 Kirk Jantzer <kirk.jant...@gmail.com>:
>> >>>> > It appears your queryfilter may be incorrect - you are trying to match the %u in CloudStack to 'disPlayname' in AD? Verify that whatever you put into the username field in CS matches whatever is in the 'disPlayname' field in AD (this can be found by opening AD Users and Computers, selecting the menu option to show advanced properties, then looking at the user, then clicking the 'attributes' tab).
>> >>>> >
>> >>>> > Regards,
>> >>>> >
>> >>>> > Kirk Jantzer
>> >>>> > http://about.met/kirkjantzer
>> >>>> >
>> >>>> > On Sat, Aug 24, 2013 at 12:48 PM, 不坏阿峰 <onlydeb...@gmail.com> wrote:
>> >>>> >
>> >>>> >> CloudStack 4.1.1
>> >>>> >> (1). I created the same user, dota, on Active Directory and CS.
>> >>>> >> (2). I have tested an LDAP query with binddn cn=dota,ou=member,dc=lab,dc=com; it is OK, so Active Directory LDAP is ready.
>> >>>> >> (3). There are two users under ou=member,dc=lab,dc=com: dota and csuser01.
>> >>>> >> (4). Enabled integration.api.port=8096 and restarted CS management.
>> >>>> >>
>> >>>> >> Q1: from the CS log the LDAP server is configured, but the IE response is false; what is the correct information?
>> >>>> >>
>> >>>> >> Q2: how many users should be created on both Active Directory and CS? Or only one for the LDAP config, with Active Directory creating the other users just for CS use?
>> >>>> >>
>> >>>> >> Q3: what will change in the UI when the LDAP config succeeds? Can I see users imported from Active Directory? Can I use csuser01 to log in to CS? (I tried to log in but it failed.)
>> >>>> >>
>> >>>> >> http://192.168.230.2:8096/client/api?command=ldapConfig&hostname=192.168.123.61&searchbase=OU%3Dmember%2CDC%3Dlab%2CDC%3Dcom&queryfilter=%28%26%28disPlayname%3D%25u%29%29&binddn=CN%3Ddota%2COU%3Dmember%2CDC%3Dlab%2CDC%3Dcom&bindpass=123@lab&port=389&response=json
>> >>>> >>
>> >>>> >> ####### Got this response:#####
>> >>>> >> { "ldapconfigresponse" : { "ldapconfig" : {"hostname":"192.168.123.61","port":"false","searchbase":"OU=member,DC=lab,DC=com","queryfilter":"(&(disPlayname=%u))","binddn":"CN=dota,OU=member,DC=lab,DC=com"} } }
>> >>>> >>
>> >>>> >> ####### CS log #########
>> >>>> >> 2013-08-24 21:10:44,453 DEBUG [cloud.configuration.ConfigurationManagerImpl] (ApiServer-4:null) The ldap server is configured: 192.168.123.61
>> >>>> >>
>> >>>> >> ######## other thing i checked ######
>> >>>> >> (1) in CS 4.1.1, sharedFunctions.js, var md5HashedLogin = fals
>> >>>> >> (2) when creating dota in CS, for "Network Domain" I put lab.com, and for username I put dota
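The thread turns on two things an operator can check before pushing an ldapConfig call: the queryfilter must name an attribute the AD user object actually carries (AD 2008 has no `uid`, and `diaplayname` is a typo that matches nothing, while `sAMAccountName` works), and the response should echo a numeric port rather than `"false"`. It also substitutes the CloudStack username into the filter via `%u`; whoever does that substitution should escape the value per RFC 4515 so that a username cannot change the filter's structure. The script below is an added example, not CloudStack or CloudMonkey code: it validates a parameter set offline, renders the filter with proper escaping, and builds the integration-API URL in the shape the thread used. The attribute set is constructed from the ldp.exe dump in the thread, `check_ldapconfig`, `render_queryfilter` and `ldapconfig_url` are hypothetical helper names, and the bind password is a placeholder.

```python
import re
from urllib.parse import urlencode

# RFC 4515 escaping for values substituted into an LDAP search filter.
# Without it, a username containing '*', '(', ')' or '\' would alter the
# filter's structure instead of being matched as a literal string.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_queryfilter(template: str, username: str) -> str:
    """Replace the CloudStack-style %u placeholder with the escaped username."""
    if "%u" not in template:
        raise ValueError("queryfilter has no %u placeholder for the username")
    return template.replace("%u", escape_filter_value(username))


# Attribute names on the AD 2008 user object, constructed from the ldp.exe
# dump quoted in the thread. Note that there is no 'uid' attribute.
AD_USER_ATTRIBUTES = {
    "objectClass", "cn", "distinguishedName", "instanceType", "whenCreated",
    "whenChanged", "displayName", "uSNCreated", "uSNChanged", "name",
    "objectGUID", "userAccountControl", "badPwdCount", "codePage",
    "countryCode", "badPasswordTime", "lastLogoff", "lastLogon", "pwdLastSet",
    "primaryGroupID", "objectSid", "accountExpires", "logonCount",
    "sAMAccountName", "sAMAccountType", "userPrincipalName", "objectCategory",
    "dSCorePropagationData", "lastLogonTimestamp",
}
_AD_ATTRS_LOWER = {a.lower() for a in AD_USER_ATTRIBUTES}

# Attribute name of a simple filter item such as "(sAMAccountName=%u)".
_FILTER_ITEM = re.compile(r"\(\s*([A-Za-z][A-Za-z0-9\-;.]*)\s*(?:[~<>]?=)")


def check_ldapconfig(cfg: dict) -> list:
    """Return a list of problems in an ldapConfig parameter set (empty = OK).

    LDAP attribute names are case-insensitive, so 'disPlayname' is accepted
    while the misspelling 'diaplayname' is reported.
    """
    problems = []
    for key in ("hostname", "searchbase", "binddn", "queryfilter"):
        if not cfg.get(key):
            problems.append(f"{key} is missing or empty")

    port = cfg.get("port")
    if not (isinstance(port, int) or (isinstance(port, str) and port.isdigit())):
        problems.append(f"port is {port!r}; expected a number such as 389 or 636")

    qf = str(cfg.get("queryfilter", ""))
    if qf:
        if "%u" not in qf:
            problems.append("queryfilter does not contain the %u username placeholder")
        if qf.count("(") != qf.count(")"):
            problems.append("queryfilter has unbalanced parentheses")
        for attr in _FILTER_ITEM.findall(qf):
            if attr.lower() not in _AD_ATTRS_LOWER:
                problems.append(f"queryfilter attribute {attr!r} is not on the AD user object")
    return problems


def ldapconfig_url(base_url: str, cfg: dict) -> str:
    """Build the integration-API request in the form the thread used, URL-encoded."""
    params = {"command": "ldapConfig", **cfg, "response": "json"}
    return f"{base_url}?{urlencode(params)}"


if __name__ == "__main__":
    # Constructed to mirror the thread's values; bindpass is a placeholder.
    broken = {
        "hostname": "192.168.123.61",
        "searchbase": "OU=member,DC=lab,DC=com",
        "queryfilter": "(&(diaplayname=%u))",
        "binddn": "CN=dota,OU=member,DC=lab,DC=com",
        "bindpass": "BINDPASS_PLACEHOLDER",
        "port": "false",
    }
    fixed = dict(broken, queryfilter="(sAMAccountName=%u)", port=389)
    print("broken:", check_ldapconfig(broken))
    print("fixed: ", check_ldapconfig(fixed))
    print(render_queryfilter(fixed["queryfilter"], "dota"))
    print(ldapconfig_url("http://cs-mgmt.example:8096/client/api", fixed))
```

Run it as-is to see the `diaplayname` and `port` findings for the thread's configuration and a clean result for the `sAMAccountName` version. The bind password travels in the query string of the integration API on port 8096, so keep that port bound to a trusted network and out of proxy logs.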