Yordan,
Sorry to keep you waiting all week till my Friday maillist session ;)

As for SSL enabled or not, the code is due some improvements, but at the
moment the presence of a truststore configuration is all that is needed to
enable SSL. From the ldap-plugin:
```
// SSL is switched on only when both the truststore path and its password are configured;
// a truststore without a password leaves this false and the plain ldap:// URL is used.
public boolean getSSLStatus() {
    boolean sslStatus = false;
    if (getTrustStore() != null && getTrustStorePassword() != null) {
        sslStatus = true;
    }
    return sslStatus;
}
```

I have not used this myself, so can't confirm it works, and you might
have hit a bug.


  *   API docs (LDAPCONFIG -
https://cloudstack.apache.org/api/apidocs-4.15/apis/ldapConfig.html)
mention the ability to enable SSL and bind certificate for an ldap
host but there is no option to define the domain for the specific ldap
configuration.

What version are you using? The latest version does allow you to
specify a domain. In some versions before you could only do this in the
API (since 4.13 I think; there is actually no @since on the domain
parameter and that's my bad :( )

  *   What if multiple domains are present and their configs use the same
ldap server. Can the SSL of one domain ldap config be changed one at a time
or is this based on ldap host level
The description of SSL enabling above is at system level.
  *   ldap.truststore - is syntax something like /opt/CAROOT.crt going to
work or it originates from a default directory?
Yes, in theory.
  *   ldap.truststore.password - what if the certificate is without
password, is it going to work?
No, as the code above shows.

Here's a very unworthy script only suitable for testing and fooling around:
```
#!/bin/bash
# Create a domain mapped to LDAP server 1, point it at that server and link
# two accounts to LDAP groups. Each cloudmonkey call is on a single line.

# Bind passwords come from the environment; bail out if either is missing.
# (The LDAP2PASSWORD part for the second server is not shown here.)
if [ -z "$LDAP1PASSWORD" ] || [ -z "$LDAP2PASSWORD" ]; then
    echo "set LDAP1PASSWORD and LDAP2PASSWORD in the environment" >&2
    exit 1
fi
# LDAP1PASSWORD="strikt geheim"   # example value only; must not override the check above

# jq -r strips the quotes so the ids can be passed straight to cloudmonkey
ROOTDOMAIN=$(cloudmonkey -d json list domains name=ROOT filter=id | jq -r '.domain[0].id')

# mapping domain and account(s) from ldap server 1
MAPPEDDOMAIN1=$(cloudmonkey -d json create domain name=mappedDomain1 parentdomainid="$ROOTDOMAIN" | jq -r '.domain.id')

cloudmonkey -d json add ldapconfiguration hostname=10.1.2.5 port=389 domainid="$MAPPEDDOMAIN1"

# ldap settings scoped to the mapped domain via domainid
cloudmonkey -d json update configuration domainid="$MAPPEDDOMAIN1" name=ldap.basedn value='dc=acs,dc=echt,dc=net'
cloudmonkey -d json update configuration domainid="$MAPPEDDOMAIN1" name=ldap.bind.principal value='cn=admin,dc=acs,dc=echt,dc=net'
cloudmonkey -d json update configuration domainid="$MAPPEDDOMAIN1" name=ldap.bind.password value="$LDAP1PASSWORD"
cloudmonkey -d json update configuration domainid="$MAPPEDDOMAIN1" name=ldap.search.group.principle value='cn=AcsAccessGroup,dc=acs,dc=echt,dc=net'
cloudmonkey -d json update configuration domainid="$MAPPEDDOMAIN1" name=ldap.user.memberof.attribute value=memberOf

# accounts in the mapped domain, each linked to an ldap group
cloudmonkey -d json ldap createaccount account=seniors accounttype=2 domainid="$MAPPEDDOMAIN1" username=yordan
cloudmonkey -d json link accounttoldap account=seniors accounttype=2 domainid="$MAPPEDDOMAIN1" ldapdomain='cn=AcsSeniorAdmins,ou=AcsGroups,dc=acs,dc=echt,dc=net' type=GROUP

cloudmonkey -d json ldap createaccount account=juniors accounttype=0 domainid="$MAPPEDDOMAIN1" username=jordan
cloudmonkey -d json link accounttoldap account=juniors accounttype=0 domainid="$MAPPEDDOMAIN1" ldapdomain='cn=AcsJuniorAdmins,ou=AcsGroups,dc=acs,dc=echt,dc=net' type=GROUP
```
Names have been changed to protect the guilty.

Hope any of this helps you,

On Mon, Jun 7, 2021 at 10:56 PM Yordan Kostov <yord...@nsogroup.com> wrote:

> Dear community,
>
> Currently trying to reconfigure working ACS LDAP
> authentication to LDAPs but I believe something of importance may be
> missing in the guide (
> https://docs.cloudstack.apache.org/en/latest/adminguide/accounts.html#ldap-ssl
> ).
> It says that if ldap.truststore and
> ldap.truststore.password are configured it will switch working to LDAPS but
> that is not the case.
> The logs confirm LDAP protocol is used when adding host
> after updating the config  - "(logid:aafbef8a) initializing ldap with
> provider url: ldap://X.X.X.X:636"
>
> Here are a few questions to round the issue:
>
>   *   API docs (LDAPCONFIG -
> https://cloudstack.apache.org/api/apidocs-4.15/apis/ldapConfig.html)
> mention the ability to enable SSL and bind certificate for an ldap host but
> there is no option to define the domain for the specific ldap configuration.
>   *   What if multiple domains are present and their configs use the same
> ldap server. Can the SSL of one domain ldap config be changed one at a time
> or is this based on ldap host level
>   *   ldap.truststore - is syntax something like /opt/CAROOT.crt going to
> work or it originates from a default directory?
>   *   ldap.truststore.password - what if the certificate is without
> password, is it going to work?
>
> Any example commands on how this can be done through cloudmonkey will be
> much appreciated!
>
> Best regards,
> Jordan
>
>
>

-- 
Daan

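As an added example (not code from the thread or from CloudStack itself), the script below puts the two settings that getSSLStatus() checks next to each other: a check that mirrors the plugin's logic, a keytool call that builds the Java truststore ldap.truststore has to point at, the cloudmonkey calls that set ldap.truststore and ldap.truststore.password (globally, or scoped to a domain when a domainid is given), and an openssl check of the LDAPS endpoint that is independent of CloudStack. The truststore path, the CA file, the storepass, the LDAP host and the domain id are assumptions for illustration.

```shell
#!/bin/bash
# Added example, not code from the thread or from CloudStack itself.
# Paths, the CA file, the LDAP host, the storepass and the domain id are
# assumptions for illustration.

# Mirror of getSSLStatus(): LDAPS is enabled only when BOTH the truststore
# path and the truststore password are set. A truststore without a password
# therefore leaves the provider URL at plain ldap://host:636.
ldaps_would_be_enabled() {
    local truststore="$1" password="$2"
    [ -n "$truststore" ] && [ -n "$password" ]
}

# Build a PKCS12 truststore holding the LDAP server's CA certificate.
# ldap.truststore must point at a Java keystore, not at the bare CA .crt,
# so the PEM file is imported with keytool (ships with the JDK on the
# management server). Not run by default: needs keytool and the CA file.
build_truststore() {
    local ca_pem="$1" store="$2" storepass="$3"
    [ -r "$ca_pem" ] || { echo "CA file $ca_pem not readable" >&2; return 1; }
    keytool -importcert -noprompt -trustcacerts -alias ldap-ca \
        -file "$ca_pem" -keystore "$store" -storetype PKCS12 \
        -storepass "$storepass"
}

# Print the cloudmonkey calls that set the two values. Without a domainid the
# settings are global (system level); with one they are scoped to that domain.
ldaps_config_commands() {
    local store="$1" storepass="$2" domainid="$3"
    local scope=""
    [ -n "$domainid" ] && scope=" domainid=$domainid"
    printf "cloudmonkey -d json update configuration%s name=ldap.truststore value='%s'\n" "$scope" "$store"
    printf "cloudmonkey -d json update configuration%s name=ldap.truststore.password value='%s'\n" "$scope" "$storepass"
}

# Independent TLS check of the LDAPS endpoint with the same CA, so a handshake
# or trust failure can be told apart from a CloudStack configuration problem.
# Not run by default: needs network access and openssl.
verify_ldaps_endpoint() {
    local host="$1" ca_pem="$2"
    openssl s_client -connect "$host:636" -CAfile "$ca_pem" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# Dry run: what a complete and an incomplete configuration would do, and the
# commands for the global (system level) case.
STORE=/etc/cloudstack/management/ldap-truststore.p12   # assumed path
if ldaps_would_be_enabled "$STORE" "changeit"; then
    echo "truststore + password set: getSSLStatus() would be true, ldaps is used"
fi
if ! ldaps_would_be_enabled "$STORE" ""; then
    echo "truststore without password: getSSLStatus() stays false, plain ldap:// is used"
fi
ldaps_config_commands "$STORE" "changeit" ""
```

To actually switch a management server over: `build_truststore /opt/CAROOT.crt "$STORE" changeit`, run the two printed cloudmonkey commands (add `domainid=...` as the third argument for a per-domain configuration), then `verify_ldaps_endpoint ldap.example.net /opt/CAROOT.crt` to confirm the server's certificate chains to the same CA before re-adding the LDAP host.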