Thanks Jorge,
Can you describe this in a GitHub issue, please?

On Mon, Nov 22, 2021 at 7:53 PM Jorge Luiz Correa
<jorge.l.cor...@embrapa.br.invalid> wrote:

> Same difficulty here. The way it worked was defining the truststore
> globally. Just after that I defined the ldap configuration inside a domain.
>
> Using API:
>
> cmk -p user@myprofile update configuration name='ldap.truststore' value='/etc/cloudstack/management/cloud.jks'
> cmk -p user@myprofile update configuration name='ldap.truststore.password' value=PASSWORD
> cmk -p user@myprofile add ldapconfiguration hostname=ldapserver.mydomain port=636 domainid="domain uuid here"
> cmk -p user@myprofile update configuration name='ldap.basedn' value='...............' domainid="domain uuid here"
> .
> .
> .
>
>
> Realize that the API accepts configuring ldap.truststore for one domain, but
> this has no effect.
>
> cmk -p user@myprofile update configuration name='ldap.truststore' value='/etc/cloudstack/management/cloud.jks' domainid="domain uuid here"
> <-------
>
> When I configured ldap.truststore in one domain, the connection didn't use
> SSL.
>
> Tks!
>
> On 2021/06/07 20:56:18 Yordan Kostov wrote:
> > Dear community,
> >
> > Currently trying to reconfigure working ACS LDAP authentication to LDAPs but I believe something of importance may be missing in the guide (https://docs.cloudstack.apache.org/en/latest/adminguide/accounts.html#ldap-ssl).
> > It says that if ldap.truststore and ldap.truststore.password are configured it will switch working to LDAPS but that is not the case.
> > The logs confirm LDAP protocol is used when adding host after updating the config - "(logid:aafbef8a) initializing ldap with provider url: ldap://X.X.X.X:636";
> >
> > Here are a few questions to round the issue:
> >
> >   *   API docs (LDAPCONFIG - https://cloudstack.apache.org/api/apidocs-4.15/apis/ldapConfig.html) mention the ability to enable SSL and bind certificate for an ldap host but there is no option to define the domain for the specific ldap configuration.
> >   *   What if multiple domains are present and their configs use the same ldap server. Can the SSL of one domain ldap config be changed one at a time or is this based on ldap host level?
> >   *   ldap.truststore - is syntax something like /opt/CAROOT.crt going to work or it originates from a default directory?
> >   *   ldap.truststore.password - what if the certificate is without password, is it going to work?
> >
> > Any example commands on how this can be done through cloudmonkey will be much appreciated!
> >
> > Best regards,
> > Jordan
> >
> >
> >
>


-- 
Daan
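
A check built around the log message quoted in the thread, added here as an example (not code from the posters or from CloudStack): it reads management-server log lines and lists the LDAP hosts whose most recent "initializing ldap with provider url" message still shows `ldap://` rather than `ldaps://`. The sample lines, their timestamps, log ids and 192.0.2.x addresses are constructed; only the message text comes from the thread.

```python
import re
from urllib.parse import urlsplit

# Message text as quoted in the thread; any prefix a log line carries is ignored.
PROVIDER_RE = re.compile(
    r"(?:\(logid:(?P<logid>[0-9a-f]+)\)\s*)?"
    r"initializing ldap with provider url:\s*(?P<url>ldaps?://[^\s\"';]+)",
    re.IGNORECASE,
)

def latest_provider_urls(lines):
    """Map each LDAP host to (scheme, port, logid) of the last provider URL logged."""
    latest = {}
    for line in lines:
        m = PROVIDER_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        try:
            port = parts.port
        except ValueError:  # malformed port in the logged URL
            continue
        if port is None:  # no explicit port: fall back to the scheme's default
            port = 636 if parts.scheme == "ldaps" else 389
        latest[parts.hostname] = (parts.scheme, port, m.group("logid"))
    return latest

def hosts_still_on_ldap_scheme(lines):
    """(host, port) pairs whose most recent initialization logged ldap://."""
    return sorted((host, port)
                  for host, (scheme, port, _) in latest_provider_urls(lines).items()
                  if scheme == "ldap")

# Constructed sample: 192.0.2.20 was switched to ldaps://, 192.0.2.10 was not.
SAMPLE_LOG = """\
2021-06-07 20:40:01 DEBUG (logid:1a1a1a1a) initializing ldap with provider url: ldap://192.0.2.10:636
2021-06-07 20:41:12 DEBUG (logid:2b2b2b2b) initializing ldap with provider url: ldap://192.0.2.20:389
2021-06-07 20:45:30 DEBUG (logid:3c3c3c3c) initializing ldap with provider url: ldaps://192.0.2.20:636
2021-06-07 20:50:02 INFO  (logid:4d4d4d4d) unrelated message
""".splitlines()

if __name__ == "__main__":
    for host, port in hosts_still_on_ldap_scheme(SAMPLE_LOG):
        print(f"{host}:{port} last initialized with ldap://")
```

Run it against the log after each configuration change: a host that stays in the list after the truststore settings were updated matches the behaviour reported above.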
