apache / cloudstack

Apache CloudStack is an open source Infrastructure as a Service (IaaS) cloud computing platform
https://cloudstack.apache.org/
Apache License 2.0

CloudStack Add Ldap Account Empty List #8910

Open yuangeqingian opened 5 months ago

yuangeqingian commented 5 months ago

CloudStack Version: 4.19.0.1
OS Version: Ubuntu 22
LDAP search works with stable output for the query: image

Global ldap setting in ACS UI: image image image

My Ldap Configuration: image

When I add an account, the user list shows up empty: image

boring-cyborg[bot] commented 5 months ago

Thanks for opening your first issue here! Be sure to follow the issue template!

yuangeqingian commented 5 months ago

Also, I did some tests. Trying to bind LDAP to a domain, this error comes out: Request failed. (530) com.cloud.exception.InvalidParameterValueException: Unable to bind to the given LDAP server

I checked logs in ACS management.log, this error comes out:

DEBUG [o.a.c.l.LdapContextFactory] (qtp1789718525-1052:ctx-bf2f48df ctx-f171c9d9) (logid:7d7a3c5c) initializing ldap with provider url: ldap://dir.slb.com:389
DEBUG [o.a.c.l.LdapManagerImpl] (qtp1789718525-1052:ctx-bf2f48df ctx-f171c9d9) (logid:7d7a3c5c) NamingException while doing an LDAP bind
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090449, comment: AcceptSecurityContext error, data 52e, v3839]
at java.naming/com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3259)
at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3205)
at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2991)

INFO [c.c.a.ApiServer] (qtp1789718525-1052:ctx-bf2f48df ctx-f171c9d9) (logid:7d7a3c5c) com.cloud.exception.InvalidParameterValueException: Unable to bind to the given LDAP server

yuangeqingian commented 5 months ago

My ldapsearch CLI works ok, but in ACS, it can't list the ldap users.

Could you please help this?

Thanks in advance

DaanHoogland commented 5 months ago

@yuangeqingian, at first look, the exception says that the bind fails. This should mean the login is wrong.

By the looks of your configuration you are going for the manual import of accounts option, is that right?

The bind principal uses DC=DIR in capitals and the basedn uses dc=dir in lowercase. Can you check if that makes a difference?

Do you see any other exceptions in your logs or any error on the ldap side?

yuangeqingian commented 5 months ago

> @yuangeqingian, at first look, the exception says that the bind fails. This should mean the login is wrong.
>
> By the looks of your configuration you are going for the manual import of accounts option, is that right?
>
> The bind principal uses DC=DIR in capitals and the basedn uses dc=dir in lowercase. Can you check if that makes a difference?
>
> Do you see any other exceptions in your logs or any error on the ldap side?

1: Yes, I tried to use manual login
2: I tried all capitals and all lowercase; neither worked
3: the ACS management log shows the following:
DEBUG [o.a.c.l.LdapContextFactory] initializing ldap with provider url: ldap://dir.slb.com:389
DEBUG [o.a.c.l.LdapManagerImpl] NamingException while doing an LDAP bind

DaanHoogland commented 5 months ago

Do you have a more extensive stacktrace for this error?

From the given in-/output I see that on the cli you use -D "dir\Bgc_domain_join" while this is not in the bind principal nor in the binddn. Can this be the issue?
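A small diagnostic for the two things raised so far in this thread: decoding the Active Directory sub-code hidden inside the `error code 49` message from the earlier management log, and naming the form of the bind identity used on the CLI versus in the ACS settings. This is added example code, not part of CloudStack; the sub-code table is the standard AD AcceptSecurityContext list, and the sample log line is copied from the issue above.

```python
import re

# Standard Active Directory sub-codes that accompany "LDAP: error code 49"
# (invalidCredentials). Mapping added for illustration; not CloudStack code.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or bind identity not accepted)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# AD embeds the sub-code as "..., data 52e, ..." in the diagnostic message.
_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-f]+)", re.IGNORECASE)

# Sample line taken from the management log posted in this issue.
SAMPLE_LOG_LINE = (
    "DEBUG [o.a.c.l.LdapManagerImpl] NamingException while doing an LDAP bind "
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: "
    "LdapErr: DSID-0C090449, comment: AcceptSecurityContext error, data 52e, v3839]"
)


def explain_ad_bind_error(log_line: str):
    """Return (subcode, meaning) for an AD 'error code 49' log line, else None."""
    if "error code 49" not in log_line:
        return None
    match = _DATA_RE.search(log_line)
    if not match:
        return ("unknown", "invalid credentials, no AD sub-code present")
    code = match.group(1).lower()
    return (code, AD_BIND_SUBCODES.get(code, "unrecognised AD sub-code"))


def classify_bind_identity(identity: str) -> str:
    """Name the syntactic form of a simple-bind identity so CLI and UI can be compared."""
    if "\\" in identity:
        return "down-level logon name (NETBIOS\\user)"
    if re.match(r"^\s*[A-Za-z]+=", identity):
        return "distinguished name"
    if "@" in identity:
        return "user principal name"
    return "bare account name"


if __name__ == "__main__":
    print(explain_ad_bind_error(SAMPLE_LOG_LINE))
    print(classify_bind_identity("dir\\Bgc_domain_join"))
```

Running it on the posted log line reports `52e`, which AD returns for a wrong password or an unaccepted bind identity, so comparing the identity form used by ldapsearch with the one typed into the ACS settings is the first thing to check.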

yuangeqingian commented 5 months ago

> Do you have a more extensive stacktrace for this error?
>
> From the given in-/output I see that on the cli you use -D "dir\Bgc_domain_join" while this is not in the bind principal nor in the binddn. Can this be the issue?

No, the ldapsearch works perfectly:

image

yuangeqingian commented 5 months ago

> Do you have a more extensive stacktrace for this error?
>
> From the given in-/output I see that on the cli you use -D "dir\Bgc_domain_join" while this is not in the bind principal nor in the binddn. Can this be the issue?

Any more troubleshooting suggestions?

DaanHoogland commented 5 months ago

well, can you configure Apache Directory Studio, just in case it is a java issue? (https://directory.apache.org/studio/)

I usually don't use microsoftad, so can't help you there. You can try to configure an openldap installation. Or use an online service like jumpcloud.

yuangeqingian commented 5 months ago

> well, can you configure Apache Directory Studio, just in case it is a java issue? (https://directory.apache.org/studio/)
>
> I usually don't use microsoftad, so can't help you there. You can try to configure an openldap installation. Or use an online service like jumpcloud.

First: thanks for the quick response. Second: I'm trying to introduce CloudStack to my company; I thought ACS could support the enterprise level. But now I can't even bind my company's AD server and can't pass a POC. It would be a pity if the POC just ended like this.

Third: Do you know where else I can ask questions about that? I don't know how to raise a question on the mailing list.

Thanks a lot in advance!

DaanHoogland commented 5 months ago

@yuangeqingian the manual import you are trying is not really suitable for enterprise implementations I think, but it should work. You can try the autosync method as described in the docs.

You can ask questions on users@cloudstack.apache.org. These are free style, so just state your problem with as much detail as possible and ask your questions. You can also ask here. In both cases you are relying on volunteers, so answers may be late and not applicable to you exactly. This is open source.

There are options for commercial support, when you are ready for that.

yuangeqingian commented 5 months ago

> @yuangeqingian the manual import you are trying is not really suitable for enterprise implementations I think, but it should work. You can try the autosync method as described in the docs.
>
> You can ask questions on users@cloudstack.apache.org. These are free style, so just state your problem with as much detail as possible and ask your questions. You can also ask here. In both cases you are relying on volunteers, so answers may be late and not applicable to you exactly. This is open source.
>
> There are options for commercial support, when you are ready for that.

I made some changes and some other info came out. Somehow I successfully bound the LDAP to a domain using the CLI below: image In the ACS UI I can see the newly added LDAP: image

But this time, when I try to add a user, the "add LDAP user" button is gone: image

yuangeqingian commented 5 months ago

@DaanHoogland any idea how can I fix issue above?

DaanHoogland commented 5 months ago

@yuangeqingian have a look at the doc about ldap and there is also this old upgrade note, maybe it is relevant for you as well.

The above seems an autoimport setup. I do not know why that would remove the add ldap account button, but it means that accounts will be added to the linked domain automatically for users defined in ldap.

yuangeqingian commented 5 months ago

> @yuangeqingian have a look at the doc about ldap and there is also this old upgrade note, maybe it is relevant for you as well.
>
> The above seems an autoimport setup. I do not know why that would remove the add ldap account button, but it means that accounts will be added to the linked domain automatically for users defined in ldap.

Let me check again to see if the issue was on my side, and I'll get back to you.