Tuesday 18 June 2013

Configuring cloudstack to authenticate against LDAP

Cloudstack currently has a basic implementation of authentication against LDAP. In this post I will detail how I configured it to authenticate against the OpenLDAP server I set up in a past post.

Log in as an admin, navigate to the accounts page and create a new user. The domain must match your LDAP domain and the username must match the user's uid in LDAP. The password you enter here can be anything: once LDAP authentication is configured it is the user's LDAP password that is checked, not the one stored by Cloudstack.

Go into global settings and enable the integration API by setting integration.api.port (8096 in the examples below). Then request http://ip-of-your-manager:8096/client/api?command=ldapConfig with the following parameters (the names are the ones the API expects; the values are from my lab):

hostname: ldap.clouddev.lan
searchbase: ou=users,dc=clouddev,dc=lan
queryfilter: (&(uid=%u))
binddn: CN=Manager,DC=clouddev,DC=lan
bindpass: PASSWORD
port: 389

Two things to keep in mind. The integration API port accepts commands without any authentication, so only expose it on a trusted interface (or reach it over an SSH tunnel to the management server) and unset integration.api.port again once you are done. And the bind password travels in the URL query string, so it will land in your browser history and possibly in the management server's access logs; use a dedicated, low-privilege bind account.

An example URL for this (everything percent-encoded once) would be as follows:

http://ip-of-your-manager:8096/client/api?command=ldapConfig&hostname=ldap.clouddev.lan&searchbase=OU%3DUsers,DC%3Dclouddev,DC%3Dlan&queryfilter=%28%26%28uid%3D%25u%29%29&binddn=CN%3DManager,DC%3Dclouddev,DC%3Dlan&bindpass=PASSWORD&port=389&response=json
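Rather than hand-encoding the query string, let a library do it and decode it back to confirm what the management server will actually receive. The following is an added example of mine, not code from this post or from the CloudStack project. It builds the ldapConfig URL from the parameters above, round-trips it, previews the search filter for a given login name with RFC 4515 escaping, and emits an ldapsearch command for checking the bind DN, search base and filter against the directory before pointing Cloudstack at it. The manager address 10.0.0.5 and the test user tjoseph1 are made-up values.

```python
"""Build, decode and sanity-check a CloudStack ldapConfig call.

Added example for this post, not code from the original page or from the
CloudStack project. It assumes the ldapConfig parameters used in the post
(hostname, port, searchbase, queryfilter, binddn, bindpass), the integration
API listening on 8096, and a constructed manager address of 10.0.0.5.
"""
import shlex
from urllib.parse import parse_qs, urlencode, urlsplit

# The values from the post; PASSWORD is a placeholder, not a real secret.
LDAP_PARAMS = {
    "hostname": "ldap.clouddev.lan",
    "port": "389",
    "searchbase": "ou=users,dc=clouddev,dc=lan",
    "queryfilter": "(&(uid=%u))",
    "binddn": "CN=Manager,DC=clouddev,DC=lan",
    "bindpass": "PASSWORD",
}

# RFC 4515 escapes for values substituted into a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string so it is matched literally inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(queryfilter: str, username: str) -> str:
    """Preview the filter that will be searched with for one login name.

    %u is the placeholder the post uses. The escaping here is for this
    preview and the ldapsearch command below; whether CloudStack escapes
    the login name itself is not something this post establishes.
    """
    return queryfilter.replace("%u", escape_filter_value(username))


def ldap_config_url(manager: str, params: dict, port: int = 8096) -> str:
    """Percent-encode the parameters once, the way curl or a browser expects.

    urlencode turns '(&(uid=%u))' into '%28%26%28uid%3D%25u%29%29', which is
    exactly what the hand-built URL in the post contains. Encoding by hand,
    or letting a UI HTML-encode the value, is how the '&' gets mangled.
    """
    query = urlencode({"command": "ldapConfig", **params, "response": "json"})
    return f"http://{manager}:{port}/client/api?{query}"


def decode_query(url: str) -> dict:
    """Round-trip check: the parameters as the management server will see them."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def ldapsearch_command(params: dict, username: str) -> str:
    """An ldapsearch call mirroring the first step of search-then-bind auth:
    bind as binddn, search under searchbase with the rendered filter.
    It should return exactly one entry, with its full DN.
    -W prompts for the bind password rather than putting it on the command line.
    """
    args = [
        "ldapsearch", "-x", "-LLL",
        "-H", f"ldap://{params['hostname']}:{params['port']}",
        "-D", params["binddn"], "-W",
        "-b", params["searchbase"],
        render_filter(params["queryfilter"], username), "dn",
    ]
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    url = ldap_config_url("10.0.0.5", LDAP_PARAMS)
    print(url)
    print(decode_query(url)["queryfilter"])
    print(ldapsearch_command(LDAP_PARAMS, "tjoseph1"))
```

The ldapsearch line is worth running before the ldapConfig call: the authenticator first binds as binddn and searches with the filter, then binds again as the DN it found using the password the user typed, so the search has to succeed and return one entry with a usable DN for the second bind to have any chance.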


Note: In versions 4.2.0 and later there is a UI feature under global settings for configuring authentication against an LDAP server. However, when I used it I found it ran HTML encoding on my query filter, which corrupts a filter containing characters such as &. I opened a bug report for this: https://issues.apache.org/jira/browse/CLOUDSTACK-3044

5 comments:

  1. On CS 4.1, I've set up an admin-domain user with a uid similar to the LDAP user.

    Added the Network Domain during account creation to reflect our organisation's LDAP domain and ran the above URL-encoded URL.

    It's still not authenticating against the LDAP password.
    Am I missing something?

    Thomas

  2. Hi Thomas,

    Doesn't sound like you're missing anything.

    Can you confirm that hitting the ldapConfig URL returned a successful response?

  3. yes it did.

    I've seen the CloudStack + LDAP video you shared on YouTube. Is that feature part of the pending CloudStack 4.2 release?

    In the DB table below, are these values encrypted by default?
    database: cloud
    table: configuration


    mysql> select * from configuration where description like '%ldap%' ;
    +----------+----------+-------------------+---------------+----------------------------------+----------------------------------------------------------------------------+
    | category | instance | component         | name          | value                            | description                                                                |
    +----------+----------+-------------------+---------------+----------------------------------+----------------------------------------------------------------------------+
    | Hidden   | DEFAULT  | management-server | ldap.hostname | 6LDg1KrWp3owoRk6WM3gdGL7VIBnwrDN | Hostname or ip address of the ldap server eg: my.ldap.com                  |
    | Hidden   | DEFAULT  | management-server | ldap.port     | xYeN4WZWLWy+zpcqbPZWjw==         | Specify the LDAP port if required, default is 389                          |
    | Hidden   | DEFAULT  | management-server | ldap.usessl   | n3xmO/yERQlpvrxGDghxCw==         | Check Use SSL if the external LDAP server is configured for LDAP over SSL. |
    +----------+----------+-------------------+---------------+----------------------------------+----------------------------------------------------------------------------+


    In the file: /usr/share/cloudstack-management/webapps/client/WEB-INF/classes/nonossComponentContext.xml, I was sure there were 4 bean entries in total a few days back.
    In the file: sharedFunctions.js, I've left the values as default.
    grep -i md5 /usr/share/cloudstack-management/webapps/client/scripts/sharedFunctions.js
    // Default password is MD5 hashed. Set the following variable to false to disable this.
    var md5Hashed = false;
    var md5HashedLogin = false;


    The current error as per cloudstack logs:
    2013-07-29 12:25:42,971 DEBUG [cloud.user.AccountManagerImpl] (catalina-exec-20:null) Attempting to log in user: tjoseph1 in domain 2
    2013-07-29 12:25:42,972 DEBUG [server.auth.MD5UserAuthenticator] (catalina-exec-20:null) Retrieving user: tjoseph1
    2013-07-29 12:25:42,976 DEBUG [server.auth.MD5UserAuthenticator] (catalina-exec-20:null) Password does not match
    2013-07-29 12:25:42,976 DEBUG [server.auth.LDAPUserAuthenticator] (catalina-exec-20:null) Retrieving user: tjoseph1
    2013-07-29 12:25:43,009 INFO [server.auth.LDAPUserAuthenticator] (catalina-exec-20:null) DN from LDAP =uid=tjoseph1
    2013-07-29 12:25:43,014 WARN [server.auth.LDAPUserAuthenticator] (catalina-exec-20:null) Authentication failed due to [LDAP: error code 49 - Invalid Credentials]

  4. Hi Thomas,

    Sadly those features will not be seen until 4.3.

    Just looking at your log... can you paste what you are using as a query filter? Thanks.
