XOCE Integration with OpenLDAP

DustinB

This is the most relevant information I can find regarding OpenLDAP integration for use with Xen Orchestra.

https://xen-orchestra.com/docs/ldap.html

stormi

@wesleylc1 you probably mean Xen Orchestra. XOCE is just a helper script from the community to install Xen Orchestra from the sources.

DustinB

@stormi I believe @wesleylc1 thinks you are suggesting this a script issue rather than a ldap configuration issue.

@wesleylc1 can you confirm your ldap settings from within the plugin.

stormi

@DustinB If that's the case, then let's state that it's not what I meant. I'm just clarifying names

wesleylc1

Hi @DustinB an image with the settings used by my openldap server.

Captura de tela de 2019-06-24 09-56-39.png

Captura de tela de 2019-06-24 10-05-23.png

plugin.test
{
  "id": "auth-ldap",
  "data": {
    "username": "ws02",
    "password": "* obfuscated *"
  }
}
{
  "message": "192.168.45.11 is an invalid LDAP url (protocol)",
  "name": "TypeError",
  "stack": "TypeError: 192.168.45.11 is an invalid LDAP url (protocol)
    at Object.parse (/opt/xen-orchestra/node_modules/ldapjs/lib/url.js:16:13)
    at new Client (/opt/xen-orchestra/node_modules/ldapjs/lib/client/client.js:310:16)
    at createClient (/opt/xen-orchestra/node_modules/ldapjs/lib/client/index.js:54:12)
    at /opt/xen-orchestra/packages/xo-server-auth-ldap/src/index.js:184:32
    at Generator.next (<anonymous>)
    at asyncGeneratorStep (/opt/xen-orchestra/packages/xo-server-auth-ldap/dist/index.js:24:103)
    at _next (/opt/xen-orchestra/packages/xo-server-auth-ldap/dist/index.js:26:194)
    at /opt/xen-orchestra/packages/xo-server-auth-ldap/dist/index.js:26:364
    at Promise._execute (/opt/xen-orchestra/node_modules/bluebird/js/release/debuggability.js:313:9)
    at Promise._resolveFromExecutor (/opt/xen-orchestra/node_modules/bluebird/js/release/promise.js:488:18)
    at new Promise (/opt/xen-orchestra/node_modules/bluebird/js/release/promise.js:79:10)
    at /opt/xen-orchestra/packages/xo-server-auth-ldap/dist/index.js:26:97
    at AuthLdap._authenticate (/opt/xen-orchestra/packages/xo-server-auth-ldap/src/index.js:177:61)
    at AuthLdap.wrapper [as _authenticate] (/opt/xen-orchestra/node_modules/lodash/_createBind.js:23:15)
    at AuthLdap.test (/opt/xen-orchestra/packages/xo-server-auth-ldap/src/index.js:167:16)
    at /opt/xen-orchestra/packages/xo-server/src/xo-mixins/plugins.js:254:26
    at Generator.next (<anonymous>)
    at asyncGeneratorStep (/opt/xen-orchestra/packages/xo-server/dist/xo-mixins/plugins.js:28:103)
    at _next (/opt/xen-orchestra/packages/xo-server/dist/xo-mixins/plugins.js:30:194)
    at /opt/xen-orchestra/packages/xo-server/dist/xo-mixins/plugins.js:30:364
    at Promise._execute (/opt/xen-orchestra/node_modules/bluebird/js/release/debuggability.js:313:9)
    at Promise._resolveFromExecutor (/opt/xen-orchestra/node_modules/bluebird/js/release/promise.js:488:18)
    at new Promise (/opt/xen-orchestra/node_modules/bluebird/js/release/promise.js:79:10)
    at /opt/xen-orchestra/packages/xo-server/dist/xo-mixins/plugins.js:30:97
    at _default.testPlugin (/opt/xen-orchestra/packages/xo-server/src/xo-mixins/plugins.js:228:29)
    at Xo.wrapper (/opt/xen-orchestra/node_modules/lodash/_createBind.js:23:15)
    at Xo.<anonymous> (/opt/xen-orchestra/packages/xo-server/src/api/plugin.js:109:13)
    at Generator.next (<anonymous>)
    at asyncGeneratorStep (/opt/xen-orchestra/packages/xo-server/dist/api/plugin.js:15:103)
    at _next (/opt/xen-orchestra/packages/xo-server/dist/api/plugin.js:17:194)
    at /opt/xen-orchestra/packages/xo-server/dist/api/plugin.js:17:364
    at Promise._execute (/opt/xen-orchestra/node_modules/bluebird/js/release/debuggability.js:313:9)
    at Promise._resolveFromExecutor (/opt/xen-orchestra/node_modules/bluebird/js/release/promise.js:488:18)
    at new Promise (/opt/xen-orchestra/node_modules/bluebird/js/release/promise.js:79:10)
    at Xo.<anonymous> (/opt/xen-orchestra/packages/xo-server/dist/api/plugin.js:17:97)
    at Xo.test (/opt/xen-orchestra/packages/xo-server/dist/api/plugin.js:162:16)
    at /opt/xen-orchestra/packages/xo-server/src/xo-mixins/api.js:281:32
    at Generator.next (<anonymous>)
    at asyncGeneratorStep (/opt/xen-orchestra/packages/xo-server/dist/xo-mixins/api.js:38:103)
    at _next (/opt/xen-orchestra/packages/xo-server/dist/xo-mixins/api.js:40:194)
    at tryCatcher (/opt/xen-orchestra/node_modules/bluebird/js/release/util.js:16:23)
    at Promise._settlePromiseFromHandler (/opt/xen-orchestra/node_modules/bluebird/js/release/promise.js:517:31)
    at Promise._settlePromise (/opt/xen-orchestra/node_modules/bluebird/js/release/promise.js:574:18)
    at Promise._settlePromiseCtx (/opt/xen-orchestra/node_modules/bluebird/js/release/promise.js:611:10)
    at _drainQueueStep (/opt/xen-orchestra/node_modules/bluebird/js/release/async.js:142:12)
    at _drainQueue (/opt/xen-orchestra/node_modules/bluebird/js/release/async.js:131:9)
    at Async._drainQueues (/opt/xen-orchestra/node_modules/bluebird/js/release/async.js:147:5)
    at Immediate.Async.drainQueues (/opt/xen-orchestra/node_modules/bluebird/js/release/async.js:17:14)
    at runCallback (timers.js:810:20)
    at tryOnImmediate (timers.js:768:5)
    at processImmediate [as _immediateCallback] (timers.js:745:5)"
}

Best regards,
Wesley Santos

borzel

@wesleylc1 the URI should look like: ldap://<ip or fqdn>

wesleylc1

@borzel, I made the adjustment, now a new error appears.

plugin.test
{
  "id": "auth-ldap",
  "data": {
    "username": "marcos",
    "password": "* obfuscated *"
  }
}
{
  "message": "could not authenticate user",
  "name": "Error",
  "stack": "Error: could not authenticate user
    at _authenticate.then.result (/opt/xen-orchestra/packages/xo-server-auth-ldap/src/index.js:172:14)
    at tryCatcher (/opt/xen-orchestra/node_modules/bluebird/js/release/util.js:16:23)
    at Promise._settlePromiseFromHandler (/opt/xen-orchestra/node_modules/bluebird/js/release/promise.js:517:31)
    at Promise._settlePromise (/opt/xen-orchestra/node_modules/bluebird/js/release/promise.js:574:18)
    at Promise._settlePromise0 (/opt/xen-orchestra/node_modules/bluebird/js/release/promise.js:619:10)
    at Promise._settlePromises (/opt/xen-orchestra/node_modules/bluebird/js/release/promise.js:699:18)
    at _drainQueueStep (/opt/xen-orchestra/node_modules/bluebird/js/release/async.js:138:12)
    at _drainQueue (/opt/xen-orchestra/node_modules/bluebird/js/release/async.js:131:9)
    at Async._drainQueues (/opt/xen-orchestra/node_modules/bluebird/js/release/async.js:147:5)
    at Immediate.Async.drainQueues (/opt/xen-orchestra/node_modules/bluebird/js/release/async.js:17:14)
    at runCallback (timers.js:810:20)
    at tryOnImmediate (timers.js:768:5)
    at processImmediate [as _immediateCallback] (timers.js:745:5)"
}

Best regards,
Wesley Santos

borzel

@wesleylc1 at this stage I'm out

@olivierlambert or @julien-f maybe can help.

wesleylc1

@borzel, thank you.

wesleylc1

Hello, I was able to login with my ldap login, but I would like to specify a ldap user group.

Best regards,
Wesley Santos

olivierlambert

So use a filter with the group you want.

wesleylc1

Changes made, as below.

Captura de tela de 2019-06-24 15-12-07.png

Best regards,
Wesley Santos

olivierlambert

Why the group name is between < >?

wesleylc1

I made the changes, but I continue with errors.

Captura de tela de 2019-06-24 15-26-48.png

Group settings in "OpenLDAP".

Captura de tela de 2019-06-24 15-21-35.png

plugin.test
{
  "id": "auth-ldap",
  "data": {
    "username": "ws02",
    "password": "* obfuscated *"
  }
}
{
  "message": "could not authenticate user",
  "name": "Error",
  "stack": "Error: could not authenticate user
    at _authenticate.then.result (/opt/xen-orchestra/packages/xo-server-auth-ldap/src/index.js:172:14)
    at tryCatcher (/opt/xen-orchestra/node_modules/bluebird/js/release/util.js:16:23)
    at Promise._settlePromiseFromHandler (/opt/xen-orchestra/node_modules/bluebird/js/release/promise.js:517:31)
    at Promise._settlePromise (/opt/xen-orchestra/node_modules/bluebird/js/release/promise.js:574:18)
    at Promise._settlePromise0 (/opt/xen-orchestra/node_modules/bluebird/js/release/promise.js:619:10)
    at Promise._settlePromises (/opt/xen-orchestra/node_modules/bluebird/js/release/promise.js:699:18)
    at _drainQueueStep (/opt/xen-orchestra/node_modules/bluebird/js/release/async.js:138:12)
    at _drainQueue (/opt/xen-orchestra/node_modules/bluebird/js/release/async.js:131:9)
    at Async._drainQueues (/opt/xen-orchestra/node_modules/bluebird/js/release/async.js:147:5)
    at Immediate.Async.drainQueues (/opt/xen-orchestra/node_modules/bluebird/js/release/async.js:17:14)
    at runCallback (timers.js:810:20)
    at tryOnImmediate (timers.js:768:5)
    at processImmediate [as _immediateCallback] (timers.js:745:5)"
}

Best regards,
Wesley Santos

olivierlambert

I don't think that's the right syntax. But it's not a XO issue, it's a LDAP setting issue. Check what filter would work with your LDAP server, and it will work.

borzel

@wesleylc1 maybe the memberOf= needs a LDAP-Value like CN=blabla,OU=yadayada,DC=whatever?

wesleylc1

@olivierlambert
I think the error is related to the attributes of "OpenLDAP", but I'm not sure how to filter.

olivierlambert

You need to find/read documentation on LDAP filter for your server. Then it will work

wesleylc1

Dear, is it possible to search with the "group and users" option?
Best regards,
Wesley Santos

julien-f

@wesleylc1 As @olivierlambert said, this is an LDAP config issue, you need to know the structure of your LDAP server.

The auth-ldap plugin comes with a CLI which is useful to test various configuration and figure out what is wrong:

$ /usr/local/lib/node_modules/xo-server-auth-ldap/dist/test-cli.js
? uri