XCP-ng
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Issues synchronizing LDAP groups (Active Directory)

    Scheduled Pinned Locked Moved Xen Orchestra
    bugsblocked
    16 Posts 7 Posters 3.2k Views 3 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • K Offline
      Kajetan321
      last edited by

      To troubleshoot, I have installed ldapsearch on XOA via ssh (sudo apt-get install ldap-utils) and edited /etc/ldap/ldap.conf. After fine tuning some settings I was able to get ldapsearch to return results. When I attempt to use "the same" settings to configure the XOA LDAP plugin however, I get this in the logs: "could not authenticate user"

      Here is what's inside my /etc/ldap/ldap.conf:

      #
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
BASE   OU=Accounts,DC=lan,DC=company,DC=com

#URI    ldap://ldap.example.com ldap://ldap-provider.example.com:666
URI    ldaps://server.lan.company.com

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

# TLS certificates (needed for GnuTLS)
TLS_CACERT      /etc/ssl/certs/company_root.pem

      Executing this at the XOA command line I get a long list of entries pertaining to my AD users:

      ldapsearch -H ldaps://server.lan.company.com -x -D user@lan.company.com -w password

      My plugin settings are as follows:
      ldaps://server.lan.company.com
      /etc/ssl/certs/company_root.pem
      Check certificate: Yes
      Use StartTLS: off
      Base: OU=Accounts,DC=lan,DC=company,DC=com

      dn: user@lan.company.com
      password: password
      User filter: (uid={{name}})
      ID attribute: dn

      Any hints on how to trouble shoot this further?

      pdoniasP 1 Reply Last reply Reply Quote 0
      • pdoniasP Offline
        pdonias Vates 🪐 XO Team @Kajetan321
        last edited by

        Hi @kajetan321, please add this to your xo-server config file:

        [logs]
level = 'debug'

        then test the plugin again and check xo-server's output when the error occurs to help identify what's causing the issue.

        K 1 Reply Last reply Reply Quote 0
        • K Offline
          Kajetan321 @pdonias
          last edited by

          @pdonias Thanks for getting back to me. I enabled debug level under logs and rebooted the VM. Here is what the logs show:

          Jan 12 17:37:05 xoa xo-server[536]: 2022-01-12T22:37:05.296Z xo:xo-server-auth-ldap DEBUG attempting to bind with as user@lan.company.com...
Jan 12 17:37:05 xoa xo-server[536]: 2022-01-12T22:37:05.313Z xo:xo-server-auth-ldap DEBUG successfully bound as user@lan.company.com
Jan 12 17:37:05 xoa xo-server[536]: 2022-01-12T22:37:05.314Z xo:xo-server-auth-ldap DEBUG searching for entries...
Jan 12 17:37:05 xoa xo-server[536]: 2022-01-12T22:37:05.336Z xo:xo-server-auth-ldap DEBUG 0 entries found
Jan 12 17:37:05 xoa xo-server[536]: 2022-01-12T22:37:05.336Z xo:xo-server-auth-ldap DEBUG could not authenticate user@lan.company.com
Jan 12 17:37:05 xoa xo-server[536]: 2022-01-12T22:37:05.373Z xo:api WARN user | plugin.test(...) [89ms] =!> Error: could not authenticate user

          I copied and pasted the user name and password from the ldapsearch command. Ldapsearch command still works.

          TheNorthernLightT 1 Reply Last reply Reply Quote 0
          • TheNorthernLightT Offline
            TheNorthernLight @Kajetan321
            last edited by

            @kajetan321 So I literally got this to work this afternoon after lots of fiddling around (and trying several different "working" configs).

            I ended up doing:
            url: ldap://10.10.x.x:389/
            check cert = OFF
            Use StartTLS = OFF
            base= DC=company,DC=com
            Credentials:
            dn = adqueryaccount@company.com
            password = ....
            user filter=(userPrincipalName={{name}})
            ID Attribute= dn

            The part that tripped me up forever was the Credential DN. I was putting all sorts of values, not realizing the simple UPN would work. Also the user used to query AD, needs to have the matching UPN suffix as your regular users. My account was defaulted to an internal .lan domain. It kept failing. As soon as I changed its UPN to match my corporate.com domain, everything started working.

            You can test this, by simply using YOUR domain admin username/psw in the dn and password sections to test with. This eliminates the username being the source of the problems.

            K 1 Reply Last reply Reply Quote 0
            • olivierlambertO Offline
              olivierlambert Vates 🪐 Co-Founder CEO
              last edited by

              That's the issue with LDAP configuration: there's nothing we can do on our side to make it work "out of the box", since it's 100% dependent on each LDAP server configuration 😞

              K 1 Reply Last reply Reply Quote 1
              • K Offline
                Kajetan321 @TheNorthernLight
                last edited by

                @thenorthernlight Thanks! It appears I had two problems with the configuration I posted earlier that were causing the Test plugin to fail:

                Use StartTLS should be off
                User filter should be (userPrincipalName={{name}})

                Now onto testing if actual AD logons are working.

                Cheers.

                1 Reply Last reply Reply Quote 1
                • K Offline
                  Kajetan321 @olivierlambert
                  last edited by

                  @olivierlambert May I propose a Windows Active Directory plugin? It should only require the domain name and credentials to "join the domain". I believe Synology has this setup, as does QNAP. I would strongly suspect that Windows Server has a specific way of setup up LDAP if using defaults during install. I believe I read on Phoronix that Ubuntu now supports "joining the domain" during the install process as well. By "joining the domain" I mean automatic LDAP configuration and domain controller root certificate should be added XO's trusted certificates.

                  For someone like me who never really dealt with or set up LDAP, this would make XO way more appealing to use. Just my two cents.

                  Thank you for all your work, other than this I'm really impressed with XO, especially the backups!

                  Cheers.

                  1 Reply Last reply Reply Quote 0
                  • olivierlambertO Offline
                    olivierlambert Vates 🪐 Co-Founder CEO
                    last edited by

                    Thanks for the feedback @Kajetan321 However, I have 0 idea on what it means and how it would work. Assistance will be welcome.

                    C 1 Reply Last reply Reply Quote 0
                    • C Offline
                      cjackson @olivierlambert
                      last edited by

                      I had a lot of trouble getting the LDAP integration to work with Active Directory domain controllers, So i wanted to share my configuration and make it easier on others trying to do the same thing in the future.

                      Using this config i was able to get everything working, but i found a few limitations:

                      1. Xen Orchestra cannot find any group members where the member has the "Primary Group" attribute set.
                      2. Only direct members of a group are recognized (nested groups don't work).
                      3. When signing in, i have to specify "username" instead of "username@cxlab.domain.com"
                      4. Groups are created by clicking "Synchronize LDAP groups", however users are not created until they sign into XOA the first time.
                      5. Users are not deleted from Xen Orchestra when they are removed from the domain. (but they can no longer log in to XOA)

                      auth-ldap (v0.10.6) - LDAP authentication plugin for XO-Server
                      Auto-load at server start [checked]

                      Configuration

                      URI: ldap://domaincontroller1.cxlab.domain.com

  **Certificate Authorities**
  Check certificate [disabled]
  Use StartTLS [disabled]
  Base: DC=cxlab,DC=domain,DC=com

  **Credentials**
  dn: cxadmin@cxlab.domain.com
  password: ******************

User filter: (sAMAccountName={{name}})
ID attribute: dn

  **Synchronize groups**
  [checked] Fill information (optional)
  Base: CN=Users,DC=cxlab,DC=domain,DC=com
  Filter: (ObjectClass=group)
  ID attribute: dn
  Display name attribute: cn

    **Members mapping**
    Group attribute: member
    User attribute: dn
                      TheNorthernLightT 1 Reply Last reply Reply Quote 0
                      • TheNorthernLightT Offline
                        TheNorthernLight @cjackson
                        last edited by

                        @cjackson The reason the login is just username, is because you've specified sAMAccountName. If you want to use email address, change this to UserPrincipleName. Obviously, verify the UPN in your AD box, but that should be the persons email address if your domain it setup correctly.

                        I dont believe most LDAP query tools support nested group security (its a common issue). Not an excuse, just an observation btw.

                        1 Reply Last reply Reply Quote 0
                        • K kagbasi-wgsdac referenced this topic on
                        • First post
                          Last post