XCP-ng

    Active directory authentication

    Category: Xen Orchestra
    12 Posts, 2 Posters, 650 Views
      dinhngtu (Vates 🪐 XCP-ng Team):

      You should put your root CA in a file accessible on the XO VM (e.g. /usr/local/share/ca-certificates/ad-root.crt). Point the CA setting to this path and enable "Check certificate". You must use a service account for binding.

        gonzametal (replying to @dinhngtu):

        @dinhngtu said in Active directory authentication:

        /usr/local/share/ca-certificates/

        Same error. I put the CA root crt in that folder, completed the item with the path of that cert, and checked "Check certificate" (tried starttls on and off). I think XO does not support the enabled protocols, or something like this. Is there any way to debug this?

          dinhngtu (Vates 🪐 XCP-ng Team):

          How did you specify your auth-ldap settings (URI, bind credentials, search parameters)? It worked for me when I used the URI ldaps://your-domain-controller-fqdn.

            gonzametal (replying to @dinhngtu):

            @dinhngtu
            uri: ldaps://ad-server.domain.ar

            Certificate Authorities
            item: /usr/local/share/ca-certificates/domain-ca-root.crt

            check certificate: on

            starttls: (tested on and off)

            base: OU=Usuarios,DC=domain,DC=AR

            credentials: xo_ad@domain.ar
            password: xxxxxxx

            user filter: (userPrincipalName={{name}})

            ID attribute*: DN

            test data
            username: test-user@domain.ar
            password: xxxxxxx

              dinhngtu (Vates 🪐 XCP-ng Team, last edited by dinhngtu):

              The exact same configuration as yours worked fine in my environment. What happens when you try to search LDAP manually with Ldp.exe?

                gonzametal (replying to @dinhngtu):

                @dinhngtu From Windows, ldp.exe works fine.

                  gonzametal (replying to @gonzametal):

                  @gonzametal ldp, to port 636 with SSL, works fine.

                    dinhngtu (Vates 🪐 XCP-ng Team):

                    How did you issue LDAPS certificates to your domain controller? Do you get the correct certificate when doing openssl s_client -connect ad-server.domain.ar:636?

                    What about ldapsearch from Linux: LDAPTLS_REQCERT=never ldapsearch -H ldaps://ad-server.domain.ar -x -D xo_ad@domain.ar -w ... -b 'OU=Usuarios,DC=domain,DC=AR' -s sub? This should give the correct query output.

                      gonzametal (replying to @dinhngtu):

                      @dinhngtu It is strange.
                      The ldapsearch command returns as expected, but openssl s_client returns "no peer certificate available".

                      openssl s_client --connect server.domain.ar:636
                      CONNECTED(00000003)
                      write:errno=104

                      no peer certificate available

                      No client certificate CA names sent

                      SSL handshake has read 0 bytes and written 331 bytes
                      Verification: OK

                      New, (NONE), Cipher is (NONE)
                      Secure Renegotiation IS NOT supported
                      Compression: NONE
                      Expansion: NONE
                      No ALPN negotiated
                      Early data was not sent
                      Verify return code: 0 (ok)

                      No firewall, nothing. LDP.exe works fine.

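The two checks asked for above (does openssl s_client receive a certificate, and does ldapsearch return results) and the openssl output just posted can be folded into one repeatable probe. The script below is an added example for this thread; it is not code from Xen Orchestra, from Vates or from either poster. It opens a TLS connection to an LDAPS port, verifies the server certificate against a CA file the caller names, and reports whether the listener presented no certificate at all (the shape of the output above: on Linux errno 104 is ECONNRESET, and the handshake read 0 bytes) or presented one that fails chain or hostname verification. Unlike an ldapsearch run with LDAPTLS_REQCERT=never, which switches certificate verification off entirely, it never relaxes verification, so a clean result means the connection would also satisfy a client that checks certificates. Host, port and CA path are assumptions supplied on the command line.

```python
"""Probe an LDAPS listener and report *why* a TLS connection does or does not verify.

Added example for the thread, not code from Xen Orchestra, Vates or the posters.
Host, port and CA file are assumptions supplied by the caller.
"""
import socket
import ssl
import sys
from dataclasses import dataclass, field


@dataclass
class ProbeResult:
    # One of: ok, refused, timeout, closed_during_handshake, verify_failed, tls_error
    outcome: str
    detail: str = ""
    subject: str = ""
    issuer: str = ""
    dns_sans: list = field(default_factory=list)


def dn_to_str(dn):
    """Flatten the nested RDN tuples returned by ssl.getpeercert() into 'k=v,k=v'."""
    return ",".join(f"{k}={v}" for rdn in dn for k, v in rdn)


def probe_ldaps(host, port=636, ca_file=None, timeout=5.0):
    """TCP connect, TLS handshake with chain and hostname verification, then classify."""
    # create_default_context verifies the chain and the hostname (check_hostname=True).
    # With ca_file=None the system trust store is used; pass the AD root CA file
    # (e.g. one placed under /usr/local/share/ca-certificates/) to verify against it.
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ConnectionRefusedError as e:
        return ProbeResult("refused", str(e))
    except (socket.timeout, TimeoutError) as e:
        return ProbeResult("timeout", str(e) or "timed out")
    except (ConnectionResetError, ssl.SSLEOFError, BrokenPipeError) as e:
        # The peer accepted TCP but dropped the connection before the handshake
        # completed, so no certificate was ever seen. This matches the openssl
        # output in the thread: errno 104 (ECONNRESET) with 0 bytes read.
        return ProbeResult("closed_during_handshake", str(e))
    except ssl.SSLCertVerificationError as e:
        # A certificate was presented, but the chain or hostname check rejected it.
        return ProbeResult("verify_failed", getattr(e, "verify_message", None) or str(e))
    except ssl.SSLError as e:
        # Some OpenSSL builds report an early close as a generic SSLError mentioning EOF.
        if "eof" in str(e).lower():
            return ProbeResult("closed_during_handshake", str(e))
        return ProbeResult("tls_error", str(e))
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return ProbeResult("ok", "handshake and verification succeeded",
                       dn_to_str(cert.get("subject", ())),
                       dn_to_str(cert.get("issuer", ())), sans)


def explain(result):
    """Turn a ProbeResult into the next thing to check."""
    if result.outcome == "ok":
        return (f"OK: subject={result.subject} issuer={result.issuer} "
                f"DNS SANs={result.dns_sans}")
    if result.outcome == "closed_during_handshake":
        return ("No certificate presented: the listener accepted TCP but closed the "
                "connection during the TLS handshake. Check that the domain controller "
                "holds a usable server-authentication certificate for LDAPS and that "
                "nothing between the hosts resets TLS on this port.")
    if result.outcome == "verify_failed":
        return (f"Certificate presented but rejected ({result.detail}). Check that the "
                "CA file contains the issuing chain and that the URI hostname matches "
                "a DNS SAN of the certificate.")
    return f"{result.outcome}: {result.detail}"


if __name__ == "__main__":
    # usage: ldaps_probe.py <host> [port] [ca_file]   (hypothetical file name)
    if len(sys.argv) < 2:
        sys.exit("usage: ldaps_probe.py <host> [port] [ca_file]")
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 636
    ca_path = sys.argv[3] if len(sys.argv) > 3 else None
    print(explain(probe_ldaps(target, target_port, ca_path)))
```

Run it from the XO VM against the same FQDN used in the uri field, giving it the CA file configured under "Certificate Authorities"; a verify_failed result with a hostname message points at the URI and the certificate's SANs disagreeing, while closed_during_handshake means there was no certificate to check in the first place.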
                        dinhngtu (Vates 🪐 XCP-ng Team):

                        Did you choose Use SSL in Ldp.exe? Either your AD SSL certificate is misconfigured or something is blocking connection from your Linux host.

                          gonzametal (replying to @dinhngtu):

                          @dinhngtu LDP is using SSL, and there is no firewall in between, so I think there is an LDAPS misconfiguration.
