XCP-ng
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Active directory authentication

    Scheduled Pinned Locked Moved Xen Orchestra
    12 Posts 2 Posters 1.2k Views 2 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • G Offline
      gonzametal @dinhngtu
      last edited by

      @dinhngtu said in Active directory authentication:

      /usr/local/share/ca-certificates/

      Same error. Put the ca root crt in that folder, complete the item with the path of that cert, checked "ckeck certificate" (try starttls on or off). I think XO do not support the enabled protocols, or something like this. Is there any wat to debug this?

      1 Reply Last reply Reply Quote 0
      • D Offline
        dinhngtu Vates 🪐 XCP-ng Team
        last edited by

        How did you specify your auth-ldap settings (URI, bind credentials, search parameters)? It worked for me when I used the URI ldaps://your-domain-controller-fqdn.

        G 1 Reply Last reply Reply Quote 0
        • G Offline
          gonzametal @dinhngtu
          last edited by

          @dinhngtu
          uri: ldaps://ad-server.domain.ar

          Certificate Authorities
          item: /usr/local/share/ca-certificates/domain-ca-root.crt

          check certificate: on

          starttls: (tested on or off)

          base: OU=Usuarios,DC=domain,DC=AR

          credentials: xo_ad@domain.ar
          password xxxxxxx

          user fileter: (userPrincipalName={{name}})

          ID attribute*: DN

          test data
          username: test-user@domain.ar
          passwrd: xxxxxxx

          1 Reply Last reply Reply Quote 0
          • D Offline
            dinhngtu Vates 🪐 XCP-ng Team
            last edited by dinhngtu

            The exact configuration as yours worked fine in my environment. What happens when you try to search LDAP manually with Ldp.exe?

            G 1 Reply Last reply Reply Quote -1
            • G Offline
              gonzametal @dinhngtu
              last edited by

              @dinhngtu From Windows, ldp.exe works fine

              G 1 Reply Last reply Reply Quote 0
              • G Offline
                gonzametal @gonzametal
                last edited by

                @gonzametal ldp, to 636 port and ssl works fine

                1 Reply Last reply Reply Quote 0
                • D Offline
                  dinhngtu Vates 🪐 XCP-ng Team
                  last edited by

                  How did you issue LDAPS certificates to your domain controller? Do you get the correct certificate when doing openssl s_client -connect ad-server.domain.ar:636 ?

                  What about ldapsearch from Linux: LDAPTLS_REQCERT=never ldapsearch -H ldaps://ad-server.domain.ar -x -D xo_ad@domain.ar -w ... -b 'OU=Usuarios,DC=domain,DC=AR' -s sub ? This should give the correct query output.

                  G 1 Reply Last reply Reply Quote 0
                  • G Offline
                    gonzametal @dinhngtu
                    last edited by

                    @dinhngtu It is strange.
                    The ldapsearch command returns as expected, but openssl s_client returns "no peer certificate available".

                    openssl s_client --connect server.domain.ar:636
                    CONNECTED(00000003)
                    write:errno=104

                    no peer certificate available

                    No client certificate CA names sent

                    SSL handshake has read 0 bytes and written 331 bytes
                    Verification: OK

                    New, (NONE), Cipher is (NONE)
                    Secure Renegotiation IS NOT supported
                    Compression: NONE
                    Expansion: NONE
                    No ALPN negotiated
                    Early data was not sent
                    Verify return code: 0 (ok)

                    No firewall nothing. LDP.exe works fine

                    1 Reply Last reply Reply Quote 0
                    • D Offline
                      dinhngtu Vates 🪐 XCP-ng Team
                      last edited by

                      Did you choose Use SSL in Ldp.exe? Either your AD SSL certificate is misconfigured or something is blocking connection from your Linux host.

                      G 1 Reply Last reply Reply Quote 0
                      • G Offline
                        gonzametal @dinhngtu
                        last edited by

                        @dinhngtu LDP is using SSL, and no firewall between, so I think there be a ldaps misconfiguration

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post