    XO Community Edition - Ldap Plugin not working ?

    • olivierlambert (Vates 🪐 Co-Founder CEO)

      Trial extended 🙂

      • kagbasi-ngc @olivierlambert

        @olivierlambert Thanks.

        XOA Test results:

        • On Stable v5.102.1 - issue persists. Auth failure occurs with AD group membership at 7.

        • On Latest v5.103.1 - issue persists. Auth failure occurs with AD group membership at 7.

        I can make a screen recording of my testing, if that helps lend more credibility? Just let me know, thanks.

        • olivierlambert (Vates 🪐 Co-Founder CEO)

          Ah and now it's logical then 😉 I believe you, this is possibly a bug in XO if you have it both on sources and XOA.

          Worth opening a Github issue!

          • kagbasi-ngc @olivierlambert

            @olivierlambert Awesome, glad I could convince ya 😂. I will submit a Github issue shortly, thanks again.

            • kagbasi-ngc @kagbasi-ngc

              @olivierlambert I have just submitted a Github issue for this - https://github.com/vatesfr/xen-orchestra/issues/8351

              Thanks again for indulging me.

              (Linked GitHub issue card) kismetgerald-ngc created this issue in vatesfr/xen-orchestra: "LDAP/Active Directory Authentication Fails if User is Member of More than 6 Groups" #8351, status: open

              • Chico008 @kagbasi-ngc

                Hi, I just made a test today after updating to commit 5a501.

                In my filter I have this:
                (&(sAMAccountName={{name}})(memberOf=CN="Admins du domaine"))
                because I only want my domain admins to log in.

                Test failed.

                But if I only use the filter (&(sAMAccountName={{name}}))
                the test works,
                even with my domain admin account, which is a member of 4 groups.

                Now how can I set my filter to only allow domain admins ('Admins du domaine') to be able to log in as XO admin?
                I also tried with the full DN (CN=Admins du domaine,CN=Users,DC=company,DC=net) but that is not working either.

                • kagbasi-ngc @Chico008

                  @Chico008 Don't know if this might help you or not.

                  I generally avoid having spaces inside my group names. Not sure if somehow the double quotes aren't being handled properly. Anyway, this is what my user filter looks like:

                  (&(sAMAccountName={{name}})(memberOf=<INSERT-DN-OF-GROUP-HERE>))

                  Earlier today, I figured out how to filter against multiple groups (with help from Serverfault). This user filter checks if the user is a member of GROUPA or GROUPB:

                  (|(&(sAMAccountName={{name}})(memberOf=<INSERT-DN-OF-GROUPA-HERE>))(&(sAMAccountName={{name}})(memberOf=<INSERT-DN-OF-GROUPB-HERE>)))

                  In either case, for me at least, neither user can log in if they are a member of more than 2 groups in AD.

                  • Chico008 @kagbasi-ngc

                    @kagbasi-ngc
                    Just tried with a group name having no space, still the same for me.
                    My user only has 3 group memberships.

                    Thing is, it only fails if I want to filter on memberOf.

                    If in the filter I only put: (&(sAMAccountName={{name}}))
                    anyone in my AD can log in to XCP, even those who are members of 6 groups, and that's not what I want.

                    (&(sAMAccountName={{name}})(memberOf=SG-XCP_Admin))
                    is not working, still getting the "could not authenticate user" error:

                    Code: -32000
                    
                    Message: could not authenticate user
                    
                    {
                      "message": "could not authenticate user",
                      "name": "Error",
                      "stack": "Error: could not authenticate user\n    at /opt/xen-orchestra/packages/xo-server-auth-ldap/src/index.js:246:15\n    at default.testPlugin (file:///opt/xen-orchestra/packages/xo-server/src/xo-mixins/plugins.mjs:285:5)\n    at Xo.test (file:///opt/xen-orchestra/packages/xo-server/src/api/plugin.mjs:109:3)\n    at Task.runInside (/opt/xen-orchestra/@vates/task/index.js:175:22)\n    at Task.run (/opt/xen-orchestra/@vates/task/index.js:159:20)\n    at Api.#callApiMethod (file:///opt/xen-orchestra/packages/xo-server/src/xo-mixins/api.mjs:469:18)"
                    }
                    
                    • kagbasi-ngc @Chico008

                      @Chico008 I suspect it's failing because memberOf must have the full Distinguished Name (DN) of the group, not just the group name.

                      • Chico008 @kagbasi-ngc

                        @kagbasi-ngc

                        Tried this a while ago, but my default groups are in OUs having , or () in their name (I know it's very bad, but it was there before my arrival).

                        Tried with a security group in a simple OU;
                        this time it worked using the full DN.

                        • Chico008 @Chico008
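The three findings above (memberOf wants the group's full DN, a filter can OR several groups together, and a DN whose OU contains "," or "()" fails when pasted in unescaped) come down to two escaping rules: RFC 4514 for the DN string and RFC 4515 for the search filter that embeds it. The Node.js snippet below is an added example written for this thread; it is not code from xo-server-auth-ldap or from any poster. Function names are hypothetical, the OU name "Comptes (admin), site 1" is constructed, and the plugin's own handling of the {{name}} placeholder is not shown anywhere in the thread, so the example escapes the substituted login name itself as an assumption about what a safe substitution should do.

```javascript
// Added example, not code from xo-server-auth-ldap or from this thread.
// Builds the plugin's "user filter" for one or more AD groups, with the
// escaping required when a group DN contains ',', '(' or ')'.
// Function names are hypothetical; the OU name below is constructed.

// RFC 4514: escape one RDN attribute value so it can be embedded in a DN string.
function escapeDnValue(value) {
  let out = value.replace(/[\\,+"<>;\0]/g, c => (c === '\0' ? '\\00' : '\\' + c));
  if (value.startsWith('#') || value.startsWith(' ')) out = '\\' + out;
  if (value.endsWith(' ') && value.length > 1) out = out.slice(0, -1) + '\\ ';
  return out;
}

// Assemble a DN from [attribute, value] pairs, most specific RDN first.
function buildDn(rdns) {
  return rdns.map(([attr, val]) => `${attr}=${escapeDnValue(val)}`).join(',');
}

// RFC 4515: escape a value placed inside a search filter. A DN value that
// already carries RFC 4514 backslash escapes gets those backslashes turned
// into \5c here, so "OU=a\, b" becomes "OU=a\5c, b" inside the filter.
function escapeFilterValue(value) {
  return value.replace(/[\\*()\0]/g,
    c => '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Build the user filter: the login name must match sAMAccountName and the
// account must be a direct member of at least one of the listed groups.
// '{{name}}' is the placeholder the plugin substitutes at login time.
function buildUserFilter(groupDns, namePlaceholder = '{{name}}') {
  if (groupDns.length === 0) throw new Error('at least one group DN is required');
  const clauses = groupDns.map(dn => `(memberOf=${escapeFilterValue(dn)})`);
  const groupClause = clauses.length === 1 ? clauses[0] : `(|${clauses.join('')})`;
  return `(&(sAMAccountName=${namePlaceholder})${groupClause})`;
}

// Substitute the login name into the template. The name is user input, so it
// is filter-escaped here; whether the plugin does the same is an assumption.
function renderUserFilter(template, name) {
  return template.split('{{name}}').join(escapeFilterValue(name));
}

// Worked example: a group that lives in an OU whose name contains a comma and
// parentheses (constructed), the case that failed with a plain DN in the thread.
const adminGroupDn = buildDn([
  ['CN', 'SG-XCP_Admin'],
  ['OU', 'Comptes (admin), site 1'],
  ['DC', 'domain'],
  ['DC', 'net'],
]);
const userFilterTemplate = buildUserFilter([adminGroupDn]);

console.log('DN      :', adminGroupDn);
console.log('template:', userFilterTemplate);
console.log('rendered:', renderUserFilter(userFilterTemplate, 'alice'));
```

The template string the script prints is what goes into the plugin's User Filter field. Before saving it there, the same filter can be checked from a shell with the OpenLDAP client, binding as the plugin's service account and searching the configured base (ldapsearch -x -H ldap://dc.domain.net:389 -D "<service account DN>" -W -b "dc=domain,dc=net" "<filter with {{name}} replaced by a real login>" memberOf): if the search returns the user entry, the plugin will too; if it returns nothing, the DN in memberOf is wrong or under-escaped, which is the "could not authenticate user" symptom seen above.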

                          Just a reminder for myself, or other people in need in the future 🙂
                          Thanks again to all the people who helped me understand this.

                          Had to reinstall my entire XCP system, and almost forgot how to configure the LDAP plugin to only allow my admin account to log in.

                          So here's my LDAP plugin conf, to allow only admin users (members of a specific group) to log in.
                          My AD is a Windows 2K19 server with Active Directory, without SSL.

                          URI: ldap://dc.domain.net:389
                          no certificate info
                          base: dc=domain,dc=net

                          Credential: Fill = tick
                          DN = full DN of service user (CN=xen,OU=service_account,DC=domain,DC=net)
                          password = password of this account
                          It's a simple account with no specific rights, can only read AD and log in.

                          User Filter, where it can get stuck:
                          (&(sAMAccountName={{name}})(memberOf=CN=SG-XCP_Admin,OU=service_account,DC=domain,DC=net))

                          • In reality my OUs have spaces inside their names; it works anyway.
                          • SG-XCP_Admin is a security group having my admin users inside.

                          ID Attribute: sAMAccountName

                          and that's all.
