XO Community Edition - Ldap Plugin not working ?
-
Trial extended
-
@olivierlambert Thanks.
XOA Test results:
-
On Stable v5.102.1 - issue persists. Auth failure occurs with AD group membership at 7.
-
On Latest v5.103.1 - issue persists. Auth failure occurs with AD group membership at 7.
I can make a screen recording of my testing, if that helps lend more credibility? Just let me know, thanks.
-
-
Ah and now it's logical then
I believe you, this is possibly a bug in XO if you have it both on sources and XOA.
Worth opening a GitHub issue!
-
@olivierlambert Awesome, glad I could convince ya. I will submit a GitHub issue shortly, thanks again.
-
@olivierlambert I have just submitted a GitHub issue for this - https://github.com/vatesfr/xen-orchestra/issues/8351
Thanks again for indulging me.
-
hi, just made a test today after updating to commit 5a501
in my filter i got this:
(&(sAMAccountName={{name}})(memberOf=CN="Admins du domaine"))
because i only want my domain admins to login.
test failed.
but, if i only use filter (&(sAMAccountName={{name}}))
test works
even with my domain admin account who is member of 4 groups.
now how can i set my filter to only allow domain admin 'Admins du domaine' to be able to login as XO admin ?
also tried with full DN (CN=Admins du domaine,CN=Users,DC=company,DC=net) but not working either
-
@Chico008 Don't know if this might help you or not.
I generally avoid having spaces inside my Group names. Not sure if somehow the double quotes aren't being handled properly. Anyway, this is what my user filter looks like:
(&(sAMAccountName={{name}})(memberOf=<INSERT-DN-OF-GROUP-HERE>))
Earlier today, I figured out how to filter against multiple groups (with help from Serverfault). This user filter checks if the user is a member of GROUPA or GROUPB:
(|(&(sAMAccountName={{name}})(memberOf=<INSERT-DN-OF-GROUPA-HERE>))(&(sAMAccountName={{name}})(memberOf=<INSERT-DN-OF-GROUPB-HERE>)))
In either case, for me at least, neither user can login if they are a member of more than 2 groups in AD.
-
@kagbasi-ngc
just tried with a group name having no space, still the same for me.
my user only has 3 group memberships.
thing is, it only failed if i want to filter memberof.
if in filter i only put: (&(sAMAccountName={{name}}))
anyone in my AD can login to xcp, even those having 6 group memberships, and that's not what i want.
(&(sAMAccountName={{name}})(memberOf=SG-XCP_Admin))
not working, still having the could not authenticate user
Code: -32000
Message: could not authenticate user
{
  "message": "could not authenticate user",
  "name": "Error",
  "stack": "Error: could not authenticate user\n at /opt/xen-orchestra/packages/xo-server-auth-ldap/src/index.js:246:15\n at default.testPlugin (file:///opt/xen-orchestra/packages/xo-server/src/xo-mixins/plugins.mjs:285:5)\n at Xo.test (file:///opt/xen-orchestra/packages/xo-server/src/api/plugin.mjs:109:3)\n at Task.runInside (/opt/xen-orchestra/@vates/task/index.js:175:22)\n at Task.run (/opt/xen-orchestra/@vates/task/index.js:159:20)\n at Api.#callApiMethod (file:///opt/xen-orchestra/packages/xo-server/src/xo-mixins/api.mjs:469:18)"
}
-
@Chico008 I suspect it's failing because memberOf must have the full Distinguished Name (DN) of the group, not just the group name.
-
tried this a while ago, but my default groups are in OU having , or () in their name (i know it's very bad but it's been there before my arrival)
tried with a security group in a simple OU
this time it worked using full DN.
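
The thread's two findings (memberOf needs the full group DN, and OU names containing `,` or `()` get in the way) both come down to escaping: RFC 4514 for the DN string, then RFC 4515 for the filter value. The sketch below is an added example, not code from the thread's participants or from xo-server-auth-ldap; the function names and the OU name `Groups, IT (legacy)` are constructed for illustration. Its multi-group form is logically equivalent to the OR filter quoted earlier.

```javascript
// Added illustration: build the XO LDAP user filter with a correctly escaped
// group DN. Function names and the second group's OU are constructed.

// RFC 4514: escape one RDN value (e.g. an OU name) for use inside a DN.
function escapeRdnValue(value) {
  const body = value.replace(/[\\",+;<>]/g, '\\$&')
  const lead = /^[ #]/.test(value) ? '\\' : ''
  const trailing = value.length > 1 && value.endsWith(' ')
  return lead + (trailing ? body.slice(0, -1) + '\\ ' : body)
}

// RFC 4515: escape a value (here a whole DN) for use inside a search filter.
function escapeFilterValue(value) {
  return value.replace(/[\\*()\0]/g,
    c => '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'))
}

// rdns: [[attribute, rawValue], ...] from most to least specific.
function groupDn(rdns) {
  return rdns.map(([attr, raw]) => `${attr}=${escapeRdnValue(raw)}`).join(',')
}

// {{name}} is the placeholder the plugin substitutes with the login name.
function userFilter(groupDns) {
  if (groupDns.length === 0) {
    throw new Error('no group DN given: filter would admit every directory user')
  }
  const members = groupDns.map(dn => `(memberOf=${escapeFilterValue(dn)})`)
  const anyOf = members.length === 1 ? members[0] : `(|${members.join('')})`
  return `(&(sAMAccountName={{name}})${anyOf})`
}

// DN from the thread; no quoting is needed for the space in the CN.
const domainAdmins = groupDn([
  ['CN', 'Admins du domaine'], ['CN', 'Users'], ['DC', 'company'], ['DC', 'net'],
])
// Constructed OU name containing a comma and parentheses.
const xcpAdmins = groupDn([
  ['CN', 'SG-XCP_Admin'], ['OU', 'Groups, IT (legacy)'], ['DC', 'company'], ['DC', 'net'],
])

console.log(userFilter([domainAdmins]))
console.log(userFilter([domainAdmins, xcpAdmins]))
```

In the second filter the comma's DN escape appears as `\5c,` and the parentheses as `\28` and `\29`, so the filter parser does not read them as filter syntax.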