XCP-ng
    XO Community Edition - Ldap Plugin not working ?

    • olivierlambert Vates 🪐 Co-Founder CEO

      And with a fresh XOA you do not have the problem, even on latest?

      • A Former User @olivierlambert

        @olivierlambert I have an XOA instance on the Stable channel (v5.102.1) which I'd pulled down earlier to troubleshoot another issue with you, however, my trial has ended so all the plugins have been unloaded.

        I can test if you'll reactivate my trial (kagbasi at wgsdac.org). Let me know.

        • olivierlambert Vates 🪐 Co-Founder CEO

          Trial extended 🙂

          • A Former User @olivierlambert

            @olivierlambert Thanks.

            XOA Test results:

            • On Stable v5.102.1 - issue persists. Auth failure occurs with AD group membership at 7.

            • On Latest v5.103.1 - issue persists. Auth failure occurs with AD group membership at 7.

            I can make a screen recording of my testing, if that helps lend more credibility? Just let me know, thanks.

            • olivierlambert Vates 🪐 Co-Founder CEO

              Ah and now it's logical then 😉 I believe you, this is possibly a bug in XO if you have it both on sources and XOA.

              Worth opening a Github issue!

              • A Former User @olivierlambert

                @olivierlambert Awesome, glad I could convince ya 😂. I will submit a Github issue shortly, thanks again.

                • A Former User @Guest

                  @olivierlambert I have just submitted a Github issue for this - https://github.com/vatesfr/xen-orchestra/issues/8351

                  Thanks again for indulging me.

                  GitHub issue #8351 in vatesfr/xen-orchestra (open): LDAP/Active Directory Authentication Fails if User is Member of More than 6 Groups

                  • Chico008 @Guest

                    hi, just made a test today after updating to commit 5a501

                    in my filter i got this :
                    (&(sAMAccountName={{name}})(memberOf=CN="Admins du domaine"))
                    because i only want my domain admins to login.

                    test failed.

                    but, if i only use filter (&(sAMAccountName={{name}}))
                    test works
                    even with my domain admin account who is member of 4 groups.

                    now how can i set my filter to only allow domain admin 'Admins du domaine' to be able to login as XO admin ?
                    also tried with full DN (CN=Admins du domaine,CN=Users,DC=company,DC=net) but not working either

                    • A Former User @Chico008

                      @Chico008 Don't know if this might help you or not.

                      I generally avoid having spaces inside my Group names. Not sure if somehow the double quotes aren't being handled properly. Anyway, this is what my user filter looks like:

                      (&(sAMAccountName={{name}})(memberOf=<INSERT-DN-OF-GROUP-HERE>))
                      

                      Earlier today, I figured out how to filter against multiple groups (with help from Serverfault). This user filter checks if the user is a member of GROUPA or GROUPB:

                      (|(&(sAMAccountName={{name}})(memberOf=<INSERT-DN-OF-GROUPA-HERE>))(&(sAMAccountName={{name}})(memberOf=<INSERT-DN-OF-GROUPB-HERE>)))
                      

                      In either case, for me at least, neither user can login if they are a member of more than 2 groups in AD.

                      • Chico008 @Guest

                        @kagbasi-ngc
                        just tried with a group name having no space, still the same for me.
                        my user only has 3 group memberships.

                        thing is, it only failed if i want to filter memberof.

                        if in filter i only put : (&(sAMAccountName={{name}}))
                        anyone in my AD can login to xcp, even those with 6 group memberships, and that's not what i want.

                        (&(sAMAccountName={{name}})(memberOf=SG-XCP_Admin))
                        not working, still having the could not authenticate user

                        Code: -32000
                        
                        Message: could not authenticate user
                        
                        {
                          "message": "could not authenticate user",
                          "name": "Error",
                          "stack": "Error: could not authenticate user\n    at /opt/xen-orchestra/packages/xo-server-auth-ldap/src/index.js:246:15\n    at default.testPlugin (file:///opt/xen-orchestra/packages/xo-server/src/xo-mixins/plugins.mjs:285:5)\n    at Xo.test (file:///opt/xen-orchestra/packages/xo-server/src/api/plugin.mjs:109:3)\n    at Task.runInside (/opt/xen-orchestra/@vates/task/index.js:175:22)\n    at Task.run (/opt/xen-orchestra/@vates/task/index.js:159:20)\n    at Api.#callApiMethod (file:///opt/xen-orchestra/packages/xo-server/src/xo-mixins/api.mjs:469:18)"
                        }
                        
                        • A Former User @Chico008

                          @Chico008 I suspect it's failing because memberOf must have the full Distinguished Name (DN) of the group, not just the group name.

                          • Chico008 @Guest

                            @kagbasi-ngc

                            tried this a while ago, but my default groups are in OUs that have , or () in their name (i know it's very bad but it's been there since before my arrival)

                            tried with a security group in a simple OU
                            this time it worked using the full DN.

                            • Chico008 @Chico008

                              Just a reminder for myself, or other people in need in the future 🙂
                              thanks again to all the people who helped me understand this

                              Had to reinstall my entire XCP system, and almost forgot how to configure the Ldap plugin to only allow my admin account to login

                              So here's my Ldap plugin conf, to allow only admin users (members of a specific group) to login.
                              my AD is a windows 2K19 server with active directory without ssl.

                              URI : ldap://dc.domain.net:389
                              no certificate info
                              base : dc=domain,dc=net

                              Credential : Fill = tick
                              DN = full DN of service user (CN=xen,OU=service_account,DC=domain,DC=net)
                              password = password of this account
                              it's a simple account with no specific right, can only read AD and login

                              User Filter, where it can get stuck:
                              (&(sAMAccountName={{name}})(memberOf=CN=SG-XCP_Admin,OU=service_account,DC=domain,DC=net))

                              • in reality my OUs have spaces in their names; it works anyway.
                              • SG-XCP_Admin is a security group having my admin users inside

                              ID Attribute : sAMAccountName

                              and that's all.

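The user-filter construction this thread arrives at (one memberOf group, an OR of several groups, and group DNs whose OU names contain commas or parentheses) as an added JavaScript example; this is not code from the xo-server-auth-ldap plugin, and the group and OU names are constructed. It also shows two points the thread touches on: the quotes in memberOf=CN="Admins du domaine" are not LDAP syntax (they become literal characters of the value), and the two-branch OR filter posted earlier can be written as one (&(sAMAccountName={{name}})(|(memberOf=A)(memberOf=B))) clause.

```javascript
// Added example, not code from the xo-server-auth-ldap plugin. Group and
// OU names below are constructed samples.

// RFC 4515: escape a value that goes inside a search-filter assertion.
// A login name substituted unescaped (e.g. "*") would match any user.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, c =>
    '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

// RFC 4514: escape one attribute value inside a DN, e.g. an OU whose
// name contains ',' (a plain '(' is legal in a DN but not in a filter).
function escapeDnValue(value) {
  let out = String(value).replace(/[\\,+"<>;]/g, c => '\\' + c);
  if (out.startsWith('#') || out.startsWith(' ')) out = '\\' + out;
  if (out.endsWith(' ')) out = out.slice(0, -1) + '\\ ';
  return out;
}

// Build a DN from [attribute, value] pairs, most specific RDN first.
function buildDn(rdns) {
  return rdns.map(([attr, val]) => `${attr}=${escapeDnValue(val)}`).join(',');
}

// User filter that only matches members of one of the given groups.
// memberOf must hold the full group DN, never a bare group name, and the
// DN is a filter value here, so it gets RFC 4515 escaping on top.
function buildUserFilter(groupDns) {
  const clauses = groupDns.map(dn => `(memberOf=${escapeFilterValue(dn)})`);
  const groups = clauses.length === 1 ? clauses[0] : `(|${clauses.join('')})`;
  return `(&(sAMAccountName={{name}})${groups})`;
}

// Substitute {{name}} with the login name, escaped as a filter value.
function renderFilter(template, name) {
  return template.replace(/\{\{name\}\}/g, escapeFilterValue(name));
}

// Stand-alone demonstration with constructed names.
const adminGroup = buildDn([['CN', 'SG-XCP_Admin'], ['OU', 'service_account'],
                            ['DC', 'domain'], ['DC', 'net']]);
const awkwardGroup = buildDn([['CN', 'XO Admins (prod)'], ['OU', 'Ops, EU'],
                              ['DC', 'domain'], ['DC', 'net']]);
const userFilter = buildUserFilter([adminGroup, awkwardGroup]);
console.log(userFilter);
console.log(renderFilter(userFilter, 'alice'));
console.log(renderFilter(userFilter, 'al*ce')); // wildcard neutralised
```

The single-group output of buildUserFilter is byte-for-byte the filter from the working configuration above; the parentheses in the second group's CN come out as \28 and \29, which is the form AD needs when the DN is used as a filter value.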