XO Community Edition - Ldap Plugin not working ?
-
@olivierlambert I have an XOA instance on the
Stablechannel (v5.102.1) which I'd pulled down earlier to troubleshoot another issue with you, however, my trial has ended so all the plugins have been unloaded.I can test if you'll reactivate my trial (kagbasi at wgsdac.org). Let me know.
-
Trial extended
-
@olivierlambert Thanks.
XOA Test results:
-
On Stable v5.102.1 - issue persists. Auth failure occurs with AD group membership at 7.
-
On Latest v5.103.1 - issue persists. Auth failure occurs with AD group membership at 7.
I can make a screen recording of my testing, if that helps lend more credibility? Just let me know, thanks.
-
-
Ah and now it's logical then
I believe you, this is possibly a bug in XO if you have it both on sources and XOA.Worth opening a Github issue!
-
@olivierlambert Awesome, glad I could convince ya
. I will submit a Github issue shortly, thanks again. -
@olivierlambert I have just submitted a Github issue for this - https://github.com/vatesfr/xen-orchestra/issues/8351
Thanks again for indulging me.
-
hi, just made a test today after updating to commit 5a501
in my filter i got this :
(&(sAMAccountName={{name}})(memberOf=CN="Admins du domaine"))
because i only want my domain admins to login.test failed.
but, if i only use filter &(sAMAccountName={{name}}))
test works
event with my domain admin account who is member of 4 groups.now how can i set my filter to only allow domain admin 'Admins du domaine' to be able to login as XO admin ?
also tried with full DN (CN=Admins du domaine,CN=Users,DC=company,DC=net) but not working either -
@Chico008 Don't know if this might help you or not.
I generally avoid having spaces inside my Group names. Not sure if somehow the double quotes isn't being handled properly. Anyway, this is what my user filter looks like:
(&(sAMAccountName={{name}})(memberOf=<INSERT-DN-OF-GROUP-HERE>))Earlier today, I figured out how to filter against multiple groups (with help from Serverfault). This user filter checks if the user is a member of GROUPA or GROUPB:
(|(&(sAMAccountName={{name}})(memberOf=<INSERT-DN-OF-GROUPA-HERE>))(&(sAMAccountName={{name}})(memberOf=<INSERT-DN-OF-GROUPB-HERE>)))In either case, for me at least, neither user can login if they are a member of more than 2 groups in AD.
-
@kagbasi-ngc
just tried with a group name having no space, still the same for me.
my user only have 3 groups memberships.thing is, it only failed if i want to filter memberof.
if in filter i only put : (&(sAMAccountName={{name}}))
anyone in my AD can login to xcp, even those having 6 groups member, and that's not that i want.(&(sAMAccountName={{name}})(memberOf=SG-XCP_Admin))
not working, still having the could not authenticate userCode: -32000 Message: could not authenticate user { "message": "could not authenticate user", "name": "Error", "stack": "Error: could not authenticate user\n at /opt/xen-orchestra/packages/xo-server-auth-ldap/src/index.js:246:15\n at default.testPlugin (file:///opt/xen-orchestra/packages/xo-server/src/xo-mixins/plugins.mjs:285:5)\n at Xo.test (file:///opt/xen-orchestra/packages/xo-server/src/api/plugin.mjs:109:3)\n at Task.runInside (/opt/xen-orchestra/@vates/task/index.js:175:22)\n at Task.run (/opt/xen-orchestra/@vates/task/index.js:159:20)\n at Api.#callApiMethod (file:///opt/xen-orchestra/packages/xo-server/src/xo-mixins/api.mjs:469:18)" } -
@Chico008 I suspect it's failing because
memberOfmust have the full Distinguished Name (DN) of the group, not just the group name. -
tries this a while ago, but my default group are in OU having , or () in their name (i know it's very bad but it's been there before my arrival)
tried with a security group in a simple OU
this time it worked using fully DN.
