XCP-ng
    XO Community Edition - Ldap Plugin not working ?

    kagbasi-ngc @olivierlambert

      @olivierlambert Thanks.

      XOA Test results:

      • On Stable v5.102.1 - issue persists. Auth failure occurs with AD group membership at 7.

      • On Latest v5.103.1 - issue persists. Auth failure occurs with AD group membership at 7.

      I can make a screen recording of my testing, if that helps lend more credibility? Just let me know, thanks.

      olivierlambert (Vates Co-Founder, CEO)

        Ah and now it's logical then 😉 I believe you, this is possibly a bug in XO if you have it both on sources and XOA.

        Worth opening a Github issue!

        kagbasi-ngc @olivierlambert

          @olivierlambert Awesome, glad I could convince ya 😂. I will submit a Github issue shortly, thanks again.

          kagbasi-ngc @kagbasi-ngc

            @olivierlambert I have just submitted a Github issue for this - https://github.com/vatesfr/xen-orchestra/issues/8351

            Thanks again for indulging me.

            GitHub issue #8351 in vatesfr/xen-orchestra (opened by kismetgerald-ngc, status: open): "LDAP/Active Directory Authentication Fails if User is Member of More than 6 Groups"

              Chico008 @kagbasi-ngc

              hi, just made a test today after updating to commit 5a501

              in my filter I got this:
              (&(sAMAccountName={{name}})(memberOf=CN="Admins du domaine"))
              because I only want my domain admins to log in.

              test failed.

              but, if I only use the filter (&(sAMAccountName={{name}}))
              the test works
              even with my domain admin account, which is a member of 4 groups.

              now how can I set my filter to only allow the domain admin group 'Admins du domaine' to be able to log in as XO admin?
              also tried with the full DN (CN=Admins du domaine,CN=Users,DC=company,DC=net) but not working either

                kagbasi-ngc @Chico008

                @Chico008 Don't know if this might help you or not.

                I generally avoid having spaces inside my group names. Not sure if somehow the double quotes aren't being handled properly. Anyway, this is what my user filter looks like:

                (&(sAMAccountName={{name}})(memberOf=<INSERT-DN-OF-GROUP-HERE>))
                

                Earlier today, I figured out how to filter against multiple groups (with help from Serverfault). This user filter checks if the user is a member of GROUPA or GROUPB:

                (|(&(sAMAccountName={{name}})(memberOf=<INSERT-DN-OF-GROUPA-HERE>))(&(sAMAccountName={{name}})(memberOf=<INSERT-DN-OF-GROUPB-HERE>)))
                

                In either case, for me at least, neither user can log in if they are a member of more than 2 groups in AD.

                  Chico008 @kagbasi-ngc

                  @kagbasi-ngc
                  just tried with a group name having no space, still the same for me.
                  my user only has 3 group memberships.

                  thing is, it only fails if I want to filter on memberOf.

                  if in the filter I only put: (&(sAMAccountName={{name}}))
                  anyone in my AD can log in to xcp, even those with 6 group memberships, and that's not what I want.

                  (&(sAMAccountName={{name}})(memberOf=SG-XCP_Admin))
                  not working, still getting "could not authenticate user"

                  Code: -32000
                  
                  Message: could not authenticate user
                  
                  {
                    "message": "could not authenticate user",
                    "name": "Error",
                    "stack": "Error: could not authenticate user\n    at /opt/xen-orchestra/packages/xo-server-auth-ldap/src/index.js:246:15\n    at default.testPlugin (file:///opt/xen-orchestra/packages/xo-server/src/xo-mixins/plugins.mjs:285:5)\n    at Xo.test (file:///opt/xen-orchestra/packages/xo-server/src/api/plugin.mjs:109:3)\n    at Task.runInside (/opt/xen-orchestra/@vates/task/index.js:175:22)\n    at Task.run (/opt/xen-orchestra/@vates/task/index.js:159:20)\n    at Api.#callApiMethod (file:///opt/xen-orchestra/packages/xo-server/src/xo-mixins/api.mjs:469:18)"
                  }
                  
                    kagbasi-ngc @Chico008

                    @Chico008 I suspect it's failing because memberOf must have the full Distinguished Name (DN) of the group, not just the group name.

                      Chico008 @kagbasi-ngc

                      @kagbasi-ngc

                      tried this a while ago, but my default groups are in OUs having , or () in their names (I know it's very bad but it's been there since before my arrival)

                      tried with a security group in a simple OU
                      this time it worked using the full DN.

                        Chico008 @Chico008

                        Just a reminder for myself, or other people in need in the future 🙂
                        thanks again to all the people who helped me understand this

                        Had to reinstall my entire XCP system, and almost forgot how to configure the LDAP plugin to only allow my admin account to log in

                        So here's my LDAP plugin conf, to allow only admin users (members of a specific group) to log in.
                        my AD is a Windows 2K19 server with Active Directory without SSL.

                        URI : ldap://dc.domain.net:389
                        no certificate info
                        base : dc=domain,dc=net

                        Credential : Fill = tick
                        DN = full DN of the service user (CN=xen,OU=service_account,DC=domain,DC=net)
                        password = password of this account
                        it's a simple account with no specific rights, it can only read AD and log in

                        User Filter, where it can get stuck:
                        (&(sAMAccountName={{name}})(memberOf=CN=SG-XCP_Admin,OU=service_account,DC=domain,DC=net))

                        • in reality my OUs have spaces in their names, it works anyway.
                        • SG-XCP_Admin is a security group containing my admin users

                        ID Attribute : sAMAccountName

                        and that's all.

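As an added example (not code from the xo-server-auth-ldap plugin or from anyone in this thread), a small JavaScript helper that renders an XO-style user filter with RFC 4515 escaping of the login name and lints it for the two mistakes that produced "could not authenticate user" above: unbalanced parentheses and a bare group name (or a quoted CN) instead of the group's full DN in memberOf. The {{name}} placeholder is the plugin's syntax; the function names, the DN pattern and the sample filters are assumptions of this example.

```javascript
// Added example, not code from the xo-server-auth-ldap plugin: render an
// XO-style user filter and lint it for the mistakes seen in this thread.

// RFC 4515 escaping for a value placed inside an LDAP search filter. The login
// name typed at the XO login form is untrusted, so it must not be spliced in raw.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, (c) =>
    '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Substitute the {{name}} placeholder used by the plugin's user filter.
// (Assumption: this mirrors the placeholder syntax only, not the plugin code.)
function renderUserFilter(template, name) {
  return template.replace(/\{\{name\}\}/g, escapeFilterValue(name));
}

// Checks for the two errors discussed above: a filter with unbalanced
// parentheses, and a memberOf value that is a bare group name (or a quoted CN)
// rather than the group's full distinguished name.
// Assumption: DNs are unescaped RDN chains CN=...(,OU|CN=...)*,DC=...,DC=...;
// OU names containing ',' '(' or ')' must be escaped per RFC 4514/4515 first.
const FULL_DN = /^CN=[^,]+(?:,(?:OU|CN)=[^,]+)*(?:,DC=[^,]+)+$/i;

function lintUserFilter(filter) {
  const problems = [];
  if (!filter.startsWith('(')) problems.push('filter must start with "("');
  let depth = 0;
  for (const c of filter) {
    if (c === '(') depth++;
    else if (c === ')' && --depth < 0) break;
  }
  if (depth !== 0) problems.push('unbalanced parentheses');
  const memberOf = /\(memberOf=([^)]*)\)/gi;
  let m;
  while ((m = memberOf.exec(filter)) !== null) {
    if (!FULL_DN.test(m[1])) problems.push(`memberOf is not a full DN: ${m[1]}`);
  }
  return problems;
}

// Constructed sample filters taken from the thread.
const GOOD = '(&(sAMAccountName={{name}})(memberOf=CN=SG-XCP_Admin,OU=service_account,DC=domain,DC=net))';
const BARE_GROUP = '(&(sAMAccountName={{name}})(memberOf=SG-XCP_Admin))';
const UNBALANCED = '&(sAMAccountName={{name}}))';

console.log(lintUserFilter(GOOD));        // []
console.log(lintUserFilter(BARE_GROUP));  // [ 'memberOf is not a full DN: SG-XCP_Admin' ]
console.log(lintUserFilter(UNBALANCED));  // two problems
console.log(renderUserFilter(GOOD, 'jdoe'));
```

Run the linter against the plugin's "Test plugin" filter before saving it; a filter that passes the lint but still fails authentication points at the directory side (group DN, service account read rights) rather than the filter text.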