    Issues synchronizing LDAP groups (Active Directory)

    Xen Orchestra
    bugs blocked
    • olivierlambert
      olivierlambert Vates 🪐 Admin 🧑‍💻 last edited by

      This is a pretty advanced question. @pdonias will take a look when he's back from holidays 🙂 (if you are in a hurry, please create a support ticket with pro support)

        Kajetan321 @olivierlambert last edited by

I will patiently wait for @pdonias to be back from holidays 😁

          Kajetan321 last edited by

To troubleshoot, I have installed ldapsearch on XOA via ssh (sudo apt-get install ldap-utils) and edited /etc/ldap/ldap.conf. After fine-tuning some settings I was able to get ldapsearch to return results. When I attempt to use "the same" settings to configure the XOA LDAP plugin, however, I get this in the logs: "could not authenticate user"

          Here is what's inside my /etc/ldap/ldap.conf:

          #
          # LDAP Defaults
          #
          
          # See ldap.conf(5) for details
          # This file should be world readable but not world writable.
          
          #BASE   dc=example,dc=com
          BASE   OU=Accounts,DC=lan,DC=company,DC=com
          
          #URI    ldap://ldap.example.com ldap://ldap-provider.example.com:666
          URI    ldaps://server.lan.company.com
          
          #SIZELIMIT      12
          #TIMELIMIT      15
          #DEREF          never
          
          # TLS certificates (needed for GnuTLS)
          TLS_CACERT      /etc/ssl/certs/company_root.pem
          

          Executing this at the XOA command line I get a long list of entries pertaining to my AD users:

          ldapsearch -H ldaps://server.lan.company.com -x -D user@lan.company.com -w password
          

          My plugin settings are as follows:
          ldaps://server.lan.company.com
          /etc/ssl/certs/company_root.pem
          Check certificate: Yes
          Use StartTLS: off
          Base: OU=Accounts,DC=lan,DC=company,DC=com

          dn: user@lan.company.com
          password: password
          User filter: (uid={{name}})
          ID attribute: dn

Any hints on how to troubleshoot this further?

          • pdonias
            pdonias Vates 🪐 XO Team 🌐 @Kajetan321 last edited by

            Hi @kajetan321, please add this to your xo-server config file:

            [logs]
            level = 'debug'
            

            then test the plugin again and check xo-server's output when the error occurs to help identify what's causing the issue.

              Kajetan321 @pdonias last edited by

              @pdonias Thanks for getting back to me. I enabled debug level under logs and rebooted the VM. Here is what the logs show:

              Jan 12 17:37:05 xoa xo-server[536]: 2022-01-12T22:37:05.296Z xo:xo-server-auth-ldap DEBUG attempting to bind with as user@lan.company.com...
              Jan 12 17:37:05 xoa xo-server[536]: 2022-01-12T22:37:05.313Z xo:xo-server-auth-ldap DEBUG successfully bound as user@lan.company.com
              Jan 12 17:37:05 xoa xo-server[536]: 2022-01-12T22:37:05.314Z xo:xo-server-auth-ldap DEBUG searching for entries...
              Jan 12 17:37:05 xoa xo-server[536]: 2022-01-12T22:37:05.336Z xo:xo-server-auth-ldap DEBUG 0 entries found
              Jan 12 17:37:05 xoa xo-server[536]: 2022-01-12T22:37:05.336Z xo:xo-server-auth-ldap DEBUG could not authenticate user@lan.company.com
              Jan 12 17:37:05 xoa xo-server[536]: 2022-01-12T22:37:05.373Z xo:api WARN user | plugin.test(...) [89ms] =!> Error: could not authenticate user
              

              I copied and pasted the user name and password from the ldapsearch command. Ldapsearch command still works.

              • TheNorthernLight
                TheNorthernLight @Kajetan321 last edited by

                @kajetan321 So I literally got this to work this afternoon after lots of fiddling around (and trying several different "working" configs).

                I ended up doing:
                url: ldap://10.10.x.x:389/
                check cert = OFF
                Use StartTLS = OFF
                base= DC=company,DC=com
                Credentials:
                dn = adqueryaccount@company.com
                password = ....
                user filter=(userPrincipalName={{name}})
                ID Attribute= dn

The part that tripped me up forever was the Credential DN. I was putting in all sorts of values, not realizing the simple UPN would work. Also, the user used to query AD needs to have the same UPN suffix as your regular users. My account was defaulted to an internal .lan domain. It kept failing. As soon as I changed its UPN to match my corporate.com domain, everything started working.

You can test this by simply using YOUR domain admin username/password in the dn and password sections. This eliminates the username as the source of the problem.

                • olivierlambert
                  olivierlambert Vates 🪐 Admin 🧑‍💻 last edited by

                  That's the issue with LDAP configuration: there's nothing we can do on our side to make it work "out of the box", since it's 100% dependent on each LDAP server configuration 😞

                    Kajetan321 @TheNorthernLight last edited by

                    @thenorthernlight Thanks! It appears I had two problems with the configuration I posted earlier that were causing the Test plugin to fail:

                    Use StartTLS should be off
                    User filter should be (userPrincipalName={{name}})

                    Now onto testing if actual AD logons are working.

                    Cheers.

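Added example (not code from the thread or from xo-server): a small Python script that reads the xo:xo-server-auth-ldap debug trail quoted above and reports which stage failed (service-account bind, user search, or the user's own bind), and that renders the plugin's user filter template with RFC 4515 escaping so a login name containing filter metacharacters cannot alter the query. The stage order and the escaping are my assumptions, not a description of the plugin's internals; the sample log is constructed from the lines posted in this thread.

```python
import re

# Constructed sample in the shape of the xo-server debug trail posted above
# (only the xo:xo-server-auth-ldap lines; the names are the thread's).
SAMPLE_LOG = """\
2022-01-12T22:37:05.296Z xo:xo-server-auth-ldap DEBUG attempting to bind with as user@lan.company.com...
2022-01-12T22:37:05.313Z xo:xo-server-auth-ldap DEBUG successfully bound as user@lan.company.com
2022-01-12T22:37:05.314Z xo:xo-server-auth-ldap DEBUG searching for entries...
2022-01-12T22:37:05.336Z xo:xo-server-auth-ldap DEBUG 0 entries found
2022-01-12T22:37:05.336Z xo:xo-server-auth-ldap DEBUG could not authenticate user@lan.company.com
"""

DEBUG_LINE = re.compile(r"xo:xo-server-auth-ldap DEBUG (.*)$")

def diagnose(log_text):
    """Return (failing_stage, hint) from the auth-ldap debug messages.

    Assumed stage order, inferred from the posted trail: service-account
    bind, search for the user's entry, then bind as that entry.
    """
    msgs = [m.group(1) for m in map(DEBUG_LINE.search, log_text.splitlines()) if m]
    if not any(m.startswith("successfully bound") for m in msgs):
        return ("bind", "service-account DN/password or TLS trust; compare with ldapsearch -D/-w")
    if "0 entries found" in msgs:
        return ("search", "bind OK but base DN or user filter matches nothing; "
                          "AD users carry userPrincipalName/sAMAccountName, not uid")
    if any(m.startswith("could not authenticate") for m in msgs):
        return ("user-bind", "entry found, but the bind with the user's own password failed")
    return ("ok", "no failure recorded")

def render_filter(template, name):
    """Substitute {{name}} into the user filter, escaping per RFC 4515.

    Assumption: this escaping is ours for illustration, not a statement
    about what xo-server-auth-ldap does internally.
    """
    escaped = name  # backslash first so later escape sequences are not re-escaped
    for ch, code in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\0", r"\00")):
        escaped = escaped.replace(ch, code)
    return template.replace("{{name}}", escaped)

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
    print(render_filter("(userPrincipalName={{name}})", "user@lan.company.com"))
```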
                      Kajetan321 @olivierlambert last edited by

@olivierlambert May I propose a Windows Active Directory plugin? It should only require the domain name and credentials to "join the domain". I believe Synology has this set up, as does QNAP. I would strongly suspect that Windows Server has a specific way of setting up LDAP if using defaults during install. I believe I read on Phoronix that Ubuntu now supports "joining the domain" during the install process as well. By "joining the domain" I mean automatic LDAP configuration, and the domain controller's root certificate should be added to XO's trusted certificates.

                      For someone like me who never really dealt with or set up LDAP, this would make XO way more appealing to use. Just my two cents.

                      Thank you for all your work, other than this I'm really impressed with XO, especially the backups!

                      Cheers.

                      • olivierlambert
                        olivierlambert Vates 🪐 Admin 🧑‍💻 last edited by

Thanks for the feedback @Kajetan321. However, I have no idea what it means or how it would work. Assistance will be welcome.
