I had a lot of trouble getting the LDAP integration to work with Active Directory domain controllers, so I wanted to share my configuration to make it easier for others trying to do the same thing in the future.
Using this config I was able to get everything working, but I found a few limitations:
- Xen Orchestra cannot find any group members where the member has the "Primary Group" attribute set.
- Only direct members of a group are recognized (nested groups don't work).
- When signing in, I have to specify "username" instead of "username@cxlab.domain.com".
- Groups are created by clicking "Synchronize LDAP groups", however users are not created until they sign into XOA the first time.
- Users are not deleted from Xen Orchestra when they are removed from the domain (but they can no longer log in to XOA).
auth-ldap (v0.10.6) - LDAP authentication plugin for XO-Server
Auto-load at server start [checked]
**Configuration**
URI: ldap://domaincontroller1.cxlab.domain.com
**Certificate Authorities**
Check certificate [disabled]
Use StartTLS [disabled]
Base: DC=cxlab,DC=domain,DC=com
**Credentials**
dn: cxadmin@cxlab.domain.com
password: ******************
User filter: (sAMAccountName={{name}})
ID attribute: dn
**Synchronize groups**
[checked] Fill information (optional)
Base: CN=Users,DC=cxlab,DC=domain,DC=com
Filter: (ObjectClass=group)
ID attribute: dn
Display name attribute: cn
**Members mapping**
Group attribute: member
User attribute: dn
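To make the limitations above concrete, here is an added, stdlib-only Python simulation (not code from Xen Orchestra or the auth-ldap plugin) of how this configuration resolves logins and group members. It runs against constructed AD-style entries: every DN, account name and group ID below is made up, and `escape_filter_value` is my own helper for substituting a login name into the `{{name}}` placeholder.

```python
# Added example, not Xen Orchestra's or the auth-ldap plugin's code: a stdlib-only
# simulation of how the settings above resolve logins and group members, run
# against constructed AD-style entries (every DN, name and ID here is made up).
BASE = "CN=Users,DC=cxlab,DC=domain,DC=com"

# Constructed user entries keyed by dn (the configured user "ID attribute").
USERS = {
    f"CN=alice,{BASE}": {"sAMAccountName": "alice", "primaryGroupID": 513},
    f"CN=bob,{BASE}":   {"sAMAccountName": "bob",   "primaryGroupID": 1105},
    f"CN=carol,{BASE}": {"sAMAccountName": "carol", "primaryGroupID": 513},
}
# Constructed groups. AD records a user's primary group in the user's
# primaryGroupID (matching the group's primaryGroupToken), not in "member".
GROUPS = {
    f"CN=xo-admins,{BASE}": {"cn": "xo-admins", "primaryGroupToken": 1105,
                             "member": [f"CN=alice,{BASE}", f"CN=xo-nested,{BASE}"]},
    f"CN=xo-nested,{BASE}": {"cn": "xo-nested", "primaryGroupToken": 1106,
                             "member": [f"CN=carol,{BASE}"]},
}

def escape_filter_value(value):
    """RFC 4515 escaping for anything substituted into the {{name}} placeholder."""
    return "".join(c if c not in "\\*()\x00" else "\\%02x" % ord(c) for c in value)

def user_filter(name):
    """The configured user filter with the login name safely substituted."""
    return f"(sAMAccountName={escape_filter_value(name)})"

def find_user(name):
    """Login lookup: sAMAccountName is the short name, so 'bob' matches but the
    UPN form 'bob@cxlab.domain.com' does not (the sign-in limitation above)."""
    for dn, attrs in USERS.items():
        if attrs["sAMAccountName"].lower() == name.lower():
            return dn
    return None

def direct_members(group_dn):
    """What the 'Members mapping' (member -> dn) yields: only 'member' values that
    are user dns, so bob (primary group) and carol (nested group) are missed."""
    return sorted(dn for dn in GROUPS[group_dn]["member"] if dn in USERS)

def all_members(group_dn):
    """For comparison only: also follow primaryGroupID and nested groups (no cycle guard)."""
    token = GROUPS[group_dn]["primaryGroupToken"]
    found = {dn for dn, a in USERS.items() if a["primaryGroupID"] == token}
    for dn in GROUPS[group_dn]["member"]:
        if dn in USERS:
            found.add(dn)
        elif dn in GROUPS:
            found |= set(all_members(dn))
    return sorted(found)
```

Comparing `direct_members` with `all_members` for `xo-admins` shows exactly which accounts the member/dn mapping leaves out.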