Tried this a while ago, but my default groups are in OUs having , or () in their name (I know it's very bad but it's been there before my arrival)
tried with a security group in a simple OU
this time it worked using the full DN.
@kagbasi-ngc
just tried with a group name having no space, still the same for me.
my user only has 3 group memberships.
thing is, it only fails if I want to filter on memberOf.
if in the filter I only put: (&(sAMAccountName={{name}}))
anyone in my AD can log in to XCP, even those who are members of 6 groups, and that's not what I want.
(&(sAMAccountName={{name}})(memberOf=SG-XCP_Admin))
not working, still having the "could not authenticate user"
Code: -32000
Message: could not authenticate user
{
"message": "could not authenticate user",
"name": "Error",
"stack": "Error: could not authenticate user\n at /opt/xen-orchestra/packages/xo-server-auth-ldap/src/index.js:246:15\n at default.testPlugin (file:///opt/xen-orchestra/packages/xo-server/src/xo-mixins/plugins.mjs:285:5)\n at Xo.test (file:///opt/xen-orchestra/packages/xo-server/src/api/plugin.mjs:109:3)\n at Task.runInside (/opt/xen-orchestra/@vates/task/index.js:175:22)\n at Task.run (/opt/xen-orchestra/@vates/task/index.js:159:20)\n at Api.#callApiMethod (file:///opt/xen-orchestra/packages/xo-server/src/xo-mixins/api.mjs:469:18)"
}
Hi
I'm setting up the LDAP plugin on my XOCE.
My conf seems to be OK, but I can't figure out how I can filter only users from a specific group to log in and refuse others.
My conf for now
Uri : ldap://s-ad.domain.net:389
base : OU=company,DC=domain,DC=net
credential : account used to connect to Active Directory
userfilter : my problem
Id attribute : sAMAccountName
if I put userfilter : &(sAMAccountName={{name}})
every user in my company can log in
if I put (&(sAMAccountName={{name}})(memberOf=CN="XCP Admin"))
no one can log in, even users who are members of the "XCP Admin" group.
How can I set the filter to allow only users of this group to be able to log in?
hi, just made a test today after updating to commit 5a501
in my filter I got this:
(&(sAMAccountName={{name}})(memberOf=CN="Admins du domaine"))
because I only want my domain admins to log in.
test failed.
but, if I only use the filter &(sAMAccountName={{name}}))
the test works
even with my domain admin account, which is a member of 4 groups.
now how can I set my filter to only allow domain admins ('Admins du domaine') to be able to log in as XO admin?
also tried with the full DN (CN=Admins du domaine,CN=Users,DC=company,DC=net) but not working either
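The posts above (the original question, the "Admins du domaine" test, and the earlier note about OUs whose names contain commas or parentheses) all hinge on what a `memberOf=` clause is compared against and how special characters must be escaped at each layer. The block below is an added example, not code from the thread or from the xo-server-auth-ldap plugin: it builds a DN with RFC 4514 escaping, wraps it in an LDAP search filter with RFC 4515 escaping, and evaluates that filter against a few constructed directory entries so the difference between a bare `CN=...` value and a full DN is visible offline. The helper names (`build_dn`, `group_filter`, `would_match`) and the sample entries are assumptions made for this example; the `{{name}}` placeholder is kept literally, as the plugin substitutes it.

```python
"""Added example: building and checking a memberOf-restricted LDAP user filter."""

# RFC 4515: characters that must be hex-escaped inside a filter assertion value.
_FILTER_SPECIALS = "\\*()\x00"
# RFC 4514: characters that must be backslash-escaped inside an RDN attribute value.
_DN_SPECIALS = ',+"\\<>;'


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in _FILTER_SPECIALS else ch for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape an RDN attribute value (RFC 4514): special chars, leading '#', edge spaces."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns):
    """Join (attribute, value) pairs into a DN string, escaping each value."""
    return ",".join(f"{attr}={escape_dn_value(val)}" for attr, val in rdns)


def group_filter(login_attr: str, name_placeholder: str, group_dn: str) -> str:
    """Filter that requires the login name AND membership of group_dn.

    The DN is escaped again at the filter layer: a DN-level backslash becomes \\5c,
    and parentheses in an OU name become \\28 / \\29.
    """
    return f"(&({login_attr}={name_placeholder})(memberOf={escape_filter_value(group_dn)}))"


def would_match(entry: dict, group_dn: str) -> bool:
    """Emulate the server-side memberOf test: the stored value is a full DN, compared
    as a whole (DN matching in AD is case-insensitive). A bare 'CN=Group' never equals
    a stored 'CN=Group,OU=...,DC=...' value, so such a filter matches nobody."""
    wanted = group_dn.casefold()
    return any(dn.casefold() == wanted for dn in entry.get("memberOf", []))


# Constructed sample entries (assumption: not real directory data).
SAMPLE_ENTRIES = {
    "alice": {
        "sAMAccountName": "alice",
        "memberOf": [
            "CN=Admins du domaine,CN=Users,DC=company,DC=net",
            "CN=Domain Users,CN=Users,DC=company,DC=net",
        ],
    },
    "bob": {
        "sAMAccountName": "bob",
        "memberOf": ["CN=Domain Users,CN=Users,DC=company,DC=net"],
    },
}


def allowed_logins(group_dn: str):
    """Names of sample users that a memberOf=group_dn filter would let through."""
    return sorted(n for n, e in SAMPLE_ENTRIES.items() if would_match(e, group_dn))


if __name__ == "__main__":
    admins = build_dn([("CN", "Admins du domaine"), ("CN", "Users"), ("DC", "company"), ("DC", "net")])
    print(group_filter("sAMAccountName", "{{name}}", admins))
    print("full DN ->", allowed_logins(admins))
    print("bare CN ->", allowed_logins("CN=Admins du domaine"))
    awkward = build_dn([("CN", "SG-XCP_Admin"), ("OU", "Sales (EU), Corp"), ("DC", "domain"), ("DC", "net")])
    print(group_filter("sAMAccountName", "{{name}}", awkward))
```

Running it prints the filter for the "Admins du domaine" group, shows that only `alice` passes with the full DN while the bare `CN=` form matches nobody, and shows how an OU named `Sales (EU), Corp` must appear in the filter (`\5c,` for the escaped comma, `\28`/`\29` for the parentheses).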
@DustinB
just tried, it's indeed way better than I thought using self-service
thanks
Hi
I'm trying to understand ACLs, but can't find out how this actually works.
I've got 2 local users.
admin, can do everything
guest, limited actions.
I want the guest user to only create/run/manage his VMs on the existing pool.
I don't want him to change settings or disconnect SRs/networks, only create/run/manage HIS VMs, not others.
how can I achieve that?
if I make guest admin on the pool, he can do almost everything
if I make him operator, he can stop/launch, but not create VMs.
I don't really understand how ACLs work, any official doc or else?
@olivierlambert too bad, could be better if the pref could be stored in the database instead >_<
@Danp
My VM is a Ubuntu server 24.01
I'll try on a Debian 12, maybe a docker image to check if it works better or not.
edit: tested on another server OS (Debian), and tested a docker version
Still the same
I can change the language, it's set for the session running.
but when I come back and log in again, the language is set to English by default again.
My browser clears cache and cookies on exit.
Using the DN I have a totally different error when testing the connection
Code: -32000
Message: 80090308: LdapErr: DSID-0C090511, comment: AcceptSecurityContext error, data 52e, v4563 Code: 0x31
{
"code": 49,
"message": "80090308: LdapErr: DSID-0C090511, comment: AcceptSecurityContext error, data 52e, v4563\u0000 Code: 0x31",
"name": "Error",
"stack": "Error: 80090308: LdapErr: DSID-0C090511, comment: AcceptSecurityContext error, data 52e, v4563\u0000 Code: 0x31\n at Function.parse (/opt/xen-orchestra/node_modules/ldapts/StatusCodeParser.ts:99:16)\n at Client._sendBind (/opt/xen-orchestra/node_modules/ldapts/Client.ts:638:30)\n at Client.bind (/opt/xen-orchestra/node_modules/ldapts/Client.ts:272:5)\n at AuthLdap._authenticate (/opt/xen-orchestra/packages/xo-server-auth-ldap/src/index.js:270:11)\n at default.testPlugin (file:///opt/xen-orchestra/packages/xo-server/src/xo-mixins/plugins.mjs:285:5)\n at Xo.test (file:///opt/xen-orchestra/packages/xo-server/src/api/plugin.mjs:109:3)\n at Task.runInside (/opt/xen-orchestra/@vates/task/index.js:172:22)\n at Task.run (/opt/xen-orchestra/@vates/task/index.js:156:20)\n at Api.#callApiMethod (file:///opt/xen-orchestra/packages/xo-server/src/xo-mixins/api.mjs:469:18)"
}
The account I'm testing with has 4 security groups
The service account used to bind only has 1 security group (domain user)
the same user is used to bind LDAP to other websites or software, and works fine.