Tried this a while ago, but my default groups are in OUs having , or () in their name (I know it's very bad, but it was there before my arrival).
Tried with a security group in a simple OU;
this time it worked using the full DN.
@kagbasi-ngc
Just tried with a group name having no space, still the same for me.
My user only has 3 group memberships.
The thing is, it only fails if I want to filter on memberOf.
If in the filter I only put: (&(sAMAccountName={{name}}))
anyone in my AD can log in to XCP, even those who are members of 6 groups, and that's not what I want.
(&(sAMAccountName={{name}})(memberOf=SG-XCP_Admin))
is not working, still getting the could not authenticate user error:
Code: -32000
Message: could not authenticate user
{
"message": "could not authenticate user",
"name": "Error",
"stack": "Error: could not authenticate user\n at /opt/xen-orchestra/packages/xo-server-auth-ldap/src/index.js:246:15\n at default.testPlugin (file:///opt/xen-orchestra/packages/xo-server/src/xo-mixins/plugins.mjs:285:5)\n at Xo.test (file:///opt/xen-orchestra/packages/xo-server/src/api/plugin.mjs:109:3)\n at Task.runInside (/opt/xen-orchestra/@vates/task/index.js:175:22)\n at Task.run (/opt/xen-orchestra/@vates/task/index.js:159:20)\n at Api.#callApiMethod (file:///opt/xen-orchestra/packages/xo-server/src/xo-mixins/api.mjs:469:18)"
}
Hi
I'm setting up the LDAP plugin on my XOCE.
My conf seems to be OK, but I can't figure out how I can filter so that only users from a specific group can log in and others are refused.
My conf for now:
URI : ldap://s-ad.domain.net:389
base : OU=company,DC=domain,DC=net
Credential : account used to connect to Active Directory
User filter : my problem
Id attribute : sAMAccountName
If I put user filter : &(sAMAccountName={{name}})
every user in my company can log in.
If I put (&(sAMAccountName={{name}})(memberOf=CN="XCP Admin"))
no one can log in, even users who are members of the "XCP Admin" group.
How can I set the filter to allow only users of this group to be able to log in?
Hi, just made a test today after updating to commit 5a501.
In my filter I have this:
(&(sAMAccountName={{name}})(memberOf=CN="Admins du domaine"))
because I only want my domain admins to log in.
The test failed.
But if I only use the filter &(sAMAccountName={{name}}))
the test works,
even with my domain admin account, which is a member of 4 groups.
Now how can I set my filter to only allow domain admins ('Admins du domaine') to be able to log in as XO admin?
Also tried with the full DN (CN=Admins du domaine,CN=Users,DC=company,DC=net) but that's not working either.
@DustinB
Just tried; it's indeed way better than I thought using self-service.
Thanks.
Hi
I'm trying to understand ACLs, but can't find out how this effectively works.
I have 2 local users:
admin, can do everything
guest, limited actions.
I want the guest user to only create/run/manage his VMs on the existing pool.
I don't want him to change settings or disconnect SR/network, only create/run/manage HIS VMs, not others'.
How can I achieve that?
If I make guest admin on the pool, he can do almost everything.
If I make him operator, he can stop/launch, but not create VMs.
I don't really understand how ACLs work, any official doc or else?
@olivierlambert too bad, it could be better if prefs could be stored in the database instead >_<
@Danp
My VM is an Ubuntu server 24.01.
I'll try on a Debian 12, maybe a Docker image, to check if it works better or not.
Edit: tested on another server OS (Debian), and tested a Docker version.
Still the same.
I can change the language; it's set for the running session.
But when I come back and log in again, the language is set to English by default again.
My browser clears cache and cookies on exit.
Using the DN I have a totally different error when testing the connection:
Code: -32000
Message: 80090308: LdapErr: DSID-0C090511, comment: AcceptSecurityContext error, data 52e, v4563 Code: 0x31
{
"code": 49,
"message": "80090308: LdapErr: DSID-0C090511, comment: AcceptSecurityContext error, data 52e, v4563\u0000 Code: 0x31",
"name": "Error",
"stack": "Error: 80090308: LdapErr: DSID-0C090511, comment: AcceptSecurityContext error, data 52e, v4563\u0000 Code: 0x31\n at Function.parse (/opt/xen-orchestra/node_modules/ldapts/StatusCodeParser.ts:99:16)\n at Client._sendBind (/opt/xen-orchestra/node_modules/ldapts/Client.ts:638:30)\n at Client.bind (/opt/xen-orchestra/node_modules/ldapts/Client.ts:272:5)\n at AuthLdap._authenticate (/opt/xen-orchestra/packages/xo-server-auth-ldap/src/index.js:270:11)\n at default.testPlugin (file:///opt/xen-orchestra/packages/xo-server/src/xo-mixins/plugins.mjs:285:5)\n at Xo.test (file:///opt/xen-orchestra/packages/xo-server/src/api/plugin.mjs:109:3)\n at Task.runInside (/opt/xen-orchestra/@vates/task/index.js:172:22)\n at Task.run (/opt/xen-orchestra/@vates/task/index.js:156:20)\n at Api.#callApiMethod (file:///opt/xen-orchestra/packages/xo-server/src/xo-mixins/api.mjs:469:18)"
}
The account I'm testing with has 4 security groups.
The service account used to bind only has 1 security group (domain user).
The same user is used to bind LDAP to other websites or software, and works fine.
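The three errors quoted in this thread come from three different stages of the plugin's login flow, and the stack traces say which. Below is an added triage helper (example code, not part of xo-server, xo-server-auth-ldap or ldapts) that strips the trailing NUL and "Code: 0xNN" suffix from the message, reads the LDAP result code, decodes the well-known "AcceptSecurityContext error, data NNN" sub-codes Active Directory returns on a failed simple bind, and tells a bind failure from a search failure and from the plugin refusing the user itself. The function names, the abbreviated sample stacks and the wording of the "meaning" strings are this example's own; the messages are the ones posted above. The DIR_ERROR and "could not authenticate user" meanings only restate what happened in this thread, not a general decoding of those codes.

```javascript
// Added example, not code from xo-server or ldapts. Triage helpers for the three
// errors posted in this thread: a plugin-level "could not authenticate user",
// an AD bind failure (data 52e) and a search failure (problem 5012, DIR_ERROR).

// Sub-codes Active Directory puts after "AcceptSecurityContext error, data"
// when a simple bind fails (LDAP result code 49, invalidCredentials).
const AD_BIND_DATA = {
  '525': 'user not found',
  '52e': 'invalid credentials (wrong password, or the DN/UPN bound is not the account intended)',
  '530': 'not permitted to log on at this time',
  '531': 'not permitted to log on from this workstation',
  '532': 'password expired',
  '533': 'account disabled',
  '701': 'account expired',
  '773': 'user must reset password',
  '775': 'account locked out',
};

// Which request failed, read from the stack: ldapts frames name the operation;
// a stack with only plugin frames means the plugin refused the user without AD
// having rejected any request.
function failingStage(stack) {
  const s = String(stack);
  if (/Client\._sendBind/.test(s)) return 'bind';
  if (/Client\._sendSearch/.test(s)) return 'search';
  if (/xo-server-auth-ldap/.test(s)) return 'plugin';
  return 'unknown';
}

function triageLdapError(rawMessage, stack) {
  // AD terminates its text with a NUL (shown as \u0000 in the JSON dumps) and
  // ldapts appends " Code: 0xNN" carrying the LDAP result code.
  const message = String(rawMessage).replace(/\u0000/g, '').trim();
  const out = { stage: failingStage(stack), ldapCode: null, adData: null, meaning: '' };

  const code = /Code:\s*0x([0-9a-f]+)/i.exec(message);
  if (code) out.ldapCode = parseInt(code[1], 16);

  const bind = /AcceptSecurityContext error, data ([0-9a-f]+)/i.exec(message);
  if (bind) {
    out.adData = bind[1].toLowerCase();
    out.meaning = 'bind rejected by AD: ' + (AD_BIND_DATA[out.adData] || 'unknown data code ' + out.adData);
  } else if (/problem 5012 \(DIR_ERROR\)/.test(message)) {
    out.meaning = 'search rejected by AD (result code 1, operationsError) before any bind; '
      + 'in this thread it appeared with base dn=corp,dn=net and changed once the base used dc=';
  } else if (/could not authenticate user/.test(message)) {
    out.meaning = 'raised by the plugin itself, no directory error; '
      + 'in this thread it appeared only when the filter carried a memberOf term';
  } else {
    out.meaning = 'unrecognised error';
  }
  return out;
}

// The three errors from the thread; stacks abbreviated to the frames that matter.
const SAMPLES = [
  { message: 'could not authenticate user',
    stack: 'Error: could not authenticate user\n    at /opt/xen-orchestra/packages/xo-server-auth-ldap/src/index.js:246:15' },
  { message: '80090308: LdapErr: DSID-0C090511, comment: AcceptSecurityContext error, data 52e, v4563\u0000 Code: 0x31',
    stack: 'Error: ...\n    at Client._sendBind (/opt/xen-orchestra/node_modules/ldapts/Client.ts:638:30)\n'
      + '    at AuthLdap._authenticate (/opt/xen-orchestra/packages/xo-server-auth-ldap/src/index.js:270:11)' },
  { message: '000020D6: SvcErr: DSID-03100836, problem 5012 (DIR_ERROR), data 0\n\u0000 Code: 0x1',
    stack: 'Error: ...\n    at Client._sendSearch (/opt/xen-orchestra/node_modules/ldapts/Client.ts:648:30)\n'
      + '    at AuthLdap._authenticate (/opt/xen-orchestra/packages/xo-server-auth-ldap/src/index.js:277:42)' },
];

function triageAll() {
  return SAMPLES.map((s) => triageLdapError(s.message, s.stack));
}

for (const r of triageAll()) console.log(r.stage, r.ldapCode, r.adData, '-', r.meaning);
```

Run with `node triage.js`. The point worth keeping from the 52e case: that error is raised at `Client._sendBind`, i.e. after the search already found an entry, so the filter did match something and the failure is the password check against whatever DN the search returned, which is a different thing to chase than the two filter-level errors.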
@Danp
I'm using XOCE for now for testing.
My VM hosting XOCE is an Ubuntu server 24.04.
XOCE installed using this script from GitHub:
https://github.com/Jarli01/xenorchestra_installer
No error in the log from switching language.
@Danp
Other settings are kept, like the default search filter.
Which log can I check for this?
Nothing has been done to the database since XOCE was installed.
Hi
I'm trying to set my XOCE web GUI in French.
For that I click on my profile icon, and change the language to French.
The effect is immediate.
But if I close my browser, and come back again, the language goes back to English.
Did I forget to save somewhere?
I don't see any save profile button.
Hi
Came back here,
still no news for me.
Corrected my conf, I had put dn= instead of dc=
and changed my filter to : (&(sAMAccountName={{name}})(memberOf=CN="Admins du domaine"))
So I have:
URI : ldap://sdc.domain.net:389
check certificate / TLS = NO
base : dc=domain,dc=net
Credential
DN : xo_user@domain.net
password : xxxxx
User filter : (&(sAMAccountName={{name}})(memberOf=CN="Admins du domaine"))
Id attribute : sAMAccountName
Now I get the Could not authenticate user error when I'm testing the connection:
Code: -32000
Message: could not authenticate user
{
"message": "could not authenticate user",
"name": "Error",
"stack": "Error: could not authenticate user\n at /opt/xen-orchestra/packages/xo-server-auth-ldap/src/index.js:246:15\n at default.testPlugin (file:///opt/xen-orchestra/packages/xo-server/src/xo-mixins/plugins.mjs:285:5)\n at Xo.test (file:///opt/xen-orchestra/packages/xo-server/src/api/plugin.mjs:109:3)\n at Task.runInside (/opt/xen-orchestra/@vates/task/index.js:172:22)\n at Task.run (/opt/xen-orchestra/@vates/task/index.js:156:20)\n at Api.#callApiMethod (file:///opt/xen-orchestra/packages/xo-server/src/xo-mixins/api.mjs:469:18)"
}
Which log can I check to see what is happening?
Tried testing with just user/password, user@domain/password,
but same error message.
@DustinB
Tried your command, it runs OK, restarted the VM hosting XOCE, but still have the same issue.
After typing an @ in the console, the following characters are wrong.
How can I get the v6 console?
I'm using XOCE (not XOA) for testing XCP for now.
Hi
I made an update for XOCE recently, and since then, when I'm using the console on a Linux guest, after typing a special char : [{| the console goes crazy and types weird chars.
How can I fix this?
Can't use PuTTY or other external tools, this guest is on a virtual network not connected to my physical network.
Hi
I've set up Xen Orchestra Community Edition for my lab, to test XCP-ng and XO.
Installation from source is OK, I managed to set up storage, backups, and VMs running.
But I would like to set up LDAP authentication, and only allow a specific group in my AD to connect to Xen Orchestra.
Our LDAP is strictly internal, no certificate.
It's set up like this:
URI : ldap://my-dc-01.corp.net:389
check certificate and use TLS not checked.
base : dn=corp,dn=net
Credential : service_account@corp.net with its password
User filter
This is where maybe I'm missing something.
I put : (&(sAMAccountName={{name}})(memberOf="VMAdmin"))
Id attribute : sAMAccountName
When I test with my user in the VMAdmin group, I get this error:
Code: -32000
Message: 000020D6: SvcErr: DSID-03100836, problem 5012 (DIR_ERROR), data 0 Code: 0x1
{
"code": 1,
"message": "000020D6: SvcErr: DSID-03100836, problem 5012 (DIR_ERROR), data 0\n\u0000 Code: 0x1",
"name": "Error",
"stack": "Error: 000020D6: SvcErr: DSID-03100836, problem 5012 (DIR_ERROR), data 0\n\u0000 Code: 0x1\n at Function.parse (/opt/xen-orchestra/node_modules/ldapts/StatusCodeParser.ts:55:16)\n at Client._sendSearch (/opt/xen-orchestra/node_modules/ldapts/Client.ts:648:30)\n at Client.search (/opt/xen-orchestra/node_modules/ldapts/Client.ts:610:5)\n at AuthLdap._authenticate (/opt/xen-orchestra/packages/xo-server-auth-ldap/src/index.js:277:42)\n at default.testPlugin (file:///opt/xen-orchestra/packages/xo-server/src/xo-mixins/plugins.mjs:285:5)\n at Xo.test (file:///opt/xen-orchestra/packages/xo-server/src/api/plugin.mjs:109:3)\n at Task.runInside (/opt/xen-orchestra/@vates/task/index.js:172:22)\n at Task.run (/opt/xen-orchestra/@vates/task/index.js:156:20)\n at Api.#callApiMethod (file:///opt/xen-orchestra/packages/xo-server/src/xo-mixins/api.mjs:469:18)"
}
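Every filter posted in this thread that carried a memberOf term put something other than a DN after `memberOf=` (a bare group name, `CN="..."`, or a quoted name), and the one post that reports success did so with the full DN of a group in a simple OU. memberOf is a DN-valued attribute, so AD compares it against the group's full distinguished name; the other forms can never match, and the plugin then has no user to authenticate. The earlier post about OUs whose names contain `,` or `()` hits the second trap: those characters are escaped once inside the DN (RFC 4514) and the whole DN is then a filter value, so it is escaped again when written into the filter (RFC 4515). The following added example (not code from xo-server-auth-ldap or Xen Orchestra; the function names, the `R&D (Paris), site 2` OU and the hostile login name are constructed for illustration) builds the DN and the filter template correctly, checks the parenthesis balance of templates such as `&(sAMAccountName={{name}}))`, flags the memberOf forms from this thread, and shows why the value substituted for `{{name}}` has to be escaped too.

```javascript
// Added example, not code from xo-server-auth-ldap or Xen Orchestra.
// Builds the user filter the plugin expands from {{name}} and flags the
// memberOf forms tried in this thread that Active Directory cannot match.

// RFC 4515: escape a value that goes *inside* a filter. Without this, a login
// name such as  a*)(objectClass=*  would change the meaning of the filter.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\u0000]/g, (c) =>
    '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

// RFC 4514: escape one attribute value inside a DN, e.g. an OU literally named
// "R&D (Paris), site 2" (constructed name; commas, +, quotes, <>, ;, = and \).
function escapeDnValue(value) {
  let s = String(value).replace(/([\\,+"<>;=])/g, '\\$1');
  if (s.startsWith('#') || s.startsWith(' ')) s = '\\' + s;
  if (s.endsWith(' ') && !s.endsWith('\\ ')) s = s.slice(0, -1) + '\\ ';
  return s;
}

// Assemble a DN from [attribute, value] pairs, most specific RDN first.
function buildDn(rdns) {
  return rdns.map(([attr, val]) => `${attr}=${escapeDnValue(val)}`).join(',');
}

// The filter template to paste into the plugin. memberOf is a DN-valued
// attribute: AD compares it with the group's full DN, never with a bare name
// or CN="...". The DN is itself a filter value, so RFC 4515 escaping is applied
// on top of the RFC 4514 escaping already inside it: the OU above is written
// OU=R&D \28Paris\29\5c, site 2 inside the filter.
function buildUserFilterTemplate(groupDn) {
  const userTerm = '(sAMAccountName={{name}})';
  return groupDn
    ? `(&${userTerm}(memberOf=${escapeFilterValue(groupDn)}))`
    : `(&${userTerm})`;
}

// Expand {{name}} the way a login attempt would, escaping the submitted name.
function renderFilter(template, name) {
  return template.replace(/\{\{name\}\}/g, escapeFilterValue(name));
}

// Parenthesis balance, to catch templates such as  &(sAMAccountName={{name}}))
// before they go into the plugin configuration.
function filterIsBalanced(filter) {
  let depth = 0;
  for (let i = 0; i < filter.length; i++) {
    const c = filter[i];
    if (c === '\\') { i += 2; continue; }        // skip an escaped \hh pair
    if (c === '(') depth++;
    else if (c === ')' && --depth < 0) return false;
  }
  return depth === 0 && filter.startsWith('(') && filter.endsWith(')');
}

// Flag memberOf values AD will never match: quoted values, a bare group name,
// or a lone CN= without the rest of the DN.
function memberOfProblems(filter) {
  const problems = [];
  const re = /\(memberOf=([^)]*)\)/gi;
  let m;
  while ((m = re.exec(filter)) !== null) {
    const v = m[1];
    if (v.includes('"')) problems.push(`quoted value: ${v}`);
    if (!/^CN=/i.test(v)) problems.push(`not a DN, no leading CN=: ${v}`);
    else if (!/,\s*(OU|CN|DC)=/i.test(v)) problems.push(`CN without the rest of the DN: ${v}`);
  }
  return problems;
}

// Worked run over the filters from the thread plus a correctly built one.
const GROUP_DN = buildDn([['CN', 'Admins du domaine'], ['CN', 'Users'], ['DC', 'company'], ['DC', 'net']]);
const GOOD_TEMPLATE = buildUserFilterTemplate(GROUP_DN);
for (const f of [
  '&(sAMAccountName={{name}}))',
  '(&(sAMAccountName={{name}})(memberOf=CN="Admins du domaine"))',
  '(&(sAMAccountName={{name}})(memberOf=SG-XCP_Admin))',
  GOOD_TEMPLATE,
]) {
  console.log(filterIsBalanced(f) ? 'balanced  ' : 'UNBALANCED', f, memberOfProblems(f));
}
console.log(renderFilter(GOOD_TEMPLATE, 'a*)(objectClass=*'));
```

The escaping in `renderFilter` is the check a practitioner should make of any plugin that substitutes a user-supplied name into a filter template: with it, `a*)(objectClass=*` becomes `a\2a\29\28objectClass=\2a` and stays a literal name; without it, the same input would rewrite the filter. Whether xo-server-auth-ldap escapes `{{name}}` is not visible from this thread, so test it rather than assume it.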