RE: XOCE - ISO upload is renamed after upload to ISO SR

@Pilow Like BSOD from Microsoft Win95 show

@ph7 that's what i'm doing for now, but i'm still wondering why the renaming, and maby a way to disable this renaming.

But maybe we can't

Hi

Is there a way to prevent XOCE to rename an ISO file upload via XOCE ?

for example : if i upload the iso file : linux-mint.iso, after upload to the nfs storage, it is renamed a04e750f-ba9a-4e58-b3f7-35e04ce3c979.img

thing is, it's pretty anoying, because the same iso source is used for other virtual environement, and having iso file with a UUID is not usable elswhere, because if i'm not on XOCE, i can't know what iso is

@dinhngtu Hi
For my i made on offline Install to solve my issue, installed failed when downloading the kernel from servers, so offline install worked fine for me.

Just a reminder for myself, or other people in need in the future
thanks again for all people who helped me understanding this

Had to reinstall my entire XCP system, and almost forget how to configure Ldap plugin to only allow my admin accout to login

So here's my Ldap plugin conf, to allow only admin user (member of specific group) to login.
my AD is a windows 2K19 server with active directory without ssl.

URI : ldap://dc.domain.net:389
no certificate info
base : dc=domain,dc=net

Credential : Fill = tick
DN = full DN of service user (CN=xen,OU=service_account,DC=domain,DC=net)
password = password of this account
it's a simple account with no specific right, can only read AD and login

User Filter, where it can stuck
(&(sAMAccountName={{name}})(memberOf=CN=SG-XCP_Admin,OU=service_account,DC=domain,DC=net))

• in real my OU have spaces inside their name, it work anyway.
• SG-XCP_Admin is a security group having my admin users inside

ID Attribute : sAMAccountName

and that's all.

@acebmxer Maybe, did you try an offline install, this solved my issue, then after install i could update/upgrade normally.

Ok this is it

seems some Ubuntu mirror are having issue, install offline by disconnecting lan card, install finished fine.

@dinhngtu
iso : ubuntu-24.04.3-live-server-amd64.iso
Sha256 is correct comparing to Ubuntu web site.

But, it may not be because of Xcp :
Tries installaling a new VM on our Vsphere, with the same Iso from different source, same error
seems to be an issue when kernel is downloading from web during install

@olivierlambert only on console screen

HI

I recentrly updated my nodes from xcp-ng 8.2 to 8.3
on theses newly installed nodes, i install XOA from auto-deploy.

I'm trying to install a Linux Ubuntu server 24, but keeps failing during install.
tried using uefi (non secure) or bios, each time install failes.

ISOs comme from my NAS, and VM disk are hosted on a ISCSI Lun

on 8.2 was exactly the same conf, sources, all worked fine, but now i can't :/, and i'm unable to understand the report, i only it failed during kernel install.

my Isos are the same i used for 8.2, on the same NFS Share.

tried installing a win 2K19 server, seems ok, but Ubuntu server can't (even tried a ubuntu server 22, same)

@kagbasi-ngc

tries this a while ago, but my default group are in OU having , or () in their name (i know it's very bad but it's been there before my arrival)

tried with a security group in a simple OU
this time it worked using fully DN.

@kagbasi-ngc
just tried with a group name having no space, still the same for me.
my user only have 3 groups memberships.

thing is, it only failed if i want to filter memberof.

if in filter i only put : (&(sAMAccountName={{name}}))
anyone in my AD can login to xcp, even those having 6 groups member, and that's not that i want.

(&(sAMAccountName={{name}})(memberOf=SG-XCP_Admin))
not working, still having the could not authenticate user

Code: -32000

Message: could not authenticate user

{
  "message": "could not authenticate user",
  "name": "Error",
  "stack": "Error: could not authenticate user\n    at /opt/xen-orchestra/packages/xo-server-auth-ldap/src/index.js:246:15\n    at default.testPlugin (file:///opt/xen-orchestra/packages/xo-server/src/xo-mixins/plugins.mjs:285:5)\n    at Xo.test (file:///opt/xen-orchestra/packages/xo-server/src/api/plugin.mjs:109:3)\n    at Task.runInside (/opt/xen-orchestra/@vates/task/index.js:175:22)\n    at Task.run (/opt/xen-orchestra/@vates/task/index.js:159:20)\n    at Api.#callApiMethod (file:///opt/xen-orchestra/packages/xo-server/src/xo-mixins/api.mjs:469:18)"
}

Hi

I' setting up the Ldap plugin on my XOCE.

My conf seems to be OK, but i can't figure out how i can filter only user from specific group to login and refuse other.

My conf for now
Uri : ldap://s-ad.domain.net:389
base : OU=company,DC=domain,DC=net
credential : account used to connect to Active Directory

userfilter : my problem
Id attribut : sAMAccountName

if i put userfiler : &(sAMAccountName={{name}})
every user in my company can login
if i put (&(sAMAccountName={{name}})(memberOf=CN="XCP Admin"))
no one can login, even users member of "XCP Admin" group.

How can i set filter to allow only users of this group to be able to login ?

hi, just made a test today after updating to commit 5a501

in my filter i got this :
(&(sAMAccountName={{name}})(memberOf=CN="Admins du domaine"))
because i only want my domain admins to login.

test failed.

but, if i only use filter &(sAMAccountName={{name}}))
test works
event with my domain admin account who is member of 4 groups.

now how can i set my filter to only allow domain admin 'Admins du domaine' to be able to login as XO admin ?
also tried with full DN (CN=Admins du domaine,CN=Users,DC=company,DC=net) but not working either

@DustinB
just tried, it's indeed way better than i thought using self-service

thanks

Hi

I'm trying to understand Acl, but can't find out how this effectly works.

I got 2 local users.
admin, can do everything
guest, limited action.

i want guest user to only create/run/manage his VM on the existing pool.
i don't want him to change setting, disconnect SR/network, only create/run/manage HIS vm, not others.

how can i archive that ?

if i make guest admin on the pool, he can do almost everything
if i make it operator, he can stop/launch, but not create VM.

i dont really understand how acl works, any official doc or else ?

@olivierlambert too bad, could be better if pref could be stored in database instead >_<

@Danp
My VM is a Ubuntu server 24.01
i'll try on a debian 12, maybe a docker image to check if it works better or not.

edit : tested on another server OS (Debian), and tested a docker version
Still the same
i can change language, it's set for the sessions running.
but when i come back and login again, laguage set to english by default again.

My browser clear cache and cookie on exit.

@Danp

@kagbasi-ngc

Using DN i have a totally different error on testing connection
Code: -32000

Message: 80090308: LdapErr: DSID-0C090511, comment: AcceptSecurityContext error, data 52e, v4563 Code: 0x31

{
  "code": 49,
  "message": "80090308: LdapErr: DSID-0C090511, comment: AcceptSecurityContext error, data 52e, v4563\u0000 Code: 0x31",
  "name": "Error",
  "stack": "Error: 80090308: LdapErr: DSID-0C090511, comment: AcceptSecurityContext error, data 52e, v4563\u0000 Code: 0x31\n    at Function.parse (/opt/xen-orchestra/node_modules/ldapts/StatusCodeParser.ts:99:16)\n    at Client._sendBind (/opt/xen-orchestra/node_modules/ldapts/Client.ts:638:30)\n    at Client.bind (/opt/xen-orchestra/node_modules/ldapts/Client.ts:272:5)\n    at AuthLdap._authenticate (/opt/xen-orchestra/packages/xo-server-auth-ldap/src/index.js:270:11)\n    at default.testPlugin (file:///opt/xen-orchestra/packages/xo-server/src/xo-mixins/plugins.mjs:285:5)\n    at Xo.test (file:///opt/xen-orchestra/packages/xo-server/src/api/plugin.mjs:109:3)\n    at Task.runInside (/opt/xen-orchestra/@vates/task/index.js:172:22)\n    at Task.run (/opt/xen-orchestra/@vates/task/index.js:156:20)\n    at Api.#callApiMethod (file:///opt/xen-orchestra/packages/xo-server/src/xo-mixins/api.mjs:469:18)"
}

The account i'm testing with have 4 security groups
Service account using to bind only have 1 security group (domain user)
same user is used to bind ldap to other website or software, and works fine.