XCP-ng
    Posts by yag
    • RE: LDAP Authentication with OpenLDAP backend?

      @olivierlambert Thanks for the reply! I am open to running without group sync as well, but I have not found a way to give my LDAP users operator access to Orchestra without group sync, so if you know how you did that I am eager to know that as well 😄

      posted in Management
      yag
    • RE: LDAP Authentication with OpenLDAP backend?

      @yag Bumping this thread. Anyone?

      posted in Management
      yag
    • LDAP Authentication with OpenLDAP backend?

      Hello!

      Has anyone had success with the ldap-auth plugin and OpenLDAP as the LDAP provider? User authentication works fine, but my problem arises during group synchronization.

      Per my understanding, you need to synchronize groups to be able to make all LDAP users administrators. I seem to have a mismatch between user and group sync. As previously stated, I can log in with my LDAP user, but the group membership is only partially recognized.

      Under "Settings > Groups" I can see my group "lab-users" and it says 1 member, but under "Settings > Users" my user appears, yet it states that the user is a member of 0 groups.

      I have set administrative rights on every object inside XO for the "lab-users" group, but when I log in with my user I can't access anything. But if I put the ACLs on the user object instead, I can administrate everything.

      Plugin settings:

      User filter: (&(objectClass=inetOrgPerson)(uid={{name}})) 
      ID Attribute: uid
      
      Group filter: (&(objectClass=posixGroup)(cn=lab-users))
      ID Attribute: gidNumber
      Display name attribute: cn
      
      Group attribute: uniqueMember
      User attribute: uid 
      

      LDAP attributes:

      User filter: ldapsearch -H ldaps://openldap.myorg.tld -D 'cn=admin,dc=my,dc=organisation,dc=tld' -w 'REDACTED' -b 'dc=my,dc=organisation,dc=tld' "(&(objectClass=inetOrgPerson)(uid=jacjor))"
      ---
      # jacjor, people, my.organisation.tld
      dn: uid=jacjor,ou=people,dc=my,dc=organisation,dc=tld 
      objectClass: person
      objectClass: inetOrgPerson
      objectClass: posixAccount
      uid: jacjor
      ...
      ---
      
      Group filter: ldapsearch -H ldaps://openldap.myorg.tld -D 'cn=admin,dc=my,dc=organisation,dc=tld' -w 'REDACTED' -b 'dc=my,dc=organisation,dc=tld' "(&(objectClass=posixGroup)(cn=lab-users))"
      
      ---
      
      # lab-users, groups, my.organisation.tld
      dn: cn=lab-users,ou=groups,dc=my,dc=organisation,dc=tld
      objectClass: top
      objectClass: groupOfUniqueNames
      objectClass: posixGroup
      cn: lab-users
      gidNumber: 2008
      uniqueMember:
      uniqueMember: uid=jacjor,ou=people,dc=my,dc=organisation,dc=tld
      uniqueMember: uid=lab-test,ou=people,dc=my,dc=organisation,dc=tld
      

      Am I missing something here? I guess that the group sync cannot access the "uid" attribute, but how do I fix this? Can I use anything else? I have tried with both ID attributes set to "dn" instead, but with no luck.

      posted in Management
      yag
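An added example, not part of the original post and not the XO ldap-auth plugin's own code: it reproduces the attribute pairing from the plugin settings above against LDIF shaped like the two ldapsearch results in the thread, and shows why "Group attribute: uniqueMember" together with "User attribute: uid" yields no members. The LDIF is constructed (the memberUid values and the uidNumber/gidNumber attributes on the user entries are additions that were not in the post), and the matching rule it implements, comparing the value of the user's "User attribute" with each value of the group's "Group attribute", is an assumption about how the plugin resolves membership, not something the page confirms.

```python
"""
Membership-resolution check for an XO ldap-auth style attribute pairing.
Assumption (not confirmed by the thread): a user belongs to a group when the
value of the user's "User attribute" equals one of the values of the group's
"Group attribute". uniqueMember holds full DNs, so it must be paired with the
user's dn; memberUid holds bare uids, so it pairs with the user's uid.
"""
from typing import Dict, List

# Constructed LDIF, shaped like the ldapsearch output in the post.
# uidNumber/gidNumber on the users are additions for realism.
USER_LDIF = """\
dn: uid=jacjor,ou=people,dc=my,dc=organisation,dc=tld
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jacjor
uidNumber: 1001
gidNumber: 2008

dn: uid=lab-test,ou=people,dc=my,dc=organisation,dc=tld
objectClass: inetOrgPerson
objectClass: posixAccount
uid: lab-test
uidNumber: 1002
gidNumber: 2008
"""

# The memberUid values are an addition: posixGroup allows them and they show
# the other consistent pairing (memberUid <-> uid). The blank uniqueMember
# line is kept because the post's output contains one.
GROUP_LDIF = """\
dn: cn=lab-users,ou=groups,dc=my,dc=organisation,dc=tld
objectClass: top
objectClass: groupOfUniqueNames
objectClass: posixGroup
cn: lab-users
gidNumber: 2008
uniqueMember:
uniqueMember: uid=jacjor,ou=people,dc=my,dc=organisation,dc=tld
uniqueMember: uid=lab-test,ou=people,dc=my,dc=organisation,dc=tld
memberUid: jacjor
memberUid: lab-test
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF parser: entries separated by blank lines, 'attr: value'
    lines, multi-valued attributes collected into lists, the DN stored under
    'dn'. Empty values are kept as '' so the lint below can report them.
    Comments, line folding and base64 ('::') values are not handled."""
    entries: List[Entry] = []
    current: Entry = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def user_values(user: Entry, user_attr: str) -> List[str]:
    """'dn' is treated as a pseudo-attribute naming the entry's DN."""
    return user.get("dn", []) if user_attr == "dn" else user.get(user_attr, [])


def resolve_members(group: Entry, users: List[Entry],
                    group_attr: str, user_attr: str) -> List[str]:
    """uids of users whose user_attr value equals a group_attr value
    (case-insensitive, as DN and uid matching usually are; blanks ignored)."""
    member_values = {v.lower() for v in group.get(group_attr, []) if v}
    return [u["uid"][0] for u in users
            if any(v.lower() in member_values for v in user_values(u, user_attr))]


def looks_like_dn(value: str) -> bool:
    """Heuristic: 'uid=jacjor,ou=people,...' contains '=' and ','."""
    return "=" in value and "," in value


def check_settings(group: Entry, group_attr: str, user_attr: str) -> List[str]:
    """Lint the pairing: DN-valued group attribute needs user attribute 'dn';
    also report blank member values, which never match anything."""
    problems = []
    values = group.get(group_attr, [])
    if "" in values:
        problems.append(f"{group_attr} has an empty value on {group['dn'][0]}")
    if any(looks_like_dn(v) for v in values if v) and user_attr != "dn":
        problems.append(f"{group_attr} holds DNs but user attribute is "
                        f"'{user_attr}'; use 'dn'")
    return problems


if __name__ == "__main__":
    users = parse_ldif(USER_LDIF)
    group = parse_ldif(GROUP_LDIF)[0]
    for g_attr, u_attr in (("uniqueMember", "uid"), ("uniqueMember", "dn"),
                           ("memberUid", "uid")):
        print(g_attr, "<->", u_attr, "members:",
              resolve_members(group, users, g_attr, u_attr),
              "problems:", check_settings(group, g_attr, u_attr))
```

Run it and the first pairing (the thread's settings) resolves to no members, which is consistent with a group that reports a member count from its own attribute while the user side reports zero groups; the two self-consistent pairings both resolve both users. Against a live directory the same comparison can be made by pulling the two entries with the ldapsearch commands from the post and feeding their output to parse_ldif.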