LDAP config in 3.8.1



  • @jmaurin Oops, sorry, I wanted to say:

    • Clone the ldap stuff in the xo-server/node_modules/ folder.
    • Then, you need to build it. Go into the xo-server-auth-ldap folder and do an npm i.

    It will work that way.



  • It worked! Almost...

    Is there any parameter in the config file to tell which user should be used to connect? I don't have anonymous connection in my AD and I'm getting 'invalid credentials' on the xo-server console....



  • The plugin does not use anonymous binding, it attempts to bind directly with the user to authenticate to validate his credentials.
    Make sure the configuration is correct (especially the LDAP base).

    On a side note, the invalid credentials notices may be unrelated because XO-Server attempts to sign the user in with all available auth providers one after the other, therefore the notices may be caused by the other ones.



  • Well, I can't get this to work 😞

    Here are some of the errors (I don't know if is related to LDAP):

    xo:main - WebSocket connection +17ms
    xo:api session.signOut(...) +16ms
    xo:api Error: session.signOut(...) → Unauthorized: not authenticated or not enough permissions +36ms
    xo:xapi root@10.107.158.100:443: event.next(...) +1s
    xo:xapi root@10.107.158.115:443: event.next(...) +240ms
    xo:xapi root@10.107.158.112:443: event.next(...) +9ms
    xo:api session.signInWithPassword(...) +6ms
    use session.signIn() instead
    xo:xapi root@10.107.158.112:443: event.next(...) +156ms
    xo:main - WebSocket connection +6ms
    xo:api Error: session.signInWithPassword(...) → TypeError: Cannot set property 'user_id' of undefined +39ms
    TypeError: Cannot set property 'user_id' of undefined

    Also, I've made some changes to index.js of the module.

      // Bind DN: user@domain for MS AD (msaddomain is set in xo-server.yaml),
      // otherwise uid=<user> followed by the configured base.
      // conf, base, escape, username, password, client, resolve and reject
      // come from the surrounding plugin code.
      var constr = conf.msaddomain
        ? username + '@' + conf.msaddomain
        : 'uid=' + escape(username) + base;

      client.bind(
        constr,
        password,
        function (error) {
          if (error) {
            reject(error);
          } else {
            resolve({ username: username });
          }

          // Release the connection whether or not the bind succeeded.
          client.unbind();
        }
      );

    I have made this because in MS AD, you can't use 'uid=' for login (at least in the default configuration), you must set the full path of users....in my case, I have users in different OU's, so I can't specify only one. To solve this 'login' issue, I should use '@', so it would be: username@domain. The domain is set in xo-server.yaml. But how is user search implemented? I can't find it in the plugin code. Can I search users in sub-OU's?



  • The plugin is extremely trivial at this point, it does not implement user search in the directory, it only works with a direct bind.

    Unfortunately, 1) I am far from knowledgeable in this area and 2) we do not have an AD to test the plugin for now.

    If you have any resources which might help us to make it work in your case, I will be glad to take a look.

    PS: there are no particular errors related to your issue in the log you gave me.



  • Ok.
    I'm a PHP developer, I don't know much of node.js, but I can learn. 🙂
    I'm not familiar with XO internal binding (for example, how to get events of user input on the search box), etc......but I'll try to find out.
    About AD and LDAP, I have all structure here to make my tests. If you have any tips about internal XO structure, would be very cool 🙂



  • Julien, even better.....I can make (and test) functions in the plugin to connect and search for users, with parameters for MS AD and pure LDAP (I also have this here)...
    And if you agree, I can send you that code and you (or another XO developer) can 'link' those functions to XO internal code. I only need to know what you expect on each function return.
    For example: you tell me that you need a function that you'll send a username (or part of it) and I need to return whether it exists or not (true or false); or I need to return the full CN of this user in AD;

    Then, you can merge those two codes.



  • Go on 🙂 send us all the material you can!



  • @olivierlambert Ok! I'll work on it this week and send to you ASAP.



  • Great! Do not forget to ping @julien-f when you got something, this way he'll receive an email when you post stuff 🙂



  • @julien-f
    Julien, look at the code I'm working on: Pastebin code
    This code connects to the server (MS AD and OpenLDAP) and searches for user(s), returning one entry for each result.

    But, we still have a little problem. In order to search, we must bind first. To bind in MS AD, it's easy. Use <username>@<domain> and it will work. The problem is with OpenLDAP, where you must use full user DN.
    Ok, you can specify the user base DN for users in the config file.....but what if you have more than one DN for users, like I have here?
    Example:
    dc=my,dc=domain (base)
    ou=Office1,dc=my,dc=domain (first user's OU)
    ou=Office2,dc=my,dc=domain (second user's OU)

    In this case, the binding DN for user one is very different from user 2 and you can't 'know' all possible OU's. My suggestion in this case is one method that I've seen in another script:

    • Specify one binding username used to connect to LDAP server (read-only user)
    • After connection, search for desired username (using ldap search). In this case, search can be done in base-DN and using 'sub' as scope, so the search will be done in entire LDAP
    • After user is found, get his full DN and try to bind again using user's DN and user's password.

    In LDAP search, it is possible to use filters and search the entire LDAP directory using only the base-DN. Unfortunately, it's not possible to use this kind of filter/feature to bind.....you MUST use the full user DN (so you must already KNOW the user DN).
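    The three-step flow in the list above (read-only bind, subtree search for the user, re-bind with the found DN), as an added example that is not the plugin's code: it runs against a constructed in-memory directory standing in for ldapjs and a real server, and escapes the substituted name per RFC 4515 so a typed login name cannot change the filter's structure.

```javascript
const FILTER_ESCAPES = { '*': '\\2a', '(': '\\28', ')': '\\29', '\\': '\\5c', '\0': '\\00' };

// RFC 4515 escaping for a value substituted into a filter, so a login
// name such as "alice)(uid=bob" stays a literal value.
function escapeFilterValue(value) {
  return String(value).replace(/[*()\\\0]/g, (c) => FILTER_ESCAPES[c]);
}

// Render the configured filter template, e.g. "(uid={{name}})", for a login name.
function renderFilter(template, name) {
  return template.replace(/\{\{name\}\}/g, escapeFilterValue(name));
}

// Constructed directory: users live in two different OUs under one base DN.
const DIRECTORY = {
  'cn=reader,dc=my,dc=domain': { password: 'reader-secret', uid: 'reader' },
  'uid=alice,ou=Office1,dc=my,dc=domain': { password: 'alice-pw', uid: 'alice' },
  'uid=bob,ou=Office2,dc=my,dc=domain': { password: 'bob-pw', uid: 'bob' },
};

// Constructed stand-in for an ldapjs client, synchronous for brevity.
const fakeClient = {
  // A bind succeeds only with an existing DN and its password.
  bind: (dn, password) => Object.prototype.hasOwnProperty.call(DIRECTORY, dn) && DIRECTORY[dn].password === password,
  // Subtree search supporting a single equality item "(attr=value)".
  search: (base, filter) => {
    const m = /^\((\w+)=(.*)\)$/.exec(filter);
    if (!m) return [];
    return Object.keys(DIRECTORY).filter((dn) => dn.endsWith(base) && DIRECTORY[dn][m[1]] === m[2]);
  },
};

// Returns the authenticated user's DN, or null on any failure.
function authenticate(client, config, username, password) {
  if (!client.bind(config.adminDn, config.adminPassword)) return null; // step 1: read-only bind
  const found = client.search(config.base, renderFilter(config.filter, username)); // step 2: search
  if (found.length !== 1) return null; // unknown or ambiguous user: refuse
  const userDn = found[0];
  return client.bind(userDn, password) ? userDn : null; // step 3: re-bind as the user
}

const CONFIG = {
  adminDn: 'cn=reader,dc=my,dc=domain',
  adminPassword: 'reader-secret',
  base: 'dc=my,dc=domain',
  filter: '(uid={{name}})',
};
```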



  • @jmaurin I just pushed a new version implementing your algorithm.

    I believe it should work with AD by setting the filter to (sAMAccountName={{name}}@<domain>) but it has not been tested.



  • @julien-f
    After updating the repository, I got this error:
    xo:plugin loading auth-ldap +26ms ✖ Cannot find module 'auth-ldap' Error: Cannot find module 'auth-ldap'

    Moving files from 'src' folder to one level down, more import errors (bluebird related). Do I need to clean and rebuild something in XO?



  • @jmaurin

    > cd xo-server/node_modules
    > git clone https://github.com/vatesfr/xo-server-auth-ldap.git
    > cd xo-server-auth-ldap
    > npm install
    > npm run build
    


  • @julien-f
    Good news, works fine for both OpenLDAP and MS AD! 🙂

    Using OpenLDAP, the admin DN must be the full user DN and the filter must use the attribute 'uid'.
    Using MS AD, the admin DN can be the full user DN or <user>@<domain> (both work) and the filter must use the attribute 'cn'.

    ex (MS AD):
    bind -> dn: "jonis@mydomain.local"
    filter: "(cn={{name}})"

    The only thing that's not working is user search in ACL settings, but I guess it is not implemented yet, right? So I can log in with users in LDAP accounts, but get just the top bar, no VM's or whatever.
    Also, right now all users in AD CAN log in to XO......but again, I think this access control is not yet implemented in XO, right?



  • @jmaurin Great news!

    Our goal is just to authenticate users against an LDAP directory. Authorization is done in XOA (authentication is not authorization).

    This is a normal workflow:

    1. any LDAP user without an existing account in XOA is able to login if the correct credentials are given, but won't have any permission (empty view, no risk)
    2. after its first login, you will be able to see it in the ACL view AND give it rights on objects

    So, it's perfectly normal that you won't see all your LDAP users in the ACLs, that's the point 🙂

    If you want only one group of users to connect with LDAP, you can use the filter.

    Finally, a big thanks to @julien-f for the quick and working implementation \o/



  • @olivierlambert hahahaha...."It's ALIVEEEE!!" 😛

    Everything working as expected. 🙂
    ACL working fine, I can see users and set permission for each object.

    Are there any plans to work with LDAP groups? I mean, set group permissions on XO/Xen objects.



  • @jmaurin We planned to have extended ACLs to the end of the month. See this issue for details: https://github.com/vatesfr/xo-web/issues/209

    Coupling this to LDAP groups is not planned yet, we'll see this after shipping those extended ACLs first.




  • I tried installing the ldap plugin. I was able to log in.

    But is there any way I can allow only users of a particular AD group to log in?

    For example, in my AD I have a prodssh group; I specified it in the config.xml file:
    CN=prodssh,OU=Groups,DC=sp,DC=corp,DC=xyz,DC=net

    filter: '(sAMAccountName={{name}} CN=prodssh,OU=Groups,DC=sp,DC=corp,DC=xyz,DC=net)'

    It's not working; I can see an exception error on the ./xo-server console.

    Another issue is that if I allow ldap users to log in and give them ACLs for the VM, I am not able to view the stats; it seems to be stuck on

    Fetching stats...

    I am not able to view the DiskIO / Network IO.

    Am I missing any configuration here?



  • Hi @sjkeerthi

    1/ For the LDAP filter: if you stick to RFC 4515, it should work. We are not experts in LDAP, thus I can't tell about it precisely. The module we are using is this one: https://www.npmjs.com/package/ldapjs
    Anyway, if you have more debug, put them here.

    2/ Stats view for a non-admin user are now working in the next-release branch (thanks to my commit here). Will be merged next week for the 3.9 release.
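    An added example, not XO's or the plugin's code, showing how the group restriction asked about above is expressed as an RFC 4515 AND filter and evaluated against constructed AD entries; it assumes the directory exposes direct group membership in the memberOf attribute, as Active Directory does. The filter posted in the question, once {{name}} is filled in, is a single equality item whose value is the whole remaining string, so it matches no account.

```javascript
const FILTER_ESCAPES = { '*': '\\2a', '(': '\\28', ')': '\\29', '\\': '\\5c', '\0': '\\00' };
// RFC 4515 escaping for values substituted into a filter.
function escapeFilterValue(value) {
  return String(value).replace(/[*()\\\0]/g, (c) => FILTER_ESCAPES[c]);
}

// Restrict logins to one group: both items must hold for the same entry.
function buildGroupFilter(name, groupDn) {
  return `(&(sAMAccountName=${escapeFilterValue(name)})(memberOf=${escapeFilterValue(groupDn)}))`;
}

// Parse "(&...)", "(|...)" and "(attr=value)" into a small tree; escapes are kept verbatim.
function parseFilter(s, pos = 0) {
  if (s[pos] !== '(') throw new Error(`expected "(" at ${pos}`);
  let i = pos + 1;
  let node;
  if (s[i] === '&' || s[i] === '|') {
    node = { op: s[i] === '&' ? 'and' : 'or', items: [] };
    i += 1;
    while (s[i] === '(') { const r = parseFilter(s, i); node.items.push(r.node); i = r.end; }
  } else {
    const m = /^([A-Za-z][\w.;-]*)=([^()]*)/.exec(s.slice(i));
    if (!m) throw new Error(`bad filter item at ${i}`);
    node = { op: 'eq', attr: m[1].toLowerCase(), value: m[2] };
    i += m[0].length;
  }
  if (s[i] !== ')') throw new Error(`expected ")" at ${i}`);
  return { node, end: i + 1 };
}

// Attribute names and values compare case-insensitively (enough for sAMAccountName and DNs).
function matches(node, entry) {
  if (node.op === 'and') return node.items.every((n) => matches(n, entry));
  if (node.op === 'or') return node.items.some((n) => matches(n, entry));
  return (entry[node.attr] || []).some((v) => v.toLowerCase() === node.value.toLowerCase());
}

function entryMatches(filter, entry) {
  const { node, end } = parseFilter(filter);
  if (end !== filter.length) throw new Error('trailing characters in filter');
  return matches(node, entry);
}

// Constructed AD entries (attribute names lower-cased); the group DN is the one from the question.
const GROUP_DN = 'CN=prodssh,OU=Groups,DC=sp,DC=corp,DC=xyz,DC=net';
const MEMBER = { samaccountname: ['jdoe'], memberof: [GROUP_DN] };
const OUTSIDER = { samaccountname: ['jdoe'], memberof: ['CN=staff,OU=Groups,DC=sp,DC=corp,DC=xyz,DC=net'] };
```

    memberOf lists direct membership only, so users who belong to prodssh through a nested group are not matched by this filter.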

