LDAP config in 3.8.1



  • Julien, even better.....I can make (and test) functions in plugin to connect and search for users, with parameters for MS AD and pure LDAP (I also have this here)...
    And if you agree, I can send you those code and you (or other XO developer) can 'link' those functions to XO internal code. I only need to know what you expect on each function return.
    For example: you tell me that you need a function that you'll send an username (or part of it) and I need to return if it exists or not (true or false); or I need to return full CN of this user in AD;

    Then, you can merge those two codes.



  • Go on 🙂 send us all the material you can!



  • @olivierlambert Ok! I'll work on it this week and send to you ASAP.



  • Great! Do not forget to ping @julien-f when you got something, this way he'll receive an email when you post stuff 🙂



  • @julien-f
    Julien, look at code that I'm working: Pastebin code
    This code connect to server (MS AD and OpenLDAP) and search for user(s), return one entry for each result.

    But, we still have a little problem. In order to search, we must bind first. To bind in MS AD, it's easy. Use <username>@<domain> and it will work. The problem is with OpenLDAP, where you must use full user DN.
    Ok, you can specify user base DN for users in config file.....but if you have more than onde DN for users, like I have here?
    Example:
    dc=my,dc=domain (base)
    ou=Office1,dc=my,dc=domain (first user's OU)
    ou=Office2,dc=my,dc=domain (second user's OU)

    In this case, binding DN for user one is very different from user 2 and you can't 'know' all possible OU's. My sugestion in this case is one method that I've seen in another script:

    • Specify one binding username used to connect to LDAP server (read-only user)
    • After connection, search for desired username (using ldap search). In this case, search can be done in base-DN and using 'sub' as scope, so the search will be done in entire LDAP
    • After user is found, get his full DN and try to bind again using user's DN and user's password.

    In LDAP search, is possible to use filters and search entire LDAP directory using only base-DN. Unfortunatelly, It's not possible to use this kind of filter/feature to bind.....you MUST use full user DN (so you must alread KNOW user DN).



  • @jmaurin I just pushed a new version implementing your algorithm.

    I believe it should work with AD by setting the filter to (sAMAccountName={{name}}@<domain>) but it has not been tested.



  • @julien-f
    After update repository, got this error:
    xo:plugin loading auth-ldap +26ms ✖ Cannot find module 'auth-ldap' Error: Cannot find module 'auth-ldap'

    Moving files from 'src' folder to one level down, more import errors (bluebird related). Do I need to clean and rebuild something in XO?



  • @jmaurin

    > cd xo-server/node_modules
    > git clone https://github.com/vatesfr/xo-server-auth-ldap.git
    > cd xo-server-auth-ldap
    > npm install
    > npm run build
    


  • @julien-f
    Good news, works fine for both OpenLDAP and MS AD! 🙂

    Using OpenLDAP, admin DN must be full user DN and filter must be with attribute 'uid'.
    Using MS AD, admin DN could be full user DN or <user>@<domain> (both works) and filter must be with attribute 'cn'

    ex (MS AD):
    bind -> dn: "jonis@mydomain.local"
    filter: "(cn={{name}})

    The only thing that's not working is user search in ACL settings, but I guess is not implemented yet, right? So I can login with users in LDAP account, but got just top bar, no VM's or watherver.
    Also, right now all users in AD CAN login in XO......but again, I think this access control is not yet implemented in XO, right?



  • @jmaurin Great news!

    Our goal is just to authenticate users against an LDAP directory. Authorization is done in XOA (authentication is not authorization).

    This is a normal workflow:

    1. any LDAP user without an existing account in XOA is able to login if the correct credentials are given, but won't have any permission (empty view, no risk)
    2. after its first login, you will be able to see it in the ACL view AND give it rights on objects

    So, it's perfectly normal than you won't see all your LDAP users in the ACLs, that's the point 🙂

    If you want only one group of users to connect with LDAP, you can use the filter.

    Finally, a big thanks to @julien-f for the quick and working implementation \o/



  • @olivierlambert hahahaha...."It's ALIVEEEE!!" 😛

    Everything working as expected. 🙂
    ACL working fine, I can see users and set permission for each object.

    Is there any plans to work with LDAP groups? I mean, set group permission on XO/Xen objects.



  • @jmaurin We planned to have extended ACLs to the end of the month. See this issue for details: https://github.com/vatesfr/xo-web/issues/209

    Coupling this to LDAP groups in not planned yet, we'll see this after shipping those extended ACLs first.

    olivierlambert created this issue in vatesfr/xo-web

    closed Second ACLs implementation #209



  • I tried installing ldap plugin. I could able to login.

    But is there any way can I allow only particular AD group users has to login.

    For example My AD I have prodssh group if I specified in the config.xml file
    CN=prodssh,OU=Groups,DC=sp,DC=corp,DC=xyz,DC=net

    filter: '(sAMAccountName={{name}} CN=prodssh,OU=Groups,DC=sp,DC=corp,DC=xyz,DC=net)'

    It not working I could see exception error on the ./xo-server console.

    Another issue is if I allow ldap users to login and given ACLs for the VM. I could not able to view the stats seems to be keep on

    Fetching stats...

    I could not able to view the DiskIO / Network IO

    Is I missing any configuration here.



  • Hi @sjkeerthi

    1/ For LDAP filter: if you stick to the RFC 4515, it should works. We are not experts in LDAP, thus I can't tell about it precisely. The module we are using is this one: https://www.npmjs.com/package/ldapjs
    Anyway, if you have more debug, put them here.

    2/ Stats view for a non-admin user are now working in the next-release branch (thanks to my commit here). Will be merged next week for the 3.9 release.



  • Filter for Active Directory did not work until I used the userPrincipalName. Once I did this, it worked like a charm.

    filter: '(userPrincipalName={{name}})'



  • @Hunter I added your tips to the README, thank you 🙂



  • @Hunter \o/ Happy to see it works! And also thank you for the hint 🙂



  • Authentication actually failed until I put that filter in. May have been due to us using the email address which is the UPN in our Active Directory.



  • @Hunter Well, I can't say, never used any AD in production ^^



  • Hi

    For clarity - to "add it into the configuration file of XO-Server" does this mean add those lines to the end of ../xo-server-master/.xo-server.yaml
    ?

    Thank you


Log in to reply