LDAP config in 3.8.1

  • @julien-f
Julien, look at the code that I'm working on: Pastebin code
    This code connects to a server (MS AD and OpenLDAP) and searches for user(s), returning one entry for each result.

But, we still have a little problem. In order to search, we must bind first. To bind in MS AD, it's easy. Use <username>@<domain> and it will work. The problem is with OpenLDAP, where you must use the full user DN.
    Ok, you can specify a user base DN for users in the config file..... but what if you have more than one DN for users, like I have here?
    dc=my,dc=domain (base)
    ou=Office1,dc=my,dc=domain (first user's OU)
    ou=Office2,dc=my,dc=domain (second user's OU)

In this case, the binding DN for user one is very different from user 2 and you can't 'know' all possible OUs. My suggestion in this case is one method that I've seen in another script:

    • Specify one binding username used to connect to LDAP server (read-only user)
• After connecting, search for the desired username (using ldap search). In this case, the search can be done in the base DN using 'sub' as the scope, so the search will cover the entire LDAP directory
    • After the user is found, get his full DN and try to bind again using the user's DN and the user's password.

In an LDAP search, it is possible to use filters and search the entire LDAP directory using only the base DN. Unfortunately, it's not possible to use this kind of filter/feature to bind..... you MUST use the full user DN (so you must already KNOW the user's DN).

  • @jmaurin I just pushed a new version implementing your algorithm.

    I believe it should work with AD by setting the filter to (sAMAccountName={{name}}@<domain>) but it has not been tested.

  • @julien-f
After updating the repository, I got this error:
    xo:plugin loading auth-ldap +26ms ✖ Cannot find module 'auth-ldap' Error: Cannot find module 'auth-ldap'

Moving the files from the 'src' folder one level down, I get more import errors (bluebird related). Do I need to clean and rebuild something in XO?

  • @jmaurin

    > cd xo-server/node_modules
    > git clone https://github.com/vatesfr/xo-server-auth-ldap.git
    > cd xo-server-auth-ldap
    > npm install
    > npm run build

  • @julien-f
    Good news, works fine for both OpenLDAP and MS AD! 🙂

Using OpenLDAP, the admin DN must be the full user DN and the filter must use the attribute 'uid'.
    Using MS AD, the admin DN can be the full user DN or <user>@<domain> (both work) and the filter must use the attribute 'cn'

    ex (MS AD):
    bind -> dn: "jonis@mydomain.local"
filter: "(cn={{name}})"

The only thing that's not working is the user search in ACL settings, but I guess it is not implemented yet, right? So I can log in with users from the LDAP account, but get just the top bar, no VMs or whatever.
    Also, right now all users in AD CAN log in to XO...... but again, I think this access control is not yet implemented in XO, right?

  • @jmaurin Great news!

    Our goal is just to authenticate users against an LDAP directory. Authorization is done in XOA (authentication is not authorization).

    This is a normal workflow:

    1. any LDAP user without an existing account in XOA is able to login if the correct credentials are given, but won't have any permission (empty view, no risk)
    2. after its first login, you will be able to see it in the ACL view AND give it rights on objects

So, it's perfectly normal that you won't see all your LDAP users in the ACLs, that's the point 🙂

    If you want only one group of users to connect with LDAP, you can use the filter.

    Finally, a big thanks to @julien-f for the quick and working implementation \o/

  • @olivierlambert hahahaha...."It's ALIVEEEE!!" 😛

    Everything working as expected. 🙂
    ACL working fine, I can see users and set permission for each object.

Are there any plans to work with LDAP groups? I mean, setting group permissions on XO/Xen objects.

@jmaurin We plan to have extended ACLs by the end of the month. See this issue for details: https://github.com/vatesfr/xo-web/issues/209

Coupling this to LDAP groups is not planned yet; we'll look at this after shipping those extended ACLs first.


• I tried installing the ldap plugin. I was able to log in.

But is there any way I can allow only users of a particular AD group to log in?

For example, in my AD I have a prodssh group; if I specify in the config.xml file

    filter: '(sAMAccountName={{name}} CN=prodssh,OU=Groups,DC=sp,DC=corp,DC=xyz,DC=net)'

It is not working; I could see an exception error on the ./xo-server console.

Another issue is that if I allow ldap users to log in and give them ACLs for the VM, I am not able to view the stats; it seems to stay on

    Fetching stats...

I am not able to view the Disk IO / Network IO

Am I missing any configuration here?

  • Hi @sjkeerthi

1/ For the LDAP filter: if you stick to RFC 4515, it should work. We are not experts in LDAP, thus I can't tell you about it precisely. The module we are using is this one: https://www.npmjs.com/package/ldapjs
    Anyway, if you have more debug output, put it here.

2/ The stats view for a non-admin user is now working in the next-release branch (thanks to my commit here). It will be merged next week for the 3.9 release.
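The bind, search, re-bind flow suggested earlier in the thread, together with an RFC 4515 compliant group filter of the kind this reply points at, as an added example that is neither the plugin's nor ldapjs's code. The synchronous client shape, the constructed in-memory directory and the memberOf attribute used for the group restriction are assumptions; a real ldapjs client is asynchronous.

```javascript
// RFC 4515 section 3: escape characters that would change the filter's structure.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g,
    (ch) => '\\' + ch.charCodeAt(0).toString(16).padStart(2, '0'));
}
// Fill the configured template, e.g. '(uid={{name}})', with the escaped login name.
function renderFilter(template, name) {
  return template.replace(/\{\{name\}\}/g, () => escapeFilterValue(name));
}
function unescapeFilterValue(value) {
  return value.replace(/\\([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
}
// Constructed in-memory directory with two user OUs, standing in for OpenLDAP or AD.
const FAKE_DIRECTORY = {
  'cn=admin,dc=my,dc=domain': { password: 'admin-secret' },
  'cn=Jonis,ou=Office1,dc=my,dc=domain': { uid: 'jonis', password: 'correct-horse',
    memberOf: 'cn=prodssh,ou=Groups,dc=my,dc=domain' },
  'cn=Ana,ou=Office2,dc=my,dc=domain': { uid: 'ana', password: 'battery-staple' },
};

// Hypothetical synchronous client (ldapjs is asynchronous): bind() checks DN + password,
// search() ANDs every (attr=value) equality in the filter over the subtree under base.
function makeFakeClient(directory) {
  return {
    bind: (dn, password) => Boolean(directory[dn] && directory[dn].password === password),
    search(base, filter) {
      const terms = [...filter.matchAll(/\(([A-Za-z]+)=([^()]*)\)/g)]
        .map(([, attr, value]) => [attr, unescapeFilterValue(value)]);
      return Object.entries(directory)
        .filter(([dn]) => dn === base || dn.endsWith(',' + base))
        .filter(([, entry]) => terms.every(([attr, value]) => entry[attr] === value))
        .map(([dn]) => dn);
    },
  };
}

// Bind as the read-only admin, search the whole base for the user, then bind again with
// the DN found and the user's password. Returns the user's DN on success, null otherwise.
function authenticate(client, config, name, password) {
  if (!client.bind(config.adminDn, config.adminPassword)) throw new Error('admin bind failed');
  const matches = client.search(config.base, renderFilter(config.filter, name));
  if (matches.length !== 1) return null; // unknown user or ambiguous match: refuse
  return client.bind(matches[0], password) ? matches[0] : null;
}

const OPENLDAP_CONFIG = { adminDn: 'cn=admin,dc=my,dc=domain', adminPassword: 'admin-secret',
  base: 'dc=my,dc=domain', filter: '(uid={{name}})' };
// Limit logins to one group with an AND filter (assumes the directory populates memberOf).
const GROUP_CONFIG = { ...OPENLDAP_CONFIG,
  filter: '(&(uid={{name}})(memberOf=cn=prodssh,ou=Groups,dc=my,dc=domain))' };
```

A login name containing filter metacharacters is escaped before substitution, so it can only ever match a literal uid and never widens the search.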

  • Filter for Active Directory did not work until I used the userPrincipalName. Once I did this, it worked like a charm.

    filter: '(userPrincipalName={{name}})'

  • @Hunter I added your tips to the README, thank you 🙂

  • @Hunter \o/ Happy to see it works! And also thank you for the hint 🙂

  • Authentication actually failed until I put that filter in. May have been due to us using the email address which is the UPN in our Active Directory.

  • @Hunter Well, I can't say, never used any AD in production ^^

  • Hi

For clarity: to "add it into the configuration file of XO-Server", does this mean adding those lines to the end of ../xo-server-master/.xo-server.yaml?

    Thank you

  • @fergoTF Indeed. Why? Do you have some issues?

  • Hi
Yes I do; I get this error when trying an ldap account:

      xo:api Error: session.signInWithPassword(...) → InvalidCredential: invalid credential +2ms
      xo:perf blocked for 124ms +154ms
      xo:api Error: session.signInWithPassword(...) → InvalidCredential: invalid credential +15ms
      xo:api session.signInWithPassword(...) → object +53ms
      xo:api session.signInWithPassword(...) → object +2ms
      xo:api session.signInWithToken(...) +307ms
    use session.signIn() instead
      xo:api session.signInWithToken(...) → object +4ms
      xo:api xo.getAllObjects(...) +120ms
  • Ah don't worry I got it working just needed some tinkering with the yaml 🙂
  • @fergoTF Nice 🙂
