LDAP config in 3.8.1



  • @jmaurin I just pushed a new version implementing your algorithm.

    I believe it should work with AD by setting the filter to (sAMAccountName={{name}}@<domain>) but it has not been tested.



  • @julien-f
    After updating the repository, I got this error:
    xo:plugin loading auth-ldap +26ms ✖ Cannot find module 'auth-ldap' Error: Cannot find module 'auth-ldap'

    Moving the files from the 'src' folder one level down gives more import errors (bluebird related). Do I need to clean and rebuild something in XO?



  • @jmaurin

    > cd xo-server/node_modules
    > git clone https://github.com/vatesfr/xo-server-auth-ldap.git
    > cd xo-server-auth-ldap
    > npm install
    > npm run build
    


  • @julien-f
    Good news, works fine for both OpenLDAP and MS AD! 🙂

    Using OpenLDAP, the admin DN must be the full user DN and the filter must use the attribute 'uid'.
    Using MS AD, the admin DN can be the full user DN or <user>@<domain> (both work) and the filter must use the attribute 'cn'.

    ex (MS AD):
    bind -> dn: "jonis@mydomain.local"
    filter: "(cn={{name}})"

    The only thing that's not working is user search in the ACL settings, but I guess it's not implemented yet, right? So I can log in with users from the LDAP account, but I get just the top bar, no VMs or whatever.
    Also, right now all users in AD CAN log in to XO... but again, I think this access control is not yet implemented in XO, right?



  • @jmaurin Great news!

    Our goal is just to authenticate users against an LDAP directory. Authorization is done in XOA (authentication is not authorization).

    This is a normal workflow:

    1. any LDAP user without an existing account in XOA is able to login if the correct credentials are given, but won't have any permission (empty view, no risk)
    2. after its first login, you will be able to see it in the ACL view AND give it rights on objects

    So, it's perfectly normal that you won't see all your LDAP users in the ACLs, that's the point 🙂

    If you want only one group of users to connect with LDAP, you can use the filter.

    Finally, a big thanks to @julien-f for the quick and working implementation \o/



  • @olivierlambert hahahaha...."It's ALIVEEEE!!" 😛

    Everything working as expected. 🙂
    ACL working fine, I can see users and set permission for each object.

    Are there any plans to work with LDAP groups? I mean, set group permissions on XO/Xen objects.



  • @jmaurin We planned to have extended ACLs to the end of the month. See this issue for details: https://github.com/vatesfr/xo-web/issues/209

    Coupling this to LDAP groups is not planned yet, we'll see this after shipping those extended ACLs first.



  • I tried installing the LDAP plugin. I was able to log in.

    But is there any way I can allow only users of a particular AD group to log in?

    For example, in my AD I have a prodssh group; I specified it in the config.xml file:
    CN=prodssh,OU=Groups,DC=sp,DC=corp,DC=xyz,DC=net

    filter: '(sAMAccountName={{name}} CN=prodssh,OU=Groups,DC=sp,DC=corp,DC=xyz,DC=net)'

    It's not working; I could see an exception error on the ./xo-server console.

    Another issue: if I allow LDAP users to log in and give them ACLs for the VM, I'm not able to view the stats; it seems to keep on

    Fetching stats...

    I'm not able to view the Disk IO / Network IO.

    Am I missing any configuration here?



  • Hi @sjkeerthi

    1/ For the LDAP filter: if you stick to RFC 4515, it should work. We are not experts in LDAP, thus I can't tell about it precisely. The module we are using is this one: https://www.npmjs.com/package/ldapjs
    Anyway, if you have more debug output, put it here.

    2/ The stats view for a non-admin user is now working in the next-release branch (thanks to my commit here). Will be merged next week for the 3.9 release.



  • Filter for Active Directory did not work until I used the userPrincipalName. Once I did this, it worked like a charm.

    filter: '(userPrincipalName={{name}})'
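    The group-restriction question above (the `(sAMAccountName={{name}} CN=prodssh,...)` attempt), the RFC 4515 pointer in the reply, and the userPrincipalName tip, worked through in an added JavaScript example that is not code from the xo-server-auth-ldap plugin or from anyone in this thread. It assumes the plugin substitutes the login name for the literal `{{name}}` token in the configured filter string and otherwise passes the filter through verbatim; `escapeFilterValue`, `compileFilter` and `parseFilter` are names chosen here, and the `memberOf` attribute is the standard Active Directory group-membership attribute. Parsing the attempted filter shows the group DN ended up inside the literal value of a single equality match (so it constrains nothing), the corrected AND form actually requires membership, and the escaping step shows why the substituted name must be encoded per RFC 4515 section 3 so a login name cannot change the filter's structure.

```javascript
// Added example, not the plugin's own code. Assumption: the plugin replaces the
// {{name}} token with the login name and sends the resulting filter as-is.

// Escape one assertion value per RFC 4515 section 3: '*', '(', ')', '\' and NUL
// become a backslash followed by two hex digits. '@', '=', ',' and spaces are
// legal in a value and pass through unchanged.
function escapeFilterValue(value) {
  return String(value).replace(/[*()\\\u0000]/g, (ch) =>
    '\\' + ch.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Substitute every {{name}} token in a filter template with the escaped login name.
function compileFilter(template, name) {
  return template.replace(/\{\{name\}\}/g, escapeFilterValue(name));
}

// Minimal RFC 4515 parser covering AND, OR, NOT, equality and presence.
// Returns a tree so a template can be inspected before it is deployed.
function parseFilter(text) {
  let pos = 0;
  function parse() {
    if (text[pos] !== '(') throw new Error(`expected '(' at ${pos}`);
    pos++;
    let node;
    const op = text[pos];
    if (op === '&' || op === '|') {
      pos++;
      const children = [];
      while (text[pos] === '(') children.push(parse());
      node = { op: op === '&' ? 'and' : 'or', children };
    } else if (op === '!') {
      pos++;
      node = { op: 'not', child: parse() };
    } else {
      // A literal ')' is never legal inside a value (it must be escaped as \29),
      // so the first ')' terminates this component.
      const end = text.indexOf(')', pos);
      if (end < 0) throw new Error('unterminated component');
      const eq = text.indexOf('=', pos);
      if (eq < 0 || eq > end) throw new Error(`component without '=' at ${pos}`);
      const attr = text.slice(pos, eq);
      const value = text.slice(eq + 1, end);
      node = value === '*' ? { op: 'present', attr } : { op: 'equal', attr, value };
      pos = end;
    }
    if (text[pos] !== ')') throw new Error(`expected ')' at ${pos}`);
    pos++;
    return node;
  }
  const tree = parse();
  if (pos !== text.length) throw new Error(`trailing text at ${pos}`);
  return tree;
}

// Templates from the thread. The first is the failed attempt: the group DN is
// simply appended inside the same component, so it becomes part of the value.
const FILTER_BROKEN =
  '(sAMAccountName={{name}} CN=prodssh,OU=Groups,DC=sp,DC=corp,DC=xyz,DC=net)';
// Corrected form: AND of a name match and a membership match on memberOf.
const FILTER_GROUP =
  '(&(sAMAccountName={{name}})(memberOf=CN=prodssh,OU=Groups,DC=sp,DC=corp,DC=xyz,DC=net))';
// UPN variant for directories where users log in with their e-mail-style UPN.
const FILTER_UPN = '(userPrincipalName={{name}})';

// Demonstration with constructed login names.
console.log('broken:', JSON.stringify(parseFilter(FILTER_BROKEN)));
console.log('group :', compileFilter(FILTER_GROUP, 'jonis'));
console.log('upn   :', compileFilter(FILTER_UPN, 'jonis@mydomain.local'));
// A hostile login name is neutralised by escaping: it stays a single equality
// match on a literal string instead of becoming extra filter components.
console.log('escaped:', compileFilter('(cn={{name}})', 'x)(cn=*'));
```

    The parsed tree of the broken template has one `equal` node whose value is the whole string `{{name}} CN=prodssh,...`, which is why it never matched anyone; the corrected template parses to an `and` node with two children, and only the second one refers to the group. Escaping is the check to insist on wherever a login name is interpolated into a filter, whichever attribute (`cn`, `uid`, `sAMAccountName` or `userPrincipalName`) the directory needs.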



  • @Hunter I added your tips to the README, thank you 🙂



  • @Hunter \o/ Happy to see it works! And also thank you for the hint 🙂



  • Authentication actually failed until I put that filter in. May have been due to us using the email address which is the UPN in our Active Directory.



  • @Hunter Well, I can't say, never used any AD in production ^^



  • Hi

    For clarity - to "add it into the configuration file of XO-Server", does this mean add those lines to the end of ../xo-server-master/.xo-server.yaml?

    Thank you



  • @fergoTF Indeed. Why? Do you have some issues?



  • Hi
    Yes I do - I get this error when trying an LDAP account:

      xo:api Error: session.signInWithPassword(...) → InvalidCredential: invalid credential +2ms
      xo:perf blocked for 124ms +154ms
      xo:api Error: session.signInWithPassword(...) → InvalidCredential: invalid credential +15ms
      xo:api session.signInWithPassword(...) → object +53ms
      xo:api session.signInWithPassword(...) → object +2ms
      xo:api session.signInWithToken(...) +307ms
      use session.signIn() instead
      xo:api session.signInWithToken(...) → object +4ms
      xo:api xo.getAllObjects(...) +120ms
    

    Cheers

    Ferg



  • Ah don't worry I got it working just needed some tinkering with the yaml 🙂

    Cheers

    f



  • @fergoTF Nice 🙂



  • Not sure where I am having an issue. I configured it both on the command line and through the GUI; the test works on the command line and shows a successful lookup, but when I go to log in to the page I get this error in syslog.

    TypeError: Cannot read property 'createUserOnFirstSignin' of undefined

