Hi Daan,
yes, I am trying to use the manual import; we will not have many
CloudStack users, so manually importing them once would be enough.
I've added the LDAP configuration via the GUI under Configuration ->
LDAP Configuration (only server and port, no domain). Then I configured
the basedn and the other properties from my previous e-mail using the
Global Settings view.
The users do not have a memberOf attribute yet. Nevertheless, the group
knows its members and yes, the group has a series of uniqueMember
attributes, for example:
member: uid=person1,ou=ou1,dc=my-domain, dc=de
member: uid=person2,ou=ou1,dc=my-domain, dc=de
member: uid=person3,ou=ou1,dc=my-domain, dc=de
member: uid=person4,ou=ou1,dc=my-domain, dc=de
member:
member: uid=person5,ou=ou1,dc=my-domain, dc=de
member: uid=person6,ou=ou1,dc=my-domain, dc=de
member: uid=person7,ou=ou1,dc=my-domain, dc=de
member: uid=person8,ou=ou1,dc=my-domain, dc=de
member: uid=person9,ou=ou1,dc=my-domain, dc=de
member: uid=person10,ou=ou1,dc=my-domain, dc=de
memberUid: person1
memberUid: person2
memberUid: person3
memberUid: person4
memberUid: person5
memberUid: person6
memberUid: person7
memberUid: person8
memberUid: person9
memberUid: person10
Is the manual import possible if there is no memberOf attribute?
Best Regards
Mevludin
On 14.12.2021 at 12:36, Daan Hoogland wrote:
Mevludin,
I suppose you are using the documentation to add your LDAP. Which
strategy are you using: manual import, autoimport or autosync?
By the looks it seems you want the manual import, but I am not sure.
Does the user have a memberOf attribute?
Does the group cloudstack-user have a series of uniqueMember attributes?
On Tue, Dec 14, 2021 at 11:04 AM Mevludin Blazevic <[email protected]> wrote:
Hi all,
when I try to set up a connection to our LDAP server I am getting an
empty list after clicking on the "Add LDAP button". I have already set
up the basedn, configured a bind.principal by using the dn (beginning
with uid= instead of cn=) and a bind password. No LDAP exception is
logged, but when I try to change the password or the principal dn I am
getting an LDAP exception, so I assume that the connection can be
established. My configuration:
LDAP: my-ldap-server.de:389 (no domain was assigned)
basedn: dc=my-domain, dc=de
bind-principal: uid=<my-user>,ou=ou1,dc=my-domain, dc=de
ldap.provider: openldap
ldap.group.object: groupOfUniqueNames
ldap.nested.groups.enable: true
ldap.search.group.principle: (for example
"cn=cloustack-user,ou=Ou1,dc=my-domain,dc=de")
ldap.user.memberof.attribute: memberOf
ldap.user.object: inetOrgPerson
ldap.username.attribute: uid
ldap.read.timeout: 1000
ldap.request.page.size: 1000
For testing purposes, I run ldapsearch on the same machine where
cloudstack-management is installed. For example:
ldapsearch -ZZ -LLL -o ldif-wrap=no -c -h my-ldap-server.de -D
"uid=<my-user>,ou=<our-ou>,dc=my-domain, dc=de" -w "<mypassword>" -b
dc=my-domain, dc=de "(ou=ou1)" --> returning a (long) list of LDAP entries
ldapsearch -ZZ -LLL -o ldif-wrap=no -c -h my-ldap-server.de -D
"uid=<my-user>,ou=<our-ou>,dc=my-domain, dc=de" -w "<mypassword>" -b
dc=my-domain, dc=de "(cn=cloustack-user)" --> returning a dn with a list
of all group members
ldapsearch -ZZ -LLL -o ldif-wrap=no -c -h my-ldap-server.de -D
"uid=<my-user>,ou=<our-ou>,dc=my-domain, dc=de" -w "<mypassword>" -b
dc=my-domain, dc=de "(uid=person1)" --> returns an LDAP entry
Cloudstack-Management log after clicking on "Add LDAP account":
2021-12-14 10:59:32,204 DEBUG [o.a.c.l.LdapContextFactory]
(qtp187472540-1210:ctx-64b28371 ctx-59c7bea2) (logid:5e17abe8)
initializing ldap with provider url:ldap://my-ldap-server.de:389
2021-12-14 10:59:32,212 TRACE [o.a.c.a.c.LdapListUsersCmd]
(qtp187472540-1210:ctx-64b28371 ctx-59c7bea2) (logid:5e17abe8) returning
unfiltered list of ldap users
I have also stopped the firewall on the cloudstack-management machine.
Still an empty list.
Does anyone have any idea why an empty list is displayed on the
Cloudstack UI? Hope you can help me out.
Best Regards
Mevludin
--
Mevludin Blazevic, M.Sc.
University of Koblenz-Landau
Computing Centre (GHRKO)
Universitaetsstrasse 1
D-56070 Koblenz, Germany
Room A023
Tel: +49 261/287-1326
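
Added example, not part of the thread and not CloudStack code: a check that compares an unwrapped LDIF dump (as the ldapsearch calls above produce with -o ldif-wrap=no) against the ldap.group.object and ldap.user.memberof.attribute values quoted in the thread. It only reports where the directory data and those settings disagree and says nothing about how CloudStack evaluates them. The function names, the constructed LDIF and its groupOfNames objectClass are assumptions.

```python
# Added example: SETTINGS come from the thread, SAMPLE_LDIF is constructed.
SETTINGS = {"ldap.group.object": "groupOfUniqueNames",
            "ldap.user.memberof.attribute": "memberOf"}
SAMPLE_LDIF = """\
dn: cn=cloustack-user,ou=ou1,dc=my-domain,dc=de
objectClass: groupOfNames
cn: cloustack-user
member: uid=person1,ou=ou1,dc=my-domain, dc=de
member:
member: uid=person2,ou=ou1,dc=my-domain, dc=de

dn: uid=person1,ou=ou1,dc=my-domain,dc=de
objectClass: inetOrgPerson
memberOf: cn=cloustack-user,ou=ou1,dc=my-domain,dc=de

dn: uid=person2,ou=ou1,dc=my-domain,dc=de
objectClass: inetOrgPerson
"""

def norm_dn(dn):
    # Naive DN normalisation: ignores escaped commas inside RDN values.
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    # Unwrapped LDIF only (-o ldif-wrap=no); empty and base64 values are skipped.
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(": ")
            if sep and value.strip() and not attr.endswith(":") and not line.startswith("#"):
                entry.setdefault(attr.lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def check(entries, group_cn, settings=SETTINGS):
    # Returns one finding per mismatch between the dump and the configured settings.
    group = next(e for e in entries if group_cn in e.get("cn", []))
    findings = []
    if settings["ldap.group.object"].lower() not in [c.lower() for c in group["objectclass"]]:
        findings.append("group lacks objectClass " + settings["ldap.group.object"])
    attr = settings["ldap.user.memberof.attribute"].lower()
    users = {norm_dn(e["dn"][0]): e for e in entries if e is not group}
    group_dn = norm_dn(group["dn"][0])
    for dn in sorted({norm_dn(v) for a in ("uniquemember", "member") for v in group.get(a, [])}):
        back_refs = {norm_dn(v) for v in users.get(dn, {}).get(attr, [])}
        if group_dn not in back_refs:
            findings.append(dn + " has no " + settings["ldap.user.memberof.attribute"] + " for the group")
    return findings
```

Calling check(parse_ldif(SAMPLE_LDIF), "cloustack-user") returns the list of findings; an empty list means the dump is consistent with both settings.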