CloudStack Add Ldap Account Empty List

[yuangeqingian]

CloudStack Version: 4.19.0.1
OS Version: Ubuntu 22
Ldap Search can work with stable output for query:

Global ldap setting in ACS UI:

My Ldap Configuration:

While I add account, the user list showed empty:

[boring-cyborg[bot]]

Thanks for opening your first issue here! Be sure to follow the issue template!

[yuangeqingian]

Also, I did some test, trying to bind ldap to a domain, this error comes out:
Request failed. (530)
com.cloud.exception.InvalidParameterValueException: Unable to bind to the given LDAP server

I checked logs in ACS management.log, this error comes out:

DEBUG [o.a.c.l.LdapContextFactory] (qtp1789718525-1052:ctx-bf2f48df ctx-f171c9d9) (logid:7d7a3c5c) initializing ldap with provider url: ldap://dir.slb.com:389
DEBUG [o.a.c.l.LdapManagerImpl] (qtp1789718525-1052:ctx-bf2f48df ctx-f171c9d9) (logid:7d7a3c5c) NamingException while doing an LDAP bind
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090449, comment: AcceptSecurityContext error, data 52e, v3839]
at java.naming/com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3259)
at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3205)
at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2991)

INFO [c.c.a.ApiServer] (qtp1789718525-1052:ctx-bf2f48df ctx-f171c9d9) (logid:7d7a3c5c) com.cloud.exception.InvalidParameterValueException: Unable to bind to the given LDAP server

[yuangeqingian]

My ldapsearch CLI works ok, but in ACS, it can't list the ldap users.

Could you please help this?

Thanks in advance

[DaanHoogland]

@yuangeqingian , at first look, the excpetion says that the bind fails. This should mean the login is wrong.

By the looks of you cofiguration you are going for the manual import of accounts option, is that right?

The bind principal uses DC=DIR in capitals and the basedn uses dc=dir in lowercase. Can you check if that makes a difference?

Do you see any other exceptions in your logs or any error on the ldap side?

[yuangeqingian]

@yuangeqingian , at first look, the excpetion says that the bind fails. This should mean the login is wrong.

By the looks of you cofiguration you are going for the manual import of accounts option, is that right?

The bind principal uses DC=DIR in capitals and the basedn uses dc=dir in lowercase. Can you check if that makes a difference?

Do you see any other exceptions in your logs or any error on the ldap side?

1: Yes, I tried to use manual login
2: I tried all capital and all in lowercase, all didn't work
3: the acs management log showed below:
DEBUG [o.a.c.l.LdapContextFactory] initializing ldap with provider url: ldap://dir.slb.com:389
DEBUG [o.a.c.l.LdapManagerImpl] NamingException while doing an LDAP bind

[DaanHoogland]

Do you have a more extensive stacktrace for this error?

From the given in-/output I see that on the cli you use -D "dir\Bgc_domain_join" while this is not in the bind principal nor in the binddn. Can this be the issue?

[yuangeqingian]

Do you have a more extensive stacktrace for this error?

From the given in-/output I see that on the cli you use -D "dir\Bgc_domain_join" while this is not in the bind principal nor in the binddn. Can this be the issue?

No, the ldapsearch works perfectly:

[yuangeqingian]

Do you have a more extensive stacktrace for this error?

From the given in-/output I see that on the cli you use -D "dir\Bgc_domain_join" while this is not in the bind principal nor in the binddn. Can this be the issue?

Any more trouble shooting suggestions?

[DaanHoogland]

well, can you configure Apache Directory Studio, just in case it is a java issue? (https://directory.apache.org/studio/)

I usually don't use microsoftad, so can't help you there. You can try to configure an openldap installation. Or use an online service like jumpcloud.

[yuangeqingian]

well, can you configure Apache Directory Studio, just in case it is a java issue? (https://directory.apache.org/studio/)

I usually don't use microsoftad, so can't help you there. You can try to configure an openldap installation. Or use an online service like jumpcloud.

First: thanks for the quick response.
Second: I'm trying to involve cloudstack to my company, I thought ACS can support enterprise level.
But now I can't even bind my company AD server, can't pass a POC, it's will be pity if the POC just end like this.

Third: Do you know where else I can ask questions about that? I don't know how to raise question on mailing list.

Thanks a lot in advance!

[DaanHoogland]

@yuangeqingian the manual import you are trying is not really suitable for enterprise implementations I think , but it should work. You can try the autosync method as described in the docs.

You can ask question on users@cloudstack.apache.org. these are free style, so just state your problem with as much detail as possible and ask your questions. You can also ask here. In both cases you are relying on volunteers so answers may be late and not applicable to you exactly. This is open source.

There are options for commercial support, when you are ready for that.

[yuangeqingian]

@yuangeqingian the manual import you are trying is not really suitable for enterprise implementations I think , but it should work. You can try the autosync method as described in the docs.

You can ask question on users@cloudstack.apache.org. these are free style, so just state your problem with as much detail as possible and ask your questions. You can also ask here. In both cases you are relying on volunteers so answers may be late and not applicable to you exactly. This is open source.

There are options for commercial support, when you are ready for that.

I did some changes and some other info came out, somehow I successfully bind the ldap to domain using cli below:

In ACS UI I can see the new added ldap:

But this time, when I tried to add user, the add ldap user button is gone:

[yuangeqingian]

@DaanHoogland any idea how can I fix issue above?

[DaanHoogland]

@yuangeqingian have a look at the doc about ldap
and there is also this old upgrade note, maybe it is relevant for you as well.

The above seems an autoimport setup. I do not know why that would remove the add ldap account button, but it means that accounts will be added to the linked domain automatically for users defined in ldap.

[yuangeqingian]

@yuangeqingian have a look at the doc about ldap and there is also this old upgrade note, maybe it is relevant for you as well.

The above seems an autoimport setup. I do not know why that would remove the add ldap account button, but it means that accounts will be added to the linked domain automatically for users defined in ldap.

Let me check again to see if issue was on my side and get back to you again