I’m trying to get Active Directory authentication working with Eucalyptus, but I’m not able to login to the console with the configured credentials. I’ve the following in my .lic file:

PROPERTY        authentication.ldap_integration_configuration   {
  "ldap-service":{
    "server-url":"ldap://<ldap-server-ip>:389",
    "auth-method":"simple",
    "user-auth-method":"simple",
    "auth-principal":"eucalyptus@mydomain",
    "auth-credentials":"{RSA/ECB/PKCS1Padding}oRv4cHzkJqBxqnT3S/w9tXAOAkrblaw/iGZtuXw4GWipcGbfthrthrDCt8U6P5G4re6eLd9hzcNYxPIdoNqEDeiWF9hfJB8Ndf1kEDV0xGXnzTHhI14F1DcaaasYMkvrqUqcefKrSmsGyg4JtcHF96kEtj3bhsdfsdfw3IpuRn0o4y2+iMoq+JkxOFogHuhGhtdMa7fsdfsdf232m0vOrFUeln5uI619yEFmoVtIsOZbF6tEJsM64GzSbtl0dOaSCdnHmOYeQ6ksfFcdmxz0/1QMOakHC+ntdGTZrO+83UQYGWue9IjKXP0dWTCpXNnp6+P6un+jY2cM25bR3uw==",
    "use-ssl":"false",
    "ignore-ssl-cert-validation":"true",
    "krb5-conf":"/etc/krb5.conf"
  },

  "sync":{
    "enable":"true",
    "auto":"true",
    "interval":"6000",
    "clean-deletion":"true"
  },

  "accounting-groups":{
    "base-dn":"OU=Eucalyptus,OU=Groups,MY_BASE_DN",
    "id-attribute":"cn",
    "member-attribute":"member",
    "member-item-type":"cn",
    "selection":{
        "filter":"(&(objectClass=group)(!(memberOf=*)))"
    }
  },

  "groups":{
    "base-dn":"OU=Sec Groups,MY_BASE_DN",
    "id-attribute":"cn",
    "member-attribute":"member",
    "member-item-type":"cn",
    "selection":{
        "filter":"(&(objectClass=group)(memberOf=*))"
    }
  },

  "users":{
    "base-dn":"MY_BASE_DN",
    "id-attribute":"cn",
    "user-info-attributes":{
        "displayname":"Full name"
    },
    "selection":{
        "filter":"(&(objectClass=organizationalPerson)(objectClass=user))"
    }
  }
}

And the LDAP sync status:

# euare-getldapsyncstatus
EUARE_URL environment variable is deprecated; use AWS_IAM_URL instead
SyncEnabled     true
InSync  false

In the log files, I see the following:

Mon Dec 29 11:31:14 2014 ERROR [LdapSync:LDAP sync] User admin is reserved for Eucalyptus only. Sync will skip this user from LDAP.

I’ve an accounting group added to the accounting-groups base dn, and I see that group when I run the list command:

# euare-accountlist
EUARE_URL environment variable is deprecated; use AWS_IAM_URL instead
(eucalyptus)blockstorage        886472098984
eucalyptus      144711845746
mygroup     752874470188

However, no members of that accounting group appear:

# euare-grouplistbypath
EUARE_URL environment variable is deprecated; use AWS_IAM_URL instead
Groups
# euare-userlistbypath
EUARE_URL environment variable is deprecated; use AWS_IAM_URL instead
arn:aws:iam::144711845746:user/admin

I’ve tried every combination of username, DOMAIN\username, username@domain that I can think of, but I still can’t login to the Eucalyptus console. Any suggestions?

Thanks, Dan

1 Answer


Ok, so in answer to my own question, it appears as if it was working. After logging into the console using the admin login credentials created during the install/configure, I was able to see that the users were being created correctly. I made one small tweak to the .lic file, namely I set the id-attribute to use sAMAccountName rather than cn to meet user expectations for their login.

"users":{
  "base-dn":"MY_BASE_DN",
  "id-attribute":"sAMAccountName",
  "user-info-attributes":{
      "displayname":"Full name"
  },
  "selection":{
      "filter":"(&(objectClass=organizationalPerson)(objectClass=user))"
  }
}

Also, I failed to pass in the account name when running euare-userlistbypath, namely:

euare-userlistbypath --as-account mygroup

Running with the account retrieves the user list as expected.
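To see what the sync does with the accounting-groups and users sections from the question, here is an added simulation (not Eucalyptus code): it evaluates the question's own LDAP filters over a few constructed AD entries, skips the reserved admin user as the log line reports, and shows why switching id-attribute from cn to sAMAccountName changes the login name. The entry DNs, the example.com base DN and the tiny filter parser are assumptions made for the example.

```python
ENTRIES = [  # constructed AD entries standing in for what the sync reads (sample data, not from the question)
    {"dn": "CN=mygroup,OU=Eucalyptus,OU=Groups,DC=example,DC=com", "cn": "mygroup", "objectClass": ["group"],
     "member": ["CN=Dan Smith,OU=People,DC=example,DC=com", "CN=admin,OU=People,DC=example,DC=com"]},
    {"dn": "CN=Dan Smith,OU=People,DC=example,DC=com", "cn": "Dan Smith", "sAMAccountName": "dsmith",
     "objectClass": ["organizationalPerson", "user"]},
    {"dn": "CN=admin,OU=People,DC=example,DC=com", "cn": "admin", "sAMAccountName": "admin",
     "objectClass": ["organizationalPerson", "user"]},
]
CFG = {  # accounting-groups and users sections from the question, MY_BASE_DN replaced by a sample DN
    "accounting-groups": {"base-dn": "OU=Eucalyptus,OU=Groups,DC=example,DC=com", "id-attribute": "cn",
                          "member-attribute": "member", "selection": {"filter": "(&(objectClass=group)(!(memberOf=*)))"}},
    "users": {"base-dn": "DC=example,DC=com", "id-attribute": "cn",
              "selection": {"filter": "(&(objectClass=organizationalPerson)(objectClass=user))"}},
}

def attr(entry, name):  # case-insensitive lookup; returns a list because LDAP attributes are multi-valued
    return [x for k, v in entry.items() if k.lower() == name.lower() for x in (v if isinstance(v, list) else [v])]

def parse_filter(s, i=0):  # minimal RFC 4515 parser: '&', '!' and attr=value / attr=* (presence) assertions
    i += 1  # skip the opening '('
    if s[i] in "&!":  # '!' is stored as a one-element list, which is all RFC 4515 allows it to have
        op, subs, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            subs.append(node)
        return (op, subs), i + 1
    j = s.index(")", i)
    name, value = s[i:j].split("=", 1)
    return ("=", name, value), j + 1

def matches(node, entry):
    if node[0] == "&": return all(matches(n, entry) for n in node[1])
    if node[0] == "!": return not matches(node[1][0], entry)
    vals = attr(entry, node[1])
    return bool(vals) if node[2] == "*" else any(v.lower() == node[2].lower() for v in vals)

def search(section, entries):  # one config section's base-dn (stray spaces stripped) plus its selection filter
    node, _ = parse_filter(section["selection"]["filter"])
    base = section["base-dn"].strip().lower()
    return [e for e in entries if e["dn"].lower().endswith(base) and matches(node, e)]

def simulate_sync(cfg, entries):  # map each accounting group (a Eucalyptus account) to its members' login ids
    acct_cfg, user_cfg = cfg["accounting-groups"], cfg["users"]
    user_by_dn = {u["dn"].lower(): u for u in search(user_cfg, entries)}
    result = {}
    for acct in search(acct_cfg, entries):
        members = [user_by_dn[m.lower()] for m in attr(acct, acct_cfg["member-attribute"]) if m.lower() in user_by_dn]
        logins = [attr(u, user_cfg["id-attribute"])[0] for u in members]
        result[attr(acct, acct_cfg["id-attribute"])[0]] = [l for l in logins if l != "admin"]  # reserved, per the log
    return result
```

The keys of the result are the account names that euare-userlistbypath --as-account takes, which is why listing without it only showed the eucalyptus account's own admin user.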