
I’m trying to get Active Directory authentication working with Eucalyptus, but I’m not able to log in to the console with the configured credentials. I have the following in my .lic file:

PROPERTY        authentication.ldap_integration_configuration   {
  "ldap-service":{
    "server-url":"ldap://<ldap-server-ip>:389",
    "auth-method":"simple",
    "user-auth-method":"simple",
    "auth-principal":"eucalyptus@mydomain",
    "auth-credentials":"{RSA/ECB/PKCS1Padding}oRv4cHzkJqBxqnT3S/w9tXAOAkrblaw/iGZtuXw4GWipcGbfthrthrDCt8U6P5G4re6eLd9hzcNYxPIdoNqEDeiWF9hfJB8Ndf1kEDV0xGXnzTHhI14F1DcaaasYMkvrqUqcefKrSmsGyg4JtcHF96kEtj3bhsdfsdfw3IpuRn0o4y2+iMoq+JkxOFogHuhGhtdMa7fsdfsdf232m0vOrFUeln5uI619yEFmoVtIsOZbF6tEJsM64GzSbtl0dOaSCdnHmOYeQ6ksfFcdmxz0/1QMOakHC+ntdGTZrO+83UQYGWue9IjKXP0dWTCpXNnp6+P6un+jY2cM25bR3uw==",
    "use-ssl":"false",
    "ignore-ssl-cert-validation":"true",
    "krb5-conf":"/etc/krb5.conf"
  },

  "sync":{
    "enable":"true",
    "auto":"true",
    "interval":"6000",
    "clean-deletion":"true"
  },

  "accounting-groups":{
    "base-dn":"OU=Eucalyptus,OU=Groups,MY_BASE_DN",
    "id-attribute":"cn",
    "member-attribute":"member",
    "member-item-type":"cn",
    "selection":{
        "filter":"(&(objectClass=group)(!(memberOf=*)))"
    }
  },

  "groups":{
    "base-dn":"OU=Sec Groups,MY_BASE_DN",
    "id-attribute":"cn",
    "member-attribute":"member",
    "member-item-type":"cn",
    "selection":{
        "filter":"(&(objectClass=group)(memberOf=*))"
    }
  },

  "users":{
    "base-dn":"MY_BASE_DN",
    "id-attribute":"cn",
    "user-info-attributes":{
        "displayname":"Full name"
    },
    "selection":{
        "filter":"(&(objectClass=organizationalPerson)(objectClass=user))"
    }
  },
}

And the LDAP sync status:

# euare-getldapsyncstatus
EUARE_URL environment variable is deprecated; use AWS_IAM_URL instead
SyncEnabled     true
InSync  false

In the log files, I see the following:

Mon Dec 29 11:31:14 2014 ERROR [LdapSync:LDAP sync] User admin is reserved for Eucalyptus only. Sync will skip this user from LDAP.

I have an accounting group added to the accounting-groups base DN, and I see that group when I run the list command:

# euare-accountlist
EUARE_URL environment variable is deprecated; use AWS_IAM_URL instead
(eucalyptus)blockstorage        886472098984
eucalyptus      144711845746
mygroup     752874470188

However, no members of that accounting group appear:

# euare-grouplistbypath
EUARE_URL environment variable is deprecated; use AWS_IAM_URL instead
Groups
# euare-userlistbypath
EUARE_URL environment variable is deprecated; use AWS_IAM_URL instead
arn:aws:iam::144711845746:user/admin

I’ve tried every combination of username, DOMAIN\username, and username@domain that I can think of, but I still can’t log in to the Eucalyptus console. Any suggestions?

Thanks, Dan

dthagard

1 Answer


OK, so in answer to my own question, it appears as if it was working. After logging into the console using the admin login credentials created during the install/configure, I was able to see that the users were being created correctly. I made one small tweak to the .lic file, namely I set the id-attribute to use sAMAccountName rather than cn to meet user expectations for their login.

"users":{
  "base-dn":"MY_BASE_DN",
  "id-attribute":"sAMAccountName",
  "user-info-attributes":{
      "displayname":"Full name"
  },
  "selection":{
      "filter":"(&(objectClass=organizationalPerson)(objectClass=user))"
  }
}

Also, I failed to pass in the account name when running euare-userlistbypath, namely:

euare-userlistbypath --as-account mygroup

Running with the account retrieves the user list as expected.

dthagard

Oh, and adding `(!(sAMAccountName=admin))` to the users filter gets rid of the admin LDAP sync error. – dthagard Dec 30 '14 at 19:52
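The following is an added example, not code from the original post or from Eucalyptus. It evaluates the four selection filters from the .lic file above (plus the `(!(sAMAccountName=admin))` variant from the comment) against a handful of constructed Active Directory style entries, so you can see before a sync which objects each filter would select, why changing `id-attribute` from `cn` to `sAMAccountName` changes the login name Eucalyptus assigns, and how the extra clause drops the reserved `admin` user. It implements only the RFC 4515 subset these filters use (and, or, not, equality, presence); the entries, DNs and names are constructed for the example.

```python
"""Evaluate Eucalyptus LDAP selection filters against constructed AD-style entries.

Added example; not part of the original post or of Eucalyptus. Supports the
RFC 4515 subset used in the LIC file: &, |, !, attr=value and presence (attr=*).
Escaped values (\\2a etc.) and substring/approx matches are out of scope.
"""

# Constructed sample directory entries, shaped like AD search results
# (attribute values are lists, as an LDAP client returns them).
SAMPLE_ENTRIES = [
    {"dn": "CN=Admin,CN=Users,DC=mydomain,DC=local",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "cn": ["Admin"], "sAMAccountName": ["admin"], "displayName": ["Administrator"]},
    {"dn": "CN=Dan Example,CN=Users,DC=mydomain,DC=local",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "cn": ["Dan Example"], "sAMAccountName": ["dexample"], "displayName": ["Dan Example"]},
    {"dn": "CN=svc-printer,CN=Users,DC=mydomain,DC=local",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "cn": ["svc-printer"], "sAMAccountName": ["svc-printer"]},
    {"dn": "CN=Operators,OU=Sec Groups,DC=mydomain,DC=local",
     "objectClass": ["top", "group"], "cn": ["Operators"],
     "member": ["CN=Dan Example,CN=Users,DC=mydomain,DC=local"],
     "memberOf": ["CN=mygroup,OU=Eucalyptus,OU=Groups,DC=mydomain,DC=local"]},
    {"dn": "CN=mygroup,OU=Eucalyptus,OU=Groups,DC=mydomain,DC=local",
     "objectClass": ["top", "group"], "cn": ["mygroup"],
     "member": ["CN=Operators,OU=Sec Groups,DC=mydomain,DC=local"]},
]


def parse_filter(text):
    """Parse a filter string into a nested tuple AST; raises ValueError if malformed."""
    s = text.strip()
    node, pos = _parse(s, 0)
    if pos != len(s):
        raise ValueError(f"trailing characters at position {pos}")
    return node


def _expect(s, i, ch):
    if i >= len(s) or s[i] != ch:
        raise ValueError(f"expected {ch!r} at position {i}")


def _parse(s, i):
    _expect(s, i, "(")
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    op = s[i]
    if op in "&|":                       # (&(...)(...)) / (|(...)(...))
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        _expect(s, i, ")")
        return (op, children), i + 1
    if op == "!":                        # (!(...))
        child, i = _parse(s, i + 1)
        _expect(s, i, ")")
        return ("!", child), i + 1
    end = s.index(")", i)                # simple item: attr=value or attr=*
    attr, sep, value = s[i:end].partition("=")
    if not attr or not sep:
        raise ValueError(f"bad filter item {s[i:end]!r}")
    return ("=", attr, value), end + 1


def _attr_values(entry, attr):
    """LDAP attribute names are case-insensitive; 'dn' is not an attribute here."""
    for key, values in entry.items():
        if key != "dn" and key.lower() == attr.lower():
            return values
    return []


def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    values = _attr_values(entry, attr)
    if value == "*":                     # presence test
        return bool(values)
    return any(v.lower() == value.lower() for v in values)  # AD equality is case-insensitive


def select(filter_text, entries, id_attribute):
    """Return the id-attribute value of every entry the filter selects, in order."""
    node = parse_filter(filter_text)
    return [(_attr_values(e, id_attribute) or [None])[0]
            for e in entries if matches(node, e)]


# Filters from the .lic file in the question and the comment on the answer.
USERS_FILTER = "(&(objectClass=organizationalPerson)(objectClass=user))"
USERS_FILTER_NO_ADMIN = "(&(objectClass=organizationalPerson)(objectClass=user)(!(sAMAccountName=admin)))"
ACCOUNTING_GROUPS_FILTER = "(&(objectClass=group)(!(memberOf=*)))"
GROUPS_FILTER = "(&(objectClass=group)(memberOf=*))"

if __name__ == "__main__":
    print("users, id-attribute=cn:            ", select(USERS_FILTER, SAMPLE_ENTRIES, "cn"))
    print("users, id-attribute=sAMAccountName:", select(USERS_FILTER, SAMPLE_ENTRIES, "sAMAccountName"))
    print("users without reserved admin:      ", select(USERS_FILTER_NO_ADMIN, SAMPLE_ENTRIES, "sAMAccountName"))
    print("accounting groups (top-level):     ", select(ACCOUNTING_GROUPS_FILTER, SAMPLE_ENTRIES, "cn"))
    print("groups (nested in an account):     ", select(GROUPS_FILTER, SAMPLE_ENTRIES, "cn"))
```

Running it shows the difference the answer describes: with `id-attribute` set to `cn` the sync would create a user named `Dan Example`, while `sAMAccountName` yields `dexample`, which is what people actually type at the console. The `(!(sAMAccountName=admin))` clause removes the `admin` entry from the users result, so the "User admin is reserved for Eucalyptus only" message never arises; the two group filters split groups that have no `memberOf` (accounts) from those that do (groups inside an account), which is the layout the question's `accounting-groups` and `groups` sections rely on.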