Active directory Active Directory身份验证未显示用户、组
我正在尝试使用Eucalyptus进行Active Directory身份验证,但无法使用配置的凭据登录控制台。我的.lic文件中包含以下内容:Active directory Active Directory身份验证未显示用户、组,active-directory,eucalyptus,Active Directory,Eucalyptus,我正在尝试使用Eucalyptus进行Active Directory身份验证,但无法使用配置的凭据登录控制台。我的.lic文件中包含以下内容: PROPERTY authentication.ldap_integration_configuration { "ldap-service":{ "server-url":"ldap://<ldap-server-ip>:389", "auth-method":"simple", "user-
PROPERTY authentication.ldap_integration_configuration {
"ldap-service":{
"server-url":"ldap://<ldap-server-ip>:389",
"auth-method":"simple",
"user-auth-method":"simple",
"auth-principal":"eucalyptus@mydomain",
"auth-credentials":"{RSA/ECB/PKCS1Padding}oRv4cHzkJqBxqnT3S/w9tXAOAkrblaw/iGZtuXw4GWipcGbfthrthrDCt8U6P5G4re6eLd9hzcNYxPIdoNqEDeiWF9hfJB8Ndf1kEDV0xGXnzTHhI14F1DcaaasYMkvrqUqcefKrSmsGyg4JtcHF96kEtj3bhsdfsdfw3IpuRn0o4y2+iMoq+JkxOFogHuhGhtdMa7fsdfsdf232m0vOrFUeln5uI619yEFmoVtIsOZbF6tEJsM64GzSbtl0dOaSCdnHmOYeQ6ksfFcdmxz0/1QMOakHC+ntdGTZrO+83UQYGWue9IjKXP0dWTCpXNnp6+P6un+jY2cM25bR3uw==",
"use-ssl":"false",
"ignore-ssl-cert-validation":"true",
"krb5-conf":"/etc/krb5.conf",
},
"sync":{
"enable":"true",
"auto":"true",
"interval":"6000",
"clean-deletion":"true",
},
"accounting-groups":{
"base-dn":"OU=Eucalyptus,OU=Groups,MY_BASE_DN",
"id-attribute":"cn",
"member-attribute":"member",
"member-item-type":"cn",
"selection":{
"filter":"(&(objectClass=group)(!(memberOf=*)))"
}
},
"groups":{
"base-dn":" OU=Sec Groups,MY_BASE_DN",
"id-attribute":"cn",
"member-attribute":"member",
"member-item-type":"cn",
"selection":{
"filter":"(&(objectClass=group)(memberOf=*))",
}
},
"users":{
"base-dn":"MY_BASE_DN”,
"id-attribute":"cn",
"user-info-attributes":{
"displayname":"Full name"
},
"selection":{
"filter":"(&(objectClass=organizationalPerson)(objectClass=user))"
}
},
}
在日志文件中,我看到以下内容:
Mon Dec 29 11:31:14 2014 ERROR [LdapSync:LDAP sync] User admin is reserved for Eucalyptus only. Sync will skip this user from LDAP.
我已将一个会计组添加到会计组基本dn中,并且在运行list命令时看到该组:
# euare-accountlist
EUARE_URL environment variable is deprecated; use AWS_IAM_URL instead
(eucalyptus)blockstorage 886472098984
eucalyptus 144711845746
mygroup 752874470188
但是,没有出现该会计组的成员:
# euare-grouplistbypath
EUARE_URL environment variable is deprecated; use AWS_IAM_URL instead
Groups
# euare-userlistbypath
EUARE_URL environment variable is deprecated; use AWS_IAM_URL instead
arn:aws:iam::144711845746:user/admin
我尝试了用户名、域\用户名的各种组合,username@domain我可以想到,但我仍然无法登录到Eucalyptus控制台。有什么建议吗
谢谢,
Dan好的,那么在回答我自己的问题时,它看起来好像在工作。使用安装/配置期间创建的管理员登录凭据登录控制台后,我能够看到用户的创建是正确的。我对.lic文件做了一个小改动,即我将id属性设置为使用sAMAccountName而不是cn,以满足用户对其登录的期望
"users":{
"base-dn":"MY_BASE_DN”,
"id-attribute":"sAMAccountName",
"user-info-attributes":{
"displayname":"Full name"
},
"selection":{
"filter":"(&(objectClass=organizationalPerson)(objectClass=user))"
}
此外,在运行euare userlistbypath时,我未能传入帐户名,即:
euare-userlistbypath --as-account mygroup
使用帐户运行将按预期检索用户列表。Oh,将(!(sAMAccountName=admin))
添加到用户筛选器将消除管理员LDAP同步错误。
euare-userlistbypath --as-account mygroup