
LDAP/Active Directory Authentication Fails if User is Member of More than 6 Groups #8351

Open
kismetgerald-ngc opened this issue Feb 14, 2025 · 0 comments

@kismetgerald-ngc

Are you using XOA or XO from the sources?

both

Which release channel?

both

Provide your commit number

8f877

Describe the bug

I'm reporting this as a potential bug with the auth-ldap plugin, after some troubleshooting exercises with @olivierlambert via the community forum. I certainly respect your time and don't want to waste it, but I also believe this report has some merit and should receive some attention.

Essentially, what I'm seeing - in both XOA and XO (from sources - built directly using your documentation instructions and by using @ronivay's install script) - is that LDAP authentication fails when the user being authenticated is a member of more than 6 groups.

The reference forum postings:

  1. https://xcp-ng.org/forum/topic/7321/existing-ad-users-cannot-login-to-xoce-but-new-users-can
  2. https://xcp-ng.org/forum/topic/10076/xo-community-edition-ldap-plugin-not-working

I'm available to assist with further testing or to provide any additional error messages that will help drill down to the root cause and fix this.

Error message


To reproduce

  1. Log in to XO and go to 'SETTINGS > PLUGINS'
  2. Click the + button to the right of the auth-ldap plugin
  3. Configure the plugin with parameters similar to the following (see code block below).
  4. Go to Active Directory Users and Computers, and take note of how many groups the subject account is a member of. If fewer than 7, proceed to test the plugin - it should succeed. Keep incrementing and testing until you reach 7 groups; the test should now fail.

LDAP/AD Configuration

URI:  ldap://DC01:389
Certificate Authorities (left blank)
Check certificate = No
Use StartTLS = No

Base:  OU=Users,OU=LabNET,DC=LabNET,DC=local

Credentials (fill this out)
dn: "Put here the Distinguished Name of whichever account you're using to bind to AD"
password:  "goes without saying"

User filter:  (&(sAMAccountName=({name}))(memberOf=CN=XenOrchestra_Admins,OU=Groups,OU=LabNET,DC=LabNET,DC=local))
ID attribute:  sAMAccountName

Synchronize groups (fill this in if you want to control login based on group membership)
Base: OU=Groups,OU=LabNET,DC=LabNET,DC=local
Filter:  (objectClass=group)
ID attribute:  dn
Display name attribute:  cn

Members mapping (fill this out)
Group attribute:  member
User attribute:  dn

Expected behavior

LDAP/Active Directory authentication should be successful, irrespective of how many groups a user is a member of.

Screenshots

No response

Node

22.14.0

Hypervisor

XCP-ng 8.3.0

Additional context

Bug report filed with @olivierlambert's concurrence
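Added example (not code from the report or from the Xen Orchestra project): an offline helper for step 4 of the reproduction that counts the `memberOf` values in ldapsearch-style LDIF output for the account (handling folded continuation lines and base64 `::` values), and builds the report's user filter with the account name escaped per RFC 4515 before substitution. The LDIF input is constructed, and the `{name}` placeholder form is an assumption.

```python
import base64
# User filter from the report's plugin configuration. ASSUMPTION: the report's
# "({name})" is the placeholder itself, written here as {name}.
USER_FILTER_TEMPLATE = ("(&(sAMAccountName={name})(memberOf=CN=XenOrchestra_Admins,"
                        "OU=Groups,OU=LabNET,DC=LabNET,DC=local))")
GROUP_THRESHOLD = 7  # the report observes login failures from the 7th group onward

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_user_filter(name):
    """The report's user filter with the account name substituted safely."""
    return USER_FILTER_TEMPLATE.replace("{name}", escape_filter_value(name))

def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) back onto their attribute line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def member_of(ldif):
    """memberOf DNs of the entry in ldapsearch-style LDIF; '::' marks a base64 value."""
    groups = []
    for line in unfold_ldif(ldif):
        if line.startswith("memberOf:: "):
            groups.append(base64.b64decode(line[11:]).decode("utf-8"))
        elif line.startswith("memberOf: "):
            groups.append(line[10:])
    return groups

def group_count_report(ldif):
    """(group count, True when at or above the count where the report sees failures)."""
    n = len(member_of(ldif))
    return n, n >= GROUP_THRESHOLD

# Constructed sample of what `ldapsearch ... memberOf` returns for a user in 7 groups.
SAMPLE_LDIF = "\n".join([
    "dn: CN=jdoe,OU=Users,OU=LabNET,DC=LabNET,DC=local",
    "memberOf: CN=XenOrchestra_Admins,OU=Groups,OU=LabNET,DC=LabNET,DC=local",
    "memberOf: CN=Domain Admins,CN=Users,DC=LabNET,DC=local",
    "memberOf: CN=Backup Operators,CN=Builtin,DC=LabNET,DC=local",
    "memberOf: CN=Hyper-V Administrators,CN=Builtin,DC=LabNET,DC=local",
    "memberOf: CN=Lab Storage Team,OU=Groups,OU=LabNET,DC=LabNET,DC=local",
    "memberOf: CN=Virtualisation Change Approvers,OU=Groups,OU=LabNET,DC=La",
    " bNET,DC=local",  # ldapsearch folds long lines; the continuation starts with a space
    "memberOf:: " + base64.b64encode("CN=Équipe Réseau,OU=Groups,DC=LabNET,DC=local".encode()).decode(),
])
```

To use it against a real directory, feed the output of `ldapsearch -LLL -x -H ldap://DC01:389 -D <bind dn> -W -b <base> "<filter>" memberOf` to `member_of`, which gives the group count to compare with the 7-group boundary from the report without going through the plugin.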
