Summary

While the CloudStack documentation is excellent regarding setting up LDAP/AD authentication, I felt it left out some basic but important steps. This page should fill in those gaps.

Configuration

If you look at the LDAP section of the CloudStack documentation you will notice various API calls. I initially thought that you somehow had to attach this API call to each user in order to let them authenticate with the password stored in AD/LDAP. Instead, the API call configures the management service so that LDAP authentication works, much like other products that have integrated LDAP auth.

Enabling port 8096

All the LDAP examples in the documentation query the API on port 8096; you will find that this does not work out of the box. (This is the port for accessing the API without authentication, as explained here.) Because requests on this port are not authenticated, restrict access to it to trusted hosts, for example with a host firewall, rather than exposing it beyond the management network.

  1. Go to your CloudStack management interface
  2. Global Settings
    1. set integration.api.port to 8096
    2. restart cloud-management service
  3. Test connection to api
    1. curl http://cloudstack:8096/api?command=listHosts
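The test in step 3 only tells you something if you look at the reply. The script below, an added example that is not part of the original page, wraps that curl call in a check that distinguishes "port not answering" (integration.api.port not set, or cloud-management not restarted) from "answered, but not with a listHosts response", and counts the hosts returned. The hostname cloudstack comes from the page's own curl example; the sample XML used offline is constructed.

```shell
#!/bin/sh
# Added example, not from the page: verify that the integration API answers on
# port 8096 and that listHosts returns a usable response. The hostname
# "cloudstack" is taken from the page's curl example; override with API_HOST.
API_HOST="${API_HOST:-cloudstack}"
API_PORT="${API_PORT:-8096}"

# Count the <host> elements in a listHosts XML response read from stdin.
count_hosts() {
  grep -o '<host>' | wc -l | tr -d ' '
}

# Return 0 when the response on stdin looks like a listHosts reply, 1 otherwise.
is_listhosts_response() {
  grep -q '<listhostsresponse'
}

# Query the integration port. Prints the host count on success; returns 1 when
# the port is unreachable (integration.api.port not set, service not restarted,
# or a firewall in the way) and 2 when something answered but not with a
# listHosts response (for example the web UI login page on the wrong port).
check_api() {
  resp=$(curl -sS --max-time 5 "http://${API_HOST}:${API_PORT}/api?command=listHosts") || {
    echo "no answer from ${API_HOST}:${API_PORT}; check integration.api.port and restart cloud-management" >&2
    return 1
  }
  printf '%s\n' "$resp" | is_listhosts_response || {
    echo "unexpected reply from ${API_HOST}:${API_PORT}" >&2
    return 2
  }
  printf '%s\n' "$resp" | count_hosts
}

# The live query only runs with --live, so the helper functions can also be
# exercised offline against a constructed response.
if [ "${1:-}" = "--live" ]; then
  hosts=$(check_api) && echo "listHosts returned ${hosts} host(s)"
fi
```

Run it as `sh check-api.sh --live` from a host that is allowed to reach port 8096; a non-zero exit with the first message means step 2 has not taken effect yet.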

Disabling MD5 hash

This is a workaround for bug CS-14680; you cannot authenticate to AD/LDAP without disabling this.

You need to change the file called /usr/share/cloud/management/webapps/client/scripts/sharedFunctions.js

From:

[root@cloudstack scripts]# cat /usr/share/cloud/management/webapps/client/scripts/sharedFunctions.js | grep md5
var md5Hashed = true;
var md5HashedLogin = true;
[root@cloudstack scripts]# 

To:

[root@cloudstack scripts]# cat /usr/share/cloud/management/webapps/client/scripts/sharedFunctions.js | grep md5
var md5Hashed = true;
var md5HashedLogin = true;
[root@cloudstack scripts]# 

Restart management services

  • service cloud-management restart
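The edit above is a one-line change, but it is easy to get wrong by hand and it is worth keeping a copy of the original file for when a package update replaces it. The script below is an added example, not part of the original page or of CloudStack: it backs up sharedFunctions.js, flips md5HashedLogin to false, verifies the result, and is safe to re-run. The file path is the one the page names; the sample file content used to run it offline is constructed. Note that with client-side hashing turned off the login password reaches the management server unhashed, so the web UI should be served over TLS.

```shell
#!/bin/sh
# Added example, not from the page: flip md5HashedLogin to false in
# sharedFunctions.js with a backup and a verification step. JS_FILE defaults to
# the path the page names; the sample content written by make_sample is
# constructed so the script can be exercised without a CloudStack install.
JS_FILE="${JS_FILE:-/usr/share/cloud/management/webapps/client/scripts/sharedFunctions.js}"

# Print the current value of md5HashedLogin (true or false) from the given file.
md5_login_state() {
  grep -o 'var md5HashedLogin *= *[a-z]*' "$1" | sed 's/.*= *//'
}

# Set md5HashedLogin to false, keeping a timestamped backup of the original.
# Returns 0 only when the file ends up with the expected value, so a re-run on
# an already-patched file succeeds without changing anything.
disable_md5_login() {
  f="$1"
  [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
  cp -p "$f" "$f.bak.$(date +%Y%m%d%H%M%S)"
  # -i.tmp works with both GNU and BSD sed; the temp copy is removed afterwards.
  sed -i.tmp 's/^\([[:space:]]*var md5HashedLogin[[:space:]]*=[[:space:]]*\)true;/\1false;/' "$f" && rm -f "$f.tmp"
  [ "$(md5_login_state "$f")" = "false" ]
}

# Constructed stand-in for the two lines of sharedFunctions.js the page shows.
make_sample() {
  printf 'var md5Hashed = true;\nvar md5HashedLogin = true;\n' > "$1"
}

# With --demo, run against a throwaway copy; otherwise patch JS_FILE in place.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  make_sample "$tmp"
  echo "before: $(md5_login_state "$tmp")"
  disable_md5_login "$tmp" && echo "after:  $(md5_login_state "$tmp")"
  rm -f "$tmp" "$tmp".bak.*
elif [ "${1:-}" = "--apply" ]; then
  disable_md5_login "$JS_FILE" && echo "md5HashedLogin is now false; restart cloud-management"
fi
```

Run `sh disable-md5-login.sh --demo` first to see the before/after on a scratch file, then `--apply` on the management server followed by the service restart above.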

If you need to support both LDAP auth and the internal MySQL database, there is also a recommended patch in CS-16325.
