ISSUE TYPE
COMPONENT NAME
CLOUDSTACK VERSION
CONFIGURATION
Using many domains.
Trying to use LDAP server with TLS.
All certificates generated and tested.
Keystore configured and tested.
OS / ENVIRONMENT
Ubuntu Server 20.04.3 LTS.
KVM.
cloudstack-management 4.15.2.0~focal
SUMMARY
The management server needs to communicate with LDAP using TLS (LDAPS). The documentation says that if ldap.truststore and ldap.truststore.password are configured it will switch to LDAPS. This only happens when these parameters are configured globally, but using the API it is possible to configure them inside a domain. When they are configured inside a domain, there is no effect.
STEPS TO REPRODUCE
Try to configure ldap.truststore and ldap.truststore.password for a domain:
cmk -p user@myprofile update configuration name='ldap.truststore' value='/etc/cloudstack/management/cloud.jks' domainid="e8b2ec00-21e2-430b-bd9b-a31c3d642bbf"
cmk -p user@myprofile update configuration name='ldap.truststore.password' value=PASSWORD domainid="e8b2ec00-21e2-430b-bd9b-a31c3d642bbf"
EXPECTED RESULTS
LDAPS enabled and communication between management and LDAP servers using TLS.
ACTUAL RESULTS
LDAPS is not enabled.
LDAP server logs show "initializing ldap with provider url: ldap://ldapserver.domain:636".
All queries trying to log in a user use ldap:// too, not ldaps://.
If we configure ldap.truststore and ldap.truststore.password globally (not for a domain), we can make LDAPS work.
cmk -p user@myprofile update configuration name='ldap.truststore' value='/etc/cloudstack/management/cloud.jks'
cmk -p user@myprofile update configuration name='ldap.truststore.password' value=PASSWORD
# Until here no domain was specified!
cmk -p user@myprofile add ldapconfiguration hostname=ldapserver.mydomain port=636 domainid="e8b2ec00-21e2-430b-bd9b-a31c3d642bbf"
cmk -p user@myprofile update configuration name='ldap.basedn' value='...............' domainid="e8b2ec00-21e2-430b-bd9b-a31c3d642bbf"
I think the code is looking for ldap.truststore and ldap.truststore.password only in the global configuration. It would be interesting to look inside domain configurations too, so that each domain could have a different LDAP configuration. As the API accepts the domainid= parameter to configure the truststore, I believe that this was the initial idea, but something is not working as expected.
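The symptom reported above (a provider URL with the plaintext ldap:// scheme aimed at port 636, so no TLS is ever negotiated) can be checked mechanically. The following is an added example and is not CloudStack code or part of this report: it scans management-server log lines for the message quoted in the issue, flags ldap:// on the LDAPS port, and offers an optional TLS handshake probe against a PEM CA bundle. The log-line prefix and the sample lines are constructed, and the PEM bundle is an assumption (Python's ssl module cannot read a Java .jks truststore, so the CA certificate would have to be exported to PEM first).

```python
"""Audit CloudStack LDAP provider URLs for the 'plaintext on the LDAPS port' symptom.

Added example, not CloudStack code. Only the message text
"initializing ldap with provider url: ..." comes from the issue; the
timestamps and logger tag in the sample lines are constructed.
"""
import re
import socket
import ssl
from urllib.parse import urlsplit

LDAPS_PORT = 636

# Everything after "provider url: " up to the next whitespace is the URL.
PROVIDER_URL_RE = re.compile(r"initializing ldap with provider url:\s*(\S+)")

# Constructed sample log: line 1 is the broken per-domain case from the issue,
# line 2 the working global configuration, line 3 a plain LDAP server on 389.
SAMPLE_LOG = """\
2021-11-01 10:00:01,000 INFO  [ldap] initializing ldap with provider url: ldap://ldapserver.domain:636
2021-11-01 10:05:02,000 INFO  [ldap] initializing ldap with provider url: ldaps://ldapserver.domain:636
2021-11-01 10:06:03,000 INFO  [ldap] initializing ldap with provider url: ldap://ldapserver.domain:389
"""


def classify_provider_url(url):
    """Return a short verdict for one LDAP provider URL.

    'misconfigured-plaintext-on-ldaps-port' is the exact situation the issue
    describes: the truststore settings were not picked up, so the scheme stayed
    ldap:// even though the configured port is the TLS port.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "ldaps":
        return "ok-tls"
    if scheme == "ldap" and parts.port == LDAPS_PORT:
        return "misconfigured-plaintext-on-ldaps-port"
    if scheme == "ldap":
        return "plaintext"
    return "unknown-scheme"


def audit_log(text):
    """Return [(url, verdict), ...] for every provider-URL line in the log text."""
    results = []
    for line in text.splitlines():
        match = PROVIDER_URL_RE.search(line)
        if match:
            url = match.group(1)
            results.append((url, classify_provider_url(url)))
    return results


def probe_ldaps(host, port=LDAPS_PORT, cafile=None, timeout=5.0):
    """Confirm independently that host:port completes a TLS handshake.

    cafile is a PEM bundle containing the CA that signed the LDAP server
    certificate (assumed to be exported from the .jks truststore). Returns the
    negotiated TLS version on success, or None if the handshake fails. Needs
    network access, so it is not exercised by the offline sample run below.
    """
    context = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except (OSError, ssl.SSLError):
        return None


if __name__ == "__main__":
    for url, verdict in audit_log(SAMPLE_LOG):
        print(f"{verdict:42s} {url}")
```

Run against the real management-server log in place of SAMPLE_LOG; any line classified as misconfigured-plaintext-on-ldaps-port means the per-domain truststore was ignored exactly as the report describes, and probe_ldaps can be used to rule out a server-side TLS problem before concluding the fault is on the CloudStack side.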