Windows auth_active_directory

[mbaldazzi85]

follow this way:
https://ravada.readthedocs.io/en/latest/docs/auth_active_directory.html#admin-users

apt-get install libtest-spelling-perl
apt-get install cpanminus
cpanm Auth::ActiveDirectory

in the /etc/ravada.conf had add

ldap:
server: 192.168.242.102
port: 389
domain: pippo.local
principal: [email protected]

always fails...

Anyone know a way to test authentication from the CLI?

[frankiejol]

Hello @mbaldazzi85. We added some code to auth to AD in a branch some time ago but I don't think it got to the release because of lack of testing on a real Active Directory Server.
You may try this branch https://github.com/UPC/ravada/tree/392_ad and test it on a live AD. There is also some documents about how to run Ravada from a development github branch:

• https://ravada.readthedocs.io/en/latest/docs/INSTALL_devel.html
• https://ravada.readthedocs.io/en/latest/devel-docs/run.html

We need some help here, and thought this is not in our priority list I will work on it if we get some error report. It is a really good new feature to add and most of the work has already been done. Thanks !

[frankiejol]

The related issue for this is #392 , one of the oldest still open. Hopefully we can close it soon.

[ahellquist]

I am in the process of setting up a POC and wanted to use the devel branch to be up to date.
Does the devel branch include basic AD or is the 392_ad still the only one ?
Version 1.0.0 was recently released, does that include any ad functionality ?

[frankiejol]

Hi @ahellquist I am sorry Active Directory still hasn't been fully implemented. None of these branches supports it.

[AKA9124]

Hello!
I have Active Directory using Windows Server 2012
I wanted to try make users who want access the VM in Webpage ravada vdi just need using their user & password from their AD account to login in webpage. Because if creating a new user in admin Webpage one by one, it will need a long time.

I have read the documentation and also checking in this github documentation, but it make me more confused...
Can someone tell me how to do that step by step ?

[frankiejol]

Hello @AKA9124 . We started with this feature but it was left behind because we couldn't test it properly. We had recently an issue with an user who I guess configured the LDAP settings in Ravada to match AD.

#1821 (comment)

See if it works. If not I will resurrect this old branch in the next beta release.

[AKA9124]

Thanks! I'll try

[AKA9124]

Hello @frankiejol i have try what you say, and its worked ! Now I can login to ravada webadmin using an account from Windows Server
But I have some question :

• Why in ravada webpage I only can use an FullName username to login?
  Fox example, I have account :
  Full Name : Jhonny Xin
  Logon : [email protected]
  I only can using Jhonny Xin only for login to ravada webadmin, if I am using joxin or [email protected] it always Access denied
  Is this the limit of ravada vdi ? (Because in windows we using username joxin or [email protected] to login domain, i mean user usually use this way, so i wanted they familiar with how to login to ravada webadmin, just need login like using windows)

• Can we limit users to only can use some VM ?
  Example, i have 3 VM, Windows 10, Windows7, and Linux. And i want joxin to only can access Windows10 and Windows7.

[frankiejol]

It is fantastic you succeeded login with AD. We will definitely add it to the docs.

As for the first question you ask. Ravada only passes the user and password to the AD using the fields defined in the settings. Probably you have something like this:
field: sAMAccountName

May be you can set another field to use for the user name that matches with the email.

About the second question. The short answer is yes. You can limit the access to the virtual machines using LDAP. I haven't tried with AD but it is worth checking. Check in the base machine options in the Access tab. You can limit access for groups, or you can set it with an LDAP attribute.

[AKA9124]

Thanks for your reply !

• About field: sAMAccountName I change it to field: userPrincipalName , so users will use an email info & password for login to ravada web, I also try so user can use both their userlogon and email using field: sAMAccountName userPrincipalName combined but idk why it's not working.

• About restriction users, why i cant add a group in here ? Is there something i should prepare in windows server first ?
  

Here my Windows Server for grouping user who can login to ravada web, in ravada.conf i setup : filter: 'memberOf=CN=ravada-users,DC=mytestserver,DC=com'

[frankiejol]

Hello @AKA9124 , it is fantastic you managed to login this way.

About restriction users, why i cant add a group in here ? Is there something i should prepare in windows server first ?

Well, it looks like Windows AD doesn't like the way we create groups. I wonder if you tried any other type of groups like groupOfUniqueNames or posixGroup . Watching the second screenshot, I am not user what you trying to do. I guess you are creating the group from within the AD manager itself. That would be a good option. If you manage to do that and inspect how this group is created and how members are added to it we could use it. Even if I had to tweak the code somehow.

There is a way to dump the contents of an LDAP entry from within Ravada CLI typing this:
rvd_back --test-ldap
That will ask for an username and password and dump the fields. Probably it will not help a lot but at least it will show the Object Class for the entry. This way we can know a little bit more about group internals.

Come on, it will not be easy but I am sure we will get something great for AD here. Thanks for your help !

[AKA9124]

I want that each user accessing VDI can be filtered according to group / division, this filter will make users accessing VDI only able to access VMs that are specific to their group or division
i have try many ways but i still cant import group from Windows AD to Ravada VDI, using groupOfUniqueNames and posixGroup have a same result, I don't know why

and I try did something else so that VDI can detect what group or member the logged in user is from, so that it can limit users from accessing each machine. And when I try rvd_back --test-ldap I found some line code primaryGroupID: <number>
After I search I found it that this attribute is an id number of group where current user belong. Then it turns out that based on this ID, we can filter users who want to access the VM.
Like picture below :

With this setup, we can limit every users Groups in Windows AD who want access the VM.

To find primaryGroupID where user belong, we can use rvd_back --test-ldap with user account or in Windows AD using attribute editor

[frankiejol]

@AKA9124 you did it great. It is amazing you found about this primaryGroupID attribute. Thank you very much for explaining it so well. I will add a task so we can research AD a little bit more and manage this groups the same we do with LDAP ones. Meanwhile I will write a new AD entry in the docs. Can we reuse part of your text and screenshots ? We will properly credit your name.

[AKA9124]

Yes of course! I am happy to hear that

[AKA9124]

Additionally, because primaryGroupID: <number> is a number showing current users primary group belong. We should set primary group for users in Windows Server Member Of in users setting menu :

Here users belong to 3 groups, but users-IT is they primary group ID, so when run rvd_back --test-ldap the result number in primaryGroupID: <number> will be users-IT ID group number. And this can be set as filter in Ravada Web
(I forgot set one user primary group that make me confuse for 1 hour why my filter is not working for this one user (シ_ _ )シ
so I hope this comment will help in future)

[rajpatel-msstate]

Hey guys,

I am still stuck on this issue. I used the LDAP attribute of primary group, but it still does not recognize it. When I look at the user, I see that the user is successfully logs in, but it won't have access to the VM. I noticed on the admin interface that the user is not a member of any LDAP/AD group even though I know it is.

For example:
Name: Jane Doe
Login: sAMAccountName
Password: LDAP Password:
memberOf: GroupA, GroupB, GroupC

In the Access tab of the VM
Under the sub-category of Group, I can filter using the "sAMAccountName" of the group.

I can further see that, the logged in user has "DistinguishedName" listed which belongs to the logged on user but is not the same as "sAMAccountName".

In my opinion, the only thing it is missing is the checking of the group membership in LDAP based on "field". Could either of you please point me to the code where you think is checking for it?

Any help you can provide is greatly appreciated!

Raj Patel