
Api/UI: Add support to delete/unlink DomainToLdap #11471

@kiranchavala

Description


The required feature, described as a wish.

Steps to reproduce the issue

  1. Add an LDAP configuration
  2. Create a domain
  3. Link the domain to LDAP

or execute the api

https://cloudstack.apache.org/api/apidocs-4.20/apis/linkDomainToLdap.html

(localcloud) 🐱 > link domaintoldap domainid=394cbde8-efe2-4ef2-bac0-fa5958fa4134 type=GROUP accounttype=2 ldapdomain=cn=dev-team,ou=Telco-Bng,dc=example,dc=in admin=admin
{
"LinkDomainToLdap": {
"accounttype": 2,
"domainid": "394cbde8-efe2-4ef2-bac0-fa5958fa4134",
"ldapdomain": "cn=qa-team,dc=example,dc=in",
"name": "cn=qa-team,dc=example,dc=in",
"type": "GROUP"
}
}

  4. Check the database table
mysql> select * from ldap_trust_map;
+----+-----------+-------+-------------------------------------------+--------------+------------+
| id | domain_id | type  | name                                      | account_type | account_id |
+----+-----------+-------+-------------------------------------------+--------------+------------+
| 22 |        25 | GROUP | cn=dev-team,ou=Telco-Bng,dc=example,dc=in |            2 |          0 |

  5. Currently there is no way to update the configuration via an API call.

  6. If an admin tries to execute the API call again or perform the same action from the UI, the admin user will hit an exception.


Logs

2025-08-19 06:52:25,182 DEBUG [c.c.a.ApiServlet] (qtp253011924-25:[ctx-f25a19f8]) (logid:aafa8e9e) ===START===  10.0.3.251 -- POST
2025-08-19 06:52:25,182 DEBUG [c.c.a.ApiServlet] (qtp253011924-25:[ctx-f25a19f8]) (logid:aafa8e9e) Two factor authentication is already verified for the user 2, so skipping
2025-08-19 06:52:25,190 DEBUG [c.c.a.ApiServer] (qtp253011924-25:[ctx-f25a19f8, ctx-aebf2303]) (logid:aafa8e9e) CIDRs from which account 'Account [{"accountName":"admin","id":2,"uuid":"41afc720-7731-11f0-9a5b-1e00900003a2"}]' is allowed to perform API calls: 0.0.0.0/0,::/0
2025-08-19 06:52:25,192 INFO  [o.a.c.a.DynamicRoleBasedAPIAccessChecker] (qtp253011924-25:[ctx-f25a19f8, ctx-aebf2303]) (logid:aafa8e9e) Account for user id 41b07ac1-7731-11f0-9a5b-1e00900003a2 is Root Admin or Domain Admin, all APIs are allowed.
2025-08-19 06:52:25,192 DEBUG [o.a.c.a.StaticRoleBasedAPIAccessChecker] (qtp253011924-25:[ctx-f25a19f8, ctx-aebf2303]) (logid:aafa8e9e) RoleService is enabled. We will use it instead of StaticRoleBasedAPIAccessChecker.
2025-08-19 06:52:25,192 DEBUG [o.a.c.r.ApiRateLimitServiceImpl] (qtp253011924-25:[ctx-f25a19f8, ctx-aebf2303]) (logid:aafa8e9e) API rate limiting is disabled. We will not use ApiRateLimitService.


2025-08-19 06:52:25,197 ERROR [o.a.c.l.d.LdapTrustMapDaoImpl] (qtp253011924-25:[ctx-f25a19f8, ctx-aebf2303]) (logid:aafa8e9e) DB Exception on: HikariProxyPreparedStatement@239902172 wrapping com.mysql.cj.jdbc.ServerPreparedStatement[181]: INSERT INTO ldap_trust_map (ldap_trust_map.type, ldap_trust_map.name, ldap_trust_map.domain_id, ldap_trust_map.account_id, ldap_trust_map.account_type) VALUES ('OU', x'6f753d54656c636f2d426e672c64633d6578616d706c652c64633d696e', 25, 0, 0) java.sql.SQLIntegrityConstraintViolationException: Duplicate entry '25-0' for key 'ldap_trust_map.uk_ldap_trust_map__bind_location'
	at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:118)
	at com.mysql.cj.jdbc.exceptions.SQLExceptionsMapping.translateException(SQLExceptionsMapping.java:122)
	at com.mysql.cj.jdbc.ServerPreparedStatement.serverExecute(ServerPreparedStatement.java:555)
	at com.mysql.cj.jdbc.ServerPreparedStatement.executeInternal(ServerPreparedStatement.java:339)
	at com.mysql.cj.jdbc.ClientPreparedStatement.executeUpdateInternal(ClientPreparedStatement.java:1061)
	at com.mysql.cj.jdbc.ClientPreparedStatement.executeUpdateInternal(ClientPreparedStatement.java:1009)
	at com.mysql.cj.jdbc.ClientPreparedStatement.executeLargeUpdate(ClientPreparedStatement.java:1320)
	at com.mysql.cj.jdbc.ClientPreparedStatement.executeUpdate(ClientPreparedStatement.java:994)
	at com.zaxxer.hikari.pool.ProxyPreparedStatement.executeUpdate(ProxyPreparedStatement.java:61)
	at com.zaxxer.hikari.pool.HikariProxyPreparedStatement.executeUpdate(HikariProxyPreparedStatement.java)
	at com.cloud.utils.db.GenericDaoBase.persist(GenericDaoBase.java:1636)
	at jdk.internal.reflect.GeneratedMethodAccessor12.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:569)
	at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:344)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:198)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
	at com.cloud.utils.db.TransactionContextInterceptor.invoke(TransactionContextInterceptor.java:34)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:175)
	at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:97)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:215)
	at jdk.proxy3/jdk.proxy3.$Proxy517.persist(Unknown Source)
	at org.apache.cloudstack.ldap.LdapManagerImpl.linkDomainToLdap(LdapManagerImpl.java:418)
	at org.apache.cloudstack.ldap.LdapManagerImpl.linkDomainToLdap(LdapManagerImpl.java:4


2025-08-19 06:52:25,201 DEBUG [c.c.u.d.T.Transaction] (qtp253011924-25:[ctx-f25a19f8, ctx-aebf2303]) (logid:aafa8e9e) Rolling back the transaction: Time = 3 Name =  qtp253011924-25; called by -TransactionLegacy.rollback:905-TransactionLegacy.removeUpTo:848-TransactionLegacy.close:672-TransactionContextInterceptor.invoke:36-ReflectiveMethodInvocation.proceed:175-ExposeInvocationInterceptor.invoke:97-ReflectiveMethodInvocation.proceed:186-JdkDynamicAopProxy.invoke:215-$Proxy517.persist:-1-LdapManagerImpl.linkDomainToLdap:418-LdapManagerImpl.linkDomainToLdap:408-LinkDomainToLdapCmd.execute:95
2025-08-19 06:52:25,206 ERROR [c.c.a.ApiServer] (qtp253011924-25:[ctx-f25a19f8, ctx-aebf2303]) (logid:aafa8e9e) unhandled exception executing api command: [Ljava.lang.String;@7eab7506 javax.persistence.EntityExistsException: Entity already exists
2025-08-19 06:52:25,210 DEBUG [c.c.a.ApiServlet] (qtp253011924-25:[ctx-f25a19f8, ctx-aebf2303]) (logid:aafa8e9e) ===END===  10.0.3.251 -- POST

Currently, there is only the deleteLdapConfiguration API:

https://cloudstack.apache.org/api/apidocs-4.20/apis/deleteLdapConfiguration.html

Expected behaviour

The admin user should be able to unlink a domain from LDAP, and should be able to do the same from the UI.

If a domain is already linked to LDAP, the UI should show a message saying that it is not possible or is already configured.
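An added example, not CloudStack's own code: a small Python model of the ldap_trust_map table from the issue, with a link operation that checks for an existing binding and reports it explicitly (the message the issue asks for) instead of surfacing a database constraint violation, plus the requested unlink operation. The column names and the sample DNs come from the issue; it is assumed that uk_ldap_trust_map__bind_location is UNIQUE(domain_id, account_id), matching the 'Duplicate entry 25-0' in the log, and sqlite stands in for MySQL.

```python
import sqlite3


def open_trust_map() -> sqlite3.Connection:
    """In-memory stand-in for ldap_trust_map (constructed for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE ldap_trust_map (
               id           INTEGER PRIMARY KEY AUTOINCREMENT,
               domain_id    INTEGER NOT NULL,
               type         TEXT    NOT NULL,
               name         TEXT    NOT NULL,
               account_type INTEGER NOT NULL,
               account_id   INTEGER NOT NULL DEFAULT 0,
               -- assumed shape of the key named in the issue's stack trace
               CONSTRAINT uk_ldap_trust_map__bind_location
                   UNIQUE (domain_id, account_id))"""
    )
    return conn


def link_domain_to_ldap(conn, domain_id, ldap_type, ldap_dn, account_type):
    """Link a whole domain (account_id = 0) to an LDAP group or OU.

    Looks for an existing binding first so the caller gets an explicit
    'already linked' error instead of an unhandled constraint violation.
    """
    row = conn.execute(
        "SELECT name FROM ldap_trust_map WHERE domain_id = ? AND account_id = 0",
        (domain_id,),
    ).fetchone()
    if row is not None:
        raise ValueError(f"domain {domain_id} is already linked to LDAP ({row[0]})")
    try:
        conn.execute(
            "INSERT INTO ldap_trust_map (domain_id, type, name, account_type, account_id)"
            " VALUES (?, ?, ?, ?, 0)",
            (domain_id, ldap_type, ldap_dn, account_type),
        )
    except sqlite3.IntegrityError as exc:
        # Second line of defence: a concurrent insert between SELECT and INSERT.
        raise ValueError(f"domain {domain_id} is already linked to LDAP") from exc
    conn.commit()
    return True


def unlink_domain_from_ldap(conn, domain_id) -> bool:
    """The requested unlink operation: True if a domain-level link was removed."""
    cur = conn.execute(
        "DELETE FROM ldap_trust_map WHERE domain_id = ? AND account_id = 0", (domain_id,))
    conn.commit()
    return cur.rowcount == 1
```

The second link attempt in the issue (type OU, account_type 0 against the same domain) is exactly the case the pre-check turns into a readable error; after an unlink the same call succeeds.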
