[one-users] extended ldap_auth module
Daniel Molina Aranda
danmolin at fdi.ucm.es
Thu Feb 3 09:28:13 PST 2011
Hi Carsten,
You are right, the current implementation assumes the same username. We just
implemented the basic functionality, so this contribution is very useful for
people that want to combine LDAP authentication with OpenNebula in a
extended way, thanks for sharing it with us.
We have added a new section to our website, called "Community Wiki" inside
the Documentation tab. We want this section to be a place to find useful
howtos, configurations or extensions for OpenNebula, build by the community
users. We would be more than happy if you add this extension to this new
section. We are still developing this new wiki but I can create you an
account. If you are interested, just send me a private message.
Thanks again for the contribution.
On 3 February 2011 00:52, <Carsten.Friedrich at csiro.au> wrote:
> The current ldap_auth module is assuming that the username is the same as
> the LDAP dn entry. In more complex LDAP installations this is often not the
> case and LDAP authentication is a bit more complicated:
>
>
>
> * Bind as a dedicated “search LDAP user”
>
> * Search the directory tree for the username
>
> * Get the DN from the search result
>
> * Bind as the DN with the user password
>
>
>
> I modified the current ldap_auth.rb to use this more complex process if
> the auth.conf file defines “search_filter”. In this case it expects
> “search_filter” to contain a suitable search string with “@@LOGIN@@”
> instead of the user name (to be replaced at runtime). E.g. something like:
> “(&(cn=@@LOGIN@@)(objectClass=user))”
>
>
>
> It also expects the following config entries:
>
> * sec_principal : the DN of the LDAP search user.
>
> * sec_passwd: The password for the sec_principal
>
> * search_base: The base in the LDAP tree from which to search
>
>
>
> Code below:
>
>
>
> #
> --------------------------------------------------------------------------
>
> # Copyright 2010, C12G Labs S.L., CSIRO
>
> #
>
> # This file is part of OpenNebula Ldap Authentication.
>
> #
>
> # OpenNebula Ldap Authentication is free software: you can redistribute it
> and/or modify
>
> # it under the terms of the GNU General Public License as published by
>
> # the Free Software Foundation, either version 3 of the License, or the
> hope
>
> # That it will be useful, but (at your option) any later version.
>
> #
>
> # OpenNebula Ldap Authentication is distributed in WITHOUT ANY WARRANTY;
> without even
>
> # the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
>
> # PURPOSE. See the GNU General Public License for more details.
>
> #
>
> # You should have received a copy of the GNU General Public License
>
> # along with OpenNebula Ldap Authentication . If not, see <
> http://www.gnu.org/licenses/>
>
> #
> --------------------------------------------------------------------------
>
> require 'rubygems'
>
>
>
> require 'net/ldap'
>
>
>
> # Ldap authentication module.
>
>
>
> class LdapAuth
>
> def initialize(config)
>
> @config = config
>
> end
>
>
>
> def getLdap(user, password)
>
> ldap = Net::LDAP.new
>
> ldap.host = @config[:ldap][:host]
>
> ldap.port = @config[:ldap][:port]
>
> ldap.auth user, password
>
> ldap
>
> end
>
>
>
> def getLdapDN(user)
>
> search_filter = @config[:ldap][:search_filter]
>
> if (search_filter.nil?)
>
> return user
>
> end
>
>
>
> search_filter = search_filter.gsub("@@LOGIN@@", user)
>
> ldap = getLdap(@config[:ldap][:sec_principal],
> @config[:ldap][:sec_passwd])
>
> begin
>
> ldap.search( :base => @config[:ldap][:search_base], :attributes =>
> 'dn',
>
> :filter => search_filter, :return_result => true ) do
> |entry|
>
> STDERR.puts "Found #{entry.dn}"
>
> return entry.dn
>
> end
>
> rescue Exception => e
>
> STDERR.puts "LDAP search failed: #{e.message}"
>
> end
>
> return nil
>
> end
>
>
>
> def auth(user_id, user, password, token)
>
> dn = getLdapDN(user)
>
> if(dn.nil?)
>
> STDERR.puts("User #{user} not found in LDAP")
>
> return false
>
> end
>
>
>
> begin
>
> if getLdap(dn, token).bind
>
> STDERR.puts "User #{user} authenticated!"
>
> return true
>
> end
>
> rescue Exception => e
>
> STDERR.puts "User authentication failed for #{entry.dn}:
> #{e.message}"
>
> return false
>
> end
>
>
>
> STDERR.puts "User #{user} could not be authenticated."
>
> return false
>
> end
>
> end
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opennebula.org
> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>
>
--
Daniel Molina, Cloud Technology Engineer/Researcher
DSA Research Group: web http://dsa-research.org and blog
http://blog.dsa-research.org
OpenNebula Open Source Toolkit for Cloud Computing:
http://www.OpenNebula.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opennebula.org/pipermail/users-opennebula.org/attachments/20110203/31ef81d8/attachment-0003.htm>
More information about the Users
mailing list