[one-users] extended ldap_auth module
Carsten.Friedrich at csiro.au
Wed Feb 2 15:52:36 PST 2011
The current ldap_auth module assumes that the username is the same as the LDAP DN entry. In more complex LDAP installations this is often not the case, and LDAP authentication is a bit more complicated:
* Bind as a dedicated "search LDAP user"
* Search the directory tree for the username
* Get the DN from the search result
* Bind as the DN with the user password
I modified the current ldap_auth.rb to use this more complex process if the auth.conf file defines "search_filter". In this case it expects "search_filter" to contain a suitable search string with "@@LOGIN@@" in place of the user name (to be replaced at runtime), e.g. something like: "(&(cn=@@LOGIN@@)(objectClass=user))"
It also expects the following config entries:
* sec_principal: the DN of the LDAP search user
* sec_passwd: the password for the sec_principal
* search_base: the base in the LDAP tree from which to search
Code below:
# --------------------------------------------------------------------------
# Copyright 2010, C12G Labs S.L., CSIRO
#
# This file is part of OpenNebula Ldap Authentication.
#
# OpenNebula Ldap Authentication is free software: you can redistribute it
# and/or modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# OpenNebula Ldap Authentication is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
# Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with OpenNebula Ldap Authentication. If not, see
# <http://www.gnu.org/licenses/>
# --------------------------------------------------------------------------

require 'rubygems'
require 'net/ldap'

# LDAP authentication module.
#
# The :ldap section of auth.conf selects one of two modes:
#   * without :search_filter, the login name is used directly as the bind DN;
#   * with :search_filter, the module binds as :sec_principal/:sec_passwd,
#     searches below :search_base with the filter ("@@LOGIN@@" replaced by
#     the login name), and then binds as the DN it found using the password
#     supplied by the user.
class LdapAuth
    def initialize(config)
        @config = config
    end

    # Builds a Net::LDAP connection carrying the given bind credentials.
    # No bind happens here; search and bind do that.
    def getLdap(user, password)
        ldap = Net::LDAP.new
        ldap.host = @config[:ldap][:host]
        ldap.port = @config[:ldap][:port]
        ldap.auth user, password
        ldap
    end

    # Resolves the login name to a bind DN. Returns nil unless the search
    # finds exactly one entry.
    def getLdapDN(user)
        search_filter = @config[:ldap][:search_filter]

        # No search configured: the login name is the DN.
        return user if search_filter.nil?

        # The login is untrusted input, so escape the characters that have
        # meaning inside a filter (NUL * ( ) \ , see RFC 4515) before
        # splicing it in; otherwise a crafted login rewrites the query.
        # The escaped form contains backslashes, which String#gsub would
        # reinterpret in a replacement string, hence the block form.
        # Net::LDAP::Filter.escape needs a net-ldap release that provides it.
        search_filter = search_filter.gsub("@@LOGIN@@") do
            Net::LDAP::Filter.escape(user)
        end

        ldap = getLdap(@config[:ldap][:sec_principal],
                       @config[:ldap][:sec_passwd])
        begin
            entries = ldap.search(:base          => @config[:ldap][:search_base],
                                  :attributes    => ['dn'],
                                  :filter        => search_filter,
                                  :return_result => true)
        rescue => e
            STDERR.puts "LDAP search failed: #{e.message}"
            return nil
        end

        # search returns nil when the server rejects the operation, for
        # example when the search credentials are wrong.
        if entries.nil?
            STDERR.puts "LDAP search for #{user} failed"
            return nil
        end

        # Refuse to guess when the filter is ambiguous.
        if entries.size != 1
            STDERR.puts "LDAP search for #{user} returned #{entries.size} entries"
            return nil
        end

        STDERR.puts "Found #{entries.first.dn}"
        entries.first.dn
    end

    # OpenNebula auth driver entry point. token carries the password
    # supplied by the user and is what we bind with.
    def auth(user_id, user, password, token)
        # An empty password turns the bind below into an anonymous or
        # unauthenticated bind (RFC 4513, section 5.1.2), which most servers
        # accept. Never let that count as a successful login.
        if token.nil? || token.empty?
            STDERR.puts "Empty password for user #{user} rejected"
            return false
        end

        dn = getLdapDN(user)
        if dn.nil?
            STDERR.puts "User #{user} not found in LDAP"
            return false
        end

        begin
            if getLdap(dn, token).bind
                STDERR.puts "User #{user} authenticated!"
                return true
            end
        rescue => e
            STDERR.puts "User authentication failed for #{dn}: #{e.message}"
            return false
        end

        STDERR.puts "User #{user} could not be authenticated."
        false
    end
end
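The search step above splices whatever arrives as the login into the filter template, so the login has to be treated as a filter value, never as filter syntax. The block below is an added example, not code from the posted module or from OpenNebula, and it deliberately avoids net-ldap so that it runs without a directory server: it implements the RFC 4515 value escaping, builds the filter from the template exactly as the post describes (with and without escaping), and runs the result through a small in-memory evaluator for the and/or/not/equality/wildcard subset of the filter syntax. The three directory entries, the template and the sample logins are all constructed for the demonstration.

```ruby
# Added example (not from the posted ldap_auth.rb or OpenNebula): RFC 4515
# value escaping and a toy in-memory filter evaluator; no net-ldap needed.

# Filter syntax characters; inside a value they must be hex-escaped
# (RFC 4515, section 3).
FILTER_ESCAPES = {
  "\x00" => '\00', '*' => '\2a', '(' => '\28', ')' => '\29', '\\' => '\5c'
}.freeze

def ldap_filter_escape(value)
  value.gsub(/[\x00*()\\]/) { |c| FILTER_ESCAPES[c] }
end

# Substitute the login into the auth.conf template; escape: false is the plain
# gsub of the posted module. Block form, because the escaped value contains
# backslashes that a gsub replacement string would reinterpret.
def build_filter(template, login, escape: true)
  template.gsub('@@LOGIN@@') { escape ? ldap_filter_escape(login) : login }
end

# Parser for the subset of RFC 4515 needed here (and/or/not and equality items
# with '*' wildcards). Returns nested arrays such as
# [:and, [:eq, "cn", "bob"], [:eq, "objectclass", "user"]].
def parse_filter(str)
  node, rest = parse_node(str.strip)
  raise ArgumentError, "trailing data: #{rest.inspect}" unless rest.empty?
  node
end

def parse_node(s)
  raise ArgumentError, "expected '(' at #{s.inspect}" unless s.start_with?('(')
  s = s[1..-1]
  case s[0]
  when '&', '|'
    op = s[0] == '&' ? :and : :or
    s = s[1..-1]
    kids = []
    until s.start_with?(')')
      raise ArgumentError, 'unterminated filter' if s.empty?
      kid, s = parse_node(s)
      kids << kid
    end
    [[op, *kids], s[1..-1]]
  when '!'
    kid, s = parse_node(s[1..-1])
    raise ArgumentError, "expected ')' at #{s.inspect}" unless s.start_with?(')')
    [[:not, kid], s[1..-1]]
  else
    close = s.index(')')
    raise ArgumentError, 'unterminated item' if close.nil?
    attr, value = s[0...close].split('=', 2)
    raise ArgumentError, "malformed item #{s[0...close].inspect}" if value.nil?
    [[:eq, attr.downcase, value], s[(close + 1)..-1]]
  end
end

# Case-insensitive match (as for cn and objectClass); '*' between literal
# segments matches anything, and \XX escapes compare as the literal they encode.
def value_matches?(assertion, actual)
  return true if assertion == '*'
  pattern = assertion.split('*', -1).map { |part|
    Regexp.escape(part.gsub(/\\([0-9a-fA-F]{2})/) { Regexp.last_match(1).hex.chr })
  }.join('.*')
  !!(actual =~ /\A#{pattern}\z/i)
end

def evaluate(node, entry)
  case node[0]
  when :and then node[1..-1].all? { |k| evaluate(k, entry) }
  when :or  then node[1..-1].any? { |k| evaluate(k, entry) }
  when :not then !evaluate(node[1], entry)
  when :eq  then Array(entry[node[1]]).any? { |v| value_matches?(node[2], v) }
  end
end

# DNs of matching entries in directory order, i.e. the order in which a server
# would return them to getLdapDN, which takes the first one.
def search_dns(directory, filter_str)
  ast = parse_filter(filter_str)
  directory.select { |e| evaluate(ast, e) }.map { |e| e['dn'] }
end

# Constructed sample directory (attribute names as lower-cased keys) and the
# template from the post.
DIRECTORY = [
  { 'dn' => 'cn=admin,ou=people,dc=example,dc=org', 'cn' => 'admin', 'objectclass' => %w[person user] },
  { 'dn' => 'cn=bob,ou=people,dc=example,dc=org', 'cn' => 'bob', 'objectclass' => %w[person user] },
  { 'dn' => 'cn=svc-search,ou=system,dc=example,dc=org', 'cn' => 'svc-search', 'objectclass' => %w[person] }
].freeze
TEMPLATE = '(&(cn=@@LOGIN@@)(objectClass=user))'.freeze

if __FILE__ == $0
  ['bob', '*', 'b*b'].each do |login|
    [false, true].each do |esc|
      filter = build_filter(TEMPLATE, login, escape: esc)
      puts "login=#{login.inspect} escaped=#{esc}  #{filter}  => #{search_dns(DIRECTORY, filter).inspect}"
    end
  end
end
```

Run as a script, it prints each filter next to the DNs it matches. With the plain substitution, a login of "*" (or "b*b") matches every user entry below the base, so the first entry the server returns, and therefore the DN the module goes on to bind as, is picked by the filter rather than by the login; with escaping, the same logins become literal assertions that match nothing unless an entry really is named that way. The in-memory evaluator only exists to make that visible offline; against a real server the escaping is the part that carries over.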