[one-users] extended ldap_auth module

Carsten.Friedrich at csiro.au Carsten.Friedrich at csiro.au
Wed Feb 2 15:52:36 PST 2011


The current ldap_auth module is assuming that the username is the same as the LDAP dn entry. In more complex LDAP installations this is often not the case and LDAP authentication is a bit more complicated:

* Bind as a dedicated "search LDAP user"
* Search the directory tree for the username
* Get the DN from the search result
* Bind as the DN with the user password

 I modified the current ldap_auth.rb to use this more complex process if the auth.conf file defines "search_filter". In this case it expects "search_filter" to contain a suitable search string with "@@LOGIN@@" instead of the user name (to be replaced at runtime). E.g. something like: "(&(cn=@@LOGIN@@)(objectClass=user))"

It also expects the following config entries:
* sec_principal : the DN of the LDAP search user.
* sec_passwd: The password for the sec_principal
* search_base: The base in the LDAP tree from which to search

Code below:

# --------------------------------------------------------------------------
# Copyright 2010, C12G Labs S.L., CSIRO
#
# This file is part of OpenNebula Ldap Authentication.
#
# OpenNebula Ldap Authentication is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or the hope
# That it will be useful, but (at your option) any later version.
#
# OpenNebula Ldap Authentication is distributed in WITHOUT ANY WARRANTY; without even
# the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE.  See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with OpenNebula Ldap Authentication . If not, see <http://www.gnu.org/licenses/>
# --------------------------------------------------------------------------
require 'rubygems'

require 'net/ldap'

# Ldap authentication module.

class LdapAuth
    def initialize(config)
        @config = config
    end

    def getLdap(user, password)
      ldap = Net::LDAP.new
      ldap.host = @config[:ldap][:host]
      ldap.port = @config[:ldap][:port]
      ldap.auth user, password
      ldap
    end

    def getLdapDN(user)
      search_filter = @config[:ldap][:search_filter]
      if (search_filter.nil?)
        return user
      end

      search_filter = search_filter.gsub("@@LOGIN@@", user)
      ldap = getLdap(@config[:ldap][:sec_principal], @config[:ldap][:sec_passwd])
      begin
        ldap.search( :base => @config[:ldap][:search_base], :attributes => 'dn',
                     :filter => search_filter, :return_result => true ) do |entry|
          STDERR.puts "Found #{entry.dn}"
          return entry.dn
        end
      rescue Exception => e
        STDERR.puts "LDAP search failed: #{e.message}"
      end
      return nil
    end

    def auth(user_id, user, password, token)
      dn = getLdapDN(user)
      if(dn.nil?)
        STDERR.puts("User #{user} not found in LDAP")
        return false
      end

      begin
        if getLdap(dn, token).bind
          STDERR.puts "User #{user} authenticated!"
          return true
        end
      rescue  Exception => e
        STDERR.puts "User authentication failed for #{entry.dn}: #{e.message}"
        return false
      end

      STDERR.puts "User #{user} could not be authenticated."
      return false
    end
  end

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opennebula.org/pipermail/users-opennebula.org/attachments/20110203/99e131db/attachment.htm>


More information about the Users mailing list