[one-users] Unable to login to Sunstone/OCCI via LDAP (Users Digest, Vol 60, Issue 16)

Rolandas Naujikas rolandas.naujikas at mif.vu.lt
Wed Feb 6 22:28:18 PST 2013


Hi,

We made the OpenNebula (3.8.3) Self Service portal (OCCI web UI) work 
with LDAP authentication by using this patch:

sed -i 's/CryptoJS.SHA1(password)/password/' /(location of depends on installation)/occi/ui/public/js/login.js

and putting ":auth: occi" into occi-server.conf

That is because OCCI transfers the SHA1-hashed password to occi-server, and 
it could not do an LDAP bind with it (except if your LDAP contains clear 
text passwords or the SHA1 hash). With this patch the clear password is 
transported to occi-server and it can do an LDAP bind for LDAP users.

Regards, Rolandas Naujikas

P.S. We are using https reverse proxy also.

On 2013-02-06 15:15, Vassilis Vatikiotis wrote:
> Hello all,
>
> I'm trying to enable the LDAP auth method so my users can login to
> OCCI web UI and although I've followed the steps from the docs on the ONE
> site so far I haven't managed it.
>
> The /etc/one/oned.conf AUTH_MAD section is:
> AUTH_MAD = [
>      executable = "one_auth_mad",
>      authn = "ssh,x509,ldap,default,server_cipher,server_x509"
> ]
>
> The /etc/one/auth/ldap_auth.conf is:
> server 1:
>      :user: 'cn=xxx,ou=xxxx,dc=xxx,dc=xxx,dc=xxx'
>      :password: 'xxxx'
>      :auth_method: :simple
>      :host: 'ldap.xxx.xxx.xxx'
>      :port: 389
>      :base: 'ou=xxx,dc=xxx,dc=xxx,dc=xxx'
>      :user_field: 'uid'
>
> :order:
>      - server 1
>
> The above ldap settings work as I've tested them inside irb, using the
> ruby class defined in /etc/lib/one/ruby/ldap_auth.rb. I can search my
> LDAP database and get results.
>
> I've also copied the ldap directory to a default one, like,
> $ cp -R /var/lib/one/remotes/auth/ldap /var/lib/one/remotes/auth/default
>
> What puzzles me is that whenever I try to login to OCCI (or sunstone)
> I cannot see any auth related queries in /var/log/one/oned.log. It's
> as if the ldap and default settings in authn of AUTH_MAD are completely
> ignored. At the same time, no queries are performed in the LDAP
> backend.
>
> I haven't done the last step, creating a $HOME/.one/one_auth file
> containing a user_dn:password entry, because I'm unsure of what it means.
>
> Any ideas?
>
>
>
>
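To make Rolandas' explanation concrete, here is a small Ruby model (an added example, not OpenNebula's own code) of the two halves of the problem: what the OCCI login.js sends before and after the sed patch, and what a directory does with it on a simple bind. The directory is a constructed stand-in, not Net::LDAP; it stores userPassword either as plaintext or as an OpenLDAP-style "{SHA}" verifier, which is enough to show why the hashed credential cannot bind, and why the one exception Rolandas mentions (a directory that literally stores the SHA1 digest as the password) does bind. The base DN, the user entries and their passwords are assumptions for the example.

```ruby
require 'digest'

# Browser side. Stock OCCI login.js posts CryptoJS.SHA1(password) as a hex
# digest; after the sed patch it posts the raw password.
def client_credential(password, patched:)
  patched ? password : Digest::SHA1.hexdigest(password)
end

# Constructed stand-in for the LDAP server occi-server binds against.
# userPassword is stored RFC 2307 style: plaintext, or "{SHA}<base64 sha1>".
# A simple bind applies the stored scheme to the supplied credential and
# compares, so the server must receive the real password to succeed.
class FakeDirectory
  def initialize(entries)
    @entries = entries # dn => stored userPassword (sample data)
  end

  def sha_verifier(secret)
    '{SHA}' + [Digest::SHA1.digest(secret)].pack('m0')
  end

  def simple_bind(dn, credential)
    stored = @entries[dn]
    return false if stored.nil?
    if stored.start_with?('{SHA}')
      stored == sha_verifier(credential)
    else
      stored == credential
    end
  end
end

# occi-server side, modelled after what an ldap_auth-style driver does:
# build the DN from :user_field and :base, then bind with what the browser sent.
def ldap_authenticate(directory, base, user_field, username, credential)
  directory.simple_bind("#{user_field}=#{username},#{base}", credential)
end

BASE = 'ou=people,dc=example,dc=org' # assumed base DN
DIRECTORY = FakeDirectory.new({
  # alice: the normal case, a {SHA} verifier of the password "s3cret"
  "uid=alice,#{BASE}" => '{SHA}' + [Digest::SHA1.digest('s3cret')].pack('m0'),
  # bob: the exception, the directory stores the SHA1 hex digest itself as
  # the password, so the hashed credential the stock UI sends binds directly
  "uid=bob,#{BASE}" => Digest::SHA1.hexdigest('hunter2')
})

def login_result(username, password, patched:)
  cred = client_credential(password, patched: patched)
  ldap_authenticate(DIRECTORY, BASE, 'uid', username, cred)
end

if __FILE__ == $0
  [['alice', 's3cret', false], ['alice', 's3cret', true],
   ['bob', 'hunter2', false], ['bob', 'hunter2', true]].each do |u, p, patched|
    puts "#{u} via #{patched ? 'patched' : 'stock'} login.js: #{login_result(u, p, patched: patched)}"
  end
end
```

Note the flip side the model also shows: once login.js is patched, a directory that only holds the SHA1 digest stops accepting logins, because the bind now receives the plaintext. And since the patched UI puts the clear password on the wire, the https reverse proxy Rolandas mentions is not optional; the credential is only as protected as the transport in front of occi-server.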



