[one-users] LDAP on Ubuntu Precise
Javier Fontan
jfontan at opennebula.org
Wed Jul 3 05:32:25 PDT 2013
I have to test this in more depth with the versions you have. For us
it is working properly and does not let a user with a wrong password
log in. I'll come back to you as soon as I find what could be
happening.
On Sat, Jun 29, 2013 at 3:33 AM, Justin Ryan <justin.ryan at kixeye.com> wrote:
>
> Hi,
>
> I'm pretty new to OpenNebula and had some trouble getting LDAP integration
> to work. I made the following changes to ldap_auth.rb and am now up and
> running. Am I missing something, or does this need a bug (or several bugs)?
> I am not very experienced with ruby, but hacked my way through it.
>
> 1) multi-line ldap.search() statements resulted in syntax errors. Reducing
> them to a single line fixed it
>
> 2) Our LDAP server keeps group members like this:
>
> member: uid=jryan,ou=People,dc=awesome,dc=com
>
> which didn't work as a filter in the group matching section, even when the
> whole search() was on one line. I used a Net::LDAP::Filter object with the
> same filter string, and it worked.
>
> 3) The cloning of the initial Net::LDAP object to test the user's
> credentials resulted in the script binding as the user who did the initial
> search, which of course was able to bind. This meant that no matter what
> password the user passed in, as long as they were in the LDAP directory and
> in the group specified, their user was created in ONE and they could
> repeatedly log in -- security hole!!!!
>
> I wiped out the auth info from the cloned ldap object and replaced it with
> the user's credentials.
>
> root at ops-vm-opennebula:/usr/lib/one/ruby/opennebula# diff
> ldap_auth.rb{,.new} -u
> --- ldap_auth.rb 2013-05-17 10:57:50.000000000 -0700
> +++ ldap_auth.rb.new 2013-06-28 18:24:28.305292002 -0700
> @@ -52,9 +52,7 @@
>
> def find_user(name)
> begin
> - result=@ldap.search(
> - :base => @options[:base],
> - :filter => "#{@options[:user_field]}=#{name}")
> + result=@ldap.search( :base => @options[:base], :filter =>
> "#{@options[:user_field]}=#{name}")
>
> if result && result.first
> [result.first.dn,
> result.first[@options[:user_group_field]]]
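Review bot: the login name is still interpolated verbatim into the filter string (`:filter => "#{@options[:user_field]}=#{name}"`), so a `name` containing `*`, `(`, `)` or `\` changes the meaning of the search; joining the call onto one line only moves the text and does not address that. Build the filter the way the `is_in_group?` hunk of this same patch does, `Net::LDAP::Filter.eq(@options[:user_field], name)`, so the value is handed to the library as data instead of being re-parsed out of a string, and escape the RFC 4515 special characters in `name` before using it.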
> @@ -73,9 +71,8 @@
> end
>
> def is_in_group?(user, group)
> - result=@ldap.search(
> - :base => group,
> - :filter => "(#{@options[:group_field]}=#{user.first})")
> + filter = Net::LDAP::Filter.eq(@options[:group_field],user.first)
> + result=@ldap.search( :base => group, :filter => filter )
>
> if result && result.first
> true
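Review bot: this is the right fix: `Net::LDAP::Filter.eq(@options[:group_field], user.first)` passes the DN as an opaque value, which is why `member: uid=jryan,ou=People,dc=awesome,dc=com` (an `=` and commas inside the value) now matches where the string filter did not. Two follow-ups: apply the same construction in `find_user` so both searches are built alike, and add a one-line comment above `filter = ...` saying why a Filter object rather than an interpolated string is required here, so the next reader does not repeat the debugging described in the mail.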
> @@ -87,13 +84,10 @@
> def authenticate(user, password)
> ldap=@ldap.clone
>
> - auth={
> - :method => @options[:auth_method],
> - :username => user,
> - :password => password
> - }
> + ldap.auth nil,nil
> + ldap.auth user, password
>
> - if ldap.bind(auth)
> + if ldap.bind()
> true
> else
> false
>
>
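Review bot: nothing checks `password` before `ldap.bind()`: an LDAP simple bind with a DN and an empty password is the unauthenticated mechanism of RFC 4513 section 5.1.2, and many servers return success for it, so `authenticate` should `return false if password.nil? || password.empty?` before binding, otherwise the hole this hunk closes for wrong passwords stays open for empty ones. The `ldap.auth nil,nil` line is redundant, since `ldap.auth user, password` on the next line replaces whatever the clone inherited; either drop it or keep it with a comment stating that the clone's service credentials are being discarded on purpose. Note also that the removed hash honoured `@options[:auth_method]` while `ldap.auth` sets a simple bind, so that option no longer has any effect; document that or pass the method through.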
> $ ruby -v
> ruby 1.8.7 (2011-06-30 patchlevel 352) [x86_64-linux]
>
> $ dpkg -l |grep ruby-net-ldap
> ii ruby-net-ldap 0.0.4-1 LDAP
> client library for Ruby
>
> $ cat /etc/issue
> Ubuntu 12.04.2 LTS Server
>
> $ dpkg -l |grep opennebula
> ii opennebula 4.0.1-1
> controller which executes the OpenNebula cluster services
> ii opennebula-common 4.0.1-1 empty
> package to create OpenNebula users and directories
> ii opennebula-node 4.0.1-1 empty
> package to prepare a machine as OpenNebula Node
> ii opennebula-sunstone 4.0.1-1 web
> interface to which executes the OpenNebula cluster services
> ii opennebula-tools 4.0.1-1
> Command-line tools for OpenNebula Cloud
> ii ruby-opennebula 4.0.1-1 Ruby
> bindings for OpenNebula Cloud API (OCA)
>
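Two of the checks a reviewer would want around this driver, written as an added example in plain Ruby and not taken from OpenNebula's ldap_auth.rb or from the patch above: an RFC 4515 escape for a value placed in a search filter (the login name that `find_user` interpolates), and a guard that refuses to attempt a simple bind with an empty password, which RFC 4513 defines as an unauthenticated bind that many servers accept. The helper names (`ldap_filter_escape`, `eq_filter`, `bindable_credentials?`) and the sample DN are this example's own; it does not need the net-ldap gem.

```ruby
# Added example, not OpenNebula code: defensive helpers for an LDAP
# authentication driver, shown without the net-ldap gem so it runs
# stand-alone. All names here are the example's own.

# RFC 4515 escaping for a value placed inside an LDAP search filter.
# Only \ * ( ) and NUL are special in a filter *value*; '=' and ','
# (present in a DN such as "uid=jryan,ou=People,...") need no escaping,
# which is why the value must be treated as opaque text rather than
# re-parsed as part of the filter string.
def ldap_filter_escape(value)
  value.to_s.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

# Build "(attr=value)" with the value escaped: the string form of what
# a Net::LDAP::Filter.eq(attr, value) object represents.
def eq_filter(attr, value)
  "(#{attr}=#{ldap_filter_escape(value)})"
end

# Decide whether a simple bind with these credentials may be attempted
# at all. A simple bind with a DN and an empty password is the
# "unauthenticated" mechanism of RFC 4513 section 5.1.2; many servers
# answer success to it, and the bind then proves nothing about the
# caller. Reject it before any bind is made.
def bindable_credentials?(user_dn, password)
  return false if user_dn.nil? || user_dn.to_s.strip.empty?
  return false if password.nil? || password.empty?
  true
end

if __FILE__ == $0
  # Constructed sample values.
  dn = 'uid=jryan,ou=People,dc=awesome,dc=com'
  puts eq_filter('member', dn)                   # DN passes through unchanged
  puts eq_filter('uid', 'j*ryan)(uid=*')          # wildcards/parentheses are neutralised
  p bindable_credentials?(dn, '')                 # false: empty password refused
  p bindable_credentials?(dn, 'correct horse')    # true
end
```

In a driver built on net-ldap the same two checks sit in front of `find_user` (escape or `Filter.eq` the name) and `authenticate` (refuse empty passwords before `bind`).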
--
Join us at OpenNebulaConf2013 in Berlin from the 24th to the 26th of
September 2013!
Javier Fontán Muiños
Project Engineer
OpenNebula - The Open Source Toolkit for Data Center Virtualization
www.OpenNebula.org | jfontan at opennebula.org | @OpenNebula