[one-users] LDAP on Ubuntu Precise
Justin Ryan
justin.ryan at kixeye.com
Fri Jun 28 18:33:43 PDT 2013
Hi,
I'm pretty new to OpenNebula and had some trouble getting LDAP integration
to work. I made the following changes to ldap_auth.rb and am now up and
running. Am I missing something, or does this need a bug (or several bugs)?
I am not very experienced with Ruby, but hacked my way through it.
1) multi-line ldap.search() statements resulted in syntax errors. Reducing
them to a single line fixed it
2) Our LDAP server keeps group members like this:
member: uid=jryan,ou=People,dc=awesome,dc=com
which didn't work as a filter in the group matching section, even when the
whole search() was on one line. I used a Net::LDAP::Filter object with the
same filter string, and it worked.
3) The cloning of the initial Net::LDAP object to test the user's
credentials resulted in the script binding as the user who did the initial
search, which of course was able to bind. This meant that no matter what
password the user passed in, as long as they were in the LDAP directory and
in the group specified, their user was created in ONE and they could
repeatedly log in -- security hole!!!!
I wiped out the auth info from the cloned ldap object and replaced it with
the user's credentials.
root at ops-vm-opennebula:/usr/lib/one/ruby/opennebula# diff
ldap_auth.rb{,.new} -u
--- ldap_auth.rb 2013-05-17 10:57:50.000000000 -0700
+++ ldap_auth.rb.new 2013-06-28 18:24:28.305292002 -0700
@@ -52,9 +52,7 @@
def find_user(name)
begin
- result=@ldap.search(
- :base => @options[:base],
- :filter => "#{@options[:user_field]}=#{name}")
+ result=@ldap.search( :base => @options[:base], :filter =>
"#{@options[:user_field]}=#{name}")
if result && result.first
[result.first.dn,
result.first[@options[:user_group_field]]]
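Review bot: the rewritten search at the top of this hunk still interpolates the caller-supplied `name` straight into the filter string (`"#{@options[:user_field]}=#{name}"`), so a login name containing filter metacharacters such as `*`, `(`, `)` or `\` changes the query rather than being matched literally. Escape `name` per RFC 4515 before it reaches the filter, or build the filter with a `Net::LDAP::Filter` object from an escaped value, the same way the next hunk does for the group lookup; collapsing the call onto one line changes nothing about the query that is sent.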
@@ -73,9 +71,8 @@
end
def is_in_group?(user, group)
- result=@ldap.search(
- :base => group,
- :filter => "(#{@options[:group_field]}=#{user.first})")
+ filter = Net::LDAP::Filter.eq(@options[:group_field],user.first)
+ result=@ldap.search( :base => group, :filter => filter )
if result && result.first
true
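Review bot: swapping the string filter for `Net::LDAP::Filter.eq(@options[:group_field], user.first)` fixes the match, but it deserves a comment saying why (the member value is a full DN, `uid=jryan,ou=People,dc=awesome,dc=com`, so it must be handed over as an attribute value rather than parsed out of a filter string). Also note that `Filter.eq` does not escape the value it is given, so if a DN returned by the directory could ever contain `(`, `)`, `*` or `\`, escape `user.first` first.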
@@ -87,13 +84,10 @@
def authenticate(user, password)
ldap=@ldap.clone
- auth={
- :method => @options[:auth_method],
- :username => user,
- :password => password
- }
+ ldap.auth nil,nil
+ ldap.auth user, password
- if ldap.bind(auth)
+ if ldap.bind()
true
else
false
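Review bot: `ldap.auth nil,nil` immediately followed by `ldap.auth user, password` is redundant, since the second call overwrites the same credentials; one `auth` call on the clone is enough, and a comment should record that the clone otherwise inherits the search account's bind credentials, which is the bypass this hunk closes. More importantly, nothing here rejects an empty or nil `password` before `ldap.bind()`: an LDAP simple bind with a DN and an empty password is an unauthenticated bind (RFC 4513, section 5.1.2) that many servers accept, which would reopen a bypass for any user whose DN is known. Add a guard that returns false for a blank password. The change also silently drops `@options[:auth_method]`; if the configuration documents that key, note that it is now ignored.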
$ ruby -v
ruby 1.8.7 (2011-06-30 patchlevel 352) [x86_64-linux]
$ dpkg -l |grep ruby-net-ldap
ii ruby-net-ldap 0.0.4-1 LDAP
client library for Ruby
$ cat /etc/issue
Ubuntu 12.04.2 LTS Server
$ dpkg -l |grep opennebula
ii opennebula 4.0.1-1
controller which executes the OpenNebula cluster services
ii opennebula-common 4.0.1-1 empty
package to create OpenNebula users and directories
ii opennebula-node 4.0.1-1 empty
package to prepare a machine as OpenNebula Node
ii opennebula-sunstone 4.0.1-1 web
interface to which executes the OpenNebula cluster services
ii opennebula-tools 4.0.1-1
Command-line tools for OpenNebula Cloud
ii ruby-opennebula 4.0.1-1 Ruby
bindings for OpenNebula Cloud API (OCA)
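The bypass described in point 3 above, modelled in plain Ruby as an added example (this is not the poster's patch nor OpenNebula's ldap_auth.rb): `FakeLdap` is a constructed stand-in for `Net::LDAP` so the example runs without a directory server, `authenticate_vulnerable` reproduces the cloned-connection bug, and `authenticate_fixed` binds with a fresh connection carrying only the user's credentials and refuses blank passwords, since an empty-password simple bind is an unauthenticated bind that many LDAP servers accept.

```ruby
# Constructed stand-in for Net::LDAP: holds bind credentials and answers
# bind against a tiny in-memory directory (DN => password), both made up here.
class FakeLdap
  DIRECTORY = {
    'uid=svc,ou=Service,dc=awesome,dc=com'  => 'service-secret',
    'uid=jryan,ou=People,dc=awesome,dc=com' => 'correct-horse'
  }.freeze

  def initialize(username = nil, password = nil)
    @username = username
    @password = password
  end

  # Like Net::LDAP#auth: replaces the stored credentials.
  def auth(username, password)
    @username = username
    @password = password
  end

  # Simple bind: succeeds only for a matching DN/password pair.
  def bind
    return false if @username.nil? || @username.empty?
    DIRECTORY[@username] == @password
  end
end

# The bug from the post: Object#clone copies @username/@password, so the
# clone still binds as the search account and the user's password is never
# checked at all.
def authenticate_vulnerable(search_ldap, _user_dn, _password)
  ldap = search_ldap.clone
  ldap.bind
end

# Hardened shape: a fresh connection that only ever holds the user's own
# credentials, plus a blank-password guard so an unauthenticated
# (empty-password) bind cannot be mistaken for a successful login.
def authenticate_fixed(user_dn, password, ldap_class = FakeLdap)
  return false if user_dn.nil? || user_dn.empty?
  return false if password.nil? || password.empty?
  ldap = ldap_class.new
  ldap.auth(user_dn, password)
  ldap.bind
end
```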