[one-users] LDAP/AD authentication problems

Javier Fontan jfontan at opennebula.org
Tue Oct 1 02:56:16 PDT 2013


Can you check with the ldapsearch command? Can you authenticate with that
command and an invalid password? Are you using SSL?

For our tests we use slapd as ldap server and a Windows 2008 Server as
Active Directory server.

On Tue, Oct 1, 2013 at 9:52 AM, Andreas Calvo Gómez
<andreas.calvo at scytl.com> wrote:
> Javier,
> We are not using a true AD; instead, we are using Samba 4 as an AD.
> However, it fails either being configured as AD or just plain LDAP.
> I may provide the configuration if necessary, just let me know.
>
> Regards,
>
> On 24/09/13 10:56, Javier Fontan wrote:
>>
>> I've tested the driver from 4.2 with a Windows 2008 Server Active
>> Directory and it does fail when the password is not correct. Could it be
>> an Active Directory configuration?
>>
>> On Fri, Sep 6, 2013 at 4:57 PM, Andreas Calvo Gómez
>> <andreas.calvo at scytl.com> wrote:
>>>
>>> Javier,
>>> Thanks for your time.
>>> We are running the latest version of OpenNebula as of today: version
>>> 4.2.0.
>>>
>>>
>>> On 06/09/13 15:23, Javier Fontan wrote:
>>>>
>>>> It looks really bad. Could you please give us the OpenNebula version
>>>> you are using? I'll do my tests here and will let you know.
>>>>
>>>> I've created a ticket to keep track of this problem:
>>>>
>>>> http://dev.opennebula.org/issues/2307
>>>>
>>>>
>>>> On Wed, Aug 28, 2013 at 6:46 PM, Andreas Calvo Gómez
>>>> <andreas.calvo at scytl.com> wrote:
>>>>>
>>>>> Hi all,
>>>>> I've encountered a strange behavior while trying to configure ONE to
>>>>> authenticate against an AD, either as a proper AD or as an LDAP.
>>>>> If a credential is used to query LDAP and retrieve the complete DN for
>>>>> the user that wants to log in, then no matter what password the user
>>>>> has typed, it will be listed as authenticated.
>>>>>
>>>>> ldap_auth.conf example:
>>>>> server 1:
>>>>>       :user: 'myuser at mydomain.com'
>>>>>       :password: 'mypassword'
>>>>>       :auth_method: :simple
>>>>>       :host: ad.mydomain.com
>>>>>       :port: 389
>>>>>       :base: 'dc=mydomain,dc=com'
>>>>>       :user_field: 'sAMAccountName'
>>>>> :order:
>>>>>       - server 1
>>>>>
>>>>> If I manually query the authenticate process with a made-up password
>>>>> and secret, it is always listed as authenticated.
>>>>>
>>>>> For instance:
>>>>> oneadmin at opennebula:~$ ./remotes/auth/default/authenticate myuser
>>>>> badpassword badpassword
>>>>> Trying server server 1
>>>>> ldap myuser CN=myuser,CN=Users,DC=mydomain,DC=com
>>>>>
>>>>> My guess is that the same user that is used to look up users performs
>>>>> the authenticate method and always returns a valid user.
>>>>>
>>>>> Or maybe I'm missing something.
>>>>>
>>>>> Any hint?
>>>>>
>>>>> Thanks!
>>>>
>>>>
>>>>
>>> --
>>> Andreas Calvo Gómez
>>> Systems Engineer
>>> Scytl Secure Electronic Voting
>>> Plaça Gal·la Placidia, 1-3, 1st floor · 08006 Barcelona
>>> Phone: + 34 934 230 324
>>> Fax:   + 34 933 251 028
>>> http://www.scytl.com
>>>
>>>
>>
>>
>



-- 
Javier Fontán Muiños
Developer
OpenNebula - The Open Source Toolkit for Data Center Virtualization
www.OpenNebula.org | @OpenNebula | github.com/jfontan
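The failure mode Andreas describes (the lookup account's bind standing in for the user's own bind) and the check Javier asks for, as an added example that is not the thread's or OpenNebula's code. It runs in Python against a constructed in-memory directory; `DIRECTORY`, `CONFIG`, `simple_bind`, `search_dn`, `authenticate_broken` and `authenticate_fixed` are all hypothetical names, and the directory contents are made up.

```python
# Added example (not OpenNebula's ldap_auth driver): two-step LDAP login
# against a constructed in-memory stand-in for the directory, so it runs
# offline. Step 1 binds with the configured lookup account and resolves the
# user's DN; step 2 binds again as that DN with the password the user typed.
# Skipping step 2, as the thread suspects the driver did, accepts any password.

# Constructed directory: DN -> (sAMAccountName, password). Not real data.
DIRECTORY = {
    "CN=myuser,CN=Users,DC=mydomain,DC=com": ("myuser", "realpassword"),
    "CN=svc,CN=Users,DC=mydomain,DC=com": ("svc", "mypassword"),
}
# Mirrors the :user/:password/:base/:user_field keys of ldap_auth.conf.
CONFIG = {"user": "CN=svc,CN=Users,DC=mydomain,DC=com", "password": "mypassword",
          "base": "DC=mydomain,DC=com", "user_field": "sAMAccountName"}

def simple_bind(dn, password):
    """Stand-in for an LDAP simple bind. As with AD and Samba, a DN with an
    empty password is an *unauthenticated* bind: it succeeds as anonymous."""
    if password == "":
        return True  # nothing was verified
    entry = DIRECTORY.get(dn)
    return entry is not None and entry[1] == password

def search_dn(user_field, value):
    """Stand-in for the ldapsearch done under the lookup account's session."""
    for dn, (name, _) in DIRECTORY.items():
        if user_field == "sAMAccountName" and name == value:
            return dn
    return None

def authenticate_broken(username, password):
    """Reproduces the reported behaviour: only the lookup account ever binds,
    so the result never depends on the password the user supplied."""
    if not simple_bind(CONFIG["user"], CONFIG["password"]):
        return None
    return search_dn(CONFIG["user_field"], username)

def authenticate_fixed(username, password):
    """Lookup bind, DN search, then a second bind as the user's own DN.
    Empty passwords are refused up front so an unauthenticated bind cannot
    pass for a successful login."""
    if not password:
        return None
    if not simple_bind(CONFIG["user"], CONFIG["password"]):
        return None
    dn = search_dn(CONFIG["user_field"], username)
    if dn is None or not simple_bind(dn, password):
        return None
    return dn
```

The same two checks apply to a real driver: a wrong password and an empty password must both fail, which is what running ldapsearch with the user's own DN and a bad password confirms against the live server.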


