[one-users] LDAP/AD authentication problems

Andreas Calvo Gómez andreas.calvo at scytl.com
Tue Oct 1 03:27:17 PDT 2013


Javier,
I've tried successfully using the ldap client utils:

With invalid password:
oneadmin at opennebula:~$ ldapsearch -h ad.mydomain.com -D cn=acalvo,cn=Users,dc=mydomain,dc=com -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
     additional info: Simple Bind Failed: NT_STATUS_LOGON_FAILURE

With valid password:
oneadmin at opennebula:~$ ldapsearch -h ad.mydomain.com -D cn=acalvo,cn=Users,dc=mydomain,dc=com -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

We are not using SSL at this moment (I think it was advised not to use 
it in the documentation).

LDAP configuration:
     :user: 'cn=readonly,cn=users,dc=mydomain,dc=com'
     :password: 'mybindpassword'
     :auth_method: :simple
     :host: ad.mydomain.com
     :port: 389
     :base: 'cn=Users,dc=mydomain,dc=com'

AD configuration:
     :user: 'readonly at mydomain.com'
     :password: 'mybindpassword'
     :auth_method: :simple
     :host: ad.mydomain.com
     :port: 389
     #:encryption: :simple_tls
     :base: 'cn=Users,dc=mydomain,dc=com'

In both cases, the output is the same:
oneadmin at opennebula:~$ ./remotes/auth/default/authenticate acalvo badpassword badpassword
Trying server server 1
ldap acalvo CN=acalvo,CN=Users,DC=mydomain,DC=com

Cheers

On 01/10/13 11:56, Javier Fontan wrote:
> Can you check with ldapsearch command? Can you authenticate with that
> command and an invalid password? Are you using ssl?
>
> For our tests we use slapd as ldap server and a Windows 2008 Server as
> Active Directory server.
>
> On Tue, Oct 1, 2013 at 9:52 AM, Andreas Calvo Gómez
> <andreas.calvo at scytl.com> wrote:
>> Javier,
>> We are not using a true AD; instead, we are using Samba 4 as an AD.
>> However, it fails either being configured as AD or just plain LDAP.
>> I may provide the configuration if necessary, just let me know.
>>
>> Regards,
>>
>> On 24/09/13 10:56, Javier Fontan wrote:
>>> I've tested the driver from 4.2 with a Windows 2008 server Active
>>> Directory and it does fail when the password is not correct. Could it be
>>> an Active Directory configuration?
>>>
>>> On Fri, Sep 6, 2013 at 4:57 PM, Andreas Calvo Gómez
>>> <andreas.calvo at scytl.com> wrote:
>>>> Javier,
>>>> Thanks for your time.
>>>> We are running the latest version of OpenNebula as of today: version
>>>> 4.2.0.
>>>>
>>>>
>>>> On 06/09/13 15:23, Javier Fontan wrote:
>>>>> It looks really bad. Could you please give us the OpenNebula version
>>>>> you are using? I'll do my tests here and will let you know.
>>>>>
>>>>> I've created a ticket to keep track of this problem:
>>>>>
>>>>> http://dev.opennebula.org/issues/2307
>>>>>
>>>>>
>>>>> On Wed, Aug 28, 2013 at 6:46 PM, Andreas Calvo Gómez
>>>>> <andreas.calvo at scytl.com> wrote:
>>>>>> Hi all,
>>>>>> I've encountered a strange behavior while trying to configure ONE to
>>>>>> authenticate against an AD, either as a proper AD or as an LDAP.
>>>>>> If a credential is used to query LDAP and retrieve the complete DN for
>>>>>> the user that wants to login, then no matter what password the user has
>>>>>> typed it will be listed as authenticated.
>>>>>>
>>>>>> ldap_auth.conf example:
>>>>>> server 1:
>>>>>>        :user: 'myuser at mydomain.com'
>>>>>>        :password: 'mypassword'
>>>>>>        :auth_method: :simple
>>>>>>        :host: ad.mydomain.com
>>>>>>        :port: 389
>>>>>>        :base: 'dc=mydomain,dc=com'
>>>>>>        :user_field: 'sAMAccountName'
>>>>>> :order:
>>>>>>        - server 1
>>>>>>
>>>>>> If I manually query the authenticate process with a made up password
>>>>>> and secret, it is always listed as authenticated.
>>>>>>
>>>>>> For instance:
>>>>>> oneadmin at opennebula:~$ ./remotes/auth/default/authenticate myuser badpassword badpassword
>>>>>> Trying server server 1
>>>>>> ldap myuser CN=myuser,CN=Users,DC=mydomain,DC=com
>>>>>>
>>>>>> My guess is that the same user that is used to look up users, performs
>>>>>> the authenticate method and always returns a valid user.
>>>>>>
>>>>>> Or maybe I'm missing something.
>>>>>>
>>>>>> Any hint?
>>>>>>
>>>>>> Thanks!
>>>>>
>>>>>
>>>> --
>>>> Andreas Calvo Gómez
>>>> Systems Engineer
>>>> Scytl Secure Electronic Voting
>>>> Plaça Gal·la Placidia, 1-3, 1st floor · 08006 Barcelona
>>>> Phone: + 34 934 230 324
>>>> Fax:   + 34 933 251 028
>>>> http://www.scytl.com
>>>>
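The symptom reported in this thread (a user listed as authenticated whatever password is typed) is what happens when an LDAP driver stops after the service-account lookup instead of rebinding as the user. The following is an added example, not OpenNebula's driver code: it shows the lookup-then-rebind flow with a `lookup_only` switch that reproduces the bug, plus the empty-password guard needed because an empty simple bind is an unauthenticated bind (RFC 4513 5.1.2) that many servers answer with success. The directory and its `bind`/`search` API are a constructed in-memory stand-in, not net-ldap.

```ruby
# Constructed in-memory stand-in for the AD/LDAP directory (DN => attributes).
FAKE_DIRECTORY = {
  'CN=readonly,CN=Users,DC=mydomain,DC=com' =>
    { 'sAMAccountName' => 'readonly', 'userPassword' => 'mybindpassword' },
  'CN=myuser,CN=Users,DC=mydomain,DC=com' =>
    { 'sAMAccountName' => 'myuser', 'userPassword' => 'correct-horse' },
}.freeze

# Fake of the two directory operations the driver needs (assumed API, not net-ldap).
class FakeLdap
  def initialize(directory)
    @directory = directory
  end

  # Simple bind as the server sees it. An empty password is an unauthenticated
  # bind: the server answers success and treats the session as anonymous, so a
  # caller that only checks the bind result would accept it.
  def bind(dn, password)
    return true if password.to_s.empty?
    entry = @directory[dn]
    !entry.nil? && entry['userPassword'] == password
  end

  # Subtree search under base for attr == value; returns the matching DNs.
  def search(base, attr, value)
    @directory.select { |dn, e| dn.downcase.end_with?(base.downcase) && e[attr] == value }.keys
  end
end

# lookup_only: true reproduces the thread's bug (DN found => "authenticated").
class LdapAuthenticator
  def initialize(ldap, conf)
    @ldap = ldap
    @conf = conf
  end

  # Returns the user's DN on success, nil on any failure.
  def authenticate(username, password, lookup_only: false)
    return nil if password.to_s.strip.empty?                       # never let '' reach bind
    return nil unless @ldap.bind(@conf[:user], @conf[:password])   # service account: search only
    dns = @ldap.search(@conf[:base], @conf[:user_field], username)
    return nil unless dns.length == 1                              # unknown or ambiguous user
    user_dn = dns.first
    return user_dn if lookup_only                                  # bug: password never checked
    @ldap.bind(user_dn, password) ? user_dn : nil                  # real check: rebind as the user
  end
end

CONF = { user: 'CN=readonly,CN=Users,DC=mydomain,DC=com', password: 'mybindpassword',
         base: 'CN=Users,DC=mydomain,DC=com', user_field: 'sAMAccountName' }.freeze
AUTH = LdapAuthenticator.new(FakeLdap.new(FAKE_DIRECTORY), CONF)
```

Running `AUTH.authenticate('myuser', 'badpassword', lookup_only: true)` returns the DN exactly as the `authenticate` output in the thread does, while the default path returns nil for a wrong or empty password.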