[one-users] LDAP/AD authentication problems
Andreas Calvo Gómez
andreas.calvo at scytl.com
Tue Oct 1 03:27:17 PDT 2013
Javier,
I've tried successfully using the ldap client utils:
With invalid password:
oneadmin@opennebula:~$ ldapsearch -h ad.mydomain.com -D cn=acalvo,cn=Users,dc=mydomain,dc=com -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
additional info: Simple Bind Failed: NT_STATUS_LOGON_FAILURE
With valid password:
oneadmin@opennebula:~$ ldapsearch -h ad.mydomain.com -D cn=acalvo,cn=Users,dc=mydomain,dc=com -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
We are not using SSL at this moment (I think it was advised not to use
it in the documentation).
LDAP configuration:
:user: 'cn=readonly,cn=users,dc=mydomain,dc=com'
:password: 'mybindpassword'
:auth_method: :simple
:host: ad.mydomain.com
:port: 389
:base: 'cn=Users,dc=mydomain,dc=com'
AD configuration:
:user: 'readonly@mydomain.com'
:password: 'mybindpassword'
:auth_method: :simple
:host: ad.mydomain.com
:port: 389
#:encryption: :simple_tls
:base: 'cn=Users,dc=mydomain,dc=com'
In both cases, the output is the same:
oneadmin@opennebula:~$ ./remotes/auth/default/authenticate acalvo badpassword badpassword
Trying server server 1
ldap acalvo CN=acalvo,CN=Users,DC=mydomain,DC=com
Cheers
On 01/10/13 11:56, Javier Fontan wrote:
> Can you check with ldapsearch command? Can you authenticate with that
> command and an invalid password? Are you using ssl?
>
> For our tests we use slapd as ldap server and a Windows 2008 Server as
> Active Directory server.
>
> On Tue, Oct 1, 2013 at 9:52 AM, Andreas Calvo Gómez
> <andreas.calvo at scytl.com> wrote:
>> Javier,
>> We are not using a true AD; instead, we are using Samba 4 as an AD.
>> However, it fails either being configured as AD or just plain LDAP.
>> I may provide the configuration if necessary, just let me know.
>>
>> Regards,
>>
>> On 24/09/13 10:56, Javier Fontan wrote:
>>> I've tested the driver from 4.2 with a Windows 2008 Server Active
>>> Directory and it does fail when the password is not correct. Could it be
>>> an Active Directory configuration?
>>>
>>> On Fri, Sep 6, 2013 at 4:57 PM, Andreas Calvo Gómez
>>> <andreas.calvo at scytl.com> wrote:
>>>> Javier,
>>>> Thanks for your time.
>>>> We are running the latest version of OpenNebula as of today: version
>>>> 4.2.0.
>>>>
>>>>
>>>> On 06/09/13 15:23, Javier Fontan wrote:
>>>>> It looks really bad. Could you please give us the OpenNebula version
>>>>> you are using? I'll do my tests here and will let you know.
>>>>>
>>>>> I've created a ticket to keep track of this problem:
>>>>>
>>>>> http://dev.opennebula.org/issues/2307
>>>>>
>>>>>
>>>>> On Wed, Aug 28, 2013 at 6:46 PM, Andreas Calvo Gómez
>>>>> <andreas.calvo at scytl.com> wrote:
>>>>>> Hi all,
>>>>>> I've encountered a strange behavior while trying to configure ONE to
>>>>>> authenticate against an AD, either as a proper AD or as an LDAP.
>>>>>> If a credential is used to query LDAP and retrieve the complete DN for
>>>>>> the user that wants to login, then no matter what password the user
>>>>>> has typed it will be listed as authenticated.
>>>>>>
>>>>>> ldap_auth.conf example:
>>>>>> server 1:
>>>>>> :user: 'myuser at mydomain.com'
>>>>>> :password: 'mypassword'
>>>>>> :auth_method: :simple
>>>>>> :host: ad.mydomain.com
>>>>>> :port: 389
>>>>>> :base: 'dc=mydomain,dc=com'
>>>>>> :user_field: 'sAMAccountName'
>>>>>> :order:
>>>>>> - server 1
>>>>>>
>>>>>> If I manually query the authenticate process with a made up password
>>>>>> and secret, it is always listed as authenticated.
>>>>>>
>>>>>> For instance:
>>>>>> oneadmin@opennebula:~$ ./remotes/auth/default/authenticate myuser badpassword badpassword
>>>>>> Trying server server 1
>>>>>> ldap myuser CN=myuser,CN=Users,DC=mydomain,DC=com
>>>>>>
>>>>>> My guess is that the same user that is used to look up users performs
>>>>>> the authenticate method and always returns a valid user.
>>>>>>
>>>>>> Or maybe I'm missing something.
>>>>>>
>>>>>> Any hint?
>>>>>>
>>>>>> Thanks!
>>>>>> _______________________________________________
>>>>>> Users mailing list
>>>>>> Users at lists.opennebula.org
>>>>>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>>>>
>>>>>
>>>> --
>>>> Andreas Calvo Gómez
>>>> Systems Engineer
>>>> Scytl Secure Electronic Voting
>>>> Plaça Gal·la Placidia, 1-3, 1st floor · 08006 Barcelona
>>>> Phone: + 34 934 230 324
>>>> Fax: + 34 933 251 028
>>>> http://www.scytl.com
>>>>
>>>>
>>>
>
>
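As an added example (not OpenNebula's ldap_auth driver code), this contrasts the flawed flow the thread observes, where finding the user's DN is treated as authentication, with the correct flow that binds a second time as that DN with the password typed at login. A constructed in-memory directory stands in for the Samba/AD server so it runs offline; names mirror the configuration posted above.

```ruby
# Added example, not OpenNebula's ldap_auth driver: the two binds a DN-lookup
# authenticator must perform. DIRECTORY is a constructed stand-in for the
# AD/Samba server; DNs and the bind account mirror the thread's ldap_auth.conf.
DIRECTORY = {                     # constructed: dn => attributes + password
  'cn=readonly,cn=users,dc=mydomain,dc=com' =>
    { 'sAMAccountName' => 'readonly', pw: 'mybindpassword' },
  'cn=acalvo,cn=users,dc=mydomain,dc=com' =>
    { 'sAMAccountName' => 'acalvo', pw: 'correct-horse' },
}.freeze

CFG = { user: 'cn=readonly,cn=users,dc=mydomain,dc=com', password: 'mybindpassword',
        base: 'cn=users,dc=mydomain,dc=com', user_field: 'sAMAccountName' }.freeze

# Minimal stand-in for an LDAP connection: simple bind plus subtree search.
class FakeLdap
  def initialize(dir)
    @dir = dir
    @bound = nil
  end

  # Simple bind. As with an RFC 4513 "unauthenticated bind" (accepted by AD
  # by default), a known DN with an EMPTY password succeeds at protocol level.
  def bind(dn, password)
    entry = @dir[dn.downcase]
    @bound = entry && (password.empty? || entry[:pw] == password) ? dn : nil
    !@bound.nil?
  end

  # Search for attr=value beneath base; requires a bound connection.
  def search(base, attr, value)
    raise 'search on an unbound connection' unless @bound
    @dir.keys.select { |dn| dn.end_with?(base.downcase) && @dir[dn][attr] == value }
  end
end

# Flawed flow (what the thread observes): the service account binds, the
# user's DN is found, and "DN found" is treated as "authenticated".
def authenticate_lookup_only(ldap, cfg, login, _password)
  return nil unless ldap.bind(cfg[:user], cfg[:password])
  ldap.search(cfg[:base], cfg[:user_field], login).first
end

# Correct flow: after the lookup, bind AGAIN as the user's own DN with the
# password typed at login; only that bind proves the password. Empty
# passwords are rejected first so an unauthenticated bind cannot pass.
def authenticate_with_user_bind(ldap, cfg, login, password)
  return nil if password.to_s.empty?
  return nil unless ldap.bind(cfg[:user], cfg[:password])
  dn = ldap.search(cfg[:base], cfg[:user_field], login).first
  dn && ldap.bind(dn, password) ? dn : nil
end
```

Running `authenticate_lookup_only` with 'badpassword' still returns the acalvo DN, which is exactly the symptom in the thread; `authenticate_with_user_bind` returns nil for a wrong or empty password and the DN only for the real one.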