[one-users] Opennebula - Active Directory authentication intergration

Javier Fontan jfontan at opennebula.org
Tue Sep 3 12:58:18 PDT 2013


Do you have any non-word characters in the DN? Like <, >, [, ] and such.


On Tue, Sep 3, 2013 at 4:36 AM, Shek Mohd Fahmi Abdul Latip <
fahmi.latip at mimos.my> wrote:

> Hi,
>
> Here are my one/auth/ldap_auth.conf settings:
>
> server 1:
>     :user: 'one***@*****.****'
>     :password: '********'
>     :auth_method: :simple
>     :host: 10.*.*.*
>     :port: 389
>     :base: 'OU=******,DC=****,DC=******'
>     :user_field: 'sAMAccountName'
>
> :order:
>     - server 1
>
> And this is what my oned.conf looks like:
>
> LOG = [
>   system      = "file",
>   debug_level = 3
> ]
>
> MANAGER_TIMER = 5
>
> MONITORING_INTERVAL              = 10
>
> SCRIPTS_REMOTE_DIR=/var/tmp/one
>
> PORT = 2633
>
> DB = [ backend = "mysql",
>         server  = "localhost",
>         port    = 0,
>         user    = "*******",
>         passwd  = "********",
>         db_name = "opennebula" ]
>
> VNC_BASE_PORT = 5900
>
> NETWORK_SIZE = 254
>
> MAC_PREFIX   = "02:00"
>
> DATASTORE_CAPACITY_CHECK = "yes"
>
> DEFAULT_IMAGE_TYPE    = "OS"
> DEFAULT_DEVICE_PREFIX = "hd"
>
> IM_MAD = [
>       name       = "kvm",
>       executable = "one_im_ssh",
>       arguments  = "-r 0 -t 15 kvm" ]
>
> VM_MAD = [
>     name       = "kvm",
>     executable = "one_vmm_exec",
>     arguments  = "-t 15 -r 0 kvm",
>     default    = "vmm_exec/vmm_exec_kvm.conf",
>     type       = "kvm" ]
>
> TM_MAD = [
>     executable = "one_tm",
>     arguments  = "-t 15 -d dummy,lvm,shared,qcow2,ssh,vmfs,iscsi,ceph" ]
>
> DATASTORE_MAD = [
>     executable = "one_datastore",
>     arguments  = "-t 15 -d dummy,fs,vmfs,iscsi,lvm,ceph"
> ]
>
> HM_MAD = [
>     executable = "one_hm" ]
>
> HOST_HOOK = [
>     name      = "error",
>     on        = "ERROR",
>     command   = "ft/host_error.rb",
>     arguments = "$ID -r",
>     remote    = "no" ]
>
> VM_HOOK = [
>    name      = "on_failure_recreate",
>    on        = "FAILED",
>    command   = "/usr/bin/env onevm delete --recreate",
>    arguments = "$ID" ]
>
> AUTH_MAD = [
>     executable = "one_auth_mad",
>     authn = "ssh,x509,ldap,server_cipher,server_x509,default"
> ]
>
> SESSION_EXPIRATION_TIME = 900
>
> DEFAULT_UMASK = 177
>
> VM_RESTRICTED_ATTR = "CONTEXT/FILES"
> VM_RESTRICTED_ATTR = "NIC/MAC"
> VM_RESTRICTED_ATTR = "NIC/VLAN_ID"
>
> IMAGE_RESTRICTED_ATTR = "SOURCE"
>
> ONEGATE_ENDPOINT = "http://1**.******:5030"
>
> Best regards,
> .fahmie
>
>
> *From:* Jonathan Chen [mailto:simon8233 at gmail.com]
> *Sent:* Monday, September 02, 2013 10:08 PM
> *To:* Shek Mohd Fahmi Abdul Latip
> *Cc:* users at lists.opennebula.org; Hadi Noira Omar
> *Subject:* Re: [one-users] Opennebula - Active Directory authentication
> intergration
>
> Maybe you can show your configuration files, like ldap_conf, oned.conf, etc.
>
> Hide your IP, account and password.
>
> That will help them to solve your problem.
>
> Jonathan
>
>
> 2013/9/2 Shek Mohd Fahmi Abdul Latip <fahmi.latip at mimos.my>
>
> Hi experts,
>
> I'm using the latest OpenNebula 4.2 on CentOS 6.4. Right now I'm in the middle
> of integrating the authentication system with MS-AD through the LDAP protocol.
>
> Based on the documentation:
>
> To be able to use this driver for users that are still not in the user
> database you must set it to the default driver. To do this go to the auth
> drivers directory and copy the directory ldap to default. In system-wide
> installations you can do this using this command:
>
> $ cp -R /var/lib/one/remotes/auth/ldap /var/lib/one/remotes/auth/default
>
> What I understand is that if the user account does not exist in the OpenNebula
> database, it will still be able to retrieve and authenticate via LDAP/AD. I
> did this configuration and somehow I got the error mentioned below.
>
> I've followed the documentation provided at
> http://opennebula.org/documentation:rel4.2:ldap#active_directory; somehow
> it works partially, with an error that I can't really understand.
>
> Here is the error message that can be found in oned.log:
>
> Mon Sep  2 11:24:05 2013 [AuM][D]: Message received: AUTHENTICATE SUCCESS
> 16 ldap fahmi.latipCN=******,OU=******,OU=*****,OU=Users,OU=*****,DC=******,DC=*******
>
> Mon Sep  2 11:24:05 2013 [AuM][E]: Can't create user: Error transforming
> the User to XML.. Driver response: ldap fahmi.latip
> CN=******,OU=******,OU=*****,OU=Users,OU=*****,DC=******,DC=*******
>
> Mon Sep  2 11:24:05 2013 [ReM][D]: Req:9744 UID:- UserInfo invoked, -1
>
> Mon Sep  2 11:24:05 2013 [ReM][E]: Req:9744 UID:- UserInfo result FAILURE
> [UserInfo] User couldn't be authenticated, aborting call.
>
> Has anyone faced a similar issue before? Any clue what action needs to be
> taken to solve this problem? Or is this method somehow impossible?
>
> Best regards,
> .fahmie
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opennebula.org
> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>


-- 
Join us at OpenNebulaConf2013 in Berlin from the 24th to the 26th of
September 2013!

Javier Fontán Muiños
Developer
OpenNebula - The Open Source Toolkit for Data Center Virtualization
www.OpenNebula.org | @OpenNebula | github.com/jfontan
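Javier's question above is about DN characters that are also XML metacharacters. As an added example, not code from this thread or from OpenNebula, the Python below vets a DN for non-word characters and shows why a DN containing `<`, `>` or `&` breaks a naively built XML user record while an escaped one parses; the USER record layout, the sample DNs and the assumption that the DN is stored as a text value in the record (as the driver response in the log suggests) are all constructed for the illustration.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Characters outside the "word" set that the reply above asks about. Several of
# them (<, >, &, quotes) are also significant to XML, which is where an
# "Error transforming the User to XML" would come from if a DN containing them
# were interpolated into a record without escaping.
SUSPECT = re.compile(r"[^\w\s=,.\-@]")


def suspect_chars(dn: str) -> set:
    """Return the non-word characters in a DN, so it can be vetted before use."""
    return set(SUSPECT.findall(dn))


def user_xml(name: str, driver: str, secret: str) -> str:
    """Hypothetical, naive USER record: values are interpolated verbatim.
    Constructed illustration only, not OpenNebula's own code."""
    return (f"<USER><NAME>{name}</NAME><AUTH_DRIVER>{driver}</AUTH_DRIVER>"
            f"<PASSWORD>{secret}</PASSWORD></USER>")


def safe_user_xml(name: str, driver: str, secret: str) -> str:
    """Same record, with every value XML-escaped before interpolation."""
    quotes = {'"': "&quot;", "'": "&apos;"}
    return user_xml(escape(name, quotes), escape(driver, quotes),
                    escape(secret, quotes))


def xml_parses(doc: str) -> bool:
    """True if the document is well-formed XML."""
    try:
        ET.fromstring(doc)
        return True
    except ET.ParseError:
        return False


# Constructed sample DNs (not the poster's redacted values).
CLEAN_DN = "CN=jdoe,OU=Users,DC=example,DC=com"
ANGLE_DN = "CN=John Smith <jsmith>,OU=Users,DC=example,DC=com"
AMP_DN = "CN=jdoe,OU=R&D,DC=example,DC=com"

if __name__ == "__main__":
    for dn in (CLEAN_DN, ANGLE_DN, AMP_DN):
        print(dn, "suspect:", suspect_chars(dn) or "-",
              "raw ok:", xml_parses(user_xml("jdoe", "ldap", dn)),
              "escaped ok:", xml_parses(safe_user_xml("jdoe", "ldap", dn)))
```

Running `suspect_chars` over the DNs your directory returns is a quick way to find accounts that will hit this error before they try to log in.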