[one-users] Opennebula - Active Directory authentication integration

Shek Mohd Fahmi Abdul Latip fahmi.latip at mimos.my
Tue Sep 3 17:39:42 PDT 2013


Hi Javier,

Yes, I have "_" (a normal underscore symbol) inside one of my DN entries, in the OU name. Is there any problem with that? If yes, is there any workaround to make it work? Kindly advise.

Best regards,
.fahmie

From: Javier Fontan [mailto:jfontan at opennebula.org]
Sent: Wednesday, September 04, 2013 3:58 AM
To: Shek Mohd Fahmi Abdul Latip
Cc: users at lists.opennebula.org; Hadi Noira Omar
Subject: Re: [one-users] Opennebula - Active Directory authentication integration

Do you have any non-word characters in the DN? Like <, >, [, ] and such.

On Tue, Sep 3, 2013 at 4:36 AM, Shek Mohd Fahmi Abdul Latip <fahmi.latip at mimos.my> wrote:
Hi,

Here is my one/auth/ldap_auth.conf settings:

server 1:
    :user: 'one***@*****.****'
    :password: '********'
    :auth_method: :simple
    :host: 10.*.*.*
    :port: 389
    :base: 'OU=******,DC=****,DC=******'
    :user_field: 'sAMAccountName'

:order:
    - server 1

And this is what my oned.conf looks like:

LOG = [
  system      = "file",
  debug_level = 3
]

MANAGER_TIMER = 5

MONITORING_INTERVAL              = 10

SCRIPTS_REMOTE_DIR=/var/tmp/one

PORT = 2633

DB = [ backend = "mysql",
        server  = "localhost",
        port    = 0,
        user    = "*******",
        passwd  = "********",
        db_name = "opennebula" ]

VNC_BASE_PORT = 5900

NETWORK_SIZE = 254

MAC_PREFIX   = "02:00"


DATASTORE_CAPACITY_CHECK = "yes"

DEFAULT_IMAGE_TYPE    = "OS"
DEFAULT_DEVICE_PREFIX = "hd"


IM_MAD = [
      name       = "kvm",
      executable = "one_im_ssh",
      arguments  = "-r 0 -t 15 kvm" ]


VM_MAD = [
    name       = "kvm",
    executable = "one_vmm_exec",
    arguments  = "-t 15 -r 0 kvm",
    default    = "vmm_exec/vmm_exec_kvm.conf",
    type       = "kvm" ]

TM_MAD = [
    executable = "one_tm",
    arguments  = "-t 15 -d dummy,lvm,shared,qcow2,ssh,vmfs,iscsi,ceph" ]


DATASTORE_MAD = [
    executable = "one_datastore",
    arguments  = "-t 15 -d dummy,fs,vmfs,iscsi,lvm,ceph"
]

HM_MAD = [
    executable = "one_hm" ]

HOST_HOOK = [
    name      = "error",
    on        = "ERROR",
    command   = "ft/host_error.rb",
    arguments = "$ID -r",
    remote    = "no" ]

VM_HOOK = [
   name      = "on_failure_recreate",
   on        = "FAILED",
   command   = "/usr/bin/env onevm delete --recreate",
   arguments = "$ID" ]

AUTH_MAD = [
    executable = "one_auth_mad",
    authn = "ssh,x509,ldap,server_cipher,server_x509,default"
]

SESSION_EXPIRATION_TIME = 900

DEFAULT_UMASK = 177

VM_RESTRICTED_ATTR = "CONTEXT/FILES"
VM_RESTRICTED_ATTR = "NIC/MAC"
VM_RESTRICTED_ATTR = "NIC/VLAN_ID"

IMAGE_RESTRICTED_ATTR = "SOURCE"

ONEGATE_ENDPOINT = "http://1**.******:5030"


Best regards,
.fahmie

From: Jonathan Chen [mailto:simon8233 at gmail.com]
Sent: Monday, September 02, 2013 10:08 PM
To: Shek Mohd Fahmi Abdul Latip
Cc: users at lists.opennebula.org; Hadi Noira Omar
Subject: Re: [one-users] Opennebula - Active Directory authentication integration

Maybe you can show your configuration files,

like ldap_conf, oned.conf ... etc.

Hide your IP, account and password.

That will help them to solve your problem.

Jonathan

2013/9/2 Shek Mohd Fahmi Abdul Latip <fahmi.latip at mimos.my>
Hi experts,

I'm using the latest OpenNebula 4.2 on CentOS 6.4. Right now I'm in the middle of integrating the authentication system with MS-AD through the LDAP protocol.

Based on the documentation:

To be able to use this driver for users that are still not in the user database you must set it to the default driver. To do this go to the auth drivers directory and copy the directory ldap to default. In system-wide installations you can do this using this command:
$ cp -R /var/lib/one/remotes/auth/ldap /var/lib/one/remotes/auth/default


As I understand it, if the user account does not exist in the OpenNebula database, it will still be able to be retrieved and authenticated via LDAP/AD. I did this configuration and somehow I got the error mentioned below.



I've followed the documentation provided on http://opennebula.org/documentation:rel4.2:ldap#active_directory; somehow it works partially, with an error that I can't really understand.

Here is the error message that can be found in the oned.log:

Mon Sep  2 11:24:05 2013 [AuM][D]: Message received: AUTHENTICATE SUCCESS 16 ldap fahmi.latip CN=******,OU=******,OU=*****,OU=Users,OU=*****,DC=******,DC=*******

Mon Sep  2 11:24:05 2013 [AuM][E]: Can't create user: Error transforming the User to XML.. Driver response: ldap fahmi.latip CN=******,OU=******,OU=*****,OU=Users,OU=*****,DC=******,DC=*******
Mon Sep  2 11:24:05 2013 [ReM][D]: Req:9744 UID:- UserInfo invoked, -1
Mon Sep  2 11:24:05 2013 [ReM][E]: Req:9744 UID:- UserInfo result FAILURE [UserInfo] User couldn't be authenticated, aborting call.

Has anyone faced a similar issue before? Any clue what action needs to be taken to solve this problem? Or is this method somehow impossible?

Best regards,
.fahmie


_______________________________________________
Users mailing list
Users at lists.opennebula.org
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org




--
Join us at OpenNebulaConf2013 in Berlin from the 24th to the 26th of September 2013!

Javier Fontán Muiños
Developer
OpenNebula - The Open Source Toolkit for Data Center Virtualization
www.OpenNebula.org | @OpenNebula | github.com/jfontan

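Javier's question ("any non-word characters in the DN?") can be answered from the oned.log line quoted in the thread. The following is an added diagnostic script, not OpenNebula code and not posted by anyone in the thread; it parses the AuM "AUTHENTICATE SUCCESS" line, splits the DN the ldap driver returned into its RDNs (honouring RFC 4514 backslash escapes) and lists the characters outside word characters, space, '=' and ','. The log lines and DNs in SAMPLE_LINES are constructed placeholders, not the poster's real values.

```ruby
# Added diagnostic (not OpenNebula code): parse the AuM "AUTHENTICATE SUCCESS"
# line in oned.log, split the returned DN into RDNs, list its non-word characters.

# Constructed oned.log lines; the DNs are placeholders, not the poster's real DN.
SAMPLE_LINES = [
  'Mon Sep  2 11:24:05 2013 [AuM][D]: Message received: AUTHENTICATE SUCCESS 16 ' \
  'ldap fahmi.latip CN=Fahmi Latip,OU=Research_Lab,OU=Users,DC=example,DC=local',
  'Mon Sep  2 11:25:10 2013 [AuM][D]: Message received: AUTHENTICATE SUCCESS 17 ' \
  "ldap jdoe CN=Doe\\, John <admin>,OU=Lab,DC=example,DC=local"
].freeze

LINE_RE = /\[AuM\]\[D\]: Message received: AUTHENTICATE SUCCESS \d+ (\S+) (\S+) (.+)$/

# Driver name, user name and DN from one log line (nil if the line is not one).
def parse_auth_line(line)
  m = LINE_RE.match(line)
  return nil unless m
  { driver: m[1], user: m[2], dn: m[3].strip }
end

# Split a DN into RDNs on unescaped commas (RFC 4514: '\' escapes the next char).
def split_dn(dn)
  rdns = ['']
  escaped = false
  dn.each_char do |c|
    if escaped
      rdns[-1] << c
      escaped = false
    elsif c == '\\'
      rdns[-1] << c
      escaped = true
    elsif c == ','
      rdns << ''
    else
      rdns[-1] << c
    end
  end
  rdns
end

# Characters outside [A-Za-z0-9_], space, '=' and ','; an underscore is a word char.
def non_word_chars(dn)
  dn.scan(/[^\w =,]/).uniq
end

def inspect_dn(line)
  rec = parse_auth_line(line)
  return nil unless rec
  rec.merge(rdns: split_dn(rec[:dn]), suspicious: non_word_chars(rec[:dn]))
end
```

Running inspect_dn over each line of oned.log reports, per authenticated user, the RDNs and any characters that fall outside the word-character set; for the first constructed DN the underscore in the OU is not flagged, for the second the escaped comma and the angle brackets are.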
