[one-users] Opennebula - Active Directory authentication integration

Javier Fontan jfontan at opennebula.org
Wed Sep 4 01:57:44 PDT 2013


It should not have any problem with an underscore. The error you are
getting is caused because your DN is being incorrectly transformed to
XML. It most probably is some character that is breaking that
serialization. As I don't have the DN I cannot reproduce it.

Fortunately the DN in ldap is stored only as extra information and
this can be disabled. Change the file
/var/lib/one/remotes/auth/default/authenticate, line 88, from:

puts "ldap #{escaped_user} #{escaped_secret}"

to

puts "ldap #{escaped_user} -"

This should fix the problem.


On Wed, Sep 4, 2013 at 2:39 AM, Shek Mohd Fahmi Abdul Latip
<fahmi.latip at mimos.my> wrote:
> Hi Javier,
>
>
>
> Yes, I got “_” (normal underscore symbol) inside one of my DN entries, in
> the OU name. Is there any problem with that? If yes, is there any workaround to make
> it work? Kindly advise.
>
>
>
> Best regards,
>
> .fahmie
>
>
>
> From: Javier Fontan [mailto:jfontan at opennebula.org]
> Sent: Wednesday, September 04, 2013 3:58 AM
>
>
> To: Shek Mohd Fahmi Abdul Latip
> Cc: users at lists.opennebula.org; Hadi Noira Omar
> Subject: Re: [one-users] Opennebula - Active Directory authentication
> integration
>
>
>
> Do you have any non word characters in the DN? Like <, >, [, ] and such.
>
>
>
> On Tue, Sep 3, 2013 at 4:36 AM, Shek Mohd Fahmi Abdul Latip
> <fahmi.latip at mimos.my> wrote:
>
> Hi,
>
>
>
> Here is my one/auth/ldap_auth.conf settings:
>
>
>
> server 1:
>     :user: 'one***@*****.****'
>     :password: '********'
>     :auth_method: :simple
>     :host: 10.*.*.*
>     :port: 389
>     :base: 'OU=******,DC=****,DC=******'
>     :user_field: 'sAMAccountName'
>
> :order:
>     - server 1
>
>
>
> And this is what my oned.conf looks like:
>
>
>
> LOG = [
>   system      = "file",
>   debug_level = 3
> ]
>
> MANAGER_TIMER = 5
>
> MONITORING_INTERVAL              = 10
>
> SCRIPTS_REMOTE_DIR=/var/tmp/one
>
> PORT = 2633
>
> DB = [ backend = "mysql",
>         server  = "localhost",
>         port    = 0,
>         user    = "*******",
>         passwd  = "********",
>         db_name = "opennebula" ]
>
> VNC_BASE_PORT = 5900
>
> NETWORK_SIZE = 254
>
> MAC_PREFIX   = "02:00"
>
> DATASTORE_CAPACITY_CHECK = "yes"
>
> DEFAULT_IMAGE_TYPE    = "OS"
> DEFAULT_DEVICE_PREFIX = "hd"
>
> IM_MAD = [
>       name       = "kvm",
>       executable = "one_im_ssh",
>       arguments  = "-r 0 -t 15 kvm" ]
>
> VM_MAD = [
>     name       = "kvm",
>     executable = "one_vmm_exec",
>     arguments  = "-t 15 -r 0 kvm",
>     default    = "vmm_exec/vmm_exec_kvm.conf",
>     type       = "kvm" ]
>
> TM_MAD = [
>     executable = "one_tm",
>     arguments  = "-t 15 -d dummy,lvm,shared,qcow2,ssh,vmfs,iscsi,ceph" ]
>
> DATASTORE_MAD = [
>     executable = "one_datastore",
>     arguments  = "-t 15 -d dummy,fs,vmfs,iscsi,lvm,ceph"
> ]
>
> HM_MAD = [
>     executable = "one_hm" ]
>
> HOST_HOOK = [
>     name      = "error",
>     on        = "ERROR",
>     command   = "ft/host_error.rb",
>     arguments = "$ID -r",
>     remote    = "no" ]
>
> VM_HOOK = [
>    name      = "on_failure_recreate",
>    on        = "FAILED",
>    command   = "/usr/bin/env onevm delete --recreate",
>    arguments = "$ID" ]
>
> AUTH_MAD = [
>     executable = "one_auth_mad",
>     authn = "ssh,x509,ldap,server_cipher,server_x509,default"
> ]
>
> SESSION_EXPIRATION_TIME = 900
>
> DEFAULT_UMASK = 177
>
> VM_RESTRICTED_ATTR = "CONTEXT/FILES"
> VM_RESTRICTED_ATTR = "NIC/MAC"
> VM_RESTRICTED_ATTR = "NIC/VLAN_ID"
>
> IMAGE_RESTRICTED_ATTR = "SOURCE"
>
> ONEGATE_ENDPOINT = "http://1**.******:5030"
>
>
>
>
>
> Best regards,
>
> .fahmie
>
>
>
> From: Jonathan Chen [mailto:simon8233 at gmail.com]
> Sent: Monday, September 02, 2013 10:08 PM
> To: Shek Mohd Fahmi Abdul Latip
> Cc: users at lists.opennebula.org; Hadi Noira Omar
> Subject: Re: [one-users] Opennebula - Active Directory authentication
> integration
>
>
>
> Maybe you can show your configuration files,
>
>
>
> like ldap_conf, oned.conf ... etc.
>
>
>
> Hide your IP, account and password.
>
>
>
> It will help them to solve your problem.
>
>
>
> Jonathan
>
>
>
> 2013/9/2 Shek Mohd Fahmi Abdul Latip <fahmi.latip at mimos.my>
>
> Hi experts,
>
>
>
> I’m using the latest Opennebula 4.2 on CentOS 6.4. Right now I’m in the middle
> of integrating the authentication system with MS-AD through the LDAP protocol.
>
>
>
> Based on the documentation:
>
>
>
> To be able to use this driver for users that are still not in the user
> database you must set it to the default driver. To do this go to the auth
> drivers directory and copy the directory ldap to default. In system-wide
> installations you can do this using this command:
>
> $ cp -R /var/lib/one/remotes/auth/ldap /var/lib/one/remotes/auth/default
>
>
>
>
>
> What I understand is that if the user account does not exist in the opennebula
> database, it will still be able to retrieve and authenticate via LDAP/AD. I
> did this configuration and somehow I got the error mentioned below.
>
>
>
>
>
>
>
> I’ve followed the documentation provided on
> http://opennebula.org/documentation:rel4.2:ldap#active_directory; somehow, it
> works partially, with an error that I can’t really understand.
>
>
>
> Here is the error message that can be found in the oned.log:
>
>
>
> Mon Sep  2 11:24:05 2013 [AuM][D]: Message received: AUTHENTICATE SUCCESS 16
> ldap fahmi.latip
> CN=******,OU=******,OU=*****,OU=Users,OU=*****,DC=******,DC=*******
>
>
>
> Mon Sep  2 11:24:05 2013 [AuM][E]: Can't create user: Error transforming the
> User to XML.. Driver response: ldap fahmi.latip
> CN=******,OU=******,OU=*****,OU=Users,OU=*****,DC=******,DC=*******
>
> Mon Sep  2 11:24:05 2013 [ReM][D]: Req:9744 UID:- UserInfo invoked, -1
>
> Mon Sep  2 11:24:05 2013 [ReM][E]: Req:9744 UID:- UserInfo result FAILURE
> [UserInfo] User couldn't be authenticated, aborting call.
>
>
>
> Has anyone faced a similar issue before? Any clue what action needs to be
> taken to solve this problem? Or is this method somehow impossible?
>
>
>
> Best regards,
>
> .fahmie
>
>
>
>
>
>
>
> ------------------------------------------------------------------
> -
> -
> DISCLAIMER:
>
> This e-mail (including any attachments) is for the addressee(s)
> only and may contain confidential information. If you are not the
> intended recipient, please note that any dealing, review,
> distribution, printing, copying or use of this e-mail is strictly
> prohibited. If you have received this email in error, please notify
> the sender immediately and delete the original message.
> MIMOS Berhad is a research and development institution under
> the purview of the Malaysian Ministry of Science, Technology and
> Innovation. Opinions, conclusions and other information in this e-
> mail that do not relate to the official business of MIMOS Berhad
> and/or its subsidiaries shall be understood as neither given nor
> endorsed by MIMOS Berhad and/or its subsidiaries and neither
> MIMOS Berhad nor its subsidiaries accepts responsibility for the
> same. All liability arising from or in connection with computer
> viruses and/or corrupted e-mails is excluded to the fullest extent
> permitted by law.
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opennebula.org
> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>
>
>
>
>
>
>
>
>
>
>
>



-- 
Join us at OpenNebulaConf2013 in Berlin from the 24th to the 26th of
September 2013!

Javier Fontán Muiños
Developer
OpenNebula - The Open Source Toolkit for Data Center Virtualization
www.OpenNebula.org | @OpenNebula | github.com/jfontan
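The advice at the top of this message is that the third field of the driver's answer (the DN, stored by oned as extra user information) is what fails XML serialization, and that replacing it with "-" avoids the problem. The following Ruby example, added here as an illustration and not code from OpenNebula or from anyone in this thread, shows how an administrator could check a DN before deciding whether to keep it: it reports bytes that are not valid UTF-8 and control characters XML 1.0 forbids, escapes the five XML-special characters, and otherwise falls back to "-" as suggested. The helper names (dn_xml_problems, xml_escape, driver_response) are assumptions, as is the premise that the field ends up verbatim inside an XML document; the sample DNs are constructed.

```ruby
# Assumption: the driver's third field is embedded in the user's XML
# representation, so it must be valid UTF-8, free of characters XML 1.0
# forbids, and have &, <, >, " and ' escaped. This is an added example,
# not OpenNebula's own driver code.

# C0 control characters other than TAB, LF and CR are forbidden in XML 1.0
# even in escaped form.
XML_FORBIDDEN = /[\u0000-\u0008\u000B\u000C\u000E-\u001F]/

# The five characters that must be escaped inside element text or attributes.
XML_ESCAPES = {
  '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&apos;'
}.freeze

# Returns a list of human-readable problems that would make +dn+ unsafe to
# embed in XML; an empty list means the DN only needs ordinary escaping.
def dn_xml_problems(dn)
  problems = []
  utf8 = dn.dup.force_encoding(Encoding::UTF_8)
  unless utf8.valid_encoding?
    problems << 'not valid UTF-8'
    return problems
  end
  utf8.scan(XML_FORBIDDEN).uniq.each do |c|
    problems << format('forbidden control character U+%04X', c.ord)
  end
  problems
end

# Escapes the XML-special characters; an underscore, as in the thread,
# is left untouched because XML has no problem with it.
def xml_escape(dn)
  dn.gsub(/[&<>"']/, XML_ESCAPES)
end

# Builds the "ldap <user> <secret>" answer line (hypothetical helper). The DN is
# kept only when it can be embedded safely; otherwise "-" is emitted, which is
# exactly the workaround given in the message.
def driver_response(user, dn)
  return "ldap #{user} -" unless dn_xml_problems(dn).empty?

  "ldap #{user} #{xml_escape(dn)}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample DNs, not real directory data.
  samples = [
    'CN=jdoe,OU=R_D,OU=Users,DC=example,DC=com',     # underscore: harmless
    'CN=Smith&Sons,OU=R<D>,DC=example,DC=com',       # needs escaping only
    "CN=Bad\u0001Entry,OU=Users,DC=example,DC=com"   # forbidden control char
  ]
  samples.each do |dn|
    puts "#{dn.inspect}: problems=#{dn_xml_problems(dn).inspect}"
    puts "  -> #{driver_response('jdoe', dn)}"
  end
end
```

Run it against the DN that oned logged (with the real values, not the masked ones) to see whether the culprit is an odd byte or control character rather than the underscore. The real driver applies its own escaping to escaped_secret, which is not visible in this thread, so the check above is a diagnostic for the DN itself, not a drop-in replacement for that line.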