[one-users] LDAP/AD authentication problems

Andreas Calvo Gómez andreas.calvo at scytl.com
Fri Sep 6 07:57:02 PDT 2013


Javier,
Thanks for your time.
We are running the latest version of OpenNebula as of today: version 4.2.0.

On 06/09/13 15:23, Javier Fontan wrote:
> It looks really bad. Could you please give us the OpenNebula version
> you are using? I'll do my tests here and will let you know.
>
> I've created a ticket to keep track of this problem:
>
> http://dev.opennebula.org/issues/2307
>
>
> On Wed, Aug 28, 2013 at 6:46 PM, Andreas Calvo Gómez
> <andreas.calvo at scytl.com> wrote:
>> Hi all,
>> I've encountered a strange behavior while trying to configure ONE to
>> authenticate against an AD, either as a proper AD or as an LDAP.
>> If a credential is used to query LDAP and retrieve the complete DN for the
>> user that wants to log in, then no matter what password the user has typed it
>> will be listed as authenticated.
>>
>> ldap_auth.conf example:
>> server 1:
>>      :user: 'myuser@mydomain.com'
>>      :password: 'mypassword'
>>      :auth_method: :simple
>>      :host: ad.mydomain.com
>>      :port: 389
>>      :base: 'dc=mydomain,dc=com'
>>      :user_field: 'sAMAccountName'
>> :order:
>>      - server 1
>>
>> If I manually query the authenticate process with a made up password and
>> secret, it is always listed as authenticated.
>>
>> For instance:
>> oneadmin@opennebula:~$ ./remotes/auth/default/authenticate myuser badpassword badpassword
>> Trying server server 1
>> ldap myuser CN=myuser,CN=Users,DC=mydomain,DC=com
>>
>> My guess is that the same user that is used to look up users, performs the
>> authenticate method and always returns a valid user.
>>
>> Or maybe I'm missing something.
>>
>> Any hint?
>>
>> Thanks!
>
>

-- 
Andreas Calvo Gómez
Systems Engineer
Scytl Secure Electronic Voting
Plaça Gal·la Placidia, 1-3, 1st floor · 08006 Barcelona
Phone: + 34 934 230 324
Fax:   + 34 933 251 028
http://www.scytl.com
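
The thread does not establish the cause of this behaviour. The failure mode guessed at in the original post (the lookup succeeds under the search account and the user's own password is never checked), next to the search-then-bind flow that avoids it, as an added Ruby example that is not OpenNebula's code. `FakeDirectory`, `SERVICE_DN`, both function names and all credentials are constructed stand-ins so the example runs without an LDAP server.

```ruby
# Constructed in-memory stand-in for an LDAP/AD server, so the example runs offline.
# Entries and credentials are made up; the DN and field name follow the post.
class FakeDirectory
  ENTRIES = {
    'CN=svc,CN=Users,DC=mydomain,DC=com'    => { 'sAMAccountName' => 'svc',    password: 'svcpass' },
    'CN=myuser,CN=Users,DC=mydomain,DC=com' => { 'sAMAccountName' => 'myuser', password: 'goodpassword' }
  }.freeze

  def initialize
    @bound_as = nil
  end

  # Simple bind: true only when the DN exists and the password matches.
  def bind(dn, password)
    entry = ENTRIES[dn]
    ok = !entry.nil? && entry[:password] == password
    @bound_as = ok ? dn : nil
    ok
  end

  # Search requires an authenticated connection in this stand-in.
  def search(field, value)
    return nil unless @bound_as
    found = ENTRIES.find { |_dn, attrs| attrs[field] == value }
    found && found.first
  end
end

SERVICE_DN = 'CN=svc,CN=Users,DC=mydomain,DC=com' # hypothetical search account

# Failure mode guessed at in the post: the lookup runs under the search
# account and the user's password is never presented to the directory.
def authenticate_lookup_only(dir, user, _password)
  return nil unless dir.bind(SERVICE_DN, 'svcpass')
  dir.search('sAMAccountName', user)
end

# Search-then-bind: resolve the DN, then bind as that DN with the supplied password.
def authenticate_search_then_bind(dir, user, password)
  # An empty password is an unauthenticated bind (RFC 4513); reject it up front.
  return nil if password.nil? || password.empty?
  return nil unless dir.bind(SERVICE_DN, 'svcpass')
  dn = dir.search('sAMAccountName', user)
  return nil unless dn
  dir.bind(dn, password) ? dn : nil
end
```

A regression check for a real driver follows the same shape as the manual test in the post: a known-bad password must produce a failure, not a DN.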




