[one-users] Opennebula - Active Directory authentication integration

Shek Mohd Fahmi Abdul Latip fahmi.latip at mimos.my
Fri Sep 13 02:17:41 PDT 2013


Hi Javier,

I just tested the advice you gave below, and it seems to be working fine for now. I'm able to authenticate using AD without having an account registered locally on the Opennebula frontend.

Thanks for your advice again. Really appreciate it.

Best regards,
.fahmie

-----Original Message-----
From: Javier Fontan [mailto:jfontan at opennebula.org]
Sent: Wednesday, September 04, 2013 4:58 PM
To: Shek Mohd Fahmi Abdul Latip
Cc: users at lists.opennebula.org; Hadi Noira Omar
Subject: Re: [one-users] Opennebula - Active Directory authentication integration

It should not have any problem with an underscore. The error you are getting is caused because your DN is being incorrectly transformed to XML. It most probably is some character that is breaking that serialization. As I don't have the DN I cannot reproduce it.

Fortunately the DN in ldap is stored only as extra information and this can be disabled. Change the file /var/lib/one/remotes/auth/default/authenticate, line 88, from:

puts "ldap #{escaped_user} #{escaped_secret}"

to

puts "ldap #{escaped_user} -"

This should fix the problem.


On Wed, Sep 4, 2013 at 2:39 AM, Shek Mohd Fahmi Abdul Latip <fahmi.latip at mimos.my> wrote:
> Hi Javier,
>
>
>
> Yes, I have "_" (a normal underscore symbol) inside one of my DN entries, in
> the OU name. Is there any problem with that? If yes, is there any workaround
> to make it work? Kindly advise.
>
>
>
> Best regards,
>
> .fahmie
>
>
>
> From: Javier Fontan [mailto:jfontan at opennebula.org]
> Sent: Wednesday, September 04, 2013 3:58 AM
> To: Shek Mohd Fahmi Abdul Latip
> Cc: users at lists.opennebula.org; Hadi Noira Omar
> Subject: Re: [one-users] Opennebula - Active Directory authentication integration
>
>
>
> Do you have any non-word characters in the DN? Like <, >, [, ] and such.
>
>
>
> On Tue, Sep 3, 2013 at 4:36 AM, Shek Mohd Fahmi Abdul Latip <fahmi.latip at mimos.my> wrote:
>
> Hi,
>
>
>
> Here are my one/auth/ldap_auth.conf settings:
>
> server 1:
>     :user: 'one***@*****.****'
>     :password: '********'
>     :auth_method: :simple
>     :host: 10.*.*.*
>     :port: 389
>     :base: 'OU=******,DC=****,DC=******'
>     :user_field: 'sAMAccountName'
>
> :order:
>     - server 1
>
> And this is what my oned.conf looks like:
>
> LOG = [
>   system      = "file",
>   debug_level = 3
> ]
>
> MANAGER_TIMER = 5
>
> MONITORING_INTERVAL              = 10
>
> SCRIPTS_REMOTE_DIR=/var/tmp/one
>
> PORT = 2633
>
> DB = [ backend = "mysql",
>         server  = "localhost",
>         port    = 0,
>         user    = "*******",
>         passwd  = "********",
>         db_name = "opennebula" ]
>
> VNC_BASE_PORT = 5900
>
> NETWORK_SIZE = 254
>
> MAC_PREFIX   = "02:00"
>
> DATASTORE_CAPACITY_CHECK = "yes"
>
> DEFAULT_IMAGE_TYPE    = "OS"
> DEFAULT_DEVICE_PREFIX = "hd"
>
> IM_MAD = [
>       name       = "kvm",
>       executable = "one_im_ssh",
>       arguments  = "-r 0 -t 15 kvm" ]
>
> VM_MAD = [
>     name       = "kvm",
>     executable = "one_vmm_exec",
>     arguments  = "-t 15 -r 0 kvm",
>     default    = "vmm_exec/vmm_exec_kvm.conf",
>     type       = "kvm" ]
>
> TM_MAD = [
>     executable = "one_tm",
>     arguments  = "-t 15 -d dummy,lvm,shared,qcow2,ssh,vmfs,iscsi,ceph"
> ]
>
> DATASTORE_MAD = [
>     executable = "one_datastore",
>     arguments  = "-t 15 -d dummy,fs,vmfs,iscsi,lvm,ceph"
> ]
>
> HM_MAD = [
>     executable = "one_hm" ]
>
> HOST_HOOK = [
>     name      = "error",
>     on        = "ERROR",
>     command   = "ft/host_error.rb",
>     arguments = "$ID -r",
>     remote    = "no" ]
>
> VM_HOOK = [
>    name      = "on_failure_recreate",
>    on        = "FAILED",
>    command   = "/usr/bin/env onevm delete --recreate",
>    arguments = "$ID" ]
>
> AUTH_MAD = [
>     executable = "one_auth_mad",
>     authn = "ssh,x509,ldap,server_cipher,server_x509,default"
> ]
>
> SESSION_EXPIRATION_TIME = 900
>
> DEFAULT_UMASK = 177
>
> VM_RESTRICTED_ATTR = "CONTEXT/FILES"
> VM_RESTRICTED_ATTR = "NIC/MAC"
> VM_RESTRICTED_ATTR = "NIC/VLAN_ID"
>
> IMAGE_RESTRICTED_ATTR = "SOURCE"
>
> ONEGATE_ENDPOINT = "http://1**.******:5030"
>
> Best regards,
>
> .fahmie
>
>
>
> From: Jonathan Chen [mailto:simon8233 at gmail.com]
> Sent: Monday, September 02, 2013 10:08 PM
> To: Shek Mohd Fahmi Abdul Latip
> Cc: users at lists.opennebula.org; Hadi Noira Omar
> Subject: Re: [one-users] Opennebula - Active Directory authentication integration
>
>
>
> Maybe you can show your configuration files, like ldap_conf, oned.conf, etc.
>
> Hide your IP, account and passwd.
>
> It will help them to solve your problem.
>
>
>
> Jonathan
>
>
>
> 2013/9/2 Shek Mohd Fahmi Abdul Latip <fahmi.latip at mimos.my>
>
> Hi experts,
>
>
>
> I'm using the latest Opennebula 4.2 on CentOS 6.4. Right now I'm in the
> middle of integrating the authentication system with MS-AD through the LDAP protocol.
>
>
>
> Based on the documentation:
>
>
>
> To be able to use this driver for users that are still not in the user
> database you must set it to the default driver. To do this go to the
> auth drivers directory and copy the directory ldap to default. In
> system-wide installations you can do this using this command:
>
> $ cp -R /var/lib/one/remotes/auth/ldap /var/lib/one/remotes/auth/default
>
>
>
>
>
> What I understand is that if the user account does not exist in the
> opennebula database, it will still be able to retrieve and
> authenticate via LDAP/AD. I did this configuration and somehow I got the error mentioned below.
>
>
>
>
>
>
>
> I've followed the documentation provided on
> http://opennebula.org/documentation:rel4.2:ldap#active_directory
> but somehow it works only partially, with an error that I can't really understand.
>
>
>
> Here is the error message that can be found in the oned.log:
>
> Mon Sep  2 11:24:05 2013 [AuM][D]: Message received: AUTHENTICATE SUCCESS 16 ldap fahmi.latip CN=******,OU=******,OU=*****,OU=Users,OU=*****,DC=******,DC=*******
> Mon Sep  2 11:24:05 2013 [AuM][E]: Can't create user: Error transforming the User to XML.. Driver response: ldap fahmi.latip CN=******,OU=******,OU=*****,OU=Users,OU=*****,DC=******,DC=*******
> Mon Sep  2 11:24:05 2013 [ReM][D]: Req:9744 UID:- UserInfo invoked, -1
> Mon Sep  2 11:24:05 2013 [ReM][E]: Req:9744 UID:- UserInfo result FAILURE [UserInfo] User couldn't be authenticated, aborting call.
>
> Has anyone faced a similar issue before? Any clue what action needs to
> be taken to solve this problem? Or is this method somehow impossible?
>
>
>
> Best regards,
>
> .fahmie
>
> _______________________________________________
> Users mailing list
> Users at lists.opennebula.org
> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>



--
Join us at OpenNebulaConf2013 in Berlin from the 24th to the 26th of September 2013!

Javier Fontán Muiños
Developer
OpenNebula - The Open Source Toolkit for Data Center Virtualization
www.OpenNebula.org | @OpenNebula | github.com/jfontan
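Javier's workaround above replaces the DN with "-" so that nothing taken from the directory reaches the user's XML record at all. The following Ruby snippet is an added example, not OpenNebula's code and not part of the thread: it models the last line of the ldap auth driver ("ldap <user> <secret>"), lists the characters that would break an XML text node (markup characters, and control code points that XML 1.0 does not allow even when escaped), and builds the response either in the "drop" form Javier suggests or in an "escape" form that keeps the DN only when escaping makes it safe. The helper names (`secret_problems`, `xml_escape`, `driver_line`), the sample DNs, and the assumption that oned copies the third field verbatim into the user's XML are mine, not the project's.

```ruby
# Added example, not OpenNebula's code. Models the final line of the
# ldap auth driver, "ldap <user> <secret>", where <secret> is the LDAP DN
# that oned keeps as extra information in the user's XML record.
# Assumption (mine): oned copies that third field verbatim into XML, so a
# character that is markup or illegal in XML 1.0 makes serialization fail.

# Markup characters that must be escaped inside an XML text node.
XML_MARKUP  = /[<>&"']/
# Control code points that XML 1.0 does not allow at all, escaped or not.
XML_ILLEGAL = /[\x00-\x08\x0B\x0C\x0E-\x1F]/
# The driver response is space separated, so whitespace would split the field.
FIELD_BREAK = /\s/

# Lists why a DN cannot be passed through unchanged (empty list = safe).
def secret_problems(dn)
  problems = []
  problems << :xml_markup  if dn.match?(XML_MARKUP)
  problems << :xml_illegal if dn.match?(XML_ILLEGAL)
  problems << :whitespace  if dn.match?(FIELD_BREAK)
  problems
end

# Minimal XML text escaping using the five predefined entities.
def xml_escape(text)
  text.gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;')
      .gsub('"', '&quot;').gsub("'", '&apos;')
end

# Builds the driver response line.
#   :drop   -> Javier's workaround: never send the DN, print "-" instead
#   :escape -> keep the DN when escaping makes it safe, else fall back to "-"
def driver_line(user, dn, mode: :drop)
  secret =
    case mode
    when :drop
      '-'
    when :escape
      problems = secret_problems(dn)
      # Markup can be escaped; illegal code points or whitespace cannot be
      # represented safely, so the field is dropped rather than mangled.
      if problems.empty? || problems == [:xml_markup]
        xml_escape(dn)
      else
        '-'
      end
    else
      raise ArgumentError, "unknown mode #{mode.inspect}"
    end
  "ldap #{user} #{secret}"
end

# Constructed sample DNs; no real directory data.
SAMPLE_DNS = {
  underscore: 'CN=jdoe,OU=Lab_Users,DC=example,DC=test',
  markup:     'CN=jdoe<lab>,OU=Lab_Users,DC=example,DC=test',
  control:    "CN=jdoe\x01,OU=Lab_Users,DC=example,DC=test",
  space:      'CN=John Doe,OU=Lab_Users,DC=example,DC=test'
}

if __FILE__ == $0
  SAMPLE_DNS.each do |label, dn|
    puts "#{label}: problems=#{secret_problems(dn).inspect}"
    puts "  drop:   #{driver_line('jdoe', dn)}"
    puts "  escape: #{driver_line('jdoe', dn, mode: :escape)}"
  end
end
```

The underscore case comes back clean in both modes, which matches Javier's remark that "_" is not the culprit; the point of the check is that a DN is an attacker-influenced string once it flows from the directory into another serializer, so refusing it (the "-" form) is the simplest safe default and escaping is only worth the extra surface if the DN is actually needed downstream.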
