[one-users] LDAP/AD authentication problems

Javier Fontan jfontan at opennebula.org
Tue Sep 24 01:56:12 PDT 2013


I've tested the driver from 4.2 with a Windows 2008 Server Active
Directory and it does fail when the password is not correct. Could it be
an Active Directory configuration?

On Fri, Sep 6, 2013 at 4:57 PM, Andreas Calvo Gómez
<andreas.calvo at scytl.com> wrote:
> Javier,
> Thanks for your time.
> We are running the latest version of OpenNebula as of today: version 4.2.0.
>
>
> On 06/09/13 15:23, Javier Fontan wrote:
>>
>> It looks really bad. Could you please give us the OpenNebula version
>> you are using? I'll do my tests here and will let you know.
>>
>> I've created a ticket to keep track of this problem:
>>
>> http://dev.opennebula.org/issues/2307
>>
>>
>> On Wed, Aug 28, 2013 at 6:46 PM, Andreas Calvo Gómez
>> <andreas.calvo at scytl.com> wrote:
>>>
>>> Hi all,
>>> I've encountered a strange behavior while trying to configure ONE to
>>> authenticate against an AD, either as a proper AD or as an LDAP.
>>> If a credential is used to query LDAP and retrieve the complete DN for
>>> the user that wants to login, then no matter what password the user has
>>> typed it will be listed as authenticated.
>>>
>>> ldap_auth.conf example:
>>> server 1:
>>>      :user: 'myuser@mydomain.com'
>>>      :password: 'mypassword'
>>>      :auth_method: :simple
>>>      :host: ad.mydomain.com
>>>      :port: 389
>>>      :base: 'dc=mydomain,dc=com'
>>>      :user_field: 'sAMAccountName'
>>> :order:
>>>      - server 1
>>>
>>> If I manually query the authenticate process with a made up password and
>>> secret, it is always listed as authenticated.
>>>
>>> For instance:
>>> oneadmin@opennebula:~$ ./remotes/auth/default/authenticate myuser badpassword badpassword
>>> Trying server server 1
>>> ldap myuser CN=myuser,CN=Users,DC=mydomain,DC=com
>>>
>>> My guess is that the same user that is used to look up users, performs
>>> the authenticate method and always returns a valid user.
>>>
>>> Or maybe I'm missing something.
>>>
>>> Any hint?
>>>
>>> Thanks!
>
> --
> Andreas Calvo Gómez
> Systems Engineer
> Scytl Secure Electronic Voting
> Plaça Gal·la Placidia, 1-3, 1st floor · 08006 Barcelona
> Phone: + 34 934 230 324
> Fax:   + 34 933 251 028
> http://www.scytl.com



-- 
Join us at OpenNebulaConf2013 in Berlin from the 24th to the 26th of
September 2013!

Javier Fontán Muiños
Developer
OpenNebula - The Open Source Toolkit for Data Center Virtualization
www.OpenNebula.org | @OpenNebula | github.com/jfontan
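
Added example, not part of the original messages and not OpenNebula's driver code: a sketch of the failure mode guessed at in the report (the lookup connection's result being taken as the login result) beside a search-then-bind check that re-binds as the user's DN. FakeDirectory, the service account DN and all passwords are constructed stand-ins so the sketch runs without an LDAP server.

```ruby
# Constructed in-memory stand-in for an LDAP server (not the net-ldap API).
class FakeDirectory
  ENTRIES = { # constructed sample data: DN => attributes
    'CN=svc,CN=Users,DC=mydomain,DC=com'    => { sam: 'svc',    pw: 'svc-secret' },
    'CN=myuser,CN=Users,DC=mydomain,DC=com' => { sam: 'myuser', pw: 'right-password' }
  }.freeze

  # Simple bind: succeeds only for a known DN with its matching password.
  def bind(dn, password)
    entry = ENTRIES[dn]
    ok = !entry.nil? && entry[:pw] == password
    @bound_dn = ok ? dn : nil
    ok
  end

  # Search needs an authenticated connection; returns the user's DN or nil.
  def find_dn(sam)
    return nil unless @bound_dn
    ENTRIES.find { |_, e| e[:sam] == sam }&.first
  end
end

SVC_DN = 'CN=svc,CN=Users,DC=mydomain,DC=com' # hypothetical lookup account
SVC_PW = 'svc-secret'

# Flawed flow: only the lookup account binds, so finding the DN counts as
# a successful login and the user's password is never checked.
def lookup_only_auth(user, _password)
  dir = FakeDirectory.new
  return nil unless dir.bind(SVC_DN, SVC_PW)
  dir.find_dn(user)
end

# Search-then-bind: resolve the DN with the lookup account, then bind again
# on a fresh connection as that DN with the password the user typed.
def search_then_bind_auth(user, password)
  # RFC 4513: a simple bind with an empty password is an unauthenticated
  # bind, which real servers may accept, so reject it before binding.
  return nil if password.to_s.empty?
  lookup = FakeDirectory.new
  return nil unless lookup.bind(SVC_DN, SVC_PW)
  dn = lookup.find_dn(user)
  return nil unless dn
  FakeDirectory.new.bind(dn, password) ? dn : nil
end
```

When checking a real driver, the equivalent test is the one run in the report: a known user with a wrong password must not produce a DN.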


