[one-users] ldap auth without automatic user creation

Nicolas Bélan nicolas.belan at gmail.com
Thu Feb 6 04:01:46 PST 2014

Thank you for the explanation.

I am trying to describe the steps I am using in more detail.

I have an LDAP tree with users (e.g. the user foobar).
I will set up a VM in one-4.4 and I would like to assign it to foobar.
But foobar does not exist yet in ONE (especially Sunstone) until
foobar has logged in, right?
So, I would like to add it before any login, and assign its VM to its
user id. So, I create a foobar user (same UID as in LDAP) in ONE.

But if I create it with "oneuser foobar" and set its auth engine to LDAP,
it seems that ONE does not find it.
It creates a new User ID when foobar logs in. (In fact, if I understand
correctly, it finds the LDAP one and displays it without any search in the
ONE users DB.)
I have two users with the same ID (but a different numeric ID), the LDAP
one and the ONE-4.4 one ( :-) ), which seems "right" according to your description.

Is there a way to "map" the oneuser foobar to the LDAP one, or to
"link" both?

To be clear, I would like to authenticate the ONE user against LDAP, but
only the authentication would be externalized to LDAP.

Thank you

On 06/02/2014 12:24, Javier Fontan wrote:
> I'm not sure I've understood the problem. Maybe this explanation helps.
> The user name of a user with ldap driver is used to find it in ldap.
> It first searches for an ldap user with a DN equal to the OpenNebula
> user name. This way you can set the OpenNebula user name to a full dn
> of a user.
> In case there's no user with that dn it searches for users that have a
> field that is equal to the OpenNebula user name. By default this
> field is "cn" but it can be changed in the ldap auth configuration file:
> --8<------
>     # field that holds the user name, if not set 'cn' will be used
>     :user_field: 'cn'
> ------>8--
> In this example the field that we want to use as user name is "uid":
> --8<------
> dn: cn=Robert Smith,ou=people,dc=example,dc=com
> objectclass: inetOrgPerson
> cn: Robert Smith
> cn: Robert J Smith
> cn: bob  smith
> sn: smith
> uid: rjsmith
> userpassword: rJsmitH
> ou: Human Resources
> ------>8--
> And we can change the ldap auth "user_field" to "uid".
> The user in OpenNebula should have
> user name: rjsmith
> password: -
> driver: ldap
> On Wed, Feb 5, 2014 at 10:41 AM, Nicolas Bélan <nicolas.belan at gmail.com> wrote:
>> Hello,
>> I successfully tried LDAP auth using ONE 4.4 with the 'default'
>> auth engine.
>> So I am able to log on to Sunstone with a user in the right LDAP group, if
>> it is not created in the ONE user DB.
>> But I am trying to address this use case, and I can't achieve it:
>> 1) create a user through Sunstone and set its auth scheme to LDAP.
>> 2) assign a VM to this user (let's say uid 2)
>> 3) create the correct CN in the LDAP DB, and assign it to the right group
>> 4) auth with the Sunstone GUI
>> It creates a user 3, without any VM (same filter id ...)
>> I would like to (pre)create users in Sunstone, and give them access
>> later through LDAP auth.
>> Is it possible ?
>> Thank you
>> Best regards,
>> Nicolas.
>> _______________________________________________
>> Users mailing list
>> Users at lists.opennebula.org
>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
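
Added example (editor's code, not part of the messages above and not OpenNebula's own ldap_auth driver): the two-step lookup Javier describes, try the OpenNebula user name as a full DN first and only then search the configured :user_field for that name, is exactly what decides whether a pre-created ONE user lines up with a directory entry. The Ruby below simulates that resolution against a constructed LDIF string (the "Robert Smith" entry from Javier's message plus two made-up entries, "Bob Smith" sharing a cn value and "Foo Bar" with uid foobar, to mirror the case Nicolas reports). It contacts no LDAP server, and resolve_user and parse_ldif are hypothetical helper names. It also adds the check a practitioner would want in a real driver: a name that matches several entries is reported as ambiguous instead of silently resolving to the first hit.

```ruby
# Editor's added example, not OpenNebula's ldap_auth driver code.
# Simulates how a user whose driver is "ldap" is resolved to a directory
# entry, following the two-step rule described in the thread:
#   1. the ONE user name is tried as a full DN;
#   2. failing that, entries whose :user_field equals the name are searched.
# No LDAP server is contacted; the "directory" is a constructed LDIF string.

# Constructed sample. The first entry is the one quoted in the thread; the
# other two are invented to exercise an ambiguous cn and the "foobar" case.
SAMPLE_LDIF = <<~LDIF
  dn: cn=Robert Smith,ou=people,dc=example,dc=com
  objectclass: inetOrgPerson
  cn: Robert Smith
  cn: Robert J Smith
  cn: bob  smith
  sn: smith
  uid: rjsmith
  userpassword: rJsmitH
  ou: Human Resources

  dn: cn=Bob Smith,ou=people,dc=example,dc=com
  objectclass: inetOrgPerson
  cn: Bob Smith
  cn: bob  smith
  sn: smith
  uid: bsmith
  ou: Sales

  dn: cn=Foo Bar,ou=people,dc=example,dc=com
  objectclass: inetOrgPerson
  cn: Foo Bar
  sn: bar
  uid: foobar
  ou: Operations
LDIF

# Minimal LDIF parser: one record per blank-line-separated block, attribute
# names lower-cased, every attribute kept as a list (cn is multi-valued).
def parse_ldif(text)
  text.split(/\n[ \t]*\n/).map do |record|
    entry = Hash.new { |h, k| h[k] = [] }
    record.each_line do |line|
      line = line.strip
      next if line.empty? || line.start_with?('#')
      attr, value = line.split(':', 2)
      entry[attr.strip.downcase] << value.to_s.strip
    end
    entry
  end
end

Resolution = Struct.new(:status, :entries)

# Hypothetical helper (not the driver's API). Returns :ok with exactly one
# entry, :not_found, or :ambiguous when several entries share the value.
# Matching is case-insensitive as an approximation of LDAP's caseIgnoreMatch
# for DN/cn/uid; a real directory applies each attribute's own matching rule.
def resolve_user(directory, one_username, user_field: 'cn')
  # Step 1: the ONE user name is a full DN.
  by_dn = directory.select do |e|
    e.fetch('dn', []).any? { |dn| dn.casecmp?(one_username) }
  end
  return Resolution.new(:ok, by_dn) if by_dn.size == 1

  # Step 2: search the configured user field (default cn).
  by_field = directory.select do |e|
    e.fetch(user_field, []).any? { |v| v.casecmp?(one_username) }
  end
  case by_field.size
  when 0 then Resolution.new(:not_found, [])
  when 1 then Resolution.new(:ok, by_field)
  else        Resolution.new(:ambiguous, by_field) # reject, never "first hit"
  end
end

if __FILE__ == $PROGRAM_NAME
  dir = parse_ldif(SAMPLE_LDIF)
  [['cn=Robert Smith,ou=people,dc=example,dc=com', 'cn'],
   ['Robert Smith', 'cn'],
   ['rjsmith', 'cn'], ['rjsmith', 'uid'],
   ['foobar', 'cn'], ['foobar', 'uid'],
   ['bob  smith', 'cn']].each do |name, field|
    r = resolve_user(dir, name, user_field: field)
    puts format('%-46s via %-3s -> %-10s %s', name.inspect, field, r.status,
                r.entries.map { |e| e['dn'].first }.join(' | '))
  end
end
```

Run as a script it prints one line per lookup. The two lines worth noticing for this thread are "foobar" via cn (not found, because the directory's cn is "Foo Bar") and "foobar" via uid (found), which is the difference between a pre-created ONE user named foobar being matched or not, and "bob  smith" via cn, which hits two entries and is refused rather than mapped to whichever entry the server returns first.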
