[one-users] ldap auth without automatic user creation
Javier Fontan
jfontan at opennebula.org
Fri Feb 14 02:06:01 PST 2014
Creating manually a user with driver ldap, username the same as the
one in ldap and a dummy password (for example -) should do the trick.
That's what the driver does.
On Thu, Feb 6, 2014 at 1:01 PM, Nicolas Bélan <nicolas.belan at gmail.com> wrote:
> Thank you for the explanation.
>
> I am trying to detail more the steps I am using.
>
> I have a LDAP tree with users (eg foobar user).
> I will setup a VM in one-4.4 and I would like to assign it to foobar.
> But, foobar does not exists yet in one (especially sunstone) until
> foobar logged in, right ?
> So, I would like to add it before any login, and assign its VM to its
> user id. So, I create a foobar user (same UID as LDAP) in one.
>
> But, If I create with "oneuser foobar" and set its auth engine to LDAP,
> it seems that one do no find it.
> It creates a new User ID when foobar logs in. (In fact, if I understand,
> it finds the ldap one, and display it without any search in one users DB).
> I have two users with the same ID (but numeric ID different), the LDAP
> one and the ONE-4.4 one ( :-) ). Which seems "right" with your description.
>
> Is there a way to "map" the oneuser foobar and the ldap one ? or to
> "link" both ?
>
> To be clear, I would like to authentify the one user to LDAP, but only
> auth may be externalized to ldap.
>
> Thank you
> Nicolas
>
>
> Le 06/02/2014 12:24, Javier Fontan a écrit :
>> I'm not sure I've understood the problem. Maybe this explanation helps.
>>
>> The user name of a user with ldap driver is used to find it in ldap.
>> It first searches for an ldap user with a DN equal to the OpenNebula
>> user name. This way you can set the OpenNebula user name to a full dn
>> of a user.
>>
>> In case there's no user with that dn it searches for users that have a
>> field that are equal to the OpenNebula user name. By default this
>> field is "cn" but it can be changed in ldap auth configuration file:
>>
>> --8<------
>> # field that holds the user name, if not set 'cn' will be used
>> :user_field: 'cn'
>> ------>8--
>>
>> In this example the field that we want to use as user name is "uid":
>>
>> --8<------
>> dn: cn=Robert Smith,ou=people,dc=example,dc=com
>> objectclass: inetOrgPerson
>> cn: Robert Smith
>> cn: Robert J Smith
>> cn: bob smith
>> sn: smith
>> uid: rjsmith
>> userpassword: rJsmitH
>> ou: Human Resources
>> ------>8--
>>
>> And we can change the ldap auth "user_field" to "uid".
>>
>> The user in OpenNebula should have
>>
>> user name: rjsmith
>> password: -
>> driver: ldap
>>
>> On Wed, Feb 5, 2014 at 10:41 AM, Nicolas Bélan <nicolas.belan at gmail.com> wrote:
>>> Hello,
>>>
>>> I tried successfully the LDAP auth using one 4.4, with the 'default'
>>> auth engine.
>>>
>>> So, I am able to log on Sunstone with a user in the right LDAP group, if
>>> it is not created on the one user DB.
>>>
>>> But, I am trying to answer this use case, and I can't achieve it:
>>>
>>> 1) create a user through sunstone and set it a LDAP scheme auth.
>>> 2) assign VM to this user (let's say uid 2)
>>> 3) create a correct CN in LDAP DB, and assign it to the right group
>>> 4) auth with sunstone GUI
>>>
>>> I creates a user 3, without any VM (same filter id ...)
>>>
>>> I would like to (pre)create user in sunstone, and give them accesses
>>> later through LDAP auth.
>>> Is it possible ?
>>>
>>> Thank you
>>> Best regards,
>>> Nicolas.
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.opennebula.org
>>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>
>>
>
--
Javier Fontán Muiños
Developer
OpenNebula - The Open Source Toolkit for Data Center Virtualization
www.OpenNebula.org | @OpenNebula | github.com/jfontan
More information about the Users
mailing list