[one-users] user authentication failed in LDAP configuration

Stefan Kooman stefan at bit.nl
Thu Jul 3 06:01:26 PDT 2014

Quoting Sudeep Narayan Banerjee (snbanerjee at iitgn.ac.in):
> Dear Sir,
> I am trying to configure ldap in opennebula.
> I have added string *default* under AUTH_MAD in /etc/one/oned.conf file.
> AUTH_MAD = [
>     executable = "one_auth_mad",
> #    authn = "ssh,x509,ldap,server_cipher,server_x509"
>     authn = "ssh,x509,ldap,*default*,server_cipher,server_x509"

There's another part that goes with this [1]:

"To be able to use this driver for users that are still not in the user
database you must set it to the default driver. To do this go to the
auth drivers directory and copy the directory ldap to default. In
system-wide installations you can do this using this command:

$ cp -R /var/lib/one/remotes/auth/ldap /var/lib/one/remotes/auth/default

> Also I have set up the ldap.conf file with below configurations.
> ---------------
>     :auth_method: :simple
>     # Ldap server
> #    :host: localhost
>     :host:  // also can provide the hostname
>     :port: 389
>     # Uncomment this line for TLS connections
>     #:encryption: :simple_tls
>     # base hierarchy where to search for users and groups
>     #:base: 'dc=domain'
>     :base: 'dc=iitgn,dc=ac,dc=in'
>     # group the users need to belong to. If not set any user will do
>     #:group: 'cn=cloud,ou=groups,dc=domain'
>     # field that holds the user name, if not set 'cn' will be used
>     :user_field: 'cn'
>     # for Active Directory use this user_field instead
>     #:user_field: 'sAMAccountName'
>     # field name for group membership, by default it is 'member'
>     #:group_field: 'member'
>     :group_field: 'eduPersonAffiliation'
>     # user field that is in the group group_field, if not set 'dn' will be used
>     #:user_group_field: 'dn'
> ----------------------------------------------
> Do I need to provide anywhere the password of the ldap server to test its
> connectivity?

Well, basic connectivity checking won't hurt: telnet 389
-> do you get a connection? Any logging on the ldap server itself?

It's virtually impossible to debug ldap authentication issues only by
logging in through opennebula. If you don't connect with the right user,
don't have search permissions on the LDAP tree or whatever, you will get
an error but LDAP is not going to tell you what happened. This might be
a time consuming process, be patient, be creative.

I would suggest you install ldapsearch (ldap-utils on ubuntu) and do the
following test to see if you get the right output:

ldapsearch -h -w your-password-here -x -D
 binddn -b 'dc=iitgn,dc=ac,dc=in' -s sub
 '(your specific sub here)'

It depends on your LDAP installation/configuration how you have to bind,
what password you need (if at all), etc.

You might find the info in [2] useful.

Good luck,

Gr. Stefan


| BIT BV  http://www.bit.nl/        Kamer van Koophandel 09090351
| GPG: 0xD14839C6                   +31 318 648 688 / info at bit.nl
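As an added example (not part of the thread, and not OpenNebula's own code), the script below parses an ldap.conf fragment like the one quoted above and turns it into the ldapsearch checks Stefan describes: a bind/search-rights test, the user lookup the driver does through `:user_field:`, and a group check when `:group:` is set. The bind DN, the user name and the `LDAP_HOST` placeholder are assumptions; the sample configuration is constructed from the mail with the empty `:host:` kept as it appears there.

```python
"""Derive ldapsearch sanity checks from an OpenNebula ldap.conf."""
import re
import shlex

# Constructed sample mirroring the configuration quoted in the thread;
# :host: is left empty exactly as in the mail.
SAMPLE_CONF = """
    :auth_method: :simple
    # Ldap server
    #:host: localhost
    :host:
    :port: 389
    #:encryption: :simple_tls
    :base: 'dc=iitgn,dc=ac,dc=in'
    #:group: 'cn=cloud,ou=groups,dc=domain'
    :user_field: 'cn'
    #:group_field: 'member'
    :group_field: 'eduPersonAffiliation'
"""

KEY_RE = re.compile(r"^\s*:(\w+):\s*(.*?)\s*$")

def parse_ldap_conf(text):
    """Parse the ':key: value' lines of ldap.conf; '#' comments and blank
    lines are ignored, surrounding quotes are stripped, ':sym' values kept."""
    conf = {}
    for line in text.splitlines():
        if line.strip().startswith("#"):
            continue
        m = KEY_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2).strip("'\"")
    return conf

def ldapsearch_checks(conf, bind_dn, user):
    """Return (problems, commands). -W prompts for the bind password so it
    never ends up on the command line or in shell history."""
    problems, cmds = [], []
    host = conf.get("host") or ""
    if not host:
        problems.append(":host: is empty; the driver cannot reach the server")
        host = "LDAP_HOST"  # placeholder for the value missing in the mail
    scheme = "ldaps" if conf.get("encryption") == ":simple_tls" else "ldap"
    uri = f"{scheme}://{host}:{conf.get('port', '389')}"
    common = ["ldapsearch", "-x", "-H", uri, "-D", bind_dn, "-W",
              "-b", conf.get("base", ""), "-s", "sub"]
    cmds.append(shlex.join(common + ["-z", "1", "(objectClass=*)", "dn"]))
    user_field = conf.get("user_field", "cn")  # lookup the driver performs
    cmds.append(shlex.join(common + [f"({user_field}={user})", "dn", user_field]))
    if conf.get("group"):  # membership is only checked when :group: is set
        group_field = conf.get("group_field", "member")
        cmds.append(shlex.join(["ldapsearch", "-x", "-H", uri, "-D", bind_dn, "-W",
                                "-b", conf["group"], "-s", "base", group_field]))
    elif conf.get("group_field"):
        problems.append(":group_field: is set but :group: is not, so no membership check runs")
    return problems, cmds
```

Run the printed commands from a host that can reach the LDAP server; the first one failing tells you whether the problem is reachability, the bind DN/password, or search rights on the base, before OpenNebula is involved at all.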
