[one-users] User within LDAP group authentication
Manuel Alfonso López Rourich
alfonso.lopez at cenits.es
Fri Oct 10 05:42:26 PDT 2014
Hello,
Thank you very much for your quick response, but I would prefer not to
change any OpenNebula script.
Anyway, I wonder why that simple configuration doesn't work. Could someone
who has integrated OpenLDAP groups with OpenNebula let us know their
configuration and OpenLDAP entry types?
Thank you very much
Best regards
2014-10-08 12:42 GMT+02:00 Marcin Stolarek <mstol at icm.edu.pl>:
>
>
> On 10/08/2014 12:32 PM, Manuel Alfonso López Rourich wrote:
>
>> Good morning,
>>
>> I'd like to ask you about an issue with user authentication in SunStone:
>>
>> I've configured SunStone so that new users from an OpenLDAP directory
>> can log in (the user is created automatically in OpenNebula). It works
>> fine but when I configure *:group* in *ldap_auth.conf*, I can't
>> authenticate new users within an LDAP group. The error that ONE throws is
>> clear (*"User ulopez is not in group
>> cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es"*) but I don't know what I could
>> do so that it works. The documentation about LDAP groups with ONE is
>> not very clear to me.
>>
>> The LDAP configuration is:
>>
>> server 1:
>>     :auth_method: :simple
>>     :host: 10.12.0.3
>>     :port: 389
>>     :base: 'dc=one,dc=es'
>>
>>     # group the users need to belong to. If not set any user will do
>>     :group: 'cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es'
>>
>>     # field that holds the user name, if not set 'cn' will be used
>>     :user_field: 'uid'
>>     # field name for group membership, by default it is 'member'
>>     :group_field: 'memberUid'
>>
>>     # user field whose value is listed in the group's group_field,
>>     # if not set 'dn' will be used
>>     #:user_group_field: 'gidNumber'
>>
>> The directory entry for the group is the next one:
>>
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # grupo_nuevo, ou_nueva, one.es
>> dn: cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es
>> gidNumber: 503
>> cn: grupo_nuevo
>> objectClass: posixGroup
>> objectClass: top
>> memberUid: ulopez
>>
>> # us_nuevo_lopez, grupo_nuevo, ou_nueva, one.es
>> dn: cn=us_nuevo_lopez,cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es
>> givenName: us_nuevo
>> gidNumber: 503
>> homeDirectory: /home/users/ulopez
>> sn: lopez
>> loginShell: /bin/sh
>> objectClass: inetOrgPerson
>> objectClass: posixAccount
>> objectClass: top
>> uidNumber: 1009
>> uid: ulopez
>> cn: us_nuevo_lopez
>>
>> Thank you very much,
>>
>> Best regards
>>
>>
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.opennebula.org
>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>
>>
>
> Currently OpenNebula supports only the scheme with the "listofmembers"
> objectClass (not sure I haven't made a mistake in the name).
>
> You can use my patch:
> https://github.com/cinek810/one/commit/925a124c96018aa8b4b44805aafa76280830a461
>
> to support groups in memberUid format.
>
> cheers,
> marcin
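The following is an added example, not code from OpenNebula or from Marcin's patch. It replays the group membership check discussed above offline, against the LDIF posted in the thread, so the effect of the :group_field and :user_group_field settings can be seen without an LDAP server. It assumes that the driver looks up the user by :user_field, takes the user's :user_group_field attribute ('dn' when unset), and then searches the group entry with the filter "(group_field=that value)"; the sample data is constructed from the posted entries plus a hypothetical groupOfNames group (cn=grupo_dn) that lists member DNs.

```ruby
# Added example (not OpenNebula's own code). Assumption: the driver searches
# the group with the filter "(<group_field>=<user's user_group_field value>)",
# where user_group_field defaults to 'dn'.

# Constructed sample: the thread's group and user, plus a hypothetical
# groupOfNames group whose 'member' attribute holds the user's DN.
SAMPLE_LDIF = <<~LDIF
  dn: cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es
  cn: grupo_nuevo
  objectClass: posixGroup
  memberUid: ulopez

  dn: cn=us_nuevo_lopez,cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es
  objectClass: inetOrgPerson
  objectClass: posixAccount
  uid: ulopez
  cn: us_nuevo_lopez

  dn: cn=grupo_dn,ou=ou_nueva,dc=one,dc=es
  cn: grupo_dn
  objectClass: groupOfNames
  member: cn=us_nuevo_lopez,cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es
LDIF

# Minimal LDIF parser: one Hash per entry, lowercased attribute => values.
def parse_ldif(text)
  entries = []
  current = nil
  text.each_line do |raw|
    line = raw.chomp
    next if line.start_with?('#')
    if line.empty?
      entries << current if current
      current = nil
      next
    end
    name, value = line.split(/:\s*/, 2)
    current ||= Hash.new { |h, k| h[k] = [] }
    current[name.downcase] << value
  end
  entries << current if current
  entries
end

# DNs match case-insensitively and ignore whitespace around the commas.
def normalize_dn(dn)
  dn.split(',').map(&:strip).join(',').downcase
end

# RFC 4515 escaping for a value placed in a search filter; without it a
# login such as "*" or "x)(uid=*" would rewrite the membership filter.
def escape_filter(value)
  value.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

def group_filter(group_field, value)
  "(#{group_field}=#{escape_filter(value)})"
end

# Find the user by user_field and return the attribute the group check uses.
def user_lookup_value(entries, login, user_field: 'cn', user_group_field: 'dn')
  user = entries.find { |e| e[user_field.downcase].include?(login) }
  user && user[user_group_field.downcase].first
end

# Evaluate "(group_field=value)" against the group entry: 'member' holds
# DNs and is compared as such; memberUid is compared as a plain string.
def in_group?(entries, group_dn, value, group_field: 'member')
  group = entries.find { |e| normalize_dn(e['dn'].first) == normalize_dn(group_dn) }
  return false unless group && value
  values = group[group_field.downcase]
  return values.any? { |v| normalize_dn(v) == normalize_dn(value) } if group_field.casecmp?('member')
  values.include?(value)
end

def check(entries, login, group_dn, user_field:, group_field:, user_group_field:)
  value = user_lookup_value(entries, login, user_field: user_field, user_group_field: user_group_field)
  in_group?(entries, group_dn, value, group_field: group_field)
end

ENTRIES = parse_ldif(SAMPLE_LDIF)
POSIX_GROUP = 'cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es'
DN_GROUP = 'cn=grupo_dn,ou=ou_nueva,dc=one,dc=es'

# The thread's settings: memberUid holds 'ulopez' but the driver looks for the DN.
def thread_config_ok?
  check(ENTRIES, 'ulopez', POSIX_GROUP, user_field: 'uid', group_field: 'memberUid', user_group_field: 'dn')
end
# Same posixGroup, but the user's uid is what gets looked up in memberUid.
def uid_config_ok?
  check(ENTRIES, 'ulopez', POSIX_GROUP, user_field: 'uid', group_field: 'memberUid', user_group_field: 'uid')
end
# groupOfNames group with the driver defaults (member / dn).
def groupofnames_ok?
  check(ENTRIES, 'ulopez', DN_GROUP, user_field: 'uid', group_field: 'member', user_group_field: 'dn')
end
```

Calling the three predicates shows the mismatch in the posted configuration: with user_group_field left at its default the check compares the user's full DN against memberUid values that only contain 'ulopez', so it fails, while comparing uid against memberUid, or a DN-valued member attribute against dn, succeeds. group_filter shows the filter string that reaches the server and why the login value must be escaped before it is interpolated.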