[one-users] User within LDAP group authentication
Marcin Stolarek
mstol at icm.edu.pl
Tue Oct 14 07:51:40 PDT 2014
On 10/10/2014 02:42 PM, Manuel Alfonso López Rourich wrote:
> Hello,
>
> Thank you very much for your very quick response, but I would prefer not
> to change any OpenNebula script.
>
> Anyway, I wonder why that simple configuration doesn't work. Could
> someone who has integrated OpenLDAP groups with OpenNebula let us know
> his configuration and OpenLDAP entry types?
This is a very simple change :)
I believe the objectClass: groupOfNames in OpenLDAP will work with the
current OpenNebula implementation.
cheers,
marcin
>
> Thank you very much
>
> Best regards
>
> 2014-10-08 12:42 GMT+02:00 Marcin Stolarek <mstol at icm.edu.pl>:
>
>
>
> On 10/08/2014 12:32 PM, Manuel Alfonso López Rourich wrote:
>
> Good morning,
>
> I'd like to ask you about an issue with user authentication in SunStone:
>
> I've configured SunStone so that new users from an OpenLDAP directory
> can log in (the user is created automatically in OpenNebula). It works
> fine, but when I configure *:group* in *ldap_auth.conf*, I can't
> authenticate new users within an LDAP group. The error that ONE throws is
> clear (*"User ulopez is not in group
> cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es"*) but I don't know what could
> be done so that it works. The documentation about LDAP groups with ONE is
> not very clear to me.
>
> The LDAP configuration is:
>
> server 1:
> :auth_method: :simple
> :host: 10.12.0.3
> :port: 389
> :base: 'dc=one,dc=es'
>
> # group the users need to belong to. If not set any user will do
> :group: 'cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es'
>
> # field that holds the user name, if not set 'cn' will be used
> :user_field: 'uid'
> # field name for group membership, by default it is 'member'
> :group_field: 'memberUid'
>
> # user field that is in the group group_field, if not set 'dn' will be used
> #user_group_field: 'gidNumber'
>
> The directory entry for the group is the next one:
>
> # extended LDIF
> #
> # LDAPv3
> # base <cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # grupo_nuevo, ou_nueva, one.es
> dn: cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es
> gidNumber: 503
> cn: grupo_nuevo
> objectClass: posixGroup
> objectClass: top
> memberUid: ulopez
>
> # us_nuevo_lopez, grupo_nuevo, ou_nueva, one.es
> dn: cn=us_nuevo_lopez,cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es
> givenName: us_nuevo
> gidNumber: 503
> homeDirectory: /home/users/ulopez
> sn: lopez
> loginShell: /bin/sh
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> uidNumber: 1009
> uid: ulopez
> cn: us_nuevo_lopez
>
> Thank you very much,
>
> Best regards
>
>
>
>
> _________________________________________________
> Users mailing list
> Users at lists.opennebula.org
> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>
>
>
> Currently OpenNebula supports only the scheme with the "listofmembers" (not
> sure if I haven't made a mistake in the name) objectClass.
>
> You can use my patch:
> https://github.com/cinek810/one/commit/925a124c96018aa8b4b44805aafa76280830a461
>
> to support groups in memberUid format.
>
> cheers,
> marcin
>
>
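As an added example (it is not code from this thread and not OpenNebula's own ldap_auth driver), the following stand-alone Ruby models the group check the way the comments in the posted ldap_auth.conf describe the three settings, so the two group schemes discussed above can be compared side by side: a posixGroup that lists bare uids in memberUid, and a groupOfNames that lists full DNs in member. The directory is constructed inline from the posted entries; the groupOfNames group cn=grupo_gon is assumed for the comparison and is not in the post, and the helper names find_user, in_group? and check_login are this example's own. It says nothing about which combinations a given OpenNebula release actually honours, which is what the thread and Marcin's patch are about.

```ruby
# Added example, not OpenNebula's driver: a stand-alone model of the
# ldap_auth.conf group check as the comments in the posted config
# describe the settings (:group, :group_field, :user_group_field).

# Constructed in-memory directory mirroring the entries in the post,
# plus an assumed groupOfNames variant (cn=grupo_gon) for comparison.
# Values are arrays, as LDAP attributes are multi-valued.
USER_DN = 'cn=us_nuevo_lopez,cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es'

DIRECTORY = {
  'cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es' => {
    'objectClass' => %w[posixGroup top],
    'cn'          => ['grupo_nuevo'],
    'gidNumber'   => ['503'],
    'memberUid'   => ['ulopez'],                 # bare uid strings
  },
  'cn=grupo_gon,ou=ou_nueva,dc=one,dc=es' => {   # assumed, not in post
    'objectClass' => %w[groupOfNames top],
    'cn'          => ['grupo_gon'],
    'member'      => [USER_DN],                  # full DNs
  },
  USER_DN => {
    'objectClass' => %w[inetOrgPerson posixAccount top],
    'uid'         => ['ulopez'],
    'cn'          => ['us_nuevo_lopez'],
    'gidNumber'   => ['503'],
  },
}.freeze

# Look the login name up by :user_field under :base. Returns [dn, attrs]
# or nil. The DN suffix comparison is case-insensitive, as DNs are.
def find_user(directory, base, user_field, login)
  directory.find do |dn, attrs|
    dn.downcase.end_with?(base.downcase) &&
      Array(attrs[user_field]).include?(login)
  end
end

# The membership test itself: take the user's :user_group_field value
# (the entry DN when it is 'dn', the default) and require it to appear
# among the group entry's :group_field values.
def in_group?(directory, user_dn, user_attrs, conf)
  group = directory[conf[:group]]
  return false if group.nil?

  ugf   = conf.fetch(:user_group_field, 'dn')
  value = ugf == 'dn' ? user_dn : Array(user_attrs[ugf]).first
  return false if value.nil?

  members = Array(group[conf.fetch(:group_field, 'member')])
  ugf == 'dn' ? members.any? { |m| m.casecmp?(value) } : members.include?(value)
end

# Drives both steps and returns [ok, error], wording the failure like
# the message quoted in the post.
def check_login(directory, conf, login)
  hit = find_user(directory, conf[:base], conf.fetch(:user_field, 'cn'), login)
  return [false, "User #{login} not found"] if hit.nil?

  dn, attrs = hit
  return [true, nil] if in_group?(directory, dn, attrs, conf)

  [false, "User #{login} is not in group #{conf[:group]}"]
end

BASE = 'dc=one,dc=es'

# 1. The posted config: memberUid on the group, :user_group_field left at
#    its default 'dn', so a DN is compared against uid strings -> no match.
POSTED_CONF = { base: BASE, user_field: 'uid',
                group: 'cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es',
                group_field: 'memberUid' }.freeze

# 2. Same posixGroup, but compare the user's uid, which is what memberUid holds.
UID_CONF = POSTED_CONF.merge(user_group_field: 'uid').freeze

# 3. groupOfNames: member holds DNs, so the default 'dn' matches directly.
GON_CONF = { base: BASE, user_field: 'uid',
             group: 'cn=grupo_gon,ou=ou_nueva,dc=one,dc=es',
             group_field: 'member' }.freeze

if __FILE__ == $PROGRAM_NAME
  [POSTED_CONF, UID_CONF, GON_CONF].each do |conf|
    ok, err = check_login(DIRECTORY, conf, 'ulopez')
    puts "#{conf[:group_field]} vs #{conf.fetch(:user_group_field, 'dn')}: #{ok ? 'OK' : err}"
  end
end
```

Run with ruby and the three cases print one line each. The first reproduces the posted failure: with :user_group_field at its default the user's DN is compared against memberUid, which only ever holds uid strings, so the gate fails closed. Note the difference in what the two schemes actually bind to: a DN in member names exactly one directory entry, while a uid string in memberUid is only as specific as uid uniqueness under :base, so with the memberUid scheme the uid attribute must be unique across the whole search base for the check to mean what you expect.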