[one-users] User within LDAP group authentication

Javier Fontan jfontan at opennebula.org
Thu Oct 23 09:37:40 PDT 2014


You can configure LDAP with these parameters to make it work:

The same functionality can be had by changing the configuration file:

# field that holds the user name, if not set 'cn' will be used
:user_field: 'uid'

# field name for group membership, by default it is 'member'
:group_field: 'memberUid'

# user field that is in the group group_field, if not set 'dn' will be used
:user_group_field: 'uid'

Cheers

On Fri, Oct 10, 2014 at 2:42 PM, Manuel Alfonso López Rourich
<alfonso.lopez at cenits.es> wrote:
> Hello,
>
> Thank you very much for your very quick response, but I would prefer not to
> change any OpenNebula script.
>
> Anyway, I wonder why that simple configuration doesn't work. Could someone
> who has integrated OpenLDAP groups with OpenNebula let us know his
> configuration and OpenLDAP entry types?
>
> Thank you very much
>
> Best regards
>
> 2014-10-08 12:42 GMT+02:00 Marcin Stolarek <mstol at icm.edu.pl>:
>>
>>
>>
>> On 10/08/2014 12:32 PM, Manuel Alfonso López Rourich wrote:
>>>
>>> Good morning,
>>>
>>> I'd like to ask you about an issue with user authentication in SunStone:
>>>
>>> I've configured SunStone so that new users from an OpenLDAP directory
>>> can log in (the user is created automatically in OpenNebula). It works
>>> fine but when I configure *:group* in *ldap_auth.conf*, I can't
>>> authenticate new users within an LDAP group. The error that ONE throws is
>>> clear (*"User ulopez is not in group
>>> cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es"*) but I don't know what could
>>> be done so that it works. The documentation about LDAP groups with ONE is
>>> not very clear to me.
>>>
>>> The LDAP configuration is:
>>>
>>> server 1:
>>>      :auth_method: :simple
>>>      :host: 10.12.0.3
>>>      :port: 389
>>>      :base: 'dc=one,dc=es'
>>>
>>>      # group the users need to belong to. If not set any user will do
>>>      :group: 'cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es'
>>>
>>>      # field that holds the user name, if not set 'cn' will be used
>>>      :user_field: 'uid'
>>>      # field name for group membership, by default it is 'member'
>>>      :group_field: 'memberUid'
>>>
>>>      # user field that is in the group group_field, if not set 'dn' will be used
>>>      #user_group_field: 'gidNumber'
>>>
>>> The directory entry for the group is the next one:
>>>
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es> with scope subtree
>>> # filter: (objectclass=*)
>>> # requesting: ALL
>>> #
>>>
>>> # grupo_nuevo, ou_nueva, one.es
>>> dn: cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es
>>> gidNumber: 503
>>> cn: grupo_nuevo
>>> objectClass: posixGroup
>>> objectClass: top
>>> memberUid: ulopez
>>>
>>> # us_nuevo_lopez, grupo_nuevo, ou_nueva, one.es
>>> dn: cn=us_nuevo_lopez,cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es
>>> givenName: us_nuevo
>>> gidNumber: 503
>>> homeDirectory: /home/users/ulopez
>>> sn: lopez
>>> loginShell: /bin/sh
>>> objectClass: inetOrgPerson
>>> objectClass: posixAccount
>>> objectClass: top
>>> uidNumber: 1009
>>> uid: ulopez
>>> cn: us_nuevo_lopez
>>>
>>> Thank you very much,
>>>
>>> Best regards
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.opennebula.org
>>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>>
>>
>>
>> Currently OpenNebula supports only the scheme with the "listofmembers" (not sure if
>> I haven't made a mistake in the name) objectClass.
>>
>> You can use my patch:
>>
>> https://github.com/cinek810/one/commit/925a124c96018aa8b4b44805aafa76280830a461
>>
>> to support groups in memberUid format.
>>
>> cheers,
>> marcin
>



-- 
Javier Fontán Muiños
Developer
OpenNebula - Flexible Enterprise Cloud Made Simple
www.OpenNebula.org | @OpenNebula | github.com/jfontan
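As an added illustration (not part of the thread and not OpenNebula's own ldap_auth code), the following Ruby models the membership check that the three settings Javier lists control: `group_field` names the attribute on the group entry that lists members, and `user_group_field` names the user attribute whose value is looked up in it (`'dn'` meaning the entry's own DN). The LDIF is constructed from the entries quoted in the thread, plus an assumed `groupOfNames` group called `admins` to show the default `member`/DN scheme; the lookup runs in memory instead of against a live directory, so it runs offline.

```ruby
# Added example, not OpenNebula code: in-memory model of the ldap_auth
# group-membership check driven by group_field / user_group_field.

# Constructed LDIF modelled on the thread's entries; the 'admins'
# groupOfNames entry is an assumption added to show the default scheme.
SAMPLE_LDIF = <<~LDIF
  dn: cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es
  gidNumber: 503
  cn: grupo_nuevo
  objectClass: posixGroup
  objectClass: top
  memberUid: ulopez

  dn: cn=us_nuevo_lopez,cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es
  gidNumber: 503
  objectClass: inetOrgPerson
  objectClass: posixAccount
  uidNumber: 1009
  uid: ulopez
  cn: us_nuevo_lopez

  dn: cn=admins,ou=ou_nueva,dc=one,dc=es
  objectClass: groupOfNames
  cn: admins
  member: cn=us_nuevo_lopez,cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es
LDIF

GROUP_DN = 'cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es'
USER_DN  = 'cn=us_nuevo_lopez,cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es'
ADMIN_DN = 'cn=admins,ou=ou_nueva,dc=one,dc=es'

# Parse minimal LDIF (no continuation lines, no base64 values) into
# { dn => { attribute => [values] } }. Multi-valued attributes (several
# objectClass lines, several memberUid lines) accumulate into the array.
def parse_ldif(text)
  entries = {}
  text.split(/\n\s*\n/).each do |block|
    attrs = Hash.new { |h, k| h[k] = [] }
    block.each_line do |line|
      line = line.strip
      next if line.empty? || line.start_with?('#')
      key, value = line.split(':', 2)
      attrs[key.strip] << value.to_s.strip
    end
    entries[attrs['dn'].first] = attrs unless attrs['dn'].empty?
  end
  entries
end

# Does user_dn belong to group_dn under the configured scheme?
#   group_field      -> attribute on the group holding its members
#   user_group_field -> user attribute compared against it; 'dn' means
#                       the user's own DN (the ldap_auth default)
# Values are compared case-insensitively, which is what most LDAP
# servers do for DNs and for IA5/directory strings like uid.
def in_group?(entries, user_dn, group_dn,
              group_field: 'member', user_group_field: 'dn')
  group = entries[group_dn]
  user  = entries[user_dn]
  return false if group.nil? || user.nil?

  user_value = user_group_field == 'dn' ? user_dn : user[user_group_field].first
  return false if user_value.nil?

  group[group_field].map(&:downcase).include?(user_value.downcase)
end

# The three situations from the thread, side by side.
def thread_scenarios
  entries = parse_ldif(SAMPLE_LDIF)
  {
    # Original poster: memberUid on the group, but user_group_field left at
    # its default 'dn', so 'ulopez' is compared against a full DN -> fails.
    original:  in_group?(entries, USER_DN, GROUP_DN, group_field: 'memberUid'),
    # Javier's settings: memberUid compared against the user's uid -> works.
    suggested: in_group?(entries, USER_DN, GROUP_DN,
                         group_field: 'memberUid', user_group_field: 'uid'),
    # Default scheme: a groupOfNames whose 'member' values are DNs.
    default:   in_group?(entries, USER_DN, ADMIN_DN)
  }
end

puts thread_scenarios.inspect if __FILE__ == $PROGRAM_NAME
```

Running it prints `{:original=>false, :suggested=>true, :default=>true}`, which is the thread in one line: a `posixGroup` lists `memberUid` values, so the user attribute that must be compared against it is `uid`, not the DN that the default `user_group_field` supplies.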

