Hi Carsten,<div><br></div><div>You are right, the current implementation assumes the same username. We just implemented the basic functionality, so this contribution is very useful for people that want to combine LDAP authentication with OpenNebula in a extended way, thanks for sharing it with us. </div>
<div><br></div><div>We have added a new section to our website, called "Community Wiki" inside the Documentation tab. We want this section to be a place to find useful howtos, configurations or extensions for OpenNebula, build by the community users. We would be more than happy if you add this extension to this new section. We are still developing this new wiki but I can create you an account. If you are interested, just send me a private message.</div>
<div><br></div><div>Thanks again for the contribution.</div><div><br><div class="gmail_quote">On 3 February 2011 00:52, <span dir="ltr"><Carsten.Friedrich@csiro.au></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-AU" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span lang="EN-US">The current ldap_auth module is assuming
that the username is the same as the LDAP dn entry. In more complex LDAP
installations this is often not the case and LDAP authentication is a bit more
complicated:</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">* Bind as a dedicated “search LDAP
user”</span></p>
<p class="MsoNormal"><span lang="EN-US">* Search the directory tree for the
username</span></p>
<p class="MsoNormal"><span lang="EN-US">* Get the DN from the search result</span></p>
<p class="MsoNormal"><span lang="EN-US">* Bind as the DN with the user password</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US"> I modified the current ldap_auth.rb
to use this more complex process if the auth.conf file defines “search_filter”.
In this case it expects “search_filter” to contain a suitable
search string with “@@LOGIN@@” instead of the user name (to be
replaced at runtime). E.g. something like: “(&(cn=@@LOGIN@@)(objectClass=user))”</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">It also expects the following config
entries:</span></p>
<p class="MsoNormal"><span lang="EN-US">* sec_principal : the DN of the LDAP search
user.</span></p>
<p class="MsoNormal"><span lang="EN-US">* sec_passwd: The password for the
sec_principal</span></p>
<p class="MsoNormal"><span lang="EN-US">* search_base: The base in the LDAP tree
from which to search</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">Code below:</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">#
--------------------------------------------------------------------------</span></p>
<p class="MsoNormal"><span lang="EN-US"># Copyright 2010, C12G Labs S.L., CSIRO</span></p>
<p class="MsoNormal"><span lang="EN-US">#</span></p>
<p class="MsoNormal"><span lang="EN-US"># This file is part of OpenNebula Ldap
Authentication.</span></p>
<p class="MsoNormal"><span lang="EN-US">#</span></p>
<p class="MsoNormal"><span lang="EN-US"># OpenNebula Ldap Authentication is free
software: you can redistribute it and/or modify</span></p>
<p class="MsoNormal"><span lang="EN-US"># it under the terms of the GNU General
Public License as published by</span></p>
<p class="MsoNormal"><span lang="EN-US"># the Free Software Foundation, either
version 3 of the License, or the hope</span></p>
<p class="MsoNormal"><span lang="EN-US"># That it will be useful, but (at your
option) any later version.</span></p>
<p class="MsoNormal"><span lang="EN-US">#</span></p>
<p class="MsoNormal"><span lang="EN-US"># OpenNebula Ldap Authentication is
distributed in WITHOUT ANY WARRANTY; without even</span></p>
<p class="MsoNormal"><span lang="EN-US"># the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR</span></p>
<p class="MsoNormal"><span lang="EN-US"># PURPOSE. See the GNU General Public
License for more details.</span></p>
<p class="MsoNormal"><span lang="EN-US">#</span></p>
<p class="MsoNormal"><span lang="EN-US"># You should have received a copy of the
GNU General Public License</span></p>
<p class="MsoNormal"><span lang="EN-US"># along with OpenNebula Ldap Authentication
. If not, see <<a href="http://www.gnu.org/licenses/" target="_blank">http://www.gnu.org/licenses/</a>></span></p>
<p class="MsoNormal"><span lang="EN-US">#
--------------------------------------------------------------------------</span></p>
<p class="MsoNormal"><span lang="EN-US">require 'rubygems'</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">require 'net/ldap'</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US"># Ldap authentication module.</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">class LdapAuth</span></p>
<p class="MsoNormal"><span lang="EN-US"> def initialize(config)</span></p>
<p class="MsoNormal"><span lang="EN-US">
@config = config</span></p>
<p class="MsoNormal"><span lang="EN-US"> end</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US"> def getLdap(user,
password) </span></p>
<p class="MsoNormal"><span lang="EN-US"> ldap =
Net::LDAP.new</span></p>
<p class="MsoNormal"><span lang="EN-US"> ldap.host =
@config[:ldap][:host]</span></p>
<p class="MsoNormal"><span lang="EN-US"> ldap.port =
@config[:ldap][:port]</span></p>
<p class="MsoNormal"><span lang="EN-US"> ldap.auth
user, password</span></p>
<p class="MsoNormal"><span lang="EN-US"> ldap</span></p>
<p class="MsoNormal"><span lang="EN-US"> end</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US"> def getLdapDN(user) </span></p>
<p class="MsoNormal"><span lang="EN-US">
search_filter = @config[:ldap][:search_filter]</span></p>
<p class="MsoNormal"><span lang="EN-US"> if
(search_filter.nil?)</span></p>
<p class="MsoNormal"><span lang="EN-US">
return user</span></p>
<p class="MsoNormal"><span lang="EN-US"> end</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">
search_filter = search_filter.gsub("@@LOGIN@@", user)</span></p>
<p class="MsoNormal"><span lang="EN-US"> ldap =
getLdap(@config[:ldap][:sec_principal], @config[:ldap][:sec_passwd])</span></p>
<p class="MsoNormal"><span lang="EN-US"> begin</span></p>
<p class="MsoNormal"><span lang="EN-US">
ldap.search( :base => @config[:ldap][:search_base], :attributes => 'dn', </span></p>
<p class="MsoNormal"><span lang="EN-US">
:filter => search_filter, :return_result => true ) do |entry|</span></p>
<p class="MsoNormal"><span lang="EN-US">
STDERR.puts "Found #{entry.dn}"</span></p>
<p class="MsoNormal"><span lang="EN-US">
return entry.dn</span></p>
<p class="MsoNormal"><span lang="EN-US">
end</span></p>
<p class="MsoNormal"><span lang="EN-US"> rescue
Exception => e </span></p>
<p class="MsoNormal"><span lang="EN-US">
STDERR.puts "LDAP search failed: #{e.message}"</span></p>
<p class="MsoNormal"><span lang="EN-US"> end</span></p>
<p class="MsoNormal"><span lang="EN-US"> return nil</span></p>
<p class="MsoNormal"><span lang="EN-US"> end</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US"> def auth(user_id, user,
password, token)</span></p>
<p class="MsoNormal"><span lang="EN-US"> dn =
getLdapDN(user)</span></p>
<p class="MsoNormal"><span lang="EN-US"> if(dn.nil?)</span></p>
<p class="MsoNormal"><span lang="EN-US">
STDERR.puts("User #{user} not found in LDAP")</span></p>
<p class="MsoNormal"><span lang="EN-US">
return false</span></p>
<p class="MsoNormal"><span lang="EN-US"> end</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US"> begin </span></p>
<p class="MsoNormal"><span lang="EN-US">
if getLdap(dn, token).bind</span></p>
<p class="MsoNormal"><span lang="EN-US">
STDERR.puts "User #{user} authenticated!"</span></p>
<p class="MsoNormal"><span lang="EN-US">
return true</span></p>
<p class="MsoNormal"><span lang="EN-US">
end</span></p>
<p class="MsoNormal"><span lang="EN-US"> rescue
Exception => e </span></p>
<p class="MsoNormal"><span lang="EN-US">
STDERR.puts "User authentication failed for #{entry.dn}:
#{e.message}"</span></p>
<p class="MsoNormal"><span lang="EN-US">
return false</span></p>
<p class="MsoNormal"><span lang="EN-US"> end</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US"> STDERR.puts
"User #{user} could not be authenticated."</span></p>
<p class="MsoNormal"><span lang="EN-US"> return false</span></p>
<p class="MsoNormal"><span lang="EN-US"> end</span></p>
<p class="MsoNormal"><span lang="EN-US"> end</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
</div>
</div>
<br>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opennebula.org" target="_blank">Users@lists.opennebula.org</a><br>
<a href="http://lists.opennebula.org/listinfo.cgi/users-opennebula.org" target="_blank">http://lists.opennebula.org/listinfo.cgi/users-opennebula.org</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br>Daniel Molina, Cloud Technology Engineer/Researcher<br>DSA Research Group: web <a href="http://dsa-research.org" target="_blank">http://dsa-research.org</a> and blog <a href="http://blog.dsa-research.org" target="_blank">http://blog.dsa-research.org</a><br>
OpenNebula Open Source Toolkit for Cloud Computing: <a href="http://www.OpenNebula.org" target="_blank">http://www.OpenNebula.org</a><br>
</div>