Hi Carsten,<div><br></div><div>Thanks for the ldap plugins improvements, we are certainly evaluating them to include it in the next release.</div><div><br></div><div>About the blog post, I'm going to get in touch with the community manager, since I'm sure it is interesting for the community.</div>
<div><br></div><div>And last but not least, the session in ONE is something we have in our backlog, but it unfortunately won't make it for v3.0. </div><div><br></div><div>Regards,</div><div><br></div><div>-Tino</div>
<div>
<br clear="all">--<br>Constantino Vázquez Blanco | <a href="http://dsa-research.org/tinova" target="_blank">dsa-research.org/tinova</a><br>Virtualization Technology Engineer / Researcher<br>OpenNebula Toolkit | <a href="http://opennebula.org" target="_blank">opennebula.org</a><br>
<br><br><div class="gmail_quote">On Tue, Jun 14, 2011 at 1:45 AM, <span dir="ltr"><Carsten.Friedrich@csiro.au></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
I use the OpenNebula LDAP module against a corporate LDAP server (actually LDAP interface to an AD server). This works quite well, but I had to modify it quite a bit. If you search the mailing list archives you'll find an article on how I did this (it also works with DN names with spaces).<br>
<br>
There may also be an OpenNebula blog article describing it (I wrote it quite a while back, but I'm not sure if the OpenNebula team ever approved / released it).<br>
<br>
Time-outs are a big problem as OpenNebula currently doesn't handle this very gracefully in the authentication module (the limit is hardcoded and no retry strategies). I'm also concerned about all the hits on the LDAP server this produces, especially if you use some polling front-end which updates VM status etc. I hope OpenNebula will eventually get session id, so LDAP authentication has to be done less frequently.<br>
<div class="im"><br>
Carsten<br>
<br>
Carsten Friedrich<br>
Research Team leader<br>
ICT Centre, GPO Box 664,Canberra, ACT 2601<br>
Phone: <a href="tel:%2B61%202%206216%207019" value="+61262167019">+61 2 6216 7019</a><br>
Email: Carsten.Friedrich@csiro.au<br>
Web: <a href="http://www.csiro.au/org/ICT.html" target="_blank">http://www.csiro.au/org/ICT.html</a><br>
<br>
<br>
-----Original Message-----<br>
From: <a href="mailto:users-bounces@lists.opennebula.org">users-bounces@lists.opennebula.org</a> [mailto:<a href="mailto:users-bounces@lists.opennebula.org">users-bounces@lists.opennebula.org</a>] On Behalf Of Carlos A.<br>
</div><div class="im">Sent: Tuesday, 14 June 2011 5:16<br>
To: Carlos A.<br>
Cc: <a href="mailto:users@lists.opennebula.org">users@lists.opennebula.org</a><br>
Subject: Re: [one-users] Problem with ldap authentication<br>
<br>
</div><div><div></div><div class="h5">Hi again,<br>
<br>
more on this! I managed to get a user without whitespaces and I have bad<br>
news:<br>
<br>
While a wrong DN/pass is refused almost instantly with an authentication<br>
error, I cannot manage to authenticate using the proper DN/pass. I'm back<br>
to the original situation: the "execution expired" message.<br>
<br>
In the log I can see the following message for the wrong ID:<br>
<br>
Mon Jun 13 21:11:56 2011 [AuM][D]: Message received: AUTHENTICATE<br>
FAILURE 0 false<br>
<br>
Mon Jun 13 21:11:56 2011 [AuM][E]: Auth Error: false<br>
Mon Jun 13 21:11:56 2011 [ReM][E]: [VirtualMachinePoolInfo] User<br>
couldn't be authenticated, aborting call.<br>
<br>
But nothing for the right ID.<br>
<br>
Any idea on this?<br>
<br>
Regards.<br>
<br>
<br>
On 13/06/11 18:42, Carlos A. wrote:<br>
> Hi Tino,<br>
><br>
> finally I think that I got it. The problem is that my DN has spaces in the CN.<br>
> So I think that the one_auth file is not properly handled and it results in a<br>
> failure whenever a space is used in this file. That is why I got the same<br>
> failure when changing the authentication method to "simple" or to even a<br>
> nonexistent method. It is simply because the authentication method was not<br>
> launched at all because of a previous error.<br>
><br>
> The current problem is that I cannot authenticate because my DN has spaces ;) so<br>
> I cannot use it within OpenNebula. But at least I do not get the "expired<br>
> time" error and it outputs an authentication error.<br>
><br>
> Any workaround on this?<br>
><br>
> Regards,<br>
> Carlos A.<br>
><br>
> Message quoted from "Carlos A."<<a href="mailto:caralla@upv.es">caralla@upv.es</a>>:<br>
><br>
>> Hi,<br>
>> i get the expected output<br>
>> --<br>
</div></div>>> Sent from my Android phone with K-9 Mail. Please excuse my brevity.<br>
>><br>
>> Tino Vazquez<<a href="mailto:tinova@opennebula.org">tinova@opennebula.org</a>> wrote:<br>
<div class="im">>><br>
>> Hi Carlos,<br>
>><br>
>> Let's try executing the auth mad by hand (the error, from your input,<br>
>> seems not to be exclusive of the ldap addon, but rather of the auth<br>
>> module), to discard missing gems<br>
>><br>
>> # $ONE_LOCATION/lib/mads/one_auth_mad<br>
>><br>
>> after hitting return, it will wait for input, type<br>
>><br>
>> INIT<br>
>><br>
>> you should get<br>
>><br>
>> INIT SUCCESS - -<br>
>><br>
>> Regards,<br>
>><br>
>> -Tino<br>
>><br>
>> --<br>
</div>>> Constantino Vázquez Blanco, MSc<br>
<div class="im">>> OpenNebula Major Contributor<br>
>> <a href="http://www.OpenNebula.org" target="_blank">www.OpenNebula.org</a> | @tinova79<br>
>><br>
>><br>
>><br>
>> On Mon, Jun 13, 2011 at 1:29 PM, Carlos A.<<a href="mailto:caralla@upv.es">caralla@upv.es</a>> wrote:<br>
>>> Hi Tino,<br>
>>><br>
>>> more info on this.<br>
>>><br>
>>> While using my test script to authenticate I can see the success in the ldap<br>
>>> server, I cannot see any information when trying to authenticate using ONE.<br>
>>><br>
</div>>>> On 13/06/11 12:43, Tino Vazquez wrote:<br>
<div class="im">>>>> Hi Carlos,<br>
>>>><br>
>>>> This may be due to an eager timeout that the core imposes over the ldap<br>
>>>> driver.<br>
>>>><br>
>>>> Please find attached a patch for the OpenNebula source code, please<br>
>>>> apply it, recompile and reinstall, we would appreciate feedback on<br>
>>>> whether this fixes the improper ldap plugin behavior or not.<br>
>>>><br>
>>>> Regards,<br>
>>>><br>
>>>> -Tino<br>
>>>><br>
>>>> --<br>
</div>>>>> Constantino Vázquez Blanco, MSc<br>
<div class="im">>>>> OpenNebula Major Contributor<br>
>>>> <a href="http://www.OpenNebula.org" target="_blank">www.OpenNebula.org</a> | @tinova79<br>
>>>><br>
>>>><br>
>>>><br>
>>>> On Sat, Jun 11, 2011 at 10:22 AM, Carlos A.<<a href="mailto:caralla@upv.es">caralla@upv.es</a>> wrote:<br>
>>>>> Hello,<br>
>>>>><br>
>>>>> any help on this? Is the ldap addon supposed to work with OpenNebula 2.2? Has<br>
>>>>> anyone tried it?<br>
>>>>><br>
</div>>>>>> On 09/06/2011 10:46, Carlos A. wrote:<br>
<div class="im">>>>>>> Hello,<br>
>>>>>><br>
>>>>>> first of all, thank you for your response.<br>
>>>>>><br>
>>>>>> Once I have managed to make ldap_auth work, I found the following issue:<br>
>>>>>><br>
>>>>>> root@keo01:/srv/cloud/one# onevm list<br>
>>>>>> execution expired<br>
>>>>>><br>
>>>>>> I cannot manage to authenticate against my ldap server. I have tried the<br>
>>>>>> ldap authentication that is carried out by ONE:<br>
>>>>>><br>
>>>>>> require 'rubygems'<br>
>>>>>> require 'net/ldap'   # net-ldap gem<br>
>>>>>> ldap = Net::LDAP.new<br>
>>>>>> ldap.host = "my.ldap.server"<br>
>>>>>> ldap.port = 389<br>
>>>>>> ldap.auth "my-dn", "my-pass"   # simple bind: bind DN and password<br>
>>>>>> print ldap.bind   # true if the bind succeeded, false if refused<br>
>>>>>><br>
>>>>>> It is properly working, as my server authenticates me. I have (of<br>
>>>>>> course)<br>
>>>>>> tried changing the password and it works as expected.<br>
>>>>>><br>
>>>>>> Diving into the code, it seems that there is some problem in the file<br>
>>>>>> "src/um/UserPool.cc", at<br>
>>>>>> authm->trigger(AuthManager::AUTHENTICATE,&ar);<br>
>>>>>> ar.wait();<br>
>>>>>><br>
>>>>>> Any idea?<br>
>>>>>><br>
>>>>>><br>
</div>>>>>>> On 09/06/11 00:51, Carsten.Friedrich@csiro.au wrote:<br>
<div><div></div><div class="h5">>>>>>>> The official OpenNebula installation instructions for the ldap driver<br>
>>>>>>> are<br>
>>>>>>> incomplete and fail to mention some software packages that you have to<br>
>>>>>>> install first. I don't remember which ones they were, but you can find<br>
>>>>>>> out<br>
>>>>>>> as follows:<br>
>>>>>>><br>
>>>>>>> * cd to .../lib/ruby<br>
>>>>>>> * execute 'ruby ldap_auth.rb'.<br>
>>>>>>> * Ruby will complain about any missing packages. Install those until<br>
>>>>>>> ruby<br>
>>>>>>> is happy.<br>
>>>>>>><br>
>>>>>>> Carsten<br>
>>>>>>><br>
>>>>>>><br>
>>>>>>> Carsten Friedrich<br>
>>>>>>> Research Team leader<br>
>>>>>>> ICT Centre, GPO Box 664,Canberra, ACT 2601<br>
>>>>>>> Phone: <a href="tel:%2B61%202%206216%207019" value="+61262167019">+61 2 6216 7019</a><br>
>>>>>>> Email: Carsten.Friedrich@csiro.au<br>
>>>>>>> Web: <a href="http://www.csiro.au/org/ICT.html" target="_blank">http://www.csiro.au/org/ICT.html</a><br>
>>>>>>><br>
>>>>>>><br>
>>>>>>><br>
>>>>>>> -----Original Message-----<br>
>>>>>>> From: <a href="mailto:users-bounces@lists.opennebula.org">users-bounces@lists.opennebula.org</a><br>
>>>>>>> [mailto:<a href="mailto:users-bounces@lists.opennebula.org">users-bounces@lists.opennebula.org</a>] On Behalf Of Carlos A.<br>
>>>>>>> Sent: Wednesday, 8 June 2011 18:17<br>
>>>>>>> To: <a href="mailto:users@lists.opennebula.org">users@lists.opennebula.org</a><br>
>>>>>>> Subject: Re: [one-users] Problem with ldap authentication<br>
>>>>>>><br>
>>>>>>> any help on this?<br>
>>>>>>><br>
</div></div>>>>>>>> On 02/06/11 16:55, Carlos A. wrote:<br>
<div><div></div><div class="h5">>>>>>>>> More information on this:<br>
>>>>>>>><br>
>>>>>>>> in /srv/cloud/one/var/oned.log I can see<br>
>>>>>>>> Thu Jun 2 16:52:09 2011 [ONE][I]: Init OpenNebula Log system<br>
>>>>>>>> Thu Jun 2 16:52:09 2011 [ONE][I]: Log Level: 3<br>
>>>>>>>> [0=ERROR,1=WARNING,2=INFO,3=DEBUG]<br>
>>>>>>>> Thu Jun 2 16:52:09 2011 [ONE][I]:<br>
>>>>>>>> _____________________________________________<br>
>>>>>>>> Thu Jun 2 16:52:09 2011 [ONE][I]: OpenNebula Configuration File<br>
>>>>>>>> Thu Jun 2 16:52:09 2011 [ONE][I]:<br>
>>>>>>>> _____________________________________________<br>
>>>>>>>> Thu Jun 2 16:52:09 2011 [ONE][I]:<br>
>>>>>>>> _____________________________________________<br>
>>>>>>>> AUTH_MAD=EXECUTABLE=/srv/cloud/one/lib/mads/one_auth_mad<br>
>>>>>>>> DB=BACKEND=sqlite<br>
>>>>>>>> DEBUG_LEVEL=3<br>
>>>>>>>> DEFAULT_DEVICE_PREFIX=hd<br>
>>>>>>>> DEFAULT_IMAGE_TYPE=OS<br>
>>>>>>>> HM_MAD=EXECUTABLE=one_hm<br>
>>>>>>>> HOST_MONITORING_INTERVAL=600<br>
>>>>>>>> IMAGE_REPOSITORY_PATH=/srv/cloud/one/var//images<br>
>>>>>>>> IM_MAD=ARGUMENTS=-r 0 -t 15 kvm,EXECUTABLE=one_im_ssh,NAME=im_kvm<br>
>>>>>>>> MAC_PREFIX=02:00<br>
>>>>>>>> MANAGER_TIMER=15<br>
>>>>>>>> NETWORK_SIZE=254<br>
>>>>>>>> PORT=2633<br>
>>>>>>>> SCRIPTS_REMOTE_DIR=/var/tmp/one<br>
>>>>>>>> TM_MAD=ARGUMENTS=tm_nfs/tm_nfs.conf,EXECUTABLE=one_tm,NAME=tm_nfs<br>
>>>>>>>> VM_DIR=/srv/cloud/one/var/<br>
>>>>>>>> VM_HOOK=ARGUMENTS=$VMID,COMMAND=image.rb,NAME=image,ON=DONE<br>
>>>>>>>> VM_MAD=ARGUMENTS=-t 15 -r 0 kvm,DEFAULT=vmm_ssh/vmm_ssh_kvm.conf,EXECUTABLE=one_vmm_ssh,NAME=vmm_kvm,TYPE=kvm<br>
>>>>>>>> VM_POLLING_INTERVAL=600<br>
>>>>>>>> VNC_BASE_PORT=5900<br>
>>>>>>>> _____________________________________________<br>
>>>>>>>> Thu Jun 2 16:52:09 2011 [ONE][I]: Bootstraping OpenNebula database.<br>
>>>>>>>> Thu Jun 2 16:52:09 2011 [VMM][I]: Starting Virtual Machine Manager...<br>
>>>>>>>> Thu Jun 2 16:52:09 2011 [LCM][I]: Starting Life-cycle Manager...<br>
>>>>>>>> Thu Jun 2 16:52:09 2011 [VMM][I]: Virtual Machine Manager started.<br>
>>>>>>>> Thu Jun 2 16:52:09 2011 [InM][I]: Starting Information Manager...<br>
>>>>>>>> Thu Jun 2 16:52:09 2011 [InM][I]: Information Manager started.<br>
>>>>>>>> Thu Jun 2 16:52:09 2011 [LCM][I]: Life-cycle Manager started.<br>
>>>>>>>> Thu Jun 2 16:52:09 2011 [TrM][I]: Starting Transfer Manager...<br>
>>>>>>>> Thu Jun 2 16:52:09 2011 [DiM][I]: Starting Dispatch Manager...<br>
>>>>>>>> Thu Jun 2 16:52:09 2011 [TrM][I]: Transfer Manager started.<br>
>>>>>>>> Thu Jun 2 16:52:09 2011 [DiM][I]: Dispatch Manager started.<br>
>>>>>>>> Thu Jun 2 16:52:09 2011 [ReM][I]: Starting Request Manager...<br>
>>>>>>>> Thu Jun 2 16:52:09 2011 [ReM][I]: Starting XML-RPC server, port 2633<br>
>>>>>>>> ...<br>
>>>>>>>> Thu Jun 2 16:52:09 2011 [ReM][I]: Request Manager started.<br>
>>>>>>>> Thu Jun 2 16:52:09 2011 [HKM][I]: Starting Hook Manager...<br>
>>>>>>>> Thu Jun 2 16:52:09 2011 [AuM][I]: Starting Auth Manager...<br>
>>>>>>>> Thu Jun 2 16:52:09 2011 [AuM][I]: Authorization Manager started.<br>
>>>>>>>> Thu Jun 2 16:52:09 2011 [HKM][I]: Hook Manager started.<br>
>>>>>>>> Thu Jun 2 16:52:11 2011 [VMM][I]: Loading Virtual Machine Manager<br>
>>>>>>>> drivers.<br>
>>>>>>>> Thu Jun 2 16:52:11 2011 [VMM][I]: Loading driver: vmm_kvm (KVM)<br>
>>>>>>>> Thu Jun 2 16:52:11 2011 [VMM][I]: Driver vmm_kvm loaded.<br>
>>>>>>>> Thu Jun 2 16:52:11 2011 [InM][I]: Loading Information Manager<br>
>>>>>>>> drivers.<br>
>>>>>>>> Thu Jun 2 16:52:11 2011 [InM][I]: Loading driver: im_kvm<br>
>>>>>>>> Thu Jun 2 16:52:11 2011 [InM][I]: Driver im_kvm loaded<br>
>>>>>>>> Thu Jun 2 16:52:11 2011 [TM][I]: Loading Transfer Manager drivers.<br>
>>>>>>>> Thu Jun 2 16:52:11 2011 [VMM][I]: Loading driver: tm_nfs<br>
>>>>>>>> Thu Jun 2 16:52:11 2011 [TM][I]: Driver tm_nfs loaded.<br>
>>>>>>>> Thu Jun 2 16:52:11 2011 [HKM][I]: Loading Hook Manager driver.<br>
>>>>>>>> Thu Jun 2 16:52:11 2011 [HKM][I]: Hook Manager loaded<br>
>>>>>>>> Thu Jun 2 16:52:11 2011 [AuM][I]: Loading Auth. Manager driver.<br>
>>>>>>>> Thu Jun 2 16:52:11 2011 [MAD][E]: MAD did not answer INIT command<br>
>>>>>>>> Thu Jun 2 16:52:12 2011 [ReM][D]: VirtualMachinePoolInfo method<br>
>>>>>>>> invoked<br>
>>>>>>>> Thu Jun 2 16:52:12 2011 [AuM][E]: Auth Error: Could not find<br>
>>>>>>>> Authorization driver<br>
>>>>>>>> Thu Jun 2 16:52:12 2011 [ReM][E]: [VirtualMachinePoolInfo] User<br>
>>>>>>>> couldn't be authenticated, aborting call.<br>
>>>>>>>><br>
>>>>>>>> It seems that it cannot find the driver as a relative path name, but I<br>
>>>>>>>> have also tried to use the full path of the auth driver.<br>
>>>>>>>><br>
>>>>>>>> Any help would be appreciated.<br>
>>>>>>>><br>
>>>>>>>> Regards,<br>
>>>>>>>> Carlos A.<br>
>>>>>>>><br>
>>>>>>>><br>
</div></div>>>>>>>>> On 02/06/11 11:39, Carlos A. wrote:<br>
<div><div></div><div class="h5">>>>>>>>>> Hello,<br>
>>>>>>>>><br>
>>>>>>>>> I have just installed the ldap authentication addon on a fresh ONE<br>
>>>>>>>>> install. I followed the instructions and I found that I cannot<br>
>>>>>>>>> authenticate against the LDAP server.<br>
>>>>>>>>><br>
>>>>>>>>> What am I doing wrong?<br>
>>>>>>>>><br>
>>>>>>>>> _____________________________________________<br>
>>>>>>>>> carlos@keo01:~$ onevm list<br>
>>>>>>>>> [VirtualMachinePoolInfo] User couldn't be authenticated, aborting<br>
>>>>>>>>> call.<br>
>>>>>>>>><br>
>>>>>>>>> carlos@keo01:~$ tail /srv/cloud/one/var/oned.log<br>
>>>>>>>>> (...)<br>
>>>>>>>>> Thu Jun 2 11:27:22 2011 [AuM][E]: Auth Error: Could not find<br>
>>>>>>>>> Authorization driver<br>
>>>>>>>>> Thu Jun 2 11:27:22 2011 [ReM][E]: [VirtualMachinePoolInfo] User<br>
>>>>>>>>> couldn't be authenticated, aborting call.<br>
>>>>>>>>> (...)<br>
>>>>>>>>><br>
>>>>>>>>> calfonso@keo01:/srv/cloud/one/lib/mads$ ls -l one_auth_mad*<br>
>>>>>>>>> -rwxr-xr-x 1 oneadmin root 1632 Jun 2 09:53 one_auth_mad<br>
>>>>>>>>> -rwxr-xr-x 1 oneadmin root 3341 Jun 2 09:58 one_auth_mad.rb<br>
>>>>>>>>><br>
>>>>>>>>> carlos@keo01:/srv/cloud/one/lib/mads$ ls -l<br>
>>>>>>>>> /srv/cloud/one/lib/ruby/ldap_auth.rb<br>
>>>>>>>>> -rw-r--r-- 1 oneadmin cloud 1340 Jun 2 09:58<br>
>>>>>>>>> /srv/cloud/one/lib/ruby/ldap_auth.rb<br>
>>>>>>>>><br>
>>>>>>>>> *** content of /srv/cloud/one/etc/auth/auth.conf<br>
>>>>>>>>> :database: sqlite://auth.db<br>
>>>>>>>>> :authentication: ldap<br>
>>>>>>>>> :quota:<br>
>>>>>>>>> &nbsp;&nbsp;:enabled: false<br>
>>>>>>>>> &nbsp;&nbsp;:defaults:<br>
>>>>>>>>> &nbsp;&nbsp;&nbsp;&nbsp;:cpu: 10.0<br>
>>>>>>>>> &nbsp;&nbsp;&nbsp;&nbsp;:memory: 1048576<br>
>>>>>>>>> :ldap:<br>
>>>>>>>>> &nbsp;&nbsp;:host: my.ldap.server<br>
>>>>>>>>> &nbsp;&nbsp;:port: 389<br>
>>>>>>>>><br>
>>>>>>>>><br>
>>>>>>>>> *** content of /srv/cloud/one/etc/oned.conf<br>
>>>>>>>>> (...)<br>
>>>>>>>>> AUTH_MAD = [<br>
>>>>>>>>> executable = "one_auth_mad" ]<br>
>>>>>>>>><br>
>>>>>>>>> _____________________________________________<br>
>><br>
<br>
</div></div>_______________________________________________<br>
<div><div></div><div class="h5">Users mailing list<br>
<a href="mailto:Users@lists.opennebula.org">Users@lists.opennebula.org</a><br>
<a href="http://lists.opennebula.org/listinfo.cgi/users-opennebula.org" target="_blank">http://lists.opennebula.org/listinfo.cgi/users-opennebula.org</a><br>
</div></div></blockquote></div><br></div>
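<p>The thread above turns on three things: a one_auth-style "dn:password" secret that breaks when the DN contains spaces, an LDAP bind that hangs until the core's hardcoded timeout fires ("execution expired"), and Carsten's concern that every API call re-binds against the directory with no retry strategy. The block below is an added example written for this page; it is not OpenNebula's ldap_auth.rb or one_auth_mad, and it does not use the project's real driver protocol. It shows how a bind wrapper can split the secret on the first colon only (so a DN such as CN=Carlos Alfonso,... survives and the password may contain colons), what RFC 4514 actually requires for a DN value with spaces (nothing for embedded spaces), and how to bound each bind by a timeout and retry only on timeout or socket errors, never on a refused credential, since retrying a bad password only multiplies load on the directory and can trip lockout policies. The LDAP bind is injected as a callable so the file runs offline; `ScriptedBind`, the DN, password and scenarios are all constructed for the demo. The names `parse_one_auth`, `escape_rdn_value`, `authenticate_with_retry`, `AuthRefused` and `AuthUnavailable` are this example's own, not OpenNebula identifiers.</p>

```ruby
# Added example, not part of the thread and not OpenNebula's ldap_auth.rb or
# one_auth_mad. Demonstrates: splitting "dn:password" on the FIRST colon only
# (a DN may contain spaces/commas, a password may contain colons), RFC 4514
# escaping of a DN value, and a bind bounded by a timeout that is retried only
# on timeout/network errors, never on an invalid-credentials result.
# The bind is injected as a callable so this runs offline; with the net-ldap
# gem you would pass `-> { ldap.bind }` built as in the thread.
require 'timeout'

class AuthRefused < StandardError; end      # wrong DN or password: do not retry
class AuthUnavailable < StandardError; end  # no usable answer after all attempts

# Split "dn:password" on the first ':' only. (Illustrative parser, not the
# project's own handling of one_auth.)
def parse_one_auth(line)
  line = line.strip
  idx = line.index(':')
  raise ArgumentError, 'expected "dn:password"' if idx.nil? || idx.zero?
  [line[0...idx], line[(idx + 1)..-1]]
end

# Escape one RDN attribute value per RFC 4514: , + " \ < > ; anywhere, '#' at
# the start, a space at the start or end. Embedded spaces are left alone.
def escape_rdn_value(value)
  s = value.gsub(/[,+"\\<>;]/) { |m| "\\#{m}" }
  s = s.sub(/\A#/) { '\\#' }
  s = s.sub(/\A /) { '\\ ' }
  s.sub(/ \z/) { '\\ ' }
end

# bind_call: zero-arg callable returning true (bound) or false (refused), or
# raising on network trouble. Each attempt is bounded by timeout_s; only
# timeouts and socket errors are retried, with exponential backoff.
def authenticate_with_retry(bind_call, timeout_s: 5, attempts: 3,
                            backoff_s: 0.5, sleeper: ->(s) { sleep(s) })
  last_error = nil
  attempts.times do |i|
    begin
      bound = Timeout.timeout(timeout_s) { bind_call.call }
      return true if bound
      raise AuthRefused, 'LDAP bind refused: invalid DN or password'
    rescue Timeout::Error, SystemCallError, IOError => e
      last_error = e
      sleeper.call(backoff_s * (2**i)) if i < attempts - 1
    end
  end
  raise AuthUnavailable,
        "LDAP server unavailable after #{attempts} attempts (#{last_error.class})"
end

# Constructed stand-in for Net::LDAP#bind: plays back scripted outcomes
# (true/false, or an exception class to raise). No server is contacted.
class ScriptedBind
  attr_reader :calls
  def initialize(outcomes)
    @outcomes = outcomes.dup
    @calls = 0
  end
  def call
    @calls += 1
    outcome = @outcomes.shift
    raise outcome if outcome.is_a?(Class) && outcome <= Exception
    outcome
  end
end

# Runs the scenarios from the thread against the helpers; returns a Hash.
def demo
  r = {}
  r[:dn], r[:password] =
    parse_one_auth('CN=Carlos Alfonso,OU=Users,DC=example,DC=org:s3cret:with:colons')
  r[:escaped] = escape_rdn_value(' Carlos Alfonso, Jr. ')

  ok = ScriptedBind.new([true])                      # right credentials
  r[:ok] = authenticate_with_retry(ok, timeout_s: 1, backoff_s: 0)
  r[:ok_calls] = ok.calls

  bad = ScriptedBind.new([false, true])              # wrong password
  begin
    authenticate_with_retry(bad, timeout_s: 1, backoff_s: 0)
  rescue AuthRefused
    r[:refused_calls] = bad.calls                    # refused at once, not retried
  end

  flaky = ScriptedBind.new([Errno::ECONNREFUSED, Errno::ECONNREFUSED, true])
  r[:recovered] = authenticate_with_retry(flaky, timeout_s: 1, backoff_s: 0)
  r[:recovered_calls] = flaky.calls                  # two retries, then bound

  hang = -> { sleep 5; true }                        # server accepts, never answers
  t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  begin
    authenticate_with_retry(hang, timeout_s: 0.05, attempts: 2, backoff_s: 0)
  rescue AuthUnavailable
    r[:gave_up] = true
  end
  r[:bounded] = Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0 < 1.0
  r
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

<p>Run it with `ruby` and the hanging scenario gives up in roughly a tenth of a second instead of blocking the caller, while the refused-password scenario makes exactly one directory round trip. The split between `AuthRefused` and `AuthUnavailable` is the part worth carrying into a real driver: the core can map the first to an immediate authentication failure and the second to a retry or a temporary error, rather than reporting both as "execution expired".</p>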