<div>Hi,</div><br><div class="gmail_quote">On Mon, Mar 25, 2013 at 2:48 PM, Nicolas Bélan <span dir="ltr"><<a href="mailto:nicolas.belan@gmail.com" target="_blank">nicolas.belan@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
Hello,<br>
<br>
the problem is that password is in a LDAP tree, and I do not get
clear user password from the user (got it in SHA1) through web
connection.<br>
<br>
I only map ldap[uidnumber] to get various other informations (DNS
owner, SMTP accounting, Support requests and so on).<br>
I would like to keep avoiding getting clear text password to access
OpenNebula Interface.<br>
If it is not possible, I may get access directly to SQL Database,
but this not what I would like to do first ...<br></div></blockquote><div><br></div><div><div>In that case serveradmin is the right approach.</div><div><br></div><div>I see in your first email that you already found login_token in server_cipher_auth.rb. Maybe you were not using the same encryption algorithm, aes-256-cbc?</div>
<div><br></div><div>Regards</div><div><br></div>PS: Please reply to the list, more people may find it useful...<br clear="all"><div>--<br>Carlos Martín, MSc<br>Project Engineer<br>OpenNebula - The Open-source Solution for Data Center Virtualization<div>
<span style="border-collapse:collapse;color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px"><a href="http://www.opennebula.org/" target="_blank">www.OpenNebula.org</a> | <a href="mailto:cmartin@opennebula.org" target="_blank">cmartin@opennebula.org</a> | <a href="http://twitter.com/opennebula" target="_blank">@OpenNebula</a></span></div>
</div></div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div text="#000000" bgcolor="#FFFFFF">
Regards,<br>
nicolas.<br>
<br>
<div>Le 25/03/2013 11:29, Carlos Martín
Sánchez a écrit :<br>
</div><div><div class="h5">
<blockquote type="cite">Hi,
<div><br>
</div>
<div>The serveradmin users allows more secure communications, and
advanced authentication scenarios, like browser certificates
[1]. But if you are building a simple user interface, you might
want to keep things simple and use the 'username:password'
session token for your xmlrpc requests.</div>
<div><br>
</div>
<div>Regards</div>
<div><br>
</div>
<div>[1] <a href="http://opennebula.org/documentation:rel3.8:sunstone#x509_auth" target="_blank">http://opennebula.org/documentation:rel3.8:sunstone#x509_auth</a><br clear="all">
<div>--<br>
Carlos Martín, MSc<br>
Project Engineer<br>
OpenNebula - The Open-source Solution for Data Center
Virtualization
<div><span style="border-collapse:collapse;color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px"><a href="http://www.OpenNebula.org" target="_blank">www.OpenNebula.org</a> | <a href="mailto:cmartin@opennebula.org" target="_blank">cmartin@opennebula.org</a>
| <a href="http://twitter.com/opennebula" target="_blank">@OpenNebula</a></span><span style="border-collapse:collapse;color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px"></span></div>
</div>
<br>
<br>
<div class="gmail_quote">On Fri, Mar 22, 2013 at 5:46 PM,
Nicolas Bélan <span dir="ltr"><<a href="mailto:nicolas.belan@gmail.com" target="_blank">nicolas.belan@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hello,<br>
<br>
well, i would like to display to user their vm, networks,
images and so on, according to the role and access of each
user.<br>
so i am trying to use as much as possible openNebula rbac
and rpc to retrieve only right informations.<br>
the step after is to deploy vm as user, not as oneadmin or
serveradmin, but directly as "user"<br>
<br>
the service i am building is a very simplified user
interface. the step after for the user is to have access to
self service, but to begin, i would like to hide some
concepts to make easier cloud access.<br>
<br>
best regards,<br>
nicolas<br>
Le 22 mars 2013 à 17:25, Tino Vazquez <<a href="mailto:tinova@opennebula.org" target="_blank">tinova@opennebula.org</a>>
a écrit :<br>
<div>
<div><br>
> Hi Nicolas,<br>
><br>
> serveradmin is used by Sunstone and related
interface services. Did<br>
> you try it out with other users (ie, oneadmin)?<br>
><br>
> Depending on what type of service you are building,
you may be<br>
> interested indeed in serveradmin. Could you
elaborate a bit more on<br>
> that?<br>
><br>
> Regards<br>
> --<br>
> Constantino Vázquez Blanco, PhD, MSc<br>
> Project Engineer<br>
> OpenNebula - The Open-Source Solution for Data
Center Virtualization<br>
> <a href="http://www.OpenNebula.org" target="_blank">www.OpenNebula.org</a>
| @tinova79 | @OpenNebula<br>
><br>
><br>
> On Fri, Mar 22, 2013 at 4:16 PM, Nicolas Bélan <<a href="mailto:nicolas.belan@gmail.com" target="_blank">nicolas.belan@gmail.com</a>>
wrote:<br>
>> Hello the list,<br>
>><br>
>> I am trying (unsuccessfully) to call RPM
methods.<br>
>><br>
>> The problem is that I can not make my user
authenticated by code (while<br>
>> it is ok with <a href="http://localhost:4567/ui" target="_blank">http://localhost:4567/ui</a>)<br>
>> I am using version 3.8.3.<br>
>><br>
>> I am trying to user
serveradmin:<user>:<password> with it does
not work<br>
>> as written in the documentation.<br>
>> Deeply investigating, I found, in<br>
>> /usr/lib/one/ruby/server_cipher_auth.rb that
the third part is a token,<br>
>> but i am not ruby compliant....<br>
>> It seems, If i understand, that:<br>
>> a string is built with:
"serveradmin:username:time()+expire"<br>
>> the serveradmin password is used to create a
key.<br>
>> This key is then used to cipher (salted ?) the
previous string.<br>
>> The result is then appended like that:<br>
>>
"serveradmin:username:cipher(key,serveradmin:username:time()+expire)"<br>
>> and sent as the first parameter of the rpc
call.<br>
>> Am i completely wrong ?<br>
>> For example:<br>
>>
serveradmin:user_example:PWyaJz96iwdYldYoPHXWZYkBMbuvKIEXiTVb0WuAHURYuQ2Dzmhnzjm0JDNCMchB<br>
>><br>
>> Using perl, I failed to authenticate user ....<br>
>> using tcpdump, it seems that the third part is
quite constant during a<br>
>> certain laps of time ...<br>
>> So, I may be wrong with my time() expire part
....<br>
>> Can you help me writing this part of code ?
Perl or PHP are welcome ;)<br>
>><br>
>> Thank you for you help<br>
>><br>
>> Best regards,<br>
>> Nicolas.<br>
>><br>
>><br>
>><br>
>><br>
>><br>
>><br>
>> _______________________________________________<br>
>> Users mailing list<br>
>> <a href="mailto:Users@lists.opennebula.org" target="_blank">Users@lists.opennebula.org</a><br>
>> <a href="http://lists.opennebula.org/listinfo.cgi/users-opennebula.org" target="_blank">http://lists.opennebula.org/listinfo.cgi/users-opennebula.org</a><br>
>><br>
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opennebula.org" target="_blank">Users@lists.opennebula.org</a><br>
<a href="http://lists.opennebula.org/listinfo.cgi/users-opennebula.org" target="_blank">http://lists.opennebula.org/listinfo.cgi/users-opennebula.org</a><br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br>