<div dir="ltr"><div><br></div><div>Hi, </div><div><br></div><div>I'm pretty new to OpenNebula and had some trouble getting LDAP integration to work. I made the following changes to ldap_auth.rb and am now up and running. Am I missing something, or does this need a bug (or several bugs)? I am not very experienced with ruby, but hacked my way through it. </div>
<div><br></div><div>1) multi-line ldap.search() statements resulted in syntax errors. Reducing them to a single line fixed it</div><div><br></div><div>2) Our LDAP server keeps group members like this:</div><div><br></div>
<div>member: uid=jryan,ou=People,dc=awesome,dc=com</div><div><br></div><div>which didn't work as a filter in the group matching section, even when the whole search() was on one line. I used a Net::LDAP::Filter object with the same filter string, and it worked.</div>
<div><br></div><div>3) The cloning of the initial Net::LDAP object to test the user's credentials resulted in the script binding as the user who did the initial search, which of course was able to bind. This meant that no matter what password the user passed in, as long as they were in the LDAP directory and in the group specified, their user was created in ONE and they could repeatedly log in -- security hole!!!!</div>
<div><br></div><div>I wiped out the auth info from the cloned ldap object and replaced it with the user's credentials. </div><div><br></div><div><font face="courier new, monospace">root@ops-vm-opennebula:/usr/lib/one/ruby/opennebula# diff ldap_auth.rb{,.new} -u</font></div>
<div><font face="courier new, monospace">--- ldap_auth.rb 2013-05-17 10:57:50.000000000 -0700</font></div><div><font face="courier new, monospace">+++ ldap_auth.rb.new 2013-06-28 18:24:28.305292002 -0700</font></div><div>
<font face="courier new, monospace">@@ -52,9 +52,7 @@</font></div><div><font face="courier new, monospace"> </font></div><div><font face="courier new, monospace"> def find_user(name)</font></div><div><font face="courier new, monospace"> begin</font></div>
<div><font face="courier new, monospace">- result=@ldap.search(</font></div><div><font face="courier new, monospace">- :base => @options[:base],</font></div><div><font face="courier new, monospace">- :filter => "#{@options[:user_field]}=#{name}")</font></div>
<div><font face="courier new, monospace">+ result=@ldap.search( :base => @options[:base], :filter => "#{@options[:user_field]}=#{name}")</font></div><div><font face="courier new, monospace"> </font></div>
<div><font face="courier new, monospace"> if result && result.first</font></div><div><font face="courier new, monospace"> [result.first.dn, result.first[@options[:user_group_field]]]</font></div>
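Review bot: the `+` line in find_user still builds the filter by interpolating `name` straight into a string, `"#{@options[:user_field]}=#{name}"`, so a login name containing filter metacharacters such as `*`, `(`, `)` or `\` changes the meaning of the search rather than being matched literally; build it with Net::LDAP::Filter.eq(@options[:user_field], name), as the is_in_group? hunk in this same patch does, so the value is sent as an equality match instead of being re-parsed as filter text, and check whether the installed net-ldap version still treats a `*` inside the value as a wildcard, rejecting such names if it does. Collapsing the call onto one line changes only layout, so the hunk would be smaller and easier to review with the original multi-line argument list kept.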
<div><font face="courier new, monospace">@@ -73,9 +71,8 @@</font></div><div><font face="courier new, monospace"> end</font></div><div><font face="courier new, monospace"> </font></div><div><font face="courier new, monospace"> def is_in_group?(user, group)</font></div>
<div><font face="courier new, monospace">- result=@ldap.search(</font></div><div><font face="courier new, monospace">- :base => group,</font></div><div><font face="courier new, monospace">- :filter => "(#{@options[:group_field]}=#{user.first})")</font></div>
<div><font face="courier new, monospace">+ filter = Net::LDAP::Filter.eq(@options[:group_field],user.first)</font></div><div><font face="courier new, monospace">+ result=@ldap.search( :base => group, :filter => filter )</font></div>
<div><font face="courier new, monospace"> </font></div><div><font face="courier new, monospace"> if result && result.first</font></div><div><font face="courier new, monospace"> true</font></div>
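Review bot: the is_in_group? rewrite is the right shape: Net::LDAP::Filter.eq sends the DN as an equality-match value rather than having the text `(member=uid=jryan,ou=People,dc=awesome,dc=com)` re-parsed as a filter string, which is the likely reason the string form with `=` signs inside the value did not match. One style point: the spaces inside `search( :base => group, :filter => filter )` differ from the rest of the file, and `user.first` is the DN returned by find_user, so it is worth a comment on the method stating that @options[:group_field] must name an attribute holding full member DNs.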
<div><font face="courier new, monospace">@@ -87,13 +84,10 @@</font></div><div><font face="courier new, monospace"> def authenticate(user, password)</font></div><div><font face="courier new, monospace"> ldap=@ldap.clone</font></div>
<div><font face="courier new, monospace"> </font></div><div><font face="courier new, monospace">- auth={</font></div><div><font face="courier new, monospace">- :method => @options[:auth_method],</font></div>
<div><font face="courier new, monospace">- :username => user,</font></div><div><font face="courier new, monospace">- :password => password</font></div><div><font face="courier new, monospace">- }</font></div>
<div><font face="courier new, monospace">+ ldap.auth nil,nil</font></div><div><font face="courier new, monospace">+ ldap.auth user, password</font></div><div><font face="courier new, monospace"> </font></div><div><font face="courier new, monospace">- if ldap.bind(auth)</font></div>
<div><font face="courier new, monospace">+ if ldap.bind()</font></div><div><font face="courier new, monospace"> true</font></div><div><font face="courier new, monospace"> else</font></div><div><font face="courier new, monospace"> false</font></div>
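Review bot: `ldap.auth nil,nil` is redundant, because the following `ldap.auth user, password` replaces the clone's auth settings outright; note also that net-ldap's auth helper always selects the simple bind method, so the @options[:auth_method] value from the removed block is now silently ignored and should either be honoured or dropped from the driver's configuration. More important, the bind is attempted with whatever `password` arrives: under RFC 4513 a simple bind that supplies a DN with an empty password is an unauthenticated bind, which some directories accept by default, so add `return false if password.nil? || password.empty?` before `if ldap.bind()` so that an empty password can never authenticate a user.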
<div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">$ ruby -v</font></div><div><font face="courier new, monospace">ruby 1.8.7 (2011-06-30 patchlevel 352) [x86_64-linux]</font></div>
<div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">$ dpkg -l |grep ruby-net-ldap</font></div><div><font face="courier new, monospace">ii ruby-net-ldap 0.0.4-1 LDAP client library for Ruby</font></div>
<div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">$ cat /etc/issue</font></div><div><font face="courier new, monospace"> Ubuntu 12.04.2 LTS Server</font></div><div><font face="courier new, monospace"><br>
</font></div><div><font face="courier new, monospace">$ dpkg -l |grep opennebula</font></div><div><font face="courier new, monospace">ii opennebula 4.0.1-1 controller which executes the OpenNebula cluster services</font></div>
<div><font face="courier new, monospace">ii opennebula-common 4.0.1-1 empty package to create OpenNebula users and directories</font></div><div><font face="courier new, monospace">ii opennebula-node 4.0.1-1 empty package to prepare a machine as OpenNebula Node</font></div>
<div><font face="courier new, monospace">ii opennebula-sunstone 4.0.1-1 web interface to which executes the OpenNebula cluster services</font></div><div><font face="courier new, monospace">ii opennebula-tools 4.0.1-1 Command-line tools for OpenNebula Cloud</font></div>
<div><font face="courier new, monospace">ii ruby-opennebula 4.0.1-1 Ruby bindings for OpenNebula Cloud API (OCA)</font></div><div><font face="courier new, monospace"><br></font></div>
<div><br></div></div>