LDAP Authentication 3.2

The LDAP Authentication addon lets users authenticate with the same credentials they have in LDAP, effectively centralizing authentication. Enabling it allows any correctly authenticated LDAP user to use OpenNebula.

Prerequisites

This addon uses the 'net/ldap' Ruby library provided by the 'net-ldap' gem.

This addon does not install or configure an LDAP server, and it will not create, delete or modify any entry in the LDAP server it connects to. The only requirements are the ability to connect to an already running LDAP server and perform a successful ldapbind operation, and a user able to perform searches of users. No special attributes or values are therefore required in the LDIF entry of the user authenticating.

Configuration

The configuration file for the auth module is located at $ONE_LOCATION/etc/auth/ldap_auth.conf. This is the default configuration:

# Ldap user able to query, if not set connects as anonymous
#:user: 'admin'
#:password: 'password'
 
# Ldap authentication method
:auth_method: :simple
 
# Ldap server
:host: localhost
:port: 389
 
# base hierarchy where to search for users and groups
:base: 'dc=domain'
 
# group the users need to belong to. If not set any user will do
:group: 'cn=cloud,ou=groups,dc=domain'
 
# field that holds the user name, if not set 'cn' will be used
:user_field: 'cn'

VARIABLE       DESCRIPTION
:user          Name of the user that can query LDAP. Do not set it if you can perform queries anonymously
:password      Password for the user defined in :user. Do not set if anonymous access is enabled
:auth_method   Can be set to :simple_tls if SSL connection is needed
:host          Host name of the LDAP server
:port          Port of the LDAP server
:base          Base leaf where to perform user searches
:group         If set the users need to belong to this group
:user_field    Field in LDAP that holds the user name
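
An added example (not OpenNebula's own code): a Ruby check that reads an ldap_auth.conf in the format above and reports settings that weaken authentication, treating anything other than :simple_tls as an unencrypted bind because that is the only SSL option the table lists. The function names, the sample host ldap.example.org and the fallback to the default file's values for absent keys are assumptions of this example.

```ruby
require 'yaml'

# Constructed sample: the page's default file with a remote host, the query
# user enabled and the :group restriction left commented out.
SAMPLE_CONF = <<~CONF
  :user: 'admin'
  :password: 'password'
  :auth_method: :simple
  :host: ldap.example.org
  :port: 389
  :base: 'dc=domain'
  #:group: 'cn=cloud,ou=groups,dc=domain'
  :user_field: 'cn'
CONF

LOOPBACK_HOSTS = %w[localhost 127.0.0.1 ::1].freeze

# Audits the text of an ldap_auth.conf and returns [key, message] findings.
# Assumption: absent keys behave like the values in the page's default file.
def audit_ldap_auth_conf(text)
  conf = YAML.safe_load(text, permitted_classes: [Symbol]) || {}
  host = conf.fetch(:host, 'localhost').to_s
  auth_method = conf.fetch(:auth_method, :simple).to_s.to_sym
  findings = []

  # A simple bind without TLS sends the bind password unencrypted.
  if auth_method != :simple_tls && !LOOPBACK_HOSTS.include?(host)
    findings << [:auth_method, "binds to #{host} are unencrypted; set :simple_tls"]
  end

  # Without :group, any LDAP user who can bind is accepted by OpenNebula.
  if conf[:group].to_s.strip.empty?
    findings << [:group, 'no group restriction; any LDAP user will do']
  end

  # A DN sent with an empty password is an unauthenticated bind (RFC 4513, 5.1.2).
  if conf.key?(:user) && conf[:password].to_s.empty?
    findings << [:password, ':user is set but :password is empty']
  end
  findings
end

# True when group or others can read the file that stores :password.
def readable_by_others?(path)
  (File.stat(path).mode & 0o044) != 0
end

audit_ldap_auth_conf(SAMPLE_CONF).each { |key, msg| puts "#{key}: #{msg}" }
```

The page's default file (localhost, :group set, no query user) produces no findings; the constructed sample is flagged for :auth_method and :group.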

To enable LDAP authentication, configure the parameters described above. OpenNebula must also be configured to enable external authentication: uncomment these lines in $ONE_LOCATION/etc/oned.conf and add ldap and default (more on this later) as enabled authentication methods.

AUTH_MAD = [
executable = "one_auth_mad",
arguments = "--authz quota --authn server_cipher,ldap,default"
]

To use this driver for users that are not yet in the user database, you must set it as the default driver. To do this, go to the auth drivers directory and symlink the directory ldap to default. In a system-wide installation you can do this with the following command:

$ ln -s /var/lib/one/remotes/auth/ldap /var/lib/one/remotes/auth/default

User Management

With the LDAP authentication module the administrator does not need to create users with the oneuser command, as this is done automatically. Users should add their credentials to the $ONE_AUTH file (usually $HOME/.one/one_auth) in this fashion:

user_dn_or_username:user_password
