LDAP Authentication addon permits users to have the same credentials as in LDAP, so effectively centralizing authentication

let any correctly authenticated LDAP user to use OpenNebula

1,prerequistries

Addon requires the 'net/ldap' ruby library provided by the 'net-ldap' gem

Addon will not install any Ldap server or configure it in any way. It will not create, delete or modify any entry in the Ldap server it connects to. The only requirement is the ability to connect to an already running Ldap server and being able to perform a successful ldapbind operation and have a user able to perform searches of users, therefore no special attributes or values are required in the LDIF entry of the user authenticating.

2,Considerations & Limitations

Transport Layer Security(TLS) as on so做ssl for apache httpd https

LDAP auth driver has a bug that does not let it connect to TLS LDAP instances

3,configuration

Configuration file for auth module is located at /etc/one/auth/ldap_auth.conf. This is the default configuration

:user_field Field in ldap that holds the user name

To enable ldap authentication the described parameters should be configured. OpenNebula must be also configured to enable external authentication. Uncomment these lines in /etc/one/oned.conf and add ldap and default (more on this later) as an enabled authentication method.

AUTH_MAD = [

    executable = "one_auth_mad",

    authn = "ssh,x509,ldap,server_cipher,server_x509"

]

To be able to use this driver for users that are still not in the user database you must set it to the default driver. To do this go to the auth drivers directory and copy the directory ldap to default. In system-wide installations you can do this using this command:

$ cp -R /var/lib/one/remotes/auth/ldap /var/lib/one/remotes/auth/default

User Management

Using LDAP authentication module the administrator doesn't need to create users with oneuser command as this will be automatically done. The user should add its credentials to $ONE_AUTH file (usually $HOME/.one/one_auth) in this fashion:

<user_dn>:ldap_password

where

  • <user_dn> the DN of the user in the LDAP service
  • ldap_password is the password of the user in the LDAP service

DN's With Special Characters

When the user dn or password contains blank spaces the LDAP driver will escape them so they can be used to create OpenNebula users. Therefore, users needs to set up their $ONE_AUTH file accordingly.

Users can easily create escaped $ONE_AUTH tokens with the command oneuser encode <user> [<password>], as an example:

$ oneuser encode 'cn=First Name,dc=institution,dc=country' 'pass word'

cn=First%20Name,dc=institution,dc=country:pass%20word

The output of this command should be put in the $ONE_AUTH file.

Active Directory

LDAP Auth drivers are able to connect to Active Directory. You will need:

  • Active Directory server with support for simple user/password authentication.
  • User with read permissions in the Active Directory user's tree.

You will need to change the following values in the configuration file (/etc/one/auth/ldap_auth.conf):

  • :user: the Active Directory user with read permissions in the user's tree plus the domain. For example for user Administrator at domain win.opennebula.org you specify it as Administrator@win.opennebula.org
  • :password: password of this user
  • :host: hostname or IP of the Domain Controller
  • :base: base DN to search for users. You need to decompose the full domain name and use each part as DN component. Example, for win.opennebula.org you will get te base DN: DN=win,DN=opennebula,DN=org
  • :user_field: set it to sAMAccountName

:group parameter is still not supported for Active Directory, leave it commented.

Enabling LDAP auth in Sunstone

Update the /etc/one/sunstone-server.conf :auth parameter to use the opennebula:

    :auth: opennebula

Using this method the credentials provided in the login screen will be sent to the OpenNebula core and the authentication will be delegated to the OpenNebula auth system, using the specified driver for that user. Therefore any OpenNebula auth driver can be used through this method to authenticate the user (i.e: LDAP).

To automatically encode credentials as explained in DN's with special characters section also add this parameter to sunstone configuration:

    :encode_user_password: true

opennebula extend(expending) auth module ldap的更多相关文章

  1. opennebula auth module ldap

    1,安装net-ldap  addon ruby library for openldap

  2. net-ldap for ruby openNebula ldap

    preface:ldap 主要概念及术语 OpenNebula issues:missing step to use LDAP as default driver cp -r /var/lib/one ...

  3. OpenNebula openldap集成

    Preface: 当前写这篇post的心情可谓是即激动,又操蛋!............................ ruiy还是言归正传,人老了,赖的扯淡了,哥当前一心看向Tech(s),做个顾 ...

  4. LDAP Authentication for openNebula3.2

    LDAP Authentication 3.2 The LDAP Authentication addon permits users to have the same credentials as ...

  5. LDAP落地实战(二):SVN集成OpenLDAP认证

    上一篇文章我们介绍了LDAP的部署以及管理维护,那么如何接入LDAP实现账号统一认证呢?这篇文章将带你完成svn的接入验证 subversion集成OpenLDAP认证 系统环境:debian8.4 ...

  6. Ruby中实现module继承

    module FooModule  def self.included base    base.extend ClassMethods  end module ClassMethods    def ...

  7. javax.security.auth.login.LoginException: Error during resolve 异常

    登陆TIM时本地抛此异常,测试环境正常 需要重启测试环境机器以后,本地才可以登陆成功 求大神帮忙解决: INFO: Client code attempting to load security co ...

  8. Mantis集成 LDAP 认证

    mantis的用户认证函数Authentication中相关有 $g_login_method MD5 LDAP PLAIN CRYPT CRYPT_FULL_SALT BASIC_AUTH Some ...

  9. ruby中的extend 和 include

    include include是把module中定义的instance_method给mixin,然后当做类的实例方法使用(是因为module本身不能使用module的实例方法),给类进行实例化一个对 ...

随机推荐

  1. UVa230 Borrowers (STL)

     Borrowers  I mean your borrowers of books - those mutilators of collections, spoilers of the symmet ...

  2. swift笔记06

    for in循环 for 被乘数 in 1...5{ println("\(被乘数) 乘以 5 等于 \( 被乘数 * 5)"); } let  女神们 = ["小林&q ...

  3. Mybatis.net与MVC入门配置及联合查询动态SQL拼接和简单事务

    第一次学习Mybatis.net,在博客园也找到好多资料,但是在配置成功之后也遇到了一些问题,尤其是在动态SQl拼接时候,这里把遇到的问题还有自己写的一个Demo贴出来,希望能帮到新手,有不适合的地方 ...

  4. android 手势滑动

    1.概述, 两次都是画曲线统计图用到手势滑动.左滑动,右滑动曲线图翻页 2.直接上代码 3.注: 第一次使用的时候是implement了 OnTouchListener 接口,是在画图布局上layou ...

  5. OpenStack core components CLI快速调用API

    1,openStack core components CLI 使用自身参数执行;

  6. optics matlab实现

    关于optics算法的一些基本概念,在此一一忽略. 先求得所有节点的核心距离,用cd矩阵表示: 然后对每个节点进行处理,这个时候不需要考虑该节点是不是核心对象,按顺序取节点,如果该拓展点是核心对象,处 ...

  7. OpenGL研究2.0 计算圆

    OpenGL研究2.0 计算圆 DionysosLai2014-06-18 在游戏中.常常有些地方涉及到一些圆的轨迹计算,例如一些转轴类的游戏,人物一般在角色转轴上面运动.这时,我们就要时刻计算角色的 ...

  8. ajax封装

    /** * ITCAST WEB * Created by zhousg on 2016/5/24. */ /* * 1. 请求的类型 type get post * 2. 请求地址 url * 3. ...

  9. CSS文字超出div或者span时显示省略号

    我们常常需要在文本过长时显示,将超出显示成省略号: 思想为: 首先设置宽度,然后让超出的部分隐藏如果有超出则在最后显示省略号让文本不换行 具体css代码为: .title{ width:200px;o ...

  10. Android环境开发搭建

    今天第一次接触安卓,从开发环境的配置到程序的运行,足足搞了一天,也没有整出来. 1.安装JDK 在JDK官网上下载了最新的JDK,安装成功后进行环境的配置.JAVA_HOME:C:\Program F ...