Re: [one-users] Unable to login to Sunstone/OCCI via LDAP (Users Digest, Vol 60, Issue 16)

2013-02-11 Thread Rolandas Naujikas

On 2013-02-11 16:13, Daniel Molina wrote:
> Hi Rolandas,
>
> On 7 February 2013 07:28, Rolandas Naujikas  wrote:
>> We made Opennebula (3.8.3) Self Service portal (OCCI web UI) to work with
>> LDAP authentication by using this patch:
>>
>> sed -i 's/CryptoJS.SHA1(password)/password/' /(location depends on
>> installation)/occi/ui/public/js/login.js
>>
>> and putting ":auth: occi" to occi-server.conf
>
> If you set :auth: occi, the authentication method will compare the
> password provided by the user and the one stored in OpenNebula
> (OCCICloudAuth.rb) but LDAP will not be used.
>
> Instead you have to set ":auth: opennebula" (OpenNebulaCloudAuth.rb)
> [1] and change the auth driver for that user 'oneuser chauth ...' to
> use LDAP, or set LDAP as default for new users [2]

Yes, I showed the wrong configuration file content from our system. Actually we
are using ":auth: opennebula" (in occi-server.conf) and it works in the
OpenNebula self-service portal with LDAP authentication in our
environment (with the patch in login.js).

Regards, Rolandas Naujikas

> [1] http://opennebula.org/documentation:rel3.8:sunstone#authentication_methods
> [2] http://opennebula.org/documentation:rel3.8:ldap#configuration
>
> Cheers
>
>> That is because OCCI transfers SHA1 hashed password to occi-server and it
>> could not do LDAP bind with it (except if your LDAP contains clear text
>> passwords or SHA1 hash). With this patch clear password is transported to
>> occi-server and it could do LDAP bind against LDAP users.




___
Users mailing list
Users@lists.opennebula.org
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org


Re: [one-users] Unable to login to Sunstone/OCCI via LDAP (Users Digest, Vol 60, Issue 16)

2013-02-11 Thread Daniel Molina
Hi Rolandas,

On 7 February 2013 07:28, Rolandas Naujikas  wrote:
> We made Opennebula (3.8.3) Self Service portal (OCCI web UI) to work with
> LDAP authentication by using this patch:
>
> sed -i 's/CryptoJS.SHA1(password)/password/' /(location depends on
> installation)/occi/ui/public/js/login.js
>
> and putting ":auth: occi" to occi-server.conf
>

If you set :auth: occi, the authentication method will compare the
password provided by the user and the one stored in OpenNebula
(OCCICloudAuth.rb) but LDAP will not be used.

Instead you have to set ":auth: opennebula" (OpenNebulaCloudAuth.rb)
[1] and change the auth driver for that user 'oneuser chauth ...' to
use LDAP, or set LDAP as default for new users [2]

[1] http://opennebula.org/documentation:rel3.8:sunstone#authentication_methods
[2] http://opennebula.org/documentation:rel3.8:ldap#configuration

Cheers

> That is because OCCI transfers SHA1 hashed password to occi-server and it
> could not do LDAP bind with it (except if your LDAP contains clear text
> passwords or SHA1 hash). With this patch clear password is transported to
> occi-server and it could do LDAP bind against LDAP users.

-- 
Daniel Molina
Project Engineer
OpenNebula - The Open Source Solution for Data Center Virtualization
www.OpenNebula.org | dmol...@opennebula.org | @OpenNebula


Re: [one-users] Unable to login to Sunstone/OCCI via LDAP (Users Digest, Vol 60, Issue 16)

2013-02-07 Thread Vassilis Vatikiotis
Thanks Rolandas and Daniel for your answers. Both were really useful.

On Thu, Feb 7, 2013 at 8:28 AM, Rolandas Naujikas
 wrote:
> Hi,
>
> We made Opennebula (3.8.3) Self Service portal (OCCI web UI) to work with
> LDAP authentication by using this patch:
>
> sed -i 's/CryptoJS.SHA1(password)/password/' /(location depends on
> installation)/occi/ui/public/js/login.js
>
> and putting ":auth: occi" to occi-server.conf
>
> That is because OCCI transfers SHA1 hashed password to occi-server and it
> could not do LDAP bind with it (except if your LDAP contains clear text
> passwords or SHA1 hash). With this patch clear password is transported to
> occi-server and it could do LDAP bind against LDAP users.
>
> Regards, Rolandas Naujikas
>
> P.S. We are using https reverse proxy also.
>
> On 2013-02-06 15:15, Vassilis Vatikiotis wrote:
>>
>> Hello all,
>>
>> I'm trying to enable the LDAP auth method so my users can login to
>> OCCI web UI and although I've followed the steps from the docs in ONE
>> site so far I haven't managed it.
>>
>> The /etc/one/oned.conf AUTH_MAD section is:
>> AUTH_MAD = [
>>  executable = "one_auth_mad",
>>  authn = "ssh,x509,ldap,default,server_cipher,server_x509"
>> ]
>>
>> The /etc/one/auth/ldap_auth.conf is:
>> server 1:
>>  :user: 'cn=xxx,ou=,dc=xxx,dc=xxx,dc=xxx'
>>  :password: ''
>>  :auth_method: :simple
>>  :host: 'ldap.xxx.xxx.xxx'
>>  :port: 389
>>  :base: 'ou=xxx,dc=xxx,dc=xxx,dc=xxx'
>>  :user_field: 'uid'
>>
>> :order:
>>  - server 1
>>
>> The above ldap setting work as I've tested them inside irb, using the
>> ruby class defined in /etc/lib/one/ruby/ldap_auth.rb. I can search my
>> LDAP database and get results
>>
>> I've also copied the ldap directory to a default one, like,
>> $ cp -R /var/lib/one/remotes/auth/ldap /var/lib/one/remotes/auth/default
>>
>> What puzzles me is that whenever I try to login to OCCI (or sunstone)
>> I cannot see any auth related queries in /var/log/one/oned.log. It's
>> as if the ldap and default settings in authn of AUTH_MAD are completely
>> ignored. At the same time, no queries are performed in the LDAP
>> backend.
>>
>> I haven't done the last step where a $HOME/.one/one_auth file
>> containing a user_dn:password
>> entry because I'm unsure of what it means.
>>
>> Any ideas?
>>
>>
>>
>>
>


Re: [one-users] Unable to login to Sunstone/OCCI via LDAP (Users Digest, Vol 60, Issue 16)

2013-02-06 Thread Rolandas Naujikas

Hi,

We made Opennebula (3.8.3) Self Service portal (OCCI web UI) to work 
with LDAP authentication by using this patch:


sed -i 's/CryptoJS.SHA1(password)/password/' /(location depends on
installation)/occi/ui/public/js/login.js


and putting ":auth: occi" to occi-server.conf

That is because OCCI transfers SHA1 hashed password to occi-server and 
it could not do LDAP bind with it (except if your LDAP contains clear
text passwords or SHA1 hash). With this patch clear password is
transported to occi-server and it could do LDAP bind against LDAP users.


Regards, Rolandas Naujikas

P.S. We are using https reverse proxy also.

On 2013-02-06 15:15, Vassilis Vatikiotis wrote:
> Hello all,
>
> I'm trying to enable the LDAP auth method so my users can login to
> OCCI web UI and although I've followed the steps from the docs in ONE
> site so far I haven't managed it.
>
> The /etc/one/oned.conf AUTH_MAD section is:
> AUTH_MAD = [
>  executable = "one_auth_mad",
>  authn = "ssh,x509,ldap,default,server_cipher,server_x509"
> ]
>
> The /etc/one/auth/ldap_auth.conf is:
> server 1:
>  :user: 'cn=xxx,ou=,dc=xxx,dc=xxx,dc=xxx'
>  :password: ''
>  :auth_method: :simple
>  :host: 'ldap.xxx.xxx.xxx'
>  :port: 389
>  :base: 'ou=xxx,dc=xxx,dc=xxx,dc=xxx'
>  :user_field: 'uid'
>
> :order:
>  - server 1
>
> The above ldap setting work as I've tested them inside irb, using the
> ruby class defined in /etc/lib/one/ruby/ldap_auth.rb. I can search my
> LDAP database and get results
>
> I've also copied the ldap directory to a default one, like,
> $ cp -R /var/lib/one/remotes/auth/ldap /var/lib/one/remotes/auth/default
>
> What puzzles me is that whenever I try to login to OCCI (or sunstone)
> I cannot see any auth related queries in /var/log/one/oned.log. It's
> as if the ldap and default settings in authn of AUTH_MAD are completely
> ignored. At the same time, no queries are performed in the LDAP
> backend.
>
> I haven't done the last step where a $HOME/.one/one_auth file
> containing a user_dn:password
> entry because I'm unsure of what it means.
>
> Any ideas?

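The mechanics discussed in this thread, as an added worked model written for this page (it is not OpenNebula, OCCI or ldap_auth.rb code): a stand-in directory that verifies a simple bind by re-hashing the password the client supplies, the search-then-bind flow driven by a ldap_auth.conf of the shape Vassilis posted, the two `:auth:` settings from occi-server.conf that Daniel contrasts, and the token the OCCI login page sends before and after Rolandas's sed patch on login.js. Every DN, user name, password and the `LDAP_CONF` values are made up. The core password store is modelled as a SHA1 hex digest; that is an assumption about what the unpatched `CryptoJS.SHA1(password)` token is compared against, so check your own `:auth:` handler before relying on it.

```ruby
# Added illustration for this page, not OpenNebula code. Models why the SHA1
# that login.js computes in the browser can match OpenNebula's own password
# store but can never complete an LDAP simple bind. All values are made up.
require 'digest/sha1'
require 'yaml'
require 'base64'
require 'securerandom'

# Stand-in directory. Passwords are kept as {SSHA} the way OpenLDAP does it:
# a bind re-hashes the clear text the client supplies and compares, so the
# server needs the real password, not a digest of it.
class FakeDirectory
  Entry = Struct.new(:dn, :attrs)

  def initialize
    @entries = {}
  end

  def add(dn, attrs, password)
    salt = SecureRandom.random_bytes(4)
    digest = Digest::SHA1.digest(password.b + salt)
    stored = '{SSHA}' + Base64.strict_encode64(digest + salt)
    @entries[dn] = Entry.new(dn, attrs.merge('userPassword' => stored))
  end

  # Simple bind: true only when the clear-text password matches the entry.
  def bind(dn, password)
    return false unless (e = @entries[dn])
    blob = Base64.decode64(e.attrs['userPassword'].sub('{SSHA}', ''))
    digest, salt = blob[0, 20], blob[20..-1]
    Digest::SHA1.digest(password.b + salt) == digest
  end

  # Equality search under a base, e.g. (uid=jdoe) below ou=people,...
  def search(base, attr, value)
    @entries.values.select { |e| e.dn.end_with?(base) && e.attrs[attr] == value }
  end
end

# ldap_auth.conf in the shape from the thread (made-up values). The flow is
# the usual one: bind as the service account, search :user_field under :base
# for the login name, then bind as the DN that was found.
LDAP_CONF = YAML.load(<<~YAML)
  server 1:
    :user: 'cn=svc,ou=system,dc=example,dc=org'
    :password: 'svc-secret'
    :auth_method: :simple
    :base: 'ou=people,dc=example,dc=org'
    :user_field: 'uid'
  :order:
    - server 1
YAML

def ldap_login(dir, conf, username, password)
  conf[:order].each do |name|
    s = conf[name]
    next unless dir.bind(s[:user], s[:password])
    found = dir.search(s[:base], s[:user_field], username)
    next unless found.size == 1
    return true if dir.bind(found.first.dn, password)
  end
  false
end

# What the OCCI UI puts on the wire: CryptoJS.SHA1(password) as hex before
# the sed patch, the password itself after it.
def browser_token(password, patched:)
  patched ? password : Digest::SHA1.hexdigest(password)
end

# ':auth: occi' compares the token with what OpenNebula stores for the user.
# Assumption of this model: core users are stored as SHA1 hex, the only shape
# the unpatched browser token could match. LDAP is never consulted here.
CORE_USERS = { 'alice' => Digest::SHA1.hexdigest('alice-pass') }

def occi_auth(username, token)
  CORE_USERS[username] == token
end

# ':auth: opennebula' hands the token to the core, which dispatches on the
# user's auth driver (set with `oneuser chauth`, or the default for new users).
USER_DRIVER = { 'alice' => 'core', 'jdoe' => 'ldap' }

def opennebula_auth(dir, username, token)
  case USER_DRIVER[username]
  when 'core' then occi_auth(username, token)
  when 'ldap' then ldap_login(dir, LDAP_CONF, username, token)
  else false
  end
end

# The logins from the thread, before and after the patch.
def demo
  dir = FakeDirectory.new
  dir.add('cn=svc,ou=system,dc=example,dc=org', { 'cn' => 'svc' }, 'svc-secret')
  dir.add('uid=jdoe,ou=people,dc=example,dc=org', { 'uid' => 'jdoe' }, 'jdoe-pass')
  { unpatched: false, patched: true }.map do |label, patched|
    alice = browser_token('alice-pass', patched: patched)
    jdoe = browser_token('jdoe-pass', patched: patched)
    [label, { occi_core_alice: occi_auth('alice', alice),
              occi_ldap_jdoe: occi_auth('jdoe', jdoe),
              one_ldap_jdoe: opennebula_auth(dir, 'jdoe', jdoe) }]
  end.to_h
end
```

Running `demo` shows the point of the thread: the unpatched token fails the LDAP bind no matter what the directory stores, because the bind re-hashes whatever the client sends, while the clear password succeeds. The same result table shows why the sed patch is a blunt instrument: it changes what every login sends, including for users that are not in LDAP, so whatever compares the token on the server side has to expect the new shape. Rolandas's note that they sit behind an HTTPS reverse proxy is the other half of the change: once the browser sends the clear password, transport protection is the only thing keeping it off the network.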