Hi,

I'm pretty new to OpenNebula and had some trouble getting LDAP integration
to work. I made the following changes to ldap_auth.rb and am now up and
running. Am I missing something, or does this need a bug (or several bugs)?
I am not very experienced with ruby, but hacked my way through it.

1) Multi-line ldap.search() statements resulted in syntax errors. Reducing
them to a single line fixed it.

2) Our LDAP server keeps group members like this:

    member: uid=jryan,ou=People,dc=awesome,dc=com

which didn't work as a filter in the group matching section, even when the
whole search() was on one line. I used a Net::LDAP::Filter object with the
same filter string, and it worked.

3) The cloning of the initial Net::LDAP object to test the user's
credentials resulted in the script binding as the user who did the initial
search, which of course was able to bind. This meant that no matter what
password the user passed in, as long as they were in the LDAP directory and
in the group specified, their user was created in ONE and they could
repeatedly log in -- security hole!!!!

I wiped out the auth info from the cloned ldap object and replaced it with
the user's credentials.
root@ops-vm-opennebula:/usr/lib/one/ruby/opennebula# diff ldap_auth.rb{,.new} -u
--- ldap_auth.rb 2013-05-17 10:57:50.000000000 -0700
+++ ldap_auth.rb.new 2013-06-28 18:24:28.305292002 -0700
@@ -52,9 +52,7 @@
def find_user(name)
begin
- [email protected](
- :base => @options[:base],
- :filter => "#{@options[:user_field]}=#{name}")
+ [email protected]( :base => @options[:base], :filter =>
"#{@options[:user_field]}=#{name}")
if result && result.first
[result.first.dn,
result.first[@options[:user_group_field]]]
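Review bot: find_user still interpolates the login name straight into the filter string (`"#{@options[:user_field]}=#{name}"`), so the same problem this patch fixes in is_in_group? applies here: any `=`, `,`, `(`, `)` or `*` in the value goes through the string filter parser unescaped, and the value comes from the person logging in. Build it with `Net::LDAP::Filter.eq(@options[:user_field], name)` instead, as the second hunk does for the group check. Separately, the long `+` line has been wrapped by the mail client (the continuation `"#{@options[:user_field]}=#{name}")` carries no `+`), so the patch will not apply as posted.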
@@ -73,9 +71,8 @@
end
def is_in_group?(user, group)
- [email protected](
- :base => group,
- :filter => "(#{@options[:group_field]}=#{user.first})")
+ filter = Net::LDAP::Filter.eq(@options[:group_field],user.first)
+ [email protected]( :base => group, :filter => filter )
if result && result.first
true
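Review bot: this is the right fix, and the reason it works is worth a one-line comment in the code: `Net::LDAP::Filter.eq` hands the attribute and value to the search as a pair rather than through the string filter parser, so the `=` and `,` inside a member DN such as `uid=jryan,ou=People,dc=awesome,dc=com` no longer have to be escaped. Without the comment the old string form looks equivalent and is likely to be reintroduced.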
@@ -87,13 +84,10 @@
def authenticate(user, password)
[email protected]
- auth={
- :method => @options[:auth_method],
- :username => user,
- :password => password
- }
+ ldap.auth nil,nil
+ ldap.auth user, password
- if ldap.bind(auth)
+ if ldap.bind()
true
else
false
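Review bot: `ldap.auth user, password` fixes the method to simple bind and drops `@options[:auth_method]`, which the removed hash honoured, so a deployment configured with a different method silently changes behaviour; keep the configured method when setting the credentials. Also add a check for a nil or empty password before `ldap.bind()`: with simple bind an empty password is an unauthenticated bind (RFC 4513 section 5.1.2), which many directories accept, so unless the library rejects it `authenticate(user, "")` would return true for any existing user and reopen the hole this patch closes. Finally, `ldap.auth nil,nil` is redundant, since the following `ldap.auth user, password` replaces the stored credentials wholesale.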
$ ruby -v
ruby 1.8.7 (2011-06-30 patchlevel 352) [x86_64-linux]
$ dpkg -l |grep ruby-net-ldap
ii ruby-net-ldap 0.0.4-1 LDAP
client library for Ruby
$ cat /etc/issue
Ubuntu 12.04.2 LTS Server
$ dpkg -l |grep opennebula
ii opennebula 4.0.1-1
controller which executes the OpenNebula cluster services
ii opennebula-common 4.0.1-1 empty
package to create OpenNebula users and directories
ii opennebula-node 4.0.1-1 empty
package to prepare a machine as OpenNebula Node
ii opennebula-sunstone 4.0.1-1 web
interface to which executes the OpenNebula cluster services
ii opennebula-tools 4.0.1-1
Command-line tools for OpenNebula Cloud
ii ruby-opennebula 4.0.1-1 Ruby
bindings for OpenNebula Cloud API (OCA)
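As an added example (not code from the post or from OpenNebula's ldap_auth.rb), the cloned-connection bug from point 3 and a hardened authenticate() side by side. StubLdap is a constructed stand-in for the parts of Net::LDAP the post uses (auth, bind and the shallow copy made by clone), and the directory entries and the `uid=search` service-account DN are made up.

```ruby
# StubLdap is a constructed stand-in for Net::LDAP: it models only auth(),
# bind() and the shallow copy made by Object#clone. It is not the real client.
class StubLdap
  # Constructed in-memory directory (DN => password); no real server involved.
  DIRECTORY = {
    "uid=search,ou=People,dc=awesome,dc=com" => "search-secret",
    "uid=jryan,ou=People,dc=awesome,dc=com"  => "jryan-pass",
  }

  def initialize(username, password)
    auth(username, password)
  end

  # Like Net::LDAP#auth: replaces the stored simple-bind credentials wholesale.
  def auth(username, password)
    @auth = { :method => :simple, :username => username, :password => password }
  end

  # Like Net::LDAP#bind with no argument: binds with whatever @auth holds.
  # An empty password is an unauthenticated bind (RFC 4513 section 5.1.2),
  # which many directories accept, so the model lets it succeed.
  def bind
    user, psw = @auth[:username], @auth[:password]
    return false unless DIRECTORY.key?(user)
    return false unless psw.to_s.empty? || DIRECTORY[user] == psw
    true
  end
end

# The arrangement from the post: one connection bound as a service account for
# searching, and a clone of it reused to verify the end user's password.
SEARCH_LDAP = StubLdap.new("uid=search,ou=People,dc=awesome,dc=com", "search-secret")

# Vulnerable shape: Object#clone copies @auth, so a bare bind on the clone
# re-authenticates the service account and the user's password is never used.
def authenticate_vulnerable(user_dn, password)
  ldap = SEARCH_LDAP.clone
  ldap.bind
end

# Hardened shape: refuse blank passwords (otherwise an unauthenticated bind
# looks like success), then replace the clone's credentials with the user's.
def authenticate_fixed(user_dn, password)
  return false if password.nil? || password.empty?
  ldap = SEARCH_LDAP.clone
  ldap.auth(user_dn, password)
  ldap.bind
end
```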
_______________________________________________
Users mailing list
[email protected]
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org