I have to test this in more depth with the versions you have. For us it is working properly and does not let a user with a wrong password log in. I'll come back to you as soon as I find what could be happening.
On Sat, Jun 29, 2013 at 3:33 AM, Justin Ryan <justin.r...@kixeye.com> wrote: > > Hi, > > I'm pretty new to OpenNebula and had some trouble getting LDAP integration > to work. I made the following changes to ldap_auth.rb and am now up and > running. Am I missing something, or does this need a bug (or several bugs)? > I am not very experienced with ruby, but hacked my way through it. > > 1) multi-line ldap.search() statements resulted in syntax errors. Reducing > them to a single line fixed it > > 2) Our LDAP server keeps group members like this: > > member: uid=jryan,ou=People,dc=awesome,dc=com > > which didn't work as a filter in the group matching section, even when the > whole search() was on one line. I used a Net::LDAP::Filter object with the > same filter string, and it worked. > > 3) The cloning of the initial Net::LDAP object to test the user's > credentials resulted in the script binding as the user who did the initial > search, which of course was able to bind. This meant that no matter what > password the user passed in, as long as they were in the LDAP directory and > in the group specified, their user was created in ONE and they could > repeatedly log in -- security hole!!!! > > I wiped out the auth info from the cloned ldap object and replaced it with > the user's credentials. > > root@ops-vm-opennebula:/usr/lib/one/ruby/opennebula# diff > ldap_auth.rb{,.new} -u > --- ldap_auth.rb 2013-05-17 10:57:50.000000000 -0700 > +++ ldap_auth.rb.new 2013-06-28 18:24:28.305292002 -0700 > @@ -52,9 +52,7 @@ > > def find_user(name) > begin > - result=@ldap.search( > - :base => @options[:base], > - :filter => "#{@options[:user_field]}=#{name}") > + result=@ldap.search( :base => @options[:base], :filter => > "#{@options[:user_field]}=#{name}") > > if result && result.first > [result.first.dn, > result.first[@options[:user_group_field]]] 
> @@ -73,9 +71,8 @@ > end > > def is_in_group?(user, group) > - result=@ldap.search( > - :base => group, > - :filter => "(#{@options[:group_field]}=#{user.first})") > + filter = Net::LDAP::Filter.eq(@options[:group_field],user.first) > + result=@ldap.search( :base => group, :filter => filter ) > > if result && result.first > true > @@ -87,13 +84,10 @@ > def authenticate(user, password) > ldap=@ldap.clone > > - auth={ > - :method => @options[:auth_method], > - :username => user, > - :password => password > - } > + ldap.auth nil,nil > + ldap.auth user, password > > - if ldap.bind(auth) > + if ldap.bind() > true > else > false > > > $ ruby -v > ruby 1.8.7 (2011-06-30 patchlevel 352) [x86_64-linux] > > $ dpkg -l |grep ruby-net-ldap > ii ruby-net-ldap 0.0.4-1 LDAP > client library for Ruby > > $ cat /etc/issue > Ubuntu 12.04.2 LTS Server > > $ dpkg -l |grep opennebula > ii opennebula 4.0.1-1 > controller which executes the OpenNebula cluster services > ii opennebula-common 4.0.1-1 empty > package to create OpenNebula users and directories > ii opennebula-node 4.0.1-1 empty > package to prepare a machine as OpenNebula Node > ii opennebula-sunstone 4.0.1-1 web > interface to which executes the OpenNebula cluster services > ii opennebula-tools 4.0.1-1 > Command-line tools for OpenNebula Cloud > ii ruby-opennebula 4.0.1-1 Ruby > bindings for OpenNebula Cloud API (OCA) > > > > _______________________________________________ > Users mailing list > Users@lists.opennebula.org > http://lists.opennebula.org/listinfo.cgi/users-opennebula.org > -- Join us at OpenNebulaConf2013 in Berlin from the 24th to the 26th of September 2013! Javier Fontán Muiños Project Engineer OpenNebula - The Open Source Toolkit for Data Center Virtualization www.OpenNebula.org | jfon...@opennebula.org | @OpenNebula _______________________________________________ Users mailing list Users@lists.opennebula.org http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
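Review bot: the `find_user` hunk still interpolates the login name straight into the filter string (`:filter => "#{@options[:user_field]}=#{name}"`), so a name containing filter metacharacters (`*`, `(`, `)`, `\`) changes the query the directory evaluates; the value should be escaped per RFC 4515 before it goes into the filter, or the filter built with `Net::LDAP::Filter` objects as the next hunk does for the group lookup. Joining the call onto one line is semantically identical Ruby, so if the multi-line form really raised a syntax error the actual cause is worth pinning down rather than worked around.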
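Review bot: in the `is_in_group?` hunk the search under `:base => group` runs with net-ldap's default whole-subtree scope, but `group` is the group entry's own DN, so the membership check should be limited to that entry with `:scope => Net::LDAP::SearchScope_BaseObject` rather than matching any entry beneath it. Building the filter with `Net::LDAP::Filter.eq(@options[:group_field], user.first)` is the right direction; `user.first` is the DN returned by the directory itself, not client input, so it is safe to use there.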
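Review bot: the `authenticate` hunk never checks that `password` is non-empty before calling `ldap.bind()`; a simple bind with a DN and an empty password is an unauthenticated bind (RFC 4513 section 5.1.2) that many directories answer with success, which would reopen the same hole this change closes, so add `return false if password.nil? || password.empty?` ahead of the bind. The `ldap.auth nil,nil` line is redundant, since `ldap.auth user, password` replaces the clone's credentials outright, and the rewrite drops `@options[:auth_method]`, so the bind is now always a simple bind whatever the configuration says. The `if ldap.bind() ... true else false` block can also be just `ldap.bind ? true : false`.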
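The two defensive points raised in the thread, a user lookup filter that escapes the login name instead of interpolating it, and an `authenticate` that refuses empty credentials before a simple bind, as an added Ruby example. This is not code from OpenNebula's `ldap_auth.rb` or from the net-ldap gem: the function names, `FakeLdap` and `DEMO_DN` are constructed for the example, and the client object is only assumed to offer `auth(dn, password)` and `bind`, the same two calls the patch makes on its cloned `Net::LDAP` object.

```ruby
# Added example, not code from OpenNebula's ldap_auth.rb or the net-ldap gem.
# It shows two defensive pieces the thread touches on: building the user
# lookup filter with RFC 4515 escaping instead of string interpolation, and
# refusing empty credentials before a simple bind. The LDAP client is passed
# in and only needs auth(dn, password) and bind, the calls Net::LDAP exposes;
# FakeLdap below is a constructed stand-in so the file runs offline.

# RFC 4515 section 3: escape the characters that carry meaning in a filter
# assertion value (backslash, star, parentheses, NUL) as \XX hex sequences.
def escape_filter_value(value)
  value.to_s.gsub(/[\\*()\0]/) { |c| '\\' + c.ord.to_s(16).rjust(2, '0') }
end

# Equivalent of the find_user filter, with the user-supplied name escaped so
# a login name containing "*" or parentheses cannot widen the search.
def user_filter(user_field, name)
  "(#{user_field}=#{escape_filter_value(name)})"
end

# A simple bind with a DN and an empty password is an "unauthenticated bind"
# (RFC 4513 section 5.1.2) that many directories accept, so the password is
# checked before the server is asked. auth() replaces, rather than merges,
# whatever credentials the (cloned) client object carried before.
def authenticate(client, dn, password)
  return false if dn.nil? || dn.empty?
  return false if password.nil? || password.empty?
  client.auth(dn, password)
  client.bind ? true : false
end

# Constructed in-memory stand-in for Net::LDAP. It behaves like a server that
# grants unauthenticated binds, which is exactly the case the guard catches.
class FakeLdap
  def initialize(passwords)
    @passwords = passwords  # dn => password, constructed test data
    @dn = nil
    @password = nil
  end

  def auth(dn, password)
    @dn = dn
    @password = password
  end

  def bind
    return true if @password.nil? || @password.empty?  # unauthenticated bind
    @passwords[@dn] == @password
  end
end

# Constructed directory entry used by the checks below.
DEMO_DN = 'uid=jryan,ou=People,dc=example,dc=com'

def demo_directory
  FakeLdap.new(DEMO_DN => 'correct-password')
end

if __FILE__ == $0
  puts user_filter('uid', 'j*ryan')                                # (uid=j\2aryan)
  puts authenticate(demo_directory, DEMO_DN, 'correct-password')   # true
  puts authenticate(demo_directory, DEMO_DN, 'wrong')              # false
  puts authenticate(demo_directory, DEMO_DN, '')                   # false
end
```

The stand-in deliberately returns `true` for an empty password when `bind` is called directly, so the last `authenticate` call only comes back `false` because of the guard in front of the bind; against a real directory that is the difference between the hole Justin describes and a closed one.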