Re: [one-users] User within LDAP group authentication

Wed, 08 Oct 2014 03:42:41 -0700 


On 10/08/2014 12:32 PM, Manuel Alfonso López Rourich wrote:

Good morning,

I'd like to ask you about an issue with user authentication in SunStone:

I've configured SunStone so that new users from an OpenLDAP directory
can log in (the user is created automatically in OpenNebula). It works
fine but when I configure *:group* in *ldap_auth.conf*, I can't
authenticate new users within a LDAP group. The error that ONE throws is
clear (*"User ulopez is not in group
cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es"*) but I don't know what could
be do so that it works. The documentation about LDAP groups with ONE is
not very clear for me.

The LDAP configuration is:

server 1:
     :auth_method: :simple
     :host: 10.12.0.3
     :port: 389
     :base: 'dc=one,dc=es'

     # group the users need to belong to. If not set any user will do
     :group: 'cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es'

     # field that holds the user name, if not set 'cn' will be used
     :user_field: 'uid'
     # field name for group membership, by default it is 'member'
     :group_field: 'memberUid'

     # user field that that is in in the group group_field, if not set
'dn' will be used
     #user_group_field: 'gidNumber'

The directory entry for the group is the next one:

# extended LDIF
#
# LDAPv3
# base <cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# grupo_nuevo, ou_nueva, one.es <http://one.es>
dn: cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es
gidNumber: 503
cn: grupo_nuevo
objectClass: posixGroup
objectClass: top
memberUid: ulopez

# us_nuevo_lopez, grupo_nuevo, ou_nueva, one.es <http://one.es>
dn: cn=us_nuevo_lopez,cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es
givenName: us_nuevo
gidNumber: 503
homeDirectory: /home/users/ulopez
sn: lopez
loginShell: /bin/sh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1009
uid: ulopez
cn: us_nuevo_lopez

Thank you very much,

Best regards




_______________________________________________
Users mailing list
[email protected]
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org





Currently openebula supports only scheme with "listofmembers" (not sure 
if haven't make a mistake in name) objecClass.


You can use my patch:
https://github.com/cinek810/one/commit/925a124c96018aa8b4b44805aafa76280830a461

to support groups in memberUid format.

cheers,
marcin
_______________________________________________
Users mailing list
[email protected]
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org






















					Reply via email to