On 10/08/2014 12:32 PM, Manuel Alfonso López Rourich wrote:
Good morning,

I'd like to ask you about an issue with user authentication in SunStone: I've configured SunStone so that new users from an OpenLDAP directory can log in (the user is created automatically in OpenNebula). It works fine, but when I configure *:group* in *ldap_auth.conf*, I can't authenticate new users within an LDAP group. The error that ONE throws is clear (*"User ulopez is not in group cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es"*), but I don't know what could be done so that it works. The documentation about LDAP groups with ONE is not very clear to me.

The LDAP configuration is:

    server 1:
        :auth_method: :simple
        :host: 10.12.0.3
        :port: 389
        :base: 'dc=one,dc=es'
        # group the users need to belong to. If not set any user will do
        :group: 'cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es'
        # field that holds the user name, if not set 'cn' will be used
        :user_field: 'uid'
        # field name for group membership, by default it is 'member'
        :group_field: 'memberUid'
        # user field that is in the group group_field, if not set 'dn' will be used
        #user_group_field: 'gidNumber'

The directory entry for the group is the following one:

    # extended LDIF
    #
    # LDAPv3
    # base <cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # grupo_nuevo, ou_nueva, one.es
    dn: cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es
    gidNumber: 503
    cn: grupo_nuevo
    objectClass: posixGroup
    objectClass: top
    memberUid: ulopez

    # us_nuevo_lopez, grupo_nuevo, ou_nueva, one.es
    dn: cn=us_nuevo_lopez,cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es
    givenName: us_nuevo
    gidNumber: 503
    homeDirectory: /home/users/ulopez
    sn: lopez
    loginShell: /bin/sh
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: top
    uidNumber: 1009
    uid: ulopez
    cn: us_nuevo_lopez

Thank you very much,
Best regards

_______________________________________________
Users mailing list
Users@lists.opennebula.org
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
Currently OpenNebula supports only the scheme with the "listofmembers" (not sure if I haven't made a mistake in the name) objectClass.

You can use my patch: https://github.com/cinek810/one/commit/925a124c96018aa8b4b44805aafa76280830a461 to support groups in memberUid format.

cheers,
marcin
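As an added example (not OpenNebula's ldap_auth.rb and not part of either message), the Ruby below models the membership check that the ldap_auth.conf comments describe, run on the group and user entries from the LDIF in the question: the value of :group_field is read from the group entry and compared with the user's :user_group_field value, which is the user's DN when that key is left unset. It makes the reported "not in group" error concrete: memberUid holds "ulopez" while the default comparison carries the full DN. The in-memory hashes standing in for search results, and the helper names, are the example's own assumptions, and it says nothing about which membership schemes the shipped code supports.

```ruby
# Added example, not OpenNebula's ldap_auth.rb: models the group check the
# ldap_auth.conf comments describe, on entries reconstructed from the LDIF
# in the question. Values are arrays, as an LDAP client would return them.
GROUP_DN = 'cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es'

DIRECTORY = {
  GROUP_DN => {
    'objectClass' => %w[posixGroup top],
    'cn'          => ['grupo_nuevo'],
    'gidNumber'   => ['503'],
    'memberUid'   => ['ulopez']
  },
  "cn=us_nuevo_lopez,#{GROUP_DN}" => {
    'objectClass' => %w[inetOrgPerson posixAccount top],
    'uid'         => ['ulopez'],
    'cn'          => ['us_nuevo_lopez'],
    'gidNumber'   => ['503'],
    'uidNumber'   => ['1009']
  }
}

# RFC 4515 escaping for a value placed inside a search filter, so a login
# name containing filter metacharacters cannot change the query's meaning.
def filter_escape(value)
  value.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

# Evaluates one equality filter "(attr=value)" against an entry, undoing the
# escaping; stands in for an LDAP search with the group DN as its base.
def equality_match?(entry, filter)
  attr, raw = filter.match(/\A\((\w+)=(.*)\)\z/).captures
  value = raw.gsub(/\\([0-9a-f]{2})/i) { Regexp.last_match(1).hex.chr }
  entry.fetch(attr, []).include?(value)
end

# Mirrors the conf keys: :user_field locates the user, :group_field is read
# from the group, :user_group_field ('dn' = the entry's DN) is what is matched.
def in_group?(dir, login, group_dn, user_field:, group_field:, user_group_field: 'dn')
  dn, attrs = dir.find { |_d, a| a[user_field]&.include?(login) }
  return false if dn.nil?
  user_value = user_group_field == 'dn' ? dn : attrs.fetch(user_group_field, []).first
  group = dir[group_dn]
  return false if user_value.nil? || group.nil?
  equality_match?(group, "(#{group_field}=#{filter_escape(user_value)})")
end

# Config as posted (user_group_field left unset): the group holds "ulopez"
# but the filter carries the user's full DN, so the check fails.
AS_POSTED = in_group?(DIRECTORY, 'ulopez', GROUP_DN, user_field: 'uid', group_field: 'memberUid')
# Same entries, but matching the user's uid attribute against memberUid.
UID_MATCH = in_group?(DIRECTORY, 'ulopez', GROUP_DN, user_field: 'uid',
                      group_field: 'memberUid', user_group_field: 'uid')
```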