OpenNebula: extending the auth module with LDAP
The LDAP Authentication addon lets users authenticate to OpenNebula with the same credentials they have in LDAP, effectively centralizing authentication:
any correctly authenticated LDAP user can use OpenNebula.
1. Prerequisites
The addon requires the 'net/ldap' Ruby library, provided by the 'net-ldap' gem.
The addon will not install an LDAP server or configure it in any way. It will not create, delete or modify any entry in the LDAP server it connects to. The only requirements are the ability to connect to an already running LDAP server, to perform a successful LDAP bind, and to have a user able to search for users; therefore no special attributes or values are required in the LDIF entry of the user authenticating.
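The bind-then-search-then-bind sequence described above, as an added example written against the net-ldap gem the addon requires; this is not OpenNebula's own driver code. The configuration keys mirror the ones named on this page (:user, :password, :host, :base, :user_field); the :port key, the sample hostname and the sample credentials are assumptions made up for the example. The login name is escaped before it is placed in the search filter so that a crafted user name cannot change the filter's structure, and an empty password is rejected before the second bind because many directories treat a simple bind with an empty password as an anonymous (always successful) bind.

```ruby
# Added example, not OpenNebula's ldap driver: search-then-bind authentication
# against an LDAP server using the net-ldap gem named in the prerequisites.

# Escape a value for use inside an LDAP search filter (RFC 4515) so that a user
# name taken from a login form cannot inject filter syntax.
def ldap_filter_escape(value)
  value.to_s.gsub(/[\\*()\x00]/) do |c|
    '\\' + c.ord.to_s(16).rjust(2, '0')
  end
end

# Equality filter used to locate the entry whose user_field matches the login name.
def user_search_filter(user_field, username)
  "(#{user_field}=#{ldap_filter_escape(username)})"
end

# Constructed sample configuration (hostname and credentials are made up);
# :port is an assumption, the other keys are the ones ldap_auth.conf uses.
SAMPLE_CONF = {
  host: 'ldap.example.org', port: 389,
  user: 'cn=readonly,dc=example,dc=org', password: 'secret',
  base: 'ou=users,dc=example,dc=org', user_field: 'uid'
}.freeze

# 1) bind with the service account, 2) search the base for the user entry,
# 3) bind again as that entry with the password typed at login.
# Returns the user's DN on success, nil on any failure.
def ldap_authenticate(conf, username, password)
  require 'net/ldap' # provided by the net-ldap gem

  # An empty password must never reach the second bind: RFC 4513 allows servers
  # to treat "DN + empty password" as an unauthenticated bind that succeeds.
  return nil if password.nil? || password.empty?

  service = Net::LDAP.new(
    host: conf[:host],
    port: conf[:port] || 389,
    auth: { method: :simple, username: conf[:user], password: conf[:password] }
  )
  return nil unless service.bind

  entries = service.search(
    base: conf[:base],
    filter: Net::LDAP::Filter.construct(user_search_filter(conf[:user_field], username)),
    attributes: ['dn']
  )
  # No match or an ambiguous match both count as failure.
  return nil unless entries && entries.size == 1

  user_dn = entries.first.dn
  user = Net::LDAP.new(
    host: conf[:host],
    port: conf[:port] || 389,
    auth: { method: :simple, username: user_dn, password: password }
  )
  user.bind ? user_dn : nil
end

# Only talks to a real server when explicitly asked: LDAP_RUN=1 ruby this.rb user pass
if __FILE__ == $0 && ENV['LDAP_RUN']
  puts ldap_authenticate(SAMPLE_CONF, ARGV[0], ARGV[1]).inspect
end
```

The service account only needs read access to the users tree; the user's own password is never sent anywhere except in the second bind, and the driver never has to store it.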
2. Considerations & Limitations
Transport Layer Security (TLS), the same mechanism that gives Apache httpd its HTTPS, cannot be used here:
the LDAP auth driver has a bug that does not let it connect to TLS LDAP instances. Because the driver performs a plain simple bind, the LDAP password travels in cleartext between the OpenNebula front-end and the LDAP server, so that connection should be confined to a trusted network.
3. Configuration
The configuration file for the auth module is located at /etc/one/auth/ldap_auth.conf. This is the default configuration:
Parameter | Description
:user_field | Field in LDAP that holds the user name
To enable LDAP authentication, configure the parameters described above. OpenNebula must also be configured to enable external authentication: uncomment these lines in /etc/one/oned.conf and add ldap and default (more on this later) as enabled authentication methods.
AUTH_MAD = [
executable = "one_auth_mad",
authn = "ssh,x509,ldap,server_cipher,server_x509"
]
To be able to use this driver for users that are not yet in the user database you must make it the default driver. To do this, go to the auth drivers directory and copy the ldap directory to default. In system-wide installations you can do this with:
$ cp -R /var/lib/one/remotes/auth/ldap /var/lib/one/remotes/auth/default
User Management
With the LDAP authentication module the administrator does not need to create users with the oneuser command, as this is done automatically. The user should add their credentials to the $ONE_AUTH file (usually $HOME/.one/one_auth) in this form:
<user_dn>:ldap_password
where
<user_dn> is the DN of the user in the LDAP service
ldap_password is the password of the user in the LDAP service
DN's With Special Characters
When the user DN or password contains blank spaces the LDAP driver escapes them so they can be used to create OpenNebula users. Users therefore need to set up their $ONE_AUTH file accordingly.
Users can create escaped $ONE_AUTH tokens with the command oneuser encode <user> [<password>]; for example:
$ oneuser encode 'cn=First Name,dc=institution,dc=country' 'pass word'
cn=First%20Name,dc=institution,dc=country:pass%20word
The output of this command should be put in the $ONE_AUTH file.
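The token format above, as an added example that is not OpenNebula's oneuser code: it builds the "<user_dn>:ldap_password" line, escapes blanks as %20 exactly as the page's example shows, parses the line back, and writes it with owner-only permissions because the file holds a cleartext LDAP password. Two details go beyond what the page states and are assumptions of this example: a literal '%' is escaped as %25 so that decoding is unambiguous, and the DN is taken to run up to the first ':' in the token.

```ruby
# Added example, not OpenNebula's oneuser implementation: encode, decode and
# store an $ONE_AUTH token for the LDAP driver.
require 'tmpdir'

# Percent-encode the characters the token cannot carry literally. Spaces become
# %20 as on the page; escaping '%' as %25 is this example's own assumption.
def one_auth_escape(value)
  value.gsub('%', '%25').gsub(' ', '%20')
end

def one_auth_unescape(value)
  value.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Produce the "<user_dn>:ldap_password" line that goes into $ONE_AUTH.
def one_auth_encode(user_dn, password)
  "#{one_auth_escape(user_dn)}:#{one_auth_escape(password)}"
end

# Split a token back into [dn, password]. The DN runs up to the first ':'
# (assumption: DNs in the directory contain no ':'); the password may contain ':'.
def one_auth_decode(token)
  dn, password = token.split(':', 2)
  raise ArgumentError, 'token must be <user_dn>:ldap_password' if dn.nil? || password.nil?
  [one_auth_unescape(dn), one_auth_unescape(password)]
end

# Write the token readable only by its owner: it is a cleartext LDAP password.
# Returns the resulting permission bits so callers can verify them.
def write_one_auth(path, token)
  File.open(path, File::WRONLY | File::CREAT | File::TRUNC, 0600) { |f| f.puts(token) }
  File.chmod(0600, path) # do not rely on the umask
  File.stat(path).mode & 0o777
end

if __FILE__ == $0
  # Same input as the oneuser encode example on this page.
  puts one_auth_encode('cn=First Name,dc=institution,dc=country', 'pass word')
end
```

Running the script prints cn=First%20Name,dc=institution,dc=country:pass%20word, the same line the page shows for oneuser encode.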
Active Directory
The LDAP auth driver is able to connect to Active Directory. You will need:
- An Active Directory server with support for simple user/password authentication.
- A user with read permissions in the Active Directory users tree.
You will need to change the following values in the configuration file (/etc/one/auth/ldap_auth.conf):
- :user: the Active Directory user with read permissions in the users tree, plus the domain. For example, for user Administrator at domain win.opennebula.org specify Administrator@win.opennebula.org
- :password: password of this user
- :host: hostname or IP of the Domain Controller
- :base: base DN to search for users. Decompose the full domain name and use each part as a DC component. For example, win.opennebula.org gives the base DN DC=win,DC=opennebula,DC=org
- :user_field: set it to sAMAccountName
The :group parameter is not yet supported for Active Directory; leave it commented.
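The Active Directory settings above, derived programmatically as an added example (not OpenNebula code): the domain name is decomposed into DC components for :base, the bind user is written in user@domain form, and only the parameters this page names are emitted as the ":key:" YAML that ldap_auth.conf uses. The domain controller hostname is an assumption made up for the example, and :group is deliberately left out since the page says it is unsupported for Active Directory.

```ruby
# Added example, not OpenNebula code: build ldap_auth.conf values for Active
# Directory from a domain name and render them as YAML.
require 'yaml'

# win.opennebula.org -> DC=win,DC=opennebula,DC=org
def ad_base_dn(domain)
  labels = domain.to_s.split('.')
  if labels.empty? || labels.any? { |l| l !~ /\A[A-Za-z0-9-]+\z/ }
    raise ArgumentError, "not a valid DNS domain: #{domain.inspect}"
  end
  labels.map { |l| "DC=#{l}" }.join(',')
end

# Administrator + win.opennebula.org -> Administrator@win.opennebula.org
def ad_bind_user(user, domain)
  raise ArgumentError, 'user must not already contain @' if user.include?('@')
  "#{user}@#{domain}"
end

# The parameters this page lists for Active Directory; :group is intentionally absent.
def ad_ldap_auth_conf(domain:, user:, password:, host:)
  {
    user: ad_bind_user(user, domain),
    password: password,
    host: host,
    base: ad_base_dn(domain),
    user_field: 'sAMAccountName'
  }
end

# Symbol keys dump as ":user:", ":base:", ... which is the style ldap_auth.conf uses.
def ad_ldap_auth_yaml(**opts)
  YAML.dump(ad_ldap_auth_conf(**opts))
end

if __FILE__ == $0
  # dc1.win.opennebula.org and the password are made-up sample values.
  puts ad_ldap_auth_yaml(domain: 'win.opennebula.org', user: 'Administrator',
                         password: 'changeme', host: 'dc1.win.opennebula.org')
end
```

The rendered file contains the service account's password in cleartext, so /etc/one/auth/ldap_auth.conf should be readable only by the oneadmin user.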
Enabling LDAP auth in Sunstone
Update the :auth parameter in /etc/one/sunstone-server.conf to use the opennebula method:
:auth: opennebula
With this method the credentials provided in the login screen are sent to the OpenNebula core and authentication is delegated to the OpenNebula auth system, using the driver specified for that user. Therefore any OpenNebula auth driver (e.g. LDAP) can be used to authenticate the user through this method.
To automatically encode credentials as explained in the "DN's With Special Characters" section, also add this parameter to the Sunstone configuration:
:encode_user_password: true