Re: [one-users] New authentication type
Hello,

I have a new problem with my radius authentication: The passwords are stored in clear text in oned.log, in messages like this:

Thu Apr 18 11:19:17 2013 [AuM][D]: Message received: AUTHENTICATE SUCCESS 103 radius christoph.pleger blablabla

And oned.log is readable by everyone who can login to the cloud management node!

How can I prevent passwords from being stored in clear text, or how can I achieve that oned.log is created with more restrictive permissions?

Regards
  Christoph
___
Users mailing list
Users@lists.opennebula.org
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
Re: [one-users] New authentication type
Usually for external authentication methods you don't need to store the password in OpenNebula. In fact it is better that you don't store it as you will have to sync the password with the external database.

You can use the password as storage for some other useful information. In the case of ldap we store full dn of the user. If you don't want to store anything just provide a -. For example:

    puts "radius #{username} -"

On Fri, Apr 19, 2013 at 10:05 AM, Christoph Pleger christoph.ple...@cs.tu-dortmund.de wrote:

> Hello,
>
> I have a new problem with my radius authentication: The passwords are stored in clear text in oned.log, in messages like this:
>
> Thu Apr 18 11:19:17 2013 [AuM][D]: Message received: AUTHENTICATE SUCCESS 103 radius christoph.pleger blablabla
>
> And oned.log is readable by everyone who can login to the cloud management node!
>
> How can I prevent passwords from being stored in clear text, or how can I achieve that oned.log is created with more restrictive permissions?
>
> Regards
>   Christoph

--
Javier Fontán Muiños
Project Engineer
OpenNebula - The Open Source Toolkit for Data Center Virtualization
www.OpenNebula.org | jfon...@opennebula.org | @OpenNebula
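
The reply above, together with a check for the log lines Christoph reported, as an added example that is not part of the thread or of OpenNebula's own drivers. All helper names are hypothetical, the log format is assumed from the lines quoted in the thread, and the second and third sample lines are constructed.

```ruby
# Added example, not OpenNebula code; all helper names are hypothetical.

# oned.log line format as quoted in this thread:
#   ... [AuM][D]: Message received: AUTHENTICATE SUCCESS <id> <driver> <user> <third field>
AUTH_LINE = /\[AuM\]\[D\]: Message received: AUTHENTICATE SUCCESS (\d+) (\S+) (\S+) (.+)$/

# Line 1 is the one from the thread; lines 2 and 3 are constructed samples.
SAMPLE_LOG = [
  'Thu Apr 18 11:19:17 2013 [AuM][D]: Message received: AUTHENTICATE SUCCESS 103 radius christoph.pleger blablabla',
  'Thu Apr 18 11:20:02 2013 [AuM][D]: Message received: AUTHENTICATE SUCCESS 104 radius christoph.pleger -',
  'Thu Apr 18 11:21:40 2013 [AuM][D]: Message received: AUTHENTICATE SUCCESS 105 ldap jdoe cn=jdoe,dc=example,dc=org'
].freeze

# What the authenticate script prints on success: "-" in the third field,
# so no credential is handed to oned or written to its debug log.
def driver_response(driver, username)
  "#{driver} #{username} -"
end

# MatchData when a line carries a real third field for a driver that should
# send "-". ldap is not in the default list: its third field is the user's DN.
def leak_match(line, drivers)
  m = AUTH_LINE.match(line)
  m if m && drivers.include?(m[2]) && m[4].strip != '-'
end

# [id, driver, user] for every offending line.
def leaked_secrets(lines, drivers = ['radius'])
  lines.map { |l| (m = leak_match(l, drivers)) && [m[1].to_i, m[2], m[3]] }.compact
end

# Copy of the line with the third field blanked, for scrubbing an existing log.
def redact(line, drivers = ['radius'])
  m = leak_match(line, drivers)
  m ? line[0...m.begin(4)] + '[REDACTED]' : line
end

# True when "other" has read permission, the oned.log condition reported above.
def world_readable?(path)
  (File.stat(path).mode & 0o004) != 0
end

if __FILE__ == $PROGRAM_NAME
  puts driver_response('radius', 'christoph.pleger')
  leaked_secrets(SAMPLE_LOG).each { |id, drv, user| puts "id #{id}: #{drv} secret logged for #{user}" }
end
```

Any password that already reached the log stays there after the driver is changed, so the existing file still has to be scrubbed or rotated and its permissions tightened.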
Re: [one-users] New authentication type
Hi,

I'm glad you made it work. Do you plan to share these drivers? They could make a good ecosystem project [1].

Cheers

[1] http://opennebula.org/community:ecosystem

--
Carlos Martín, MSc
Project Engineer
OpenNebula - The Open-source Solution for Data Center Virtualization
www.OpenNebula.org | cmar...@opennebula.org | @OpenNebula

On Fri, Apr 12, 2013 at 5:39 PM, Christoph Pleger christoph.ple...@cs.tu-dortmund.de wrote:

> Hello,
>
> > Try to replicate the ldap authenticate script. To create new users, the driver needs to print to stdout 'drivername username password' when the authentication is successful
>
> Ah, thank you very much, that was it! I only had to add 'puts radius #{user} #{pass} in authenticate before 'exit 0', now it works.
>
> Regards
>   Christoph
Re: [one-users] New authentication type
Hi,

That's how the LDAP driver works [1]. To create new users automatically on their first login, copy or link this dir to your drivers:

/var/lib/one/remotes/auth/default

Keep us updated on that integration!

[1] http://opennebula.org/documentation:rel3.8:ldap#configuration

--
Carlos Martín, MSc
Project Engineer
OpenNebula - The Open-source Solution for Data Center Virtualization
www.OpenNebula.org | cmar...@opennebula.org | @OpenNebula

On Fri, Apr 12, 2013 at 11:33 AM, Christoph Pleger christoph.ple...@cs.tu-dortmund.de wrote:

> Hello,
>
> I am trying to add radius authentication for OpenNebula. I have written a small ruby file for that and I can successfully login to sunstone, but I still have to create a user with oneuser create and choose a password for the user, and authentication only works if that password and the radius password are the same.
>
> What I would like to have is that users do not have to be in OpenNebula's user database before their first login and that the users are automatically added to the user database on their first login.
>
> How can I achieve that?
>
> Regards
>   Christoph
Re: [one-users] New authentication type
Hello,

> That's how the LDAP driver works [1]. To create new users automatically on their first login, copy or link this dir to your drivers:

Authentication itself is successful now, but I get another error now:

---snip---
Fri Apr 12 15:35:22 2013 [AuM][D]: Message received: LOG D 14 authenticate: Radius-Authenticating christoph.pleger, with password
Fri Apr 12 15:35:22 2013 [AuM][I]: authenticate: Radius-Authenticating christoph.pleger, with password
Fri Apr 12 15:35:22 2013 [AuM][D]: Message received: LOG I 14 ExitCode: 0
Fri Apr 12 15:35:22 2013 [AuM][I]: ExitCode: 0
Fri Apr 12 15:35:22 2013 [AuM][D]: Message received: AUTHENTICATE SUCCESS 14 -
Fri Apr 12 15:35:22 2013 [AuM][E]: Can't create user: . Driver response:
---snip---

So far, I changed the following things:

1. Set ':auth: opennebula' in /etc/one/sunstone-server.conf
2. Set authn = ssh,x509,ldap,server_cipher,server_x509,radius,default in /etc/one/oned.conf
3. Created /usr/lib/one/ruby/radius_auth.rb
4. Created /var/lib/one/remotes/auth/radius/authenticate
5. Created a link /var/lib/one/remotes/auth/default -> /var/lib/one/remotes/auth/radius

I have attached my files radius_auth.rb and authenticate. Sorry if my ruby is not good, I am a really new newbie to ruby.

Regards
  Christoph
Re: [one-users] New authentication type
Hi,

Try to replicate the ldap authenticate script. To create new users, the driver needs to print to stdout 'drivername username password' when the authentication is successful

Cheers

--
Carlos Martín, MSc
Project Engineer
OpenNebula - The Open-source Solution for Data Center Virtualization
www.OpenNebula.org | cmar...@opennebula.org | @OpenNebula

On Fri, Apr 12, 2013 at 4:07 PM, Christoph Pleger christoph.ple...@cs.tu-dortmund.de wrote:

> Hello,
>
> > That's how the LDAP driver works [1]. To create new users automatically on their first login, copy or link this dir to your drivers:
>
> Authentication itself is successful now, but I get another error now:
>
> ---snip---
> Fri Apr 12 15:35:22 2013 [AuM][D]: Message received: LOG D 14 authenticate: Radius-Authenticating christoph.pleger, with password
> Fri Apr 12 15:35:22 2013 [AuM][I]: authenticate: Radius-Authenticating christoph.pleger, with password
> Fri Apr 12 15:35:22 2013 [AuM][D]: Message received: LOG I 14 ExitCode: 0
> Fri Apr 12 15:35:22 2013 [AuM][I]: ExitCode: 0
> Fri Apr 12 15:35:22 2013 [AuM][D]: Message received: AUTHENTICATE SUCCESS 14 -
> Fri Apr 12 15:35:22 2013 [AuM][E]: Can't create user: . Driver response:
> ---snip---
>
> So far, I changed the following things:
>
> 1. Set ':auth: opennebula' in /etc/one/sunstone-server.conf
> 2. Set authn = ssh,x509,ldap,server_cipher,server_x509,radius,default in /etc/one/oned.conf
> 3. Created /usr/lib/one/ruby/radius_auth.rb
> 4. Created /var/lib/one/remotes/auth/radius/authenticate
> 5. Created a link /var/lib/one/remotes/auth/default -> /var/lib/one/remotes/auth/radius
>
> I have attached my files radius_auth.rb and authenticate. Sorry if my ruby is not good, I am a really new newbie to ruby.
>
> Regards
>   Christoph
Re: [one-users] New authentication type
Hello,

> Try to replicate the ldap authenticate script. To create new users, the driver needs to print to stdout 'drivername username password' when the authentication is successful

Ah, thank you very much, that was it! I only had to add 'puts radius #{user} #{pass} in authenticate before 'exit 0', now it works.

Regards
  Christoph