Hi, I'm pretty new to OpenNebula and had some trouble getting LDAP integration to work. I made the following changes to ldap_auth.rb and am now up and running. Am I missing something, or does this need a bug (or several bugs)? I am not very experienced with ruby, but hacked my way through it.
1) Multi-line ldap.search() statements resulted in syntax errors. Reducing them to a single line fixed it.
2) Our LDAP server keeps group members like this:
member: uid=jryan,ou=People,dc=awesome,dc=com
which didn't work as a filter in the group matching section, even when the whole search() was on one line. I used a Net::LDAP::Filter object with the same filter string, and it worked.
3) The cloning of the initial Net::LDAP object to test the user's credentials resulted in the script binding as the user who did the initial search, which of course was able to bind. This meant that no matter what password the user passed in, as long as they were in the LDAP directory and in the group specified, their user was created in ONE and they could repeatedly log in -- security hole!!!! I wiped out the auth info from the cloned ldap object and replaced it with the user's credentials.

root@ops-vm-opennebula:/usr/lib/one/ruby/opennebula# diff ldap_auth.rb{,.new} -u --- ldap_auth.rb 2013-05-17 10:57:50.000000000 -0700 +++ ldap_auth.rb.new 2013-06-28 18:24:28.305292002 -0700 @@ -52,9 +52,7 @@ def find_user(name) begin - result=@ldap.search( - :base => @options[:base], - :filter => "#{@options[:user_field]}=#{name}") + result=@ldap.search( :base => @options[:base], :filter => "#{@options[:user_field]}=#{name}") if result && result.first [result.first.dn, result.first[@options[:user_group_field]]] @@ -73,9 +71,8 @@ end def is_in_group?(user, group) - result=@ldap.search( - :base => group, - :filter => "(#{@options[:group_field]}=#{user.first})") + filter = Net::LDAP::Filter.eq(@options[:group_field],user.first) + result=@ldap.search( :base => group, :filter => filter ) if result && result.first true 
@@ -87,13 +84,10 @@ def authenticate(user, password) ldap=@ldap.clone - auth={ - :method => @options[:auth_method], - :username => user, - :password => password - } + ldap.auth nil,nil + ldap.auth user, password - if ldap.bind(auth) + if ldap.bind() true else false

$ ruby -v
ruby 1.8.7 (2011-06-30 patchlevel 352) [x86_64-linux]
$ dpkg -l |grep ruby-net-ldap
ii ruby-net-ldap 0.0.4-1 LDAP client library for Ruby
$ cat /etc/issue
Ubuntu 12.04.2 LTS Server
$ dpkg -l |grep opennebula
ii opennebula 4.0.1-1 controller which executes the OpenNebula cluster services
ii opennebula-common 4.0.1-1 empty package to create OpenNebula users and directories
ii opennebula-node 4.0.1-1 empty package to prepare a machine as OpenNebula Node
ii opennebula-sunstone 4.0.1-1 web interface to which executes the OpenNebula cluster services
ii opennebula-tools 4.0.1-1 Command-line tools for OpenNebula Cloud
ii ruby-opennebula 4.0.1-1 Ruby bindings for OpenNebula Cloud API (OCA)
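Review bot: in the find_user hunk (@@ -52,9 +52,7 @@) the login name is still interpolated unescaped into the filter string "#{@options[:user_field]}=#{name}", so a name containing LDAP filter metacharacters (`*`, `(`, `)`, `\`) rewrites the query; a name of `*` turns it into a presence filter and result.first becomes whichever entry the server returns first. Escape the value per RFC 4515 (or reject names containing those characters) before building the filter; the one-line form of the search call is otherwise equivalent to the original, so the hunk changes nothing else.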
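Review bot: in the is_in_group? hunk (@@ -73,9 +71,8 @@) the search passes :base => group with no :scope, so it descends the whole subtree under the group DN rather than testing the group entry itself; add :scope => Net::LDAP::SearchScope_BaseObject so a match can only come from that entry's own #{@options[:group_field]} attribute. The Net::LDAP::Filter.eq form is fine for a DN value returned by the directory, but note that Filter.eq still treats `*` in the value as a wildcard, so user.first must never be caller-supplied text.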
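Review bot: the authenticate hunk (@@ -87,13 +84,10 @@) never rejects an empty password; `ldap.auth user, password` followed by `ldap.bind()` with an empty password is an unauthenticated bind (RFC 4513 section 5.1.2), which many directories accept, so a user in the right group could still log in with a blank password. Return false when password is nil or empty before calling auth. Also `ldap.auth nil,nil` is redundant because the next auth call replaces the credentials, and dropping `:method => @options[:auth_method]` means the configured auth_method is no longer honoured (the two-argument auth selects the simple method); keep passing it if that option is meant to stay configurable. The trailing `if ldap.bind() true else false` can simply be `ldap.bind`.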
_______________________________________________ Users mailing list Users@lists.opennebula.org http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
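A hardened version of the three helpers discussed above, as an added example that is not part of the original post and not OpenNebula's own ldap_auth.rb. It escapes caller-supplied values in search filters (RFC 4515), binds the user on a fresh connection object that carries only the user's credentials, and refuses empty passwords, since an empty password is an unauthenticated bind that many directories accept. The FakeDirectory class and its entries are constructed for the example so it runs offline; it assumes Net::LDAP offers auth, search and bind as used here, and with the real gem you would pass a factory returning Net::LDAP.new(...) instead.

```ruby
# Added example, not OpenNebula's ldap_auth.rb and not the poster's patch. It
# rewrites the three helpers from the post so that search filters escape
# caller-supplied values (RFC 4515), the user's bind runs on a fresh connection
# holding only the user's credentials, and empty passwords are refused: an
# empty password is an unauthenticated bind (RFC 4513 5.1.2) many servers accept.
# FakeDirectory is a constructed stand-in for Net::LDAP so the file runs offline;
# with the gem, pass a factory returning Net::LDAP.new(...) (assumed to offer
# auth, search and bind as used below; the fake does not authenticate searches).
module LdapFilter
  # RFC 4515: escape backslash, star, parentheses and NUL inside a filter value.
  def self.escape(value)
    value.to_s.gsub(/[\\*()\x00]/) { |c| "\\%02x" % c.unpack('C').first }
  end

  # Inverse of escape; only the fake directory needs it.
  def self.unescape(value)
    value.gsub(/\\([0-9a-fA-F]{2})/) { $1.hex.chr }
  end
end

class FakeDirectory
  Entry = Struct.new(:dn, :attrs) do
    def [](attr)                 # Net::LDAP::Entry#[] also returns an array
      attrs[attr.to_s] || []
    end
  end

  JRYAN = "uid=jryan,ou=People,dc=awesome,dc=com"
  ALICE = "uid=alice,ou=People,dc=awesome,dc=com"
  CLOUD = "cn=cloud,ou=Groups,dc=awesome,dc=com"
  ENTRIES = [                    # sample data, not a real directory
    Entry.new(JRYAN, { "uid" => ["jryan"], "memberOf" => [CLOUD] }),
    Entry.new(ALICE, { "uid" => ["alice"], "memberOf" => [] }),
    Entry.new(CLOUD, { "cn" => ["cloud"], "member" => [JRYAN] }),
  ]
  PASSWORDS = { JRYAN => "s3cret", ALICE => "hunter2" }

  def auth(user, password)
    @auth = [user, password]
  end

  # Understands a single equality filter "(attr=value)" with RFC 4515 escapes.
  def search(opts)
    m = opts[:filter].to_s.match(/\A\((\w+)=(.*)\)\z/)
    return [] unless m
    value = LdapFilter.unescape(m[2])
    ENTRIES.select { |e| e.dn.end_with?(opts[:base]) && e[m[1]].include?(value) }
  end

  # Like a server allowing unauthenticated binds: DN plus empty password "succeeds".
  def bind
    user, password = @auth
    return false if user.nil? || user.empty?
    return true if password.nil? || password.empty?
    PASSWORDS[user] == password
  end
end

class LdapAuth
  # options use the post's @options keys; new_client returns a fresh connection.
  def initialize(options, new_client)
    @options, @new_client = options, new_client
  end

  def find_user(name)
    filter = "(#{@options[:user_field]}=#{LdapFilter.escape(name)})"
    result = search_client.search(:base => @options[:base], :filter => filter)
    return nil unless result && result.first
    [result.first.dn, result.first[@options[:user_group_field]]]
  end

  def is_in_group?(user_dn, group_dn)
    filter = "(#{@options[:group_field]}=#{LdapFilter.escape(user_dn)})"
    result = search_client.search(:base => group_dn, :filter => filter)
    !!(result && result.first)
  end

  def authenticate(user_dn, password)
    return false if user_dn.nil? || user_dn.empty?
    return false if password.nil? || password.empty?   # no unauthenticated bind
    ldap = @new_client.call      # fresh object, no leftover service credentials
    ldap.auth(user_dn, password)
    ldap.bind ? true : false
  end

  private

  def search_client              # service account, used for lookups only
    ldap = @new_client.call
    ldap.auth(@options[:bind_user], @options[:bind_password])
    ldap
  end
end

EXAMPLE_OPTIONS = { :base => "dc=awesome,dc=com", :user_field => "uid",
  :user_group_field => "memberOf", :group_field => "member",
  :bind_user => "cn=onesearch,dc=awesome,dc=com", :bind_password => "lookup-only" }

def example_auth
  LdapAuth.new(EXAMPLE_OPTIONS, lambda { FakeDirectory.new })
end
```

With the fake, `example_auth.authenticate(FakeDirectory::JRYAN, "")` returns false even though the directory itself would accept that bind, and `find_user("*")` or `find_user("jryan)(uid=alice")` find nothing because the metacharacters are escaped rather than interpreted.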