Hello,

Thank you very much for your quick response, but I would prefer not to
change any OpenNebula script.

Anyway, I wonder why that simple configuration doesn't work. Could someone
who has integrated OpenLDAP groups with OpenNebula let us know their
configuration and OpenLDAP entry types?

Thank you very much

Best regards

2014-10-08 12:42 GMT+02:00 Marcin Stolarek <ms...@icm.edu.pl>:

>
>
> On 10/08/2014 12:32 PM, Manuel Alfonso López Rourich wrote:
>
>> Good morning,
>>
>> I'd like to ask you about an issue with user authentication in SunStone:
>>
>> I've configured SunStone so that new users from an OpenLDAP directory
>> can log in (the user is created automatically in OpenNebula). It works
>> fine, but when I configure *:group* in *ldap_auth.conf*, I can't
>> authenticate new users within an LDAP group. The error that ONE throws is
>> clear (*"User ulopez is not in group
>> cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es"*), but I don't know what could
>> be done so that it works. The documentation about LDAP groups with ONE is
>> not very clear to me.
>>
>> The LDAP configuration is:
>>
>> server 1:
>>      :auth_method: :simple
>>      :host: 10.12.0.3
>>      :port: 389
>>      :base: 'dc=one,dc=es'
>>
>>      # group the users need to belong to. If not set any user will do
>>      :group: 'cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es'
>>
>>      # field that holds the user name, if not set 'cn' will be used
>>      :user_field: 'uid'
>>      # field name for group membership, by default it is 'member'
>>      :group_field: 'memberUid'
>>
>>      # user field that is in the group group_field, if not set 'dn' will be used
>>      #:user_group_field: 'gidNumber'
>>
>> The directory entry for the group is the next one:
>>
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # grupo_nuevo, ou_nueva, one.es
>> dn: cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es
>> gidNumber: 503
>> cn: grupo_nuevo
>> objectClass: posixGroup
>> objectClass: top
>> memberUid: ulopez
>>
>> # us_nuevo_lopez, grupo_nuevo, ou_nueva, one.es
>> dn: cn=us_nuevo_lopez,cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es
>> givenName: us_nuevo
>> gidNumber: 503
>> homeDirectory: /home/users/ulopez
>> sn: lopez
>> loginShell: /bin/sh
>> objectClass: inetOrgPerson
>> objectClass: posixAccount
>> objectClass: top
>> uidNumber: 1009
>> uid: ulopez
>> cn: us_nuevo_lopez
>>
>> Thank you very much,
>>
>> Best regards
>>
>>
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users@lists.opennebula.org
>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>
>>
>
> Currently OpenNebula supports only the scheme with the "listofmembers" (not sure if
> I haven't made a mistake in the name) objectClass.
>
> You can use my patch:
> https://github.com/cinek810/one/commit/925a124c96018aa8b4b44805aafa76280830a461
>
> to support groups in memberUid format.
>
> cheers,
> marcin
>
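The following is an added example, not OpenNebula's driver code, that models the group check the comments in the posted ldap_auth.conf describe: a search under `:group` for entries whose `group_field` attribute equals the user's `user_group_field` attribute. The directory entries are the LDIF from the thread retyped as constructed data; the search semantics are an assumption about the driver, not taken from its source.

```ruby
# Added example, not OpenNebula code: an in-memory model of the group check
# that the comments in the posted ldap_auth.conf describe. Assumption: the
# driver searches under :group for (<group_field> = <user's user_group_field>).
GROUP_DN = 'cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es'
USER_DN  = 'cn=us_nuevo_lopez,cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es'

# Constructed directory, retyped from the LDIF in the thread. 'dn' is stored
# as an attribute so the default :user_group_field ('dn') resolves uniformly.
DIRECTORY = {
  GROUP_DN => { 'dn' => [GROUP_DN], 'cn' => ['grupo_nuevo'],
                'objectClass' => ['posixGroup', 'top'], 'memberUid' => ['ulopez'] },
  USER_DN  => { 'dn' => [USER_DN], 'cn' => ['us_nuevo_lopez'], 'uid' => ['ulopez'],
                'objectClass' => ['inetOrgPerson', 'posixAccount', 'top'] }
}

# Defaults as documented in ldap_auth.conf: group_field 'member', user_group_field 'dn'.
DEFAULT_OPTS = { group_field: 'member', user_group_field: 'dn' }

# Equivalent of the (user_field=login) search under :base.
def find_user(login, user_field = 'uid')
  DIRECTORY.values.find { |attrs| attrs[user_field] == [login] }
end

# Subtree search under group_dn for an entry whose group_field holds one of
# the user's user_group_field values; array intersection stands in for the
# LDAP equality filter.
def in_group?(user_attrs, group_dn, opts = {})
  opts   = DEFAULT_OPTS.merge(opts)
  wanted = user_attrs.fetch(opts[:user_group_field], [])
  DIRECTORY.any? do |dn, attrs|
    in_subtree = dn == group_dn || dn.end_with?(",#{group_dn}")
    in_subtree && (attrs.fetch(opts[:group_field], []) & wanted).any?
  end
end

# Exactly the posted config: group_field 'memberUid', user_group_field left at
# its default 'dn'. memberUid holds 'ulopez', never the DN, so this is false,
# which is the "User ulopez is not in group ..." outcome.
def check_as_posted
  in_group?(find_user('ulopez'), GROUP_DN, group_field: 'memberUid')
end

# posixGroup lists uids, so compare the user's 'uid' against memberUid.
def check_with_uid
  in_group?(find_user('ulopez'), GROUP_DN,
            group_field: 'memberUid', user_group_field: 'uid')
end
```

Under the same model, a groupOfNames-style entry whose `member` values are full DNs matches with the defaults untouched, which is the scheme Marcin's reply refers to.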
