Assign multiple groups via active directory

Community Support
1

I have set up our OpenNebula with LDAP authentication via active directory. The authentication works nicely but the group mapping is incomplete.

The LDAP users have a bunch of groups assigned and i have defined group mappings that assign the correct group. What i did not get working so far is the mapping of multiple groups. We have users that are not just in team x (mapped to OpenNebula group X) but as well in group Y and Z. There is a mapping for those groups as well but it seems that after the first match is found the other groups are ignored.

Is that the expected behavior or am i doing something wrong?

auth config:
server at:
:auth_method: :simple
:encryption: :simple_tls
:user: ‘ldap_user’
:password: ‘password’
:host: server
:port: port
:base: ‘dc…’
:user_field: ‘name field’
:group_field: ‘memberOf’
:mapping_generate: false
:mapping_timeout: 300
:mapping_filename: server_at.yaml
:mapping_key: GROUP_DN
:mapping_default: 105

group mapping:
team admin:

  • ‘101’
  • ‘106’
  • ‘105’
  • ‘104’
  • ‘103’
  • ‘102’
  • ‘1’
  • '0’
    team a:
  • ‘103’
  • '105’
    team b:
  • ‘102’
  • '105’
    team c:
  • ‘104’
  • ‘102’
  • ‘103’
  • '105’
    team d:
  • ‘106’
  • '105’
    team e:
  • ‘107’
  • '105’
    others: ‘105’

Example user ‘tester’ is member of team b, team c and team d but he only gets the OpenNebula groups for team b assigned. So templates or VMs from the other teams he belongs to are not shown.

2

This is true for OpenNebula < 5.2.0. In the latest release extra groups will be added as secondary groups. This membership will also be changed to reflect ldap mapping if it changes.

http://docs.opennebula.org/5.2/deployment/authentication_setup/ldap.html#group-mapping

3

Thx for your fast answer Javi!
Actually i’m running on 5.2.0 currently. Sorry forgot to mention that.

Edit:
the mapping of secondary groups to a single ldap group works, what i would need is that the mapping is done for every ldap group. So my example user ‘tester’ should not just be in 102 and 105 but as well in 103, 104 and 106. The main group should be the first ldap groups primary (that still leaves room for a dedicated primary group but i’d go with the order in the file)