I have set up our OpenNebula with LDAP authentication via Active Directory. The authentication works nicely but the group mapping is incomplete.
The LDAP users have a bunch of groups assigned and I have defined group mappings that assign the correct group. What I did not get working so far is the mapping of multiple groups. We have users that are not just in team x (mapped to OpenNebula group X) but also in groups Y and Z. There is a mapping for those groups as well, but it seems that after the first match is found the other groups are ignored.
Is that the expected behavior or am I doing something wrong?
auth config:

server at:
  :auth_method: :simple
  :encryption: :simple_tls
  :user: 'ldap_user'
  :password: 'password'
  :host: server
  :port: port
  :base: 'dc…'
  :user_field: 'name field'
  :group_field: 'memberOf'
  :mapping_generate: false
  :mapping_timeout: 300
  :mapping_filename: server_at.yaml
  :mapping_key: GROUP_DN
  :mapping_default: 105

group mapping:

team admin:
  - '101'
  - '106'
  - '105'
  - '104'
  - '103'
  - '102'
  - '1'
  - '0'
team a:
  - '103'
  - '105'
team b:
  - '102'
  - '105'
team c:
  - '104'
  - '102'
  - '103'
  - '105'
team d:
  - '106'
  - '105'
team e:
  - '107'
  - '105'
others: '105'

Example user ‘tester’ is member of team b, team c and team d but he only gets the OpenNebula groups for team b assigned. So templates or VMs from the other teams he belongs to are not shown.