Custom/Kerberos auth - password limitations

Hello, I am trying to deploy OpenNebula in my local network, where we use Kerberos authentication. I wrote a simple Perl script /var/lib/one/remotes/auth/krb5/authenticate, which works from the command line as expected. I am able to create users in Sunstone (with a dummy password and a custom/krb5 auth method), and they are able to log in. The problem is that it does not work for some users. The users who are not able to log in are those who have spaces in their passwords. The problem is that my …/krb5/authenticate script is not even called for those users.

The unsuccessful login attempts are not logged at all in oned.log, only in sunstone.log:

Wed Mar 23 11:15:45 2016 [E]: User xtest could not be authenticated
Wed Mar 23 11:15:45 2016 [E]: Net::ReadTimeout
Wed Mar 23 11:15:45 2016 [I]: Unauthorized login attempt
Wed Mar 23 11:15:45 2016 [I]: - - [23/Mar/2016:11:15:45 +0100] "POST /login HTTP/1.1" 401 - 30.0181

How can I make Kerberos authentication work with any passwords from the Kerberos database?



There is an option in sunstone-server.conf to encode user passwords:


OK, this helped. I think the comment inside the default sunstone-server.conf should be fixed, though:

  • it is not for LDAP auth only
  • s/espaces/spaces/
  • it does full URL-encoding, not only turning spaces to %20 (percent signs, quotes, etc. are also encoded to %xx).


Thank you, we will fix it.
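The full URL-encoding described in this thread, seen from the side of a custom auth driver, as an added example that is not part of the original posts and is not OpenNebula code. It assumes the encoded password reaches the driver as one field of a whitespace-delimited line; `encode_secret`, `decode_secret` and `parse_request` are hypothetical names.

```ruby
# Added illustration, not OpenNebula code. Assumptions: the front end
# percent-encodes every byte outside the RFC 3986 unreserved set and hands
# the result to the driver as one whitespace-delimited field.
UNRESERVED = [*'A'..'Z', *'a'..'z', *'0'..'9', '-', '.', '_', '~'].map(&:ord).freeze
ENCODED_TOKEN = /\A(?:[A-Za-z0-9\-._~]|%\h\h)*\z/

# Full percent-encoding: spaces, percent signs, quotes and non-ASCII bytes
# all become %XX, so the token never contains a field separator.
def encode_secret(secret)
  secret.each_byte.map { |b| UNRESERVED.include?(b) ? b.chr : format('%%%02X', b) }.join
end

# Strict decode for the driver side. Anything that is not a well-formed
# token is rejected instead of being passed on to the Kerberos check.
def decode_secret(token)
  raise ArgumentError, 'malformed encoded secret' unless token.match?(ENCODED_TOKEN)
  token.b.gsub(/%(\h\h)/) { [Regexp.last_match(1)].pack('H2') }
       .force_encoding(Encoding::UTF_8)
end

# Hypothetical whitespace-delimited request line: "<user> <secret>".
def parse_request(line)
  fields = line.split(' ')
  raise ArgumentError, "expected 2 fields, got #{fields.size}" unless fields.size == 2
  { user: fields[0], secret: decode_secret(fields[1]) }
end

if __FILE__ == $PROGRAM_NAME
  password = 'p@ss w%rd "x"' # constructed sample, not a real credential
  encoded = encode_secret(password)
  puts "encoded field: #{encoded}"

  # The raw password breaks field parsing before any driver logic runs.
  begin
    parse_request("xtest #{password}")
  rescue ArgumentError => e
    puts "raw password rejected: #{e.message}"
  end

  # The encoded password arrives intact and decodes to the original bytes.
  request = parse_request("xtest #{encoded}")
  puts "round trip ok: #{request[:secret] == password}"
end
```

A driver that decodes this way should pass the decoded value only to the Kerberos check and keep both forms out of its logs.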