Integration with AD

Andrew_Hancock · March 31, 2026, 11:24am

My original post was closed - Active Directory integration working in 2025?

We’ve spent some time going through ALL ON, following the process of how ON works, and this was our notes on how we got AD integrated with ON.

OpenNebula Active Directory Integration - Implementation Summary

Objective

Connect OpenNebula 7.0.1 (FireEdge/Sunstone) to Active Directory for user authentication.

Environment

Component	Detail
OpenNebula Host	`opennebula-host.example.ac.uk`
AD Domain	`example.ac.uk`
AD Domain Controller	`dc01.example.ac.uk`
OS	Ubuntu 24.04.4 LTS
OpenNebula Version	7.0.1

Steps Taken

1. Initial Configuration

Backed up original ldap_auth.conf
Configured server 1 in ldap_auth.conf with AD server, base DN, service account and group restriction

2. Service Account Creation

Created svc-opennebula in CN=Managed Service Accounts,DC=example,DC=ac,DC=uk
Account requires read-only access to AD directory

3. AD Group Creation

Created CN=OpenNebula Users,OU=Groups,DC=example,DC=ac,DC=uk
Group scope set to Domain Local (to allow cross-domain trust members)
Added test user and cross-domain user as members

4. LDAP Connectivity Testing

Used ldapsearch to verify connectivity on port 389
Confirmed service account could bind and search the directory
Confirmed test user existed and was in the correct group

5. Issues Encountered & Resolved

Issue 1: `Authentication driver 'default' not available`

Cause: Normal Sunstone health check — not a real error
Resolution: Ignored, not related to LDAP auth

Issue 2: `Request timeout`

Cause: Multiple contributing factors:
- :timeout setting in ldap_auth.conf was never passed to Net::LDAP object in ldap_auth.rb
- :disable_referrals not implemented in the Ruby library
- TIMEOUT in oned.conf was commented out
- mapping_generate making API callback to OpenNebula causing deadlock
Resolution:
- Added ops[:timeout] and ops[:referrals]=false to ldap_auth.rb
- Set TIMEOUT = 60 in oned.conf
- Set :mapping_generate: false in ldap_auth.conf

Issue 3: `memberOf` attribute not returned

Cause: Service account did not have permission to read memberOf attribute on user objects
Resolution: Ran on DC:

powershell

  dsacls "OU=Managed,DC=example,DC=ac,DC=uk" /I:S /G "example\svc-opennebula:RP;memberOf;user"

Issue 4: `mapping_generate` deadlock

Cause: The mapping_generate function makes an API call back to OpenNebula during authentication, causing a deadlock/timeout
Resolution: Set :mapping_generate: false in ldap_auth.conf

Issue 5: Users must be pre-created

Cause: Unlike old Sunstone, FireEdge does not auto-provision LDAP users on first login
Resolution: Users must be created manually before first login:

bash

  oneuser create USERNAME "placeholder" --driver ldap

Final Working Configuration

`/etc/one/auth/ldap_auth.conf`

yaml

server 1:
    :auth_method: :simple
    :host: dc01.example.ac.uk
    :port: 389
    :timeout: 30
    :user: 'svc-opennebula@example.ac.uk'
    :password: 'SERVICEACCOUNTPASSWORD'
    :base: 'DC=example,DC=ac,DC=uk'
    :group: 'CN=OpenNebula Users,OU=Groups,DC=example,DC=ac,DC=uk'
    :user_field: 'sAMAccountName'
    :group_field: 'member'
    :user_group_field: 'dn'
    :rfc2307bis: true
    :mapping_generate: false
    :mapping_timeout: 300
    :mapping_filename: server1.yaml
    :mapping_key: GROUP_DN
    :mapping_default: 1
    :disable_referrals: true
    :unbind_anon: true
:order:
    - server 1
```

### `/etc/one/oned.conf` changes
```
TIMEOUT = 60

`/usr/lib/one/ruby/opennebula/ldap_auth.rb` patch

Added to the initialize method after the existing ops[:encryption] line:

ruby

ops[:timeout]=@options[:timeout].to_i if @options[:timeout]
ops[:referrals]=false

AD permissions

powershell

dsacls "OU=Managed,DC=example,DC=ac,DC=uk" /I:S /G "example\svc-opennebula:RP;memberOf;user"

Ongoing Administration

Task	Command
Create new LDAP user	`oneuser create USERNAME "placeholder" --driver ldap`
Switch existing user to LDAP	`oneuser chauth USERNAME ldap`
Add user to AD group	Add to `CN=OpenNebula Users` in AD
Test LDAP connectivity	`ldapsearch -x -H ldap://dc01.example.ac.uk -D "svc-opennebula@example.ac.uk" -w 'PASSWORD' -b "DC=example,DC=ac,DC=uk" "(sAMAccountName=USERNAME)"`
Verify memberOf readable	`ldapsearch -x -H ldap://dc01.example.ac.uk -D "svc-opennebula@example.ac.uk" -w 'PASSWORD' -b "DC=example,DC=ac,DC=uk" "(sAMAccountName=USERNAME)" sAMAccountName memberOf dn`

Security Notes

Use a dedicated read-only service account for LDAP binding
Set the service account password to never expire
Grant only the minimum permissions required (memberOf read on user objects)
Store the service account password securely — not in plain text if possible

Hopefully my notes, will help someone in the future, now we fully understand the “code” behind ON !

Topic		Replies	Views
Problems with Active Directory authentication via LDAPS Product Support	12	6252	September 3, 2015
Authentication to LDAP/AD for Sunstone fails Product Support	9	2209	August 30, 2017
Connecting OpenNebulla 5.8.4 to Active Directory VIA LDAP Installation & Configuration	0	516	June 23, 2020
LDAP-Active Directory Errors Product Support	2	1513	June 5, 2015
OpenNebula AD connection Product Support	1	670	November 30, 2016