We are trying to configure LDAP authentication for our OpenNebula. We got it working by updating the parameters in the config file /etc/one/auth/ldap_auth.conf.
Now all the users are able to authenticate, BUT we need to add a restriction to allow only users from a specific group to authenticate, so we have edited the file in this way:
We have followed several posts about patches and changes in /etc/one/auth/ldap_auth.rb, but we always get the same error (related to an "Invalid filter syntax"):
Mar 18 08:08:14 lpr-vm-nebu01 oned[23797]: [Z0][AuM][I]: Command execution fail: /var/lib/one/remotes/auth/ldap/authenticate jchavez - ****
Mar 18 08:08:14 lpr-vm-nebu01 oned[23797]: [Z0][AuM][I]: Trying server server 1
Mar 18 08:08:14 lpr-vm-nebu01 oned[23797]: [Z0][AuM][I]: Exception raised authenticating to LDAP
Mar 18 08:08:14 lpr-vm-nebu01 oned[23797]: [Z0][AuM][I]: Net::LDAP::LdapError: Invalid filter syntax
Mar 18 08:08:14 lpr-vm-nebu01 oned[23797]: [Z0][AuM][I]: /var/lib/gems/1.8/gems/net-ldap-0.8.0/lib/net/ldap/filter.rb:675:in `initialize'
Mar 18 08:08:14 lpr-vm-nebu01 oned[23797]: [Z0][AuM][I]: /var/lib/gems/1.8/gems/net-ldap-0.8.0/lib/net/ldap/filter.rb:668:in `new'
Mar 18 08:08:14 lpr-vm-nebu01 oned[23797]: [Z0][AuM][I]: /var/lib/gems/1.8/gems/net-ldap-0.8.0/lib/net/ldap/filter.rb:668:in `parse'
Mar 18 08:08:14 lpr-vm-nebu01 oned[23797]: [Z0][AuM][I]: /var/lib/gems/1.8/gems/net-ldap-0.8.0/lib/net/ldap/filter.rb:341:in `construct'
Mar 18 08:08:14 lpr-vm-nebu01 oned[23797]: [Z0][AuM][I]: /var/lib/gems/1.8/gems/net-ldap-0.8.0/lib/net/ldap.rb:1482:in `search'
Mar 18 08:08:14 lpr-vm-nebu01 oned[23797]: [Z0][AuM][I]: /var/lib/gems/1.8/gems/net-ldap-0.8.0/lib/net/ldap.rb:669:in `search'
Mar 18 08:08:14 lpr-vm-nebu01 oned[23797]: [Z0][AuM][I]: /var/lib/gems/1.8/gems/net-ldap-0.8.0/lib/net/ldap/instrumentation.rb:19:in `instrument'
Mar 18 08:08:14 lpr-vm-nebu01 oned[23797]: [Z0][AuM][I]: /var/lib/gems/1.8/gems/net-ldap-0.8.0/lib/net/ldap.rb:655:in `search'
Mar 18 08:08:14 lpr-vm-nebu01 oned[23797]: [Z0][AuM][I]: /usr/lib/one/ruby/opennebula/ldap_auth.rb:149:in `is_in_group?'
Mar 18 08:08:14 lpr-vm-nebu01 oned[23797]: [Z0][AuM][I]: /var/lib/one/remotes/auth/ldap/authenticate:79
Mar 18 08:08:14 lpr-vm-nebu01 oned[23797]: [Z0][AuM][I]: /var/lib/one/remotes/auth/ldap/authenticate:59:in `each'
Mar 18 08:08:14 lpr-vm-nebu01 oned[23797]: [Z0][AuM][I]: /var/lib/one/remotes/auth/ldap/authenticate:59
Mar 18 08:08:14 lpr-vm-nebu01 oned[23797]: [Z0][AuM][I]: Could not authenticate user jchavez
Mar 18 08:08:14 lpr-vm-nebu01 oned[23797]: [Z0][AuM][I]: ExitCode: 255
Mar 18 08:08:14 lpr-vm-nebu01 oned[23797]: [Z0][AuM][E]: Auth Error:
Mar 18 08:08:14 lpr-vm-nebu01 oned[23797]: [Z0][ReM][E]: Req:5120 UID:- UserInfo result FAILURE [UserInfo] User couldn't be authenticated, aborting call.
Is there any solution for this? We don't want to make a match between groups in Nebula and Active Directory; we just need to restrict the users that are able to log in to the OpenNebula interface to a specific group.
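Added example for this thread (not the OpenNebula driver's code and not from any poster): it builds the group-membership search filter that an is_in_group?-style check sends, escaping the user DN per RFC 4515, and pre-checks the filter's syntax with a small parser so that a malformed filter is caught before net-ldap raises "Invalid filter syntax". The member/objectClass attributes and the AND-of-two-items shape are assumptions, not what the driver does.

```ruby
# Added example (not from the thread or the OpenNebula driver). Assumes the
# membership check is "(&(objectClass=group)(member=<user dn>))" run under the
# group's DN as search base; written for Ruby 1.9+ (String#ord).

# RFC 4515: backslash, '*', '(', ')' and NUL inside a value must be hex-escaped,
# otherwise they either break the filter syntax or change what it matches.
def ldap_filter_escape(value)
  value.gsub(/[\\*()\x00]/) { |c| "\\%02x" % c.ord }
end

# Only the DN comes from outside, so it is the part that gets escaped.
def group_membership_filter(user_dn, member_attr = "member", object_class = "group")
  "(&(objectClass=#{object_class})(#{member_attr}=#{ldap_filter_escape(user_dn)}))"
end

# Minimal RFC 4515 syntax check covering AND, OR, NOT and simple attr<op>value
# items (extensible matches are not handled). True only if the whole string is
# one well-formed filter; a raw '(' inside a value, for example, fails here just
# as it does in a real LDAP filter parser.
def filter_well_formed?(filter)
  parse_filter(filter, 0) == filter.length
rescue ArgumentError
  false
end

# Parses one filter starting at index i and returns the index after its ')'.
def parse_filter(s, i)
  raise ArgumentError, "expected '('" unless s[i] == "("
  i += 1
  case s[i]
  when "&", "|"                       # one or more sub-filters
    i += 1
    raise ArgumentError, "empty set" unless s[i] == "("
    i = parse_filter(s, i) while s[i] == "("
  when "!"                            # exactly one sub-filter
    i = parse_filter(s, i + 1)
  else                                # attr op value
    m = /\A[A-Za-z0-9][\w.;-]*(=|~=|>=|<=)/.match(s[i..-1])
    raise ArgumentError, "bad attribute" unless m
    i += m[0].length
    m = /\A(?:[^()\\\x00]|\\[0-9A-Fa-f]{2})*/.match(s[i..-1])
    i += m[0].length
  end
  raise ArgumentError, "expected ')'" unless s[i] == ")"
  i + 1
end
```

Running filter_well_formed? on the exact string the driver builds is a quick way to tell a syntax problem in the filter itself apart from a library-version problem.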
The filter seems OK. Could it be a problem with the net-ldap library version? Which distro and version are you using? It could be that the ldap library is installed from a system package. You can get the versions with:
$ gem list | grep ldap
$ rpm -qa | grep ldap # for CentOS/RedHat
$ dpkg -l | grep ldap # for debian based distros
I've tested the ldap version you are using and I'm also getting an error, but not the same as yours. The Ruby version may be the difference (using 2.2.0 right now).
The version you are using is correct if you are using Ruby 1.8 (CentOS 6 or Ubuntu 12). The problem is in the driver code, which uses features from a newer version. I've managed to make it work by changing the file /usr/lib/one/ruby/opennebula/ldap_auth.rb around line 148. Change this:
I've run tests with Ubuntu 12.04, the same version of the net-ldap gem and a configuration very similar to that one, but I'm still unable to reproduce it. It works as intended.
One thing that I find strange is that the DN it is searching for is not in the configured base tree: