LDAP authentication with group filter on OpenNebula 4.10.2

Good morning,

We are trying to configure LDAP authentication for our OpenNebula. We got it working by updating the parameters in the config file /etc/one/auth/ldap_auth.conf:

:base: 'OU=rootou,DC=mydomain,DC=com'
:user_field: 'sAMAccountName'
:mapping_generate: false
:mapping_timeout: 300
:mapping_filename: server1.yaml
:mapping_key: GROUP_DN
:mapping_default: 1

Now all the users are able to authenticate... BUT we need to add a restriction to allow only users from a specific group to authenticate, so we have edited the file in this way:

:base: 'OU=rootou,DC=mydomain,DC=com'
:group: 'CN=DLG_mygroup,OU=Groups,OU=People,OU=rootou,DC=mydomain,DC=com'
:user_field: 'sAMAccountName'
:group_field: 'member'
:user_group_field: 'dn'
:mapping_generate: false
:mapping_timeout: 300
:mapping_filename: server1.yaml
:mapping_key: GROUP_DN
:mapping_default: 1

We have followed several posts about patches and changes in /etc/one/auth/ldap_auth.rb, but we always get the same error (related to an invalid filter syntax):

Mar 18 08:08:14 lpr-vm-nebu01 oned[23797]: [Z0][AuM][I]: Command execution fail: /var/lib/one/remotes/auth/ldap/authenticate jchavez - ****
Mar 18 08:08:14 lpr-vm-nebu01 oned[23797]: [Z0][AuM][I]: Trying server server 1
Mar 18 08:08:14 lpr-vm-nebu01 oned[23797]: [Z0][AuM][I]: Exception raised authenticating to LDAP
Mar 18 08:08:14 lpr-vm-nebu01 oned[23797]: [Z0][AuM][I]: Net::LDAP::LdapError: Invalid filter syntax
Mar 18 08:08:14 lpr-vm-nebu01 oned[23797]: [Z0][AuM][I]: /var/lib/gems/1.8/gems/net-ldap-0.8.0/lib/net/ldap/filter.rb:675:in `initialize'
Mar 18 08:08:14 lpr-vm-nebu01 oned[23797]: [Z0][AuM][I]: /var/lib/gems/1.8/gems/net-ldap-0.8.0/lib/net/ldap/filter.rb:668:in `new'
Mar 18 08:08:14 lpr-vm-nebu01 oned[23797]: [Z0][AuM][I]: /var/lib/gems/1.8/gems/net-ldap-0.8.0/lib/net/ldap/filter.rb:668:in `parse'
Mar 18 08:08:14 lpr-vm-nebu01 oned[23797]: [Z0][AuM][I]: /var/lib/gems/1.8/gems/net-ldap-0.8.0/lib/net/ldap/filter.rb:341:in `construct'
Mar 18 08:08:14 lpr-vm-nebu01 oned[23797]: [Z0][AuM][I]: /var/lib/gems/1.8/gems/net-ldap-0.8.0/lib/net/ldap.rb:1482:in `search'
Mar 18 08:08:14 lpr-vm-nebu01 oned[23797]: [Z0][AuM][I]: /var/lib/gems/1.8/gems/net-ldap-0.8.0/lib/net/ldap.rb:669:in `search'
Mar 18 08:08:14 lpr-vm-nebu01 oned[23797]: [Z0][AuM][I]: /var/lib/gems/1.8/gems/net-ldap-0.8.0/lib/net/ldap/instrumentation.rb:19:in `instrument'
Mar 18 08:08:14 lpr-vm-nebu01 oned[23797]: [Z0][AuM][I]: /var/lib/gems/1.8/gems/net-ldap-0.8.0/lib/net/ldap.rb:655:in `search'
Mar 18 08:08:14 lpr-vm-nebu01 oned[23797]: [Z0][AuM][I]: /usr/lib/one/ruby/opennebula/ldap_auth.rb:149:in `is_in_group?'
Mar 18 08:08:14 lpr-vm-nebu01 oned[23797]: [Z0][AuM][I]: /var/lib/one/remotes/auth/ldap/authenticate:79
Mar 18 08:08:14 lpr-vm-nebu01 oned[23797]: [Z0][AuM][I]: /var/lib/one/remotes/auth/ldap/authenticate:59:in `each'
Mar 18 08:08:14 lpr-vm-nebu01 oned[23797]: [Z0][AuM][I]: /var/lib/one/remotes/auth/ldap/authenticate:59
Mar 18 08:08:14 lpr-vm-nebu01 oned[23797]: [Z0][AuM][I]: Could not authenticate user jchavez
Mar 18 08:08:14 lpr-vm-nebu01 oned[23797]: [Z0][AuM][I]: ExitCode: 255
Mar 18 08:08:14 lpr-vm-nebu01 oned[23797]: [Z0][AuM][E]: Auth Error: 
Mar 18 08:08:14 lpr-vm-nebu01 oned[23797]: [Z0][ReM][E]: Req:5120 UID:- UserInfo result FAILURE [UserInfo] User couldn't be authenticated, aborting call.

Is there any solution for this? We don't want to map groups between OpenNebula and Active Directory; we just need to restrict the users that are able to log in to the OpenNebula interface to a specific group.

Can you modify the file /usr/lib/one/ruby/opennebula/ldap_auth.rb around line 148 and add the line that starts with STDERR.puts?

def is_in_group?(user, group)
    STDERR.puts "(#{@options[:group_field]}=#{user.first})"
    result=@ldap.search(
        :base   => group,
        :attributes => @options[:group_field],
        :filter => "(#{@options[:group_field]}=#{user.first})")

After that, try to authenticate and send the log again. You don't need to restart OpenNebula.

Thank you Javi for the quick response.

After adding that line, I now get the same errors with the detail of the filter:

(member=CN=myuser,OU=Users,OU=Corporate,DC=mydomain,DC=com)

Correct me if I'm wrong, but is the string "member=" producing the error? If so, how can I solve it?

Thanks in advance, for your answer.

The filter seems OK. Could it be a problem with the net-ldap library version? Which distro and version are you using? It could be that the LDAP library is installed from a system package. You can get the versions with:

$ gem list | grep ldap
$ rpm -qa | grep ldap # for CentOS/RedHat
$ dpkg -l | grep ldap # for debian based distros

Thanks Javi. This is the output:

$ gem list | grep ldap
net-ldap (0.8.0)

$ dpkg -l | grep ldap
ii  ldap-utils          2.4.28-1.1ubuntu4.4   OpenLDAP utilities
ii  libldap-2.4-2       2.4.28-1.1ubuntu4.4   OpenLDAP libraries
ii  libldap2-dev        2.4.28-1.1ubuntu4.4   OpenLDAP development libraries
ii  libnet-ldap-perl    1:0.4300-2ubuntu1     client interface to LDAP servers

Which versions do you think are the appropriate ones?

Thanks in advance

Renzo

I've tested the net-ldap version you are using and I'm also getting an error, but not the same as yours. The Ruby version may be the difference (I'm using 2.2.0 right now).

The version you are using is correct if you are using Ruby 1.8 (CentOS 6 or Ubuntu 12). The problem is in the driver code, which uses features from a newer version. I've managed to make it work by changing the file /usr/lib/one/ruby/opennebula/ldap_auth.rb around line 148. Change this:

    def is_in_group?(user, group)
        result=@ldap.search(
                    :base   => group,
                    :attributes => @options[:group_field],
                    :filter => "(#{@options[:group_field]}=#{user.first})")

to this (delete the attributes line):

    def is_in_group?(user, group)
        result=@ldap.search(
                    :base   => group,
                    :filter => "(#{@options[:group_field]}=#{user.first})")

Tell me if it works with this change. I’ve opened an issue to track this problem:

http://dev.opennebula.org/issues/3719

Unfortunately it is not working here. I get the same error after making that change.

I’ll take a look in the same distro as you. Are you running Ubuntu 12.04?

Yes, it is Ubuntu 12.04.5 LTS.
Thanks

I've made tests with Ubuntu 12.04, the same version of the net-ldap gem and a configuration very similar to yours, but I'm still unable to reproduce it. It works as intended.

One thing that I find strange is that the DN it is searching for is not in the configured base tree:

dn: CN=myuser,OU=Users,OU=Corporate,DC=mydomain,DC=com
base: OU=rootou,DC=mydomain,DC=com

Is that correct? Can you try using DC=mydomain,DC=com as the base? Also, does the DN of the user contain non-ASCII characters or some kind of punctuation?
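Two things come together in the reply above: whether the DN fed into the filter contains characters that need escaping, and whether that DN actually sits under the configured base. The following is an added example, not code from the OpenNebula driver or from anyone in this thread. It builds the same "(member=<dn>)" filter that is_in_group? constructs, escaping the assertion value as RFC 4515 requires, runs a minimal parenthesis-balance check on the result, and tests whether a user DN is under a base DN. The function names (ldap_filter_escape, group_member_filter, balanced_filter?, dn_under_base?) are my own, and the DN parser assumes no escaped commas inside attribute values, which holds for the DNs quoted in the thread.

```ruby
# Added example: RFC 4515 filter escaping and a DN-under-base check.
# Not part of OpenNebula's ldap_auth.rb; all function names are assumptions.

# RFC 4515 section 3 reserves backslash, '*', '(', ')' and NUL inside an
# assertion value; each must be written as a backslash plus two hex digits.
# Commas and '=' are legal as-is, which is why the filter
# "(member=CN=myuser,OU=Users,...)" quoted in the thread is syntactically valid.
def ldap_filter_escape(value)
  value.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

# The filter is_in_group? sends: group_field is e.g. 'member', user_dn the
# value of :user_group_field for the authenticated user.
def group_member_filter(group_field, user_dn)
  "(#{group_field}=#{ldap_filter_escape(user_dn)})"
end

# Cheap sanity check before handing a filter to the LDAP library: parentheses
# must be balanced and never close more than they opened.
def balanced_filter?(filter)
  depth = 0
  filter.each_char do |c|
    depth += 1 if c == '('
    depth -= 1 if c == ')'
    return false if depth < 0
  end
  depth.zero?
end

# Split a DN into RDN components, normalising case and whitespace around '='
# and ','. Assumption: no escaped commas inside attribute values.
def dn_components(dn)
  dn.split(',').map { |rdn| rdn.strip.downcase.sub(/\s*=\s*/, '=') }
end

# True when the trailing RDNs of dn equal the RDNs of base, i.e. dn lies in
# the subtree rooted at base.
def dn_under_base?(dn, base)
  d = dn_components(dn)
  b = dn_components(base)
  d.length >= b.length && d.last(b.length) == b
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values mirroring the thread (not real directory data).
  user_dn = 'CN=myuser,OU=Users,OU=Corporate,DC=mydomain,DC=com'
  puts group_member_filter('member', user_dn)
  puts "under OU=rootou base: #{dn_under_base?(user_dn, 'OU=rootou,DC=mydomain,DC=com')}"
  puts "under DC=mydomain base: #{dn_under_base?(user_dn, 'DC=mydomain,DC=com')}"
end
```

Run against the thread's own values, the filter comes back unchanged (nothing in that DN needs escaping) and the user DN is reported as outside OU=rootou but inside DC=mydomain,DC=com, which is the mismatch the reply points at. Escaping matters for DNs that contain '(' , ')' , '*' or '\' in a CN, since those would otherwise change the meaning of the filter rather than just break it.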

Thanks Javi,
I've tried creating accounts with no punctuation signs nor spaces as part of the DN, but still the same result:

Mar 27 12:55:30 lpr-vm-nebu01 oned[3515]: [Z0][AuM][I]: Command execution fail: /var/lib/one/remotes/auth/default/authenticate jvelasquez - ****
Mar 27 12:55:30 lpr-vm-nebu01 oned[3515]: [Z0][AuM][I]: Trying server server 1

Unfortunately I am not able to reproduce it. All the tests we’ve made are successful.

Until we find the source of the problem, you can try group mapping and set the default group to a non-existing ID.