Limit access to only specific Active Directory users in a security group

Hi,

I am in the middle of a POC to find out the simplest way for users to have a self-service facility to provision a VM.

One requirement is to use and control access via Active Directory. I was able to successfully authenticate Active Directory users, but part of the requirement is to be able to restrict access to just users that are members of a particular security group. At the moment every domain user account is able to log in. (I have multiple test accounts.)

I tried to add a "Group" setting, but then I get an "Invalid Username or Password" message on the portal login.

Below is my /etc/one/auth/ldap_auth.conf

:order:
    - server1.ourdomain.company.corp

server1.ourdomain.company.corp:
    :mapping_generate: true
    :mapping_timeout: 300
    :mapping_filename: server1.yaml
    :mapping_key: GROUP_DN
    :mapping_default: 1
    :user: ourdomain\onecloud.dc.svc
    :password: "removed"
    :auth_method: :simple
    :host: 192.168.0.1
    :port: 389
    :base: DC=ourdomain,DC=company,DC=corp
    :group: CN=onecloudgroup.dc.ro,OU=Country Global Groups,OU=Southeast Asia,DC=ourdomain,DC=company,DC=corp
    :user_field: sAMAccountName
    :group_field: member

Below is the /var/log/one/oned.log
Mon Mar 7 04:33:06 2016 [Z0][ReM][D]: Req:7728 UID:1 DocumentPoolInfo invoked , -2, -1, -1, 100
Mon Mar 7 04:33:06 2016 [Z0][ReM][D]: Req:7728 UID:1 DocumentPoolInfo result SUCCESS, "<DOCUMENT_POOL></DOC…"
Mon Mar 7 04:33:10 2016 [Z0][InM][D]: Host Staging (1) successfully monitored.
Mon Mar 7 04:33:12 2016 [Z0][AuM][D]: Message received: LOG I 1 Command execution fail: /var/lib/one/remotes/auth/ldap/authenticate yamg.test01 CN=Test01%5C,%20YamG,OU=Users,OU=Singapore,OU=Southeast%20Asia,DC=ourdomain,DC=company,DC=corp ****
Mon Mar 7 04:33:12 2016 [Z0][AuM][I]: Command execution fail: /var/lib/one/remotes/auth/ldap/authenticate yamg.test01 CN=Test01%5C,%20YamG,OU=Users,OU=Singapore,OU=Southeast%20Asia,DC=ourdomain,DC=company,DC=corp ****
Mon Mar 7 04:33:12 2016 [Z0][AuM][D]: Message received: LOG I 1 Trying server server1.ourdomain.company.corp
Mon Mar 7 04:33:12 2016 [Z0][AuM][I]: Trying server server1.ourdomain.company.corp
Mon Mar 7 04:33:12 2016 [Z0][AuM][D]: Message received: LOG I 1 Exception raised authenticating to LDAP
Mon Mar 7 04:33:12 2016 [Z0][AuM][I]: Exception raised authenticating to LDAP
Mon Mar 7 04:33:12 2016 [Z0][AuM][D]: Message received: LOG I 1 #<Net::LDAP::FilterSyntaxInvalidError: Invalid filter syntax.>
Mon Mar 7 04:33:12 2016 [Z0][AuM][I]: #<Net::LDAP::FilterSyntaxInvalidError: Invalid filter syntax.>
Mon Mar 7 04:33:12 2016 [Z0][AuM][D]: Message received: LOG I 1 /usr/local/share/gems/gems/net-ldap-0.11/lib/net/ldap/filter.rb:674:in `initialize'
Mon Mar 7 04:33:12 2016 [Z0][AuM][I]: /usr/local/share/gems/gems/net-ldap-0.11/lib/net/ldap/filter.rb:674:in `initialize'
Mon Mar 7 04:33:12 2016 [Z0][AuM][D]: Message received: LOG I 1 /usr/local/share/gems/gems/net-ldap-0.11/lib/net/ldap/filter.rb:667:in `new'
Mon Mar 7 04:33:12 2016 [Z0][AuM][I]: /usr/local/share/gems/gems/net-ldap-0.11/lib/net/ldap/filter.rb:667:in `new'
Mon Mar 7 04:33:12 2016 [Z0][AuM][D]: Message received: LOG I 1 /usr/local/share/gems/gems/net-ldap-0.11/lib/net/ldap/filter.rb:667:in `parse'
Mon Mar 7 04:33:12 2016 [Z0][AuM][I]: /usr/local/share/gems/gems/net-ldap-0.11/lib/net/ldap/filter.rb:667:in `parse'
Mon Mar 7 04:33:12 2016 [Z0][AuM][D]: Message received: LOG I 1 /usr/local/share/gems/gems/net-ldap-0.11/lib/net/ldap/filter.rb:341:in `construct'
Mon Mar 7 04:33:12 2016 [Z0][AuM][I]: /usr/local/share/gems/gems/net-ldap-0.11/lib/net/ldap/filter.rb:341:in `construct'
Mon Mar 7 04:33:12 2016 [Z0][AuM][D]: Message received: LOG I 1 /usr/local/share/gems/gems/net-ldap-0.11/lib/net/ldap/connection.rb:421:in `search'
Mon Mar 7 04:33:12 2016 [Z0][AuM][I]: /usr/local/share/gems/gems/net-ldap-0.11/lib/net/ldap/connection.rb:421:in `search'
Mon Mar 7 04:33:12 2016 [Z0][AuM][D]: Message received: LOG I 1 /usr/local/share/gems/gems/net-ldap-0.11/lib/net/ldap.rb:743:in `block (2 levels) in search'
Mon Mar 7 04:33:12 2016 [Z0][AuM][I]: /usr/local/share/gems/gems/net-ldap-0.11/lib/net/ldap.rb:743:in `block (2 levels) in search'
Mon Mar 7 04:33:12 2016 [Z0][AuM][D]: Message received: LOG I 1 /usr/local/share/gems/gems/net-ldap-0.11/lib/net/ldap.rb:1211:in `use_connection'
Mon Mar 7 04:33:12 2016 [Z0][AuM][I]: /usr/local/share/gems/gems/net-ldap-0.11/lib/net/ldap.rb:1211:in `use_connection'
Mon Mar 7 04:33:12 2016 [Z0][AuM][D]: Message received: LOG I 1 /usr/local/share/gems/gems/net-ldap-0.11/lib/net/ldap.rb:742:in `block in search'
Mon Mar 7 04:33:12 2016 [Z0][AuM][I]: /usr/local/share/gems/gems/net-ldap-0.11/lib/net/ldap.rb:742:in `block in search'
Mon Mar 7 04:33:12 2016 [Z0][AuM][D]: Message received: LOG I 1 /usr/local/share/gems/gems/net-ldap-0.11/lib/net/ldap/instrumentation.rb:19:in `instrument'
Mon Mar 7 04:33:12 2016 [Z0][AuM][I]: /usr/local/share/gems/gems/net-ldap-0.11/lib/net/ldap/instrumentation.rb:19:in `instrument'
Mon Mar 7 04:33:12 2016 [Z0][AuM][D]: Message received: LOG I 1 /usr/local/share/gems/gems/net-ldap-0.11/lib/net/ldap.rb:741:in `search'
Mon Mar 7 04:33:12 2016 [Z0][AuM][I]: /usr/local/share/gems/gems/net-ldap-0.11/lib/net/ldap.rb:741:in `search'
Mon Mar 7 04:33:12 2016 [Z0][AuM][D]: Message received: LOG I 1 /usr/lib/one/ruby/opennebula/ldap_auth.rb:149:in `is_in_group?'
Mon Mar 7 04:33:12 2016 [Z0][AuM][I]: /usr/lib/one/ruby/opennebula/ldap_auth.rb:149:in `is_in_group?'
Mon Mar 7 04:33:12 2016 [Z0][AuM][D]: Message received: LOG I 1 /var/lib/one/remotes/auth/ldap/authenticate:79:in `block in <main>'
Mon Mar 7 04:33:12 2016 [Z0][AuM][I]: /var/lib/one/remotes/auth/ldap/authenticate:79:in `block in <main>'
Mon Mar 7 04:33:12 2016 [Z0][AuM][D]: Message received: LOG I 1 /var/lib/one/remotes/auth/ldap/authenticate:59:in `each'
Mon Mar 7 04:33:12 2016 [Z0][AuM][I]: /var/lib/one/remotes/auth/ldap/authenticate:59:in `each'
Mon Mar 7 04:33:12 2016 [Z0][AuM][D]: Message received: LOG I 1 /var/lib/one/remotes/auth/ldap/authenticate:59:in `<main>'
Mon Mar 7 04:33:12 2016 [Z0][AuM][I]: /var/lib/one/remotes/auth/ldap/authenticate:59:in `<main>'
Mon Mar 7 04:33:12 2016 [Z0][AuM][D]: Message received: LOG I 1 Could not authenticate user yamg.test01
Mon Mar 7 04:33:12 2016 [Z0][AuM][I]: Could not authenticate user yamg.test01
Mon Mar 7 04:33:12 2016 [Z0][AuM][D]: Message received: LOG I 1 ExitCode: 255
Mon Mar 7 04:33:12 2016 [Z0][AuM][I]: ExitCode: 255
Mon Mar 7 04:33:12 2016 [Z0][AuM][D]: Message received: AUTHENTICATE FAILURE 1 -
Mon Mar 7 04:33:12 2016 [Z0][AuM][E]: Auth Error:
Mon Mar 7 04:33:12 2016 [Z0][ReM][D]: Req:4192 UID:-1 UserInfo invoked , -1
Mon Mar 7 04:33:12 2016 [Z0][ReM][E]: Req:4192 UID:- UserInfo result FAILURE [UserInfo] User couldn't be authenticated, aborting call.

I used both the following guides for reference:

Thanks!

Regards,
Yam
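The backtrace in the post ends in net-ldap's filter parser, reached from is_in_group?, which is the step that builds a search filter of the form (member=<user DN>) against the configured :group. The user DN in the same log contains an escaped comma (CN=Test01\, YamG, shown URL-encoded as %5C,%20). RFC 4515 requires a backslash inside a filter value to be written as \5c, so a DN placed into a filter without that second level of escaping is the kind of input a strict parser rejects with "Invalid filter syntax". Whether that is the exact trigger in this thread is an assumption; the Ruby below is an added example, not OpenNebula's or net-ldap's code, that shows the escaping rule and a minimal syntax check. The function names are hypothetical and the DN is the one from the log, URL-decoded.

```ruby
# Added example (not OpenNebula's or net-ldap's code): escaping a user DN
# before it is placed inside an LDAP search filter, as a group-membership
# check of the form "(member=<user DN>)" must do.
#
# RFC 4515 section 3: inside a filter assertion value the characters
# '*', '(', ')', '\' and NUL must be written as "\2a", "\28", "\29",
# "\5c" and "\00".  A DN that itself contains an escaped comma
# ("CN=Test01\, YamG,...") therefore carries a backslash that has to be
# escaped a second time before it is valid inside a filter.

# Escape one assertion value for use inside an LDAP filter.
def ldap_filter_escape(value)
  value.to_s.gsub(/[*()\\\x00]/) { |ch| format('\\%02x', ch.ord) }
end

# Build the membership filter the way a group check does: the group
# entry's member attribute (the :group_field) must list the user's DN.
def member_filter(group_field, user_dn)
  "(#{group_field}=#{ldap_filter_escape(user_dn)})"
end

# Minimal syntax check covering the two RFC 4515 rules an unescaped DN
# breaks: parentheses must balance, and every backslash inside a value
# must be followed by exactly two hex digits.  This illustrates the
# rules; it is not net-ldap's parser.
def filter_syntax_ok?(filter)
  return false unless filter.start_with?('(') && filter.end_with?(')')

  depth = 0
  i = 0
  while i < filter.length
    case filter[i]
    when '('
      depth += 1
    when ')'
      depth -= 1
      return false if depth.negative?
    when '\\'
      # "\," or "\ " (DN-style escapes) are invalid here; only "\hh" is allowed
      return false unless filter[i + 1, 2].to_s.match?(/\A[0-9a-fA-F]{2}\z/)
      i += 2
    end
    i += 1
  end
  depth.zero?
end

# Constructed input: the user DN from the post's oned.log, URL-decoded
# (%5C -> "\", %20 -> " ").  Single quotes keep the backslash literal.
USER_DN = 'CN=Test01\, YamG,OU=Users,OU=Singapore,OU=Southeast Asia,' \
          'DC=ourdomain,DC=company,DC=corp'

# Compare a filter built by plain interpolation with one built through
# ldap_filter_escape, and report whether each passes the syntax check.
def demo
  raw  = "(member=#{USER_DN})"             # unescaped interpolation
  safe = member_filter('member', USER_DN)  # escaped value
  { raw: raw, raw_ok: filter_syntax_ok?(raw),
    safe: safe, safe_ok: filter_syntax_ok?(safe) }
end

if $PROGRAM_NAME == __FILE__
  demo.each { |key, val| puts "#{key}: #{val}" }
end
```

Running the file prints the unescaped filter (rejected by the check) next to the escaped one (accepted). The same escaping applies to any user-controlled value that lands in a filter, such as the sAMAccountName used for the initial user lookup, which is why a single escape helper should sit in front of every filter the authenticator builds.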

Can you try the same modification as this post and send us the output?