This Addon uses the 'net/ldap' ruby library provided by the 'net-ldap' gem.

This Addon will not install any Ldap server or configure it in any way. It will not create, delete or modify any entry in the Ldap server it connects to. The only requirement is the ability to connect to an already running Ldap server and being able to perform a successful ldapbind operation and have a user able to perform searches of users, therefore no special attributes or values are required in the LDIF entry of the user authenticating.

Download the addon, untar and execute 'install.sh' as the oneadmin user.

Configuration file for auth module is located at $ONE_LOCATION/etc/auth/ldap_auth.conf. This is the default configuration:

# Ldap user able to query, if not set connects as anonymous
#:user: 'admin'
#:password: 'password'
 
# Ldap authentication method
:auth_method: :simple
 
# Ldap server
:host: localhost
:port: 389
 
# base hierarchy where to search for users and groups
:base: 'dc=domain'
 
# group the users need to belong to. If not set any user will do
:group: 'cn=cloud,ou=groups,dc=domain'

To enable ldap authentication the described parameters should be configured. OpenNebula must be also configured to enable external authentication. Uncomment these lines in $ONE_LOCATION/etc/oned.conf and add ldap as an enabled authentication method.

AUTH_MAD = [
    executable = "one_auth_mad",
    arguments = "--authz quota --authn plain,ssh,x509,ldap"
]

To be able to use this driver for users that are still not in the user database you must set it to the default driver. To do this go to the auth drivers directory and symlink the directory ldap to default.

Using LDAP authentication module the administrator doesn't need to create users with oneuser command as this will be automatically done. The user should add its credentials to $ONE_AUTH file (usually $HOME/.one/one_auth) in this fashion:

user_dn:ldap:user_password