LDAP Authentication Guide 2.0
The LDAP Authentication addon permits users to have the same credentials as in LDAP, so effectively centralizing authentication. Enabling it will let any correctly authenticated LDAP user to use OpenNebula.
This Addon uses the 'net/ldap' ruby library provided by the 'net-ldap' gem.
This Addon will not install any Ldap server or configure it in any way. It will not create, delete or modify any entry in the Ldap server it connects to. The only requirement is the ability to connect to an already running Ldap server and being able to perform a successful ldapbind operation, therefore no special attributes or values are required in the LDIF entry of the user authenticating.
Download the addon, untar and execute 'install.sh' as the oneadmin user.
Configuration file for auth module is located at $ONE_LOCATION/etc/auth/auth.conf
. This is the default configuration:
:database: sqlite://auth.db :authentication: simple :quota: :enabled: false :defaults: :cpu: 10.0 :memory: 1048576 :ldap: :host: ldap.server.tld :port: 389
VARIABLE | DESCRIPTION |
---|---|
:authentication | Authentication method to use. simple , ssh and ldap modules are supported. |
:ldap/:host | Host where LDAP server is running. |
:ldap/:port | Port where LDAP server is running. |
To enable ldap
authentication the described parameters should be configured. :authentication
must be set to ldap
and :host
/:port
should point to your LDAP server.
OpenNebula must be also configured to enable external authentication. Uncomment these lines in $ONE_LOCATION/etc/auth/auth.conf
.
AUTH_MAD = [ executable = "one_auth_mad" ]
Using LDAP authentication module the administrator doesn't need to create users with oneuser
command as this will be automatically done. The user should add its credentials to $ONE_AUTH
file (usually $HOME/.one/one_auth
) in this fashion:
user_dn:plain:user_password