LDAP Authentication Guide 2.0
To use this functionality you need to install the LDAP Authentication Addon
The LDAP Authentication addon permits users to have the same credentials as in LDAP, so effectively centralizing authentication. Enabling it will let any correctly authenticated LDAP user to use OpenNebula.
Prerequisites
This Addon uses the 'net/ldap' ruby library provided by the 'net-ldap' gem.
This Addon will not install any Ldap server or configure it in any way. It will not create, delete or modify any entry in the Ldap server it connects to. The only requirement is the ability to connect to an already running Ldap server and being able to perform a successful ldapbind operation, therefore no special attributes or values are required in the LDIF entry of the user authenticating.
Installation
Download the addon, untar and execute 'install.sh' as the oneadmin user.
Configuration
Configuration file for auth module is located at $ONE_LOCATION/etc/auth/auth.conf. This is the default configuration:
:database: sqlite://auth.db :authentication: simple :quota: :enabled: false :defaults: :cpu: 10.0 :memory: 1048576 :ldap: :host: ldap.server.tld :port: 389
| VARIABLE | DESCRIPTION |
|---|---|
:authentication | Authentication method to use. simple, ssh and ldap modules are supported. |
:ldap/:host | Host where LDAP server is running. |
:ldap/:port | Port where LDAP server is running. |
To enable ldap authentication the described parameters should be configured. :authentication must be set to ldap and :host/:port should point to your LDAP server.
OpenNebula must be also configured to enable external authentication. Uncomment these lines in $ONE_LOCATION/etc/auth/auth.conf.
AUTH_MAD = [ executable = "one_auth_mad" ]
User Management
Using LDAP authentication module the administrator doesn't need to create users with oneuser command as this will be automatically done. The user should add its credentials to $ONE_AUTH file (usually $HOME/.one/one_auth) in this fashion:
user_dn:plain:user_password