In a previous post I installed an LDAP server with OpenLDAP on my CentOS 6.4 box; read it if you want to know the structure of my lab's LDAP directory. I'm going to configure OpenNebula so that it uses this LDAP server for Sunstone authentication.
I'm following the official documentation on this topic and adding my own examples and comments; see http://opennebula.org/documentation:rel4.2:ldap if you have any doubts.
The first thing to do is to install the following gem:
# gem install net-ldap
If the gem is not installed, this is the error you'll find in /var/log/one/oned.log:
Error `gem_original_require': no such file to load -- net/ldap (LoadError)
We'll need to configure the LDAP connection parameters in /etc/one/auth/ldap_auth.conf. My LDAP server runs on the same host and only requires the following parameters. I'll use the uid attribute as the user field, and users must be members of the group onemanagers:
# Ldap authentication method
:auth_method: :simple

# Ldap server
:host: localhost
:port: 389

# base hierarchy where to search for users and groups
:base: 'dc=example,dc=com'

# group the users need to belong to. If not set any user will do
:group: 'cn=onemanagers,ou=Groups,dc=example,dc=com'

# field that holds the user name, if not set 'cn' will be used
:user_field: 'uid'

# field name for group membership, by default it is 'member'
:group_field: 'member'

# user field that is listed in the group's group_field, if not set 'dn' will be used
:user_group_field: 'dn'
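To see how these four fields (:base, :user_field, :group_field, :user_group_field) fit together before pointing OpenNebula at the directory, here is an added offline model of the membership check the file's comments describe. It is my own illustration, not the post's code and not the OpenNebula driver (which queries the server through net-ldap); the directory entries are constructed, and it assumes the driver applies the config exactly as the comments state.

```ruby
require 'yaml'

# Constructed copy of the ldap_auth.conf shown above (assumption: identical values).
# :simple sends the password in the bind, acceptable here only because the server is on localhost.
LDAP_AUTH_CONF = <<~YAML
  :auth_method: :simple
  :host: localhost
  :port: 389
  :base: 'dc=example,dc=com'
  :group: 'cn=onemanagers,ou=Groups,dc=example,dc=com'
  :user_field: 'uid'
  :group_field: 'member'
  :user_group_field: 'dn'
YAML

# Constructed stand-in for the directory (DN => attributes): n40lab is in onemanagers, guest is not.
DIRECTORY = {
  'uid=n40lab,ou=People,dc=example,dc=com' => { 'uid' => ['n40lab'] },
  'uid=guest,ou=People,dc=example,dc=com'  => { 'uid' => ['guest'] },
  'cn=onemanagers,ou=Groups,dc=example,dc=com' => {
    'cn' => ['onemanagers'], 'member' => ['uid=n40lab,ou=People,dc=example,dc=com']
  }
}

# The file is YAML with symbol keys and values, so Psych must be allowed to build Symbols.
def load_ldap_auth_conf(text)
  YAML.safe_load(text, permitted_classes: [Symbol])
end

# Model of the check described by the comments in ldap_auth.conf (not the driver's own code):
# 1. find the entry under :base whose :user_field equals the login name;
# 2. if :group is set, that group's :group_field must list the user's :user_group_field value
#    ('dn' means the entry's DN; any other name means that attribute, e.g. memberUid/uid for posixGroup).
def ldap_user_allowed?(conf, directory, login)
  user_dn, user = directory.find do |dn, attrs|
    dn.end_with?(conf[:base]) && attrs.fetch(conf[:user_field], []).include?(login)
  end
  return false unless user_dn
  return true if conf[:group].nil?          # no :group: any user that can bind is accepted
  group = directory[conf[:group]]
  return false unless group
  key = conf[:user_group_field] || 'dn'
  member_value = key == 'dn' ? user_dn : user.fetch(key, []).first
  group.fetch(conf[:group_field] || 'member', []).include?(member_value)
end

if __FILE__ == $PROGRAM_NAME
  conf = load_ldap_auth_conf(LDAP_AUTH_CONF)
  %w[n40lab guest].each { |u| puts "#{u}: #{ldap_user_allowed?(conf, DIRECTORY, u)}" }
end
```

Swapping :group_field to memberUid and :user_group_field to uid models a posixGroup directory instead of the groupOfNames layout used in the post.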
Now edit /etc/one/oned.conf and add "default" to the authn list inside the AUTH_MAD section:
AUTH_MAD = [
    executable = "one_auth_mad",
    authn = "ssh,x509,ldap,default,server_cipher,server_x509"
]
If you forget to add "default", this is the error you'll find in /var/log/one/oned.log:
Error Auth Error: Authentication driver 'default' not available
If you want to authenticate users that exist in the LDAP directory but not in the OpenNebula database, make the LDAP driver the default authentication driver by copying it over the default driver. I run the following commands:
# cp -R /var/lib/one/remotes/auth/ldap /var/lib/one/remotes/auth/default
# chown oneadmin:oneadmin /var/lib/one/remotes/auth/default
(remember the chown if you ran the copy as root, so that the new driver directory is owned by oneadmin)
Finally let’s change how Sunstone authenticates users:
- Edit /etc/one/sunstone-server.conf and change :auth: sunstone to :auth: opennebula
Restart your services (maybe it's not needed, but just in case… 😀)
OK, authentication with LDAP works. If I log in with a new user that is a member of the cn=onemanagers group, the user is added to OpenNebula automatically. Here's an image of how my user n40lab has been added as a new Sunstone user.