CentOS 6.4 – Connecting OpenNebula Sunstone to LDAP server

In a previous post I’ve installed an LDAP server with OpenLDAP in my CentOS 6.4, please read it if you want to know the structure of my lab’s LDAP directory. I’m going to configure OpenNebula so it uses this LDAP for Sunstone authentication.

I’m following the official documentation about this topic and I’m offering my examples and comments, please read http://opennebula.org/documentation:rel4.2:ldap if you have any doubt.

The first thing to do is installing the following gem:

# gem install net-ldap

If the gem is not installed this is the error you’ll find in /var/log/one/oned.log: Error `gem_original_require’: no such file to load — net/ldap (LoadError)

We’ll need to configure the LDAP connection parameters in the /etc/one/auth/ldap_auth.conf. My LDAP running in the same host only requires the following parameters. I’ll use the uid attribute for the user field and the users must me members of the group onemanagers:

# Ldap authentication method
:auth_method: :simple

# Ldap server
:host: localhost
:port: 389

# base hierarchy where to search for users and groups
:base: 'dc=example,dc=com'

# group the users need to belong to. If not set any user will do
:group: 'cn=onemanagers,ou=Groups,dc=example,dc=com'

# field that holds the user name, if not set 'cn' will be used
:user_field: 'uid'

# field name for group membership, by default it is 'member'
:group_field: 'member'

# user field that that is in in the group group_field, if not set 'dn' will be used
:user_group_field: 'dn'

Now edit the /etc/one/oned.conf file and add default in the authn directive inside the AUTH_MAD section

AUTH_MAD = [
executable = "one_auth_mad",
authn = "ssh,x509,ldap,default,server_cipher,server_x509"
]

If you forget to add “default” this is the error you’ll find in your /var/log/one/oned.log: Error Auth Error: Authentication driver ‘default’ not available

If you want to authenticate users that are not included in opennebula database but in the LDAP directory execute this command so LDAP authentication driver is used as the default authentication driver. I execute the following commands:

# cp -R /var/lib/one/remotes/auth/ldap /var/lib/one/remotes/auth/default
chown oneadmin:oneadmin /var/lib/one/remotes/auth/default ( -- remember to do this if you are using the root account --)

Finally let’s change how Sunstone authenticates users:

  • Edit the /etc/one/sunstone-server.conf and change :auth: sunstone to :auth: opennebula

Restart your services (maybe it’s not needed but just in case… 😀 )

Ok. The authentication with LDAP works. If I try to log with a new user which is a member of the cn=onemanagers group the user is added to OpenNebula automatically. Here’s an image of how my user n40lab has been added as a new Sunstone user.

one_users_ldap

Enjoy!

Advertisements

Creating a simple LDAP directory with OpenLDAP 2.4 in CentOS 6.4

Hi again!.

I like to write posts so I don’t forget things that I test in my lab, today I wanted to create an LDAP directory for my future projects where I want to use LDAP for authentication.

Update: I use OpenLDAP in this post but you may use 389-ds as 42zy suggests.

In this guide I’ve used information from these sources, I wish to thank all the people behind these webs and those who provides all the open source software.

Reference: Red Hat Deployment Guide

Reference: OpenLDAP Quickstart

Reference: Zytrax LDAP book [1] and [2]

Reference: IBM [1] and [2]

1) Let’s install the packages for OpenLDAP

# yum install openldap openldap-clients openldap-servers

2) We are going to create a backup of the /etc/openldap/slapd.d/cn=config.ldif configuration file.

# cp /etc/openldap/slapd.d/cn\=config.ldif /etc/openldap/slapd.d/cn\=config.ldif.orig

3) Let’s modify some options in the /etc/openldap/slapd.d/cn=config.ldif configuration file:

  • Delete the olcAllows: bind_v2 line, in my case I only want LDAPv3 connections.
  • I’ve changed the olcIdleTimeout: from 0 to 60, idle connections will be closed after 60 seconds.

4) Now we are going to create a backup for the BDB database used by OpenLDAP

# cp /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif.orig

5) Let’s change some configuration options for the database. My domain will be example.com

  • I’ve changed the olcSuffix: dc=my-domain,dc=com so OpenLDAP uses my own domain e.g olcSuffix: dc=example,dc=com
  • The RootDN is the user that can manage the LDAP server without restrictions. Change the olcRootDN line so it reflects your domain configurationolcRootDN: cn=admin,dc=example,dc=com
  • We have to add a password for the RootDN user, we can generate a password using the slappasswd command. We’ll paste the {SSHA}…. password generated into the olcRootPW: directive e.g olcRootPW: {SSHA}blahblahcode

6) Now we are going to start the OpenLDAP server and we are going to configure it to start at boot time.

# chkconfig slapd on
# service slapd start
Starting slapd: [ OK ]

7) We need to create an LDIF (LDAP Interchange Format) file with the configuration for our organization LDAP tree. I also will create two organizational units one called People where all users be a member of this ou, and another ou called Groups which will be used to create groups for my organization. At the end of the file I specify who is the RootDN for this LDAP tree (cn=admin,dc=example,dc=com)

Very Important: no space must be placed at the end of each line, use only new line characters!

dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: Example Org
dc: example

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: People

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Groups

dn: cn=admin,dc=example,dc=com
objectclass: organizationalRole
cn: admin

8) Now we apply our LDIF file. We’ll need the admin password. Finally we can test if the LDAP tree is ready with the ldapsearch command.

# ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f example.ldif
# ldapsearch -x -b 'dc=example,dc=com' '(objectclass=*)'

9) I’m not using LDAP for Unix authentication, I’m preparing my LDAP directory for web application authentication. I’ll create an LDIF file with entries for a user that will be authenticated. I’m using a Á (A with an accent) in my given name so I’m using the utf-8 code for that caracter.

dn: uid=mcabrerizo,ou=People,dc=example,dc=com
objectclass: top
objectclass: person
objectclass: inetOrgPerson
objectclass: organizationalPerson
uid: mcabrerizo
cn: Miguel \C1ngel Cabrerizo
sn: Cabrerizo
givenName: Miguel \C1ngel

10) Now I’m going to provide a password for my new LDAP user. The following command will prompt me for a password and of course will ask for the admin user

# ldappasswd -S -x -D "cn=admin,dc=example,dc=com" -W \ 
uid=mcabrerizo,ou=People,dc=example,dc=com
New password:
Re-enter new password:
Enter LDAP Password:

11) I’ll create a group in the Groups organizational unit and I’ll include my new user into that group

dn: cn=onemanagers,ou=Groups,dc=example,dc=com
cn: onemanagers
objectclass: groupofnames
member: uid=mcabrerizo,ou=People,dc=example,dc=com

12) Let’s suppose that I’ve created a new user with uid n40lab and now I want to add it to the group onemanagers. I’ll create an LDIF file (addto_onemanagers.ldif) for this modification and I’ll use the ldapmodify command:

dn: cn=onemanagers,ou=Groups,dc=example,dc=com
changetype: modify
add: member
member: uid=n40lab,ou=People,dc=example,dc=com

# ldapmodify -x -D "cn=admin,dc=example,dc=com" -W -f addto_onemanagers.ldif

13) Now, if I want to remove that user from my group, I’ll create an LDIF file (removefrom_onemanagers.ldif) for this modification and I’ll use the ldapmodify command:

dn: cn=onemanagers,ou=Groups,dc=example,dc=com
changetype: modify
delete: member
member: uid=n40lab,ou=People,dc=example,dc=com

# ldapmodify -x -D "cn=admin,dc=example,dc=com" -W -f removefrom_onemanagers.ldif

OK, this is long enough. That’s how I’ve created a simple directory for a web application authentication. I’m an LDAP newbie so forgive me if you find anything wrong with this post, I’ll update it while I use this LDAP configuration in my test.

In a different post I’ll try to increase the security for this LDAP directory.

Cheers!

CentOS 6.4 – Installing OpenNebula 4.2 (Flame)

This is my first post in a long time…. my apologies I’ve been quite busy for a few months and I’ve had no time left to write new posts or answer your comments, so thanks for your patience and understanding for all of you that have sent me emails or comments.

Today I’m writing an easy post… maybe it’s too late as OpenNebula 4.4 is so close but if you’re looking for a post about OpenNebula 4.2 and CentOS 6.4 it could help you.

OpenNebula provides an official quickstart guide for CentOS and other platforms so you may want to check them first, I keep writing these posts as they are my installation notes and maybe they are useful to you.

I’m executing the following commands as root.

1. Install the EPEL repository

rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

2. Add OpenNebula’s repository – [ Reference OpenNebula’s site ]

# cat << EOT > /etc/yum.repos.d/opennebula.repo
[opennebula]
name=opennebula
baseurl=http://downloads.opennebula.org/repo/CentOS/6/stable/\$basearch
enabled=1
gpgcheck=0
EOT

3. Let’s check that EPEL and OpenNebula repositories are ready

# yum search opennebula
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.mirror.xtratelecom.es
* epel: fedora.aau.at
* extras: centos.mirror.xtratelecom.es
* updates: centos.mirror.xtratelecom.es
=========================== N/S Matched: opennebula ============================
opennebula-common.x86_64 : Provides the OpenNebula user
opennebula-context.x86_64 : Configures a Virtual Machine for OpenNebula
opennebula-flow.x86_64 : Manage OpenNebula Services
opennebula-gate.x86_64 : Transfer information from Virtual Machines to: OpenNebula
opennebula-java.x86_64 : Java interface to OpenNebula Cloud API
opennebula-node-kvm.x86_64 : Configures an OpenNebula node providing kvm
opennebula-ruby.x86_64 : Provides the OpenNebula Ruby libraries
opennebula-server.x86_64 : Provides the OpenNebula servers
opennebula.x86_64 : Cloud computing solution for Data Center Virtualization
opennebula-ozones.x86_64 : Tool for administering
opennebula-sunstone.x86_64 : Browser based UI and public cloud interfaces.
Name and summary matches only, use "search all" for everything.

4. Install the packages you need for your OpenNebula installation architecture. In my case I’m running OpenNebula in a single machine so I’ll install opennebula-server and opennebula-sunstone

# yum install opennebula-server opennebula-sunstone

Warning: if it’s the first time using the EPEL repository you’ll need to import its GPG key so answer yes to the following question:

# Is this ok [y/N]: y

5. If you are going to use KVM virtualization, install the package opennebula-node-kvm in the machine that’s going to act as the host offering virtualization resources. This package will install qemu-kvm, libvirt and all the CentOS packages needed for virtualization. I’m using a single machine so my machine will act as a front-end, host and datastore. Please read the official documentation to understand which are the basic components for OpenNebula.

6. Let’s start the opennebula service

# service opennebula start
Starting OpenNebula daemon: [ OK ]

7. The opennebula’s sunstone service provides the graphical interface for opennebula. By default it listens on the 127.0.0.1:9869 address/port so if you want to listen in a different address edit the :host: directive in the /etc/one/sunstone-server.conf

For example if you want to listen in the 192.168.1.70 address change the host directive and save the file.

# Server Configuration
#
:host: 192.168.1.70

The service is started using the following command:

# service opennebula-sunstone start
Starting Sunstone Server daemon: VNC proxy started
sunstone-server started [ OK ]

If you change the IP address where Sunstone is listening, remember to add a firewall rule (also remember to save that rule)

#iptables -I INPUT -m tcp -p tcp --dport 9869 -m state --state=NEW -j ACCEPT
#service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]

OK, that’s only the installation part, if you want to run a VM you’ll need to configure a host please read this old blog post

Cheers! … I’ll be back!