CentOS 6.4 – Connecting OpenNebula Sunstone to LDAP server

In a previous post I installed an LDAP server with OpenLDAP on my CentOS 6.4 box; please read it if you want to know the structure of my lab’s LDAP directory. I’m going to configure OpenNebula so that it uses this LDAP directory for Sunstone authentication.

I’m following the official documentation on this topic and adding my own examples and comments; please read http://opennebula.org/documentation:rel4.2:ldap if you have any doubts.

The first thing to do is install the following gem:

# gem install net-ldap

If the gem is not installed, this is the error you’ll find in /var/log/one/oned.log: Error `gem_original_require’: no such file to load — net/ldap (LoadError)

We’ll need to configure the LDAP connection parameters in /etc/one/auth/ldap_auth.conf. My LDAP server runs on the same host and only requires the following parameters. I’ll use the uid attribute for the user field, and users must be members of the group onemanagers:

# Ldap authentication method
:auth_method: :simple

# Ldap server
:host: localhost
:port: 389

# base hierarchy where to search for users and groups
:base: 'dc=example,dc=com'

# group the users need to belong to. If not set any user will do
:group: 'cn=onemanagers,ou=Groups,dc=example,dc=com'

# field that holds the user name, if not set 'cn' will be used
:user_field: 'uid'

# field name for group membership, by default it is 'member'
:group_field: 'member'

# user field that is in the group's group_field, if not set 'dn' will be used
:user_group_field: 'dn'

Now edit the /etc/one/oned.conf file and add default to the authn directive inside the AUTH_MAD section:

AUTH_MAD = [
executable = "one_auth_mad",
authn = "ssh,x509,ldap,default,server_cipher,server_x509"
]

If you forget to add “default”, this is the error you’ll find in /var/log/one/oned.log: Error Auth Error: Authentication driver ‘default’ not available

If you want to authenticate users that are not in the OpenNebula database but do exist in the LDAP directory, make the LDAP authentication driver the default authentication driver by copying it. I execute the following commands:

# cp -R /var/lib/one/remotes/auth/ldap /var/lib/one/remotes/auth/default
# chown oneadmin:oneadmin /var/lib/one/remotes/auth/default

Remember to run the chown if you are using the root account, so that the driver copy is owned by oneadmin.

Finally let’s change how Sunstone authenticates users:

  • Edit the /etc/one/sunstone-server.conf and change :auth: sunstone to :auth: opennebula
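The two failure modes described above (a missing “default” in authn, and a missing driver copy) are cheap to check before restarting anything. The following script is an added example, not part of OpenNebula or its documentation: it reads the authn list from oned.conf, the :auth: setting from sunstone-server.conf and the contents of the remotes/auth directory from whatever paths it is given, and it creates constructed sample files so it runs offline.

```shell
#!/bin/sh
# Added preflight check for the OpenNebula LDAP wiring described above.
# Every function takes explicit paths, so it works against the real
# /etc/one files as well as the constructed samples created below.

# Exit 0 if DRIVER is listed in the comma-separated authn value of oned.conf,
# 1 if it is absent, 2 if no authn line could be found at all.
authn_has_driver() {
    conf=$1; driver=$2
    list=$(sed -n 's/^[[:space:]]*authn[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$conf")
    [ -n "$list" ] || return 2
    printf '%s\n' "$list" | tr ',' '\n' | grep -qx "$driver"
}

# Exit 0 if sunstone-server.conf delegates authentication to the core
# (":auth: opennebula"), 1 otherwise.
sunstone_auth_is_opennebula() {
    grep -Eq '^[[:space:]]*:auth:[[:space:]]+opennebula[[:space:]]*$' "$1"
}

# Exit 0 if the remotes/auth directory holds both the ldap driver and the
# copy named default, 1 otherwise.
auth_drivers_present() {
    [ -d "$1/ldap" ] && [ -d "$1/default" ]
}

# Run every check; report the first problem and exit non-zero so a deploy
# script can refuse to restart oned/sunstone on a half-configured host.
preflight() {
    oned=$1; sunstone=$2; remotes_auth=$3
    authn_has_driver "$oned" ldap ||
        { echo "FAIL: 'ldap' is not in authn in $oned"; return 1; }
    authn_has_driver "$oned" default ||
        { echo "FAIL: 'default' is not in authn in $oned (oned.log would show: Authentication driver 'default' not available)"; return 1; }
    auth_drivers_present "$remotes_auth" ||
        { echo "FAIL: $remotes_auth/ldap or $remotes_auth/default is missing"; return 1; }
    sunstone_auth_is_opennebula "$sunstone" ||
        { echo "FAIL: $sunstone does not set ':auth: opennebula'"; return 1; }
    echo "OK: LDAP authentication wiring looks complete"
}

# --- constructed sample files (not copies of any real /etc/one contents) ---
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/oned.conf" <<'EOF'
AUTH_MAD = [
    executable = "one_auth_mad",
    authn = "ssh,x509,ldap,default,server_cipher,server_x509"
]
EOF
# The same file with "default" forgotten, the mistake that produces the Auth Error above.
cat > "$SAMPLE_DIR/oned-broken.conf" <<'EOF'
AUTH_MAD = [
    executable = "one_auth_mad",
    authn = "ssh,x509,ldap,server_cipher,server_x509"
]
EOF
printf ':auth: opennebula\n' > "$SAMPLE_DIR/sunstone-server.conf"
mkdir -p "$SAMPLE_DIR/auth/ldap" "$SAMPLE_DIR/auth/default"

preflight "$SAMPLE_DIR/oned.conf" "$SAMPLE_DIR/sunstone-server.conf" "$SAMPLE_DIR/auth"
```

On a real host the last line becomes `preflight /etc/one/oned.conf /etc/one/sunstone-server.conf /var/lib/one/remotes/auth`; the exit status is meant to gate the service restart.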

Restart your services (maybe it’s not needed but just in case… 😀 )

OK. Authentication with LDAP works. If I log in with a new user who is a member of the cn=onemanagers group, the user is added to OpenNebula automatically. Here’s an image showing how my user n40lab has been added as a new Sunstone user.

(image: one_users_ldap)

Enjoy!

Creating a simple LDAP directory with OpenLDAP 2.4 in CentOS 6.4

Hi again!

I like to write posts so I don’t forget things that I test in my lab. Today I wanted to create an LDAP directory for my future projects, where I want to use LDAP for authentication.

Update: I use OpenLDAP in this post but you may use 389-ds as 42zy suggests.

In this guide I’ve used information from these sources; I wish to thank all the people behind these sites and those who provide all the open source software.

Reference: Red Hat Deployment Guide

Reference: OpenLDAP Quickstart

Reference: Zytrax LDAP book [1] and [2]

Reference: IBM [1] and [2]

1) Let’s install the packages for OpenLDAP

# yum install openldap openldap-clients openldap-servers

2) We are going to create a backup of the /etc/openldap/slapd.d/cn=config.ldif configuration file.

# cp /etc/openldap/slapd.d/cn\=config.ldif /etc/openldap/slapd.d/cn\=config.ldif.orig

3) Let’s modify some options in the /etc/openldap/slapd.d/cn=config.ldif configuration file:

  • Delete the olcAllows: bind_v2 line, in my case I only want LDAPv3 connections.
  • I’ve changed the olcIdleTimeout: from 0 to 60, idle connections will be closed after 60 seconds.

4) Now we are going to create a backup of the configuration file for the BDB database used by OpenLDAP:

# cp /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif.orig

5) Let’s change some configuration options for the database. My domain will be example.com

  • I’ve changed olcSuffix: dc=my-domain,dc=com so OpenLDAP uses my own domain, e.g. olcSuffix: dc=example,dc=com
  • The RootDN is the user that can manage the LDAP server without restrictions. Change the olcRootDN line so it reflects your domain configuration: olcRootDN: cn=admin,dc=example,dc=com
  • We have to add a password for the RootDN user; we can generate one with the slappasswd command. Paste the {SSHA}…. password it generates into the olcRootPW: directive, e.g. olcRootPW: {SSHA}blahblahcode
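The value slappasswd prints is base64(SHA-1(password || salt) || salt) with a {SSHA} prefix. The helpers below are an added example, not OpenLDAP code and not a replacement for slappasswd: they rebuild that format with sha1sum, base64 and od, so you can check that a hash you pasted into olcRootPW really corresponds to the password you think it does. The fixed salt in the demonstration exists only to make the output reproducible; slappasswd picks random salt bytes.

```shell
#!/bin/sh
# Added helpers that build and verify OpenLDAP-style {SSHA} password hashes:
# base64( SHA-1(password || salt) || salt ). Illustration only; generate the
# real olcRootPW with slappasswd.

# Convert a hex string to raw bytes on stdout (no external tool needed).
hex2bin() {
    h=$1
    while [ -n "$h" ]; do
        byte=${h%"${h#??}"}                       # first two hex digits
        printf "\\$(printf '%03o' "$((0x$byte))")"  # emit that byte
        h=${h#??}
    done
}

# Print a {SSHA} hash for PASSWORD using SALT (any short string here; real
# tools use random salt bytes, a fixed salt only keeps the example deterministic).
ssha_make() {
    pw=$1; salt=$2
    digest_hex=$(printf '%s%s' "$pw" "$salt" | sha1sum | cut -c1-40)
    printf '{SSHA}%s\n' "$({ hex2bin "$digest_hex"; printf '%s' "$salt"; } | base64 | tr -d '\n')"
}

# Exit 0 if PASSWORD matches HASH, 1 otherwise: decode, split the 20-byte
# digest from the salt that follows it, recompute SHA-1 over password||salt.
ssha_verify() {
    pw=$1; hash=${2#"{SSHA}"}
    hex=$(printf '%s' "$hash" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
    [ ${#hex} -gt 40 ] || return 1                # need a digest plus at least one salt byte
    stored=$(printf '%s' "$hex" | cut -c1-40)
    salt_hex=$(printf '%s' "$hex" | cut -c41-)
    calc=$({ printf '%s' "$pw"; hex2bin "$salt_hex"; } | sha1sum | cut -c1-40)
    [ "$calc" = "$stored" ]
}

# Demonstration with a fixed salt; a real deployment pastes slappasswd output.
HASH=$(ssha_make 'changeme' 'ab12')
echo "olcRootPW: $HASH"
ssha_verify 'changeme' "$HASH" && echo "password verifies against the stored hash"
```

To check a value you already pasted into cn=config, call `ssha_verify 'the-password' '{SSHA}...'` with the string copied from the olcRootPW: line; the salt is recovered from the hash itself, so no other input is needed.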

6) Now we are going to start the OpenLDAP server and we are going to configure it to start at boot time.

# chkconfig slapd on
# service slapd start
Starting slapd: [ OK ]

7) We need to create an LDIF (LDAP Data Interchange Format) file with the configuration for our organization’s LDAP tree. I’ll also create two organizational units: one called People, which all users will be members of, and another called Groups, which will hold the groups of my organization. At the end of the file I specify who the RootDN for this LDAP tree is (cn=admin,dc=example,dc=com).

Very Important: there must be no spaces at the end of any line; use only newline characters!

dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: Example Org
dc: example

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: People

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Groups

dn: cn=admin,dc=example,dc=com
objectclass: organizationalRole
cn: admin

8) Now we apply our LDIF file; we’ll need the admin password. Finally we can test whether the LDAP tree is ready with the ldapsearch command.

# ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f example.ldif
# ldapsearch -x -b 'dc=example,dc=com' '(objectclass=*)'

9) I’m not using LDAP for Unix authentication; I’m preparing my LDAP directory for web application authentication. I’ll create an LDIF file with entries for a user that will be authenticated. I’m using an Á (A with an accent) in my given name, so I’m using the utf-8 code for that character.

dn: uid=mcabrerizo,ou=People,dc=example,dc=com
objectclass: top
objectclass: person
objectclass: inetOrgPerson
objectclass: organizationalPerson
uid: mcabrerizo
cn: Miguel \C1ngel Cabrerizo
sn: Cabrerizo
givenName: Miguel \C1ngel
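The LDIF grammar (RFC 2849) has one mechanism for values that are not plain printable ASCII, or that begin with a space, a colon or a “<”: the value is base64-encoded and written after a double colon (`givenName:: ...`). The helper below is an added example, not OpenLDAP code: it emits attribute lines in that form from raw UTF-8 input, and it also lints a finished file for the trailing whitespace that the “Very Important” note in step 7 warns about (a stray CR from a Windows editor counts too). The sample entry it writes is constructed from the user in this step.

```shell
#!/bin/sh
# Added LDIF helpers (not OpenLDAP code): emit attribute lines that follow the
# LDIF grammar in RFC 2849, and flag the trailing-whitespace mistake that the
# "Very Important" note in step 7 warns about.

# Exit 0 if VALUE must be base64-encoded in LDIF: it holds a byte outside
# printable ASCII (any UTF-8 character such as Á), or it starts with a space,
# ':' or '<', which LDIF parsers would otherwise misinterpret.
ldif_needs_base64() {
    case $1 in ' '*|':'*|'<'*) return 0 ;; esac
    printf '%s' "$1" | LC_ALL=C grep -q '[^ -~]'
}

# Print one attribute line: "name:: <base64>" when required, "name: value"
# otherwise, and a bare "name:" for an empty value (never a trailing space).
ldif_attr() {
    name=$1; value=$2
    if [ -z "$value" ]; then
        printf '%s:\n' "$name"
    elif ldif_needs_base64 "$value"; then
        printf '%s:: %s\n' "$name" "$(printf '%s' "$value" | base64 | tr -d '\n')"
    else
        printf '%s: %s\n' "$name" "$value"
    fi
}

# Report every line of FILE that ends in whitespace (space, tab or a stray CR
# from a Windows editor); exit 1 if any was found, 0 if the file is clean.
ldif_check_trailing_ws() {
    found=0
    for n in $(grep -n '[[:space:]]$' "$1" | cut -d: -f1); do
        echo "trailing whitespace on line $n of $1"
        found=1
    done
    return $found
}

# Constructed example: the user from step 9, with the given name supplied as
# raw UTF-8 bytes ("Miguel Ángel") so the helper decides the encoding itself.
GIVEN=$(printf 'Miguel \303\201ngel')
USER_LDIF=$(mktemp)
{
    ldif_attr dn 'uid=mcabrerizo,ou=People,dc=example,dc=com'
    ldif_attr objectclass top
    ldif_attr objectclass person
    ldif_attr objectclass organizationalPerson
    ldif_attr objectclass inetOrgPerson
    ldif_attr uid mcabrerizo
    ldif_attr cn "$GIVEN Cabrerizo"
    ldif_attr sn Cabrerizo
    ldif_attr givenName "$GIVEN"
} > "$USER_LDIF"
cat "$USER_LDIF"
ldif_check_trailing_ws "$USER_LDIF" && echo "no trailing whitespace in $USER_LDIF"
```

Running `ldif_check_trailing_ws example.ldif` before `ldapadd` turns the silent “invalid syntax” failures that trailing spaces cause into a line number you can fix.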

10) Now I’m going to set a password for my new LDAP user. The following command will prompt me for the new password and, of course, for the admin password:

# ldappasswd -S -x -D "cn=admin,dc=example,dc=com" -W \
    uid=mcabrerizo,ou=People,dc=example,dc=com
New password:
Re-enter new password:
Enter LDAP Password:

11) I’ll create a group in the Groups organizational unit and include my new user in that group:

dn: cn=onemanagers,ou=Groups,dc=example,dc=com
cn: onemanagers
objectclass: groupofnames
member: uid=mcabrerizo,ou=People,dc=example,dc=com

12) Let’s suppose I’ve created a new user with uid n40lab and now I want to add it to the group onemanagers. I’ll create an LDIF file (addto_onemanagers.ldif) for this modification and apply it with the ldapmodify command:

dn: cn=onemanagers,ou=Groups,dc=example,dc=com
changetype: modify
add: member
member: uid=n40lab,ou=People,dc=example,dc=com

# ldapmodify -x -D "cn=admin,dc=example,dc=com" -W -f addto_onemanagers.ldif

13) Now, if I want to remove that user from my group, I’ll create an LDIF file (removefrom_onemanagers.ldif) for this modification and apply it with the ldapmodify command:

dn: cn=onemanagers,ou=Groups,dc=example,dc=com
changetype: modify
delete: member
member: uid=n40lab,ou=People,dc=example,dc=com

# ldapmodify -x -D "cn=admin,dc=example,dc=com" -W -f removefrom_onemanagers.ldif

OK, this is long enough. That’s how I’ve created a simple directory for web application authentication. I’m an LDAP newbie, so forgive me if you find anything wrong with this post; I’ll update it as I use this LDAP configuration in my tests.

In a different post I’ll try to increase the security for this LDAP directory.

Cheers!