Failure to authenticate ldap users via the EC2 interface
Users authenticated with LDAP are not allowed to launch instances via EC2.
I tried an EC2 start instance script with oneadmin user and a core user, and script works.
Then I tried with users, declared in LDAP, and we have error "User not authorized":
-- Calling x.x.x.x. with user osallou
-- Create an image --
Error: User not authorized
#1 Updated by Daniel Molina over 7 years ago
LDAP authentication is not supported out-of-the-box in EC2 (nor OCCI). The EC2 authentication generates a token using the site endpoint, username, password ... This token is also generated in the server side and compared, but the user password is not available in the server side, so the signature cannot be generated.
In OpenNebula 3.4 a new CloudAuth was included for Susntone to use the OpenNebula core drivers such as LDAP, ssh... but it can be also used with the rest of the cloud servers
This method (OpenNebulaCloudAuth) will retrieve the user information from the basic auth header and will send it to OpenNebula. Therefore if the EC2 request includes this header (user:password) the user can be authenticated using the LDAP driver. This would require to modify the clients to include this information and enable this auth method inside the econe.conf file (:auth: opennebula).
Other options to support the LDAP authentication in EC2 are:
1. Save the LDAP password in the OpenNebula DB. The signature will be generated using this password and if it matchs it will be sent to the LDAP driver to authenticate with the LDAP server.
2. Include a new attribute (i.e.: cloud_key) in the LDAP tree, the user will provide this attribute in the client side to generate the signature. In the server side a special user will be required to retrieve the cloud_key of the specified user from the LDAP tree.
Both methods would require to develop a new LDAPCloudAuth
If you think this feature is necessary we can consider it for the next release.
#2 Updated by olivier sallou over 7 years ago
I gonna remove ldap usage in this case.
But it is a kind of issue. Getting LDAP support is really nice in case of an organization, but if users cannot use the EC2 interface, it is less usefull....
Saving LDAP password in open nebula is useless, there would be no sync with use password management. Using a special key in the LDAP tree could be a nice feature.