Bug #1394

Wrong username with LDAP auth

Added by Arthur Zalevsky over 6 years ago. Updated over 6 years ago.

Status: Closed
Start date: 07/26/2012
Priority: Normal
Due date:
Assignee: Javi Fontan
% Done: 0%
Category: Core & System
Target version: Release 3.8
Resolution: fixed
Pull request:
Affected Versions: OpenNebula 3.4

Description

I'm trying to set up LDAP auth for OpenNebula and Sunstone and am having the following trouble:

The first login is OK, but after the second attempt I get something like this in oned.log:

Thu Jul 26 13:23:49 2012 [AuM][D]: Message received: LOG I 4 Trying server server 1

Thu Jul 26 13:23:49 2012 [AuM][I]: Trying server server 1
Thu Jul 26 13:23:49 2012 [AuM][D]: Message received: LOG I 4 ExitCode: 0

Thu Jul 26 13:23:49 2012 [AuM][I]: ExitCode: 0
Thu Jul 26 13:23:49 2012 [AuM][D]: Message received: AUTHENTICATE SUCCESS 4 ldap uid=silwer,ou=Users,dc=lab password

Thu Jul 26 13:23:49 2012 [AuM][E]: Can't create user: NAME is already taken by USER 9.. Driver response: ldap uid=silwer,ou=Users,dc=lab password

And the username looks like this:

9 uid=silwer,ou=U users      ldap             -                 -           -

So I've resolved the issue by modifying /var/lib/one/remotes/auth/ldap/authenticate in this way:

if ldap.authenticate(user_name, secret)
    escaped_user=URI_PARSER.escape(user_name)

to

if ldap.authenticate(user_name, secret)
    # user is the name typed at login; user_name is the DN resolved from LDAP
    escaped_user=URI_PARSER.escape(user)

and now the user looks good:

  10 silwer          users      ldap             -                 -           -

Not sure if it's the best or most proper way, but it works fine for me.
So the problem, as far as I can see, is in incorrect parsing of the LDAP entry.

OS: Ubuntu 12.04 amd64
OpenNebula: 3.6 from .deb package
/etc/one/auth/ldap_auth.conf is attached

ldap_auth.conf (2.18 KB) Arthur Zalevsky, 07/26/2012 09:53 AM

Associated revisions

Revision 97b537ad
Added by Javi Fontan over 6 years ago

bug #1394: fix ldap authentication when using username

History

#1 Updated by Arthur Zalevsky over 6 years ago

And it seems to be the same issue with this part:

if server_conf[:group]
    if !ldap.is_in_group?(user_name, server_conf[:group])
        STDERR.puts "User #{user} is not in group #{server_conf[:group]}"
        next
    end
end

I also changed user_name to user and everything works.

#2 Updated by Ruben S. Montero over 6 years ago

  • Target version set to Release 3.8

#3 Updated by Ruben S. Montero over 6 years ago

  • Assignee set to Javi Fontan

#4 Updated by Ruben S. Montero over 6 years ago

  • Status changed from New to Assigned

#5 Updated by Javi Fontan over 6 years ago

You are right. There is a problem when using a user name instead of the DN. Changing the name stored in the ONE database to the one that the user provides does the trick.

One thing I don't get is why you also use user to check if the user is in a group. In our setup we have the DNs added to a group. Does your group contain usernames instead of DNs?
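The following Ruby model is an added illustration of the two-login sequence from the description and of Javi's explanation in #5; it is not OpenNebula's driver code and not part of this ticket. An in-memory hash stands in for the LDAP directory, ldap_driver is a simplified stand-in for the authenticate script, and Core is an assumed model of how the core keys users by the typed login name and creates a user with the driver-returned name when that lookup misses. store_dn: true hands back the resolved DN (the reported behaviour), store_dn: false hands back the typed name (the fix). The group check is done on member DNs, as in Javi's setup. All names, passwords, ids and the group are constructed.

```ruby
# Added example (not OpenNebula code): a constructed model of the login flow
# behind bug #1394. DIRECTORY, GROUPS and the Core user table are in-memory
# stand-ins; the assumption is that the core looks the typed login name up in
# its own table and, when it is missing, creates a user with the name the
# driver returns.
require 'uri'

# Constructed LDAP content: DN => entry
DIRECTORY = {
  'uid=silwer,ou=Users,dc=lab' => { uid: 'silwer', password: 'secret' }
}.freeze
# Constructed group membership: group DN => member DNs
GROUPS = { 'cn=cloud,ou=Groups,dc=lab' => ['uid=silwer,ou=Users,dc=lab'] }.freeze

class LdapDirectory
  # Resolve the typed login name to the DN the driver binds with.
  def find_user(name)
    DIRECTORY.keys.find { |dn| DIRECTORY[dn][:uid] == name }
  end

  def authenticate(dn, password)
    entry = DIRECTORY[dn]
    !entry.nil? && entry[:password] == password
  end

  def is_in_group?(dn, group)
    GROUPS.fetch(group, []).include?(dn)
  end
end

ESCAPER = URI::RFC2396_Parser.new

# Driver stand-in: returns "ldap <name> <secret>" on success, nil on failure.
# store_dn: true reproduces the reported bug (the resolved DN is handed back
# as the name to store); false is the fix (the typed name is handed back).
def ldap_driver(user, secret, group: nil, store_dn: false)
  ldap = LdapDirectory.new
  user_name = ldap.find_user(user)            # e.g. "uid=silwer,ou=Users,dc=lab"
  return nil unless user_name
  return nil if group && !ldap.is_in_group?(user_name, group)
  return nil unless ldap.authenticate(user_name, secret)
  stored = store_dn ? user_name : user
  "ldap #{ESCAPER.escape(stored)} #{secret}"
end

# Assumed model of the core: one user table keyed by name.
class Core
  def initialize(store_dn:)
    @users = {}       # name => id
    @next_id = 9      # constructed starting id, matching the report's USER 9
    @store_dn = store_dn
  end

  # Returns the user id on success; raises like the oned.log line on collision.
  def login(user, secret)
    return @users[user] if @users.key?(user)
    response = ldap_driver(user, secret, store_dn: @store_dn)
    raise 'authentication failed' unless response
    name = response.split(' ')[1]
    if @users.key?(name)
      raise "Can't create user: NAME is already taken by USER #{@users[name]}"
    end
    @users[name] = @next_id
    @next_id += 1
    @users[name]
  end

  def names
    @users.keys
  end
end

# Two consecutive logins with the same credentials, as in the report.
# Returns [first result, second result or error message, stored names].
def login_twice(store_dn:)
  core = Core.new(store_dn: store_dn)
  first = core.login('silwer', 'secret')
  second = begin
    core.login('silwer', 'secret')
  rescue RuntimeError => e
    e.message
  end
  [first, second, core.names]
end

if __FILE__ == $PROGRAM_NAME
  p login_twice(store_dn: true)   # buggy: second login collides on the DN
  p login_twice(store_dn: false)  # fixed: second login finds user 9
end
```

Running the file prints the buggy sequence first (user 9 created under the DN, then the "NAME is already taken" error) and the fixed sequence second (both logins resolve to the same user). The take-away for anyone writing such a driver is that the identity handed back to the core must be the one the core will look up on the next login; authenticating against the DN while storing the typed name keeps the two consistent.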

#6 Updated by Javi Fontan over 6 years ago

  • Status changed from Assigned to Closed
  • Resolution set to fixed
