Feature #1916
Allow ldap group member field to be something else than dn
| Status: | Closed | Start date: | 04/16/2013 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | Javi Fontan | % Done: | 0% |
| Category: | Drivers - Auth | | |
| Target version: | Release 4.0 | | |
| Resolution: | fixed | Pull request: | |
Description
When doing ldap authentication, the current driver expects the group_field attribute to contain the dn of the user entry. However, not all ldap are made this way. So it would be useful if one could configure which attribute of the user entry would be looked for in the group_field attribute of the group entry.
The attached patch fixes this (please note that it breaks the API of the OpenNebula::LdapAuth class). It is not fully tested.
Associated revisions
feature #1916: add user_group_field support to ldap
Revert "feature #1916: add user_group_field support to ldap"
This reverts commit d30b0f1bd168d3fd981ea1dc140992a14f51d762.
feature #1916: Allow configuration of ldap group member field
Patch by Jean-Philippe Garcia Ballester
feature #1916: bug in ldap auth
History
#1 Updated by Jean-Philippe Garcia Ballester about 8 years ago
I would very much like to see this in OpenNebula 4.0, since I will otherwise have either to patch opennebula, or change my ldap structure…
#2 Updated by Javi Fontan about 8 years ago
- Status changed from New to Assigned
- Assignee set to Javi Fontan
- Target version set to Release 4.0
I'll try to integrate this before final 4.0. Thanks for the tip and the patch.
#3 Updated by Javi Fontan about 8 years ago
- File ldap_groups.patch added
I've been fiddling a bit with this and I think I've found a solution for both cases. I still have to test it (I don't really know if it even executes). Could you please give a try to this patch?
#4 Updated by Javi Fontan about 8 years ago
- Tracker changed from Bug to Feature
#5 Updated by Jean-Philippe Garcia Ballester about 8 years ago
- File ldap_auth.rb added
Your patch addresses an interesting issue, but it is not the one I filed :)
Some examples to make this clear:
First ldap example (covered by current opennebula version):
    User:
    dn: cn=Jean-Philippe Garcia Ballester,ou=users,dc=ac-grenoble,dc=fr
    Group:
    dn: cn=admin,ou=groups,dc=ac-grenoble,dc=fr
    member: cn=Jean-Philippe Garcia Ballester,ou=users,dc=ac-grenoble,dc=fr
Second ldap example (covered by my patch):
    User
    dn: cn=Jean-Philippe Garcia Ballester,ou=users,dc=ac-grenoble,dc=fr
    uid: jp
    Group:
    dn: cn=admin,ou=groups,dc=ac-grenoble,dc=fr
    member: jp
Third ldap example (covered by your patch):
    User
    dn: cn=Jean-Philippe Garcia Ballester,ou=users,dc=ac-grenoble,dc=fr
    group: admin
My patch was supposed to work for the first and second examples. If you changed it, I suppose it is because it breaks something?
I have updated it to also make the second example work when the parameter is the dn.
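The first and second layouts from the comment above, as an added Ruby sketch that is not OpenNebula's ldap_auth.rb and not the attached patch: it shows a membership check that compares a configurable user attribute against the group's member attribute by whole-value equality and denies when an attribute is missing. `group_member?`, the hash entry model and the sample constants are assumptions made for this illustration; `group_field` and `user_group_field` are the names used in this ticket.

```ruby
# Added illustration; not the project's code. Entries are modeled as plain
# hashes of attribute name => array of values (constructed sample data).

USER = {
  'dn'  => ['cn=Jean-Philippe Garcia Ballester,ou=users,dc=ac-grenoble,dc=fr'],
  'uid' => ['jp']
}.freeze

# First layout: the group lists its members by full DN.
GROUP_BY_DN = {
  'dn'     => ['cn=admin,ou=groups,dc=ac-grenoble,dc=fr'],
  'member' => ['cn=Jean-Philippe Garcia Ballester,ou=users,dc=ac-grenoble,dc=fr']
}.freeze

# Second layout: the group lists its members by uid.
GROUP_BY_UID = {
  'dn'     => ['cn=admin,ou=groups,dc=ac-grenoble,dc=fr'],
  'member' => ['jp']
}.freeze

# Hypothetical helper: true only if one value of the user's
# `user_group_field` attribute equals, as a whole string, one value of the
# group's `group_field` attribute. A substring such as "j" never matches
# "jp", and a missing or empty attribute denies membership (fail closed).
def group_member?(user, group, group_field:, user_group_field: 'dn')
  wanted  = Array(user[user_group_field]).map(&:to_s).reject(&:empty?)
  members = Array(group[group_field]).map(&:to_s)
  !(wanted & members).empty?
end

if __FILE__ == $PROGRAM_NAME
  puts group_member?(USER, GROUP_BY_DN, group_field: 'member')
  puts group_member?(USER, GROUP_BY_UID, group_field: 'member',
                                         user_group_field: 'uid')
  # Mismatched configuration: DN compared against a uid list.
  puts group_member?(USER, GROUP_BY_UID, group_field: 'member')
end
```

The comparison here is exact string equality; a directory whose matching rules are case-insensitive for the chosen attribute would need the values normalized the same way on both sides before comparing.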
#6 Updated by Jean-Philippe Garcia Ballester about 8 years ago
Arg, I attached the file instead of the patch…
#7 Updated by Javi Fontan about 8 years ago
I got it totally wrong there. I've just reverted my mess and committed your patch. Thanks!
#8 Updated by Javi Fontan about 8 years ago
- Status changed from Assigned to Closed
- Resolution set to fixed