Backlog #3161

Populate LDAP users before they connect

Added by EOLE Team almost 7 years ago. Updated almost 7 years ago.

Status: Pending
Start date: 08/26/2014
Priority: Low
Due date:
Assignee: -
% Done: 0%
Category: Drivers - Auth
Target version: -

Description

Hello,

It could be interesting to populate users before their first connection.

To avoid enabling every LDAP account to connect to OpenNebula, we could disable the default authentication method and populate the users by hand.

The problem is that oneuser create myuser --driver ldap requires a password or an authentication method:

oneadmin@one:~$ oneuser create myldapuser --driver ldap
You have to specify an Auth method or define a password

This could be made optional, or even disabled per driver.

History

#1 Updated by Stefan Kooman almost 7 years ago

I don't really get this one. In LDAP you can create a special group for OpenNebula and in "auth.conf" set the group field (filter) accordingly. We got something like this:

  # group the users need to belong to. If not set any user will do
  :group: 'cn=opennebula,ou=roles,dc=domain,dc=tld'

Only users that are members of group "opennebula" are able to authenticate. Besides that we have a "USER" hook that does an ldapsearch for the user authenticating, checks group memberships and applies group membership in ONE accordingly.

#2 Updated by EOLE Team almost 7 years ago

Stefan Kooman wrote:

I don't really get this one. In LDAP you can create a special group for OpenNebula and in "auth.conf" set the group field (filter) accordingly

Sorry, I forgot to mention that we do not have groups in LDAP.

Some ONE installations may even use an LDAP not managed by the ONE admin, just to give the authorized users the possibility to use the same authentication as everything else.

Technically, I don't see any reason why the LDAP driver needs an auth method or a password, since the password field contains the DN of the user:

oneadmin@one:~$ oneuser show myldapuser
USER 4 INFORMATION
ID              : 4
NAME            : myldapuser
GROUP           : users
PASSWORD        : uid=myldapuser,ou=users,dc=example,dc=net
AUTH_DRIVER     : ldap
ENABLED         : Yes

USER TEMPLATE
DEFAULT_VIEW="user" 
LANG="en_US" 
TABLE_ORDER="desc" 
TOKEN_PASSWORD="5ce9fdc274e22b2ef3012023d91e7eb4ce07305" 
VNC_WSS="yes" 

#3 Updated by Ruben S. Montero almost 7 years ago

EOLE Team wrote:

Stefan Kooman wrote:

I don't really get this one. In LDAP you can create a special group for OpenNebula and in "auth.conf" set the group field (filter) accordingly

Sorry, I forgot to mention that we do not have groups in LDAP.

Some ONE installations may even use an LDAP not managed by the ONE admin, just to give the authorized users the possibility to use the same authentication as everything else.

Technically, I don't see any reason why the LDAP driver needs an auth method or a password, since the password field contains the DN of the user:

[...]

Hi Stefan

We've also implemented #3159. Documentation will be available shortly, but the idea is that you can label each OpenNebula group with an LDAP key in the template (GROUP_DN). An LDAP user with that key will be added to the corresponding group (or groups).

Thought you might be interested...

Cheers
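The three mechanisms discussed in this thread (the :group: filter from #1, the pre-created ldap user whose PASSWORD field holds the DN from #2, and GROUP_DN labels from #3) can be modelled as one decision function. This is an added illustrative example, not OpenNebula's ldap_auth driver code; the directory entries, group DNs and the assumption that a pre-created user's stored DN must match the LDAP DN are all constructed here.

```ruby
# Illustrative model (not the OpenNebula ldap_auth driver) of the checks discussed
# in this ticket, run against constructed in-memory data instead of a live LDAP.

# Constructed stand-in for an LDAP directory: uid => DN and group memberships.
LDAP_ENTRIES = {
  'alice' => { dn: 'uid=alice,ou=users,dc=example,dc=net',
               member_of: ['cn=opennebula,ou=roles,dc=example,dc=net',
                           'cn=devops,ou=roles,dc=example,dc=net'] },
  'bob'   => { dn: 'uid=bob,ou=users,dc=example,dc=net',
               member_of: ['cn=devops,ou=roles,dc=example,dc=net'] },
  'carol' => { dn: 'uid=carol,ou=users,dc=example,dc=net',
               member_of: ['cn=opennebula,ou=roles,dc=example,dc=net'] },
}.freeze

# Constructed OpenNebula groups and their GROUP_DN template value (nil = unlabelled).
ONE_GROUPS = {
  'users'  => nil,
  'devops' => 'cn=devops,ou=roles,dc=example,dc=net',
}.freeze

# Constructed pre-populated ONE users, as `oneuser create --driver ldap` would leave
# them: the PASSWORD field holds the DN (see `oneuser show` output in comment #2).
ONE_USERS = {
  'alice' => { auth_driver: 'ldap', password: 'uid=alice,ou=users,dc=example,dc=net' },
  'bob'   => { auth_driver: 'ldap', password: 'uid=other,ou=users,dc=example,dc=net' },
}.freeze

# Returns [true, one_groups] on success, [false, reason] otherwise.
def ldap_auth_decision(uid, required_group: nil)
  entry = LDAP_ENTRIES[uid]
  return [false, 'no such LDAP entry'] unless entry

  # Check 1: the :group: filter from auth.conf, if configured.
  if required_group && !entry[:member_of].include?(required_group)
    return [false, "not a member of #{required_group}"]
  end

  # Check 2 (assumption): a pre-created ldap user is bound to exactly one DN.
  one_user = ONE_USERS[uid]
  if one_user && one_user[:auth_driver] == 'ldap' && one_user[:password] != entry[:dn]
    return [false, 'stored DN does not match LDAP DN']
  end

  # Check 3: GROUP_DN labels select ONE groups; fall back to 'users' when none match.
  groups = ONE_GROUPS.select { |_, dn| dn && entry[:member_of].include?(dn) }.keys
  groups = ['users'] if groups.empty?
  [true, groups]
end
```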

#4 Updated by Ruben S. Montero almost 7 years ago

  • Tracker changed from Request to Backlog
  • Category set to Drivers - Auth
  • Priority changed from Normal to Low
