  • LDAP Authentication for OpenNebula 3.2

    LDAP Authentication 3.2

    The LDAP Authentication addon lets users log in with the same credentials they have in LDAP, effectively centralizing authentication. Once it is enabled, any correctly authenticated LDAP user can use OpenNebula.

    Prerequisites

    This addon uses the 'net/ldap' Ruby library provided by the 'net-ldap' gem.

    This addon will not install or configure an LDAP server, and it will not create, delete or modify any entry in the LDAP server it connects to. The only requirements are the ability to connect to an already running LDAP server, to perform a successful ldapbind operation, and to have a user able to perform searches of users. No special attributes or values are therefore required in the LDIF entry of the user authenticating.

    Configuration

    The configuration file for the auth module is located at $ONE_LOCATION/etc/auth/ldap_auth.conf. This is the default configuration:

    # Ldap user able to query, if not set connects as anonymous
    #:user: 'admin'
    #:password: 'password'
     
    # Ldap authentication method
    :auth_method: :simple
     
    # Ldap server
    :host: localhost
    :port: 389
     
    # base hierarchy where to search for users and groups
    :base: 'dc=domain'
     
    # group the users need to belong to. If not set any user will do
    :group: 'cn=cloud,ou=groups,dc=domain'
     
    # field that holds the user name, if not set 'cn' will be used
    :user_field: 'cn'

    VARIABLE       DESCRIPTION
    :user          Name of the user that can query LDAP. Do not set it if you can perform queries anonymously
    :password      Password for the user defined in :user. Do not set it if anonymous access is enabled
    :auth_method   Can be set to :simple_tls if an SSL connection is needed
    :host          Host name of the LDAP server
    :port          Port of the LDAP server
    :base          Base leaf where to perform user searches
    :group         If set, the users need to belong to this group
    :user_field    Field in LDAP that holds the user name
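
An added example (not part of the original OpenNebula documentation): a small Ruby check that reads an ldap_auth.conf in the format shown above and reports the settings the page describes as permissive, namely anonymous search, a :simple bind without SSL to a remote host, and a missing :group. The function name, finding ids and sample host name are assumptions made for illustration.

```ruby
require 'yaml'

# Constructed sample: the page's default ldap_auth.conf with :group removed
# and a remote host (hypothetical name) so that every check fires.
SAMPLE_CONF = <<~CONF
  :auth_method: :simple
  :host: ldap.example.internal
  :port: 389
  :base: 'dc=domain'
  :user_field: 'cn'
CONF

LOOPBACK = %w[localhost 127.0.0.1 ::1].freeze

# Returns [check_id, message] pairs for settings that weaken the deployment.
# Keys and values are the ones documented on this page; ids are hypothetical.
def audit_ldap_auth_conf(yaml_text)
  conf = YAML.safe_load(yaml_text, permitted_classes: [Symbol]) || {}
  findings = []

  # No :user means user searches are done with an anonymous bind.
  if conf[:user].to_s.empty?
    findings << [:anonymous_search, 'no :user set; directory searches use anonymous bind']
  elsif conf[:password].to_s.empty? || conf[:password] == 'password'
    findings << [:weak_query_password, ':password is empty or still the sample value']
  end

  # A :simple bind sends the password unencrypted; the page names
  # :simple_tls as the setting to use when SSL is needed.
  if conf[:auth_method] != :simple_tls && !LOOPBACK.include?(conf[:host].to_s)
    findings << [:cleartext_bind, "bind to #{conf[:host]} without :simple_tls exposes passwords on the wire"]
  end

  # Without :group, every user found under :base may use OpenNebula.
  if conf[:group].to_s.empty?
    findings << [:no_group_filter, 'no :group set; any LDAP user under :base is accepted']
  end

  findings
end

if __FILE__ == $PROGRAM_NAME
  audit_ldap_auth_conf(SAMPLE_CONF).each { |id, msg| puts "#{id}: #{msg}" }
end
```

To check a real deployment, pass the contents of $ONE_LOCATION/etc/auth/ldap_auth.conf to the function instead of the sample.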

    To enable LDAP authentication, configure the parameters described above. OpenNebula must also be configured to enable external authentication: uncomment these lines in $ONE_LOCATION/etc/oned.conf and add ldap and default (more on this later) as enabled authentication methods.

    AUTH_MAD = [
        executable = "one_auth_mad",
        arguments = "--authz quota --authn server_cipher,ldap,default"
    ]

    To use this driver for users that are not yet in the user database, you must set it as the default driver. To do this, go to the auth drivers directory and symlink the directory ldap to default. In a system-wide installation you can do this with the following command:

    $ ln -s /var/lib/one/remotes/auth/ldap /var/lib/one/remotes/auth/default
    

    User Management

    With the LDAP authentication module the administrator doesn't need to create users with the oneuser command, as this is done automatically. Users should add their credentials to the $ONE_AUTH file (usually $HOME/.one/one_auth) in this format:

    user_dn_or_username:user_password
  • Original article: https://www.cnblogs.com/ruiy/p/4096599.html