LDAP authentication is handled by master daemon

* dicos/29_one-master.xml: new template to manage * tmpl/ldap_auth.conf: import from eole-one-frontend Ref: #21703
2017-10-19 11:09:12 +02:00 · 2017-10-19 11:09:12 +02:00 · daf0700d15
parent 05d37c6569
commit daf0700d15
2 changed files with 74 additions and 0 deletions
--- a/dicos/29_one-master.xml
+++ b/dicos/29_one-master.xml
@ -5,6 +5,8 @@
        <file filelist='onesinglenode' name='/etc/one/vmm_exec/vmm_exec_kvm.conf' rm='True' mkdir='True'/>
        <file filelist='onesinglenode' name='/etc/one/oned.conf' rm='True'/>
        <file filelist='onesinglenode' name='/var/lib/one/remotes/vnm/OpenNebulaNetwork.conf' rm='True' mkdir='True'/>
+        <file filelist='onesinglenode' name='/etc/one/auth/ldap_auth.conf'/>
+
        <service>opennebula</service>

        <service_access service='one-ssh'>
--- a/tmpl/ldap_auth.conf
+++ b/tmpl/ldap_auth.conf
@ -0,0 +1,72 @@
+# ---------------------------------------------------------------------------- #
+# Copyright 2002-2017, OpenNebula Project, OpenNebula Systems                  #
+#                                                                              #
+# Licensed under the Apache License, Version 2.0 (the "License"); you may      #
+# not use this file except in compliance with the License. You may obtain      #
+# a copy of the License at                                                     #
+#                                                                              #
+# http://www.apache.org/licenses/LICENSE-2.0                                   #
+#                                                                              #
+# Unless required by applicable law or agreed to in writing, software          #
+# distributed under the License is distributed on an "AS IS" BASIS,            #
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.     #
+# See the License for the specific language governing permissions and          #
+# limitations under the License.                                               #
+# ---------------------------------------------------------------------------- #
+
+server 1:
+    # Ldap user able to query, if not set connects as anonymous. For
+    # Active Directory append the domain name. Example:
+    # Administrator@my.domain.com
+    #:user: 'admin'
+    #:password: 'password'
+
+    # Ldap authentication method
+    :auth_method: :simple
+
+    # Ldap server
+    :host: %%adresse_ip_ldap
+    :port: %%ldap_port
+%if %%getVar('ldap_tls', 'non') == 'oui'
+
+    # Uncomment this line for tls conections
+    :encryption: :simple_tls
+%end if
+
+    # base hierarchy where to search for users and groups
+    :base: %%ldap_base_dn
+
+    # group the users need to belong to. If not set any user will do
+    #:group: 'cn=cloud,ou=groups,dc=domain'
+
+    # field that holds the user name, if not set 'cn' will be used
+    :user_field: 'uid'
+
+    # for Active Directory use this user_field instead
+    #:user_field: 'sAMAccountName'
+
+    # field name for group membership, by default it is 'member'
+    #:group_field: 'member'
+
+    # user field that that is in in the group group_field, if not set 'dn' will be used
+    #:user_group_field: 'dn'
+
+    # Generate mapping file from group template info
+    :mapping_generate: true
+
+    # Seconds a mapping file remain untouched until the next regeneration
+    :mapping_timeout: 300
+
+    # Name of the mapping file in OpenNebula var diretory
+    :mapping_filename: server1.yaml
+
+    # Key from the OpenNebula template to map to an AD group
+    :mapping_key: GROUP_DN
+
+    # Default group ID used for users in an AD group not mapped
+    :mapping_default: 1
+
+# List the order the servers are queried
+:order:
+    - server 1
+%end if