Merge branch 'feature-1100'
@ -32,6 +32,7 @@ $: << RUBY_LIB_LOCATION
|
||||
require 'scripts_common'
|
||||
require 'OpenNebulaDriver'
|
||||
require 'getoptlong'
|
||||
require 'shellwords'
|
||||
|
||||
# This is a generic AuthZ/AuthN driver able to manage multiple authentication
|
||||
# protocols (simultaneosly). It also supports the definition of custom
|
||||
@ -110,7 +111,9 @@ class AuthDriver < OpenNebulaDriver
|
||||
authN_path = File.join(@local_scripts_path, driver)
|
||||
|
||||
command = File.join(authN_path, ACTION[:authN].downcase)
|
||||
command << " '" << user.gsub("'", '\'"\'"\'') << "' '" << password.gsub("'", '\'"\'"\'') << "' " << secret
|
||||
command << ' ' << ([user, password, secret].map do |p|
|
||||
Shellwords.escape(p)
|
||||
end.join(' '))
|
||||
|
||||
rc = LocalCommand.run(command, log_method(request_id))
|
||||
|
||||
|
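Review bot: The map/escape/join block chained onto the `command <<` line can be collapsed to the purpose-built helper in the same stdlib module, `command << ' ' << Shellwords.join([user, password, secret])`, which escapes each element and joins them with spaces in one call. That also removes the `do ... end.join(' ')` form, where the block's closing `end` carries a method call, which reads poorly. The escaping itself is the right fix: the removed line appended `secret` to the shell string with no quoting at all, so keep all three values escaped. The enclosing method begins and ends outside this hunk.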
@ -1,4 +1,4 @@
|
||||
#!/usr/bin/ruby
|
||||
#!/usr/bin/env ruby
|
||||
|
||||
# ---------------------------------------------------------------------------- #
|
||||
# Copyright 2010-2012, C12G Labs S.L #
|
||||
@ -30,34 +30,77 @@ $: << RUBY_LIB_LOCATION
|
||||
|
||||
require 'yaml'
|
||||
require 'ldap_auth'
|
||||
require 'uri'
|
||||
|
||||
user=ARGV[0]
|
||||
pass=ARGV[1]
|
||||
secret=ARGV[2]
|
||||
if defined?(URI::Parser)
|
||||
URI_PARSER=URI::Parser.new
|
||||
else
|
||||
URI_PARSER=URI
|
||||
end
|
||||
|
||||
user=URI_PARSER.unescape(ARGV[0])
|
||||
pass=URI_PARSER.unescape(ARGV[1])
|
||||
secret=URI_PARSER.unescape(ARGV[2])
|
||||
|
||||
options=YAML.load(File.read(ETC_LOCATION+'/auth/ldap_auth.conf'))
|
||||
|
||||
ldap=LdapAuth.new(options)
|
||||
order=options[:order]
|
||||
|
||||
user_name=ldap.find_user(user)
|
||||
|
||||
if !user_name
|
||||
STDERR.puts "User #{user} not found"
|
||||
if !order
|
||||
STDERR.puts ":order value not found, the configuration file could be malformed"
|
||||
order=options.keys
|
||||
elsif order.class != Array
|
||||
STDERR.puts ":order value malformed, must be an Array"
|
||||
exit(-1)
|
||||
end
|
||||
|
||||
if options[:group]
|
||||
if !ldap.is_in_group?(user_name, options[:group])
|
||||
STDERR.puts "User #{user} is not in group #{options[:group]}"
|
||||
exit(-1)
|
||||
authenticated=false
|
||||
|
||||
order.each do |server_name|
|
||||
STDERR.puts "Trying server #{server_name}"
|
||||
|
||||
server_conf=options[server_name]
|
||||
if !server_conf
|
||||
STDERR.puts "Configuration for server not found"
|
||||
break
|
||||
end
|
||||
|
||||
begin
|
||||
ldap=LdapAuth.new(server_conf)
|
||||
|
||||
user_name=ldap.find_user(user)
|
||||
|
||||
if !user_name
|
||||
STDERR.puts "User #{user} not found"
|
||||
next
|
||||
end
|
||||
|
||||
if server_conf[:group]
|
||||
if !ldap.is_in_group?(user_name, server_conf[:group])
|
||||
STDERR.puts "User #{user} is not in group #{server_conf[:group]}"
|
||||
next
|
||||
end
|
||||
end
|
||||
|
||||
if ldap.authenticate(user_name, secret)
|
||||
escaped_user=URI_PARSER.escape(user_name)
|
||||
escaped_secret=URI_PARSER.escape(secret)
|
||||
puts "ldap #{escaped_user} #{escaped_secret}"
|
||||
authenticated=true
|
||||
break
|
||||
else
|
||||
STDERR.puts "Bad user/password"
|
||||
end
|
||||
|
||||
rescue Exception => e
|
||||
STDERR.puts "Exception raised authenticating to LDAP"
|
||||
STDERR.puts e.inspect
|
||||
STDERR.puts e.backtrace.join("\n")
|
||||
end # rescue
|
||||
end
|
||||
|
||||
if ldap.authenticate(user_name, secret)
|
||||
puts "ldap #{user} #{user_name}"
|
||||
exit(0)
|
||||
else
|
||||
STDERR.puts "Bad user/password"
|
||||
if !authenticated
|
||||
STDERR.puts "Could not authenticate user #{user}"
|
||||
exit(-1)
|
||||
end
|
||||
|
||||
|
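Review bot: `rescue Exception => e` in the per-server loop catches `Interrupt`, `SystemExit` and `NoMemoryError` as well as LDAP errors, so a Ctrl-C or an `exit` raised inside the block is reported as "Exception raised authenticating to LDAP" and the loop moves on to the next server; change it to `rescue StandardError => e`. Related, the missing-config branch does `break`, which abandons the remaining entries of `:order` and ends in "Could not authenticate user" — if the intent is to skip a misconfigured server and keep trying, `next` is what the other failure branches use; if it is meant to abort, `exit(-1)` would say so explicitly. The `e.inspect` written to STDERR may embed the bind credentials depending on what the LDAP library puts in its exception messages; worth confirming before it reaches the driver log.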
@ -14,22 +14,43 @@
|
||||
# limitations under the License. #
|
||||
# ---------------------------------------------------------------------------- #
|
||||
|
||||
# Ldap user able to query, if not set connects as anonymous
|
||||
#:user: 'admin'
|
||||
#:password: 'password'
|
||||
server 1:
|
||||
# Ldap user able to query, if not set connects as anonymous. For
|
||||
# Active Directory append the domain name. Example:
|
||||
# Administrator@my.domain.com
|
||||
#:user: 'admin'
|
||||
#:password: 'password'
|
||||
|
||||
# Ldap authentication method
|
||||
:auth_method: :simple
|
||||
# Ldap authentication method
|
||||
:auth_method: :simple
|
||||
|
||||
# Ldap server
|
||||
:host: localhost
|
||||
:port: 389
|
||||
# Ldap server
|
||||
:host: localhost
|
||||
:port: 389
|
||||
|
||||
# base hierarchy where to search for users and groups
|
||||
:base: 'dc=domain'
|
||||
# base hierarchy where to search for users and groups
|
||||
:base: 'dc=domain'
|
||||
|
||||
# group the users need to belong to. If not set any user will do
|
||||
:group: 'cn=cloud,ou=groups,dc=domain'
|
||||
# group the users need to belong to. If not set any user will do
|
||||
#:group: 'cn=cloud,ou=groups,dc=domain'
|
||||
|
||||
# field that holds the user name, if not set 'cn' will be used
|
||||
:user_field: 'cn'
|
||||
# field that holds the user name, if not set 'cn' will be used
|
||||
:user_field: 'cn'
|
||||
|
||||
# for Active Directory use this user_field instead
|
||||
#:user_field: 'sAMAccountName'
|
||||
|
||||
# this example server wont be called as it is not in the :order list
|
||||
server 2:
|
||||
:auth_method: :simple
|
||||
:host: localhost
|
||||
:port: 389
|
||||
:base: 'dc=domain'
|
||||
#:group: 'cn=cloud,ou=groups,dc=domain'
|
||||
:user_field: 'cn'
|
||||
|
||||
|
||||
# List the order the servers are queried
|
||||
:order:
|
||||
- server 1
|
||||
#- server 2
|
||||
|
@ -30,6 +30,8 @@ $: << RUBY_LIB_LOCATION+"/cli"
|
||||
require 'command_parser'
|
||||
require 'one_helper/oneuser_helper'
|
||||
|
||||
require 'uri'
|
||||
|
||||
cmd=CommandParser::CmdParser.new(ARGV) do
|
||||
usage "`oneuser` <command> [<args>] [<options>]"
|
||||
version OpenNebulaHelper::ONE_VERSION
|
||||
@ -336,4 +338,21 @@ cmd=CommandParser::CmdParser.new(ARGV) do
|
||||
helper.show_resource(user,options)
|
||||
end
|
||||
|
||||
show_desc = <<-EOT.unindent
|
||||
Encodes user and password to use it with ldap
|
||||
EOT
|
||||
|
||||
command :encode, show_desc, :username, [:password, nil] do
|
||||
ar=args.compact
|
||||
|
||||
if defined?(URI::Parser)
|
||||
parser=URI::Parser.new
|
||||
else
|
||||
parser=URI
|
||||
end
|
||||
|
||||
puts ar.map{|a| parser.escape(a) }.join(':')
|
||||
|
||||
0
|
||||
end
|
||||
end
|
||||
|
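Review bot: `show_desc` is reused for the `encode` command's description, so the local presumably shadows the description of the `show` command defined just above it; name it `encode_desc` to keep the two distinct. `parser.escape(a)` with the default unsafe set leaves `:` unencoded (`URI::UNSAFE` treats `:` as safe), so a username or password containing `:` survives into the `user:password` output and is ambiguous to anything that splits on that character — pass an explicit unsafe pattern or confirm the consumer tolerates it. Taking the password as a positional argument also leaves it in shell history and the process list; reading it from the terminal when the second argument is omitted would avoid that. The block would also read better with the usual spacing, `ar.map { |a| parser.escape(a) }.join(':')`.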