
Merge branch 'feature-1100'

This commit is contained in:
Ruben S. Montero
2012-05-16 22:43:10 +02:00
4 changed files with 119 additions and 33 deletions


@ -32,6 +32,7 @@ $: << RUBY_LIB_LOCATION
require 'scripts_common'
require 'OpenNebulaDriver'
require 'getoptlong'
require 'shellwords'
# This is a generic AuthZ/AuthN driver able to manage multiple authentication
# protocols (simultaneosly). It also supports the definition of custom
@ -110,7 +111,9 @@ class AuthDriver < OpenNebulaDriver
authN_path = File.join(@local_scripts_path, driver)
command = File.join(authN_path, ACTION[:authN].downcase)
command << " '" << user.gsub("'", '\'"\'"\'') << "' '" << password.gsub("'", '\'"\'"\'') << "' " << secret
command << ' ' << ([user, password, secret].map do |p|
Shellwords.escape(p)
end.join(' '))
rc = LocalCommand.run(command, log_method(request_id))
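Review bot: The three credentials are still handed to the authentication script as argv elements appended to `command`, so after this change they are safely quoted but remain readable by any local user through the process table (`ps`, `/proc/*/cmdline`) for as long as the script runs. The enclosing authN method and `LocalCommand.run` start outside the hunk, so how the string is executed is not visible here, but that exposure exists regardless of the shell. If the remote scripts can be changed, passing the values on stdin removes it; otherwise document the trade-off next to the join: `# NOTE: user/password/secret travel as argv and are visible in the process table`.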


@ -1,4 +1,4 @@
#!/usr/bin/ruby
#!/usr/bin/env ruby
# ---------------------------------------------------------------------------- #
# Copyright 2010-2012, C12G Labs S.L #
@ -30,34 +30,77 @@ $: << RUBY_LIB_LOCATION
require 'yaml'
require 'ldap_auth'
require 'uri'
user=ARGV[0]
pass=ARGV[1]
secret=ARGV[2]
if defined?(URI::Parser)
URI_PARSER=URI::Parser.new
else
URI_PARSER=URI
end
user=URI_PARSER.unescape(ARGV[0])
pass=URI_PARSER.unescape(ARGV[1])
secret=URI_PARSER.unescape(ARGV[2])
options=YAML.load(File.read(ETC_LOCATION+'/auth/ldap_auth.conf'))
ldap=LdapAuth.new(options)
order=options[:order]
user_name=ldap.find_user(user)
if !user_name
STDERR.puts "User #{user} not found"
if !order
STDERR.puts ":order value not found, the configuration file could be malformed"
order=options.keys
elsif order.class != Array
STDERR.puts ":order value malformed, must be an Array"
exit(-1)
end
if options[:group]
if !ldap.is_in_group?(user_name, options[:group])
STDERR.puts "User #{user} is not in group #{options[:group]}"
exit(-1)
authenticated=false
order.each do |server_name|
STDERR.puts "Trying server #{server_name}"
server_conf=options[server_name]
if !server_conf
STDERR.puts "Configuration for server not found"
break
end
begin
ldap=LdapAuth.new(server_conf)
user_name=ldap.find_user(user)
if !user_name
STDERR.puts "User #{user} not found"
next
end
if server_conf[:group]
if !ldap.is_in_group?(user_name, server_conf[:group])
STDERR.puts "User #{user} is not in group #{server_conf[:group]}"
next
end
end
if ldap.authenticate(user_name, secret)
escaped_user=URI_PARSER.escape(user_name)
escaped_secret=URI_PARSER.escape(secret)
puts "ldap #{escaped_user} #{escaped_secret}"
authenticated=true
break
else
STDERR.puts "Bad user/password"
end
rescue Exception => e
STDERR.puts "Exception raised authenticating to LDAP"
STDERR.puts e.inspect
STDERR.puts e.backtrace.join("\n")
end # rescue
end
if ldap.authenticate(user_name, secret)
puts "ldap #{user} #{user_name}"
exit(0)
else
STDERR.puts "Bad user/password"
if !authenticated
STDERR.puts "Could not authenticate user #{user}"
exit(-1)
end
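Review bot: Nothing rejects an empty `secret` before `ldap.authenticate(user_name, secret)` inside the server loop; for LDAP simple bind an empty password is an unauthenticated bind that most directory servers accept (RFC 4513 §5.1.2), so unless `LdapAuth#authenticate` (in ldap_auth, not shown here) guards against it, any valid user name would authenticate with no password at all. Add a guard right after the unescaping: `if secret.nil? || secret.empty?` / `STDERR.puts "Empty password"` / `exit(-1)`. Separately, `rescue Exception => e` also swallows `SystemExit` and `Interrupt`; `rescue StandardError => e` is what is meant, and printing `e.inspect` plus the full backtrace to stderr may echo the bind DN or password from the server configuration if the LDAP library includes them in the message, so logging `e.message` alone is the safer default.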


@ -14,22 +14,43 @@
# limitations under the License. #
# ---------------------------------------------------------------------------- #
# Ldap user able to query, if not set connects as anonymous
#:user: 'admin'
#:password: 'password'
server 1:
# Ldap user able to query, if not set connects as anonymous. For
# Active Directory append the domain name. Example:
# Administrator@my.domain.com
#:user: 'admin'
#:password: 'password'
# Ldap authentication method
:auth_method: :simple
# Ldap authentication method
:auth_method: :simple
# Ldap server
:host: localhost
:port: 389
# Ldap server
:host: localhost
:port: 389
# base hierarchy where to search for users and groups
:base: 'dc=domain'
# base hierarchy where to search for users and groups
:base: 'dc=domain'
# group the users need to belong to. If not set any user will do
:group: 'cn=cloud,ou=groups,dc=domain'
# group the users need to belong to. If not set any user will do
#:group: 'cn=cloud,ou=groups,dc=domain'
# field that holds the user name, if not set 'cn' will be used
:user_field: 'cn'
# field that holds the user name, if not set 'cn' will be used
:user_field: 'cn'
# for Active Directory use this user_field instead
#:user_field: 'sAMAccountName'
# this example server wont be called as it is not in the :order list
server 2:
:auth_method: :simple
:host: localhost
:port: 389
:base: 'dc=domain'
#:group: 'cn=cloud,ou=groups,dc=domain'
:user_field: 'cn'
# List the order the servers are queried
:order:
- server 1
#- server 2
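Review bot: The sample now ships with `:group:` commented out under both `server 1` and `server 2`, and the comment above it states that without it any user will do, so an installation that copies this file unchanged grants OpenNebula access to every directory account that can bind. Keep the example group enabled, or add a warning beside it: `# SECURITY: without :group every LDAP user that can bind is accepted`. The bind `:password:` also sits in clear text in this file, so a reminder such as `# keep this file readable only by the oneadmin user (chmod 0600)` is worth adding next to it.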


@ -30,6 +30,8 @@ $: << RUBY_LIB_LOCATION+"/cli"
require 'command_parser'
require 'one_helper/oneuser_helper'
require 'uri'
cmd=CommandParser::CmdParser.new(ARGV) do
usage "`oneuser` <command> [<args>] [<options>]"
version OpenNebulaHelper::ONE_VERSION
@ -336,4 +338,21 @@ cmd=CommandParser::CmdParser.new(ARGV) do
helper.show_resource(user,options)
end
show_desc = <<-EOT.unindent
Encodes user and password to use it with ldap
EOT
command :encode, show_desc, :username, [:password, nil] do
ar=args.compact
if defined?(URI::Parser)
parser=URI::Parser.new
else
parser=URI
end
puts ar.map{|a| parser.escape(a) }.join(':')
0
end
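Review bot: `parser.escape(a)` relies on URI's default unsafe set, which leaves `:` (as well as `@`, `/`, `&`, `=`, `+`, `,` and a few others) unescaped, so a username or password containing `:` comes out unchanged and the `user:password` string this command prints stays ambiguous wherever it is later split on `:`. Pass an explicit pattern that encodes everything outside the unreserved set, e.g. `puts ar.map{|a| parser.escape(a, /[^A-Za-z0-9_.\-~]/) }.join(':')`; the unescape side in the ldap driver decodes any `%XX`, so it tolerates the stricter encoding. The password is also taken as an argv element, so it lands in shell history and the process table; prompting for it when the optional argument is omitted would avoid that. The `cmd` parser block continues outside this hunk.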
end