Active Directory group mapping?


(Vadim Tsaplin) #1

Hello, I’ve seen the documentation http://docs.opennebula.org/4.14/administration/authentication/ldap.html, but I haven’t understood Active Directory group mapping.
I’ve found:

:group parameter is still not supported for Active Directory, leave it commented.

And my question: is group mapping for Active Directory working? If it works, where and how do I create the mapping?
I’ve tried adding this to the file server1.yml, as set in :mapping_filename

CN=cloud-admin,OU=AccessGroups,DC=domain,DC=ru: '0'

And when I create a user with LDAP in the Frontend, I see only the default mapping (:mapping_default: 1)


(Javi Fontán) #2

Group mapping works with Active Directory. Here is the configuration I have on my machine:

$ onegroup show test | grep GROUP_DN
GROUP_DN="CN=cloud,CN=Groups,DC=opennebula,DC=org"
$ grep -v '^$' ldap_auth.conf | grep -v '^ *#'                
server 1:
    :user: 'Administrator@opennebula.org'
    :password: '*******'
    :auth_method: :simple
    :host: domain.server
    :port: 389
    :base: 'dc=opennebula,dc=org'
    :user_field: 'sAMAccountName'
    :mapping_generate: true
    :mapping_timeout: 300
    :mapping_filename: server1.yaml
    :mapping_key: GROUP_DN
    :mapping_default: 1
:order:
    - server 1

This is the manual execution of the driver action with a test user in that cloud group and the mapping file that was generated automatically by the driver:

$ $ONE_LOCATION/var/remotes/auth/ldap/authenticate test - test
Trying server server 1
ldap test CN=test%20test,CN=Users,DC=opennebula,DC=org 100
$ cat $ONE_LOCATION/var/server1.yaml
---
CN=cloud,CN=Groups,DC=opennebula,DC=org: '100'

Notice the number 100 in the authentication test. That is the ID of the cloud group, so it is correctly mapped.
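
An added example (not written by any poster in this thread and not the OpenNebula driver's code) for checking why a user lands only in the :mapping_default group: it resolves a user's memberOf DNs against a mapping file in the format shown above, reports DNs that differ from a mapping key only by case or spacing, and lists keys mapped to group 0 (oneadmin) so they can be reviewed. It assumes a memberOf value must equal a mapping key exactly; the function names and the sample memberOf values are constructed for illustration.

```ruby
require 'yaml'

# Constructed sample mapping file; the DNs reuse the examples from this thread.
MAPPING_YAML = <<~YAML
  ---
  CN=cloud,CN=Groups,DC=opennebula,DC=org: '100'
  CN=cloud-admin,OU=AccessGroups,DC=domain,DC=ru: '0'
YAML

# Normalise a DN for near-miss detection only:
# lower-case it and drop spaces around ',' and '='.
def normalize_dn(dn)
  dn.strip.downcase.gsub(/\s*([,=])\s*/, '\1')
end

# Returns { groups:, near_misses:, admin_keys: }.
# Assumption: a group is mapped only when memberOf equals a mapping key exactly.
def resolve_groups(mapping, member_of, default_gid)
  groups  = member_of.map { |dn| mapping[dn] }.compact.uniq
  by_norm = mapping.keys.map { |k| [normalize_dn(k), k] }.to_h
  # memberOf values that miss exactly but match a key after normalisation
  near = member_of.reject { |dn| mapping.key?(dn) }
                  .select { |dn| by_norm.key?(normalize_dn(dn)) }
  # Group 0 is oneadmin in OpenNebula; list those keys for review.
  admin = mapping.select { |_, gid| gid.to_s == '0' }.keys
  groups = [default_gid.to_s] if groups.empty?
  { groups: groups, near_misses: near, admin_keys: admin }
end

# Hypothetical helper: audit a user's memberOf list against the sample file.
def audit(member_of, default_gid = 1)
  resolve_groups(YAML.safe_load(MAPPING_YAML), member_of, default_gid)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed memberOf values for two test users.
  p audit(['CN=cloud,CN=Groups,DC=opennebula,DC=org'])
  p audit(['cn=Cloud-Admin, ou=AccessGroups, dc=domain, dc=ru'])
end
```

With :mapping_generate: true, as in the configuration above, the mapping file is generated by the driver from the groups' GROUP_DN attribute, so run the check against the generated file rather than a hand-edited copy.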


(Chad Tuttle) #3

Can you add what the filelocation\filename is for these settings changes?