Custom/Kerberos auth - password limitations

Yenya · March 23, 2016, 10:41am

Hello, I am trying to deploy OpenNebula in my local network, where we use Kerberos authentication. I wrote a simple Perl script /var/lib/one/remotes/auth/krb5/authenticate, which works from the command line as expected. I am able to create users in Sunstone (with a dummy password and a custom/krb5 auth method), and they are able to log in. The problem is that it does not work for some users. The users who are not able to log in are those who have spaces in their passwords. The problem is that my …/krb5/authenticate script is not even called for those users.

The unsuccessful login attempts are not logged at all in oned.log, only in sunstone.log:

Wed Mar 23 11:15:45 2016 [E]: User xtest could not be authenticated
Wed Mar 23 11:15:45 2016 [E]: Net::ReadTimeout
Wed Mar 23 11:15:45 2016 [I]: Unauthorized login attempt
Wed Mar 23 11:15:45 2016 [I]: 127.0.0.1 - - [23/Mar/2016:11:15:45 +0100] “POST /login HTTP/1.1” 401 - 30.0181

How can I make Kerberos authentication work with any passwords from the Kerberos database?

Thanks!

dmolina · March 29, 2016, 8:34am

Hi,

There is an option in sunstone-server.conf to encode user passwords:

github.com

OpenNebula/one/blob/master/src/sunstone/etc/sunstone-server.conf#L81


# Enable an http proxy for the support portal and to download MarketPlaceApps
# from the MarketPlace to the user's desktop.
# :proxy: http://<hostname>:<port>


################################################################################
# Auth
################################################################################


# Authentication driver for incoming requests
#   sunstone: for OpenNebula's user-password scheme
#   x509: for x509 certificates based authentication
#   opennebula: the authentication will be done by the opennebula core using the
#     driver defined for the user
#   remote: performs the login based on a Kerberos REMOTE_USER
#
:auth: opennebula


# Authentication driver to communicate with OpenNebula core
#   cipher, for symmetric cipher encryption of tokens
#   x509, for x509 certificate encryption of tokens
#

Cheers

Yenya · March 29, 2016, 9:33am

OK, this helped. I think the comment inside the default sunstone-server.conf should be fixed, though:

it is not for LDAP auth only
s/espaces/spaces/
it does full URL-encoding, not only turning spaces to %20 (percent signs, quotes, etc. are also encoded to %xx).

Thanks!

dmolina · March 30, 2016, 8:37am

Thank you we will fix it.

Topic		Replies	Views
Sunstone with kerberos support Development	0	1442	September 3, 2015
Authentication Failed Community Support	1	75	March 27, 2024
[Solved] Sunstone authentication bad decrypt Community Support	11	3747	October 14, 2016
Authentication to LDAP/AD for Sunstone fails Community Support	9	2055	August 30, 2017
New remote auth for Sunstone PRs Integrations	4	1205	November 18, 2015

Custom/Kerberos auth - password limitations

Related Topics