Authentication Configuration on

Overview

Mon, 17 Feb 2025 00:00:00 +0000

OpenNebula comes with a default internal user authentication system based on username/password, where information and secrets are stored in the OpenNebula (see the Users & Groups Subsystem guide). Dedicated external user authentication drivers can be used to leverage additional authentication mechanisms or sources of information about the users (e.g., LDAP, SAML). This chapter describes the available user authentication and management options.

Authentication

In this figure you can see three authentication configurations you can customize in OpenNebula.

SSH Authentication

Mon, 17 Feb 2025 00:00:00 +0000

This guide will show you how to enable and use the SSH authentication with the OpenNebula CLI with authentication driver ssh. Using this method, users log in to the OpenNebula with a token encrypted with their private SSH keys.

Requirements

No additional installation required.

Considerations & Limitations

This authentication method works only for interaction with OpenNebula over CLI.

Configuration

This authentication mechanism is enabled by default. If it doesn’t work, make sure you have the authentication method ssh enabled in the AUTH_MAD section of your /etc/one/oned.conf. For example:

X.509 Authentication

Mon, 17 Feb 2025 00:00:00 +0000

This guide will show you how to enable and use authentication using X.509 certificates with OpenNebula with authentication driver x509. The X.509 certificates can be used in two different ways in OpenNebula.

The first option that is explained in this guide enables us to use certificates with the CLI. In this case the user will generate a login token with their private key. OpenNebula will validate the certificate and decrypt the token to authenticate the user.

LDAP Authentication

Mon, 17 Feb 2025 00:00:00 +0000

The LDAP Authentication allows users to have the same credentials as in LDAP, effectively centralizing authentication. Enabling it will let any correctly authenticated LDAP user use OpenNebula.

Requirements

You need to have your own LDAP server in the infrastructure. OpenNebula doesn’t contain or configure any LDAP server, it only connects to an existing one. Also, it doesn’t create, delete, or modify any entry in the LDAP server it connects to. The only requirement is the ability to connect to an already running LDAP server, perform a successful ldapbind operation, and have a user able to perform searches of other users. Therefore no special attributes or values are required in the LDIF entry of the authenticating user.

SAML Authentication

Wed, 09 Jul 2025 00:00:00 +0000

The SAML Authentication driver allows users to access OpenNebula by logging in into a trusted SAML Identity Provider, effectively centralizing authentication and allowing Single Sign-On. Enabling it allows OpenNebula to be used as a SAML Service Provider.

Requirements

You need to manage your own SAML Identity Provider. OpenNebula doesn’t contain or configure any SAML Identity Provider, it only receives SAML responses and validates those.

Configuration

This authentication mechanism is enabled by default. If it doesn’t work, make sure you have the authentication method saml enabled in the AUTH_MAD section of your /etc/one/oned.conf. For example:

Sunstone Authentication

Mon, 17 Feb 2025 00:00:00 +0000

By default, Sunstone works with the default core authentication method (user and password) although you can configure any authentication mechanism supported by OpenNebula. In this section, you will learn how to enable other authentication.

Authentication is based on the credentials stored in the OpenNebula database for the user. Depending on the type of these credentials the authentication method can be: remote or opennebula.

The following sections explain Sunstone server authentication methods to the user.