<div dir="ltr"><div>Good afternoon,</div><div><br></div><div>We cannot access oVirt using LDAP authentication against our OpenLDAP server. We created the following files in /etc/ovirt-engine/extensions.d (the organization name is not example.org and the passwords are not XXXXXXXX, obviously):</div><div><br></div><div>----------- /etc/ovirt-engine/extensions.d/ldap.example.org -----------</div><div><br></div><pre>include = &lt;openldap_example.properties&gt;

vars.server = ldap1.example.org
vars.user = cn=authenticate,ou=System,dc=example,dc=org
vars.password = "XXXXXXXX"

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = /etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
pool.default.ssl.truststore.password = XXXXXXXX
</pre><div><br></div><div>----------- /etc/ovirt-engine/extensions.d/authn-ldap.example.org.properties -----------</div><div><br></div><pre>ovirt.engine.extension.name = authn-ldap.example.org
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn

ovirt.engine.aaa.authn.profile.name = ldap.example.org
ovirt.engine.aaa.authn.authz.plugin = authz-ldap.example.org

config.profile.file.1 = /etc/ovirt-engine/extensions.d/ldap.example.org
</pre><div><br></div><div>----------- /etc/ovirt-engine/extensions.d/authz-ldap.example.org.properties -----------</div><div><br></div><pre>ovirt.engine.extension.name = authz-ldap.example.org
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension

ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/extensions.d/ldap.example.org
</pre><div><br></div><div>------------------------------------------------</div><div><br></div><div>After all of this, we restarted the service and tried to access it via the administration portal. The JKS has the right permissions and contains the TLS CA, the password is correct and the user "esthera" exists. But when we try to log in, we obtain the following error in engine.log (we already set the verbosity to ALL):</div><div><br></div><div>------------------------------------------------</div><div><br></div><pre>2015-01-14 16:35:25,750 ERROR [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-6) Error during CanDoActionFailure.: Class: class org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException
Input:
{Extkey[name=AAA_AUTHN_CREDENTIALS;type=class java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-4bb5-4592-8167-810a5c909706];]=***, Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0, Extkey[name=EXTENSION_LICENSE;type=class java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL 2.0,
Extkey[name=EXTENSION_NOTES;type=class java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6, Extkey[name=EXTENSION_HOME_URL;type=class java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]=http://www.ovirt.org, Extkey[name=EXTENSION_LOCALE;type=class java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US, Extkey[name=EXTENSION_NAME;type=class java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn, Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0, Extkey[name=EXTENSION_CONFIGURATION;type=class java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***,
Extkey[name=EXTENSION_AUTHOR;type=class java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The oVirt Project, Extkey[name=EXTENSION_INSTANCE_NAME;type=class java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=authn-ldap.example.org, Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0, Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface java.util.Collection;uuid=EXTENSION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[], Extkey[name=AAA_AUTHN_CAPABILITIES;type=class java.lang.Long;uuid=AAA_AUTHN_CAPABILITIES[9d16bee3-10fd-46f2-83f9-3d3c54cf258d];]=12, Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*,
Extkey[name=EXTENSION_VERSION;type=class java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8-8239-4bdb-ab1a-af9f779ce68c];]=1.0.0, Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.impl.Slf4jLogger(org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authn.authn-ldap.example.org), Extkey[name=EXTENSION_PROVIDES;type=interface java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.extensions.aaa.Authn]}, Extkey[name=AAA_AUTHN_USER;type=class java.lang.String;uuid=AAA_AUTHN_USER[1ceaba26-1bdc-4663-a3c6-5d926f9dd8f0];]=esthera, Extkey[name=EXTENSION_INVOKE_COMMAND;type=class org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHN_AUTHENTICATE_CREDENTIALS[d9605c75-6b43-4b00-b32c-06bdfa80244c]}
Output:
{Extkey[name=EXTENSION_INVOKE_RESULT;type=class java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2, Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=invalid credentials}
</pre><div><br></div><div>------------------------------------------------</div><div><br></div><div>Looking at the LDAP log, we see that there is an "invalid credentials" error while binding, but we are sure that the bind password is the right one. We already tried setting the bind password without quotes, but then the user DN appears as an empty string ("").</div><div><br></div><div>------------------------------------------------</div><div><br></div><pre>[root@ldap1 ~]# grep $(grep 192.168.XX.X /var/log/ldap.log | tail -n 1 | cut -d: -f4 | cut -d\ -f2) /var/log/ldap.log
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 ACCEPT from IP=192.168.XX.X:39501 (IP=0.0.0.0:389)
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 STARTTLS
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 RESULT oid= err=0 text=
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 TLS established tls_ssf=128 ssf=128
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" method=128
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 RESULT tag=97 err=49 text=
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=2 UNBIND
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 closed
</pre><div><br></div><div>------------------------------------------------</div><div><br></div><div>By the way, the oVirt manager (ovmgr) machine can query the OpenLDAP server correctly and retrieves everything OK:</div><div><br></div><div>------------------------------------------------</div><div><br></div><pre>[root@ovmgr extensions.d]# ldapsearch -ZZ -D cn=authenticate,ou=System,dc=example,dc=org -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base &lt;dc=example,dc=org&gt; (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# pic.es
dn: dc=example,dc=org
dc: pic
objectClass: top
objectClass: domain
</pre><div><br></div><div>------------------------------------------------</div><div><br></div><div>Did anybody have a similar problem? Is there anything that we didn't check?</div><div><br></div><div>Thanks in advance!</div><div><br></div>-- <br><div class="gmail_signature"><div>Bruno Rodríguez Rodríguez</div><div><br></div></div>
</div>
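Added example, not part of Bruno's message and not code from the oVirt project: a small Python script that does the two offline checks a practitioner would run on a report like this one. It reads a profile laid out like the ldap.example.org file above with a java.util.Properties-style reader (which keeps quote characters as part of the value, so a line such as `vars.password = "XXXXXXXX"` makes the engine bind with the quotes included), expands the `${global:...}` references, and flags bind credentials that resolve to an empty string or to a quoted value. It then correlates the slapd BIND/RESULT pairs from log lines like the ones above to report which DN failed with err=49 and whether STARTTLS was established first. The sample profile and log lines are constructed copies of the post with placeholder values; resolving `${global:...}` against keys in the same file is an assumption made for this example, and the `include` directive and backslash escapes are not handled.

```python
"""Offline checks for an oVirt aaa-ldap profile whose simple bind fails with err=49.

Added example; not code from the original post or from the oVirt project.
"""
import re
from typing import Dict, List

# Constructed sample profile, laid out like the ldap.example.org file in the post
# (placeholder password; the quotes are kept on purpose to show what the engine sends).
SAMPLE_PROFILE = """\
include = <openldap_example.properties>

vars.server = ldap1.example.org
vars.user = cn=authenticate,ou=System,dc=example,dc=org
vars.password = "XXXXXXXX"

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = /etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
pool.default.ssl.truststore.password = XXXXXXXX
"""

# Constructed slapd log lines, copied from the post with a placeholder client address.
SAMPLE_SLAPD_LOG = """\
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 ACCEPT from IP=192.0.2.10:39501 (IP=0.0.0.0:389)
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 STARTTLS
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 RESULT oid= err=0 text=
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 TLS established tls_ssf=128 ssf=128
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" method=128
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 RESULT tag=97 err=49 text=
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=2 UNBIND
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 closed
""".splitlines()

GLOBAL_REF = re.compile(r"\$\{global:([^}]+)\}")
OP_LINE = re.compile(r"conn=(\d+) (?:op=(\d+) )?(\S+)(.*)")
ERR_NAMES = {0: "bind ok", 49: "invalidCredentials (wrong password or unknown DN)"}
CRED_KEYS = ("pool.default.auth.simple.bindDN", "pool.default.auth.simple.password")


def parse_profile(text: str) -> Dict[str, str]:
    """java.util.Properties-style reader: the first '=' splits key and value, surrounding
    whitespace is trimmed, quote characters are kept verbatim. Backslash escapes and the
    'include' directive are deliberately not handled in this example."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def resolve_profile(text: str) -> Dict[str, str]:
    """Expand ${global:key} references (assumption: 'global' keys live in the same file)."""
    props = parse_profile(text)
    return {k: GLOBAL_REF.sub(lambda m: props.get(m.group(1), ""), v) for k, v in props.items()}


def bind_credential_issues(resolved: Dict[str, str]) -> List[str]:
    """Flag bind credentials the engine would send verbatim that were probably not intended."""
    issues = []
    for key in CRED_KEYS:
        value = resolved.get(key, "")
        if value == "":
            issues.append(f"{key}: resolves to an empty string (missing or misspelled ${{global:...}} target)")
        elif len(value) > 1 and value[0] in "\"'" and value[-1] == value[0]:
            issues.append(f"{key}: wrapped in {value[0]} characters, which are sent as part of the value")
    return issues


def audit_slapd_log(lines: List[str]) -> Dict[str, dict]:
    """Correlate each connection's STARTTLS and BIND/RESULT pairs and classify the outcome."""
    conns: Dict[str, dict] = {}
    pending_bind = set()  # (conn, op) of BIND requests still waiting for their RESULT
    for line in lines:
        m = OP_LINE.search(line)
        if not m:
            continue
        conn, op, kind, rest = m.groups()
        state = conns.setdefault(conn, {"tls": False, "bind_dn": None, "bind_err": None})
        if "TLS established" in line:
            state["tls"] = True
        elif kind == "BIND":
            dn = re.search(r'dn="([^"]*)"', rest)
            state["bind_dn"] = dn.group(1) if dn else ""
            pending_bind.add((conn, op))
        elif kind == "RESULT" and (conn, op) in pending_bind:
            pending_bind.discard((conn, op))
            err = re.search(r"err=(\d+)", rest)
            state["bind_err"] = int(err.group(1)) if err else None
    for state in conns.values():
        state["verdict"] = ERR_NAMES.get(state["bind_err"], f"err={state['bind_err']}")
    return conns


if __name__ == "__main__":
    resolved = resolve_profile(SAMPLE_PROFILE)
    for key in CRED_KEYS:
        print(f"{key} = {resolved[key]!r}")
    for issue in bind_credential_issues(resolved):
        print("WARNING:", issue)
    for conn, state in audit_slapd_log(SAMPLE_SLAPD_LOG).items():
        print(f"conn={conn} tls={state['tls']} dn={state['bind_dn']!r} -> {state['verdict']}")
```

Running it as-is prints the resolved bind DN and password with repr(), so stray quote characters are visible, followed by one verdict per slapd connection; to check a real deployment, read the profile file and the slapd log from disk and pass them to the same functions. Note that slapd returns err=49 both for a wrong password and for a bind DN that does not exist, so the server log alone cannot tell the two apart; the client-side value the engine actually sends is the thing to confirm.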