<div dir="ltr">Thanks! Now it&#39;s working!<div><br></div><div>The problem was the absence of the line:</div><div><br></div><div><div>pool.default.auth.type = simple</div><div><br></div><div>It&#39;s strange, I thought that the default auth type was set to simple and I didn&#39;t check it twice. After setting that, the problem has to do with an incorrect user/password, which is our problem because of the schema we are using (migrated from a NIS some time ago).</div><div><br></div><div>The openldap_example.properties was actually a copy of openldap.properties; I did it that way to customize it to our schema, but at first it was a carbon copy of the original.</div><div><br></div><div>Thanks again!</div><div><br>Bruno<br><div><br></div><div><br></div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jan 15, 2015 at 10:43 AM, Ondra Machacek <span dir="ltr">&lt;<a href="mailto:omachace@redhat.com" target="_blank">omachace@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 01/15/2015 10:36 AM, Alon Bar-Lev wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
<br>
----- Original Message -----<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
From: &quot;Bruno Rodriguez&quot; &lt;<a href="mailto:bruno@pic.es" target="_blank">bruno@pic.es</a>&gt;<br>
To: &quot;Ondra Machacek&quot; &lt;<a href="mailto:omachace@redhat.com" target="_blank">omachace@redhat.com</a>&gt;<br>
Cc: &quot;Esther Accion&quot; &lt;<a href="mailto:esthera@pic.es" target="_blank">esthera@pic.es</a>&gt;, <a href="mailto:users@ovirt.org" target="_blank">users@ovirt.org</a><br>
Sent: Thursday, January 15, 2015 11:20:57 AM<br>
Subject: Re: [ovirt-users] Error authenticating bind using the AAA OpenLDAP     module<br>
<br>
Thank you very much,<br>
<br>
using the following <a href="http://ldap.example.org" target="_blank">ldap.example.org</a> file:<br>
<br>
---------------------<br>
<br>
include = &lt;openldap_example.properties&gt;<br>
include = &lt;rfc2307.properties&gt;<br>
</blockquote>
<br>
what do you have in openldap_example.properties?<br>
</blockquote>
<br></span>
It seems you have specified anonymous bind in openldap_example.properties. You should probably try it with the original one (openldap.properties).<div class="HOEnZb"><div class="h5"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
vars.server = ldap1.example.org<br>
#vars.user = cn=authenticate,ou=System,dc=example,dc=org<br>
#vars.password = XXXXXXXXX<br>
</blockquote>
<br>
why have you commented out the vars?<br>
you should have just removed the quotes from vars.password and kept the lines below as-is.<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
pool.default.serverset.single.server = ${global:vars.server}<br>
pool.default.auth.simple.bindDN = cn=authenticate,ou=System,dc=example,dc=org<br>
pool.default.auth.simple.password = XXXXXXXXX<br>
<br>
pool.default.ssl.startTLS = true<br>
pool.default.ssl.truststore.file = /etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks<br>
pool.default.ssl.truststore.password = XXXXXXXXX<br>
<br>
---------------------<br>
<br>
Then I get the following in the engine log:<br>
<br>
<br>
2015-01-15 10:04:15,250 ERROR<br>
[org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]<br>
(ajp--127.0.0.1-8702-3) Error during CanDoActionFailure.: Class: class<br>
org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException<br>
Input:<br>
{Extkey[name=AAA_AUTHN_CREDENTIALS;type=class<br>
java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-4bb5-4592-8167-810a5c909706];]=***,<br>
Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class<br>
org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class<br>
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0,<br>
Extkey[name=EXTENSION_LICENSE;type=class<br>
java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL<br>
2.0, Extkey[name=EXTENSION_NOTES;type=class<br>
java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display<br>
name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6,<br>
Extkey[name=EXTENSION_HOME_URL;type=class<br>
java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]=http://www.ovirt.org, Extkey[name=EXTENSION_LOCALE;type=class<br>
java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US,<br>
Extkey[name=EXTENSION_NAME;type=class<br>
java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn,<br>
Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class<br>
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0,<br>
Extkey[name=EXTENSION_CONFIGURATION;type=class<br>
java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***,<br>
Extkey[name=EXTENSION_AUTHOR;type=class<br>
java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The<br>
oVirt Project, Extkey[name=EXTENSION_INSTANCE_NAME;type=class<br>
java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=authn-ldap.example.org,<br>
Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class<br>
java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0,<br>
Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface<br>
java.util.Collection;uuid=EXTENSION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[],<br>
Extkey[name=AAA_AUTHN_CAPABILITIES;type=class<br>
java.lang.Long;uuid=AAA_AUTHN_CAPABILITIES[9d16bee3-10fd-46f2-83f9-3d3c54cf258d];]=12,<br>
Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class<br>
org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*,<br>
Extkey[name=EXTENSION_VERSION;type=class<br>
java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8-8239-4bdb-ab1a-af9f779ce68c];]=1.0.0,<br>
Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface<br>
org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.impl.Slf4jLogger(org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authn.authn-ldap.example.org), Extkey[name=EXTENSION_PROVIDES;type=interface<br>
java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.extensions.aaa.Authn]},<br>
Extkey[name=AAA_AUTHN_USER;type=class<br>
java.lang.String;uuid=AAA_AUTHN_USER[1ceaba26-1bdc-4663-a3c6-5d926f9dd8f0];]=bruno,<br>
Extkey[name=EXTENSION_INVOKE_COMMAND;type=class<br>
org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHN_AUTHENTICATE_CREDENTIALS[d9605c75-6b43-4b00-b32c-06bdfa80244c]}<br>
Output:<br>
{Extkey[name=EXTENSION_INVOKE_RESULT;type=class<br>
java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2,<br>
Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class<br>
java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=anonymous bind disallowed}<br>
</blockquote>
<br>
error: anonymous bind disallowed<br>
<br>
can you please enable debug per what I instructed last time and send a complete log?<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
-----------------------------------<br>
<br>
And this is the ldap connection log:<br>
<br>
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 fd=114 ACCEPT from IP=192.168.XX.XX:41469 (IP=0.0.0.0:389)<br>
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0 EXT oid=1.3.6.1.4.1.1466.20037<br>
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0 STARTTLS<br>
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0 RESULT oid= err=0 text=<br>
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 fd=114 TLS established tls_ssf=128 ssf=128<br>
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 BIND dn=&quot;cn=authenticate,ou=System,dc=example,dc=org&quot; method=128<br>
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 BIND dn=&quot;cn=authenticate,ou=System,dc=example,dc=org&quot; mech=SIMPLE ssf=0<br>
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 RESULT tag=97 err=0 text=<br>
<br>
-----------------------------------<br>
<br>
It looks like it got the dn correctly but it&#39;s unable to bind anyway ...<br>
<br>
Thank you,<br>
<br>
Bruno<br>
<br>
<br>
On Wed, Jan 14, 2015 at 5:50 PM, Ondra Machacek &lt; <a href="mailto:omachace@redhat.com" target="_blank">omachace@redhat.com</a> &gt;<br>
wrote:<br>
<br>
<br>
Hi,<br>
<br>
On 01/14/2015 04:53 PM, Bruno Rodriguez wrote:<br>
<br>
<br>
Good afternoon,<br>
<br>
We cannot access oVirt using LDAP authentication against our OpenLDAP<br>
server. We created the following files in /etc/ovirt-engine/extensions.d<br>
(the organization name is not example.org and the<br>
passwords are not XXXXXXXX, obviously):<br>
<br>
----------- /etc/ovirt-engine/extensions.d/ldap.example.org -----------<br>
<br>
include = &lt;openldap_example.properties&gt;<br>
<br>
vars.server = ldap1.example.org<br>
vars.user = cn=authenticate,ou=System,dc=example,dc=org<br>
vars.password = &quot;XXXXXXXX&quot;<br>
<br>
pool.default.serverset.single.server = ${global:vars.server}<br>
pool.default.auth.simple.bindDN = ${global:vars.user}<br>
pool.default.auth.simple.password = ${global:vars.password}<br>
<br>
pool.default.ssl.startTLS = true<br>
pool.default.ssl.truststore.file = /etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks<br>
pool.default.ssl.truststore.password = XXXXXXXX<br>
<br>
----------- /etc/ovirt-engine/extensions.d/authn-ldap.example.org.properties -----------<br>
<br>
ovirt.engine.extension.name = authn-ldap.example.org<br>
ovirt.engine.extension.bindings.method = jbossmodule<br>
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap<br>
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension<br>
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn<br>
<br>
ovirt.engine.aaa.authn.profile.name = ldap.example.org<br>
ovirt.engine.aaa.authn.authz.plugin = authz-ldap.example.org<br>
<br>
config.profile.file.1 = /etc/ovirt-engine/extensions.d/ldap.example.org<br>
<br>
----------- /etc/ovirt-engine/extensions.d/authz-ldap.example.org.properties -----------<br>
<br>
ovirt.engine.extension.name = authz-ldap.example.org<br>
ovirt.engine.extension.bindings.method = jbossmodule<br>
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap<br>
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension<br>
<br>
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz<br>
config.profile.file.1 = /etc/ovirt-engine/extensions.d/ldap.example.org<br>
<br>
------------------------------------------------<br>
<br>
After all of this we restarted the service and tried to access via the<br>
administration portal. The JKS has the right permissions and contains<br>
the TLS CA, the password is correct and the user &quot;esthera&quot; exists. But<br>
when we try to log in, we obtain the following error in the engine.log<br>
(we already set the verbosity to ALL):<br>
<br>
------------------------------------------------<br>
<br>
2015-01-14 16:35:25,750 ERROR<br>
[org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]<br>
(ajp--127.0.0.1-8702-6) Error during CanDoActionFailure.: Class: class<br>
org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException<br>
Input:<br>
{Extkey[name=AAA_AUTHN_CREDENTIALS;type=class<br>
java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-4bb5-4592-8167-810a5c909706];]=***,<br>
Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class<br>
org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class<br>
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0,<br>
Extkey[name=EXTENSION_LICENSE;type=class<br>
java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL<br>
2.0, Extkey[name=EXTENSION_NOTES;type=class<br>
java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display<br>
name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6,<br>
Extkey[name=EXTENSION_HOME_URL;type=class<br>
java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]=http://www.ovirt.org, Extkey[name=EXTENSION_LOCALE;type=class<br>
java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US,<br>
Extkey[name=EXTENSION_NAME;type=class<br>
java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn,<br>
Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class<br>
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0,<br>
Extkey[name=EXTENSION_CONFIGURATION;type=class<br>
java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***,<br>
Extkey[name=EXTENSION_AUTHOR;type=class<br>
java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The<br>
oVirt Project, Extkey[name=EXTENSION_INSTANCE_NAME;type=class<br>
java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=authn-ldap.example.org,<br>
Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class<br>
java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0,<br>
Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface<br>
java.util.Collection;uuid=EXTENSION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[],<br>
Extkey[name=AAA_AUTHN_CAPABILITIES;type=class<br>
java.lang.Long;uuid=AAA_AUTHN_CAPABILITIES[9d16bee3-10fd-46f2-83f9-3d3c54cf258d];]=12,<br>
Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class<br>
org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*,<br>
Extkey[name=EXTENSION_VERSION;type=class<br>
java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8-8239-4bdb-ab1a-af9f779ce68c];]=1.0.0,<br>
Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface<br>
org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.impl.Slf4jLogger(org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authn.authn-ldap.example.org), Extkey[name=EXTENSION_PROVIDES;type=interface<br>
java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.extensions.aaa.Authn]},<br>
Extkey[name=AAA_AUTHN_USER;type=class<br>
java.lang.String;uuid=AAA_AUTHN_USER[1ceaba26-1bdc-4663-a3c6-5d926f9dd8f0];]=esthera,<br>
Extkey[name=EXTENSION_INVOKE_COMMAND;type=class<br>
org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHN_AUTHENTICATE_CREDENTIALS[d9605c75-6b43-4b00-b32c-06bdfa80244c]}<br>
Output:<br>
{Extkey[name=EXTENSION_INVOKE_RESULT;type=class<br>
java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2,<br>
Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class<br>
java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=invalid credentials}<br>
<br>
------------------------------------------------<br>
<br>
Having a look at the LDAP log we see that there is an &quot;invalid<br>
credentials&quot; error while binding, but we are sure that the bind password<br>
is the right one. We already tried to set the bind password without<br>
quotes, but then the DN user appears as an empty string (&quot;&quot;)<br>
<br>
I think problem is here. That&#39;s really strange, you have to use the password<br>
without quotes.<br>
<br>
Can you please try to set:<br>
pool.default.auth.simple.bindDN = cn=authenticate,ou=System,dc=example,dc=org<br>
pool.default.auth.simple.password = XXXXXX<br>
<br>
just without the variables. if the DN is not empty now.<br>
<br>
<br>
<br>
<br>
------------------------------------------------<br>
<br>
[root@ldap1 ~]# grep $(grep 192.168.XX.X /var/log/ldap.log | tail -n 1 | cut -d: -f4 | cut -d&#39; &#39; -f2) /var/log/ldap.log<br>
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 ACCEPT from IP=192.168.XX.X:39501 (IP=0.0.0.0:389)<br>
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 EXT oid=1.3.6.1.4.1.1466.20037<br>
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 STARTTLS<br>
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 RESULT oid= err=0 text=<br>
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 TLS established tls_ssf=128 ssf=128<br>
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 BIND dn=&quot;cn=authenticate,ou=System,dc=example,dc=org&quot; method=128<br>
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 RESULT tag=97 err=49 text=<br>
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=2 UNBIND<br>
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 closed<br>
<br>
------------------------------------------------<br>
<br>
By the way, the Ovirt manager (ovmgr) machine can query correctly the<br>
openldap server and retrieves everything OK<br>
<br>
------------------------------------------------<br>
<br>
[root@ovmgr extensions.d]# ldapsearch -ZZ -D cn=authenticate,ou=System,dc=example,dc=org -W<br>
Enter LDAP Password:<br>
# extended LDIF<br>
#<br>
# LDAPv3<br>
# base &lt;dc=example,dc=org&gt; (default) with scope subtree<br>
# filter: (objectclass=*)<br>
# requesting: ALL<br>
#<br>
<br>
# pic.es<br>
dn: dc=example,dc=org<br>
dc: pic<br>
objectClass: top<br>
objectClass: domain<br>
<br>
------------------------------------------------<br>
<br>
Did anybody have a similar problem? Is there anything that we didn&#39;t check?<br>
<br>
Thanks in advance !<br>
<br>
--<br>
Bruno Rodríguez Rodríguez<br>
<br>
--<br>
Bruno Rodríguez Rodríguez<br>
<br>
PIC (Port d&#39;Informació Científica)<br>
Campus UAB, Edificio D<br>
E-08193 Bellaterra, Barcelona<br>
Tel: <a href="tel:%2B34%2093%20581%2033%2022" value="+34935813322" target="_blank">+34 93 581 33 22</a><br>
<br>
&quot;Si algo me ha enseñado el tetris, es que los errores se acumulan y los<br>
triunfos desaparecen&quot;<br>
</blockquote></blockquote>
</div></div></blockquote></div>
</div>
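<div>An added example, not part of the original thread and not oVirt project code: a small linter for a profile file like the ones quoted above, flagging the two conditions the thread ran into (a quoted password behind <code>err=49</code>, and bind credentials set without <code>pool.default.auth.type = simple</code>). It goes slightly beyond the thread by also flagging undefined <code>${global:...}</code> references and a simple bind without StartTLS. Assumptions: only property keys that appear in the thread are used, <code>include</code> files are not followed, and the finding names and sample profiles are constructed for this example.</div>

```python
import re

# Constructed profiles modelled on the configurations quoted in the thread.
FIRST_ATTEMPT = """\
include = <openldap_example.properties>
vars.server = ldap1.example.org
vars.user = cn=authenticate,ou=System,dc=example,dc=org
vars.password = "XXXXXXXX"
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.ssl.startTLS = true
"""

SECOND_ATTEMPT = """\
include = <openldap_example.properties>
include = <rfc2307.properties>
vars.server = ldap1.example.org
#vars.user = cn=authenticate,ou=System,dc=example,dc=org
#vars.password = XXXXXXXXX
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = cn=authenticate,ou=System,dc=example,dc=org
pool.default.auth.simple.password = XXXXXXXXX
pool.default.ssl.startTLS = true
"""

# The line the thread identifies as missing, appended to the second attempt.
WORKING = SECOND_ATTEMPT + "pool.default.auth.type = simple\n"

VAR_REF = re.compile(r"\$\{global:([^}]+)\}")
SIMPLE_PREFIX = "pool.default.auth.simple."


def parse_properties(text):
    """Return key/value pairs; comments and include directives are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() != "include":
            props[key.strip()] = value.strip()
    return props


def resolve(props, value):
    """Expand ${global:name} references that are defined in this file."""
    return VAR_REF.sub(lambda m: props.get(m.group(1), m.group(0)), value)


def lint_profile(text):
    """Return a list of finding codes for one profile file (includes ignored)."""
    props = parse_properties(text)
    simple_keys = [k for k in props if k.startswith(SIMPLE_PREFIX)]
    findings = []
    if not simple_keys:
        return findings
    # Bind DN/password are configured but simple auth is not selected here.
    if props.get("pool.default.auth.type") != "simple":
        findings.append("auth-type-not-simple")
    for key in simple_keys:
        # A reference to a commented-out or missing variable cannot be filled in.
        for name in VAR_REF.findall(props[key]):
            if name not in props:
                findings.append("undefined-variable:" + name)
        # Quotes are part of the value, so a quoted password is a wrong password.
        value = resolve(props, props[key])
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            findings.append("quoted-value:" + key)
    # A simple bind sends the password itself; flag it when StartTLS is not on.
    if props.get("pool.default.ssl.startTLS", "").lower() != "true":
        findings.append("starttls-not-enabled")
    return findings


if __name__ == "__main__":
    for name in ("FIRST_ATTEMPT", "SECOND_ATTEMPT", "WORKING"):
        print(name, lint_profile(globals()[name]))
```

<div>A finding of <code>auth-type-not-simple</code> only means the key is absent from the file that was checked; an included file may still set it, so the included file should be checked the same way.</div>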