<div dir="ltr"><div>I have configured the simple-sso with Kerberos. I can successfully log in most of the time, but often the login fails and I am dropped at the portal login window and prompted for the internal account username and password. Host is FC 20. Also, adding users in the GMU-authz o=gmu.edu namespace is agonisingly slow returning from the directory lookup.</div><div><br></div><div>I can see from the Apache logs that the Kerberos authentication is successful, but in the engine logs I see many errors:</div><div><br></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">2015-04-09 13:39:28,493 ERROR [org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter] (ajp--127.0.0.1-8702-11) Cannot obtain profile for user aneil2</blockquote></div><div><br></div><div>and eventually:</div><div><br></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">2015-04-09 13:39:28,342 ERROR [org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter] (ajp--127.0.0.1-8702-5) Cannot obtain profile for user aneil2<br>{Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0, Extkey[name=EXTENSION_LICENSE;type=class java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL 2.0, Extkey[name=EXTENSION_NOTES;type=class java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display name: ovirt-engine-extension-aaa-ldap-1.0.2-1.fc20, Extkey[name=EXTENSION_HOME_URL;type=class 
java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]=<a href="http://www.ovirt.org">http://www.ovirt.org</a>, Extkey[name=EXTENSION_LOCALE;type=class java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US, Extkey[name=EXTENSION_NAME;type=class java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authz, Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0, Extkey[name=EXTENSION_CONFIGURATION;type=class java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***, Extkey[name=EXTENSION_AUTHOR;type=class java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The oVirt Project, Extkey[name=AAA_AUTHZ_QUERY_MAX_FILTER_SIZE;type=class java.lang.Integer;uuid=AAA_AUTHZ_QUERY_MAX_FILTER_SIZE[2eb1f541-0f65-44a1-a6e3-014e247595f5];]=50, Extkey[name=EXTENSION_INSTANCE_NAME;type=class java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=GMU-authz, Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0, Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface java.util.Collection;uuid=EXTENSION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[], Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*, Extkey[name=EXTENSION_VERSION;type=class java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8-8239-4bdb-ab1a-af9f779ce68c];]=1.0.2, Extkey[name=AAA_AUTHZ_AVAILABLE_NAMESPACES;type=interface java.util.Collection;uuid=AAA_AUTHZ_AVAILABLE_NAMESPACES[6dffa34c-955f-486a-bd35-0a272b45a711];]=[o=<a href="http://gmu.edu">gmu.edu</a>], 
Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.impl.Slf4jLogger(org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authz.GMU-authz), Extkey[name=EXTENSION_PROVIDES;type=interface java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.extensions.aaa.Authz], Extkey[name=EXTENSION_CONFIGURATION_FILE;type=class java.lang.String;uuid=EXTENSION_CONFIGURATION_FILE[4fb0ffd3-983c-4f3f-98ff-9660bd67af6a];]=/etc/ovirt-engine/extensions.d/GMU-authz.properties}, Extkey[name=AAA_AUTHZ_QUERY_FLAGS;type=class java.lang.Integer;uuid=AAA_AUTHZ_QUERY_FLAGS[97d226e9-8d87-49a0-9a7f-af689320907b];]=3, Extkey[name=EXTENSION_INVOKE_COMMAND;type=class org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHZ_FETCH_PRINCIPAL_RECORD[5a5bf9bb-9336-4376-a823-26efe1ba26df], Extkey[name=AAA_AUTHN_AUTH_RECORD;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=AAA_AUTHN_AUTH_RECORD[e9462168-b53b-44ac-9af5-f25e1697173e];]={Extkey[name=AAA_AUTHN_AUTH_RECORD_PRINCIPAL;type=class java.lang.String;uuid=AAA_AUTHN_AUTH_RECORD_PRINCIPAL[c3498f07-11fe-464c-958c-8bd7490b119a];]=aneil2}}<br>{Extkey[name=EXTENSION_INVOKE_RESULT;type=class java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2, Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=Cannot locate principal &#39;aneil2&#39;}<br>2015-04-09 13:39:28,527 ERROR [org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter] (ajp--127.0.0.1-8702-6) Cannot obtain profile for user aneil2<br>2015-04-09 13:39:28,493 ERROR [org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter] (ajp--127.0.0.1-8702-11) Cannot obtain profile for user aneil2<br>2015-04-09 13:39:28,593 INFO  
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-6) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User aneil2@GMU.EDU@GMU-http logged in.</blockquote></div><div><br></div><div>I suspect the LDAP lookup is not working correctly. Here are the relevant config files:</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">cat /etc/ovirt-engine/aaa/GMU.properties file:</blockquote><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"># Select one<br>#<br>#include = &lt;openldap.properties&gt;<br>#include = &lt;389ds.properties&gt;<br>#include = &lt;rhds.properties&gt;<br>#include = &lt;ipa.properties&gt;<br>include = &lt;iplanet.properties&gt;<br>#include = &lt;rfc2307.properties&gt;<br>#include = &lt;rfc2307-openldap.properties&gt;<br>#<br># Server<br>#<br>vars.server = dirapps.gmu.edu<br>#<br># Search user and its password.<br>#<br>vars.user = uid=proxy,ou=people,o=gmu.edu<br>vars.password = XXXXXXXXXX<br>pool.default.serverset.single.server = ${global:vars.server}<br>pool.default.auth.simple.bindDN = ${global:vars.user}<br>pool.default.auth.simple.password = ${global:vars.password}<br># Create keystore, import certificate chain and uncomment<br># if using ssl/tls.<br>#pool.default.ssl.startTLS = true<br>#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks<br>#pool.default.ssl.truststore.password = changeit</blockquote></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">cat /etc/ovirt-engine/extensions.d/GMU-authz.properties 
<br>ovirt.engine.extension.name = GMU-authz<br>ovirt.engine.extension.bindings.method = jbossmodule<br>ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap<br>ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension<br>ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz<br>config.profile.file.1 = ../aaa/GMU.properties<br>#config.globals.bindFormat.simple_bindFormat = realm</blockquote></div><div><br></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">cat /etc/ovirt-engine/extensions.d/GMU-http-authn.properties <br>ovirt.engine.extension.name = GMU-http-authn<br>ovirt.engine.extension.bindings.method = jbossmodule<br>ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc<br>ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.http.AuthnExtension<br>ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn<br>ovirt.engine.aaa.authn.profile.name = GMU-http<br>ovirt.engine.aaa.authn.authz.plugin = GMU-authz<br>ovirt.engine.aaa.authn.mapping.plugin = http-mapping<br>config.artifact.name = HEADER<br>config.artifact.arg = X-Remote-User</blockquote></div><div><br></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">cat /etc/ovirt-engine/extensions.d/http-mapping.properties <br>ovirt.engine.extension.name = http-mapping<br>ovirt.engine.extension.bindings.method = 
jbossmodule<br>ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc<br>ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension<br>ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping<br>config.mapAuthRecord.type = regex<br>config.mapAuthRecord.regex.mustMatch = true<br>config.mapAuthRecord.regex.pattern = ^(?&lt;user&gt;.*?)((\\\\(?&lt;at&gt;@)(?&lt;suffix&gt;.*?)@.*)|(?&lt;realm&gt;@.*))$<br>config.mapAuthRecord.regex.replacement = ${user}${at}${suffix}</blockquote></div><div><br></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">cat /etc/ovirt-engine/aaa/ovirt-sso.conf <br>#<br># 1. make sure /etc/krb5.keytab is available and valid.<br># 2. update KrbAuthRealms<br># 3. symlink into /etc/httpd/conf.d<br>#<br>&lt;LocationMatch ^(/ovirt-engine/(webadmin|userportal|api)|/api)&gt;<br><span class="" style="white-space:pre">        </span>RewriteEngine on<br><span class="" style="white-space:pre">        </span>RewriteCond %{LA-U:REMOTE_USER} ^(.*)$<br><span class="" style="white-space:pre">        </span>RewriteRule ^(.*)$ - [L,P,E=REMOTE_USER:%1]<br><span class="" style="white-space:pre">        </span>RequestHeader set X-Remote-User %{REMOTE_USER}s<br><span class="" style="white-space:pre">        </span>LogLevel debug<br><span class="" style="white-space:pre">        </span>AuthType Kerberos<br><span class="" style="white-space:pre">        </span>AuthName &quot;Kerberos Login&quot;<br><span class="" style="white-space:pre">        </span>Krb5Keytab /etc/httpd/http.keytab<br><span class="" style="white-space:pre">        </span>KrbAuthRealms GMU.EDU VSNET.GMU.EDU<br><span class="" style="white-space:pre">        </span>KrbServiceName HTTP/ovirt-admin-hosted.vsnet.gmu.edu<br><span class="" style="white-space:pre">        </span>Require valid-user<br>&lt;/LocationMatch&gt;</blockquote></div><div><br></div><div>The LDAP server is: Sun-Directory-Server/11.1.1.5.0</div><div><br></div><div>I have no administrative access to the LDAP server, but I can successfully search via ldapsearch by binding with the proxy DN and password.</div><div><br></div><div>Any ideas what might be wrong, or how to troubleshoot?</div><div><br></div><div>-Alastair</div></div>
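<div>Added example, not part of the message above and not oVirt's own code: a JavaScript stand-in for the http-mapping extension's regex step, built from the <code>config.mapAuthRecord.regex.*</code> values in the http-mapping.properties shown above (the <code>${name}</code> expansion helper, the function names and the sample principals are mine; the samples are constructed from the principal in the log). It shows that the value Apache puts in X-Remote-User, <code>aneil2@GMU.EDU</code>, is reduced to the bare login name <code>aneil2</code> before the authz extension looks it up in LDAP, and that with <code>mustMatch = true</code> a header value without a realm is refused rather than passed through.</div>

```javascript
// Added example, not code from the original post or from oVirt: a stand-in
// for the http-mapping extension's regex step. PATTERN and REPLACEMENT are
// the config.mapAuthRecord.regex.* values from http-mapping.properties;
// in the .properties file the backslash is written as \\\\, which the
// properties loader turns into \\, i.e. one literal backslash for the regex.
const PATTERN = /^(?<user>.*?)((\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$/;
const REPLACEMENT = "${user}${at}${suffix}";
const MUST_MATCH = true; // config.mapAuthRecord.regex.mustMatch

// Expand ${group} references against the named groups of a match (helper
// written for this example). A group that did not take part in the match,
// such as "at" and "suffix" for a plain user@REALM principal, contributes
// nothing; that is what drops the realm from the name.
function expand(template, groups) {
  return template.replace(/\$\{(\w+)\}/g, (_, name) => groups[name] ?? "");
}

// Map the X-Remote-User value Apache sets after Kerberos authentication to
// the login name the engine hands to the authz extension for the LDAP
// lookup. Returns null when the value is refused.
function mapAuthRecord(principal) {
  const m = PATTERN.exec(principal);
  if (m === null) {
    // mustMatch = true: a header that does not fit the pattern is rejected
    // instead of being passed through unchanged.
    return MUST_MATCH ? null : principal;
  }
  return expand(REPLACEMENT, m.groups);
}

// Constructed sample inputs, based on the principal seen in the engine log.
const SAMPLES = [
  "aneil2@GMU.EDU",           // plain principal            -> "aneil2"
  "aneil2\\@gmu.edu@GMU.EDU", // escaped @ before the realm -> "aneil2@gmu.edu"
  "aneil2",                   // no realm at all            -> null (refused)
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", JSON.stringify(mapAuthRecord(s)));
}
```

Because the mapped name is exactly the one the log reports as "Cannot locate principal 'aneil2'", the mapping step is producing the expected input and the failure sits in the LDAP lookup that follows it.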