Re: [ovirt-users] Error authenticating bind using the AAA OpenLDAP module

Thank you very much, using the following ldap.example.org <http://ldap.example.org> file: --------------------- include = <openldap_example.properties> include = <rfc2307.properties> vars.server = ldap1.example.org <http://ldap1.example.org> #vars.user = cn=authenticate,ou=System,dc=example,dc=org #vars.password = XXXXXXXXX pool.default.serverset.single.server = ${global:vars.server} pool.default.auth.simple.bindDN = cn=authenticate,ou=System,dc=example,dc=org pool.default.auth.simple.password = XXXXXXXXX pool.default.ssl.startTLS = true pool.default.ssl.truststore.file = /etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks pool.default.ssl.truststore.password = XXXXXXXXX --------------------- Then I get the following in the engine log: 2015-01-15 10:04:15,250 ERROR [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-3) Error during CanDoActionFailure.: Class: class org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException Input: {Extkey[name=AAA_AUTHN_CREDENTIALS;type=class java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-4bb5-4592-8167-810a5c909706];]=***, Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0, Extkey[name=EXTENSION_LICENSE;type=class java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL 2.0, Extkey[name=EXTENSION_NOTES;type=class java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6, Extkey[name=EXTENSION_HOME_URL;type=class java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]=http://www.ovirt.org,Extkey[name=EXTENSION_LOCALE;type=class java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US, Extkey[name=EXTENSION_NAME;type=class java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn, Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0, Extkey[name=EXTENSION_CONFIGURATION;type=class java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***, Extkey[name=EXTENSION_AUTHOR;type=class java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The oVirt Project, Extkey[name=EXTENSION_INSTANCE_NAME;type=class java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-867... <http://authn-ldap.example.org>;, Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0, Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface java.util.Collection;uuid=EXTENSION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[], Extkey[name=AAA_AUTHN_CAPABILITIES;type=class java.lang.Long;uuid=AAA_AUTHN_CAPABILITIES[9d16bee3-10fd-46f2-83f9-3d3c54cf258d];]=12, Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*, Extkey[name=EXTENSION_VERSION;type=class java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8-8239-4bdb-ab1a-af9f779ce68c];]=1.0.0, Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[863db666-3ea7-4751-9695... <http://org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt...>), Extkey[name=EXTENSION_PROVIDES;type=interface java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.extensions.aaa.Authn]}, Extkey[name=AAA_AUTHN_USER;type=class java.lang.String;uuid=AAA_AUTHN_USER[1ceaba26-1bdc-4663-a3c6-5d926f9dd8f0];]=bruno, Extkey[name=EXTENSION_INVOKE_COMMAND;type=class org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHN_AUTHENTICATE_CREDENTIALS[d9605c75-6b43-4b00-b32c-06bdfa80244c]} Output: {Extkey[name=EXTENSION_INVOKE_RESULT;type=class java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2, Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=anonymous bind disallowed} ----------------------------------- And this is the ldap connection log: /var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 fd=114 ACCEPT from IP=192.168.XX.XX:41469 (IP=0.0.0.0:389 <http://0.0.0.0:389>) /var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0 EXT oid=1.3.6.1.4.1.1466.20037 /var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0 STARTTLS /var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0 RESULT oid= err=0 text= /var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 fd=114 TLS established tls_ssf=128 ssf=128 /var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" method=128 /var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" mech=SIMPLE ssf=0 /var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 RESULT tag=97 err=0 text= ----------------------------------- It looks like it got the dn correctly but it's unable to bind anyway ... Thank you, Bruno On Wed, Jan 14, 2015 at 5:50 PM, Ondra Machacek <omachace(a)redhat.com <mailto:omachace@redhat.com>> wrote: Hi, On 01/14/2015 04:53 PM, Bruno Rodriguez wrote: Good afternoon, We cannot access to Ovirt using LDAP authentication against our openldap server. We created the following files in /etc/ovirt-engine/extensions.d (the organization name is not example.org <http://example.org> <http://example.org> and the passwords are not XXXXXXXX, obviously) : ----------- /etc/ovirt-engine/extensions.__d/ldap.example.org <http://ldap.example.org> <http://ldap.example.org> ----------- include = <openldap_example.properties> vars.server = ldap1.example.org <http://ldap1.example.org> <http://ldap1.example.org> vars.user = cn=authenticate,ou=System,dc=__example,dc=org vars.password = "XXXXXXXX" pool.default.serverset.single.__server = ${global:vars.server} pool.default.auth.simple.__bindDN = ${global:vars.user} pool.default.auth.simple.__password = ${global:vars.password} pool.default.ssl.startTLS = true pool.default.ssl.truststore.__file = /etc/ovirt-engine/extensions.__d/ldap.example.org_keystore.__jks pool.default.ssl.truststore.__password = XXXXXXXX ----------- /etc/ovirt-engine/extensions.__d/authn-ldap.example.org <http://authn-ldap.example.org>.__properties ----------- ovirt.engine.extension.name <http://ovirt.engine.extension.name> <http://ovirt.engine.__extension.name <http://ovirt.engine.extension.name>> = authn-ldap.example.org <http://authn-ldap.example.org> <http://authn-ldap.example.org__> ovirt.engine.extension.__bindings.method = jbossmodule ovirt.engine.extension.__binding.jbossmodule.module = org.ovirt.engine-extensions.__aaa.ldap ovirt.engine.extension.__binding.jbossmodule.class = org.ovirt.engineextensions.__aaa.ldap.AuthnExtension ovirt.engine.extension.__provides = org.ovirt.engine.api.__extensions.aaa.Authn ovirt.engine.aaa.authn.__profile.name <http://ovirt.engine.aaa.authn.profile.name> <http://ovirt.engine.aaa.__authn.profile.name <http://ovirt.engine.aaa.authn.profile.name>> = ldap.example.org <http://ldap.example.org> <http://ldap.example.org> ovirt.engine.aaa.authn.authz.__plugin = authz-ldap.example.org <http://authz-ldap.example.org> <http://authz-ldap.example.org__> config.profile.file.1 = /etc/ovirt-engine/extensions.__d/ldap.example.org <http://ldap.example.org> <http://ldap.example.org> ----------- /etc/ovirt-engine/extensions.__d/authz-ldap.example.org <http://authz-ldap.example.org>.__properties ----------- ovirt.engine.extension.name <http://ovirt.engine.extension.name> <http://ovirt.engine.__extension.name <http://ovirt.engine.extension.name>> = authz-ldap.example.org <http://authz-ldap.example.org> <http://authz-ldap.example.org__> ovirt.engine.extension.__bindings.method = jbossmodule ovirt.engine.extension.__binding.jbossmodule.module = org.ovirt.engine-extensions.__aaa.ldap ovirt.engine.extension.__binding.jbossmodule.class = org.ovirt.engineextensions.__aaa.ldap.AuthzExtension ovirt.engine.extension.__provides = org.ovirt.engine.api.__extensions.aaa.Authz config.profile.file.1 = /etc/ovirt-engine/extensions.__d/ldap.example.org <http://ldap.example.org> <http://ldap.example.org> ------------------------------__------------------ After all of this we restarted the service and tried to access via the administration portal. The JKS has the right permissions and contains the TLS CA, the password is correct and the user "esthera" exists. But when we try to log in, we obtain the following error in the engine.log (we already set the verbosity to ALL): ------------------------------__------------------ 2015-01-14 16:35:25,750 ERROR [org.ovirt.engine.core.bll.__aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-6) Error during CanDoActionFailure.: Class: class org.ovirt.engine.core.__extensions.mgr.__ExtensionInvokeCommandFailedEx__ception Input: {Extkey[name=AAA_AUTHN___CREDENTIALS;type=class java.lang.String;uuid=AAA___AUTHN_CREDENTIALS[03b96485-__4bb5-4592-8167-810a5c909706];]__=***, Extkey[name=EXTENSION_INVOKE___CONTEXT;type=class org.ovirt.engine.api.__extensions.ExtMap;uuid=__EXTENSION_INVOKE_CONTEXT[__886d2ebb-312a-49ae-9cc3-__e1f849834b7d];]={Extkey[name=__EXTENSION_INTERFACE_VERSION___MAX;type=class java.lang.Integer;uuid=__EXTENSION_INTERFACE_VERSION___MAX[f4cff49f-2717-4901-8ee9-__df362446e3e7];]=0, Extkey[name=EXTENSION_LICENSE;__type=class java.lang.String;uuid=__EXTENSION_LICENSE[8a61ad65-__054c-4e31-9c6d-1ca4d60a4c18];]__=ASL 2.0, Extkey[name=EXTENSION_NOTES;__type=class java.lang.String;uuid=__EXTENSION_NOTES[2da5ad7e-185a-__4584-aaff-97f66978e4ea];]=__Display name: ovirt-engine-extension-aaa-__ldap-1.0.0-1.el6, Extkey[name=EXTENSION_HOME___URL;type=class java.lang.String;uuid=__EXTENSION_HOME_URL[4ad7a2f4-__f969-42d4-b399-72d1... <http://www.ovirt.org/>;, Extkey[name=EXTENSION_LOCALE;__type=class java.lang.String;uuid=__EXTENSION_LOCALE[0780b112-__0ce0-404a-b85e-8765d778bb29];]__=en_US, Extkey[name=EXTENSION_NAME;__type=class java.lang.String;uuid=__EXTENSION_NAME[651381d3-f54f-__4547-bf28-b0b01a103184];]=__ovirt-engine-extension-aaa-__ldap.authn, Extkey[name=EXTENSION___INTERFACE_VERSION_MIN;type=__class java.lang.Integer;uuid=__EXTENSION_INTERFACE_VERSION___MIN[2b84fc91-305b-497b-a1d7-__d961b9d2ce0b];]=0, Extkey[name=EXTENSION___CONFIGURATION;type=class java.util.Properties;uuid=__EXTENSION_CONFIGURATION[__2d48ab72-f0a1-4312-b4ae-__5068a226b0fc];]=***, Extkey[name=EXTENSION_AUTHOR;__type=class java.lang.String;uuid=__EXTENSION_AUTHOR[ef242f7a-__2dad-4bc5-9aad-e07018b7fbcc];]__=The oVirt Project, Extkey[name=EXTENSION___INSTANCE_NAME;type=class java.lang.String;uuid=__EXTENSION_INSTANCE_NAME[__65c67ff6-aeca-4bd5-a245-__8674327f011b];]=authn-ldap. <http://authn-ldap.pic.es/>exa__mple.org <http://example.org> <http://example.org>;, Extkey[name=EXTENSION_BUILD___INTERFACE_VERSION;type=class java.lang.Integer;uuid=__EXTENSION_BUILD_INTERFACE___VERSION[cb479e5a-4b23-46f8-__aed3-56a4747a8ab7];]=0, Extkey[name=EXTENSION___CONFIGURATION_SENSITIVE_KEYS;__type=interface java.util.Collection;uuid=__EXTENSION_CONFIGURATION___SENSITIVE_KEYS[a456efa1-73ff-__4204-9f9b-ebff01e35263];]=[], Extkey[name=AAA_AUTHN___CAPABILITIES;type=class java.lang.Long;uuid=AAA_AUTHN___CAPABILITIES[9d16bee3-10fd-__46f2-83f9-3d3c54cf258d];]=12, Extkey[name=EXTENSION_GLOBAL___CONTEXT;type=class org.ovirt.engine.api.__extensions.ExtMap;uuid=__EXTENSION_GLOBAL_CONTEXT[__9799e72f-7af6-4cf1-bf08-__297bc8903676];]=*skip*, Extkey[name=EXTENSION_VERSION;__type=class java.lang.String;uuid=__EXTENSION_VERSION[fe35f6a8-__8239-4bdb-ab1a-af9f779ce68c];]__=1.0.0, Extkey[name=EXTENSION_MANAGER___TRACE_LOG;type=interface org.slf4j.Logger;uuid=__EXTENSION_MANAGER_TRACE_LOG[__863db666-3ea7-4751-9695-__918a3197ad83];]=org.slf4j.__impl.Slf4jLogger(org.ovirt.__engine.core.extensions.mgr.__ExtensionsManager.trace.ovirt-__engine-extension-aaa-ldap.__authn.authn-ldap. <http://org.ovirt.engine.core.__extensions.mgr.__extensionsmanager.trace.o... <http://org.ovirt.engine.core.extensions.mgr.extensionsmanager.trace.ovirt... <http://example.org> <http://example.org>), Extkey[name=EXTENSION___PROVIDES;type=interface java.util.Collection;uuid=__EXTENSION_PROVIDES[8cf373a6-__65b5-4594-b828-0e275087de91];]__=[org.ovirt.engine.api.__extensions.aaa.Authn]}, Extkey[name=AAA_AUTHN_USER;__type=class java.lang.String;uuid=AAA___AUTHN_USER[1ceaba26-1bdc-4663-__a3c6-5d926f9dd8f0];]=esthera, Extkey[name=EXTENSION_INVOKE___COMMAND;type=class org.ovirt.engine.api.__extensions.ExtUUID;uuid=__EXTENSION_INVOKE_COMMAND[__485778ab-bede-4f1a-b823-__77b262a2f28d];]=AAA_AUTHN___AUTHENTICATE_CREDENTIALS[__d9605c75-6b43-4b00-b32c-__06bdfa80244c]} Output: {Extkey[name=EXTENSION_INVOKE___RESULT;type=class java.lang.Integer;uuid=__EXTENSION_INVOKE_RESULT[__0909d91d-8bde-40fb-b6c0-__099c772ddd4e];]=2, Extkey[name=EXTENSION_INVOKE___MESSAGE;type=class java.lang.String;uuid=__EXTENSION_INVOKE_MESSAGE[__b7b053de-dc73-4bf7-9d26-__b8bdb72f5893];]=invalid credentials} ------------------------------__------------------ Having a look at the LDAP log we check that there is a "invalid credentials" error while binding, but we are sure that the bind password is the right one. We already tried to set the bind password without quotes, but then the DN user then appear as an empty string ("") I think problem is here. That's really strange, you have to use the password without quotes. Can you please try to set: pool.default.auth.simple.__bindDN = cn=authenticate,ou=System,dc=__example,dc=org pool.default.auth.simple.__password = XXXXXX just without the variables. if the DN is not empty now. ------------------------------__------------------ [root@ldap1 ~]# grep $(grep 192.168.XX.X /var/log/ldap.log | tail -n 1 | cut -d: -f4 | cut -d\ -f2) /var/log/ldap.log Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 ACCEPT from IP=192.168.XX.X:39501 <http://192.168.95.2:39501/> (IP=0.0.0.0:389 <http://0.0.0.0:389> <http://0.0.0.0:389/>) Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 EXT oid=1.3.6.1.4.1.1466.20037 Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 STARTTLS Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 RESULT oid= err=0 text= Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 TLS established tls_ssf=128 ssf=128 Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 BIND dn="cn=authenticate,ou=System,__dc=example,dc=org" method=128 Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 RESULT tag=97 err=49 text= Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=2 UNBIND Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 closed ------------------------------__------------------ By the way, the Ovirt manager (ovmgr) machine can query correctly the openldap server and retrieves everything OK ------------------------------__------------------ [root@ovmgr extensions.d]# ldapsearch -ZZ -D cn=authenticate,ou=System,dc=__example,dc=org -W Enter LDAP Password: # extended LDIF # # LDAPv3 # base <dc=example,dc=org> (default) with scope subtree # filter: (objectclass=*) # requesting: ALL # # pic.es <http://pic.es> <http://pic.es/> dn: dc=example,dc=org dc: pic objectClass: top objectClass: domain ------------------------------__------------------ Did anybody had a similar problem ? Is there anything that we didn't check ? Thanks in advance ! -- Bruno Rodríguez Rodríguez This body part will be downloaded on demand. -- Bruno Rodríguez Rodríguez PIC (Port d'Informació Científica) Campus UAB, Edificio D E-08193 Bellaterra, Barcelona Tel: +34 93 581 33 22 "Si algo me ha enseñado el tetris, es que los errores se acumulan y los triunfos desaparecen"