Hi,
Just for me to understand... sometimes it works and sometimes it does not work with the same
user aneil2?
From the log I can see that you probably have Basic Authorization
Headers enabled; are you sure you do not type user/password in the browser credentials
dialog? Can you please add KrbMethodK5Passwd off to the apache configuration to make sure
it is not prompted? To clear this, if you use firefox go to History->Clear Recent and
select only Active Logins.
What I see is that aneil2 cannot be located, and fallback to Basic Authorization Headers
is probably performed, and in these aneil2 is specified without the @profile suffix (as
expected) and it fails.
Alon
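A small triage script for the engine log excerpt quoted below, added here as an example and not part of the thread: it parses the quoted engine.log lines (re-joined onto single lines, with the archive's "(a)" written as "@") and separates the BasicAuthenticationFilter failures for the bare username aneil2 from the audit-log login of aneil2@GMU.EDU@GMU-http, which is the distinction Alon's diagnosis rests on. The line-format regex is an assumption derived from the quoted lines, not the engine's own logging specification.

```python
import re
from collections import Counter

# Engine log lines as they appear in the thread, re-joined onto single lines
# (the archive wrapped them) and with the "(a)" anti-spam marker written as "@".
# Constructed sample for this example, not a fresh capture.
SAMPLE_ENGINE_LOG = """\
2015-04-09 13:39:28,342 ERROR [org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter] (ajp--127.0.0.1-8702-5) Cannot obtain profile for user aneil2
2015-04-09 13:39:28,493 ERROR [org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter] (ajp--127.0.0.1-8702-11) Cannot obtain profile for user aneil2
2015-04-09 13:39:28,527 ERROR [org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter] (ajp--127.0.0.1-8702-6) Cannot obtain profile for user aneil2
2015-04-09 13:39:28,593 INFO  [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-6) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User aneil2@GMU.EDU@GMU-http logged in.
""".splitlines()

# Assumed line layout: "<timestamp> <LEVEL> [<logger>] (<thread>) <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>[A-Z]+)\s+"
    r"\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) (?P<msg>.*)$"
)
PROFILE_ERR_RE = re.compile(r"Cannot obtain profile for user (?P<user>\S+)")
LOGIN_OK_RE = re.compile(r"User (?P<user>\S+) logged in\.")


def parse_engine_line(line):
    """Split one engine.log line into its fields; None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(lines):
    """Count 'Cannot obtain profile' errors per (filter, user) and list successful logins.

    A bare username (no '@profile' part) in a BasicAuthenticationFilter error is the
    pattern Alon points at: the request was handled by the Basic-auth path, which
    needs 'user@profile', rather than by the Kerberos/header SSO path.
    """
    missing = Counter()          # (filter short name, user) -> occurrences
    logins = []                  # principals the audit log reports as logged in
    for line in lines:
        ev = parse_engine_line(line)
        if ev is None:
            continue
        err = PROFILE_ERR_RE.search(ev["msg"])
        if err:
            missing[(ev["logger"].rsplit(".", 1)[-1], err.group("user"))] += 1
        ok = LOGIN_OK_RE.search(ev["msg"])
        if ok:
            logins.append(ok.group("user"))
    findings = [
        f"{user}: {n} '{flt}' failure(s) with no @profile suffix; "
        f"the Basic-auth fallback path is handling this user"
        for (flt, user), n in missing.items()
        if flt == "BasicAuthenticationFilter" and "@" not in user
    ]
    return {"missing_profile": dict(missing), "logins": logins, "findings": findings}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ENGINE_LOG).items():
        print(key, value)
```

Run against a real engine.log, the same three-error-then-login sequence per login attempt, on threads that differ from the one that logged the SSO success, is what supports the "browser is sending Basic credentials alongside Negotiate" reading before touching the Apache configuration.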
----- Original Message -----
From: "Alastair Neil" <ajneil.tech(a)gmail.com>
To: "Ovirt Users" <users(a)ovirt.org>
Sent: Thursday, April 9, 2015 9:46:09 PM
Subject: [ovirt-users] simple-sso w. kerberos & iplanet ldap - login slow and unreliable (ovirt 3.5.1.1)
I have configured the simple-sso with kerberos. I can successfully login most
of the time, but often the login fails and I am dropped at the portal login
window and prompted for the internal account username and password. Host is
FC 20. Also, adding users in the GMU-authz o=gmu.edu namespace is
agonisingly slow returning from the directory lookup.
I can see from the apache logs that the kerberos authentication is
successful, but in the engine logs I see many errors:
2015-04-09 13:39:28,493 ERROR
[org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter]
(ajp--127.0.0.1-8702-11) Cannot obtain profile for user aneil2
and eventually:
2015-04-09 13:39:28,342 ERROR
[org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter]
(ajp--127.0.0.1-8702-5) Cannot obtain profile for user aneil2
{Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class
org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0,
Extkey[name=EXTENSION_LICENSE;type=class
java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL
2.0, Extkey[name=EXTENSION_NOTES;type=class
java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display
name: ovirt-engine-extension-aaa-ldap-1.0.2-1.fc20,
Extkey[name=EXTENSION_HOME_URL;type=class
java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]=
http://www.ovirt.org , Extkey[name=EXTENSION_LOCALE;type=class
java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US,
Extkey[name=EXTENSION_NAME;type=class
java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authz,
Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0,
Extkey[name=EXTENSION_CONFIGURATION;type=class
java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***,
Extkey[name=EXTENSION_AUTHOR;type=class
java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The
oVirt Project, Extkey[name=AAA_AUTHZ_QUERY_MAX_FILTER_SIZE;type=class
java.lang.Integer;uuid=AAA_AUTHZ_QUERY_MAX_FILTER_SIZE[2eb1f541-0f65-44a1-a6e3-014e247595f5];]=50,
Extkey[name=EXTENSION_INSTANCE_NAME;type=class
java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=GMU-authz,
Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class
java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0,
Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface
java.util.Collection;uuid=EXTENSION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[],
Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class
org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*,
Extkey[name=EXTENSION_VERSION;type=class
java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8-8239-4bdb-ab1a-af9f779ce68c];]=1.0.2,
Extkey[name=AAA_AUTHZ_AVAILABLE_NAMESPACES;type=interface
java.util.Collection;uuid=AAA_AUTHZ_AVAILABLE_NAMESPACES[6dffa34c-955f-486a-bd35-0a272b45a711];]=[o=
gmu.edu ], Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface
org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.impl.Slf4jLogger(org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authz.GMU-authz),
Extkey[name=EXTENSION_PROVIDES;type=interface
java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.extensions.aaa.Authz],
Extkey[name=EXTENSION_CONFIGURATION_FILE;type=class
java.lang.String;uuid=EXTENSION_CONFIGURATION_FILE[4fb0ffd3-983c-4f3f-98ff-9660bd67af6a];]=/etc/ovirt-engine/extensions.d/GMU-authz.properties},
Extkey[name=AAA_AUTHZ_QUERY_FLAGS;type=class
java.lang.Integer;uuid=AAA_AUTHZ_QUERY_FLAGS[97d226e9-8d87-49a0-9a7f-af689320907b];]=3,
Extkey[name=EXTENSION_INVOKE_COMMAND;type=class
org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHZ_FETCH_PRINCIPAL_RECORD[5a5bf9bb-9336-4376-a823-26efe1ba26df],
Extkey[name=AAA_AUTHN_AUTH_RECORD;type=class
org.ovirt.engine.api.extensions.ExtMap;uuid=AAA_AUTHN_AUTH_RECORD[e9462168-b53b-44ac-9af5-f25e1697173e];]={Extkey[name=AAA_AUTHN_AUTH_RECORD_PRINCIPAL;type=class
java.lang.String;uuid=AAA_AUTHN_AUTH_RECORD_PRINCIPAL[c3498f07-11fe-464c-958c-8bd7490b119a];]=aneil2}}
{Extkey[name=EXTENSION_INVOKE_RESULT;type=class
java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2,
Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class
java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=Cannot
locate principal 'aneil2'}
2015-04-09 13:39:28,527 ERROR
[org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter]
(ajp--127.0.0.1-8702-6) Cannot obtain profile for user aneil2
2015-04-09 13:39:28,493 ERROR
[org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter]
(ajp--127.0.0.1-8702-11) Cannot obtain profile for user aneil2
2015-04-09 13:39:28,593 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(ajp--127.0.0.1-8702-6) Correlation ID: null, Call Stack: null, Custom Event
ID: -1, Message: User aneil2@GMU.EDU(a)GMU-http logged in.
I suspect the ldap lookup is not working correctly. Here are the relevant
config files:
cat /etc/ovirt-engine/aaa/GMU.properties file:
# Select one
#
#include = <openldap.properties>
#include = <389ds.properties>
#include = <rhds.properties>
#include = <ipa.properties>
include = <iplanet.properties>
#include = <rfc2307.properties>
#include = <rfc2307-openldap.properties>
#
# Server
#
vars.server = dirapps.gmu.edu
#
# Search user and its password.
#
vars.user = uid=proxy,ou=people,o=gmu.edu
vars.password = XXXXXXXXXX
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
#pool.default.ssl.truststore.password = changeit
cat /etc/ovirt-engine/extensions.d/GMU-authz.properties
ovirt.engine.extension.name = GMU-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = ../aaa/GMU.properties
#config.globals.bindFormat.simple_bindFormat = realm
cat /etc/ovirt-engine/extensions.d/GMU-http-authn.properties
ovirt.engine.extension.name = GMU-http-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.http.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = GMU-http
ovirt.engine.aaa.authn.authz.plugin = GMU-authz
ovirt.engine.aaa.authn.mapping.plugin = http-mapping
config.artifact.name = HEADER
config.artifact.arg = X-Remote-User
cat /etc/ovirt-engine/extensions.d/http-mapping.properties
ovirt.engine.extension.name = http-mapping
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapAuthRecord.type = regex
config.mapAuthRecord.regex.mustMatch = true
config.mapAuthRecord.regex.pattern = ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
config.mapAuthRecord.regex.replacement = ${user}${at}${suffix}
cat /etc/ovirt-engine/aaa/ovirt-sso.conf
#
# 1. make sure /etc/krb5.keytab is available and valid.
# 2. update KrbAuthRealms
# 3. symlink into /etc/httpd/conf.d
#
<LocationMatch ^(/ovirt-engine/(webadmin|userportal|api)|/api)>
RewriteEngine on
RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
RewriteRule ^(.*)$ - [L,P,E=REMOTE_USER:%1]
RequestHeader set X-Remote-User %{REMOTE_USER}s
LogLevel debug
AuthType Kerberos
AuthName "Kerberos Login"
Krb5Keytab /etc/httpd/http.keytab
KrbAuthRealms GMU.EDU VSNET.GMU.EDU
KrbServiceName HTTP/ovirt-admin-hosted.vsnet.gmu.edu
Require valid-user
</LocationMatch>
The LDAP server is: Sun-Directory-Server/11.1.1.5.0
I have no administrative access to the ldap server, but I can successfully
search via ldapsearch by binding with the proxy dn and password.
Any ideas what might be wrong, or how to troubleshoot?
-Alastair
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
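To see what the posted http-mapping regex actually hands on to the GMU-authz extension, here is the pattern from http-mapping.properties applied to a few X-Remote-User values. This is an added example, not code from the thread or from ovirt-engine-extension-aaa-misc: the pattern is translated into Python's (?P<name>...) named-group syntax, the ${user}${at}${suffix} replacement is assembled by hand with unmatched groups as empty strings, and the input values are constructed. It shows that the Kerberos realm (either of the two listed under KrbAuthRealms) is stripped, so the authz lookup receives the bare 'aneil2' that the engine log reports as "Cannot locate principal".

```python
import re

# The http-mapping pattern from the posted http-mapping.properties, translated to
# Python syntax: Java's (?<name>...) becomes (?P<name>...). The "\\\\" written in the
# properties file is one literal backslash after properties unescaping, which is
# "\\" in this raw string.
MAP_PATTERN = re.compile(r"^(?P<user>.*?)((\\(?P<at>@)(?P<suffix>.*?)@.*)|(?P<realm>@.*))$")
MUST_MATCH = True  # mirrors config.mapAuthRecord.regex.mustMatch = true in the posted file


def map_principal(remote_user):
    """Apply the posted mapping to one X-Remote-User value.

    Returns the name handed to the authz (LDAP) extension, or None when the pattern
    does not match and mustMatch is set (assumption about the extension's exact
    behaviour on a non-match; the posted config only says mustMatch = true).
    The result is ${user}${at}${suffix}; groups that did not participate in the
    match, i.e. 'at' and 'suffix' for the plain user@REALM form, contribute nothing.
    """
    m = MAP_PATTERN.match(remote_user)
    if m is None:
        return None if MUST_MATCH else remote_user
    return m.group("user") + (m.group("at") or "") + (m.group("suffix") or "")


def explain(remote_user):
    """Return the named groups the pattern captured, for inspecting a surprising mapping."""
    m = MAP_PATTERN.match(remote_user)
    return None if m is None else {k: v for k, v in m.groupdict().items() if v is not None}


if __name__ == "__main__":
    # Constructed inputs: a Kerberos principal from each realm in KrbAuthRealms,
    # the backslash form the second branch of the pattern is written for, and a
    # bare name with no realm at all.
    for value in ("aneil2@GMU.EDU", "aneil2@VSNET.GMU.EDU",
                  "aneil2\\@GMU-authz@GMU.EDU", "aneil2"):
        print(f"{value!r:32} -> {map_principal(value)!r}  groups={explain(value)}")
```

The two realm forms both reduce to "aneil2", which is exactly the value the engine log shows the GMU-authz extension being asked to fetch; the backslash form is the only way through this pattern to keep an @-suffix on the name. A value with no "@" at all matches neither branch and is rejected by mustMatch, so a bare username reaching the mapping is already a sign that the request did not come through the Kerberos header path.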