Good afternoon,
We cannot access oVirt using LDAP authentication against our OpenLDAP
server. We created the following files in /etc/ovirt-engine/extensions.d
(the organization name is not example.org and the passwords are not
XXXXXXXX, obviously):
----------- /etc/ovirt-engine/extensions.d/ldap.example.org -----------
include = <openldap_example.properties>
vars.server = ldap1.example.org
vars.user = cn=authenticate,ou=System,dc=example,dc=org
vars.password = "XXXXXXXX"
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = /etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
pool.default.ssl.truststore.password = XXXXXXXX
----------- /etc/ovirt-engine/extensions.d/authn-ldap.example.org.properties -----------
ovirt.engine.extension.name = authn-ldap.example.org
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = ldap.example.org
ovirt.engine.aaa.authn.authz.plugin = authz-ldap.example.org
config.profile.file.1 = /etc/ovirt-engine/extensions.d/ldap.example.org
----------- /etc/ovirt-engine/extensions.d/authz-ldap.example.org.properties -----------
ovirt.engine.extension.name = authz-ldap.example.org
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/extensions.d/ldap.example.org
------------------------------------------------
After all of this we restarted the service and tried to access via the
administration portal. The JKS has the right permissions and contains
the TLS CA, the password is correct and the user "esthera" exists. But
when we try to log in, we obtain the following error in the engine.log
(we already set the verbosity to ALL):
------------------------------------------------
2015-01-14 16:35:25,750 ERROR
[org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
(ajp--127.0.0.1-8702-6) Error during CanDoActionFailure.: Class: class
org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException
Input:
{Extkey[name=AAA_AUTHN_CREDENTIALS;type=class
java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-4bb5-4592-8167-810a5c909706];]=***,
Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class
org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0,
Extkey[name=EXTENSION_LICENSE;type=class
java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL
2.0, Extkey[name=EXTENSION_NOTES;type=class
java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display
name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6,
Extkey[name=EXTENSION_HOME_URL;type=class
java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e1...
http://www.ovirt.org/, Extkey[name=EXTENSION_LOCALE;type=class
java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US,
Extkey[name=EXTENSION_NAME;type=class
java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn,
Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0,
Extkey[name=EXTENSION_CONFIGURATION;type=class
java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***,
Extkey[name=EXTENSION_AUTHOR;type=class
java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The
oVirt Project, Extkey[name=EXTENSION_INSTANCE_NAME;type=class
java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=authn-ldap.example.org,
Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class
java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0,
Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface
java.util.Collection;uuid=EXTENSION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[],
Extkey[name=AAA_AUTHN_CAPABILITIES;type=class
java.lang.Long;uuid=AAA_AUTHN_CAPABILITIES[9d16bee3-10fd-46f2-83f9-3d3c54cf258d];]=12,
Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class
org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*,
Extkey[name=EXTENSION_VERSION;type=class
java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8-8239-4bdb-ab1a-af9f779ce68c];]=1.0.0,
Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface
org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.impl.Slf4jLogger(org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authn.authn-ldap.example.org), Extkey[name=EXTENSION_PROVIDES;type=interface
java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.extensions.aaa.Authn]},
Extkey[name=AAA_AUTHN_USER;type=class
java.lang.String;uuid=AAA_AUTHN_USER[1ceaba26-1bdc-4663-a3c6-5d926f9dd8f0];]=esthera,
Extkey[name=EXTENSION_INVOKE_COMMAND;type=class
org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHN_AUTHENTICATE_CREDENTIALS[d9605c75-6b43-4b00-b32c-06bdfa80244c]}
Output:
{Extkey[name=EXTENSION_INVOKE_RESULT;type=class
java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2,
Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class
java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=invalid
credentials}
------------------------------------------------
Having a look at the LDAP log, we see that there is an "invalid
credentials" error while binding, but we are sure that the bind password
is the right one. We already tried to set the bind password without
quotes, but then the user DN appears as an empty string ("").

I think the problem is here. That's really strange, you have to use the
password without quotes.
Can you please try to set:
pool.default.auth.simple.bindDN = cn=authenticate,ou=System,dc=example,dc=org
pool.default.auth.simple.password = XXXXXX
just without the variables, and check if the DN is not empty now.
------------------------------------------------
[root@ldap1 ~]# grep $(grep 192.168.XX.X /var/log/ldap.log | tail -n 1 | cut -d: -f4 | cut -d\ -f2) /var/log/ldap.log
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 ACCEPT from IP=192.168.XX.X:39501 (IP=0.0.0.0:389)
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 EXT
oid=1.3.6.1.4.1.1466.20037
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 STARTTLS
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 RESULT oid= err=0 text=
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 TLS established
tls_ssf=128 ssf=128
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 BIND
dn="cn=authenticate,ou=System,dc=example,dc=org" method=128
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 RESULT tag=97
err=49 text=
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=2 UNBIND
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 closed
------------------------------------------------
By the way, the oVirt manager (ovmgr) machine can query the OpenLDAP
server correctly and retrieves everything OK:
------------------------------------------------
[root@ovmgr extensions.d]# ldapsearch -ZZ -D cn=authenticate,ou=System,dc=example,dc=org -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=org> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# pic.es
dn: dc=example,dc=org
dc: pic
objectClass: top
objectClass: domain
------------------------------------------------
Did anybody have a similar problem? Is there anything that we didn't check?
Thanks in advance!
--
Bruno Rodríguez Rodríguez
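As an added illustration of the quoting problem discussed in this thread (example code written here, not part of the oVirt aaa-ldap extension): a small checker that resolves the `${global:...}` references of a profile like the one above and flags a bind password whose value is wrapped in quotes, since a Java Properties file keeps those quotes as literal characters of the value. The substitution rule (a reference expands to the value of the named key in the same file) and the skipping of `include` lines are assumptions made for this check, not the extension's documented behaviour.

```python
import re

REF = re.compile(r"\$\{global:([^}]+)\}")

# Constructed sample: the profile from the thread, with the quoted password.
SAMPLE_PROFILE = """\
include = <openldap_example.properties>
vars.server = ldap1.example.org
vars.user = cn=authenticate,ou=System,dc=example,dc=org
vars.password = "XXXXXXXX"
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.ssl.startTLS = true
"""


def parse_profile(text):
    """Parse 'key = value' lines; like java.util.Properties, quotes are kept verbatim.
    'include' lines are skipped (assumption: the included defaults do not matter here)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("include"):
            continue
        key, _, value = line.partition("=")  # split on the first '=' only: DNs contain '='
        props[key.strip()] = value.strip()
    return props


def resolve(props, key, _depth=0):
    """Expand ${global:KEY} references recursively (assumed substitution rule)."""
    if _depth > 10:
        raise ValueError("reference loop while resolving %s" % key)
    value = props.get(key, "")
    return REF.sub(lambda m: resolve(props, m.group(1), _depth + 1), value)


def check_bind_settings(text):
    """Return findings about the simple-bind settings that would make slapd answer err=49."""
    props = parse_profile(text)
    findings = []
    bind_dn = resolve(props, "pool.default.auth.simple.bindDN")
    password = resolve(props, "pool.default.auth.simple.password")
    if not bind_dn:
        findings.append("bindDN resolves to an empty string")
    if len(password) >= 2 and password[0] == password[-1] and password[0] in "\"'":
        findings.append("password is wrapped in quotes")
    return findings


if __name__ == "__main__":
    print(check_bind_settings(SAMPLE_PROFILE))
```

Running it on the thread's profile reports the quoted password; the same profile with the quotes removed produces no findings.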