Re: [ovirt-users] Error authenticating bind using the AAA OpenLDAP module

Hi, On 01/14/2015 04:53 PM, Bruno Rodriguez wrote: > Good afternoon, > > We cannot access to Ovirt using LDAP authentication against our openldap > server. We created the following files in /etc/ovirt-engine/extensions.d > (the organization name is not example.org <http://example.org> and the > passwords are not XXXXXXXX, obviously) : > > ----------- /etc/ovirt-engine/extensions.d/ldap.example.org > <http://ldap.example.org> ----------- > > include = <openldap_example.properties> > > vars.server = ldap1.example.org <http://ldap1.example.org> > vars.user = cn=authenticate,ou=System,dc=example,dc=org > vars.password = "XXXXXXXX" > > pool.default.serverset.single.server = ${global:vars.server} > pool.default.auth.simple.bindDN = ${global:vars.user} > pool.default.auth.simple.password = ${global:vars.password} > > pool.default.ssl.startTLS = true > pool.default.ssl.truststore.file = > /etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks > pool.default.ssl.truststore.password = XXXXXXXX > > ----------- > /etc/ovirt-engine/extensions.d/authn-ldap.example.org.properties > ----------- > > ovirt.engine.extension.name <http://ovirt.engine.extension.name> = > authn-ldap.example.org <http://authn-ldap.example.org> > ovirt.engine.extension.bindings.method = jbossmodule > ovirt.engine.extension.binding.jbossmodule.module = > org.ovirt.engine-extensions.aaa.ldap > ovirt.engine.extension.binding.jbossmodule.class = > org.ovirt.engineextensions.aaa.ldap.AuthnExtension > ovirt.engine.extension.provides = org.ovirt.engine.api. > extensions.aaa.Authn > > ovirt.engine.aaa.authn.profile.name > <http://ovirt.engine.aaa.authn.profile.name> = ldap.example.org > <http://ldap.example.org> > ovirt.engine.aaa.authn.authz.plugin = authz-ldap.example.org > <http://authz-ldap.example.org> > > config.profile.file.1 = /etc/ovirt-engine/extensions.d/ldap.example.org > <http://ldap.example.org> > > ----------- > /etc/ovirt-engine/extensions.d/authz-ldap.example.org.properties > ----------- > > ovirt.engine.extension.name <http://ovirt.engine.extension.name> = > authz-ldap.example.org <http://authz-ldap.example.org> > ovirt.engine.extension.bindings.method = jbossmodule > ovirt.engine.extension.binding.jbossmodule.module = > org.ovirt.engine-extensions.aaa.ldap > ovirt.engine.extension.binding.jbossmodule.class = > org.ovirt.engineextensions.aaa.ldap.AuthzExtension > > ovirt.engine.extension.provides = org.ovirt.engine.api. > extensions.aaa.Authz > config.profile.file.1 = /etc/ovirt-engine/extensions.d/ldap.example.org > <http://ldap.example.org> > > ------------------------------------------------ > > After all of this we restarted the service and tried to access via the > administration portal. The JKS has the right permissions and contains > the TLS CA, the password is correct and the user "esthera" exists. But > when we try to log in, we obtain the following error in the engine.log > (we already set the verbosity to ALL): > > ------------------------------------------------ > > 2015-01-14 16:35:25,750 ERROR > [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] > (ajp--127.0.0.1-8702-6) Error during CanDoActionFailure.: Class: class > org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedEx > ception > Input: > {Extkey[name=AAA_AUTHN_CREDENTIALS;type=class > java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485- > 4bb5-4592-8167-810a5c909706];]=***, > Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class > org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[ > 886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name= > EXTENSION_INTERFACE_VERSION_MAX;type=class > java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_ > MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0, > Extkey[name=EXTENSION_LICENSE;type=class > java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65- > 054c-4e31-9c6d-1ca4d60a4c18];]=ASL > 2.0, Extkey[name=EXTENSION_NOTES;type=class > java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a- > 4584-aaff-97f66978e4ea];]=Display > name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6, > Extkey[name=EXTENSION_HOME_URL;type=class > java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4- > f969-42d4-b399-72d192e18304];]=http://www.ovirt.org > <http://www.ovirt.org/>;, Extkey[name=EXTENSION_LOCALE;type=class > java.lang.String;uuid=EXTENSION_LOCALE[0780b112- > 0ce0-404a-b85e-8765d778bb29];]=en_US, > Extkey[name=EXTENSION_NAME;type=class > java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f- > 4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn, > Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class > java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_ > MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0, > Extkey[name=EXTENSION_CONFIGURATION;type=class > java.util.Properties;uuid=EXTENSION_CONFIGURATION[ > 2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***, > Extkey[name=EXTENSION_AUTHOR;type=class > java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a- > 2dad-4bc5-9aad-e07018b7fbcc];]=The > oVirt Project, Extkey[name=EXTENSION_INSTANCE_NAME;type=class > java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245- > 8674327f011b];]=authn-ldap. > <http://authn-ldap.pic.es/>example.org <http://example.org>;, > Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class > java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_ > VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0, > Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface > java.util.Collection;uuid=EXTENSION_CONFIGURATION_ > SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[], > Extkey[name=AAA_AUTHN_CAPABILITIES;type=class > java.lang.Long;uuid=AAA_AUTHN_CAPABILITIES[9d16bee3-10fd- > 46f2-83f9-3d3c54cf258d];]=12, > Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class > org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[ > 9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*, > Extkey[name=EXTENSION_VERSION;type=class > java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8- > 8239-4bdb-ab1a-af9f779ce68c];]=1.0.0, > Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface > org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[ > 863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j. > impl.Slf4jLogger(org.ovirt.engine.core.extensions.mgr. > ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authn.authn-ldap. > <http://org.ovirt.engine.core.extensions.mgr. > extensionsmanager.trace.ovirt-engine-extension-aaa-ldap. > authn.authn-ldap.pic.es/>example.org > <http://example.org>), Extkey[name=EXTENSION_PROVIDES;type=interface > java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6- > 65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api. > extensions.aaa.Authn]}, > Extkey[name=AAA_AUTHN_USER;type=class > java.lang.String;uuid=AAA_AUTHN_USER[1ceaba26-1bdc-4663- > a3c6-5d926f9dd8f0];]=esthera, > Extkey[name=EXTENSION_INVOKE_COMMAND;type=class > org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[ > 485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHN_ > AUTHENTICATE_CREDENTIALS[d9605c75-6b43-4b00-b32c-06bdfa80244c]} > Output: > {Extkey[name=EXTENSION_INVOKE_RESULT;type=class > java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0- > 099c772ddd4e];]=2, > Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class > java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26- > b8bdb72f5893];]=invalid > credentials} > > ------------------------------------------------ > > Having a look at the LDAP log we check that there is a "invalid > credentials" error while binding, but we are sure that the bind password > is the right one. We already tried to set the bind password without > quotes, but then the DN user then appear as an empty string ("") > I think problem is here. That's really strange, you have to use the password without quotes. Can you please try to set: pool.default.auth.simple.bindDN = cn=authenticate,ou=System,dc= example,dc=org pool.default.auth.simple.password = XXXXXX just without the variables. if the DN is not empty now. > ------------------------------------------------ > > [root@ldap1 ~]# grep $(grep 192.168.XX.X /var/log/ldap.log | tail -n 1 | > cut -d: -f4 | cut -d\ -f2) /var/log/ldap.log > Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 ACCEPT from > IP=192.168.XX.X:39501 <http://192.168.95.2:39501/> (IP=0.0.0.0:389 > <http://0.0.0.0:389/>) > > Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 EXT > oid=1.3.6.1.4.1.1466.20037 > Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 STARTTLS > Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 RESULT oid= err=0 > text= > Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 TLS established > tls_ssf=128 ssf=128 > Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 BIND > dn="cn=authenticate,ou=System,dc=example,dc=org" method=128 > Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 RESULT tag=97 > err=49 text= > Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=2 UNBIND > Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 closed > > ------------------------------------------------ > > By the way, the Ovirt manager (ovmgr) machine can query correctly the > openldap server and retrieves everything OK > > ------------------------------------------------ > > [root@ovmgr extensions.d]# ldapsearch -ZZ -D > cn=authenticate,ou=System,dc=example,dc=org -W > Enter LDAP Password: > # extended LDIF > # > # LDAPv3 > # base <dc=example,dc=org> (default) with scope subtree > # filter: (objectclass=*) > # requesting: ALL > # > > # pic.es <http://pic.es/> > dn: dc=example,dc=org > dc: pic > objectClass: top > objectClass: domain > > ------------------------------------------------ > > Did anybody had a similar problem ? Is there anything that we didn't > check ? > > Thanks in advance ! > > -- > Bruno Rodríguez Rodríguez > > > > This body part will be downloaded on demand. > >