Trying to configure LDAP auth on the engine. After adding a user from LDAP, I cannot log in; I get this error: "server_error: Cannot locate principal"
Errors from engine.log
2021-06-30 17:24:23,830+05 ERROR [org.ovirt.engine.core.sso.servlets.InteractiveAuthServlet] (default task-5) [686f77b] Internal Server Error: Cannot locate principal 'Domain Reader'
2021-06-30 17:24:23,830+05 ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] (default task-5) [686f77b] Cannot locate principal 'Domain Reader'
2021-06-30 17:24:23,851+05 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-5) [686f77b] server_error: Cannot locate principal 'Domain Reader'
How can I fix this error?
ovirt 4.3.10
Config /etc/ovirt-engine/aaa/openldap_rfc.properties:
include = <rfc2307-openldap.properties>
vars.server = LDAP.testdom.local
vars.user = CN=Domain Reader,OU=AD,OU=SERVICE,DC=testdom,DC=local
vars.password = password
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = single
pool.default.serverset.single.server = ${global:vars.server}
pool.default.ssl.startTLS = true
pool.default.ssl.insecure = true
attrmap.map-principal-record.attr.PrincipalRecord_ID.map = uid
attrmap.map-principal-record.attr.PrincipalRecord_PRINCIPAL.map = cn
#LDAP value changes
sequence.openldap-init-vars.030.var-set.value = entryUUID, uid, cn, givenName, sn, Email
sequence.openldap-init-vars.040.var-set.value = (objectClass=posixAccount)(uid=*)
sequence.openldap-init-vars.050.var-set.value = entryUUID, uid
sequence.openldap-init-vars.060.var-set.value = (objectClass=posixGroup)
sequence.openldap-init-vars.070.var-set.value = memberUid
User attributes:
ovirt-engine-extensions-tool aaa search --extension-name=openldap_rfc-authz --entity=principal --entity-name=domreader
2021-07-21 17:14:33,805+05 INFO ========================================================================
2021-07-21 17:14:33,833+05 INFO ============================ Initialization ============================
2021-07-21 17:14:33,833+05 INFO ========================================================================
2021-07-21 17:14:33,878+05 INFO Loading extension 'internal-authz'
2021-07-21 17:14:33,885+05 INFO Extension 'internal-authz' loaded
------
2021-07-21 17:14:35,885+05 INFO ========================================================================
2021-07-21 17:14:35,886+05 INFO ============================== Execution ===============================
2021-07-21 17:14:35,886+05 INFO ========================================================================
2021-07-21 17:14:35,886+05 INFO Iteration: 0
2021-07-21 17:14:35,891+05 INFO --- Begin QueryFilterRecord ---
2021-07-21 17:14:35,892+05 INFO AAA_AUTHZ_QUERY_FILTER_OPERATOR: 102
2021-07-21 17:14:35,892+05 INFO AAA_AUTHZ_QUERY_ENTITY: AAA_AUTHZ_QUERY_ENTITY_PRINCIPAL[1695cd36-4656-474f-b7bc-4466e12634e4]
2021-07-21 17:14:35,893+05 INFO --- Begin QueryFilterRecord ---
2021-07-21 17:14:35,893+05 INFO AAA_AUTHZ_QUERY_FILTER_OPERATOR: 0
2021-07-21 17:14:35,894+05 INFO AAA_AUTHZ_QUERY_FILTER_KEY: Extkey[name=AAA_AUTHZ_PRINCIPAL_NAME;type=class java.lang.String;uuid=AAA_AUTHZ_PRINCIPAL_NAME[a0df5bcc-6ead-40a2-8565-2f5cc8773bdd];]
2021-07-21 17:14:35,894+05 INFO AAA_AUTHZ_PRINCIPAL_NAME: domreader
2021-07-21 17:14:35,894+05 INFO --- End QueryFilterRecord ---
2021-07-21 17:14:35,895+05 INFO --- End QueryFilterRecord ---
2021-07-21 17:14:35,895+05 INFO API: -->Authz.InvokeCommands.QUERY_OPEN namespace='dc=testdom,dc=local'
2021-07-21 17:14:35,904+05 INFO API: <--Authz.InvokeCommands.QUERY_OPEN
2021-07-21 17:14:35,904+05 INFO API: -->Authz.InvokeCommands.QUERY_EXECUTE
2021-07-21 17:16:04,079+05 INFO API: <--Authz.InvokeCommands.QUERY_EXECUTE count=1
2021-07-21 17:16:04,080+05 INFO --- Begin PrincipalRecord ---
2021-07-21 17:16:04,081+05 INFO AAA_AUTHZ_PRINCIPAL_PRINCIPAL: Domain Reader
2021-07-21 17:16:04,081+05 INFO AAA_AUTHZ_PRINCIPAL_LAST_NAME: Reader
2021-07-21 17:16:04,081+05 INFO AAA_LDAP_UNBOUNDID_DN: cn=Domain Reader,ou=AD,ou=SERVICE,dc=testdom,dc=local
2021-07-21 17:16:04,082+05 INFO AAA_AUTHZ_PRINCIPAL_NAMESPACE: dc=testdom,dc=local
2021-07-21 17:16:04,082+05 INFO AAA_AUTHZ_PRINCIPAL_ID: domreader
2021-07-21 17:16:04,082+05 INFO AAA_AUTHZ_PRINCIPAL_DISPLAY_NAME: Domain Reader
2021-07-21 17:16:04,083+05 INFO AAA_AUTHZ_PRINCIPAL_NAME: domreader
2021-07-21 17:16:04,083+05 INFO AAA_AUTHZ_PRINCIPAL_FIRST_NAME: Domain
2021-07-21 17:16:04,083+05 INFO --- End PrincipalRecord ---
2021-07-21 17:16:04,084+05 INFO API: -->Authz.InvokeCommands.QUERY_EXECUTE
2021-07-21 17:16:04,084+05 INFO API: <--Authz.InvokeCommands.QUERY_EXECUTE count=END
2021-07-21 17:16:04,084+05 INFO API: -->Authz.InvokeCommands.QUERY_CLOSE
2021-07-21 17:16:04,084+05 INFO API: <--Authz.InvokeCommands.QUERY_CLOSE
Trying to auth using ovirt-engine-extensions-tool:
ovirt-engine-extensions-tool aaa login-user --profile=openldap_rfc --user-name=domreader
2021-07-21 17:40:47,318+05 INFO ========================================================================
2021-07-21 17:40:47,350+05 INFO ============================ Initialization ============================
2021-07-21 17:40:47,351+05 INFO ========================================================================
2021-07-21 17:40:47,401+05 INFO Loading extension 'internal-authz'
2021-07-21 17:40:47,407+05 INFO Extension 'internal-authz' loaded
2021-07-21 17:40:47,409+05 INFO Loading extension 'internal-authn'
2021-07-21 17:40:47,410+05 INFO Extension 'internal-authn' loaded
2021-07-21 17:40:47,426+05 INFO Loading extension 'test_ldap'
2021-07-21 17:40:47,508+05 INFO Extension 'test_ldap' loaded
2021-07-21 17:40:47,509+05 INFO Loading extension 'test_ldap-authn'
2021-07-21 17:40:47,523+05 INFO Extension 'test_ldap-authn' loaded
2021-07-21 17:40:47,525+05 INFO Loading extension 'openldap_rfc-authz'
2021-07-21 17:40:47,538+05 INFO Extension 'openldap_rfc-authz' loaded
2021-07-21 17:40:47,540+05 INFO Loading extension 'openldap_rfc-authn'
2021-07-21 17:40:47,551+05 INFO Extension 'openldap_rfc-authn' loaded
2021-07-21 17:40:47,552+05 INFO Initializing extension 'internal-authz'
2021-07-21 17:40:47,671+05 INFO Extension 'internal-authz' initialized
2021-07-21 17:40:47,672+05 INFO Initializing extension 'internal-authn'
2021-07-21 17:40:47,685+05 INFO Extension 'internal-authn' initialized
2021-07-21 17:40:47,685+05 INFO Initializing extension 'test_ldap'
2021-07-21 17:40:47,686+05 INFO [ovirt-engine-extension-aaa-ldap.authz::test_ldap] Creating LDAP pool 'authz'
2021-07-21 17:40:47,787+05 INFO [ovirt-engine-extension-aaa-ldap.authz::test_ldap] LDAP pool 'authz' information: vendor='null' version='null'
2021-07-21 17:40:47,788+05 INFO [ovirt-engine-extension-aaa-ldap.authz::test_ldap] Available Namespaces: [dc=field,dc=example,dc=com]
2021-07-21 17:40:47,789+05 INFO Extension 'test_ldap' initialized
2021-07-21 17:40:47,789+05 INFO Initializing extension 'test_ldap-authn'
2021-07-21 17:40:47,790+05 INFO [ovirt-engine-extension-aaa-ldap.authn::test_ldap-authn] Creating LDAP pool 'authz'
2021-07-21 17:40:47,837+05 INFO [ovirt-engine-extension-aaa-ldap.authn::test_ldap-authn] LDAP pool 'authz' information: vendor='null' version='null'
2021-07-21 17:40:47,838+05 INFO [ovirt-engine-extension-aaa-ldap.authn::test_ldap-authn] Creating LDAP pool 'authn'
2021-07-21 17:40:47,849+05 INFO [ovirt-engine-extension-aaa-ldap.authn::test_ldap-authn] LDAP pool 'authn' information: vendor='null' version='null'
2021-07-21 17:40:47,849+05 INFO Extension 'test_ldap-authn' initialized
2021-07-21 17:40:47,850+05 INFO Initializing extension 'openldap_rfc-authz'
2021-07-21 17:40:47,850+05 INFO [ovirt-engine-extension-aaa-ldap.authz::openldap_rfc-authz] Creating LDAP pool 'authz'
2021-07-21 17:40:47,851+05 WARNING [ovirt-engine-extension-aaa-ldap.authz::openldap_rfc-authz] TLS/SSL insecure mode
2021-07-21 17:40:48,575+05 INFO [ovirt-engine-extension-aaa-ldap.authz::openldap_rfc-authz] LDAP pool 'authz' information: vendor='null' version='null'
2021-07-21 17:40:48,576+05 INFO [ovirt-engine-extension-aaa-ldap.authz::openldap_rfc-authz] Available Namespaces: [dc=testdom,dc=local]
2021-07-21 17:40:48,576+05 INFO Extension 'openldap_rfc-authz' initialized
2021-07-21 17:40:48,576+05 INFO Initializing extension 'openldap_rfc-authn'
2021-07-21 17:40:48,577+05 INFO [ovirt-engine-extension-aaa-ldap.authn::openldap_rfc-authn] Creating LDAP pool 'authz'
2021-07-21 17:40:48,577+05 WARNING [ovirt-engine-extension-aaa-ldap.authn::openldap_rfc-authn] TLS/SSL insecure mode
2021-07-21 17:40:49,174+05 INFO [ovirt-engine-extension-aaa-ldap.authn::openldap_rfc-authn] LDAP pool 'authz' information: vendor='null' version='null'
2021-07-21 17:40:49,175+05 INFO [ovirt-engine-extension-aaa-ldap.authn::openldap_rfc-authn] Creating LDAP pool 'authn'
2021-07-21 17:40:49,175+05 WARNING [ovirt-engine-extension-aaa-ldap.authn::openldap_rfc-authn] TLS/SSL insecure mode
2021-07-21 17:40:49,427+05 INFO [ovirt-engine-extension-aaa-ldap.authn::openldap_rfc-authn] LDAP pool 'authn' information: vendor='null' version='null'
2021-07-21 17:40:49,428+05 INFO Extension 'openldap_rfc-authn' initialized
2021-07-21 17:40:49,428+05 INFO Start of enabled extensions list
2021-07-21 17:40:49,429+05 INFO Instance name: 'openldap_rfc-authz', Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.3.10', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.3.10-1.el7', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/openldap_rfc-authz.properties', Initialized: 'true'
2021-07-21 17:40:49,429+05 INFO Instance name: 'test_ldap', Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.3.10', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.3.10-1.el7', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/test_ldap.properties', Initialized: 'true'
2021-07-21 17:40:49,429+05 INFO Instance name: 'internal-authn', Extension name: '"ovirt-engine-extension-aaa-jdbc".authn', Version: '"1.1.10"', Notes: 'Display name: "ovirt-engine-extension-aaa-jdbc"', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/internal-authn.properties', Initialized: 'true'
2021-07-21 17:40:49,430+05 INFO Instance name: 'internal-authz', Extension name: '"ovirt-engine-extension-aaa-jdbc".authz', Version: '"1.1.10"', Notes: 'Display name: "ovirt-engine-extension-aaa-jdbc"', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/internal-authz.properties', Initialized: 'true'
2021-07-21 17:40:49,430+05 INFO Instance name: 'openldap_rfc-authn', Extension name: 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.3.10', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.3.10-1.el7', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/openldap_rfc-authn.properties', Initialized: 'true'
2021-07-21 17:40:49,430+05 INFO Instance name: 'test_ldap-authn', Extension name: 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.3.10', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.3.10-1.el7', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/test_ldap-authn.properties', Initialized: 'true'
2021-07-21 17:40:49,430+05 INFO End of enabled extensions list
2021-07-21 17:40:49,431+05 INFO ========================================================================
2021-07-21 17:40:49,431+05 INFO ============================== Execution ===============================
2021-07-21 17:40:49,431+05 INFO ========================================================================
2021-07-21 17:40:49,432+05 INFO Iteration: 0
2021-07-21 17:40:49,433+05 INFO Profile='openldap_rfc' authn='openldap_rfc-authn' authz='openldap_rfc-authz' mapping='null'
2021-07-21 17:40:49,433+05 INFO API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='openldap_rfc' user='domreader'
Password:
2021-07-21 17:42:28,572+05 INFO API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='openldap_rfc' result=SUCCESS
2021-07-21 17:42:28,576+05 INFO --- Begin AuthRecord ---
2021-07-21 17:42:28,577+05 INFO AAA_AUTHN_AUTH_RECORD_PRINCIPAL: Domain Reader
2021-07-21 17:42:28,577+05 INFO --- End AuthRecord ---
2021-07-21 17:42:28,578+05 INFO API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='Domain Reader'
2021-07-21 17:43:28,582+05 SEVERE Cannot locate principal 'Domain Reader'
The LDAP server works as a proxy to AD.
slapd.conf listing:
### Schema includes ###########################################################
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/ad.schema
## Module paths ##############################################################
modulepath /usr/lib64/openldap/
moduleload back_ldap
moduleload rwm
### Logging ###################################################################
logfile /var/log/slapd/slapd.log
loglevel 256
# Main settings ###############################################################
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCipherSuite HIGH:!NULL
TLSCACertificateFile /etc/pki/tls/certs/cacert.pem
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
TLSVerifyClient never
# Disallow non-encrypted binds - this will refuse any connection that isn't
# secured with at least 128-bit encryption
security ssf=128
# Allow v2 binding for legacy clients #########################################
allow bind_v2
### Database definition (Proxy to AD) #########################################
database ldap
readonly yes
protocol-version 3
rebind-as-user yes
uri "ldap://testdom.local:389"
suffix "dc=testdom,dc=local"
idassert-bind bindmethod=simple
  mode=none
  binddn="CN=Domain Reader,OU=AD,OU=SERVICE,DC=testdom,DC=local"
  credentials=eOv5rgrNv3eq
  starttls=yes
  tls_cacertdir=/etc/pki/tls/certs
  tls_reqcert=never
idassert-authzFrom "*"
overlay rwm
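An added Python check, not part of the post and not oVirt's own tooling, that makes the mismatch in the tool output above explicit: it parses the profile properties, expands the `${global:...}` references, and compares the principal value that authn hands over (AAA_AUTHN_AUTH_RECORD_PRINCIPAL) with the fields the authz search returned, also flagging the `pool.default.ssl.insecure` setting behind the "TLS/SSL insecure mode" warnings. The property and log text is constructed from the values quoted above, with the password lines left out.

```python
import re

# Constructed from the post: the profile properties (mangled "tlocale" read as "true")
# and the AAA_* lines ovirt-engine-extensions-tool printed for the search and the login.
PROPERTIES = """\
vars.user = CN=Domain Reader,OU=AD,OU=SERVICE,DC=testdom,DC=local
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.ssl.insecure = true
attrmap.map-principal-record.attr.PrincipalRecord_ID.map = uid
attrmap.map-principal-record.attr.PrincipalRecord_PRINCIPAL.map = cn
"""
SEARCH_LOG = """\
INFO AAA_AUTHZ_PRINCIPAL_PRINCIPAL: Domain Reader
INFO AAA_AUTHZ_PRINCIPAL_DISPLAY_NAME: Domain Reader
INFO AAA_AUTHZ_PRINCIPAL_NAME: domreader
"""
LOGIN_LOG = """\
INFO AAA_AUTHN_AUTH_RECORD_PRINCIPAL: Domain Reader
SEVERE Cannot locate principal 'Domain Reader'
"""

def load_properties(text):
    """Parse 'key = value' lines and expand ${global:key} references."""
    props = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    ref = re.compile(r"\$\{global:([^}]+)\}")
    return {k: ref.sub(lambda m: props.get(m.group(1), m.group(0)), v)
            for k, v in props.items()}

def aaa_fields(log):
    """Collect the AAA_* name/value pairs printed by the extensions tool."""
    return dict(re.findall(r"(AAA_[A-Z_]+):\s*(.+)", log))

def diagnose(properties, search_log, login_log):
    """Return (expanded properties, findings) for one login attempt."""
    props = load_properties(properties)
    rec, auth = aaa_fields(search_log), aaa_fields(login_log)
    handed_over = auth.get("AAA_AUTHN_AUTH_RECORD_PRINCIPAL")
    name = rec.get("AAA_AUTHZ_PRINCIPAL_NAME")
    findings = []
    if handed_over != name:  # authn's principal is not what authz lists as NAME
        carriers = ", ".join(sorted(k for k, v in rec.items() if v == handed_over))
        findings.append("authn principal %r != authz NAME %r; it equals %s"
                        % (handed_over, name, carriers))
    if props.get("pool.default.ssl.insecure") == "true":
        findings.append("pool.default.ssl.insecure=true: server certificate unverified")
    return props, findings
```

Run against the embedded samples it reports that the value authn passes on ('Domain Reader') is carried by the PRINCIPAL and DISPLAY_NAME fields but not by NAME ('domreader'), which is the same gap the FETCH_PRINCIPAL_RECORD failure shows; feed it a profile and tool output of your own to compare.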