Hi!
Great information!
I really need you to add the log for org.ovirt.engineextensions.aaa.ldap, see [1] so I can
see the entire sequence.
You are trying to authenticate the esthera user; this results in a bind request using this
user, so you should really check whether the bind succeeds with this user and password.
$ ldapsearch -ZZ -D replace_with_esthera_DN -W -b 'dc=example,dc=org'
It may be that the password of the user is not set or differs from what you expect, or
the schema is not openldap but rfc2307.
Alon
[1]
From: "Bruno Rodriguez" <bruno(a)pic.es>
To: users(a)ovirt.org, "Esther Accion" <esthera(a)pic.es>
Sent: Wednesday, January 14, 2015 5:53:06 PM
Subject: [ovirt-users] Error authenticating bind using the AAA OpenLDAP module
Good afternoon,
We cannot access oVirt using LDAP authentication against our openldap
server. We created the following files in /etc/ovirt-engine/extensions.d
(the organization name is not example.org and the passwords are not
XXXXXXXX, obviously):
----------- /etc/ovirt-engine/extensions.d/ldap.example.org -----------
include = <openldap_example.properties>
vars.server = ldap1.example.org
vars.user = cn=authenticate,ou=System,dc=example,dc=org
vars.password = "XXXXXXXX"
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = /etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
pool.default.ssl.truststore.password = XXXXXXXX
----------- /etc/ovirt-engine/extensions.d/authn-ldap.example.org.properties -----------
ovirt.engine.extension.name = authn-ldap.example.org
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = ldap.example.org
ovirt.engine.aaa.authn.authz.plugin = authz-ldap.example.org
config.profile.file.1 = /etc/ovirt-engine/extensions.d/ldap.example.org
----------- /etc/ovirt-engine/extensions.d/authz-ldap.example.org.properties -----------
ovirt.engine.extension.name = authz-ldap.example.org
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/extensions.d/ldap.example.org
------------------------------------------------
After all of this we restarted the service and tried to access via the
administration portal. The JKS has the right permissions and contains the
TLS CA, the password is correct and the user "esthera" exists. But when we
try to log in, we obtain the following error in the engine.log (we already
set the verbosity to ALL):
------------------------------------------------
2015-01-14 16:35:25,750 ERROR [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-6) Error during CanDoActionFailure.: Class: class org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException
Input:
{Extkey[name=AAA_AUTHN_CREDENTIALS;type=class java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-4bb5-4592-8167-810a5c909706];]=***,
Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0,
Extkey[name=EXTENSION_LICENSE;type=class java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL 2.0,
Extkey[name=EXTENSION_NOTES;type=class java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6,
Extkey[name=EXTENSION_HOME_URL;type=class java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]=http://www.ovirt.org,
Extkey[name=EXTENSION_LOCALE;type=class java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US,
Extkey[name=EXTENSION_NAME;type=class java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn,
Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0,
Extkey[name=EXTENSION_CONFIGURATION;type=class java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***,
Extkey[name=EXTENSION_AUTHOR;type=class java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The oVirt Project,
Extkey[name=EXTENSION_INSTANCE_NAME;type=class java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=authn-ldap.example.org,
Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0,
Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface java.util.Collection;uuid=EXTENSION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[],
Extkey[name=AAA_AUTHN_CAPABILITIES;type=class java.lang.Long;uuid=AAA_AUTHN_CAPABILITIES[9d16bee3-10fd-46f2-83f9-3d3c54cf258d];]=12,
Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*,
Extkey[name=EXTENSION_VERSION;type=class java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8-8239-4bdb-ab1a-af9f779ce68c];]=1.0.0,
Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.impl.Slf4jLogger(org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authn.authn-ldap.example.org),
Extkey[name=EXTENSION_PROVIDES;type=interface java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.extensions.aaa.Authn]},
Extkey[name=AAA_AUTHN_USER;type=class java.lang.String;uuid=AAA_AUTHN_USER[1ceaba26-1bdc-4663-a3c6-5d926f9dd8f0];]=esthera,
Extkey[name=EXTENSION_INVOKE_COMMAND;type=class org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHN_AUTHENTICATE_CREDENTIALS[d9605c75-6b43-4b00-b32c-06bdfa80244c]}
Output:
{Extkey[name=EXTENSION_INVOKE_RESULT;type=class java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2,
Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=invalid credentials}
------------------------------------------------
Having a look at the LDAP log we see that there is an "invalid credentials"
error while binding, but we are sure that the bind password is the right
one. We already tried to set the bind password without quotes, but then the
DN user appears as an empty string ("").
------------------------------------------------
[root@ldap1 ~]# grep $(grep 192.168.XX.X /var/log/ldap.log | tail -n 1 | cut -d: -f4 | cut -d\ -f2) /var/log/ldap.log
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 ACCEPT from IP=192.168.XX.X:39501 (IP=0.0.0.0:389)
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 STARTTLS
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 RESULT oid= err=0 text=
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 TLS established tls_ssf=128 ssf=128
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" method=128
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 RESULT tag=97 err=49 text=
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=2 UNBIND
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 closed
------------------------------------------------
By the way, the oVirt manager (ovmgr) machine can query the
openldap server correctly and retrieves everything OK
------------------------------------------------
[root@ovmgr extensions.d]# ldapsearch -ZZ -D cn=authenticate,ou=System,dc=example,dc=org -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=org> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# pic.es
dn: dc=example,dc=org
dc: pic
objectClass: top
objectClass: domain
------------------------------------------------
Did anybody have a similar problem? Is there anything that we didn't check?
Thanks in advance!
--
Bruno Rodríguez Rodríguez
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
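The slapd excerpt in the quoted message shows which bind actually got err=49 (LDAP invalidCredentials), and Alon's reply is about telling the service-account bind apart from the user's own bind. As an added example (not code from the thread or from oVirt), here is a small Python parser that walks slapd lines in that format, pairs each BIND with its BindResponse (tag=97) and reports whose bind was rejected and whether STARTTLS was up on that connection. The first connection in the sample mirrors the thread's log; the second connection, the DN uid=esthera,ou=People,... and SERVICE_DN are constructed for illustration.

```python
import re

# Constructed sample, modelled on the slapd lines quoted in the thread. conn 1591408 is the
# thread's own sequence; conn 1591409 is hypothetical: service bind OK, user's own bind fails.
SAMPLE_LOG = """\
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 STARTTLS
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 TLS established tls_ssf=128 ssf=128
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" method=128
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 RESULT tag=97 err=49 text=
Jan 14 16:36:02 ldap1 slapd[6712]: conn=1591409 op=0 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" method=128
Jan 14 16:36:02 ldap1 slapd[6712]: conn=1591409 op=0 RESULT tag=97 err=0 text=
Jan 14 16:36:02 ldap1 slapd[6712]: conn=1591409 op=1 BIND dn="uid=esthera,ou=People,dc=example,dc=org" method=128
Jan 14 16:36:02 ldap1 slapd[6712]: conn=1591409 op=1 RESULT tag=97 err=49 text=
"""
SERVICE_DN = "cn=authenticate,ou=System,dc=example,dc=org"   # the pool.default.auth.simple.bindDN value

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')   # tag=97 is a BindResponse
TLS_RE = re.compile(r'conn=(\d+) fd=\d+ TLS established')

def norm_dn(dn):
    # Case-insensitive compare, tolerant of whitespace after commas (as in the quoted log line).
    return re.sub(r',\s*', ',', dn).lower()

def parse_binds(log_text, service_dn):
    """Pair each BIND with its BindResponse; record who bound, the result and TLS state."""
    pending, tls_conns, events = {}, set(), []
    for line in log_text.splitlines():
        if m := TLS_RE.search(line):
            tls_conns.add(m.group(1))
        elif m := BIND_RE.search(line):
            pending[(m.group(1), m.group(2))] = m.group(3)
        elif (m := RESULT_RE.search(line)) and (m.group(1), m.group(2)) in pending:
            conn, op = m.group(1), m.group(2)
            dn = pending.pop((conn, op))
            events.append({"conn": conn, "op": op, "dn": dn, "err": int(m.group(3)),
                           "tls": conn in tls_conns,
                           "role": "service" if norm_dn(dn) == norm_dn(service_dn) else "user"})
    return events

def diagnose(events):
    """One verdict per finding: err=49 is LDAP invalidCredentials; no TLS means a cleartext password."""
    verdicts = []
    for e in events:
        if e["err"] == 49 and e["role"] == "service":
            verdicts.append((e["conn"], "service bind rejected: check the configured bindDN/password"))
        elif e["err"] == 49:
            verdicts.append((e["conn"], f"user bind rejected for {e['dn']}: check the user's own password"))
        if not e["tls"]:
            verdicts.append((e["conn"], "simple bind without TLS: the password crossed the wire in clear"))
    return verdicts
```

Run it over the real /var/log/ldap.log (filtered by the conn number, as in the grep above) to see at a glance whether it is the pool's service account or the logging-in user whose bind the server is rejecting.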