Thanks! Now it's working!

The problem was the absence of the line:

pool.default.auth.type = simple

It's strange, I thought that the default auth type was set to simple and I didn't check it twice. After setting that, the problem has to do with an incorrect user/password, which is our own problem because of the schema we are using (migrated from NIS some time ago).

The openldap_example.properties file actually was a copy of openldap.properties; I did it that way to customize it to our schema, but in the first instance it was a carbon copy of the original.

Thanks again!

Bruno



On Thu, Jan 15, 2015 at 10:43 AM, Ondra Machacek <omachace@redhat.com> wrote:
On 01/15/2015 10:36 AM, Alon Bar-Lev wrote:


----- Original Message -----
From: "Bruno Rodriguez" <bruno@pic.es>
To: "Ondra Machacek" <omachace@redhat.com>
Cc: "Esther Accion" <esthera@pic.es>, users@ovirt.org
Sent: Thursday, January 15, 2015 11:20:57 AM
Subject: Re: [ovirt-users] Error authenticating bind using the AAA OpenLDAP module

Thank you very much,

using the following ldap.example.org file:

---------------------

include = <openldap_example.properties>
include = <rfc2307.properties>

what do you have in openldap_example.properties?

It seems you have specified anonymous bind in openldap_example.properties. You should probably try it with the original one (openldap.properties).



vars.server = ldap1.example.org
#vars.user = cn=authenticate,ou=System,dc=example,dc=org
#vars.password = XXXXXXXXX

why have you commented out the vars?
you should have just removed the quotes from vars.password and kept the lines below as-is.

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = cn=authenticate,ou=System,dc=example,dc=org
pool.default.auth.simple.password = XXXXXXXXX

pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = /etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
pool.default.ssl.truststore.password = XXXXXXXXX

---------------------

Then I get the following in the engine log:


2015-01-15 10:04:15,250 ERROR
[org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
(ajp--127.0.0.1-8702-3) Error during CanDoActionFailure.: Class: class
org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException
Input:
{Extkey[name=AAA_AUTHN_CREDENTIALS;type=class
java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-4bb5-4592-8167-810a5c909706];]=***,
Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class
org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0,
Extkey[name=EXTENSION_LICENSE;type=class
java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL
2.0, Extkey[name=EXTENSION_NOTES;type=class
java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display
name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6,
Extkey[name=EXTENSION_HOME_URL;type=class
java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]=http://www.ovirt.org,
Extkey[name=EXTENSION_LOCALE;type=class
java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US,
Extkey[name=EXTENSION_NAME;type=class
java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn,
Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0,
Extkey[name=EXTENSION_CONFIGURATION;type=class
java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***,
Extkey[name=EXTENSION_AUTHOR;type=class
java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The
oVirt Project, Extkey[name=EXTENSION_INSTANCE_NAME;type=class
java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=authn-ldap.example.org,
Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class
java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0,
Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface
java.util.Collection;uuid=EXTENSION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[],
Extkey[name=AAA_AUTHN_CAPABILITIES;type=class
java.lang.Long;uuid=AAA_AUTHN_CAPABILITIES[9d16bee3-10fd-46f2-83f9-3d3c54cf258d];]=12,
Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class
org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*,
Extkey[name=EXTENSION_VERSION;type=class
java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8-8239-4bdb-ab1a-af9f779ce68c];]=1.0.0,
Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface
org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.impl.Slf4jLogger(org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authn.authn-ldap.example.org),
Extkey[name=EXTENSION_PROVIDES;type=interface
java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.extensions.aaa.Authn]},
Extkey[name=AAA_AUTHN_USER;type=class
java.lang.String;uuid=AAA_AUTHN_USER[1ceaba26-1bdc-4663-a3c6-5d926f9dd8f0];]=bruno,
Extkey[name=EXTENSION_INVOKE_COMMAND;type=class
org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHN_AUTHENTICATE_CREDENTIALS[d9605c75-6b43-4b00-b32c-06bdfa80244c]}
Output:
{Extkey[name=EXTENSION_INVOKE_RESULT;type=class
java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2,
Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class
java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=anonymous
bind disallowed}

error: anonymous bind disallowed

can you please enable debug per what I instructed last time and send a complete log?


-----------------------------------

And this is the ldap connection log:

/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 fd=114 ACCEPT from IP=192.168.XX.XX:41469 (IP=0.0.0.0:389)
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0 EXT oid=1.3.6.1.4.1.1466.20037
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0 STARTTLS
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0 RESULT oid= err=0 text=
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 fd=114 TLS established tls_ssf=128 ssf=128
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" method=128
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" mech=SIMPLE ssf=0
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 RESULT tag=97 err=0 text=

-----------------------------------

It looks like it got the dn correctly but it's unable to bind anyway...

Thank you,

Bruno


On Wed, Jan 14, 2015 at 5:50 PM, Ondra Machacek <omachace@redhat.com> wrote:


Hi,

On 01/14/2015 04:53 PM, Bruno Rodriguez wrote:


Good afternoon,

We cannot access oVirt using LDAP authentication against our openldap
server. We created the following files in /etc/ovirt-engine/extensions.d
(the organization name is not example.org and the passwords are not
XXXXXXXX, obviously):

----------- /etc/ovirt-engine/extensions.d/ldap.example.org -----------

include = <openldap_example.properties>

vars.server = ldap1.example.org
vars.user = cn=authenticate,ou=System,dc=example,dc=org
vars.password = "XXXXXXXX"

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = /etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
pool.default.ssl.truststore.password = XXXXXXXX

----------- /etc/ovirt-engine/extensions.d/authn-ldap.example.org.properties -----------

ovirt.engine.extension.name = authn-ldap.example.org
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn

ovirt.engine.aaa.authn.profile.name = ldap.example.org
ovirt.engine.aaa.authn.authz.plugin = authz-ldap.example.org

config.profile.file.1 = /etc/ovirt-engine/extensions.d/ldap.example.org

----------- /etc/ovirt-engine/extensions.d/authz-ldap.example.org.properties -----------

ovirt.engine.extension.name = authz-ldap.example.org
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension

ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/extensions.d/ldap.example.org

------------------------------------------------

After all of this we restarted the service and tried to access via the
administration portal. The JKS has the right permissions and contains
the TLS CA, the password is correct and the user "esthera" exists. But
when we try to log in, we obtain the following error in the engine.log
(we already set the verbosity to ALL):

------------------------------------------------

2015-01-14 16:35:25,750 ERROR
[org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
(ajp--127.0.0.1-8702-6) Error during CanDoActionFailure.: Class: class
org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException
Input:
{Extkey[name=AAA_AUTHN_CREDENTIALS;type=class
java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-4bb5-4592-8167-810a5c909706];]=***,
Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class
org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0,
Extkey[name=EXTENSION_LICENSE;type=class
java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL
2.0, Extkey[name=EXTENSION_NOTES;type=class
java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display
name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6,
Extkey[name=EXTENSION_HOME_URL;type=class
java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]=http://www.ovirt.org,
Extkey[name=EXTENSION_LOCALE;type=class
java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US,
Extkey[name=EXTENSION_NAME;type=class
java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn,
Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0,
Extkey[name=EXTENSION_CONFIGURATION;type=class
java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***,
Extkey[name=EXTENSION_AUTHOR;type=class
java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The
oVirt Project, Extkey[name=EXTENSION_INSTANCE_NAME;type=class
java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=authn-ldap.example.org,
Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class
java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0,
Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface
java.util.Collection;uuid=EXTENSION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[],
Extkey[name=AAA_AUTHN_CAPABILITIES;type=class
java.lang.Long;uuid=AAA_AUTHN_CAPABILITIES[9d16bee3-10fd-46f2-83f9-3d3c54cf258d];]=12,
Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class
org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*,
Extkey[name=EXTENSION_VERSION;type=class
java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8-8239-4bdb-ab1a-af9f779ce68c];]=1.0.0,
Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface
org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.impl.Slf4jLogger(org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authn.authn-ldap.example.org),
Extkey[name=EXTENSION_PROVIDES;type=interface
java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.extensions.aaa.Authn]},
Extkey[name=AAA_AUTHN_USER;type=class
java.lang.String;uuid=AAA_AUTHN_USER[1ceaba26-1bdc-4663-a3c6-5d926f9dd8f0];]=esthera,
Extkey[name=EXTENSION_INVOKE_COMMAND;type=class
org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHN_AUTHENTICATE_CREDENTIALS[d9605c75-6b43-4b00-b32c-06bdfa80244c]}
Output:
{Extkey[name=EXTENSION_INVOKE_RESULT;type=class
java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2,
Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class
java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=invalid
credentials}

------------------------------------------------

Having a look at the LDAP log we see that there is an "invalid
credentials" error while binding, but we are sure that the bind password
is the right one. We already tried to set the bind password without
quotes, but then the DN user appears as an empty string ("").

I think the problem is here. That's really strange; you have to use the password
without quotes.

Can you please try to set:
pool.default.auth.simple.bindDN = cn=authenticate,ou=System,dc=example,dc=org
pool.default.auth.simple.password = XXXXXX

just without the variables, to see if the DN is not empty now.




------------------------------------------------

[root@ldap1 ~]# grep $(grep 192.168.XX.X /var/log/ldap.log | tail -n 1 | cut -d: -f4 | cut -d ' ' -f2) /var/log/ldap.log
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 ACCEPT from IP=192.168.XX.X:39501 (IP=0.0.0.0:389)
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 STARTTLS
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 RESULT oid= err=0 text=
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 TLS established tls_ssf=128 ssf=128
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" method=128
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 RESULT tag=97 err=49 text=
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=2 UNBIND
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 closed

------------------------------------------------

By the way, the oVirt manager (ovmgr) machine can query the openldap
server correctly and retrieves everything OK

------------------------------------------------

[root@ovmgr extensions.d]# ldapsearch -ZZ -D cn=authenticate,ou=System,dc=example,dc=org -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=org> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# pic.es
dn: dc=example,dc=org
dc: pic
objectClass: top
objectClass: domain

------------------------------------------------

Did anybody have a similar problem? Is there anything that we didn't check?

Thanks in advance!

--
Bruno Rodríguez Rodríguez







--
Bruno Rodríguez Rodríguez

PIC (Port d'Informació Científica)
Campus UAB, Edificio D
E-08193 Bellaterra, Barcelona
Tel: +34 93 581 33 22

"If Tetris has taught me anything, it's that mistakes pile up and
triumphs disappear"

_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users




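As an added example (not code from this thread or from oVirt), a small Python lint for an aaa-ldap profile that catches the three pitfalls discussed in the thread: a missing `pool.default.auth.type = simple`, a quoted `vars.password`, and a `${global:vars.*}` reference to a variable that was commented out. The `${global:...}` resolution and the quoted-value check are my assumptions about how the extension reads the file; the sample profile is constructed from the thread's first configuration.

```python
import re

# Added example, not oVirt code: lint an aaa-ldap profile for this thread's pitfalls.
REF = re.compile(r"\$\{global:([A-Za-z0-9_.]+)\}")  # ${global:vars.NAME} reference


def parse_properties(text):
    """Parse `key = value` lines; also collect keys that are commented out."""
    props, commented = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            m = re.match(r"#\s*([A-Za-z0-9_.]+)\s*=", line)
            if m:
                commented.add(m.group(1))
        elif "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props, commented


def resolve(props, value, depth=0):
    """Expand ${global:...} references (assumed semantics); unknown names become ''."""
    if depth > 5:  # guard against a variable that refers to itself
        return value
    return REF.sub(lambda m: resolve(props, props.get(m.group(1), ""), depth + 1), value)


def lint_profile(text):
    """Return the list of findings for a profile; an empty list means clean."""
    props, commented = parse_properties(text)
    findings = []
    if props.get("pool.default.auth.type") != "simple":
        findings.append("pool.default.auth.type is not 'simple': pool may bind anonymously")
    for key in ("pool.default.auth.simple.bindDN", "pool.default.auth.simple.password"):
        raw = props.get(key, "")
        val = resolve(props, raw)
        for ref in REF.findall(raw):
            if ref not in props and ref in commented:
                findings.append(f"{key} references {ref}, which is commented out")
        if not val:
            findings.append(f"{key} resolves to an empty string")
        elif len(val) > 1 and val[0] == val[-1] and val[0] in "\"'":
            findings.append(f"{key} is quoted; the quotes become part of the value")
    return findings


# Constructed sample: the thread's first (broken) profile with placeholder secrets.
SAMPLE = """\
vars.user = cn=authenticate,ou=System,dc=example,dc=org
vars.password = "XXXXXXXX"
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.ssl.startTLS = true
"""
```

Running `lint_profile` on the thread's corrected profile (unquoted password plus `pool.default.auth.type = simple`) returns an empty list.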