From: Vrgotic, Marko
Sent: Tuesday, June 4, 2019 4:44:08 PM
To: users@ovirt.org
Cc: Stojchev, Darko
Subject: Issue with aaa-ldap connector on fresh install of 4.3.3

Dear oVirt,

We are running 4.3.3 latest with SHE.

We tried to connect our domain users using the provided aaa-ldap extension tool.

We tried multiple different accounts, with multiple DN search tree syntaxes, and verified the passwords.

The error is always the same:

`2019-06-04 14:03:30,763+0000 ERROR otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._customization_late:835 Cannot authenticate using 'uid=**FILTERED**,ou=ABC Users,dc=example,dc=com': {'info': '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1', 'desc': 'Invalid credentials'}`

The log file is showing the following:

```
2019-06-04 14:02:31,666+0000 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._getURLs:283 URLs: [u'ldap://hqdc2.example.com:389', u'ldap://eudc1.example.com:389', u'ldap://eudc2.example.com:389', u'ldap://hqdc1.example.com:389']
2019-06-04 14:02:31,666+0000 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:393 Connecting to LDAP using 'ldap://hqdc2.example.com:389'
2019-06-04 14:02:31,675+0000 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:444 Executing startTLS
2019-06-04 14:02:32,420+0000 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:447 Perform search
2019-06-04 14:02:32,567+0000 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:455 Result: [('', {'supportedLDAPVersion': ['3', '2']})]
2019-06-04 14:02:32,568+0000 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:457 Connection succeeded
2019-06-04 14:02:32,568+0000 DEBUG otopi.plugins.otopi.dialog.human human.queryString:159 query OVAAALDAP_LDAP_USER
2019-06-04 14:02:32,568+0000 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:SEND                 Enter search user DN (for example uid=username,dc=example,dc=com or leave empty for anonymous):
2019-06-04 14:02:57,540+0000 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:RECEIVE    uid=da-dstojchev,ou=Users,dc=example,dc=com
2019-06-04 14:02:57,541+0000 DEBUG otopi.plugins.otopi.dialog.human human.queryString:159 query OVAAALDAP_LDAP_PASSWORD
2019-06-04 14:02:57,541+0000 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:SEND                 Enter search user password:
2019-06-04 14:03:00,713+0000 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._bindLDAP:478 Attempting to bind using 'uid=da-dstojchev,ou=Users,dc=example,dc=com'
2019-06-04 14:03:00,862+0000 ERROR otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._customization_late:835 Cannot authenticate using 'uid=da-dstojchev,ou=Users,dc=example,dc=com': {'info': '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1', 'desc': 'Invalid credentials'}
2019-06-04 14:03:00,863+0000 DEBUG otopi.plugins.otopi.dialog.human human.queryString:159 query OVAAALDAP_LDAP_USER
2019-06-04 14:03:00,863+0000 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:SEND                 Enter search user DN (for example uid=username,dc=example,dc=com or leave empty for anonymous):
2019-06-04 14:03:27,376+0000 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:RECEIVE    uid=openstack-test,ou=ABC Users,dc=example,dc=com
2019-06-04 14:03:27,376+0000 DEBUG otopi.plugins.otopi.dialog.human human.queryString:159 query OVAAALDAP_LDAP_PASSWORD
2019-06-04 14:03:27,377+0000 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:SEND                 Enter search user password:
2019-06-04 14:03:30,616+0000 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._bindLDAP:478 Attempting to bind using 'uid=**FILTERED**,ou=ABC Users,dc=example,dc=com'
2019-06-04 14:03:30,763+0000 ERROR otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._customization_late:835 Cannot authenticate using 'uid=**FILTERED**,ou=ABC Users,dc=example,dc=com': {'info': '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1', 'desc': 'Invalid credentials'}
2019-06-04 14:03:30,764+0000 DEBUG otopi.plugins.otopi.dialog.human human.queryString:159 query OVAAALDAP_LDAP_USER
2019-06-04 14:03:30,764+0000 DEBUG otopi.plugins.otopi.dialog.human dialog.__logString:204 DIALOG:SEND                 Enter search user DN (for example uid=username,dc=example,dc=com or leave empty for anonymous):
2019-06-04 14:03:41,055+0000 DEBUG otopi.context context._executeMethod:145 method exception
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/otopi/context.py", line 132, in _executeMethod
    method['method']()
  File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 812, in _customization_late
    default='',
  File "/usr/share/otopi/plugins/otopi/dialog/human.py", line 211, in queryString
    value = self._readline(hidden=hidden)
  File "/usr/lib/python2.7/site-packages/otopi/dialog.py", line 246, in _readline
    value = self.__input.readline()
  File "/usr/lib/python2.7/site-packages/otopi/main.py", line 53, in _signal
    raise RuntimeError("SIG%s" % signum)
RuntimeError: SIG2
2019-06-04 14:03:41,057+0000 ERROR otopi.context context._executeMethod:154 Failed to execute stage 'Environment customization': SIG2
2019-06-04 14:03:41,057+0000 DEBUG otopi.context context.dumpEnvironment:731 ENVIRONMENT DUMP – BEGIN
```

This is a fresh install of oVirt 4.3.3 latest, assigned for our prod env.

Kindly awaiting your reply,

Marko Vrgotic

ActiveVideo
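
Added example, not part of the original message and not oVirt project code: a small triage script that pulls failed binds out of an aaa-ldap setup log in the format quoted above and decodes the Active Directory `data` sub-code (a hexadecimal Win32 logon error). The function name, the result fields and the two sample lines are assumptions made for illustration.

```python
import re

# Win32 logon error sub-codes (hex) that Active Directory places in the
# "data" field when an LDAP bind fails with result 49 (invalid credentials).
AD_BIND_SUBCODES = {
    "525": "account does not exist",
    "52e": "unknown user name or bad password",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must change password",
    "775": "account locked out",
}

# Matches the otopi ERROR line format shown in the log above.
FAIL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) ERROR \S+ \S+ Cannot authenticate using "
    r"'(?P<dn>[^']*)': .*?AcceptSecurityContext error, data (?P<code>[0-9a-fA-F]+),"
)

def triage_bind_failures(log_text):
    """Return one dict per failed bind found in an aaa-ldap setup log."""
    findings = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line.strip())
        if not m:
            continue
        code = m.group("code").lower()
        findings.append({
            "time": m.group("ts"),
            "bind_dn": m.group("dn"),
            "rdn_attr": m.group("dn").split("=", 1)[0].strip().lower(),
            "subcode": code,
            "win32_error": int(code, 16),  # e.g. 0x52e == 1326
            "meaning": AD_BIND_SUBCODES.get(code, "unknown sub-code"),
        })
    return findings

# Constructed sample lines in the same format (DNs and the second sub-code are made up).
SAMPLE_LOG = """\
2019-06-04 14:03:00,862+0000 ERROR otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._customization_late:835 Cannot authenticate using 'uid=user1,ou=Users,dc=example,dc=com': {'info': '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1', 'desc': 'Invalid credentials'}
2019-06-04 14:05:00,001+0000 ERROR otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._customization_late:835 Cannot authenticate using 'cn=user2,ou=Users,dc=example,dc=com': {'info': '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1', 'desc': 'Invalid credentials'}
"""

if __name__ == "__main__":
    for f in triage_bind_failures(SAMPLE_LOG):
        print(f["time"], f["bind_dn"], f["subcode"], f["win32_error"], f["meaning"])
```

Sub-code `52e` covers both an unknown user name and a bad password, so on its own it does not say which of the two the directory rejected.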