Error authenticating bind using the AAA OpenLDAP module

Good afternoon,

We cannot access oVirt using LDAP authentication against our OpenLDAP server. We created the following files in /etc/ovirt-engine/extensions.d (the organization name is not example.org and the passwords are not XXXXXXXX, obviously):

----------- /etc/ovirt-engine/extensions.d/ldap.example.org -----------
include = <openldap_example.properties>

vars.server = ldap1.example.org
vars.user = cn=authenticate,ou=System,dc=example,dc=org
vars.password = "XXXXXXXX"

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = /etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
pool.default.ssl.truststore.password = XXXXXXXX

----------- /etc/ovirt-engine/extensions.d/authn-ldap.example.org.properties -----------
ovirt.engine.extension.name = authn-ldap.example.org
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = ldap.example.org
ovirt.engine.aaa.authn.authz.plugin = authz-ldap.example.org
config.profile.file.1 = /etc/ovirt-engine/extensions.d/ldap.example.org

----------- /etc/ovirt-engine/extensions.d/authz-ldap.example.org.properties -----------
ovirt.engine.extension.name = authz-ldap.example.org
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/extensions.d/ldap.example.org
------------------------------------------------

After all of this we restarted the service and tried to access it via the administration portal. The JKS has the right permissions and contains the TLS CA, the password is correct and the user "esthera" exists. But when we try to log in, we obtain the following error in the engine.log (we already set the verbosity to ALL):

------------------------------------------------
2015-01-14 16:35:25,750 ERROR [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-6) Error during CanDoActionFailure.: Class: class org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException Input: {Extkey[name=AAA_AUTHN_CREDENTIALS;type=class java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-4bb5-4592-8167-810a5c909706];]=***, Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0, Extkey[name=EXTENSION_LICENSE;type=class java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL 2.0, Extkey[name=EXTENSION_NOTES;type=class java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6, Extkey[name=EXTENSION_HOME_URL;type=class java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]=http://www.ovirt.org, Extkey[name=EXTENSION_LOCALE;type=class java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US, Extkey[name=EXTENSION_NAME;type=class java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn, Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0, Extkey[name=EXTENSION_CONFIGURATION;type=class java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***, Extkey[name=EXTENSION_AUTHOR;type=class java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The oVirt Project, Extkey[name=EXTENSION_INSTANCE_NAME;type=class java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=authn-ldap.example.org, Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0, Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface java.util.Collection;uuid=EXTENSION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[], Extkey[name=AAA_AUTHN_CAPABILITIES;type=class java.lang.Long;uuid=AAA_AUTHN_CAPABILITIES[9d16bee3-10fd-46f2-83f9-3d3c54cf258d];]=12, Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*, Extkey[name=EXTENSION_VERSION;type=class java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8-8239-4bdb-ab1a-af9f779ce68c];]=1.0.0, Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.impl.Slf4jLogger(org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authn.authn-ldap.example.org), Extkey[name=EXTENSION_PROVIDES;type=interface java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.extensions.aaa.Authn]}, Extkey[name=AAA_AUTHN_USER;type=class java.lang.String;uuid=AAA_AUTHN_USER[1ceaba26-1bdc-4663-a3c6-5d926f9dd8f0];]=esthera, Extkey[name=EXTENSION_INVOKE_COMMAND;type=class org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHN_AUTHENTICATE_CREDENTIALS[d9605c75-6b43-4b00-b32c-06bdfa80244c]} Output: {Extkey[name=EXTENSION_INVOKE_RESULT;type=class java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2, Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=invalid credentials}
------------------------------------------------

Having a look at the LDAP log we see that there is an "invalid credentials" error while binding, but we are sure that the bind password is the right one. We already tried to set the bind password without quotes, but then the DN user appears as an empty string ("").

------------------------------------------------
[root@ldap1 ~]# grep $(grep 192.168.XX.X /var/log/ldap.log | tail -n 1 | cut -d: -f4 | cut -d\ -f2) /var/log/ldap.log
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 ACCEPT from IP=192.168.XX.X:39501 (IP=0.0.0.0:389)
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 STARTTLS
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 RESULT oid= err=0 text=
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 TLS established tls_ssf=128 ssf=128
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" method=128
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 RESULT tag=97 err=49 text=
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=2 UNBIND
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 closed
------------------------------------------------

By the way, the oVirt manager (ovmgr) machine can query the OpenLDAP server correctly and retrieves everything OK:

------------------------------------------------
[root@ovmgr extensions.d]# ldapsearch -ZZ -D cn=authenticate,ou=System,dc=example,dc=org -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=org> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# pic.es
dn: dc=example,dc=org
dc: pic
objectClass: top
objectClass: domain
------------------------------------------------

Did anybody have a similar problem? Is there anything that we didn't check?

Thanks in advance!

--
Bruno Rodríguez Rodríguez
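The slapd excerpt above is triaged by hand with a grep/cut pipeline keyed on the client IP. The following is an added example, not code from the thread or from oVirt or OpenLDAP: it parses slapd stats-log lines of the format quoted above, groups them by connection id, pairs every BIND with the RESULT that carries the same op number, and reports which DN got which LDAP result code (err=49 is invalidCredentials). It also flags simple binds that succeeded on a connection without STARTTLS, since those carried the password in clear. The first connection is the one from the thread (with a constructed IP); the second connection, its IP and the uid=esthera DN are constructed to show the contrasting cases.

```python
"""Triage OpenLDAP (slapd) stats-log lines for failed and cleartext binds.

Added example, not part of the mailing-list thread. Groups slapd log lines
by conn id, correlates BIND/RESULT by op number and classifies each bind.
"""
import re
from collections import OrderedDict, namedtuple

# LDAP result codes (RFC 4511) relevant to bind triage.
RESULT_CODES = {
    0: "success",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
}

Finding = namedtuple("Finding", "conn client dn kind code")

# Constructed sample modelled on the slapd lines quoted in the thread;
# the second connection, both IPs and the user DN are made up.
SAMPLE_LOG = """\
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 ACCEPT from IP=192.168.0.2:39501 (IP=0.0.0.0:389)
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 STARTTLS
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 RESULT oid= err=0 text=
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 TLS established tls_ssf=128 ssf=128
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" method=128
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 RESULT tag=97 err=49 text=
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=2 UNBIND
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 closed
Jan 14 16:36:01 ldap1 slapd[6712]: conn=1591409 fd=64 ACCEPT from IP=192.168.0.7:40112 (IP=0.0.0.0:389)
Jan 14 16:36:01 ldap1 slapd[6712]: conn=1591409 op=0 BIND dn="uid=esthera,ou=People,dc=example,dc=org" method=128
Jan 14 16:36:01 ldap1 slapd[6712]: conn=1591409 op=0 BIND dn="uid=esthera,ou=People,dc=example,dc=org" mech=SIMPLE ssf=0
Jan 14 16:36:01 ldap1 slapd[6712]: conn=1591409 op=0 RESULT tag=97 err=0 text=
Jan 14 16:36:01 ldap1 slapd[6712]: conn=1591409 op=1 UNBIND
Jan 14 16:36:01 ldap1 slapd[6712]: conn=1591409 fd=64 closed
"""

CONN_RE = re.compile(r"conn=(?P<conn>\d+) (?P<rest>.*)$")
ACCEPT_RE = re.compile(r"ACCEPT from IP=(?P<ip>[^:\s]+):(?P<port>\d+)")  # IPv4 only
TLS_RE = re.compile(r"TLS established tls_ssf=(?P<ssf>\d+)")
# The first BIND line of a simple bind carries method=128; the "mech=SIMPLE" line
# slapd adds on success is deliberately not matched, so each bind is counted once.
BIND_RE = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
RESULT_RE = re.compile(r"op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)")  # tag 97 = BindResponse


def parse_slapd_log(text):
    """Return {conn_id: {"client": ip, "tls": bool, "binds": [{"op", "dn", "err"}]}}."""
    conns = OrderedDict()
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        conn = conns.setdefault(m.group("conn"), {"client": None, "tls": False, "binds": []})
        rest = m.group("rest")
        accept = ACCEPT_RE.search(rest)
        if accept:
            conn["client"] = accept.group("ip")
        elif TLS_RE.search(rest):
            conn["tls"] = True
        else:
            bind = BIND_RE.search(rest)
            if bind:
                conn["binds"].append({"op": int(bind.group("op")), "dn": bind.group("dn"), "err": None})
                continue
            result = RESULT_RE.search(rest)
            if result:
                op = int(result.group("op"))
                # Attach the BindResponse to the still-open bind with the same op number.
                for b in conn["binds"]:
                    if b["op"] == op and b["err"] is None:
                        b["err"] = int(result.group("err"))
                        break
    return conns


def bind_findings(conns):
    """Classify each bind: FAILED_BIND, CLEARTEXT_BIND (success without STARTTLS), OK or NO_RESULT."""
    findings = []
    for conn_id, c in conns.items():
        for b in c["binds"]:
            code = RESULT_CODES.get(b["err"], "unknown(%s)" % b["err"])
            if b["err"] is None:
                kind = "NO_RESULT"
            elif b["err"] != 0:
                kind = "FAILED_BIND"
            elif not c["tls"]:
                kind = "CLEARTEXT_BIND"
            else:
                kind = "OK"
            findings.append(Finding(conn_id, c["client"], b["dn"], kind, code))
    return findings


if __name__ == "__main__":
    for f in bind_findings(parse_slapd_log(SAMPLE_LOG)):
        print("conn=%s client=%s %-15s %-20s dn=%s" % (f.conn, f.client, f.kind, f.code, f.dn))
```

Run it against a real /var/log/ldap.log by replacing SAMPLE_LOG with the file contents; correlating on conn and op rather than on the client IP avoids picking up a neighbouring connection when several clients share an address (NAT, a second oVirt engine).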

Hi!

Great information!

I really need you to add the log for org.ovirt.engineextensions.aaa.ldap, see [1], so I can see the entire sequence.

You are trying to authenticate the esthera user; this results in a bind request using this user, so you should really try to see if the bind succeeds with this user and password.

$ ldapsearch -ZZ -D replace_with_esthera_DN -W -b 'dc=example,dc=org'

It may be that the password of the user is not set or is different from what you expect, or the schema is not openldap but rfc2307.

Alon

[1] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;...

----- Original Message -----
From: "Bruno Rodriguez" <bruno@pic.es>
To: users@ovirt.org, "Esther Accion" <esthera@pic.es>
Sent: Wednesday, January 14, 2015 5:53:06 PM
Subject: [ovirt-users] Error authenticating bind using the AAA OpenLDAP module
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users

Thank you very much for the fast reply!

I grepped "org.ovirt.engineextensions.aaa.ldap" in the engine log file, but I wasn't able to get enough information for me to know what the problem was...

2015-01-14 16:04:18,575 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-3) [ovirt-engine-extension-aaa-ldap.authz::authz-ldap.example.org] Creating LDAP pool 'authz'
2015-01-14 16:04:18,648 ERROR [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread 1-3) [ovirt-engine-extension-aaa-ldap.authz::authz-ldap.example.org] Cannot initialize LDAP framework, deferring initialization. Error: invalid credentials
2015-01-14 16:04:36,913 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-2) [ovirt-engine-extension-aaa-ldap.authn::authn-ldap.example.org] Creating LDAP pool 'authz'
2015-01-14 16:08:34,521 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-1) [ovirt-engine-extension-aaa-ldap.authn::authn-ldap.example.org] Creating LDAP pool 'authz'
2015-01-14 16:35:25,670 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-6) [ovirt-engine-extension-aaa-ldap.authn::authn-ldap.example.org] Creating LDAP pool 'authz'
2015-01-14 17:44:19,769 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-4) [ovirt-engine-extension-aaa-ldap.authn::authn-ldap.example.org] Creating LDAP pool 'authz'
2015-01-14 17:44:20,096 ERROR [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-4) [ovirt-engine-extension-aaa-ldap.authn::authn-ldap.example.org] Cannot initialize LDAP framework, deferring initialization. Error: invalid credentials
2015-01-14 17:44:20,105 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-4) [ovirt-engine-extension-aaa-ldap.authz::authz-ldap.example.org] Creating LDAP pool 'authz'
2015-01-14 17:44:20,178 ERROR [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread 1-4) [ovirt-engine-extension-aaa-ldap.authz::authz-ldap.example.org] Cannot initialize LDAP framework, deferring initialization. Error: invalid credentials

Thanks again.

On Wed, Jan 14, 2015 at 5:08 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
--
Bruno Rodríguez Rodríguez
PIC (Port d'Informació Científica)
Campus UAB, Edificio D
E-08193 Bellaterra, Barcelona
Tel: +34 93 581 33 22
"If Tetris has taught me anything, it is that mistakes pile up and triumphs disappear"
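The engine.log lines in the reply above mix two kinds of events: pool creation and "Cannot initialize LDAP framework" errors, logged from either a JBoss "MSC service thread" (the extension being loaded at engine start, before any portal login) or an "ajp--..." request thread (serving a login). The following is an added example, not from the thread or from the oVirt project: it parses those lines, keys them by extension instance (the part after "::" in the bracketed tag) and counts failures per phase. The point of the split is that at startup the only credentials the pool can present are the ones configured in the profile (pool.default.auth.simple.bindDN and its password), so a startup-time "invalid credentials" is attributable to that service account rather than to whichever portal user later tries to log in. The sample lines are the ones quoted in the reply; the function and field names are this example's own.

```python
"""Split oVirt engine.log AAA-LDAP framework messages by extension instance and phase.

Added example, not code from the thread or from oVirt. Counts pool creations
and initialization failures per extension instance, separating startup-time
failures (JBoss MSC service threads) from request-time ones (ajp threads).
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<level>\w+) \[(?P<logger>[^\]]+)\] "
    r"\((?P<thread>[^)]+)\) \[(?P<ext>[^\]]+)\] (?P<msg>.*)$"
)

# The org.ovirt.engineextensions.aaa.ldap lines quoted in the reply above.
SAMPLE_ENGINE_LOG = """\
2015-01-14 16:04:18,575 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-3) [ovirt-engine-extension-aaa-ldap.authz::authz-ldap.example.org] Creating LDAP pool 'authz'
2015-01-14 16:04:18,648 ERROR [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread 1-3) [ovirt-engine-extension-aaa-ldap.authz::authz-ldap.example.org] Cannot initialize LDAP framework, deferring initialization. Error: invalid credentials
2015-01-14 16:04:36,913 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-2) [ovirt-engine-extension-aaa-ldap.authn::authn-ldap.example.org] Creating LDAP pool 'authz'
2015-01-14 16:08:34,521 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-1) [ovirt-engine-extension-aaa-ldap.authn::authn-ldap.example.org] Creating LDAP pool 'authz'
2015-01-14 16:35:25,670 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-6) [ovirt-engine-extension-aaa-ldap.authn::authn-ldap.example.org] Creating LDAP pool 'authz'
2015-01-14 17:44:19,769 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-4) [ovirt-engine-extension-aaa-ldap.authn::authn-ldap.example.org] Creating LDAP pool 'authz'
2015-01-14 17:44:20,096 ERROR [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-4) [ovirt-engine-extension-aaa-ldap.authn::authn-ldap.example.org] Cannot initialize LDAP framework, deferring initialization. Error: invalid credentials
2015-01-14 17:44:20,105 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-4) [ovirt-engine-extension-aaa-ldap.authz::authz-ldap.example.org] Creating LDAP pool 'authz'
2015-01-14 17:44:20,178 ERROR [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread 1-4) [ovirt-engine-extension-aaa-ldap.authz::authz-ldap.example.org] Cannot initialize LDAP framework, deferring initialization. Error: invalid credentials
"""


def phase_of(thread):
    """JBoss MSC threads run service start/stop; ajp threads serve HTTP requests."""
    return "startup" if thread.startswith("MSC service thread") else "request"


def summarize(text):
    """Return {instance: {"pool_creations", "init_failures", "startup_failures", "errors"}}."""
    summary = defaultdict(lambda: {"pool_creations": 0, "init_failures": 0,
                                   "startup_failures": 0, "errors": set()})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # "[ovirt-engine-extension-aaa-ldap.authz::authz-ldap.example.org]" -> instance name
        instance = m.group("ext").split("::", 1)[-1]
        msg = m.group("msg")
        s = summary[instance]
        if "Creating LDAP pool" in msg:
            s["pool_creations"] += 1
        if "Cannot initialize LDAP framework" in msg:
            s["init_failures"] += 1
            if phase_of(m.group("thread")) == "startup":
                s["startup_failures"] += 1
            if "Error:" in msg:
                s["errors"].add(msg.split("Error:", 1)[1].strip())
    return dict(summary)


def instances_failing_at_startup(summary):
    """Instances whose configured pool bind failed while the engine was starting."""
    return sorted(i for i, s in summary.items() if s["startup_failures"] > 0)


if __name__ == "__main__":
    result = summarize(SAMPLE_ENGINE_LOG)
    for instance, s in sorted(result.items()):
        print("%-25s pools=%d failures=%d startup_failures=%d errors=%s"
              % (instance, s["pool_creations"], s["init_failures"],
                 s["startup_failures"], sorted(s["errors"])))
    print("service bind failing at startup:", instances_failing_at_startup(result))
```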

Hi,

On 01/14/2015 04:53 PM, Bruno Rodriguez wrote:
Good afternoon,
We cannot access to Ovirt using LDAP authentication against our openldap server. We created the following files in /etc/ovirt-engine/extensions.d (the organization name is not example.org <http://example.org> and the passwords are not XXXXXXXX, obviously) :
----------- /etc/ovirt-engine/extensions.d/ldap.example.org <http://ldap.example.org> -----------
include = <openldap_example.properties>
vars.server = ldap1.example.org <http://ldap1.example.org> vars.user = cn=authenticate,ou=System,dc=example,dc=org vars.password = "XXXXXXXX"
pool.default.serverset.single.server = ${global:vars.server} pool.default.auth.simple.bindDN = ${global:vars.user} pool.default.auth.simple.password = ${global:vars.password}
pool.default.ssl.startTLS = true pool.default.ssl.truststore.file = /etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks pool.default.ssl.truststore.password = XXXXXXXX
----------- /etc/ovirt-engine/extensions.d/authn-ldap.example.org.properties -----------
ovirt.engine.extension.name <http://ovirt.engine.extension.name> = authn-ldap.example.org <http://authn-ldap.example.org> ovirt.engine.extension.bindings.method = jbossmodule ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name <http://ovirt.engine.aaa.authn.profile.name> = ldap.example.org <http://ldap.example.org> ovirt.engine.aaa.authn.authz.plugin = authz-ldap.example.org <http://authz-ldap.example.org>
config.profile.file.1 = /etc/ovirt-engine/extensions.d/ldap.example.org <http://ldap.example.org>
----------- /etc/ovirt-engine/extensions.d/authz-ldap.example.org.properties -----------
ovirt.engine.extension.name <http://ovirt.engine.extension.name> = authz-ldap.example.org <http://authz-ldap.example.org> ovirt.engine.extension.bindings.method = jbossmodule ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz config.profile.file.1 = /etc/ovirt-engine/extensions.d/ldap.example.org <http://ldap.example.org>
------------------------------------------------
After all of this we restarted the service and tried to access via the administration portal. The JKS has the right permissions and contains the TLS CA, the password is correct and the user "esthera" exists. But when we try to log in, we obtain the following error in the engine.log (we already set the verbosity to ALL):
------------------------------------------------
2015-01-14 16:35:25,750 ERROR [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-6) Error during CanDoActionFailure.: Class: class org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException Input: {Extkey[name=AAA_AUTHN_CREDENTIALS;type=class java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-4bb5-4592-8167-810a5c909706];]=***, Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0, Extkey[name=EXTENSION_LICENSE;type=class java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL 2.0, Extkey[name=EXTENSION_NOTES;type=class java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6, Extkey[name=EXTENSION_HOME_URL;type=class java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]=http://www.ovirt.org, Extkey[name=EXTENSION_LOCALE;type=class java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US, Extkey[name=EXTENSION_NAME;type=class java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn, Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0, Extkey[name=EXTENSION_CONFIGURATION;type=class java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***, Extkey[name=EXTENSION_AUTHOR;type=class java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The oVirt Project, Extkey[name=EXTENSION_INSTANCE_NAME;type=class java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=authn-ldap.example.org, Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0, Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface java.util.Collection;uuid=EXTENSION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[], Extkey[name=AAA_AUTHN_CAPABILITIES;type=class java.lang.Long;uuid=AAA_AUTHN_CAPABILITIES[9d16bee3-10fd-46f2-83f9-3d3c54cf258d];]=12, Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*, Extkey[name=EXTENSION_VERSION;type=class java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8-8239-4bdb-ab1a-af9f779ce68c];]=1.0.0, Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.impl.Slf4jLogger(org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authn.authn-ldap.example.org), Extkey[name=EXTENSION_PROVIDES;type=interface java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.extensions.aaa.Authn]}, Extkey[name=AAA_AUTHN_USER;type=class java.lang.String;uuid=AAA_AUTHN_USER[1ceaba26-1bdc-4663-a3c6-5d926f9dd8f0];]=esthera, Extkey[name=EXTENSION_INVOKE_COMMAND;type=class org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHN_AUTHENTICATE_CREDENTIALS[d9605c75-6b43-4b00-b32c-06bdfa80244c]} Output: {Extkey[name=EXTENSION_INVOKE_RESULT;type=class java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2, Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=invalid credentials}
------------------------------------------------
Having a look at the LDAP log we see that there is an "invalid credentials" error while binding, but we are sure that the bind password is the right one. We already tried to set the bind password without quotes, but then the user DN appears as an empty string ("").
I think the problem is here. That's really strange, you have to use the password without quotes. Can you please try to set:
pool.default.auth.simple.bindDN = cn=authenticate,ou=System,dc=example,dc=org
pool.default.auth.simple.password = XXXXXX
just without the variables, and check if the DN is not empty now.
------------------------------------------------
[root@ldap1 ~]# grep $(grep 192.168.XX.X /var/log/ldap.log | tail -n 1 | cut -d: -f4 | cut -d\ -f2) /var/log/ldap.log
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 ACCEPT from IP=192.168.XX.X:39501 (IP=0.0.0.0:389)
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 STARTTLS
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 RESULT oid= err=0 text=
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 TLS established tls_ssf=128 ssf=128
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" method=128
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 RESULT tag=97 err=49 text=
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=2 UNBIND
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 closed
------------------------------------------------
By the way, the Ovirt manager (ovmgr) machine can query the openldap server correctly and retrieves everything OK:
------------------------------------------------
[root@ovmgr extensions.d]# ldapsearch -ZZ -D cn=authenticate,ou=System,dc=example,dc=org -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=org> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# pic.es
dn: dc=example,dc=org
dc: pic
objectClass: top
objectClass: domain
------------------------------------------------
Did anybody have a similar problem? Is there anything that we didn't check?
Thanks in advance!
-- Bruno Rodríguez Rodríguez
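Ondra's point above (the profile format takes a value verbatim, so a quoted password is bound with its quotes) and the empty bind DN Bruno reports can both be caught before restarting the engine. The following is an added example written for this page, not code from oVirt or from anyone in the thread: a small lint for a profile file in the `key = value` style shown above, with `${global:...}` references resolved. The sample profile is constructed from the one posted in the thread; treating an unresolvable reference as an empty string is an assumption made to model the empty DN seen in the slapd log, not documented behaviour of the aaa-ldap extension, and only the `startTLS` key used in the thread is checked for transport protection.

```python
import re

# Constructed sample, modelled on the profile posted at the top of the thread.
SAMPLE_PROFILE = """\
include = <openldap_example.properties>
vars.server = ldap1.example.org
vars.user = cn=authenticate,ou=System,dc=example,dc=org
vars.password = "XXXXXXXX"
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.ssl.startTLS = true
"""

# Constructed sample: the user variable is commented out but still referenced.
DANGLING_PROFILE = """\
vars.server = ldap1.example.org
#vars.user = cn=authenticate,ou=System,dc=example,dc=org
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = XXXXXXXXX
pool.default.ssl.startTLS = true
"""

BIND_DN = "pool.default.auth.simple.bindDN"
BIND_PW = "pool.default.auth.simple.password"
START_TLS = "pool.default.ssl.startTLS"
REF = re.compile(r"\$\{global:([^}]+)\}")


def parse_profile(text):
    """Read 'key = value' lines; blank lines and '#' comments are skipped.
    Values are kept verbatim: the format has no string literals, so
    surrounding quotes become part of the value that is sent to LDAP."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"not a 'key = value' line: {raw!r}")
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def resolve(props, key, _depth=0):
    """Expand ${global:name} references recursively. An undefined name
    expands to '' (assumption: this models the empty bind DN seen in the
    thread; it is not documented aaa-ldap behaviour)."""
    if _depth > 10:
        raise ValueError(f"reference loop while resolving {key}")
    value = props.get(key, "")
    return REF.sub(lambda m: resolve(props, m.group(1), _depth + 1), value)


def _is_quoted(value):
    return len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'"


def lint_profile(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    props = parse_profile(text)
    findings = []
    for key in (BIND_DN, BIND_PW):
        value = resolve(props, key)
        if value == "":
            findings.append(f"{key} resolves to an empty string: the engine "
                            "would attempt an anonymous bind")
        elif _is_quoted(value):
            findings.append(f"{key} is wrapped in quotes: the quotes would be "
                            "sent to the server as part of the value")
    # A simple bind without TLS puts the bind password on the wire in clear;
    # only the key the thread uses is checked here.
    if resolve(props, START_TLS).lower() != "true":
        findings.append(f"{START_TLS} is not 'true': the simple bind password "
                        "would cross the network unencrypted")
    return findings


if __name__ == "__main__":
    for name, profile in (("sample", SAMPLE_PROFILE), ("dangling", DANGLING_PROFILE)):
        print(name, lint_profile(profile) or ["no findings"])
```

Run against the first profile the lint reports only the quoted password; against the second it reports that the bind DN resolves to nothing, which is the state the later slapd log (`BIND dn="" ... err=48`) shows. A password that genuinely starts and ends with the same quote character will be flagged as a false positive, which is the trade-off for catching the case in this thread.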

Thank you very much, using the following ldap.example.org file:
---------------------
include = <openldap_example.properties>
include = <rfc2307.properties>
vars.server = ldap1.example.org
#vars.user = cn=authenticate,ou=System,dc=example,dc=org
#vars.password = XXXXXXXXX
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = cn=authenticate,ou=System,dc=example,dc=org
pool.default.auth.simple.password = XXXXXXXXX
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = /etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
pool.default.ssl.truststore.password = XXXXXXXXX
---------------------
Then I get the following in the engine log:
2015-01-15 10:04:15,250 ERROR [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-3) Error during CanDoActionFailure.: Class: class org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException Input: {Extkey[name=AAA_AUTHN_CREDENTIALS;type=class java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-4bb5-4592-8167-810a5c909706];]=***, Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0, Extkey[name=EXTENSION_LICENSE;type=class java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL 2.0, Extkey[name=EXTENSION_NOTES;type=class java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6, Extkey[name=EXTENSION_HOME_URL;type=class java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]=http://www.ovirt.org, Extkey[name=EXTENSION_LOCALE;type=class java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US, Extkey[name=EXTENSION_NAME;type=class java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn, Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0, Extkey[name=EXTENSION_CONFIGURATION;type=class java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***, Extkey[name=EXTENSION_AUTHOR;type=class java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The oVirt Project, Extkey[name=EXTENSION_INSTANCE_NAME;type=class java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=authn-ldap.example.org, Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0, Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface java.util.Collection;uuid=EXTENSION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[], Extkey[name=AAA_AUTHN_CAPABILITIES;type=class java.lang.Long;uuid=AAA_AUTHN_CAPABILITIES[9d16bee3-10fd-46f2-83f9-3d3c54cf258d];]=12, Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*, Extkey[name=EXTENSION_VERSION;type=class java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8-8239-4bdb-ab1a-af9f779ce68c];]=1.0.0, Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.impl.Slf4jLogger(org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authn.authn-ldap.example.org), Extkey[name=EXTENSION_PROVIDES;type=interface java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.extensions.aaa.Authn]}, Extkey[name=AAA_AUTHN_USER;type=class java.lang.String;uuid=AAA_AUTHN_USER[1ceaba26-1bdc-4663-a3c6-5d926f9dd8f0];]=bruno, Extkey[name=EXTENSION_INVOKE_COMMAND;type=class org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHN_AUTHENTICATE_CREDENTIALS[d9605c75-6b43-4b00-b32c-06bdfa80244c]} Output: {Extkey[name=EXTENSION_INVOKE_RESULT;type=class java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2, Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=anonymous bind disallowed}
-----------------------------------
And this is the ldap connection log:
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 fd=114 ACCEPT from IP=192.168.XX.XX:41469 (IP=0.0.0.0:389)
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0 EXT oid=1.3.6.1.4.1.1466.20037
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0 STARTTLS
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0 RESULT oid= err=0 text=
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 fd=114 TLS established tls_ssf=128 ssf=128
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" method=128
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" mech=SIMPLE ssf=0
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 RESULT tag=97 err=0 text=
-----------------------------------
It looks like it got the dn correctly but it's unable to bind anyway ...
Thank you,
Bruno
On Wed, Jan 14, 2015 at 5:50 PM, Ondra Machacek <omachace@redhat.com> wrote:
Hi,
On 01/14/2015 04:53 PM, Bruno Rodriguez wrote:
-- Bruno Rodríguez Rodríguez PIC (Port d'Informació Científica) Campus UAB, Edificio D E-08193 Bellaterra, Barcelona Tel: +34 93 581 33 22 "Si algo me ha enseñado el tetris, es que los errores se acumulan y los triunfos desaparecen"

Sorry, I forgot to restart the service. With the same ldap.example.org file, the REAL logs are the following:
-------------- ldap log --------------
Jan 15 10:23:52 ldap1 slapd[6712]: conn=1672935 fd=109 ACCEPT from IP=192.168.XX.XX:41522 (IP=0.0.0.0:389)
Jan 15 10:23:52 ldap1 slapd[6712]: conn=1672935 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan 15 10:23:52 ldap1 slapd[6712]: conn=1672935 op=0 STARTTLS
Jan 15 10:23:52 ldap1 slapd[6712]: conn=1672935 op=0 RESULT oid= err=0 text=
Jan 15 10:23:53 ldap1 slapd[6712]: conn=1672935 fd=109 TLS established tls_ssf=128 ssf=128
Jan 15 10:23:53 ldap1 slapd[6712]: conn=1672935 op=1 BIND dn="" method=128
Jan 15 10:23:53 ldap1 slapd[6712]: conn=1672935 op=1 RESULT tag=97 err=48 text=anonymous bind disallowed
Jan 15 10:23:53 ldap1 slapd[6712]: conn=1672935 op=2 UNBIND
Jan 15 10:23:53 ldap1 slapd[6712]: conn=1672935 fd=109 closed
-------------- engine log --------------
2015-01-15 10:23:53,010 ERROR [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-2) Error during CanDoActionFailure.: Class: class org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException Input: {Extkey[name=AAA_AUTHN_CREDENTIALS;type=class java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-4bb5-4592-8167-810a5c909706];]=***, Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0, Extkey[name=EXTENSION_LICENSE;type=class java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL 2.0, Extkey[name=EXTENSION_NOTES;type=class java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6, Extkey[name=EXTENSION_HOME_URL;type=class java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]=http://www.ovirt.org, Extkey[name=EXTENSION_LOCALE;type=class java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US, Extkey[name=EXTENSION_NAME;type=class java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn, Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0, Extkey[name=EXTENSION_CONFIGURATION;type=class java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***, Extkey[name=EXTENSION_AUTHOR;type=class java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The oVirt Project, Extkey[name=EXTENSION_INSTANCE_NAME;type=class java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=authn-ldap.example.org, Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0, Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface java.util.Collection;uuid=EXTENSION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[], Extkey[name=AAA_AUTHN_CAPABILITIES;type=class java.lang.Long;uuid=AAA_AUTHN_CAPABILITIES[9d16bee3-10fd-46f2-83f9-3d3c54cf258d];]=12, Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*, Extkey[name=EXTENSION_VERSION;type=class java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8-8239-4bdb-ab1a-af9f779ce68c];]=1.0.0, Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.impl.Slf4jLogger(org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authn.authn-ldap.example.org), Extkey[name=EXTENSION_PROVIDES;type=interface java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.extensions.aaa.Authn]}, Extkey[name=AAA_AUTHN_USER;type=class java.lang.String;uuid=AAA_AUTHN_USER[1ceaba26-1bdc-4663-a3c6-5d926f9dd8f0];]=esthera, Extkey[name=EXTENSION_INVOKE_COMMAND;type=class org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHN_AUTHENTICATE_CREDENTIALS[d9605c75-6b43-4b00-b32c-06bdfa80244c]} Output: {Extkey[name=EXTENSION_INVOKE_RESULT;type=class java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2, Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=anonymous bind disallowed}
As you can see, the engine tries to make an anonymous bind and it's unsuccessful...
Thank you very much (and sorry for the previous message),
Bruno
On Thu, Jan 15, 2015 at 10:20 AM, Bruno Rodriguez <bruno@pic.es> wrote:
Thank you very much,
using the following ldap.example.org file:
---------------------
include = <openldap_example.properties> include = <rfc2307.properties>
vars.server = ldap1.example.org #vars.user = cn=authenticate,ou=System,dc=example,dc=org #vars.password = XXXXXXXXX
pool.default.serverset.single.server = ${global:vars.server} pool.default.auth.simple.bindDN = cn=authenticate,ou=System,dc=example,dc=org pool.default.auth.simple.password = XXXXXXXXX
pool.default.ssl.startTLS = true pool.default.ssl.truststore.file = /etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks pool.default.ssl.truststore.password = XXXXXXXXX
---------------------
Then I get the following in the engine log:
2015-01-15 10:04:15,250 ERROR [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-3) Error during CanDoActionFailure.: Class: class org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException Input: {Extkey[name=AAA_AUTHN_CREDENTIALS;type=class java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-4bb5-4592-8167-810a5c909706];]=***, Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0, Extkey[name=EXTENSION_LICENSE;type=class java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL 2.0, Extkey[name=EXTENSION_NOTES;type=class java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6, Extkey[name=EXTENSION_HOME_URL;type=class java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]= http://www.ovirt.org,Extkey[name=EXTENSION_LOCALE;type=class java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US, Extkey[name=EXTENSION_NAME;type=class java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn, Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0, Extkey[name=EXTENSION_CONFIGURATION;type=class java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***, Extkey[name=EXTENSION_AUTHOR;type=class java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The oVirt Project, Extkey[name=EXTENSION_INSTANCE_NAME;type=class java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]= 
authn-ldap.example.org, Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0, Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface java.util.Collection;uuid=EXTENSION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[], Extkey[name=AAA_AUTHN_CAPABILITIES;type=class java.lang.Long;uuid=AAA_AUTHN_CAPABILITIES[9d16bee3-10fd-46f2-83f9-3d3c54cf258d];]=12, Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*, Extkey[name=EXTENSION_VERSION;type=class java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8-8239-4bdb-ab1a-af9f779ce68c];]=1.0.0, Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.impl.Slf4jLogger( org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authn.authn-ldap.example.org), Extkey[name=EXTENSION_PROVIDES;type=interface java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.extensions.aaa.Authn]}, Extkey[name=AAA_AUTHN_USER;type=class java.lang.String;uuid=AAA_AUTHN_USER[1ceaba26-1bdc-4663-a3c6-5d926f9dd8f0];]=bruno, Extkey[name=EXTENSION_INVOKE_COMMAND;type=class org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHN_AUTHENTICATE_CREDENTIALS[d9605c75-6b43-4b00-b32c-06bdfa80244c]} Output: {Extkey[name=EXTENSION_INVOKE_RESULT;type=class java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2, Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=anonymous bind disallowed}
-----------------------------------
And this is the ldap connection log:
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 fd=114 ACCEPT from IP=192.168.XX.XX:41469 (IP=0.0.0.0:389) /var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0 EXT oid=1.3.6.1.4.1.1466.20037 /var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0 STARTTLS /var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0 RESULT oid= err=0 text= /var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 fd=114 TLS established tls_ssf=128 ssf=128 /var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" method=128 /var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" mech=SIMPLE ssf=0 /var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 RESULT tag=97 err=0 text=
-----------------------------------
It looks like it got the dn correctly but it's unable to bind anyway ...
Thank you,
Bruno
On Wed, Jan 14, 2015 at 5:50 PM, Ondra Machacek <omachace@redhat.com> wrote:
Hi,
On 01/14/2015 04:53 PM, Bruno Rodriguez wrote:
Good afternoon,
We cannot access Ovirt using LDAP authentication against our openldap server. We created the following files in /etc/ovirt-engine/extensions.d (the organization name is not example.org and the passwords are not XXXXXXXX, obviously):
----------- /etc/ovirt-engine/extensions.d/ldap.example.org -----------
include = <openldap_example.properties>
vars.server = ldap1.example.org
vars.user = cn=authenticate,ou=System,dc=example,dc=org
vars.password = "XXXXXXXX"
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = /etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
pool.default.ssl.truststore.password = XXXXXXXX
----------- /etc/ovirt-engine/extensions.d/authn-ldap.example.org.properties -----------
ovirt.engine.extension.name = authn-ldap.example.org
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = ldap.example.org
ovirt.engine.aaa.authn.authz.plugin = authz-ldap.example.org
config.profile.file.1 = /etc/ovirt-engine/extensions.d/ldap.example.org
----------- /etc/ovirt-engine/extensions.d/authz-ldap.example.org.properties -----------
ovirt.engine.extension.name = authz-ldap.example.org
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/extensions.d/ldap.example.org
------------------------------------------------
After all of this we restarted the service and tried to access via the administration portal. The JKS has the right permissions and contains the TLS CA, the password is correct and the user "esthera" exists. But when we try to log in, we obtain the following error in the engine.log (we already set the verbosity to ALL):
------------------------------------------------
2015-01-14 16:35:25,750 ERROR [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-6) Error during CanDoActionFailure.: Class: class org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException Input: {Extkey[name=AAA_AUTHN_CREDENTIALS;type=class java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-4bb5-4592-8167-810a5c909706];]=***, Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0, Extkey[name=EXTENSION_LICENSE;type=class java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL 2.0, Extkey[name=EXTENSION_NOTES;type=class java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6, Extkey[name=EXTENSION_HOME_URL;type=class java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]=http://www.ovirt.org, Extkey[name=EXTENSION_LOCALE;type=class java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US, Extkey[name=EXTENSION_NAME;type=class java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn, Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0, Extkey[name=EXTENSION_CONFIGURATION;type=class java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***, Extkey[name=EXTENSION_AUTHOR;type=class java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The oVirt Project, Extkey[name=EXTENSION_INSTANCE_NAME;type=class java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=authn-ldap.example.org, Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0, Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface java.util.Collection;uuid=EXTENSION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[], Extkey[name=AAA_AUTHN_CAPABILITIES;type=class java.lang.Long;uuid=AAA_AUTHN_CAPABILITIES[9d16bee3-10fd-46f2-83f9-3d3c54cf258d];]=12, Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*, Extkey[name=EXTENSION_VERSION;type=class java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8-8239-4bdb-ab1a-af9f779ce68c];]=1.0.0, Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.impl.Slf4jLogger(org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authn.authn-ldap.example.org), Extkey[name=EXTENSION_PROVIDES;type=interface java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.extensions.aaa.Authn]}, Extkey[name=AAA_AUTHN_USER;type=class java.lang.String;uuid=AAA_AUTHN_USER[1ceaba26-1bdc-4663-a3c6-5d926f9dd8f0];]=esthera, Extkey[name=EXTENSION_INVOKE_COMMAND;type=class org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHN_AUTHENTICATE_CREDENTIALS[d9605c75-6b43-4b00-b32c-06bdfa80244c]} Output: {Extkey[name=EXTENSION_INVOKE_RESULT;type=class java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2, Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=invalid credentials}
------------------------------------------------
Having a look at the LDAP log we can see that there is an "invalid credentials" error while binding, but we are sure that the bind password is the right one. We already tried to set the bind password without quotes, but then the bind DN appeared as an empty string ("").
I think the problem is here. That's really strange; you have to use the password without quotes.
Can you please try to set:
pool.default.auth.simple.bindDN = cn=authenticate,ou=System,dc=example,dc=org
pool.default.auth.simple.password = XXXXXX
just without the variables, and see if the DN is not empty now.
------------------------------------------------
[root@ldap1 ~]# grep $(grep 192.168.XX.X /var/log/ldap.log | tail -n 1 | cut -d: -f4 | cut -d\  -f2) /var/log/ldap.log
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 ACCEPT from IP=192.168.XX.X:39501 (IP=0.0.0.0:389)
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 STARTTLS
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 RESULT oid= err=0 text=
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 TLS established tls_ssf=128 ssf=128
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" method=128
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 RESULT tag=97 err=49 text=
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=2 UNBIND
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 closed
------------------------------------------------
By the way, the Ovirt manager (ovmgr) machine can correctly query the openldap server and retrieves everything OK.
------------------------------------------------
[root@ovmgr extensions.d]# ldapsearch -ZZ -D cn=authenticate,ou=System,dc=example,dc=org -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=org> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# pic.es
dn: dc=example,dc=org
dc: pic
objectClass: top
objectClass: domain
------------------------------------------------
Did anybody have a similar problem? Is there anything that we didn't check?
Thanks in advance!
-- Bruno Rodríguez Rodríguez
PIC (Port d'Informació Científica)
Campus UAB, Edificio D
E-08193 Bellaterra, Barcelona
Tel: +34 93 581 33 22
"If Tetris has taught me anything, it is that mistakes pile up and triumphs disappear"
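The slapd excerpts pasted in this thread are the evidence everyone reasons from, so here is an added example (not code from the thread or from oVirt) that reads such "conn=N" lines per connection and names each bind's result code, which makes an err=49, a bind on a plaintext connection or an accepted anonymous bind stand out. The sample lines are constructed after the two excerpts above, with a third, invented connection added.

```python
"""Per-connection view of OpenLDAP (slapd) 'stats' log lines.

Added example, not code from the thread or from oVirt. slapd logs several lines per
connection keyed by conn=N (ACCEPT, STARTTLS, BIND, RESULT, closed); this groups them,
records whether TLS was established and how each BIND ended, and names the LDAP result
code so that err=49 reads as invalidCredentials. Sample lines are constructed after the
excerpts posted in the thread, with the client addresses masked as they were posted.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# LDAP resultCode values that matter when reading bind failures (RFC 4511, section 4.1.9).
RESULT_CODES = {0: "success", 7: "authMethodNotSupported", 13: "confidentialityRequired",
                48: "inappropriateAuthentication", 49: "invalidCredentials",
                50: "insufficientAccessRights", 53: "unwillingToPerform"}

# Optional "file:" prefix left by grep, syslog timestamp, host, slapd[pid], conn id, rest.
LINE_RE = re.compile(r"^(?:\S*\.log:)?(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
ACCEPT_RE = re.compile(r"fd=\d+ ACCEPT from IP=(?P<client>\S+)")
BIND_RE = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"(?: method=\d+)?'
                     r"(?: mech=(?P<mech>\S+) ssf=\d+)?")
RESULT_RE = re.compile(r"op=(?P<op>\d+) RESULT(?: tag=\d+)?(?: oid=\S*)? err=(?P<err>\d+)")

@dataclass
class Bind:
    op: int
    dn: str
    mech: str = ""             # from the second BIND line (mech=SIMPLE ssf=0)
    err: Optional[int] = None  # from the RESULT line of the same op

    @property
    def outcome(self) -> str:
        if self.err is None:
            return "no-result"
        if self.err == 0 and self.dn == "":
            return "anonymous"  # empty DN accepted: this server allows anonymous binds
        return RESULT_CODES.get(self.err, f"err={self.err}")

@dataclass
class Connection:
    conn: int
    client: str = ""
    tls: bool = False
    closed: bool = False
    binds: Dict[int, Bind] = field(default_factory=dict)  # keyed by op number

def parse_slapd_log(lines: Iterable[str]) -> Dict[int, Connection]:
    """Group slapd stats lines by conn id; lines that are not slapd stats are skipped."""
    conns: Dict[int, Connection] = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        conn = conns.setdefault(int(m["conn"]), Connection(int(m["conn"])))
        rest = m["rest"]
        if a := ACCEPT_RE.match(rest):
            conn.client = a["client"]
        elif "TLS established" in rest:
            conn.tls = True
        elif b := BIND_RE.match(rest):
            # slapd writes two BIND lines for one op (method=128, then mech=SIMPLE); merge them
            bind = conn.binds.setdefault(int(b["op"]), Bind(int(b["op"]), b["dn"]))
            bind.mech = b["mech"] or bind.mech
        elif r := RESULT_RE.match(rest):
            if bind := conn.binds.get(int(r["op"])):  # the STARTTLS op's RESULT has no bind
                bind.err = int(r["err"])
        elif rest.endswith(" closed"):
            conn.closed = True
    return conns

def suspicious_binds(conns: Dict[int, Connection]) -> List[dict]:
    """Every bind that is not a plain success: failures, anonymous binds, binds without RESULT."""
    return [{"conn": c.conn, "client": c.client, "tls": c.tls, "dn": b.dn, "outcome": b.outcome}
            for c in conns.values() for b in c.binds.values() if b.outcome != "success"]

# Constructed sample: the two connections from the thread, plus an invented third one
# showing what an accepted anonymous bind over a plaintext connection looks like.
SAMPLE_LOG = """\
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 ACCEPT from IP=192.168.XX.X:39501 (IP=0.0.0.0:389)
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 STARTTLS
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 RESULT oid= err=0 text=
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 TLS established tls_ssf=128 ssf=128
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" method=128
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 RESULT tag=97 err=49 text=
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 closed
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 fd=114 ACCEPT from IP=192.168.XX.XX:41469 (IP=0.0.0.0:389)
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 fd=114 TLS established tls_ssf=128 ssf=128
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" method=128
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" mech=SIMPLE ssf=0
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 RESULT tag=97 err=0 text=
Jan 15 10:04:16 ldap1 slapd[6712]: conn=1671351 fd=115 ACCEPT from IP=192.168.XX.XX:41470 (IP=0.0.0.0:389)
Jan 15 10:04:16 ldap1 slapd[6712]: conn=1671351 op=0 BIND dn="" method=128
Jan 15 10:04:16 ldap1 slapd[6712]: conn=1671351 op=0 RESULT tag=97 err=0 text=
"""
```

Running suspicious_binds(parse_slapd_log(SAMPLE_LOG.splitlines())) reports the err=49 bind from the first excerpt and the invented anonymous bind, while the successful service-account bind from the second excerpt is left out.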

Can you try adding this line: pool.default.auth.type = simple to your prop file? Something like:
......
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.type = simple
pool.default.auth.simple.bindDN = cn=authenticate,ou=System,dc=example,dc=org
pool.default.auth.simple.password = XXXXXXXXX
........
Thanks,
Ondra
On 01/15/2015 10:20 AM, Bruno Rodriguez wrote:
Thank you very much,
using the following ldap.example.org file:
---------------------
include = <openldap_example.properties>
include = <rfc2307.properties>
vars.server = ldap1.example.org
#vars.user = cn=authenticate,ou=System,dc=example,dc=org
#vars.password = XXXXXXXXX
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = cn=authenticate,ou=System,dc=example,dc=org
pool.default.auth.simple.password = XXXXXXXXX
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = /etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
pool.default.ssl.truststore.password = XXXXXXXXX
---------------------
Then I get the following in the engine log:
2015-01-15 10:04:15,250 ERROR [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-3) Error during CanDoActionFailure.: Class: class org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException Input: {Extkey[name=AAA_AUTHN_CREDENTIALS;type=class java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-4bb5-4592-8167-810a5c909706];]=***, Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0, Extkey[name=EXTENSION_LICENSE;type=class java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL 2.0, Extkey[name=EXTENSION_NOTES;type=class java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6, Extkey[name=EXTENSION_HOME_URL;type=class java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]=http://www.ovirt.org, Extkey[name=EXTENSION_LOCALE;type=class java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US, Extkey[name=EXTENSION_NAME;type=class java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn, Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0, Extkey[name=EXTENSION_CONFIGURATION;type=class java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***, Extkey[name=EXTENSION_AUTHOR;type=class java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The oVirt Project, Extkey[name=EXTENSION_INSTANCE_NAME;type=class java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=authn-ldap.example.org, Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0, Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface java.util.Collection;uuid=EXTENSION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[], Extkey[name=AAA_AUTHN_CAPABILITIES;type=class java.lang.Long;uuid=AAA_AUTHN_CAPABILITIES[9d16bee3-10fd-46f2-83f9-3d3c54cf258d];]=12, Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*, Extkey[name=EXTENSION_VERSION;type=class java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8-8239-4bdb-ab1a-af9f779ce68c];]=1.0.0, Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.impl.Slf4jLogger(org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authn.authn-ldap.example.org), Extkey[name=EXTENSION_PROVIDES;type=interface java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.extensions.aaa.Authn]}, Extkey[name=AAA_AUTHN_USER;type=class java.lang.String;uuid=AAA_AUTHN_USER[1ceaba26-1bdc-4663-a3c6-5d926f9dd8f0];]=bruno, Extkey[name=EXTENSION_INVOKE_COMMAND;type=class org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHN_AUTHENTICATE_CREDENTIALS[d9605c75-6b43-4b00-b32c-06bdfa80244c]} Output: {Extkey[name=EXTENSION_INVOKE_RESULT;type=class java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2, Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=anonymous bind disallowed}
-----------------------------------
And this is the ldap connection log:
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 fd=114 ACCEPT from IP=192.168.XX.XX:41469 (IP=0.0.0.0:389)
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0 EXT oid=1.3.6.1.4.1.1466.20037
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0 STARTTLS
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0 RESULT oid= err=0 text=
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 fd=114 TLS established tls_ssf=128 ssf=128
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" method=128
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" mech=SIMPLE ssf=0
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 RESULT tag=97 err=0 text=
-----------------------------------
It looks like it got the dn correctly but it's unable to bind anyway ...
Thank you,
Bruno
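The replies in this thread all turn on how the profile file is written: a password in quotes, ${global:...} variables versus literal values, and whether a pool.default.auth.type = simple line is present. As an added example that is not the oVirt extension's own parser, the Python below reads a profile in the key = value form shown above, resolves ${global:NAME} against the profile's own keys (an assumption about the format that is enough for these files; the real extension supports more) and reports those pitfalls over three constructed profiles.

```python
"""Lint an oVirt aaa-ldap profile for the pitfalls this thread turns up.

Added example, not code from the thread or from the oVirt project. It reads the
'key = value' profile format shown above, records include lines, resolves
${global:NAME} references against the profile's own keys (the only substitution
form used in the thread; the real extension supports more) and reports what the
replies point at: a quoted password, a reference to an undefined variable, a bind
DN that resolves to nothing and a missing pool.default.auth.type.
"""
import re
from typing import Dict, List, Tuple

REF_RE = re.compile(r"\$\{global:([^}]+)\}")

def parse_profile(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (properties, includes); '#' comments and blank lines are skipped."""
    props: Dict[str, str] = {}
    includes: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only: DNs contain '='
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "include":
            includes.append(value.strip("<>"))
        else:
            props[key] = value
    return props, includes

def resolve(props: Dict[str, str], key: str, depth: int = 5) -> str:
    """Expand ${global:NAME} references in props[key]; an undefined NAME expands to ''."""
    value = props.get(key, "")
    for _ in range(depth):  # bounded, so a self-referencing variable cannot loop forever
        m = REF_RE.search(value)
        if m is None:
            break
        value = value[: m.start()] + props.get(m.group(1), "") + value[m.end():]
    return value

def lint_profile(text: str) -> List[str]:
    """Findings for one profile, each as 'key: problem', in a fixed order."""
    props, includes = parse_profile(text)
    findings: List[str] = []
    if not includes:
        findings.append("include: no base profile included")
    for key, value in props.items():
        for name in REF_RE.findall(value):
            if name not in props:
                findings.append(f"{key}: ${{global:{name}}} is not defined")
    if resolve(props, "pool.default.auth.type") == "":
        findings.append("pool.default.auth.type: not set (the reply suggests 'simple')")
    bind_dn_key = "pool.default.auth.simple.bindDN"
    if bind_dn_key in props and resolve(props, bind_dn_key) == "":
        findings.append(f"{bind_dn_key}: resolves to an empty string")
    password = resolve(props, "pool.default.auth.simple.password")
    if len(password) >= 2 and password[0] == password[-1] == '"':
        findings.append("pool.default.auth.simple.password: quoted; the reply says to drop the quotes")
    return findings

# Constructed profiles modelled on the ones in the thread; passwords are placeholders.
FIRST_ATTEMPT = """\
include = <openldap_example.properties>
vars.server = ldap1.example.org
vars.user = cn=authenticate,ou=System,dc=example,dc=org
vars.password = "XXXXXXXX"
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.ssl.startTLS = true
"""

# vars.user commented out but still referenced: the bind DN resolves to "".
EMPTY_DN = """\
include = <openldap_example.properties>
vars.server = ldap1.example.org
#vars.user = cn=authenticate,ou=System,dc=example,dc=org
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = XXXXXXXX
"""

# The shape of the suggestion in the reply: auth.type set, DN and password literal.
SUGGESTED = """\
include = <openldap_example.properties>
include = <rfc2307.properties>
vars.server = ldap1.example.org
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.type = simple
pool.default.auth.simple.bindDN = cn=authenticate,ou=System,dc=example,dc=org
pool.default.auth.simple.password = XXXXXXXX
pool.default.ssl.startTLS = true
"""
```

lint_profile(FIRST_ATTEMPT) flags the quoted password and the missing auth.type, lint_profile(EMPTY_DN) additionally reports the reference to the commented-out vars.user and the empty bind DN, and lint_profile(SUGGESTED) returns no findings.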

----- Original Message -----
From: "Bruno Rodriguez" <bruno@pic.es>
To: "Ondra Machacek" <omachace@redhat.com>
Cc: "Esther Accion" <esthera@pic.es>, users@ovirt.org
Sent: Thursday, January 15, 2015 11:20:57 AM
Subject: Re: [ovirt-users] Error authenticating bind using the AAA OpenLDAP module
Thank you very much,
using the following ldap.example.org file:
---------------------
include = <openldap_example.properties>
include = <rfc2307.properties>
What do you have in openldap_example.properties?
vars.server = ldap1.example.org
#vars.user = cn=authenticate,ou=System,dc=example,dc=org
#vars.password = XXXXXXXXX
Why have you commented out the vars? You should have just removed the quotes from vars.password and kept the rest below as-is.
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = cn=authenticate,ou=System,dc=example,dc=org
pool.default.auth.simple.password = XXXXXXXXX
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = /etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
pool.default.ssl.truststore.password = XXXXXXXXX
---------------------
Then I get the following in the engine log:
2015-01-15 10:04:15,250 ERROR [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-3) Error during CanDoActionFailure.: Class: class org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException Input: {Extkey[name=AAA_AUTHN_CREDENTIALS;type=class java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-4bb5-4592-8167-810a5c909706];]=***, Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0, Extkey[name=EXTENSION_LICENSE;type=class java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL 2.0, Extkey[name=EXTENSION_NOTES;type=class java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6, Extkey[name=EXTENSION_HOME_URL;type=class java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]=http://www.ovirt.org, Extkey[name=EXTENSION_LOCALE;type=class java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US, Extkey[name=EXTENSION_NAME;type=class java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn, Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0, Extkey[name=EXTENSION_CONFIGURATION;type=class java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***, Extkey[name=EXTENSION_AUTHOR;type=class java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The oVirt Project, Extkey[name=EXTENSION_INSTANCE_NAME;type=class java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=authn-ldap.example.org, Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0, Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface java.util.Collection;uuid=EXTENSION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[], Extkey[name=AAA_AUTHN_CAPABILITIES;type=class java.lang.Long;uuid=AAA_AUTHN_CAPABILITIES[9d16bee3-10fd-46f2-83f9-3d3c54cf258d];]=12, Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*, Extkey[name=EXTENSION_VERSION;type=class java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8-8239-4bdb-ab1a-af9f779ce68c];]=1.0.0, Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.impl.Slf4jLogger(org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authn.authn-ldap.example.org), Extkey[name=EXTENSION_PROVIDES;type=interface java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.extensions.aaa.Authn]}, Extkey[name=AAA_AUTHN_USER;type=class java.lang.String;uuid=AAA_AUTHN_USER[1ceaba26-1bdc-4663-a3c6-5d926f9dd8f0];]=bruno, Extkey[name=EXTENSION_INVOKE_COMMAND;type=class org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHN_AUTHENTICATE_CREDENTIALS[d9605c75-6b43-4b00-b32c-06bdfa80244c]} Output: {Extkey[name=EXTENSION_INVOKE_RESULT;type=class java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2, Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=anonymous bind disallowed}
error: anonymous bind disallowed can you please enable debug per what I instructed last time and send a complete log?
-----------------------------------
And this is the ldap connection log:
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 fd=114 ACCEPT from IP=192.168.XX.XX:41469 (IP=0.0.0.0:389)
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0 EXT oid=1.3.6.1.4.1.1466.20037
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0 STARTTLS
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0 RESULT oid= err=0 text=
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 fd=114 TLS established tls_ssf=128 ssf=128
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" method=128
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" mech=SIMPLE ssf=0
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 RESULT tag=97 err=0 text=
-----------------------------------
It looks like it got the DN correctly but it's unable to bind anyway...
Thank you,
Bruno
On Wed, Jan 14, 2015 at 5:50 PM, Ondra Machacek <omachace@redhat.com> wrote:
Hi,
On 01/14/2015 04:53 PM, Bruno Rodriguez wrote:
Good afternoon,
We cannot access oVirt using LDAP authentication against our openldap server. We created the following files in /etc/ovirt-engine/extensions.d (the organization name is not example.org and the passwords are not XXXXXXXX, obviously):
----------- /etc/ovirt-engine/extensions.d/ldap.example.org -----------
include = <openldap_example.properties>
vars.server = ldap1.example.org
vars.user = cn=authenticate,ou=System,dc=example,dc=org
vars.password = "XXXXXXXX"
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = /etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
pool.default.ssl.truststore.password = XXXXXXXX
----------- /etc/ovirt-engine/extensions.d/authn-ldap.example.org.properties -----------
ovirt.engine.extension.name = authn-ldap.example.org
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = ldap.example.org
ovirt.engine.aaa.authn.authz.plugin = authz-ldap.example.org
config.profile.file.1 = /etc/ovirt-engine/extensions.d/ldap.example.org
----------- /etc/ovirt-engine/extensions.d/authz-ldap.example.org.properties -----------
ovirt.engine.extension.name = authz-ldap.example.org
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/extensions.d/ldap.example.org
------------------------------------------------
After all of this we restarted the service and tried to access via the administration portal. The JKS has the right permissions and contains the TLS CA, the password is correct and the user "esthera" exists. But when we try to log in, we obtain the following error in the engine.log (we already set the verbosity to ALL):
------------------------------------------------
2015-01-14 16:35:25,750 ERROR [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-6) Error during CanDoActionFailure.: Class: class org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException Input: {Extkey[name=AAA_AUTHN_CREDENTIALS;type=class java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-4bb5-4592-8167-810a5c909706];]=***, Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0, Extkey[name=EXTENSION_LICENSE;type=class java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL 2.0, Extkey[name=EXTENSION_NOTES;type=class java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6, Extkey[name=EXTENSION_HOME_URL;type=class java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]=http://www.ovirt.org, Extkey[name=EXTENSION_LOCALE;type=class java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US, Extkey[name=EXTENSION_NAME;type=class java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn, Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0, Extkey[name=EXTENSION_CONFIGURATION;type=class java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***, Extkey[name=EXTENSION_AUTHOR;type=class java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The oVirt Project, Extkey[name=EXTENSION_INSTANCE_NAME;type=class java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=authn-ldap.example.org, Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0, Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface java.util.Collection;uuid=EXTENSION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[], Extkey[name=AAA_AUTHN_CAPABILITIES;type=class java.lang.Long;uuid=AAA_AUTHN_CAPABILITIES[9d16bee3-10fd-46f2-83f9-3d3c54cf258d];]=12, Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*, Extkey[name=EXTENSION_VERSION;type=class java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8-8239-4bdb-ab1a-af9f779ce68c];]=1.0.0, Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.impl.Slf4jLogger(org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authn.authn-ldap.example.org), Extkey[name=EXTENSION_PROVIDES;type=interface java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.extensions.aaa.Authn]}, Extkey[name=AAA_AUTHN_USER;type=class java.lang.String;uuid=AAA_AUTHN_USER[1ceaba26-1bdc-4663-a3c6-5d926f9dd8f0];]=esthera, Extkey[name=EXTENSION_INVOKE_COMMAND;type=class org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHN_AUTHENTICATE_CREDENTIALS[d9605c75-6b43-4b00-b32c-06bdfa80244c]} Output: {Extkey[name=EXTENSION_INVOKE_RESULT;type=class java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2, Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=invalid credentials}
------------------------------------------------
Having a look at the LDAP log we see that there is an "invalid credentials" error while binding, but we are sure that the bind password is the right one. We already tried to set the bind password without quotes, but then the user DN appears as an empty string ("").
I think the problem is here. That's really strange; you have to use the password without quotes.
Can you please try to set:
pool.default.auth.simple.bindDN = cn=authenticate,ou=System,dc=example,dc=org
pool.default.auth.simple.password = XXXXXX
just without the variables, and see if the DN is not empty now.
------------------------------------------------
[root@ldap1 ~]# grep $(grep 192.168.XX.X /var/log/ldap.log | tail -n 1 | cut -d: -f4 | cut -d\ -f2) /var/log/ldap.log
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 ACCEPT from IP=192.168.XX.X:39501 (IP=0.0.0.0:389)
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 STARTTLS
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 RESULT oid= err=0 text=
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 TLS established tls_ssf=128 ssf=128
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" method=128
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 RESULT tag=97 err=49 text=
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=2 UNBIND
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 closed
------------------------------------------------
By the way, the oVirt manager (ovmgr) machine can query the openldap server correctly and retrieves everything OK.
------------------------------------------------
[root@ovmgr extensions.d]# ldapsearch -ZZ -D cn=authenticate,ou=System,dc=example,dc=org -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=org> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# pic.es
dn: dc=example,dc=org
dc: pic
objectClass: top
objectClass: domain
------------------------------------------------
Did anybody have a similar problem? Is there anything that we didn't check?
Thanks in advance!
-- Bruno Rodríguez Rodríguez
PIC (Port d'Informació Científica) Campus UAB, Edificio D E-08193 Bellaterra, Barcelona Tel: +34 93 581 33 22
"If Tetris has taught me anything, it's that mistakes pile up and triumphs disappear"
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
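As an added example (not code from the thread or from oVirt), here is a small Python triage script for slapd logs like the two excerpts above: it tracks, per connection, whether STARTTLS completed before the simple bind and translates the RESULT err= code, so the Jan 14 err=49 and the Jan 15 err=0 read as invalidCredentials and success at a glance. The sample log is constructed; its third connection (an anonymous bind rejected with err=48) is added to show the empty-DN path the thread kept circling.

```python
"""Triage slapd connection-log excerpts like the two quoted in this thread.

Added example, not code from the thread or from oVirt. Lines are grouped by
conn= id; for each simple BIND we record whether TLS was already established
(otherwise the password crossed the wire in clear text) and map the RESULT
err= code to its RFC 4511 name. The sample log is constructed: the first two
connections mirror the Jan 14 (err=49) and Jan 15 (err=0) excerpts, the
third is an added anonymous bind to show the empty-DN path.
"""
import re
from collections import defaultdict

# Bind resultCode values that matter for this triage (RFC 4511, appendix A).
RESULT_CODES = {
    0: "success",
    13: "confidentialityRequired",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
}

CONN_RE = re.compile(r"conn=(?P<conn>\d+) (?P<rest>.*)$")
# Only the first BIND line of an op carries method=; method=128 is a simple bind.
BIND_RE = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
RESULT_RE = re.compile(r"op=(?P<op>\d+) RESULT (?:oid=\S*\s+|tag=\d+\s+)?err=(?P<err>\d+)")

# Constructed sample: conn 1591408 and 1671350 mirror the thread, 1671351 is added.
SAMPLE_LOG = """\
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 ACCEPT from IP=192.168.1.2:39501 (IP=0.0.0.0:389)
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 STARTTLS
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 RESULT oid= err=0 text=
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 TLS established tls_ssf=128 ssf=128
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" method=128
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 RESULT tag=97 err=49 text=
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=2 UNBIND
Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 fd=114 ACCEPT from IP=192.168.1.2:41469 (IP=0.0.0.0:389)
Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0 STARTTLS
Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0 RESULT oid= err=0 text=
Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 fd=114 TLS established tls_ssf=128 ssf=128
Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" method=128
Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" mech=SIMPLE ssf=0
Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 RESULT tag=97 err=0 text=
Jan 15 10:04:16 ldap1 slapd[6712]: conn=1671351 fd=115 ACCEPT from IP=192.168.1.2:41470 (IP=0.0.0.0:389)
Jan 15 10:04:16 ldap1 slapd[6712]: conn=1671351 op=0 BIND dn="" method=128
Jan 15 10:04:16 ldap1 slapd[6712]: conn=1671351 op=0 RESULT tag=97 err=48 text=
"""


def triage(lines):
    """Return {conn_id: {"tls": bool, "binds": [bind records]}} for the given lines."""
    conns = defaultdict(lambda: {"tls": False, "binds": []})
    pending = {}  # (conn, op) -> bind record still waiting for its RESULT line
    for raw in lines:
        m = CONN_RE.search(raw)
        if not m:
            continue
        conn, rest = m.group("conn"), m.group("rest")
        state = conns[conn]
        if "TLS established" in rest:
            state["tls"] = True
            continue
        b = BIND_RE.search(rest)
        if b:
            rec = {
                "op": int(b.group("op")),
                "dn": b.group("dn"),
                "simple": b.group("method") == "128",
                "anonymous": b.group("dn") == "",
                "tls_before_bind": state["tls"],
                "err": None,
                "outcome": "no RESULT logged",
            }
            state["binds"].append(rec)
            pending[(conn, rec["op"])] = rec
            continue
        r = RESULT_RE.search(rest)
        if r and (conn, int(r.group("op"))) in pending:
            rec = pending.pop((conn, int(r.group("op"))))
            rec["err"] = int(r.group("err"))
            rec["outcome"] = RESULT_CODES.get(rec["err"], f"resultCode {rec['err']}")
    return dict(conns)


def findings(summary):
    """Plain-language findings per bind, in connection order."""
    out = []
    for conn, state in sorted(summary.items()):
        for b in state["binds"]:
            where = f"conn={conn} op={b['op']}"
            if b["anonymous"]:
                out.append(f"{where}: anonymous bind (empty DN): check that bindDN and "
                           "password resolve to non-empty values")
            elif b["simple"] and not b["tls_before_bind"]:
                out.append(f"{where}: simple bind for {b['dn']} before TLS: the password "
                           "crossed the wire in clear text")
            if b["err"] == 49:
                out.append(f"{where}: invalidCredentials for {b['dn']}: wrong DN or password "
                           "(a password kept inside quotes counts as wrong)")
            elif b["err"] == 0 and not b["anonymous"]:
                out.append(f"{where}: bind OK for {b['dn']}")
    return out


if __name__ == "__main__":
    for line in findings(triage(SAMPLE_LOG.splitlines())):
        print(line)
```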

On 01/15/2015 10:36 AM, Alon Bar-Lev wrote:
----- Original Message -----
From: "Bruno Rodriguez" <bruno@pic.es>
To: "Ondra Machacek" <omachace@redhat.com>
Cc: "Esther Accion" <esthera@pic.es>, users@ovirt.org
Sent: Thursday, January 15, 2015 11:20:57 AM
Subject: Re: [ovirt-users] Error authenticating bind using the AAA OpenLDAP module
Thank you very much,
using the following ldap.example.org file:
---------------------
include = <openldap_example.properties>
include = <rfc2307.properties>
what do you have in openldap_example.properties?
It seems you have specified anonymous bind in openldap_example.properties. You should probably try it with the original one (openldap.properties).
vars.server = ldap1.example.org
#vars.user = cn=authenticate,ou=System,dc=example,dc=org
#vars.password = XXXXXXXXX
Why have you commented out the vars? You should have just removed the quotes from vars.password and kept the lines below as-is.
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = cn=authenticate,ou=System,dc=example,dc=org
pool.default.auth.simple.password = XXXXXXXXX
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = /etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
pool.default.ssl.truststore.password = XXXXXXXXX
---------------------
Then I get the following in the engine log:
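As an added example, not the extension's own code: a Python linter for an aaa-ldap profile file. It implements the two profile features this thread leans on, `include = <name>` and `${global:key}` references, and then checks for the pitfalls that appear in the thread: a password kept inside quotes, a bindDN that resolves to an empty string because its var was commented out, a missing `pool.default.auth.type = simple` (the line whose absence turns out to be the root cause later in the thread), and startTLS without a truststore. The templates and profiles below are constructed stand-ins, and treating an unresolved `${global:...}` reference as an empty string is an assumption that matches the empty DN the thread observed.

```python
"""Lint an ovirt-engine-extension-aaa-ldap profile for the pitfalls in this thread.

Added example; not the extension's own parser. Handles `include = <name>` and
`${global:key}` references, then flags: quoted password, empty bindDN/password
(the anonymous-bind path), missing `pool.default.auth.type = simple`, and
startTLS without a truststore. All inputs are constructed stand-ins.
"""
import re

REF_RE = re.compile(r"\$\{global:([^}]+)\}")


def parse_properties(text):
    """Parse `key = value` lines ('#' lines are comments). Returns (props, includes)."""
    props, includes = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # split at the first '=' only: DNs contain '='
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "include":
            includes.append(value.strip("<>"))  # <name> refers to a bundled template
        else:
            props[key] = value
    return props, includes


def load_profile(text, templates):
    """Merge included templates first, then the profile itself (last definition wins)."""
    own, includes = parse_properties(text)
    merged = {}
    for name in includes:
        if name not in templates:
            raise FileNotFoundError(f"included template not available: {name}")
        merged.update(load_profile(templates[name], templates))
    merged.update(own)
    return merged


def resolve(props):
    """Expand ${global:key}. Assumption: an unresolved reference becomes '' (empty DN)."""
    def expand(value, depth=0):
        if depth > 10:  # guard against self-referencing vars
            return value
        return REF_RE.sub(lambda m: expand(props.get(m.group(1), ""), depth + 1), value)
    return {k: expand(v) for k, v in props.items()}


def lint(profile_text, templates):
    """Return a list of problem strings; an empty list means the checks passed."""
    cfg = resolve(load_profile(profile_text, templates))
    problems = []
    pw = cfg.get("pool.default.auth.simple.password", "")
    dn = cfg.get("pool.default.auth.simple.bindDN", "")
    if len(pw) >= 2 and pw[0] == pw[-1] and pw[0] in "\"'":
        problems.append("password is quoted: the quotes become part of the password (invalidCredentials)")
    if not dn or not pw:
        problems.append("bindDN or password resolves to empty: the pool would bind anonymously")
    if cfg.get("pool.default.auth.type") != "simple":
        problems.append("pool.default.auth.type is not 'simple': set it explicitly")
    if cfg.get("pool.default.ssl.startTLS", "false").lower() == "true" and not cfg.get("pool.default.ssl.truststore.file"):
        problems.append("startTLS enabled without a truststore: the server certificate cannot be verified")
    return problems


# Constructed stand-ins for the bundled templates (not the files shipped with the extension).
TEMPLATES = {
    "openldap.properties": "pool.default.auth.type = simple\n",
    "openldap_example.properties": "# local copy that lost the auth type line\n",
}

# Mirrors the first profile in the thread: password wrapped in quotes.
PROFILE_QUOTED = """\
include = <openldap.properties>
vars.server = ldap1.example.org
vars.user = cn=authenticate,ou=System,dc=example,dc=org
vars.password = "XXXXXXXX"
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = /etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
"""

# Mirrors the second attempt: vars commented out, local template, bindDN still referencing the var.
PROFILE_COMMENTED = """\
include = <openldap_example.properties>
vars.server = ldap1.example.org
#vars.user = cn=authenticate,ou=System,dc=example,dc=org
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = XXXXXXXX
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = /etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
"""

PROFILE_FIXED = PROFILE_QUOTED.replace('"XXXXXXXX"', "XXXXXXXX")

if __name__ == "__main__":
    for name, text in [("quoted", PROFILE_QUOTED), ("commented", PROFILE_COMMENTED), ("fixed", PROFILE_FIXED)]:
        print(name, lint(text, TEMPLATES) or ["no findings"])
```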

Thanks! Now it's working! The problem was the absence of the line:
pool.default.auth.type = simple
It's strange, I thought that the default auth type was set to simple and I didn't check it twice. After setting that, the problem has to do with an incorrect user/password, which is our problem because of the schema we are using (migrated from NIS some time ago). The openldap_example.properties actually was a copy of openldap.properties; I did it that way to customize it to our schema, but in the first instance it was a carbon copy of the original.
Thanks again!
Bruno
On Thu, Jan 15, 2015 at 10:43 AM, Ondra Machacek <omachace@redhat.com> wrote:
On 01/15/2015 10:36 AM, Alon Bar-Lev wrote:
----- Original Message -----
From: "Bruno Rodriguez" <bruno@pic.es> To: "Ondra Machacek" <omachace@redhat.com> Cc: "Esther Accion" <esthera@pic.es>, users@ovirt.org Sent: Thursday, January 15, 2015 11:20:57 AM Subject: Re: [ovirt-users] Error authenticating bind using the AAA OpenLDAP module
Thank you very much,
using the following ldap.example.org file:
---------------------
include = <openldap_example.properties> include = <rfc2307.properties>
what do you have in openldap_example.properties?
It seems you have specified anonymous bind in openldap_example.properties. You should probably try it with original one (openldap.properties).
vars.server = ldap1.example.org
#vars.user = cn=authenticate,ou=System,dc=example,dc=org #vars.password = XXXXXXXXX
why have you commented out the vars? you should have just removed the quotes from vars.password and keep bellow as-is.
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = cn=authenticate,ou=System,dc= example,dc=org pool.default.auth.simple.password = XXXXXXXXX
pool.default.ssl.startTLS = true pool.default.ssl.truststore.file = /etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks pool.default.ssl.truststore.password = XXXXXXXXX
---------------------
Then I get the following in the engine log:
2015-01-15 10:04:15,250 ERROR [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-3) Error during CanDoActionFailure.: Class: class org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedEx ception Input: {Extkey[name=AAA_AUTHN_CREDENTIALS;type=class java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485- 4bb5-4592-8167-810a5c909706];]=***, Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[ 886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name= EXTENSION_INTERFACE_VERSION_MAX;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_ MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0, Extkey[name=EXTENSION_LICENSE;type=class java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65- 054c-4e31-9c6d-1ca4d60a4c18];]=ASL 2.0, Extkey[name=EXTENSION_NOTES;type=class java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a- 4584-aaff-97f66978e4ea];]=Display name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6, Extkey[name=EXTENSION_HOME_URL;type=class java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4- f969-42d4-b399-72d192e18304];]= http://www.ovirt.org ,Extkey[name=EXTENSION_LOCALE;type=class java.lang.String;uuid=EXTENSION_LOCALE[0780b112- 0ce0-404a-b85e-8765d778bb29];]=en_US, Extkey[name=EXTENSION_NAME;type=class java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f- 4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn, Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_ MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0, Extkey[name=EXTENSION_CONFIGURATION;type=class java.util.Properties;uuid=EXTENSION_CONFIGURATION[ 2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***, Extkey[name=EXTENSION_AUTHOR;type=class java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a- 2dad-4bc5-9aad-e07018b7fbcc];]=The oVirt Project, Extkey[name=EXTENSION_INSTANCE_NAME;type=class java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245- 8674327f011b];]= 
authn-ldap.example.org , Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_ VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0, Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface java.util.Collection;uuid=EXTENSION_CONFIGURATION_ SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[], Extkey[name=AAA_AUTHN_CAPABILITIES;type=class java.lang.Long;uuid=AAA_AUTHN_CAPABILITIES[9d16bee3-10fd- 46f2-83f9-3d3c54cf258d];]=12, Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[ 9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*, Extkey[name=EXTENSION_VERSION;type=class java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8- 8239-4bdb-ab1a-af9f779ce68c];]=1.0.0, Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[ 863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.impl.Slf4jLogger( org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt- engine-extension-aaa-ldap.authn.authn-ldap.example.org ), Extkey[name=EXTENSION_PROVIDES;type=interface java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6- 65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api. extensions.aaa.Authn]}, Extkey[name=AAA_AUTHN_USER;type=class java.lang.String;uuid=AAA_AUTHN_USER[1ceaba26-1bdc-4663- a3c6-5d926f9dd8f0];]=bruno, Extkey[name=EXTENSION_INVOKE_COMMAND;type=class org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[ 485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHN_ AUTHENTICATE_CREDENTIALS[d9605c75-6b43-4b00-b32c-06bdfa80244c]} Output: {Extkey[name=EXTENSION_INVOKE_RESULT;type=class java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0- 099c772ddd4e];]=2, Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26- b8bdb72f5893];]=anonymous bind disallowed}
error: anonymous bind disallowed
Can you please enable debug as I instructed last time and send a complete log?
-----------------------------------
And this is the ldap connection log:
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 fd=114 ACCEPT from IP=192.168.XX.XX:41469 (IP=0.0.0.0:389)
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0 EXT oid=1.3.6.1.4.1.1466.20037
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0 STARTTLS
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0 RESULT oid= err=0 text=
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 fd=114 TLS established tls_ssf=128 ssf=128
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" method=128
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" mech=SIMPLE ssf=0
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 RESULT tag=97 err=0 text=
-----------------------------------
It looks like it got the DN correctly but it's unable to bind anyway...
Thank you,
Bruno
On Wed, Jan 14, 2015 at 5:50 PM, Ondra Machacek <omachace@redhat.com> wrote:
Hi,
On 01/14/2015 04:53 PM, Bruno Rodriguez wrote:
Good afternoon,
We cannot access Ovirt using LDAP authentication against our openldap server. We created the following files in /etc/ovirt-engine/extensions.d (the organization name is not example.org and the passwords are not XXXXXXXX, obviously):
----------- /etc/ovirt-engine/extensions.d/ldap.example.org -----------
include = <openldap_example.properties>
vars.server = ldap1.example.org
vars.user = cn=authenticate,ou=System,dc=example,dc=org
vars.password = "XXXXXXXX"
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = /etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
pool.default.ssl.truststore.password = XXXXXXXX
----------- /etc/ovirt-engine/extensions.d/authn-ldap.example.org.properties -----------
ovirt.engine.extension.name = authn-ldap.example.org
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = ldap.example.org
ovirt.engine.aaa.authn.authz.plugin = authz-ldap.example.org
config.profile.file.1 = /etc/ovirt-engine/extensions.d/ldap.example.org
----------- /etc/ovirt-engine/extensions.d/authz-ldap.example.org.properties -----------
ovirt.engine.extension.name = authz-ldap.example.org
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/extensions.d/ldap.example.org
------------------------------ ------------------
After all of this we restarted the service and tried to access via the administration portal. The JKS has the right permissions and contains the TLS CA, the password is correct and the user "esthera" exists. But when we try to log in, we obtain the following error in the engine.log (we already set the verbosity to ALL):
------------------------------ ------------------
2015-01-14 16:35:25,750 ERROR [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-6) Error during CanDoActionFailure.: Class: class org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException Input: {Extkey[name=AAA_AUTHN_CREDENTIALS;type=class java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-4bb5-4592-8167-810a5c909706];]=***, Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0, Extkey[name=EXTENSION_LICENSE;type=class java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL 2.0, Extkey[name=EXTENSION_NOTES;type=class java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6, Extkey[name=EXTENSION_HOME_URL;type=class java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]=http://www.ovirt.org, Extkey[name=EXTENSION_LOCALE;type=class java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US, Extkey[name=EXTENSION_NAME;type=class java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn, Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0, Extkey[name=EXTENSION_CONFIGURATION;type=class java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***, Extkey[name=EXTENSION_AUTHOR;type=class java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The oVirt Project, Extkey[name=EXTENSION_INSTANCE_NAME;type=class java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=authn-ldap.example.org, Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0, Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface java.util.Collection;uuid=EXTENSION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[], Extkey[name=AAA_AUTHN_CAPABILITIES;type=class java.lang.Long;uuid=AAA_AUTHN_CAPABILITIES[9d16bee3-10fd-46f2-83f9-3d3c54cf258d];]=12, Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*, Extkey[name=EXTENSION_VERSION;type=class java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8-8239-4bdb-ab1a-af9f779ce68c];]=1.0.0, Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.impl.Slf4jLogger(org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authn.authn-ldap.example.org), Extkey[name=EXTENSION_PROVIDES;type=interface java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.extensions.aaa.Authn]}, Extkey[name=AAA_AUTHN_USER;type=class java.lang.String;uuid=AAA_AUTHN_USER[1ceaba26-1bdc-4663-a3c6-5d926f9dd8f0];]=esthera, Extkey[name=EXTENSION_INVOKE_COMMAND;type=class org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHN_AUTHENTICATE_CREDENTIALS[d9605c75-6b43-4b00-b32c-06bdfa80244c]} Output: {Extkey[name=EXTENSION_INVOKE_RESULT;type=class java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2, Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=invalid credentials}
------------------------------ ------------------
Having a look at the LDAP log we see that there is an "invalid credentials" error while binding, but we are sure that the bind password is the right one. We already tried to set the bind password without quotes, but then the bind DN appears as an empty string ("").
I think the problem is here. That's really strange; you have to use the password without quotes.
Can you please try to set:
pool.default.auth.simple.bindDN = cn=authenticate,ou=System,dc=example,dc=org
pool.default.auth.simple.password = XXXXXX
just without the variables, and see if the DN is not empty now.
------------------------------ ------------------
[root@ldap1 ~]# grep $(grep 192.168.XX.X /var/log/ldap.log | tail -n 1 | cut -d: -f4 | cut -d\  -f2) /var/log/ldap.log
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 ACCEPT from IP=192.168.XX.X:39501 (IP=0.0.0.0:389)
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 STARTTLS
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 RESULT oid= err=0 text=
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 TLS established tls_ssf=128 ssf=128
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" method=128
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 RESULT tag=97 err=49 text=
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=2 UNBIND
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 closed
------------------------------ ------------------
By the way, the Ovirt manager (ovmgr) machine can correctly query the openldap server and retrieves everything OK:
------------------------------ ------------------
[root@ovmgr extensions.d]# ldapsearch -ZZ -D cn=authenticate,ou=System,dc=example,dc=org -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=org> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# pic.es
dn: dc=example,dc=org
dc: pic
objectClass: top
objectClass: domain
------------------------------ ------------------
Did anybody have a similar problem? Is there anything that we didn't check?
Thanks in advance !
-- Bruno Rodríguez Rodríguez
--
Bruno Rodríguez Rodríguez
PIC (Port d'Informació Científica)
Campus UAB, Edificio D
E-08193 Bellaterra, Barcelona
Tel: +34 93 581 33 22
"If Tetris has taught me anything, it is that mistakes pile up and triumphs disappear"
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
--
Bruno Rodríguez Rodríguez
PIC (Port d'Informació Científica)
Campus UAB, Edificio D
E-08193 Bellaterra, Barcelona
Tel: +34 93 581 33 22
"If Tetris has taught me anything, it is that mistakes pile up and triumphs disappear"
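The grep in the message above pulls one connection's lines out of /var/log/ldap.log by its conn= id and reads the BIND result off by hand. The script below, added here as an example (it is not from the thread, from oVirt or from OpenLDAP), does that correlation for every BIND in a slapd stats log and pairs each with its RESULT line, so the Jan 14 err=49 (invalidCredentials) and the Jan 15 err=0 binds quoted above are read off directly. The Jan 14 and Jan 15 lines in the sample are the excerpts quoted in the thread; the conn=1671351 lines are constructed, not from the thread, to show the err=48 response with text "anonymous bind disallowed" that slapd returns to an anonymous simple bind when it is configured with `disallow bind_anon`, which is the message the engine surfaced on Jan 15.

```python
"""Correlate slapd BIND requests with their RESULT lines, per connection id.

Added example, not code from the thread or from oVirt/OpenLDAP. The Jan 14 and
Jan 15 lines are the slapd excerpts quoted in the thread (IPs redacted as there);
the conn=1671351 lines are constructed to show an anonymous bind rejected by
'disallow bind_anon'.
"""
import re
from typing import Any, Dict, List

# slapd stats log line: "... slapd[PID]: conn=N <rest>"
LINE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
BIND = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" (?:method=|mech=)')
# tag=97 is the BindResponse tag, so this only matches results of BIND operations
RESULT = re.compile(r"op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+) text=(?P<text>.*)$")

# LDAP resultCode values that show up in a BindResponse
ERR_NAMES = {0: "success", 48: "inappropriateAuthentication", 49: "invalidCredentials"}


def verdict(rec: Dict[str, Any]) -> str:
    """Turn one bind record into a one-line diagnosis."""
    if rec["err"] is None:
        return "no RESULT logged for this bind"
    name = ERR_NAMES.get(rec["err"], f"err={rec['err']}")
    if rec["dn"] == "":
        return f"anonymous bind: {name}"
    if rec["err"] == 49:
        return "invalid credentials: wrong password or non-existent bind DN"
    if rec["err"] == 0 and not rec["tls"]:
        return "bind succeeded, but the password crossed the wire without TLS"
    return f"bind as {rec['dn']}: {name}"


def summarize_binds(log_text: str) -> List[Dict[str, Any]]:
    """Return one record per (conn, op) BIND with its TLS state, err code and verdict."""
    tls_conns = set()
    binds: Dict[tuple, Dict[str, Any]] = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        conn, rest = m.group("conn"), m.group("rest")
        if "TLS established" in rest:
            tls_conns.add(conn)
            continue
        b = BIND.search(rest)
        if b:
            # over StartTLS slapd logs a simple bind twice (method=128, then mech=SIMPLE); keep one
            binds.setdefault((conn, b.group("op")),
                             {"conn": conn, "op": b.group("op"), "dn": b.group("dn"),
                              "err": None, "text": ""})
            continue
        r = RESULT.search(rest)
        if r and (conn, r.group("op")) in binds:
            rec = binds[(conn, r.group("op"))]
            rec["err"] = int(r.group("err"))
            rec["text"] = r.group("text").strip()
    out = []
    for rec in binds.values():
        rec["tls"] = rec["conn"] in tls_conns
        rec["verdict"] = verdict(rec)
        out.append(rec)
    return out


SAMPLE_LOG = """\
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 ACCEPT from IP=192.168.XX.X:39501 (IP=0.0.0.0:389)
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 STARTTLS
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 RESULT oid= err=0 text=
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 TLS established tls_ssf=128 ssf=128
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" method=128
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 RESULT tag=97 err=49 text=
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=2 UNBIND
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 closed
Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 fd=114 ACCEPT from IP=192.168.XX.XX:41469 (IP=0.0.0.0:389)
Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0 STARTTLS
Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0 RESULT oid= err=0 text=
Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 fd=114 TLS established tls_ssf=128 ssf=128
Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" method=128
Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" mech=SIMPLE ssf=0
Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 RESULT tag=97 err=0 text=
# constructed: a pool connection binding anonymously against 'disallow bind_anon'
Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671351 fd=115 ACCEPT from IP=192.168.XX.XX:41470 (IP=0.0.0.0:389)
Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671351 op=0 BIND dn="" method=128
Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671351 op=0 RESULT tag=97 err=48 text=anonymous bind disallowed
"""

if __name__ == "__main__":
    for rec in summarize_binds(SAMPLE_LOG):
        print(f"conn={rec['conn']} op={rec['op']} tls={rec['tls']} err={rec['err']}: {rec['verdict']}")
```

Run it against a real log with `summarize_binds(open("/var/log/ldap.log").read())`; a bind DN that is empty in the record is the anonymous pool connection Alon describes later in the thread, and an err=49 on the search DN means slapd received a different password than the one you think is configured.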

----- Original Message -----
From: "Bruno Rodriguez" <bruno@pic.es>
To: "Ondra Machacek" <omachace@redhat.com>
Cc: "Alon Bar-Lev" <alonbl@redhat.com>, "Esther Accion" <esthera@pic.es>, users@ovirt.org
Sent: Thursday, January 15, 2015 12:03:39 PM
Subject: Re: [ovirt-users] Error authenticating bind using the AAA OpenLDAP module
Thanks ! Now it's working!
The problem was the absence of the line:
pool.default.auth.type = simple
This should not be set for all pools, only for the authz pool; the authn pool should be anonymous. The process of authentication is:
1. Create a pool of X ldap connections with anonymous bind.
2. When a user authenticates, fetch a connection from (1) and bind as that user with that user's password.
3. Revert to anonymous and return the connection to the pool.
So basically your pool is now authenticated using your search user at all times. If your ldap does not permit anonymous logins at all, maybe it is better to provide a different user for this authentication pool?
It's strange, I thought that the default auth type was set to simple and I didn't check it twice. After setting that, the problem has to do with an incorrect user/password, which is our problem because of the schema we are using (migrated from NIS some time ago).
The openldap_example.properties was actually a copy of openldap.properties. I did it that way to customize it to our schema, but in the first instance it was a carbon copy of the original.
In the next version (1.0.2) there is an rfc2307-openldap.properties to ease use :)
Thanks again !
Bruno
On Thu, Jan 15, 2015 at 10:43 AM, Ondra Machacek <omachace@redhat.com> wrote:
On 01/15/2015 10:36 AM, Alon Bar-Lev wrote:
----- Original Message -----
From: "Bruno Rodriguez" <bruno@pic.es>
To: "Ondra Machacek" <omachace@redhat.com>
Cc: "Esther Accion" <esthera@pic.es>, users@ovirt.org
Sent: Thursday, January 15, 2015 11:20:57 AM
Subject: Re: [ovirt-users] Error authenticating bind using the AAA OpenLDAP module
Thank you very much,
using the following ldap.example.org file:
---------------------
include = <openldap_example.properties>
include = <rfc2307.properties>
What do you have in openldap_example.properties?
It seems you have specified anonymous bind in openldap_example.properties. You should probably try it with the original one (openldap.properties).
vars.server = ldap1.example.org
#vars.user = cn=authenticate,ou=System,dc=example,dc=org
#vars.password = XXXXXXXXX
Why have you commented out the vars? You should have just removed the quotes from vars.password and kept the rest below as-is.
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = cn=authenticate,ou=System,dc=example,dc=org
pool.default.auth.simple.password = XXXXXXXXX
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = /etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
pool.default.ssl.truststore.password = XXXXXXXXX
---------------------
Then I get the following in the engine log:
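Alon's description of the pool (connections opened with an anonymous bind, bound as the user for the check, then reverted) and the `pool.default.auth.type = simple` line Bruno found missing together account for both errors seen in the thread: with quotes around the password, the bind DN's password sent to slapd is wrong (err=49, "invalid credentials"); without auth.type set to simple, the configured bindDN/password are not used for the pool, so it binds anonymously and slapd answers "anonymous bind disallowed". The linter below is added here as an example and is not code from the thread or from ovirt-engine-extension-aaa-ldap. It parses a profile in the form posted above, resolves `${global:vars.X}` references and reports both conditions. The key names are taken from the thread; it assumes the extension reads the profile as plain `key = value` properties (so quotes stay in the value, consistent with Ondra's advice) and that the auth.type check applies per pool name, of which the thread only shows `default`.

```python
"""Lint an oVirt aaa-ldap profile for the two faults diagnosed in this thread.

Added example; not code from the thread or from ovirt-engine-extension-aaa-ldap.
Key names (vars.*, pool.default.auth.type, pool.default.auth.simple.bindDN,
pool.default.auth.simple.password) and the ${global:vars.X} reference syntax are
taken from the profile posted in the thread. Assumed: values are read verbatim
as plain properties, and the auth.type rule applies to every pool.<name>.
"""
import re
from typing import Dict, List

REF = re.compile(r"\$\{global:([^}]+)\}")
SIMPLE_CRED = re.compile(r"^pool\.([^.]+)\.auth\.simple\.(bindDN|password)$")


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; blank lines and '#' comments are skipped.
    Values are kept verbatim, so surrounding quotes remain part of the value."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")  # first '=' only: DNs contain '='
        props[key.strip()] = value.strip()
    return props


def resolve(props: Dict[str, str]) -> Dict[str, str]:
    """Substitute ${global:vars.X} with the value of vars.X; unknown refs stay verbatim."""
    return {k: REF.sub(lambda m: props.get(m.group(1), m.group(0)), v)
            for k, v in props.items()}


def lint(text: str) -> List[str]:
    props = resolve(parse_profile(text))
    findings: List[str] = []
    for key, value in props.items():
        # 1. A quoted password is sent to slapd with the quotes -> BIND RESULT err=49
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            findings.append(f"{key}: value is quoted; the quotes become part of the value")
        # 2. A reference to an undefined vars.* leaves a literal instead of a DN/password
        if REF.search(value):
            findings.append(f"{key}: unresolved reference {value}")
    # 3. bindDN/password configured for a pool whose auth.type is not 'simple':
    #    the pool binds anonymously, which a server with 'disallow bind_anon' rejects
    pools = set()
    for key in props:
        m = SIMPLE_CRED.match(key)
        if m:
            pools.add(m.group(1))
    for pool in sorted(pools):
        if props.get(f"pool.{pool}.auth.type") != "simple":
            findings.append(f"pool.{pool}.auth.type: bindDN/password set but auth.type is not "
                            f"'simple', so the pool binds anonymously")
    return findings


# Constructed from the profile posted in the thread (secrets redacted as there)
BROKEN_PROFILE = """\
include = <openldap_example.properties>
vars.server = ldap1.example.org
vars.user = cn=authenticate,ou=System,dc=example,dc=org
vars.password = "XXXXXXXX"
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.ssl.startTLS = true
"""

# The same profile with the quotes removed and the auth.type line added
FIXED_PROFILE = """\
include = <openldap_example.properties>
vars.server = ldap1.example.org
vars.user = cn=authenticate,ou=System,dc=example,dc=org
vars.password = XXXXXXXX
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.type = simple
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.ssl.startTLS = true
"""

if __name__ == "__main__":
    for name, profile in (("broken", BROKEN_PROFILE), ("fixed", FIXED_PROFILE)):
        print(f"{name}: {lint(profile) or ['ok']}")
```

Because the check is per pool name, a pool that is meant to bind anonymously, as Alon recommends for the authn pool, simply carries no bindDN/password and produces no finding; only a pool that has credentials configured but never uses them is reported.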
participants (3)
- Alon Bar-Lev
- Bruno Rodriguez
- Ondra Machacek