
Hello,

I'm bringing up a new 4.2 cluster and would like to use LDAP auth. Our LDAP servers are fine and function normally for a number of other services, but I can't get this working.

Our LDAP setup requires startTLS and a login. That last bit seems to be where the trouble is. After ovirt-engine-extension-aaa-ldap-setup asks for the cert and I pass it the path to the same cert used via nslcd/PAM for logging in to the host, it replies:

[ INFO ] Connecting to LDAP using 'ldap://x.squaretrade.com:389'
[ INFO ] Executing startTLS
[WARNING] Cannot connect using 'ldap://x.squaretrade.com:389': {'info': 'authentication required', 'desc': 'Server is unwilling to perform'}
[ ERROR ] Cannot connect using any of available options

"Unwilling to perform" makes me think -aaa-ldap-setup is trying something the backend doesn't support, but I'm having trouble guessing what that could be since the tool hasn't gathered sufficient information to connect yet - it asks for a DN/pass later in the script. And the log isn't much more forthcoming.

I double-checked the cert with openssl; it is a valid, PEM-encoded cert.

Before I head in to the code, has anyone seen this?

Thanks,

-j

- - - - snip - - - -

Relevant log details:

2018-02-08 15:15:08,625-0800 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._getURLs:281 URLs: ['ldap://x.squaretrade.com:389']
2018-02-08 15:15:08,626-0800 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:391 Connecting to LDAP using 'ldap://x.squaretrade.com:389'
2018-02-08 15:15:08,627-0800 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:442 Executing startTLS
2018-02-08 15:15:08,640-0800 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:445 Perform search
2018-02-08 15:15:08,641-0800 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:459 Exception
Traceback (most recent call last):
  File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 451, in _connectLDAP
    timeout=60,
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 555, in search_st
    return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 546, in search_ext_s
    return self.result(msgid,all=1,timeout=timeout)[1]
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 458, in result
    resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 462, in result2
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 469, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 476, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
    result = func(*args,**kwargs)
UNWILLING_TO_PERFORM: {'info': 'authentication required', 'desc': 'Server is unwilling to perform'}
2018-02-08 15:15:08,642-0800 WARNING otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:463 Cannot connect using 'ldap://x.squaretrade.com:389': {'info': 'authentication required', 'desc': 'Server is unwilling to perform'}
2018-02-08 15:15:08,643-0800 ERROR otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._customization_late:787 Cannot connect using any of available options
2018-02-08 15:15:08,644-0800 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._customization_late:788 Exception
Traceback (most recent call last):
  File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 782, in _customization_late
    insecure=insecure,
  File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 468, in _connectLDAP
    _('Cannot connect using any of available options')
SoftRuntimeError: Cannot connect using any of available options

Hello,

On 02/09/2018 08:17 PM, Jamie Lawrence wrote:
Hello,
I'm bringing up a new 4.2 cluster and would like to use LDAP auth. Our LDAP servers are fine and function normally for a number of other services, but I can't get this working.
Our LDAP setup requires startTLS and a login. That last bit seems to be where the trouble is. After ovirt-engine-extension-aaa-ldap-setup asks for the cert and I pass it the path to the same cert used via nslcd/PAM for logging in to the host, it replies:
[ INFO ] Connecting to LDAP using 'ldap://x.squaretrade.com:389' [ INFO ] Executing startTLS [WARNING] Cannot connect using 'ldap://x.squaretrade.com:389': {'info': 'authentication required', 'desc': 'Server is unwilling to perform'} [ ERROR ] Cannot connect using any of available options
"Unwilling to perform" makes me think -aaa-ldap-setup is trying something the backend doesn't support, but I'm having trouble guessing what that could be since the tool hasn't gathered sufficient information to connect yet - it asks for a DN/pass later in the script. And the log isn't much more forthcoming.
I double-checked the cert with openssl; it is a valid, PEM-encoded cert.
Before I head in to the code, has anyone seen this?
Looks like you have disallowed anonymous bind on your LDAP. We are trying to establish an anonymous bind to test the connection.

I would recommend trying a manual configuration; the documentation is here:

https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/blob/master/README#...

Then in your /etc/ovirt-engine/aaa/profile1.properties add the following line:

pool.default.auth.type = simple

Then test the configuration using ovirt-engine-extensions-tool. If it's OK, just restart ovirt-engine and all should be fine.
Thanks,
-j
- - - - snip - - - -
Relevant log details:
2018-02-08 15:15:08,625-0800 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._getURLs:281 URLs: ['ldap://x.squaretrade.com:389']
2018-02-08 15:15:08,626-0800 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:391 Connecting to LDAP using 'ldap://x.squaretrade.com:389'
2018-02-08 15:15:08,627-0800 INFO otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:442 Executing startTLS
2018-02-08 15:15:08,640-0800 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:445 Perform search
2018-02-08 15:15:08,641-0800 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:459 Exception
Traceback (most recent call last):
  File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 451, in _connectLDAP
    timeout=60,
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 555, in search_st
    return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 546, in search_ext_s
    return self.result(msgid,all=1,timeout=timeout)[1]
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 458, in result
    resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 462, in result2
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 469, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 476, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
    result = func(*args,**kwargs)
UNWILLING_TO_PERFORM: {'info': 'authentication required', 'desc': 'Server is unwilling to perform'}
2018-02-08 15:15:08,642-0800 WARNING otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:463 Cannot connect using 'ldap://x.squaretrade.com:389': {'info': 'authentication required', 'desc': 'Server is unwilling to perform'}
2018-02-08 15:15:08,643-0800 ERROR otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._customization_late:787 Cannot connect using any of available options
2018-02-08 15:15:08,644-0800 DEBUG otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._customization_late:788 Exception
Traceback (most recent call last):
  File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 782, in _customization_late
    insecure=insecure,
  File "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py", line 468, in _connectLDAP
    _('Cannot connect using any of available options')
SoftRuntimeError: Cannot connect using any of available options

_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
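What the reply describes, written out as an added example (this is not configuration from the thread or from the oVirt project itself, although the key names follow the ones the linked README documents; any key you cannot find in the README shipped with your package should be treated as an assumption and checked). The setup tool's connectivity probe is an anonymous search after StartTLS, and a directory that answers that with unwillingToPerform / "authentication required" (on OpenLDAP this is typically the `require authc` setting) will never let the probe through, so the profile has to bind first. Hostname, bind DN, base DN, password and truststore path below are placeholders:

```properties
# /etc/ovirt-engine/aaa/profile1.properties  (added example, placeholder values)
include = <openldap.properties>

# Directory server and the least-privilege service account the engine binds as.
# The password is stored in clear text in this file, so keep it readable only
# by root and the engine's own user.
vars.server = ldap.example.com
vars.user = uid=ovirt-svc,ou=services,dc=example,dc=com
vars.password = REPLACE_ME

pool.default.serverset.type = single
pool.default.serverset.single.server = ${global:vars.server}

# The probe that failed in the thread was an anonymous search. With
# auth.type = simple every operation, including the connectivity test,
# is performed after a simple bind as vars.user.
pool.default.auth.type = simple
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Upgrade the port-389 connection with StartTLS and verify the server
# certificate against a Java truststore holding the CA (PEM imported into
# JKS with keytool). Setting insecure = true would skip that verification,
# which is only acceptable while debugging.
pool.default.ssl.startTLS = true
pool.default.ssl.insecure = false
pool.default.ssl.truststore.file = /etc/ovirt-engine/aaa/profile1.jks
pool.default.ssl.truststore.password = changeit

search.default.baseDN = dc=example,dc=com
```

Before touching the engine, reproduce the tool's probe by hand so you know which side is at fault: `ldapsearch -H ldap://x.squaretrade.com:389 -ZZ -x -s base -b ''` should fail with the same "authentication required" result, while adding `-D <bindDN> -W` should succeed. Build the truststore from the same PEM CA file you gave the setup tool with `keytool -importcert -noprompt -trustcacerts -alias ldap-ca -file ca.pem -keystore /etc/ovirt-engine/aaa/profile1.jks -storepass changeit`. The profile also needs the matching profile1-authn.properties and profile1-authz.properties under /etc/ovirt-engine/extensions.d, as laid out in the README; once those are in place, `ovirt-engine-extensions-tool aaa login-user --profile=profile1 --user-name=<someone>` tests the bind, the StartTLS handshake and the user lookup without restarting ovirt-engine.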

I missed this when you sent it; apologies for the delay.
On Feb 13, 2018, at 12:11 AM, Ondra Machacek <omachace@redhat.com> wrote:
Hello,
On 02/09/2018 08:17 PM, Jamie Lawrence wrote:
Hello,

I'm bringing up a new 4.2 cluster and would like to use LDAP auth. Our LDAP servers are fine and function normally for a number of other services, but I can't get this working.

Our LDAP setup requires startTLS and a login. That last bit seems to be where the trouble is. After ovirt-engine-extension-aaa-ldap-setup asks for the cert and I pass it the path to the same cert used via nslcd/PAM for logging in to the host, it replies:

[ INFO ] Connecting to LDAP using 'ldap://x.squaretrade.com:389'
[ INFO ] Executing startTLS
[WARNING] Cannot connect using 'ldap://x.squaretrade.com:389': {'info': 'authentication required', 'desc': 'Server is unwilling to perform'}
[ ERROR ] Cannot connect using any of available options

"Unwilling to perform" makes me think -aaa-ldap-setup is trying something the backend doesn't support, but I'm having trouble guessing what that could be since the tool hasn't gathered sufficient information to connect yet - it asks for a DN/pass later in the script. And the log isn't much more forthcoming.

I double-checked the cert with openssl; it is a valid, PEM-encoded cert.

Before I head in to the code, has anyone seen this?
Looks like you have disallowed anonymous bind on your LDAP. We are trying to establish an anonymous bind to test the connection.
Ah, I think I forgot that anonymous bind was a thing.
I would recommend trying a manual configuration; the documentation is here:
https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/blob/master/README#...
Then in your /etc/ovirt-engine/aaa/profile1.properties add the following line:
pool.default.auth.type = simple
Awesome, thanks so much. I really appreciate the pointer.

-j
participants (2): Jamie Lawrence, Ondra Machacek