10:17 p.m.
Hello,
I'm bringing up a new 4.2 cluster and would like to use LDAP auth. Our LDAP servers
are fine and function normally for a number of other services, but I can't get this
working.
Our LDAP setup requires startTLS and a login. That last bit seems to be where the trouble
is. After ovirt-engine-extension-aaa-ldap-setup asks for the cert and I pass it the path
to the same cert used via nslcd/PAM for logging in to the host, it replies:
[ INFO ] Connecting to LDAP using 'ldap://x.squaretrade.com:389'
[ INFO ] Executing startTLS
[WARNING] Cannot connect using 'ldap://x.squaretrade.com:389': {'info':
'authentication required', 'desc': 'Server is unwilling to
perform'}
[ ERROR ] Cannot connect using any of available options
"Unwilling to perform" makes me think -aaa-ldap-setup is trying something the
backend doesn't support, but I'm having trouble guessing what that could be since
the tool hasn't gathered sufficient information to connect yet - it asks for a DN/pass
later in the script. And the log isn't much more forthcoming.
I double-checked the cert with openssl; it is a valid, PEM-encoded cert.
Before I head in to the code, has anyone seen this?
Thanks,
-j
- - - - snip - - - -
Relevant log details:
2018-02-08 15:15:08,625-0800 DEBUG
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._getURLs:281 URLs:
['ldap://x.squaretrade.com:389']
2018-02-08 15:15:08,626-0800 INFO
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:391
Connecting to LDAP using 'ldap://x.squaretrade.com:389'
2018-02-08 15:15:08,627-0800 INFO
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:442
Executing startTLS
2018-02-08 15:15:08,640-0800 DEBUG
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:445 Perform
search
2018-02-08 15:15:08,641-0800 DEBUG
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:459
Exception
Traceback (most recent call last):
File
"/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py",
line 451, in _connectLDAP
timeout=60,
File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 555, in
search_st
return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout)
File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 546, in
search_ext_s
return self.result(msgid,all=1,timeout=timeout)[1]
File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 458, in
result
resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 462, in
result2
resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all,timeout)
File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 469, in
result3
resp_ctrl_classes=resp_ctrl_classes
File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 476, in
result4
ldap_result =
self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in
_ldap_call
result = func(*args,**kwargs)
UNWILLING_TO_PERFORM: {'info': 'authentication required', 'desc':
'Server is unwilling to perform'}
2018-02-08 15:15:08,642-0800 WARNING
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:463 Cannot
connect using 'ldap://x.squaretrade.com:389': {'info': 'authentication
required', 'desc': 'Server is unwilling to perform'}
2018-02-08 15:15:08,643-0800 ERROR
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._customization_late:787
Cannot connect using any of available options
2018-02-08 15:15:08,644-0800 DEBUG
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._customization_late:788
Exception
Traceback (most recent call last):
File
"/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py",
line 782, in _customization_late
insecure=insecure,
File
"/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py",
line 468, in _connectLDAP
_('Cannot connect using any of available options')
SoftRuntimeError: Cannot connect using any of available options
11:11 a.m.
Hello,
On 02/09/2018 08:17 PM, Jamie Lawrence wrote:
Hello,
I'm bringing up a new 4.2 cluster and would like to use LDAP auth. Our LDAP servers
are fine and function normally for a number of other services, but I can't get this
working.
Our LDAP setup requires startTLS and a login. That last bit seems to be where the trouble
is. After ovirt-engine-extension-aaa-ldap-setup asks for the cert and I pass it the path
to the same cert used via nslcd/PAM for logging in to the host, it replies:
[ INFO ] Connecting to LDAP using 'ldap://x.squaretrade.com:389'
[ INFO ] Executing startTLS
[WARNING] Cannot connect using 'ldap://x.squaretrade.com:389': {'info':
'authentication required', 'desc': 'Server is unwilling to
perform'}
[ ERROR ] Cannot connect using any of available options
"Unwilling to perform" makes me think -aaa-ldap-setup is trying something the
backend doesn't support, but I'm having trouble guessing what that could be since
the tool hasn't gathered sufficient information to connect yet - it asks for a DN/pass
later in the script. And the log isn't much more forthcoming.
I double-checked the cert with openssl; it is a valid, PEM-encoded cert.
Before I head in to the code, has anyone seen this?
Looks like you have disallowed anonymous bind on your LDAP.
We are trying to estabilish anonymous bind to test the connection.
I would recommend to try to do a manual configuration, the documentation
is here:
https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/blob/master/READ...
Then in your /etc/ovirt-engine/aaa/profile1.properties add following
line:
pool.default.auth.type = simple
Then test the configuration using ovirt-engine-extensions-tool.
If it's OK just restart ovirt-engine and all should be fine.
Thanks,
-j
- - - - snip - - - -
Relevant log details:
2018-02-08 15:15:08,625-0800 DEBUG
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._getURLs:281 URLs:
['ldap://x.squaretrade.com:389']
2018-02-08 15:15:08,626-0800 INFO
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:391
Connecting to LDAP using 'ldap://x.squaretrade.com:389'
2018-02-08 15:15:08,627-0800 INFO
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:442
Executing startTLS
2018-02-08 15:15:08,640-0800 DEBUG
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:445 Perform
search
2018-02-08 15:15:08,641-0800 DEBUG
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:459
Exception
Traceback (most recent call last):
File
"/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py",
line 451, in _connectLDAP
timeout=60,
File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 555, in
search_st
return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout)
File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 546, in
search_ext_s
return self.result(msgid,all=1,timeout=timeout)[1]
File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 458, in
result
resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 462, in
result2
resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all,timeout)
File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 469, in
result3
resp_ctrl_classes=resp_ctrl_classes
File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 476, in
result4
ldap_result =
self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in
_ldap_call
result = func(*args,**kwargs)
UNWILLING_TO_PERFORM: {'info': 'authentication required', 'desc':
'Server is unwilling to perform'}
2018-02-08 15:15:08,642-0800 WARNING
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._connectLDAP:463 Cannot
connect using 'ldap://x.squaretrade.com:389': {'info': 'authentication
required', 'desc': 'Server is unwilling to perform'}
2018-02-08 15:15:08,643-0800 ERROR
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._customization_late:787
Cannot connect using any of available options
2018-02-08 15:15:08,644-0800 DEBUG
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common common._customization_late:788
Exception
Traceback (most recent call last):
File
"/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py",
line 782, in _customization_late
insecure=insecure,
File
"/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py",
line 468, in _connectLDAP
_('Cannot connect using any of available options')
SoftRuntimeError: Cannot connect using any of available options
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
2:24 a.m.
I missed this when you sent it; apologies for the delay.
On Feb 13, 2018, at 12:11 AM, Ondra Machacek
<omachace(a)redhat.com> wrote:
Hello,
On 02/09/2018 08:17 PM, Jamie Lawrence wrote:
> Hello,
> I'm bringing up a new 4.2 cluster and would like to use LDAP auth. Our LDAP
servers are fine and function normally for a number of other services, but I can't get
this working.
> Our LDAP setup requires startTLS and a login. That last bit seems to be where the
trouble is. After ovirt-engine-extension-aaa-ldap-setup asks for the cert and I pass it
the path to the same cert used via nslcd/PAM for logging in to the host, it replies:
> [ INFO ] Connecting to LDAP using 'ldap://x.squaretrade.com:389'
> [ INFO ] Executing startTLS
> [WARNING] Cannot connect using 'ldap://x.squaretrade.com:389':
{'info': 'authentication required', 'desc': 'Server is
unwilling to perform'}
> [ ERROR ] Cannot connect using any of available options
> "Unwilling to perform" makes me think -aaa-ldap-setup is trying something
the backend doesn't support, but I'm having trouble guessing what that could be
since the tool hasn't gathered sufficient information to connect yet - it asks for a
DN/pass later in the script. And the log isn't much more forthcoming.
> I double-checked the cert with openssl; it is a valid, PEM-encoded cert.
> Before I head in to the code, has anyone seen this?
Looks like you have disallowed anonymous bind on your LDAP.
We are trying to estabilish anonymous bind to test the connection.
Ah, I think I forgot that anonymous bind was a thing.
I would recommend to try to do a manual configuration, the
documentation
is here:
https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/blob/master/READ...
Then in your /etc/ovirt-engine/aaa/profile1.properties add following
line:
pool.default.auth.type = simple
Awesome, thanks so much. I really appreciate the pointer.
-j
2467
days inactive
2478
days old
2 comments
2 participants
participants (2)
-
Jamie Lawrence -
Ondra Machacek