[Users] LDAP

Oved Ourfalli ovedo at redhat.com
Wed Feb 22 07:12:24 UTC 2012



----- Original Message -----
> From: "Nathan Stratton" <nathan at robotics.net>
> To: "Itamar Heim" <iheim at redhat.com>
> Cc: users at ovirt.org
> Sent: Wednesday, February 22, 2012 1:03:33 AM
> Subject: Re: [Users] LDAP
> 
> On Sun, 19 Feb 2012, Itamar Heim wrote:
> 
> > On 02/19/2012 11:11 PM, Nathan Stratton wrote:
> >> On Sun, 19 Feb 2012, Itamar Heim wrote:
> >> 
> >>> the current code supports AD, freeIPA/IPA and 389ds/RHDS.
> >>> if apache directory server is similar to any of them, you could
> >>> try
> >>> hacking the code to add support for it.
> >> 
> >> Ok, will go with 389 for now, it's in the family, though Gluster is in the
> >> family and you don't support it as a storage file system... : )
> >
> > please remember you need 389ds with kerberos support.
> 
> Got it installed and set up, I am able to authenticate from Linux boxes
> with the new 389 LDAP so I know that works. However, still running into
> issues getting ovirt-engine to work with it.
> 
> http://share.robotics.net/ldap.pcap
> 
> As you can see from the pcap, I see a DNS SRV query for
> _ldap._tcp.blinkmind.net and the box does talk to the LDAP box. I don't
> see anything on port 88, or an LDAP query for the Kerberos, or does it
> try to just use the same IP as LDAP?
> 
> 2012-02-21 16:59:48,411 ERROR
> [org.ovirt.engine.core.bll.adbroker.DirectorySearcher]
> (http--0.0.0.0-8080-1) Failed ldap search server
> LDAP://ldap-master.hou.blinkmind.net:389 due to
> org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException.
> We
> should not try the next server:
> org.ovirt.engine.core.bll.adbroker.EngineDirectoryServiceException
>  	at
> org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy.authenticateToKDC(GSSAPIDirContextAuthenticationStrategy.java:150)
> [engine-bll.jar:]
>  	at
> org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy.explicitAuth(GSSAPIDirContextAuthenticationStrategy.java:119)
> [engine-bll.jar:]
>  	at
> org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy.authenticate(GSSAPIDirContextAuthenticationStrategy.java:111)
> [engine-bll.jar:]
>  	at
> org.ovirt.engine.core.bll.adbroker.GSSAPILdapTemplateWrapper.useAuthenticationStrategy(GSSAPILdapTemplateWrapper.java:90)
> [engine-bll.jar:]
>  	at
> org.ovirt.engine.core.bll.adbroker.PrepareLdapConnectionTask.call(PrepareLdapConnectionTask.java:56)
> [engine-bll.jar:]
>  	at
> org.ovirt.engine.core.bll.adbroker.DirectorySearcher$1.call(DirectorySearcher.java:108)
> [engine-bll.jar:]
>  	at
> org.ovirt.engine.core.bll.adbroker.DirectorySearcher$1.call(DirectorySearcher.java:97)
> [engine-bll.jar:]
>  	at
> java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
> [:1.6.0_22]
>  	at java.util.concurrent.FutureTask.run(FutureTask.java:166)
> [:1.6.0_22]
>  	at
> org.ovirt.engine.core.utils.threadpool.ThreadPoolUtil$InternalWrapperRunnable.run(ThreadPoolUtil.java:57)
> [utils-3.0.0-0001.jar:]
>  	at
> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
> [:1.6.0_22]
>  	at
> java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
> [:1.6.0_22]
>  	at java.util.concurrent.FutureTask.run(FutureTask.java:166)
> [:1.6.0_22]
>  	at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
> [:1.6.0_22]
>  	at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
> [:1.6.0_22]
>  	at java.lang.Thread.run(Thread.java:679) [:1.6.0_22]
> 
> 2012-02-21 16:59:48,415 ERROR
> [org.ovirt.engine.core.bll.adbroker.LdapAuthenticateUserCommand]
> (http--0.0.0.0-8080-1) Failed authenticating user: nathan to domain
> blinkmind.net. Ldap Query Type is getUserByName
> 2012-02-21 16:59:48,416 ERROR
> [org.ovirt.engine.core.bll.LoginAdminUserCommand]
> (http--0.0.0.0-8080-1)
> USER_FAILED_TO_AUTHENTICATE_NO_KDCS_FOUND : nathan
> 2012-02-21 16:59:48,416 WARN
> [org.ovirt.engine.core.bll.LoginAdminUserCommand]
> (http--0.0.0.0-8080-1)
> CanDoAction of action LoginAdminUser failed.
> Reasons:USER_FAILED_TO_AUTHENTICATE_NO_KDCS_FOUND
> 
Hey,

This error usually happens when there is no krb5.conf file, or there is one but your domain isn't in it.
The krb5.conf file should be located in the $JBOSS_HOME/standalone/configuration directory.

How did you configure the new domain? Using the engine-manage-domains utility?

Attaching the full server log and the krb5.conf file may help in understanding the problem.
We query for LDAP SRV records in the engine. In the utility we also query for Kerberos SRV records, and update the krb5.conf file accordingly.
Then, the Kerberos authentication uses the host updated in the krb5.conf file to perform the authentication.

Oved
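The check Oved describes, as an added example that is not oVirt's code nor anything from the thread: parse the `[realms]` section of a krb5.conf, test whether the domain being logged into has at least one `kdc` entry (the condition whose absence produces `USER_FAILED_TO_AUTHENTICATE_NO_KDCS_FOUND`), and, if it does not, render the realm stanza from `_kerberos._tcp.<domain>` SRV answers the way a domain-management utility would. The krb5.conf text and the SRV records are constructed sample data embedded inline so the script runs offline; the hostname `kdc2.hou.blinkmind.net` is made up, and the mapping realm = domain upper-cased is an assumption, since a real deployment may name the realm differently.

```python
"""
Added example (not oVirt code): diagnose a domain missing from krb5.conf and
build its [realms] stanza from Kerberos SRV records.  All inputs below are
constructed sample data; a real tool would resolve _kerberos._tcp.<domain>
via DNS instead of reading SAMPLE_KERBEROS_SRV.
"""
import re

# Constructed krb5.conf: has a stanza for example.org but none for blinkmind.net.
SAMPLE_KRB5_CONF = """
[libdefaults]
  default_realm = EXAMPLE.ORG
  dns_lookup_kdc = false

[realms]
  EXAMPLE.ORG = {
    kdc = kdc1.example.org:88
    kdc = kdc2.example.org:88
  }

[domain_realm]
  .example.org = EXAMPLE.ORG
  example.org = EXAMPLE.ORG
"""

# Constructed SRV answers as (priority, weight, port, target), the shape a
# DNS reply for _kerberos._tcp.blinkmind.net would have.  kdc2 is made up.
SAMPLE_KERBEROS_SRV = {
    "blinkmind.net": [(0, 100, 88, "ldap-master.hou.blinkmind.net."),
                      (10, 50, 88, "kdc2.hou.blinkmind.net.")],
}


def parse_realms(krb5_text):
    """Return {REALM: [kdc, ...]} from the [realms] section of a krb5.conf."""
    realms = {}
    section = None
    current = None
    for raw in krb5_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:                                  # section header, e.g. [realms]
            section, current = m.group(1), None
            continue
        if section != "realms":
            continue
        m = re.match(r"([\w.\-]+)\s*=\s*\{$", line)
        if m:                                  # start of a realm block
            current = m.group(1)
            realms.setdefault(current, [])
            continue
        if line == "}":                        # end of the realm block
            current = None
            continue
        if current is not None:
            key, _, value = line.partition("=")
            if key.strip() == "kdc":
                realms[current].append(value.strip())
    return realms


def domain_configured(krb5_text, domain):
    """True if the domain's realm (assumed: domain upper-cased) lists a KDC.
    NO_KDCS_FOUND in the engine log corresponds to this returning False."""
    return bool(parse_realms(krb5_text).get(domain.upper()))


def realm_stanza_from_srv(domain, srv_records):
    """Render a [realms] block from SRV answers, ordered by priority, then
    by descending weight, as a domain-management tool would write it."""
    ordered = sorted(srv_records, key=lambda r: (r[0], -r[1]))
    lines = [f"  {domain.upper()} = {{"]
    for _prio, _weight, port, target in ordered:
        lines.append(f"    kdc = {target.rstrip('.')}:{port}")
    lines.append("  }")
    return "\n".join(lines)


def diagnose(krb5_text, domain, srv_lookup):
    """Explain why a login to `domain` would fail, following the checklist
    in the reply: no realm in krb5.conf, then no SRV records to build one."""
    if domain_configured(krb5_text, domain):
        return "ok"
    records = srv_lookup.get(domain, [])
    if not records:
        return "no _kerberos._tcp SRV records for domain; cannot build krb5.conf stanza"
    return "domain missing from krb5.conf; add stanza:\n" + realm_stanza_from_srv(domain, records)


if __name__ == "__main__":
    print(diagnose(SAMPLE_KRB5_CONF, "example.org", SAMPLE_KERBEROS_SRV))
    print(diagnose(SAMPLE_KRB5_CONF, "blinkmind.net", SAMPLE_KERBEROS_SRV))
```

This also answers the capture question in the quoted mail: the engine takes the KDC from krb5.conf rather than reusing the LDAP server's address, so when the realm is absent there is simply no KDC to contact and no traffic on port 88 is expected; once a stanza like the one rendered above is in place, Kerberos traffic to the listed `kdc` hosts on port 88 should appear in the pcap before the LDAP bind.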
