[Users] webadmin login issues with AD

Yair Zaslavsky yzaslavs at redhat.com
Sun Mar 3 11:57:02 UTC 2013



----- Original Message -----
> From: "Keith Mitchell" <kamitch at cisco.com>
> To: "Yair Zaslavsky" <yzaslavs at redhat.com>
> Cc: users at ovirt.org, "Juan Antonio Hernandez Fernandez" <jhernand at redhat.com>, "Itamar Heim" <iheim at redhat.com>
> Sent: Sunday, March 3, 2013 1:48:27 PM
> Subject: Re: [Users] webadmin login issues with AD
> 
> On 3/3/13 1:45 AM, Yair Zaslavsky wrote:
> >
> > ----- Original Message -----
> >> From: "Keith Mitchell" <kamitch at cisco.com>
> >> To: "Itamar Heim" <iheim at redhat.com>
> >> Cc: users at ovirt.org, "Juan Antonio Hernandez Fernandez"
> >> <jhernand at redhat.com>, "Yair Zaslavsky" <yzaslavs at redhat.com>
> >> Sent: Sunday, March 3, 2013 7:15:16 AM
> >> Subject: Re: [Users] webadmin login issues with AD
> >>
> >> On 3/2/13 11:57 PM, Itamar Heim wrote:
> >>> On 03/03/2013 06:41, Keith Mitchell wrote:
> >>>> On 3/2/13 2:51 PM, Itamar Heim wrote:
> >>>>> On 01/03/2013 18:54, Keith Mitchell wrote:
> >>>>>> I'm trying to get rhevm 3.1 (which seems to be pretty much ovirt 3.1
> >>>>>> from what I can tell) authenticating against our active directory
> >>>>>> infrastructure but am having some difficulty that I don't quite
> >>>>>> understand and was hoping someone may know what is happening.
> >>>>>>
> >>>>>> The server where rhevm/ovirt is running is a RHEL6 based server that
> >>>>>> has NIS configured (with user home directories mounted via
> >>>>>> nfs/automounter).  The userids in NIS match the userids in our
> >>>>>> ActiveDirectory server (in fact the passwords should match too since
> >>>>>> there is a sync between the two).
> >>>>>>
> >>>>>> I added the ActiveDirectory server into ovirt (through
> >>>>>> rhevm-manage-domains) and it is added/validated successfully.  As the
> >>>>>> local admin user I can go in and search against the active directory,
> >>>>>> add permissions, etc.
> >>>>>>
> >>>>>> But... If I try to log into the webadmin/user portals with one of the
> >>>>>> active directory accounts it seems to hang... and I noticed that it
> >>>>>> seems to be trying to mount the home directory of a bunch of users via
> >>>>>> the automounter (perhaps it's trying to mount everyone's home
> >>>>>> directory... can't tell).  This takes a super long time since the home
> >>>>>> directories are all across the world and nfs access to some of these
> >>>>>> filesystems is really slow... I'm not sure it will ever complete...
> >>>>>> certainly not before the user gives up.
> > Hi,
> > Currently, both search of users in specific domain + login perform
> > both authentication + authorization check + running ldap queries (
> > authorization is a part of the login).
> > It seems really odd to me that login takes you quite some time, and
> > search of users/groups does not.
> > What other info can you provide about the user you try to login to?
> > Did you give permissions to many entities?
> At the moment there is just one AD account in the permissions and that
> is my AD account.  At first I added "Domain Users" to the permissions,
> but I took that out and just stuck in my user account to see if that
> helped.  In ovirt, my account is part of the System (i.e. top-level) and
> is given the SuperUser privilege, just like the local admin account.
> 
> My account is just a user account (no admin rights in the AD domain).  I
> am a member of quite a few groups on the AD domain but I wouldn't think
> ovirt would care about that or need to query each group I am a member of.

Please elaborate on "quite a few groups" - actually this is a well-known issue.
I was afraid you might have permissions on "too many objects" or that the account is a member of too many groups.
However, being a member of too many groups should have caused the search to be slow/hang as well.

> 
> Ultimately I was hoping to add the domain users group into the
> permissions to let anyone in the domain have access :)
> 
> I used wireshark to sniff for the LDAP packets instead of just the
> kerberos packets and during the "hang" it is sending constant ldap
> packets back and forth.
> 
> Looks like it's doing bind request, then it succeeds and then there is a
> SASL-GSSAPI exchange followed by a connection close (i.e. FIN packet)
> and then it starts all over again.  Everything is encrypted so it's
> difficult to see anything in the packets.
> 
> On this particular sniff, the packets went back and forth for 10 minutes
> and then they stopped and when I looked it had logged me into the GUI.
> I don't usually wait that long.  I have on occasion just left the window
> up and sometimes it would eventually log me in and sometimes it never
> logged me in... in the never cases the login window just stays there
> spinning until I reload the web page... perhaps something timed out and
> it gave up before the exchange finished.
> 
> Are there any debugs I can turn on in ovirt to have it spit out what it's
> doing?

Hi, you can look at the following link:

http://docs.oracle.com/javase/jndi/tutorial/ldap/security/sasl.html

We support changing sasl_qop. You can use engine-config to do that.
engine-config -s sasl_qop=auth will change Quality of Protection to be only at authentication.
Please let us know if using that you will be able to see the ldap queries (i.e. have them plain and not encrypted).

Thanks,
Yair
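As an added example (not code from this thread or from oVirt), a small Python script that turns a per-frame LDAP export, like the one a sniffer produces, into a per-connection summary: it counts and times the bind/close cycles Keith describes and reports which connections show a searchRequest in the clear, which is the check to run after sasl_qop=auth. The column layout, the sample lines and the tshark invocation they are modelled on are constructed assumptions.

```python
# Constructed sample, not a real capture; modelled loosely on
#   tshark -r login.pcap -Y ldap -T fields -e frame.time_relative \
#          -e tcp.stream -e ldap.protocolOp
# with protocolOp written as a name.  A GSSAPI-wrapped PDU (auth-conf)
# is not dissected, so its protocolOp column is empty.  Stream 0 is one
# opaque cycle of the loop; stream 1 is a cycle after sasl_qop=auth.
SAMPLE = """\
0.000\t0\tbindRequest
0.015\t0\tbindResponse
0.016\t0\tbindRequest
0.040\t0\tbindResponse
0.041\t0\t
0.391\t0\tunbindRequest
5.000\t1\tbindRequest
5.015\t1\tbindResponse
5.016\t1\tbindRequest
5.040\t1\tbindResponse
5.041\t1\tsearchRequest
5.301\t1\tsearchResDone
5.302\t1\tunbindRequest
"""

def parse_cycles(text):
    """Group frames by TCP stream; each stream is one bind ... close cycle."""
    cycles = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        t, stream = float(fields[0]), int(fields[1])
        op = fields[2] if len(fields) > 2 else ""
        c = cycles.setdefault(stream, {"start": t, "end": t, "binds": 0,
                                       "opaque": 0, "visible": []})
        c["end"] = t
        if op == "bindRequest":
            c["binds"] += 1          # GSSAPI bind takes two round trips
        elif op == "":
            c["opaque"] += 1         # wrapped PDU, contents not visible
        else:
            c["visible"].append(op)
    return cycles

def summarise(text):
    """Cycle count, seconds spent cycling, and streams with cleartext searches."""
    cycles = parse_cycles(text)
    secs = round(sum(c["end"] - c["start"] for c in cycles.values()), 3)
    plain = [s for s, c in cycles.items() if "searchRequest" in c["visible"]]
    return {"cycles": len(cycles), "seconds": secs, "cleartext_streams": plain}
```

On a real capture, a large cycle count with no cleartext streams is the auth-conf loop from the thread; once sasl_qop=auth is set, the search operations should appear in the cleartext streams.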
