[Users] openldap

Jonas Israelsson jonas at israelsson.com
Mon Nov 18 11:17:42 UTC 2013 

On 17/10/13 17:22, Juan Hernandez wrote:
> On 10/17/2013 05:15 PM, Itamar Heim wrote:
>> On 10/17/2013 09:57 AM, Jonas Israelsson wrote:
>>> I saw that openldap is now listed as a provider when invoking
>>> engine-manage-domains. I'm eager to find more information about this.
>>> Does anyone know if there is any updated documentation floating around
>>> somewhere ?
>>>
>>> Found this: http://www.ovirt.org/LDAP_Quick_Start
>>>
>>> But the article seem only half-finished.
>>>
>>> Rgds Jonas
>>>
>> this may help you.
>> https://bugzilla.redhat.com/show_bug.cgi?id=967327#c4
>> https://bugzilla.redhat.com/show_bug.cgi?id=967327#c5
>>
>> help finishing the wiki would be great...
>>
>> thanks,
>>     Itamar
>>
> I am attaching slightly updated notes on how to configure OpenLDAP and
> Kerberos for both Fedora and RHEL/CentOS.
>
Anyone knows if ovirt is able to handle that the kdc and directory
service are running on separate hosts ? In my environment this is the
case where the kdc is located at a service with it's own name/IP
(admin.elementary.se),  and the directory-service on ldap.elementary.se.
Even though I see both names are resolved by a name server lookup a
network sniffer trace shows that later (ldap.elementary.se) used for
both kerberos and ldap access.

Furthermore this (incorrect) configuration file is created

[libdefaults]

default_realm = ELEMENTARY.SE
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = no
default_tkt_enctypes = arcfour-hmac-md5
udp_preference_limit = 1

 [realms]
        ELEMENTARY.SE = {
                kdc = ldap.elementary.se
        }


 [domain_realm]
        elementary.se = ELEMENTARY.SE


In my lab both these services are actually placed on the same physical
server and since the kdc binds to all local interfaces ovirt actually
does reach the kdc via the incorrect name, this is however not the case
later in production.

When trying to add the domain it crashes with the following stack trace

General error has occurednull
java.lang.NegativeArraySizeException
        at
sun.security.jgss.krb5.CipherHelper.aes256Encrypt(CipherHelper.java:1367)
        at
sun.security.jgss.krb5.CipherHelper.encryptData(CipherHelper.java:722)
        at sun.security.jgss.krb5.WrapToken_v2.<init>(WrapToken_v2.java:200)
        at sun.security.jgss.krb5.Krb5Context.wrap(Krb5Context.java:861)
        at sun.security.jgss.GSSContextImpl.wrap(GSSContextImpl.java:385)
        at
com.sun.security.sasl.gsskerb.GssKrb5Base.wrap(GssKrb5Base.java:104)
        at
com.sun.jndi.ldap.sasl.SaslOutputStream.write(SaslOutputStream.java:89)
        at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:430)
        at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:555)
        at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)
        at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1847)
        at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772)
        at
com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386)
        at
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:356)
        at
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:339)
        at
javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
        at
org.ovirt.engine.core.ldap.RootDSEData.<init>(RootDSEData.java:52)
        at
org.ovirt.engine.core.utils.kerberos.JndiAction.getDomainDN(JndiAction.java:257)
        at
org.ovirt.engine.core.utils.kerberos.JndiAction.run(JndiAction.java:87)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:356)
        at
org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.promptSuccessfulAuthentication(KerberosConfigCheck.java:174)
        at
org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.validateKerberosInstallation(KerberosConfigCheck.java:150)
        at
org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck.checkInstallation(KerberosConfigCheck.java:135)
        at
org.ovirt.engine.core.domains.ManageDomains.checkKerberosConfiguration(ManageDomains.java:746)
        at
org.ovirt.engine.core.domains.ManageDomains.testConfiguration(ManageDomains.java:917)
        at
org.ovirt.engine.core.domains.ManageDomains.addDomain(ManageDomains.java:539)
        at
org.ovirt.engine.core.domains.ManageDomains.runCommand(ManageDomains.java:311)
        at
org.ovirt.engine.core.domains.ManageDomains.main(ManageDomains.java:206)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.jboss.modules.Module.run(Module.java:260)
        at org.jboss.modules.Main.main(Main.java:291)
Failure while testing domain %1$s. Details: %2$s: One of the parameters
for this error is null and no default message to show

And this gets written to the log

2013-11-18 10:22:12,479 INFO 
[org.ovirt.engine.core.domains.ManageDomains] Creating kerberos
configuration for domain(s): elementary.se
2013-11-18 10:22:12,493 INFO 
[org.ovirt.engine.core.domains.ManageDomains] Successfully created
kerberos configuration for domain(s): elementary.se
2013-11-18 10:22:12,493 INFO 
[org.ovirt.engine.core.domains.ManageDomains] Testing kerberos
configuration for domain: elementary.se
2013-11-18 10:22:12,569 ERROR
[org.ovirt.engine.core.utils.kerberos.KerberosConfigCheck] Error: 
exception message: Checksum failed
2013-11-18 10:22:12,571 ERROR
[org.ovirt.engine.core.domains.ManageDomains] Failure while testing
domain elementary.se. Details: Kerberos error. Please check log for
further details.

Could this checksum error be a result of the incorrect name being used ?

Rgds Jonas

More information about the Users mailing list