[ovirt-users] simple-sso w. kerberos & iplanet ldap - login slow and unreliable (ovirt 3.5.1.1)
Alon Bar-Lev
alonbl at redhat.com
Thu Apr 9 20:01:45 UTC 2015
Hi,
Just for me to understand... sometime it works and sometime it does not work with same user aneil2?
>From the log I can see that you probably have Basic Authorization Headers enabled, are you sure you do not type user/password in the browser credentials dialog? can you please add KrbMethodK5Passwd off to the apache configuration to make sure it is not prompted? To clear this, if you use firefox go to History->Clear Recent and select only Active Logins.
What I see is that aneil2 cannot be located, and fallback to Basic Authorization Headers is probably performed, and in these the aneil2 is specified without @profile suffix (as expected) and it fails.
Alon
----- Original Message -----
> From: "Alastair Neil" <ajneil.tech at gmail.com>
> To: "Ovirt Users" <users at ovirt.org>
> Sent: Thursday, April 9, 2015 9:46:09 PM
> Subject: [ovirt-users] simple-sso w. kerberos & iplanet ldap - login slow and unreliable (ovirt 3.5.1.1)
>
> I have configured the simple-sso with kerberos. I can successfully login most
> of the time, but often the login fails and I am dropped at the portal login
> window and prompted for the internal account username and password. Host is
> FC 20. Also, adding users in the GMU-authz o= gmu.edu namespace is
> agonisingly slow returning from the directory lookup.
>
> I can see from the apache logs that the kerberos authentication is
> successful, but in the engine logs I see many errors:
>
>
>
> 2015-04-09 13:39:28,493 ERROR
> [org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter]
> (ajp--127.0.0.1-8702-11) Cannot obtain profile for user aneil2
>
> and eventually:
>
>
>
> 2015-04-09 13:39:28,342 ERROR
> [org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter]
> (ajp--127.0.0.1-8702-5) Cannot obtain profile for user aneil2
> {Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class
> org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class
> java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0,
> Extkey[name=EXTENSION_LICENSE;type=class
> java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL
> 2.0, Extkey[name=EXTENSION_NOTES;type=class
> java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display
> name: ovirt-engine-extension-aaa-ldap-1.0.2-1.fc20,
> Extkey[name=EXTENSION_HOME_URL;type=class
> java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]=
> http://www.ovirt.org , Extkey[name=EXTENSION_LOCALE;type=class
> java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US,
> Extkey[name=EXTENSION_NAME;type=class
> java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authz,
> Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class
> java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0,
> Extkey[name=EXTENSION_CONFIGURATION;type=class
> java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***,
> Extkey[name=EXTENSION_AUTHOR;type=class
> java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The
> oVirt Project, Extkey[name=AAA_AUTHZ_QUERY_MAX_FILTER_SIZE;type=class
> java.lang.Integer;uuid=AAA_AUTHZ_QUERY_MAX_FILTER_SIZE[2eb1f541-0f65-44a1-a6e3-014e247595f5];]=50,
> Extkey[name=EXTENSION_INSTANCE_NAME;type=class
> java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=GMU-authz,
> Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class
> java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0,
> Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface
> java.util.Collection;uuid=EXTENSION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[],
> Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class
> org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*,
> Extkey[name=EXTENSION_VERSION;type=class
> java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8-8239-4bdb-ab1a-af9f779ce68c];]=1.0.2,
> Extkey[name=AAA_AUTHZ_AVAILABLE_NAMESPACES;type=interface
> java.util.Collection;uuid=AAA_AUTHZ_AVAILABLE_NAMESPACES[6dffa34c-955f-486a-bd35-0a272b45a711];]=[o=
> gmu.edu ], Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface
> org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.impl.Slf4jLogger(org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authz.GMU-authz),
> Extkey[name=EXTENSION_PROVIDES;type=interface
> java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.extensions.aaa.Authz],
> Extkey[name=EXTENSION_CONFIGURATION_FILE;type=class
> java.lang.String;uuid=EXTENSION_CONFIGURATION_FILE[4fb0ffd3-983c-4f3f-98ff-9660bd67af6a];]=/etc/ovirt-engine/extensions.d/GMU-authz.properties},
> Extkey[name=AAA_AUTHZ_QUERY_FLAGS;type=class
> java.lang.Integer;uuid=AAA_AUTHZ_QUERY_FLAGS[97d226e9-8d87-49a0-9a7f-af689320907b];]=3,
> Extkey[name=EXTENSION_INVOKE_COMMAND;type=class
> org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHZ_FETCH_PRINCIPAL_RECORD[5a5bf9bb-9336-4376-a823-26efe1ba26df],
> Extkey[name=AAA_AUTHN_AUTH_RECORD;type=class
> org.ovirt.engine.api.extensions.ExtMap;uuid=AAA_AUTHN_AUTH_RECORD[e9462168-b53b-44ac-9af5-f25e1697173e];]={Extkey[name=AAA_AUTHN_AUTH_RECORD_PRINCIPAL;type=class
> java.lang.String;uuid=AAA_AUTHN_AUTH_RECORD_PRINCIPAL[c3498f07-11fe-464c-958c-8bd7490b119a];]=aneil2}}
> {Extkey[name=EXTENSION_INVOKE_RESULT;type=class
> java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2,
> Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class
> java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=Cannot
> locate principal 'aneil2'}
> 2015-04-09 13:39:28,527 ERROR
> [org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter]
> (ajp--127.0.0.1-8702-6) Cannot obtain profile for user aneil2
> 2015-04-09 13:39:28,493 ERROR
> [org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter]
> (ajp--127.0.0.1-8702-11) Cannot obtain profile for user aneil2
> 2015-04-09 13:39:28,593 INFO
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (ajp--127.0.0.1-8702-6) Correlation ID: null, Call Stack: null, Custom Event
> ID: -1, Message: User aneil2 at GMU.EDU@GMU-http logged in.
>
>
> I suspect the ldap lookup is not working correctly. Here are the relevant
> config files:
>
>
>
> cat /etc/ovirt-engine/aaa/GMU.properties file:
>
>
> # Select one
> #
> #include = <openldap.properties>
> #include = <389ds.properties>
> #include = <rhds.properties>
> #include = <ipa.properties>
> include = <iplanet.properties>
> #include = <rfc2307.properties>
> #include = <rfc2307-openldap.properties>
> #
> # Server
> #
> vars.server = dirapps.gmu.edu
> #
> # Search user and its password.
> #
> vars.user = uid=proxy,ou=people,o= gmu.edu
> vars.password = XXXXXXXXXX
> pool.default.serverset.single.server = ${global:vars.server}
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
> # Create keystore, import certificate chain and uncomment
> # if using ssl/tls.
> #pool.default.ssl.startTLS = true
> #pool.default.ssl.truststore.file =
> ${local:_basedir}/${global:vars.server}.jks
> #pool.default.ssl.truststore.password = changeit
>
>
> cat /etc/ovirt-engine/extensions.d/GMU-authz.properties
> ovirt.engine.extension.name = GMU-authz
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module =
> org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class =
> org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> config.profile.file.1 = ../aaa/GMU.properties
> #config.globals.bindFormat.simple_bindFormat = realm
>
>
>
> cat /etc/ovirt-engine/extensions.d/GMU-http-authn.properties
> ovirt.engine.extension.name = GMU-http-authn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module =
> org.ovirt.engine-extensions.aaa.misc
> ovirt.engine.extension.binding.jbossmodule.class =
> org.ovirt.engineextensions.aaa.misc.http.AuthnExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> ovirt.engine.aaa.authn.profile.name = GMU-http
> ovirt.engine.aaa.authn.authz.plugin = GMU-authz
> ovirt.engine.aaa.authn.mapping.plugin = http-mapping
> config.artifact.name = HEADER
> config.artifact.arg = X-Remote-User
>
>
>
>
> cat /etc/ovirt-engine/extensions.d/http-mapping.properties
> ovirt.engine.extension.name = http-mapping
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module =
> org.ovirt.engine-extensions.aaa.misc
> ovirt.engine.extension.binding.jbossmodule.class =
> org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
> config.mapAuthRecord.type = regex
> config.mapAuthRecord.regex.mustMatch = true
> config.mapAuthRecord.regex.pattern =
> ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
> config.mapAuthRecord.regex.replacement = ${user}${at}${suffix}
>
>
>
> cat /etc/ovirt-engine/aaa/ovirt-sso.conf
> #
> # 1. make sure /etc/krb5.keytab is available and valid.
> # 2. update KrbAuthRealms
> # 3. symlink into /etc/httpd/conf.d
> #
> <LocationMatch ^(/ovirt-engine/(webadmin|userportal|api)|/api)>
> RewriteEngine on
> RewriteCond %{LA-U:REMOTE_USER} ^(.*)$
> RewriteRule ^(.*)$ - [L,P,E=REMOTE_USER:%1]
> RequestHeader set X-Remote-User %{REMOTE_USER}s
> LogLevel debug
> AuthType Kerberos
> AuthName "Kerberos Login"
> Krb5Keytab /etc/httpd/http.keytab
> KrbAuthRealms GMU.EDU VSNET.GMU.EDU
> KrbServiceName HTTP/ ovirt-admin-hosted.vsnet.gmu.edu
> Require valid-user
> </LocationMatch>
>
>
> The LDAP server is: Sun-Directory-Server/11.1.1.5.0
>
> I have no administrative access to the ldap server, but I can successfully
> search via ldapsearch by binding with the proxy dn and password.
>
> Any ideas what might be wrong, or how to troubleshoot?
>
> -Alastair
>
>
>
>
>
>
>
>
>
>
>
>
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
More information about the Users
mailing list