[ovirt-users] Error authenticating bind using the AAA OpenLDAP module

Bruno Rodriguez bruno at pic.es
Thu Jan 15 04:20:57 EST 2015


Thank you very much,

using the following ldap.example.org file:

---------------------

include = <openldap_example.properties>
include = <rfc2307.properties>

vars.server = ldap1.example.org
#vars.user = cn=authenticate,ou=System,dc=example,dc=org
#vars.password = XXXXXXXXX

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN =
cn=authenticate,ou=System,dc=example,dc=org
pool.default.auth.simple.password = XXXXXXXXX

pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file =
/etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
pool.default.ssl.truststore.password = XXXXXXXXX

---------------------

Then I get the following in the engine log:


2015-01-15 10:04:15,250 ERROR
[org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
(ajp--127.0.0.1-8702-3) Error during CanDoActionFailure.: Class: class
org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException
Input:
{Extkey[name=AAA_AUTHN_CREDENTIALS;type=class
java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-4bb5-4592-8167-810a5c909706];]=***,
Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class
org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0,
Extkey[name=EXTENSION_LICENSE;type=class
java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL
2.0, Extkey[name=EXTENSION_NOTES;type=class
java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display
name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6,
Extkey[name=EXTENSION_HOME_URL;type=class
java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]=
http://www.ovirt.org,Extkey[name=EXTENSION_LOCALE;type=class
java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US,
Extkey[name=EXTENSION_NAME;type=class
java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn,
Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0,
Extkey[name=EXTENSION_CONFIGURATION;type=class
java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***,
Extkey[name=EXTENSION_AUTHOR;type=class
java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The
oVirt Project, Extkey[name=EXTENSION_INSTANCE_NAME;type=class
java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=
authn-ldap.example.org,
Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class
java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0,
Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface
java.util.Collection;uuid=EXTENSION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[],
Extkey[name=AAA_AUTHN_CAPABILITIES;type=class
java.lang.Long;uuid=AAA_AUTHN_CAPABILITIES[9d16bee3-10fd-46f2-83f9-3d3c54cf258d];]=12,
Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class
org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*,
Extkey[name=EXTENSION_VERSION;type=class
java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8-8239-4bdb-ab1a-af9f779ce68c];]=1.0.0,
Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface
org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.impl.Slf4jLogger(
org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authn.authn-ldap.example.org),
Extkey[name=EXTENSION_PROVIDES;type=interface
java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.extensions.aaa.Authn]},
Extkey[name=AAA_AUTHN_USER;type=class
java.lang.String;uuid=AAA_AUTHN_USER[1ceaba26-1bdc-4663-a3c6-5d926f9dd8f0];]=bruno,
Extkey[name=EXTENSION_INVOKE_COMMAND;type=class
org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHN_AUTHENTICATE_CREDENTIALS[d9605c75-6b43-4b00-b32c-06bdfa80244c]}
 Output:
 {Extkey[name=EXTENSION_INVOKE_RESULT;type=class
java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2,
Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class
java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=anonymous
bind disallowed}

-----------------------------------

And this is the ldap connection log:

/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 fd=114
ACCEPT from IP=192.168.XX.XX:41469 (IP=0.0.0.0:389)
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0 EXT
oid=1.3.6.1.4.1.1466.20037
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0
STARTTLS
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0
RESULT oid= err=0 text=
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 fd=114
TLS established tls_ssf=128 ssf=128
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 BIND
dn="cn=authenticate,ou=System,dc=example,dc=org" method=128
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 BIND
dn="cn=authenticate,ou=System,dc=example,dc=org" mech=SIMPLE ssf=0
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1
RESULT tag=97 err=0 text=

-----------------------------------

It looks like it got the dn correctly but it's unable to bind anyway ...

Thank you,

Bruno


On Wed, Jan 14, 2015 at 5:50 PM, Ondra Machacek <omachace at redhat.com> wrote:

> Hi,
>
> On 01/14/2015 04:53 PM, Bruno Rodriguez wrote:
>
>> Good afternoon,
>>
>> We cannot access to Ovirt using LDAP authentication against our openldap
>> server. We created the following files in /etc/ovirt-engine/extensions.d
>> (the organization name is not example.org <http://example.org> and the
>> passwords are not XXXXXXXX, obviously) :
>>
>> ----------- /etc/ovirt-engine/extensions.d/ldap.example.org
>> <http://ldap.example.org> -----------
>>
>> include = <openldap_example.properties>
>>
>> vars.server = ldap1.example.org <http://ldap1.example.org>
>> vars.user = cn=authenticate,ou=System,dc=example,dc=org
>> vars.password = "XXXXXXXX"
>>
>> pool.default.serverset.single.server = ${global:vars.server}
>> pool.default.auth.simple.bindDN = ${global:vars.user}
>> pool.default.auth.simple.password = ${global:vars.password}
>>
>> pool.default.ssl.startTLS = true
>> pool.default.ssl.truststore.file =
>> /etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
>> pool.default.ssl.truststore.password = XXXXXXXX
>>
>> -----------
>> /etc/ovirt-engine/extensions.d/authn-ldap.example.org.properties
>> -----------
>>
>> ovirt.engine.extension.name <http://ovirt.engine.extension.name> =
>> authn-ldap.example.org <http://authn-ldap.example.org>
>> ovirt.engine.extension.bindings.method = jbossmodule
>> ovirt.engine.extension.binding.jbossmodule.module =
>> org.ovirt.engine-extensions.aaa.ldap
>> ovirt.engine.extension.binding.jbossmodule.class =
>> org.ovirt.engineextensions.aaa.ldap.AuthnExtension
>> ovirt.engine.extension.provides = org.ovirt.engine.api.
>> extensions.aaa.Authn
>>
>> ovirt.engine.aaa.authn.profile.name
>> <http://ovirt.engine.aaa.authn.profile.name> = ldap.example.org
>> <http://ldap.example.org>
>> ovirt.engine.aaa.authn.authz.plugin = authz-ldap.example.org
>> <http://authz-ldap.example.org>
>>
>> config.profile.file.1 = /etc/ovirt-engine/extensions.d/ldap.example.org
>> <http://ldap.example.org>
>>
>> -----------
>> /etc/ovirt-engine/extensions.d/authz-ldap.example.org.properties
>> -----------
>>
>> ovirt.engine.extension.name <http://ovirt.engine.extension.name> =
>> authz-ldap.example.org <http://authz-ldap.example.org>
>> ovirt.engine.extension.bindings.method = jbossmodule
>> ovirt.engine.extension.binding.jbossmodule.module =
>> org.ovirt.engine-extensions.aaa.ldap
>> ovirt.engine.extension.binding.jbossmodule.class =
>> org.ovirt.engineextensions.aaa.ldap.AuthzExtension
>>
>> ovirt.engine.extension.provides = org.ovirt.engine.api.
>> extensions.aaa.Authz
>> config.profile.file.1 = /etc/ovirt-engine/extensions.d/ldap.example.org
>> <http://ldap.example.org>
>>
>> ------------------------------------------------
>>
>> After all of this we restarted the service and tried to access via the
>> administration portal. The JKS has the right permissions and contains
>> the TLS CA, the password is correct and the user "esthera" exists. But
>> when we try to log in, we obtain the following error in the engine.log
>> (we already set the verbosity to ALL):
>>
>> ------------------------------------------------
>>
>> 2015-01-14 16:35:25,750 ERROR
>> [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
>> (ajp--127.0.0.1-8702-6) Error during CanDoActionFailure.: Class: class
>> org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedEx
>> ception
>> Input:
>> {Extkey[name=AAA_AUTHN_CREDENTIALS;type=class
>> java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-
>> 4bb5-4592-8167-810a5c909706];]=***,
>> Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class
>> org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[
>> 886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=
>> EXTENSION_INTERFACE_VERSION_MAX;type=class
>> java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_
>> MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0,
>> Extkey[name=EXTENSION_LICENSE;type=class
>> java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-
>> 054c-4e31-9c6d-1ca4d60a4c18];]=ASL
>> 2.0, Extkey[name=EXTENSION_NOTES;type=class
>> java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-
>> 4584-aaff-97f66978e4ea];]=Display
>> name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6,
>> Extkey[name=EXTENSION_HOME_URL;type=class
>> java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-
>> f969-42d4-b399-72d192e18304];]=http://www.ovirt.org
>> <http://www.ovirt.org/>, Extkey[name=EXTENSION_LOCALE;type=class
>> java.lang.String;uuid=EXTENSION_LOCALE[0780b112-
>> 0ce0-404a-b85e-8765d778bb29];]=en_US,
>> Extkey[name=EXTENSION_NAME;type=class
>> java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-
>> 4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn,
>> Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class
>> java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_
>> MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0,
>> Extkey[name=EXTENSION_CONFIGURATION;type=class
>> java.util.Properties;uuid=EXTENSION_CONFIGURATION[
>> 2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***,
>> Extkey[name=EXTENSION_AUTHOR;type=class
>> java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-
>> 2dad-4bc5-9aad-e07018b7fbcc];]=The
>> oVirt Project, Extkey[name=EXTENSION_INSTANCE_NAME;type=class
>> java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-
>> 8674327f011b];]=authn-ldap.
>> <http://authn-ldap.pic.es/>example.org <http://example.org>,
>> Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class
>> java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_
>> VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0,
>> Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface
>> java.util.Collection;uuid=EXTENSION_CONFIGURATION_
>> SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[],
>> Extkey[name=AAA_AUTHN_CAPABILITIES;type=class
>> java.lang.Long;uuid=AAA_AUTHN_CAPABILITIES[9d16bee3-10fd-
>> 46f2-83f9-3d3c54cf258d];]=12,
>> Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class
>> org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[
>> 9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*,
>> Extkey[name=EXTENSION_VERSION;type=class
>> java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8-
>> 8239-4bdb-ab1a-af9f779ce68c];]=1.0.0,
>> Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface
>> org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[
>> 863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.
>> impl.Slf4jLogger(org.ovirt.engine.core.extensions.mgr.
>> ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authn.authn-ldap.
>> <http://org.ovirt.engine.core.extensions.mgr.
>> extensionsmanager.trace.ovirt-engine-extension-aaa-ldap.
>> authn.authn-ldap.pic.es/>example.org
>> <http://example.org>), Extkey[name=EXTENSION_PROVIDES;type=interface
>> java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-
>> 65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.
>> extensions.aaa.Authn]},
>> Extkey[name=AAA_AUTHN_USER;type=class
>> java.lang.String;uuid=AAA_AUTHN_USER[1ceaba26-1bdc-4663-
>> a3c6-5d926f9dd8f0];]=esthera,
>> Extkey[name=EXTENSION_INVOKE_COMMAND;type=class
>> org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[
>> 485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHN_
>> AUTHENTICATE_CREDENTIALS[d9605c75-6b43-4b00-b32c-06bdfa80244c]}
>> Output:
>> {Extkey[name=EXTENSION_INVOKE_RESULT;type=class
>> java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-
>> 099c772ddd4e];]=2,
>> Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class
>> java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-
>> b8bdb72f5893];]=invalid
>> credentials}
>>
>> ------------------------------------------------
>>
>> Having a look at the LDAP log we check that there is a "invalid
>> credentials" error while binding, but we are sure that the bind password
>> is the right one. We already tried to set the bind password without
>> quotes, but then the DN user then appear as an empty string ("")
>>
>
> I think problem is here. That's really strange, you have to use the
> password without quotes.
>
> Can you please try to set:
> pool.default.auth.simple.bindDN = cn=authenticate,ou=System,dc=
> example,dc=org
> pool.default.auth.simple.password = XXXXXX
>
> just without the variables. if the DN is not empty now.
>
>
>> ------------------------------------------------
>>
>> [root at ldap1 ~]# grep $(grep 192.168.XX.X /var/log/ldap.log | tail -n 1 |
>> cut -d: -f4 | cut -d\  -f2) /var/log/ldap.log
>> Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 ACCEPT from
>> IP=192.168.XX.X:39501 <http://192.168.95.2:39501/> (IP=0.0.0.0:389
>> <http://0.0.0.0:389/>)
>>
>> Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 EXT
>> oid=1.3.6.1.4.1.1466.20037
>> Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 STARTTLS
>> Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 RESULT oid= err=0
>> text=
>> Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 TLS established
>> tls_ssf=128 ssf=128
>> Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 BIND
>> dn="cn=authenticate,ou=System,dc=example,dc=org" method=128
>> Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 RESULT tag=97
>> err=49 text=
>> Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=2 UNBIND
>> Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 closed
>>
>> ------------------------------------------------
>>
>> By the way, the Ovirt manager (ovmgr) machine can query correctly the
>> openldap server and retrieves everything OK
>>
>> ------------------------------------------------
>>
>> [root at ovmgr extensions.d]# ldapsearch -ZZ -D
>> cn=authenticate,ou=System,dc=example,dc=org -W
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <dc=example,dc=org> (default) with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # pic.es <http://pic.es/>
>> dn: dc=example,dc=org
>> dc: pic
>> objectClass: top
>> objectClass: domain
>>
>> ------------------------------------------------
>>
>> Did anybody had a similar problem ? Is there anything that we didn't
>> check ?
>>
>> Thanks in advance !
>>
>> --
>> Bruno Rodríguez Rodríguez
>>
>>
>>
>> This body part will be downloaded on demand.
>>
>>


-- 
Bruno Rodríguez Rodríguez

PIC (Port d'Informació Científica)
Campus UAB, Edificio D
E-08193 Bellaterra, Barcelona
Tel: +34 93 581 33 22

"Si algo me ha enseñado el tetris, es que los errores se acumulan y los
triunfos desaparecen"
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20150115/db6e2412/attachment-0001.html>


More information about the Users mailing list