[ovirt-users] Error authenticating bind using the AAA OpenLDAP module

Ondra Machacek omachace at redhat.com
Thu Jan 15 04:35:20 EST 2015


Can you try add this line:

pool.default.auth.type = simple

to your prop file?

Something like:

......
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.type = simple
pool.default.auth.simple.bindDN = 
cn=authenticate,ou=System,dc=example,dc=org
pool.default.auth.simple.password = XXXXXXXXX
........

Thanks,
Ondra

On 01/15/2015 10:20 AM, Bruno Rodriguez wrote:
> Thank you very much,
>
> using the following ldap.example.org <http://ldap.example.org> file:
>
> ---------------------
>
> include = <openldap_example.properties>
> include = <rfc2307.properties>
>
> vars.server = ldap1.example.org <http://ldap1.example.org>
> #vars.user = cn=authenticate,ou=System,dc=example,dc=org
> #vars.password = XXXXXXXXX
>
> pool.default.serverset.single.server = ${global:vars.server}
> pool.default.auth.simple.bindDN =
> cn=authenticate,ou=System,dc=example,dc=org
> pool.default.auth.simple.password = XXXXXXXXX
>
> pool.default.ssl.startTLS = true
> pool.default.ssl.truststore.file =
> /etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
> pool.default.ssl.truststore.password = XXXXXXXXX
>
> ---------------------
>
> Then I get the following in the engine log:
>
>
> 2015-01-15 10:04:15,250 ERROR
> [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
> (ajp--127.0.0.1-8702-3) Error during CanDoActionFailure.: Class: class
> org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException
> Input:
> {Extkey[name=AAA_AUTHN_CREDENTIALS;type=class
> java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-4bb5-4592-8167-810a5c909706];]=***,
> Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class
> org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class
> java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0,
> Extkey[name=EXTENSION_LICENSE;type=class
> java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL
> 2.0, Extkey[name=EXTENSION_NOTES;type=class
> java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display
> name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6,
> Extkey[name=EXTENSION_HOME_URL;type=class
> java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]=http://www.ovirt.org,Extkey[name=EXTENSION_LOCALE;type=class
> java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US,
> Extkey[name=EXTENSION_NAME;type=class
> java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn,
> Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class
> java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0,
> Extkey[name=EXTENSION_CONFIGURATION;type=class
> java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***,
> Extkey[name=EXTENSION_AUTHOR;type=class
> java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The
> oVirt Project, Extkey[name=EXTENSION_INSTANCE_NAME;type=class
> java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=authn-ldap.example.org
> <http://authn-ldap.example.org>,
> Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class
> java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0,
> Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface
> java.util.Collection;uuid=EXTENSION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[],
> Extkey[name=AAA_AUTHN_CAPABILITIES;type=class
> java.lang.Long;uuid=AAA_AUTHN_CAPABILITIES[9d16bee3-10fd-46f2-83f9-3d3c54cf258d];]=12,
> Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class
> org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*,
> Extkey[name=EXTENSION_VERSION;type=class
> java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8-8239-4bdb-ab1a-af9f779ce68c];]=1.0.0,
> Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface
> org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.impl.Slf4jLogger(org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authn.authn-ldap.example.org
> <http://org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authn.authn-ldap.example.org>),
> Extkey[name=EXTENSION_PROVIDES;type=interface
> java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.extensions.aaa.Authn]},
> Extkey[name=AAA_AUTHN_USER;type=class
> java.lang.String;uuid=AAA_AUTHN_USER[1ceaba26-1bdc-4663-a3c6-5d926f9dd8f0];]=bruno,
> Extkey[name=EXTENSION_INVOKE_COMMAND;type=class
> org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHN_AUTHENTICATE_CREDENTIALS[d9605c75-6b43-4b00-b32c-06bdfa80244c]}
>   Output:
>   {Extkey[name=EXTENSION_INVOKE_RESULT;type=class
> java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2,
> Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class
> java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=anonymous
> bind disallowed}
>
> -----------------------------------
>
> And this is the ldap connection log:
>
> /var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 fd=114
> ACCEPT from IP=192.168.XX.XX:41469 (IP=0.0.0.0:389 <http://0.0.0.0:389>)
> /var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0
> EXT oid=1.3.6.1.4.1.1466.20037
> /var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0
> STARTTLS
> /var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0
> RESULT oid= err=0 text=
> /var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 fd=114
> TLS established tls_ssf=128 ssf=128
> /var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1
> BIND dn="cn=authenticate,ou=System,dc=example,dc=org" method=128
> /var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1
> BIND dn="cn=authenticate,ou=System,dc=example,dc=org" mech=SIMPLE ssf=0
> /var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1
> RESULT tag=97 err=0 text=
>
> -----------------------------------
>
> It looks like it got the dn correctly but it's unable to bind anyway ...
>
> Thank you,
>
> Bruno
>
>
> On Wed, Jan 14, 2015 at 5:50 PM, Ondra Machacek <omachace at redhat.com
> <mailto:omachace at redhat.com>> wrote:
>
>     Hi,
>
>     On 01/14/2015 04:53 PM, Bruno Rodriguez wrote:
>
>         Good afternoon,
>
>         We cannot access to Ovirt using LDAP authentication against our
>         openldap
>         server. We created the following files in
>         /etc/ovirt-engine/extensions.d
>         (the organization name is not example.org <http://example.org>
>         <http://example.org> and the
>         passwords are not XXXXXXXX, obviously) :
>
>         ----------- /etc/ovirt-engine/extensions.__d/ldap.example.org
>         <http://ldap.example.org>
>         <http://ldap.example.org> -----------
>
>         include = <openldap_example.properties>
>
>         vars.server = ldap1.example.org <http://ldap1.example.org>
>         <http://ldap1.example.org>
>         vars.user = cn=authenticate,ou=System,dc=__example,dc=org
>         vars.password = "XXXXXXXX"
>
>         pool.default.serverset.single.__server = ${global:vars.server}
>         pool.default.auth.simple.__bindDN = ${global:vars.user}
>         pool.default.auth.simple.__password = ${global:vars.password}
>
>         pool.default.ssl.startTLS = true
>         pool.default.ssl.truststore.__file =
>         /etc/ovirt-engine/extensions.__d/ldap.example.org_keystore.__jks
>         pool.default.ssl.truststore.__password = XXXXXXXX
>
>         -----------
>         /etc/ovirt-engine/extensions.__d/authn-ldap.example.org
>         <http://authn-ldap.example.org>.__properties -----------
>
>         ovirt.engine.extension.name <http://ovirt.engine.extension.name>
>         <http://ovirt.engine.__extension.name
>         <http://ovirt.engine.extension.name>> =
>         authn-ldap.example.org <http://authn-ldap.example.org>
>         <http://authn-ldap.example.org__>
>         ovirt.engine.extension.__bindings.method = jbossmodule
>         ovirt.engine.extension.__binding.jbossmodule.module =
>         org.ovirt.engine-extensions.__aaa.ldap
>         ovirt.engine.extension.__binding.jbossmodule.class =
>         org.ovirt.engineextensions.__aaa.ldap.AuthnExtension
>         ovirt.engine.extension.__provides =
>         org.ovirt.engine.api.__extensions.aaa.Authn
>
>         ovirt.engine.aaa.authn.__profile.name
>         <http://ovirt.engine.aaa.authn.profile.name>
>         <http://ovirt.engine.aaa.__authn.profile.name
>         <http://ovirt.engine.aaa.authn.profile.name>> = ldap.example.org
>         <http://ldap.example.org>
>         <http://ldap.example.org>
>         ovirt.engine.aaa.authn.authz.__plugin = authz-ldap.example.org
>         <http://authz-ldap.example.org>
>         <http://authz-ldap.example.org__>
>
>         config.profile.file.1 =
>         /etc/ovirt-engine/extensions.__d/ldap.example.org
>         <http://ldap.example.org>
>         <http://ldap.example.org>
>
>         -----------
>         /etc/ovirt-engine/extensions.__d/authz-ldap.example.org
>         <http://authz-ldap.example.org>.__properties -----------
>
>         ovirt.engine.extension.name <http://ovirt.engine.extension.name>
>         <http://ovirt.engine.__extension.name
>         <http://ovirt.engine.extension.name>> =
>         authz-ldap.example.org <http://authz-ldap.example.org>
>         <http://authz-ldap.example.org__>
>         ovirt.engine.extension.__bindings.method = jbossmodule
>         ovirt.engine.extension.__binding.jbossmodule.module =
>         org.ovirt.engine-extensions.__aaa.ldap
>         ovirt.engine.extension.__binding.jbossmodule.class =
>         org.ovirt.engineextensions.__aaa.ldap.AuthzExtension
>
>         ovirt.engine.extension.__provides =
>         org.ovirt.engine.api.__extensions.aaa.Authz
>         config.profile.file.1 =
>         /etc/ovirt-engine/extensions.__d/ldap.example.org
>         <http://ldap.example.org>
>         <http://ldap.example.org>
>
>         ------------------------------__------------------
>
>         After all of this we restarted the service and tried to access
>         via the
>         administration portal. The JKS has the right permissions and
>         contains
>         the TLS CA, the password is correct and the user "esthera"
>         exists. But
>         when we try to log in, we obtain the following error in the
>         engine.log
>         (we already set the verbosity to ALL):
>
>         ------------------------------__------------------
>
>         2015-01-14 16:35:25,750 ERROR
>         [org.ovirt.engine.core.bll.__aaa.LoginAdminUserCommand]
>         (ajp--127.0.0.1-8702-6) Error during CanDoActionFailure.: Class:
>         class
>         org.ovirt.engine.core.__extensions.mgr.__ExtensionInvokeCommandFailedEx__ception
>         Input:
>         {Extkey[name=AAA_AUTHN___CREDENTIALS;type=class
>         java.lang.String;uuid=AAA___AUTHN_CREDENTIALS[03b96485-__4bb5-4592-8167-810a5c909706];]__=***,
>         Extkey[name=EXTENSION_INVOKE___CONTEXT;type=class
>         org.ovirt.engine.api.__extensions.ExtMap;uuid=__EXTENSION_INVOKE_CONTEXT[__886d2ebb-312a-49ae-9cc3-__e1f849834b7d];]={Extkey[name=__EXTENSION_INTERFACE_VERSION___MAX;type=class
>         java.lang.Integer;uuid=__EXTENSION_INTERFACE_VERSION___MAX[f4cff49f-2717-4901-8ee9-__df362446e3e7];]=0,
>         Extkey[name=EXTENSION_LICENSE;__type=class
>         java.lang.String;uuid=__EXTENSION_LICENSE[8a61ad65-__054c-4e31-9c6d-1ca4d60a4c18];]__=ASL
>         2.0, Extkey[name=EXTENSION_NOTES;__type=class
>         java.lang.String;uuid=__EXTENSION_NOTES[2da5ad7e-185a-__4584-aaff-97f66978e4ea];]=__Display
>         name: ovirt-engine-extension-aaa-__ldap-1.0.0-1.el6,
>         Extkey[name=EXTENSION_HOME___URL;type=class
>         java.lang.String;uuid=__EXTENSION_HOME_URL[4ad7a2f4-__f969-42d4-b399-72d192e18304];]__=http://www.ovirt.org
>         <http://www.ovirt.org/>, Extkey[name=EXTENSION_LOCALE;__type=class
>         java.lang.String;uuid=__EXTENSION_LOCALE[0780b112-__0ce0-404a-b85e-8765d778bb29];]__=en_US,
>         Extkey[name=EXTENSION_NAME;__type=class
>         java.lang.String;uuid=__EXTENSION_NAME[651381d3-f54f-__4547-bf28-b0b01a103184];]=__ovirt-engine-extension-aaa-__ldap.authn,
>         Extkey[name=EXTENSION___INTERFACE_VERSION_MIN;type=__class
>         java.lang.Integer;uuid=__EXTENSION_INTERFACE_VERSION___MIN[2b84fc91-305b-497b-a1d7-__d961b9d2ce0b];]=0,
>         Extkey[name=EXTENSION___CONFIGURATION;type=class
>         java.util.Properties;uuid=__EXTENSION_CONFIGURATION[__2d48ab72-f0a1-4312-b4ae-__5068a226b0fc];]=***,
>         Extkey[name=EXTENSION_AUTHOR;__type=class
>         java.lang.String;uuid=__EXTENSION_AUTHOR[ef242f7a-__2dad-4bc5-9aad-e07018b7fbcc];]__=The
>         oVirt Project, Extkey[name=EXTENSION___INSTANCE_NAME;type=class
>         java.lang.String;uuid=__EXTENSION_INSTANCE_NAME[__65c67ff6-aeca-4bd5-a245-__8674327f011b];]=authn-ldap.
>         <http://authn-ldap.pic.es/>exa__mple.org <http://example.org>
>         <http://example.org>,
>         Extkey[name=EXTENSION_BUILD___INTERFACE_VERSION;type=class
>         java.lang.Integer;uuid=__EXTENSION_BUILD_INTERFACE___VERSION[cb479e5a-4b23-46f8-__aed3-56a4747a8ab7];]=0,
>         Extkey[name=EXTENSION___CONFIGURATION_SENSITIVE_KEYS;__type=interface
>         java.util.Collection;uuid=__EXTENSION_CONFIGURATION___SENSITIVE_KEYS[a456efa1-73ff-__4204-9f9b-ebff01e35263];]=[],
>         Extkey[name=AAA_AUTHN___CAPABILITIES;type=class
>         java.lang.Long;uuid=AAA_AUTHN___CAPABILITIES[9d16bee3-10fd-__46f2-83f9-3d3c54cf258d];]=12,
>         Extkey[name=EXTENSION_GLOBAL___CONTEXT;type=class
>         org.ovirt.engine.api.__extensions.ExtMap;uuid=__EXTENSION_GLOBAL_CONTEXT[__9799e72f-7af6-4cf1-bf08-__297bc8903676];]=*skip*,
>         Extkey[name=EXTENSION_VERSION;__type=class
>         java.lang.String;uuid=__EXTENSION_VERSION[fe35f6a8-__8239-4bdb-ab1a-af9f779ce68c];]__=1.0.0,
>         Extkey[name=EXTENSION_MANAGER___TRACE_LOG;type=interface
>         org.slf4j.Logger;uuid=__EXTENSION_MANAGER_TRACE_LOG[__863db666-3ea7-4751-9695-__918a3197ad83];]=org.slf4j.__impl.Slf4jLogger(org.ovirt.__engine.core.extensions.mgr.__ExtensionsManager.trace.ovirt-__engine-extension-aaa-ldap.__authn.authn-ldap.
>         <http://org.ovirt.engine.core.__extensions.mgr.__extensionsmanager.trace.ovirt-__engine-extension-aaa-ldap.__authn.authn-ldap.pic.es/
>         <http://org.ovirt.engine.core.extensions.mgr.extensionsmanager.trace.ovirt-engine-extension-aaa-ldap.authn.authn-ldap.pic.es/>>examp__le.org
>         <http://example.org>
>         <http://example.org>),
>         Extkey[name=EXTENSION___PROVIDES;type=interface
>         java.util.Collection;uuid=__EXTENSION_PROVIDES[8cf373a6-__65b5-4594-b828-0e275087de91];]__=[org.ovirt.engine.api.__extensions.aaa.Authn]},
>         Extkey[name=AAA_AUTHN_USER;__type=class
>         java.lang.String;uuid=AAA___AUTHN_USER[1ceaba26-1bdc-4663-__a3c6-5d926f9dd8f0];]=esthera,
>         Extkey[name=EXTENSION_INVOKE___COMMAND;type=class
>         org.ovirt.engine.api.__extensions.ExtUUID;uuid=__EXTENSION_INVOKE_COMMAND[__485778ab-bede-4f1a-b823-__77b262a2f28d];]=AAA_AUTHN___AUTHENTICATE_CREDENTIALS[__d9605c75-6b43-4b00-b32c-__06bdfa80244c]}
>         Output:
>         {Extkey[name=EXTENSION_INVOKE___RESULT;type=class
>         java.lang.Integer;uuid=__EXTENSION_INVOKE_RESULT[__0909d91d-8bde-40fb-b6c0-__099c772ddd4e];]=2,
>         Extkey[name=EXTENSION_INVOKE___MESSAGE;type=class
>         java.lang.String;uuid=__EXTENSION_INVOKE_MESSAGE[__b7b053de-dc73-4bf7-9d26-__b8bdb72f5893];]=invalid
>         credentials}
>
>         ------------------------------__------------------
>
>         Having a look at the LDAP log we check that there is a "invalid
>         credentials" error while binding, but we are sure that the bind
>         password
>         is the right one. We already tried to set the bind password without
>         quotes, but then the DN user then appear as an empty string ("")
>
>
>     I think problem is here. That's really strange, you have to use the
>     password without quotes.
>
>     Can you please try to set:
>     pool.default.auth.simple.__bindDN =
>     cn=authenticate,ou=System,dc=__example,dc=org
>     pool.default.auth.simple.__password = XXXXXX
>
>     just without the variables. if the DN is not empty now.
>
>
>         ------------------------------__------------------
>
>         [root at ldap1 ~]# grep $(grep 192.168.XX.X /var/log/ldap.log |
>         tail -n 1 |
>         cut -d: -f4 | cut -d\  -f2) /var/log/ldap.log
>         Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 ACCEPT from
>         IP=192.168.XX.X:39501 <http://192.168.95.2:39501/>
>         (IP=0.0.0.0:389 <http://0.0.0.0:389>
>         <http://0.0.0.0:389/>)
>
>         Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 EXT
>         oid=1.3.6.1.4.1.1466.20037
>         Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 STARTTLS
>         Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 RESULT oid=
>         err=0 text=
>         Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 TLS
>         established
>         tls_ssf=128 ssf=128
>         Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 BIND
>         dn="cn=authenticate,ou=System,__dc=example,dc=org" method=128
>         Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 RESULT tag=97
>         err=49 text=
>         Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=2 UNBIND
>         Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 closed
>
>         ------------------------------__------------------
>
>         By the way, the Ovirt manager (ovmgr) machine can query
>         correctly the
>         openldap server and retrieves everything OK
>
>         ------------------------------__------------------
>
>         [root at ovmgr extensions.d]# ldapsearch -ZZ -D
>         cn=authenticate,ou=System,dc=__example,dc=org -W
>         Enter LDAP Password:
>         # extended LDIF
>         #
>         # LDAPv3
>         # base <dc=example,dc=org> (default) with scope subtree
>         # filter: (objectclass=*)
>         # requesting: ALL
>         #
>
>         # pic.es <http://pic.es> <http://pic.es/>
>         dn: dc=example,dc=org
>         dc: pic
>         objectClass: top
>         objectClass: domain
>
>         ------------------------------__------------------
>
>         Did anybody had a similar problem ? Is there anything that we
>         didn't check ?
>
>         Thanks in advance !
>
>         --
>         Bruno Rodríguez Rodríguez
>
>
>
>         This body part will be downloaded on demand.
>
>
>
>
> --
> Bruno Rodríguez Rodríguez
>
> PIC (Port d'Informació Científica)
> Campus UAB, Edificio D
> E-08193 Bellaterra, Barcelona
> Tel: +34 93 581 33 22
>
> "Si algo me ha enseñado el tetris, es que los errores se acumulan y los
> triunfos desaparecen"


More information about the Users mailing list