[ovirt-users] Error authenticating bind using the AAA OpenLDAP module

Alon Bar-Lev alonbl at redhat.com
Wed Jan 14 16:08:25 UTC 2015 

Hi!

Great information!

I really need you to add the log for org.ovirt.engineextensions.aaa.ldap, see [1] so I can see the entire sequence.

You are trying to authenticate the esthera user, this result in bind request using this user, so you should really try to see if bind succeeds with this user and passwod.

$ ldapsearch -ZZ -D replace_with_esthera_DN -W -b 'dc=example,dc=org'

It may be that the password of the user is not set or different than what you expect, or the schema is not openldap but rfc2307.

Alon

[1] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l270

----- Original Message -----
> From: "Bruno Rodriguez" <bruno at pic.es>
> To: users at ovirt.org, "Esther Accion" <esthera at pic.es>
> Sent: Wednesday, January 14, 2015 5:53:06 PM
> Subject: [ovirt-users] Error authenticating bind using the AAA OpenLDAP	module
> 
> Good afternoon,
> 
> We cannot access to Ovirt using LDAP authentication against our openldap
> server. We created the following files in /etc/ovirt-engine/extensions.d
> (the organization name is not example.org and the passwords are not
> XXXXXXXX, obviously) :
> 
> ----------- /etc/ovirt-engine/extensions.d/ ldap.example.org -----------
> 
> include = <openldap_example.properties>
> 
> vars.server = ldap1.example.org
> vars.user = cn=authenticate,ou=System,dc=example,dc=org
> vars.password = "XXXXXXXX"
> 
> pool.default.serverset.single.server = ${global:vars.server}
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
> 
> pool.default.ssl.startTLS = true
> pool.default.ssl.truststore.file =
> /etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
> pool.default.ssl.truststore.password = XXXXXXXX
> 
> ----------- /etc/ovirt-engine/extensions.d/authn-ldap.example.org.properties
> -----------
> 
> ovirt.engine.extension.name = authn-ldap.example.org
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module =
> org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class =
> org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> 
> ovirt.engine.aaa.authn.profile.name = ldap.example.org
> ovirt.engine.aaa.authn.authz.plugin = authz-ldap.example.org
> 
> config.profile.file.1 = /etc/ovirt-engine/extensions.d/ ldap.example.org
> 
> ----------- /etc/ovirt-engine/extensions.d/authz-ldap.example.org.properties
> -----------
> 
> ovirt.engine.extension.name = authz-ldap.example.org
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module =
> org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class =
> org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> 
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> config.profile.file.1 = /etc/ovirt-engine/extensions.d/ ldap.example.org
> 
> ------------------------------------------------
> 
> After all of this we restarted the service and tried to access via the
> administration portal. The JKS has the right permissions and contains the
> TLS CA, the password is correct and the user "esthera" exists. But when we
> try to log in, we obtain the following error in the engine.log (we already
> set the verbosity to ALL):
> 
> ------------------------------------------------
> 
> 2015-01-14 16:35:25,750 ERROR [org.ovirt.engine.core.bll.
> aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-6) Error during
> CanDoActionFailure.: Class: class org.ovirt.engine.core. extensions.mgr.
> ExtensionInvokeCommandFailedEx ception
> Input:
> {Extkey[name=AAA_AUTHN_ CREDENTIALS;type=class java.lang.String;uuid=AAA_
> AUTHN_CREDENTIALS[03b96485- 4bb5-4592-8167-810a5c909706];] =***,
> Extkey[name=EXTENSION_INVOKE_ CONTEXT;type=class org.ovirt.engine.api.
> extensions.ExtMap;uuid= EXTENSION_INVOKE_CONTEXT[ 886d2ebb-312a-49ae-9cc3-
> e1f849834b7d];]={Extkey[name= EXTENSION_INTERFACE_VERSION_ MAX;type=class
> java.lang.Integer;uuid= EXTENSION_INTERFACE_VERSION_
> MAX[f4cff49f-2717-4901-8ee9- df362446e3e7];]=0,
> Extkey[name=EXTENSION_LICENSE; type=class java.lang.String;uuid=
> EXTENSION_LICENSE[8a61ad65- 054c-4e31-9c6d-1ca4d60a4c18];] =ASL 2.0,
> Extkey[name=EXTENSION_NOTES; type=class java.lang.String;uuid=
> EXTENSION_NOTES[2da5ad7e-185a- 4584-aaff-97f66978e4ea];]= Display name:
> ovirt-engine-extension-aaa- ldap-1.0.0-1.el6, Extkey[name=EXTENSION_HOME_
> URL;type=class java.lang.String;uuid= EXTENSION_HOME_URL[4ad7a2f4-
> f969-42d4-b399-72d192e18304];] = http://www.ovirt.org ,
> Extkey[name=EXTENSION_LOCALE; type=class java.lang.String;uuid=
> EXTENSION_LOCALE[0780b112- 0ce0-404a-b85e-8765d778bb29];] =en_US,
> Extkey[name=EXTENSION_NAME; type=class java.lang.String;uuid=
> EXTENSION_NAME[651381d3-f54f- 4547-bf28-b0b01a103184];]=
> ovirt-engine-extension-aaa- ldap.authn, Extkey[name=EXTENSION_
> INTERFACE_VERSION_MIN;type= class java.lang.Integer;uuid=
> EXTENSION_INTERFACE_VERSION_ MIN[2b84fc91-305b-497b-a1d7- d961b9d2ce0b];]=0,
> Extkey[name=EXTENSION_ CONFIGURATION;type=class java.util.Properties;uuid=
> EXTENSION_CONFIGURATION[ 2d48ab72-f0a1-4312-b4ae- 5068a226b0fc];]=***,
> Extkey[name=EXTENSION_AUTHOR; type=class java.lang.String;uuid=
> EXTENSION_AUTHOR[ef242f7a- 2dad-4bc5-9aad-e07018b7fbcc];] =The oVirt
> Project, Extkey[name=EXTENSION_ INSTANCE_NAME;type=class
> java.lang.String;uuid= EXTENSION_INSTANCE_NAME[ 65c67ff6-aeca-4bd5-a245-
> 8674327f011b];]= authn-ldap. example.org , Extkey[name=EXTENSION_BUILD_
> INTERFACE_VERSION;type=class java.lang.Integer;uuid=
> EXTENSION_BUILD_INTERFACE_ VERSION[cb479e5a-4b23-46f8-
> aed3-56a4747a8ab7];]=0, Extkey[name=EXTENSION_ CONFIGURATION_SENSITIVE_KEYS;
> type=interface java.util.Collection;uuid= EXTENSION_CONFIGURATION_
> SENSITIVE_KEYS[a456efa1-73ff- 4204-9f9b-ebff01e35263];]=[],
> Extkey[name=AAA_AUTHN_ CAPABILITIES;type=class
> java.lang.Long;uuid=AAA_AUTHN_ CAPABILITIES[9d16bee3-10fd-
> 46f2-83f9-3d3c54cf258d];]=12, Extkey[name=EXTENSION_GLOBAL_
> CONTEXT;type=class org.ovirt.engine.api. extensions.ExtMap;uuid=
> EXTENSION_GLOBAL_CONTEXT[ 9799e72f-7af6-4cf1-bf08- 297bc8903676];]=*skip*,
> Extkey[name=EXTENSION_VERSION; type=class java.lang.String;uuid=
> EXTENSION_VERSION[fe35f6a8- 8239-4bdb-ab1a-af9f779ce68c];] =1.0.0,
> Extkey[name=EXTENSION_MANAGER_ TRACE_LOG;type=interface
> org.slf4j.Logger;uuid= EXTENSION_MANAGER_TRACE_LOG[ 863db666-3ea7-4751-9695-
> 918a3197ad83];]=org.slf4j. impl.Slf4jLogger(
> org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authn.authn-ldap.
> example.org ), Extkey[name=EXTENSION_ PROVIDES;type=interface
> java.util.Collection;uuid= EXTENSION_PROVIDES[8cf373a6-
> 65b5-4594-b828-0e275087de91];] =[org.ovirt.engine.api.
> extensions.aaa.Authn]}, Extkey[name=AAA_AUTHN_USER; type=class
> java.lang.String;uuid=AAA_ AUTHN_USER[1ceaba26-1bdc-4663-
> a3c6-5d926f9dd8f0];]=esthera, Extkey[name=EXTENSION_INVOKE_
> COMMAND;type=class org.ovirt.engine.api. extensions.ExtUUID;uuid=
> EXTENSION_INVOKE_COMMAND[ 485778ab-bede-4f1a-b823-
> 77b262a2f28d];]=AAA_AUTHN_ AUTHENTICATE_CREDENTIALS[
> d9605c75-6b43-4b00-b32c- 06bdfa80244c]}
> Output:
> {Extkey[name=EXTENSION_INVOKE_ RESULT;type=class java.lang.Integer;uuid=
> EXTENSION_INVOKE_RESULT[ 0909d91d-8bde-40fb-b6c0- 099c772ddd4e];]=2,
> Extkey[name=EXTENSION_INVOKE_ MESSAGE;type=class java.lang.String;uuid=
> EXTENSION_INVOKE_MESSAGE[ b7b053de-dc73-4bf7-9d26- b8bdb72f5893];]=invalid
> credentials}
> 
> ------------------------------------------------
> 
> Having a look at the LDAP log we check that there is a "invalid credentials"
> error while binding, but we are sure that the bind password is the right
> one. We already tried to set the bind password without quotes, but then the
> DN user then appear as an empty string ("")
> 
> ------------------------------------------------
> 
> [root at ldap1 ~]# grep $(grep 192.168.XX.X /var/log/ldap.log | tail -n 1 | cut
> -d: -f4 | cut -d\ -f2) /var/log/ldap.log
> Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 ACCEPT from IP=
> 192.168.XX.X:39501 (IP= 0.0.0.0:389 )
> Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 EXT
> oid=1.3.6.1.4.1.1466.20037
> Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 STARTTLS
> Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 RESULT oid= err=0 text=
> Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 TLS established
> tls_ssf=128 ssf=128
> Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 BIND
> dn="cn=authenticate,ou=System, dc=example,dc=org" method=128
> Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 RESULT tag=97 err=49
> text=
> Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=2 UNBIND
> Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 closed
> 
> ------------------------------------------------
> 
> By the way, the Ovirt manager (ovmgr) machine can query correctly the
> openldap server and retrieves everything OK
> 
> ------------------------------------------------
> 
> [root at ovmgr extensions.d]# ldapsearch -ZZ -D
> cn=authenticate,ou=System,dc=example ,dc=org -W
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=example,dc=org> (default) with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
> 
> # pic.es
> dn: dc=example,dc=org
> dc: pic
> objectClass: top
> objectClass: domain
> 
> ------------------------------------------------
> 
> Did anybody had a similar problem ? Is there anything that we didn't check ?
> 
> Thanks in advance !
> 
> --
> Bruno Rodríguez Rodríguez
> 
> 
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>

More information about the Users mailing list