[ovirt-users] Error authenticating bind using the AAA OpenLDAP module
Bruno Rodriguez
bruno at pic.es
Thu Jan 15 09:01:09 UTC 2015
Thank you very much for the fast reply!
I grepped "org.ovirt.engineextensions.aaa.ldap" in the engine log file, but
I wasn't able to get enough information to know what the problem was...
2015-01-14 16:04:18,575 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-3) [ovirt-engine-extension-aaa-ldap.authz::authz-ldap.example.org] Creating LDAP pool 'authz'
2015-01-14 16:04:18,648 ERROR [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread 1-3) [ovirt-engine-extension-aaa-ldap.authz::authz-ldap.example.org] Cannot initialize LDAP framework, deferring initialization. Error: invalid credentials
2015-01-14 16:04:36,913 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-2) [ovirt-engine-extension-aaa-ldap.authn::authn-ldap.example.org] Creating LDAP pool 'authz'
2015-01-14 16:08:34,521 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-1) [ovirt-engine-extension-aaa-ldap.authn::authn-ldap.example.org] Creating LDAP pool 'authz'
2015-01-14 16:35:25,670 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-6) [ovirt-engine-extension-aaa-ldap.authn::authn-ldap.example.org] Creating LDAP pool 'authz'
2015-01-14 17:44:19,769 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-4) [ovirt-engine-extension-aaa-ldap.authn::authn-ldap.example.org] Creating LDAP pool 'authz'
2015-01-14 17:44:20,096 ERROR [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-4) [ovirt-engine-extension-aaa-ldap.authn::authn-ldap.example.org] Cannot initialize LDAP framework, deferring initialization. Error: invalid credentials
2015-01-14 17:44:20,105 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-4) [ovirt-engine-extension-aaa-ldap.authz::authz-ldap.example.org] Creating LDAP pool 'authz'
2015-01-14 17:44:20,178 ERROR [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread 1-4) [ovirt-engine-extension-aaa-ldap.authz::authz-ldap.example.org] Cannot initialize LDAP framework, deferring initialization. Error: invalid credentials
Thanks again.
On Wed, Jan 14, 2015 at 5:08 PM, Alon Bar-Lev <alonbl at redhat.com> wrote:
> Hi!
>
> Great information!
>
> I really need you to add the log for org.ovirt.engineextensions.aaa.ldap,
> see [1] so I can see the entire sequence.
>
> You are trying to authenticate the esthera user; this results in a bind
> request using this user, so you should really try to see if the bind succeeds
> with this user and password.
>
> $ ldapsearch -ZZ -D replace_with_esthera_DN -W -b 'dc=example,dc=org'
>
> It may be that the password of the user is not set or different than what
> you expect, or the schema is not openldap but rfc2307.
>
> Alon
>
> [1]
> http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l270
>
> ----- Original Message -----
> > From: "Bruno Rodriguez" <bruno at pic.es>
> > To: users at ovirt.org, "Esther Accion" <esthera at pic.es>
> > Sent: Wednesday, January 14, 2015 5:53:06 PM
> > Subject: [ovirt-users] Error authenticating bind using the AAA OpenLDAP module
> >
> > Good afternoon,
> >
> > We cannot access oVirt using LDAP authentication against our OpenLDAP
> > server. We created the following files in /etc/ovirt-engine/extensions.d
> > (the organization name is not example.org and the passwords are not
> > XXXXXXXX, obviously):
> >
> > ----------- /etc/ovirt-engine/extensions.d/ldap.example.org -----------
> >
> > include = <openldap_example.properties>
> >
> > vars.server = ldap1.example.org
> > vars.user = cn=authenticate,ou=System,dc=example,dc=org
> > vars.password = "XXXXXXXX"
> >
> > pool.default.serverset.single.server = ${global:vars.server}
> > pool.default.auth.simple.bindDN = ${global:vars.user}
> > pool.default.auth.simple.password = ${global:vars.password}
> >
> > pool.default.ssl.startTLS = true
> > pool.default.ssl.truststore.file = /etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
> > pool.default.ssl.truststore.password = XXXXXXXX
> >
> > ----------- /etc/ovirt-engine/extensions.d/authn-ldap.example.org.properties -----------
> >
> > ovirt.engine.extension.name = authn-ldap.example.org
> > ovirt.engine.extension.bindings.method = jbossmodule
> > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> >
> > ovirt.engine.aaa.authn.profile.name = ldap.example.org
> > ovirt.engine.aaa.authn.authz.plugin = authz-ldap.example.org
> >
> > config.profile.file.1 = /etc/ovirt-engine/extensions.d/ldap.example.org
> >
> > ----------- /etc/ovirt-engine/extensions.d/authz-ldap.example.org.properties -----------
> >
> > ovirt.engine.extension.name = authz-ldap.example.org
> > ovirt.engine.extension.bindings.method = jbossmodule
> > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> >
> > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> > config.profile.file.1 = /etc/ovirt-engine/extensions.d/ldap.example.org
> >
> > ------------------------------------------------
> >
> > After all of this we restarted the service and tried to access via the
> > administration portal. The JKS has the right permissions and contains the
> > TLS CA, the password is correct and the user "esthera" exists. But when we
> > try to log in, we obtain the following error in the engine.log (we already
> > set the verbosity to ALL):
> >
> > ------------------------------------------------
> >
> > 2015-01-14 16:35:25,750 ERROR [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-6) Error during CanDoActionFailure.: Class: class org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException
> > Input:
> > {Extkey[name=AAA_AUTHN_CREDENTIALS;type=class java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-4bb5-4592-8167-810a5c909706];]=***,
> > Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0,
> > Extkey[name=EXTENSION_LICENSE;type=class java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL 2.0,
> > Extkey[name=EXTENSION_NOTES;type=class java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6,
> > Extkey[name=EXTENSION_HOME_URL;type=class java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]=http://www.ovirt.org,
> > Extkey[name=EXTENSION_LOCALE;type=class java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US,
> > Extkey[name=EXTENSION_NAME;type=class java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn,
> > Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0,
> > Extkey[name=EXTENSION_CONFIGURATION;type=class java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***,
> > Extkey[name=EXTENSION_AUTHOR;type=class java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The oVirt Project,
> > Extkey[name=EXTENSION_INSTANCE_NAME;type=class java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=authn-ldap.example.org,
> > Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0,
> > Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface java.util.Collection;uuid=EXTENSION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[],
> > Extkey[name=AAA_AUTHN_CAPABILITIES;type=class java.lang.Long;uuid=AAA_AUTHN_CAPABILITIES[9d16bee3-10fd-46f2-83f9-3d3c54cf258d];]=12,
> > Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*,
> > Extkey[name=EXTENSION_VERSION;type=class java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8-8239-4bdb-ab1a-af9f779ce68c];]=1.0.0,
> > Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.impl.Slf4jLogger(org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authn.authn-ldap.example.org),
> > Extkey[name=EXTENSION_PROVIDES;type=interface java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.extensions.aaa.Authn]},
> > Extkey[name=AAA_AUTHN_USER;type=class java.lang.String;uuid=AAA_AUTHN_USER[1ceaba26-1bdc-4663-a3c6-5d926f9dd8f0];]=esthera,
> > Extkey[name=EXTENSION_INVOKE_COMMAND;type=class org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHN_AUTHENTICATE_CREDENTIALS[d9605c75-6b43-4b00-b32c-06bdfa80244c]}
> > Output:
> > {Extkey[name=EXTENSION_INVOKE_RESULT;type=class java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2,
> > Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=invalid credentials}
> >
> > ------------------------------------------------
> >
> > Having a look at the LDAP log we see that there is an "invalid credentials"
> > error while binding, but we are sure that the bind password is the right
> > one. We already tried to set the bind password without quotes, but then the
> > DN user appears as an empty string ("")
> >
> > ------------------------------------------------
> >
> > [root at ldap1 ~]# grep $(grep 192.168.XX.X /var/log/ldap.log | tail -n 1 | cut -d: -f4 | cut -d\ -f2) /var/log/ldap.log
> > Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 ACCEPT from IP=192.168.XX.X:39501 (IP=0.0.0.0:389)
> > Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 EXT oid=1.3.6.1.4.1.1466.20037
> > Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 STARTTLS
> > Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 RESULT oid= err=0 text=
> > Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 TLS established tls_ssf=128 ssf=128
> > Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" method=128
> > Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 RESULT tag=97 err=49 text=
> > Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=2 UNBIND
> > Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 closed
> >
> > ------------------------------------------------
> >
> > By the way, the oVirt manager (ovmgr) machine can query the OpenLDAP
> > server correctly and retrieves everything OK
> >
> > ------------------------------------------------
> >
> > [root at ovmgr extensions.d]# ldapsearch -ZZ -D cn=authenticate,ou=System,dc=example,dc=org -W
> > Enter LDAP Password:
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <dc=example,dc=org> (default) with scope subtree
> > # filter: (objectclass=*)
> > # requesting: ALL
> > #
> >
> > # pic.es
> > dn: dc=example,dc=org
> > dc: pic
> > objectClass: top
> > objectClass: domain
> >
> > ------------------------------------------------
> >
> > Did anybody have a similar problem? Is there anything that we didn't check?
> >
> > Thanks in advance!
> >
> > --
> > Bruno Rodríguez Rodríguez
> >
> >
> > _______________________________________________
> > Users mailing list
> > Users at ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
> >
>
--
Bruno Rodríguez Rodríguez
PIC (Port d'Informació Científica)
Campus UAB, Edificio D
E-08193 Bellaterra, Barcelona
Tel: +34 93 581 33 22
"If Tetris has taught me anything, it is that mistakes pile up and
successes disappear"
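The thread does the slapd log correlation by hand (grep the conn=, read off the BIND dn and the RESULT err=49). Here is the same check as an added Python example, not from the posts or the oVirt project: it groups slapd access-log lines by conn=, pairs every BIND with the RESULT carrying the same op=, and names the LDAP result code, so err=49 on the service account's bind shows up as invalidCredentials and a bind done without STARTTLS shows up as tls=False. The sample log is constructed to mirror the thread (the peer address and the second connection are invented).

```python
import re
from collections import defaultdict

# LDAP result codes most often seen on a failed BIND (RFC 4511, section 4.1.9).
RESULT_NAMES = {0: "success", 32: "noSuchObject", 48: "inappropriateAuthentication",
                49: "invalidCredentials", 50: "insufficientAccessRights", 53: "unwillingToPerform"}
LINE_RE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
BIND_RE = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
RESULT_RE = re.compile(r"op=(?P<op>\d+) RESULT\b.*?\berr=(?P<err>\d+)")  # tag=97 is a BindResponse

# Constructed sample in slapd's default access-log format (not the poster's real log); the second
# connection binds without STARTTLS so the report also shows a cleartext simple bind.
SAMPLE_LOG = """\
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 ACCEPT from IP=192.168.10.5:39501 (IP=0.0.0.0:389)
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 STARTTLS
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 RESULT oid= err=0 text=
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 TLS established tls_ssf=128 ssf=128
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" method=128
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 RESULT tag=97 err=49 text=
Jan 14 16:36:02 ldap1 slapd[6712]: conn=1591409 fd=64 ACCEPT from IP=192.168.10.5:39502 (IP=0.0.0.0:389)
Jan 14 16:36:02 ldap1 slapd[6712]: conn=1591409 op=0 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" method=128
Jan 14 16:36:02 ldap1 slapd[6712]: conn=1591409 op=0 RESULT tag=97 err=0 text=
"""

def parse_slapd_log(lines):
    """Group slapd lines by conn= and pair each BIND with the RESULT carrying the same op=."""
    conns = defaultdict(lambda: {"peer": None, "tls": False, "binds": []})
    pending = {}  # (conn, op) -> bind record still waiting for its RESULT line
    for m in filter(None, map(LINE_RE.search, lines)):
        conn, rest, c = m["conn"], m["rest"], conns[m["conn"]]
        if "ACCEPT from IP=" in rest:
            c["peer"] = rest.split("IP=")[1].split()[0]
        elif "TLS established" in rest:
            c["tls"] = True
        elif (b := BIND_RE.search(rest)):
            rec = {"op": int(b["op"]), "dn": b["dn"], "simple": b["method"] == "128",
                   "err": None, "result": "no RESULT logged"}
            c["binds"].append(rec)
            pending[(conn, b["op"])] = rec
        elif (r := RESULT_RE.search(rest)) and (conn, r["op"]) in pending:
            rec = pending.pop((conn, r["op"]))
            rec["err"] = int(r["err"])
            rec["result"] = RESULT_NAMES.get(rec["err"], f"ldapResult({rec['err']})")
    return dict(conns)

def bind_report(log_text):
    """One tuple per BIND: (conn, peer, bind DN, result name, bound over TLS?)."""
    return [(conn, c["peer"], b["dn"], b["result"], c["tls"])
            for conn, c in parse_slapd_log(log_text.splitlines()).items() for b in c["binds"]]
```

Run it against a real /var/log/ldap.log slice with `bind_report(open(path).read())`; method=128 is a simple bind, so any row with tls=False is a password sent in the clear.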