[ovirt-users] Error authenticating bind using the AAA OpenLDAP module

Bruno Rodriguez bruno at pic.es
Thu Jan 15 09:32:20 UTC 2015


Sorry, I forgot to restart the service. With the same ldap.example.org
file, the REAL logs are the following:

-------------- ldap log --------------

Jan 15 10:23:52 ldap1 slapd[6712]: conn=1672935 fd=109 ACCEPT from IP=192.168.XX.XX:41522 (IP=0.0.0.0:389)
Jan 15 10:23:52 ldap1 slapd[6712]: conn=1672935 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan 15 10:23:52 ldap1 slapd[6712]: conn=1672935 op=0 STARTTLS
Jan 15 10:23:52 ldap1 slapd[6712]: conn=1672935 op=0 RESULT oid= err=0 text=
Jan 15 10:23:53 ldap1 slapd[6712]: conn=1672935 fd=109 TLS established tls_ssf=128 ssf=128
Jan 15 10:23:53 ldap1 slapd[6712]: conn=1672935 op=1 BIND dn="" method=128
Jan 15 10:23:53 ldap1 slapd[6712]: conn=1672935 op=1 RESULT tag=97 err=48 text=anonymous bind disallowed
Jan 15 10:23:53 ldap1 slapd[6712]: conn=1672935 op=2 UNBIND
Jan 15 10:23:53 ldap1 slapd[6712]: conn=1672935 fd=109 closed

-------------- engine log --------------

2015-01-15 10:23:53,010 ERROR [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-2) Error during CanDoActionFailure.: Class: class org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException
Input:
{Extkey[name=AAA_AUTHN_CREDENTIALS;type=class java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-4bb5-4592-8167-810a5c909706];]=***,
Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0,
Extkey[name=EXTENSION_LICENSE;type=class java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL 2.0,
Extkey[name=EXTENSION_NOTES;type=class java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6,
Extkey[name=EXTENSION_HOME_URL;type=class java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]=http://www.ovirt.org,
Extkey[name=EXTENSION_LOCALE;type=class java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US,
Extkey[name=EXTENSION_NAME;type=class java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn,
Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0,
Extkey[name=EXTENSION_CONFIGURATION;type=class java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***,
Extkey[name=EXTENSION_AUTHOR;type=class java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The oVirt Project,
Extkey[name=EXTENSION_INSTANCE_NAME;type=class java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=authn-ldap.example.org,
Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0,
Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface java.util.Collection;uuid=EXTENSION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[],
Extkey[name=AAA_AUTHN_CAPABILITIES;type=class java.lang.Long;uuid=AAA_AUTHN_CAPABILITIES[9d16bee3-10fd-46f2-83f9-3d3c54cf258d];]=12,
Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*,
Extkey[name=EXTENSION_VERSION;type=class java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8-8239-4bdb-ab1a-af9f779ce68c];]=1.0.0,
Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.impl.Slf4jLogger(org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authn.authn-ldap.example.org),
Extkey[name=EXTENSION_PROVIDES;type=interface java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.extensions.aaa.Authn]},
Extkey[name=AAA_AUTHN_USER;type=class java.lang.String;uuid=AAA_AUTHN_USER[1ceaba26-1bdc-4663-a3c6-5d926f9dd8f0];]=esthera,
Extkey[name=EXTENSION_INVOKE_COMMAND;type=class org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHN_AUTHENTICATE_CREDENTIALS[d9605c75-6b43-4b00-b32c-06bdfa80244c]}
 Output:
 {Extkey[name=EXTENSION_INVOKE_RESULT;type=class java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2,
Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=anonymous bind disallowed}


As you can see, the engine tries to make an anonymous binding and it's
unsuccessful...

Thank you very much (and sorry for the previous message),

Bruno


On Thu, Jan 15, 2015 at 10:20 AM, Bruno Rodriguez <bruno at pic.es> wrote:

> Thank you very much,
>
> using the following ldap.example.org file:
>
> ---------------------
>
> include = <openldap_example.properties>
> include = <rfc2307.properties>
>
> vars.server = ldap1.example.org
> #vars.user = cn=authenticate,ou=System,dc=example,dc=org
> #vars.password = XXXXXXXXX
>
> pool.default.serverset.single.server = ${global:vars.server}
> pool.default.auth.simple.bindDN = cn=authenticate,ou=System,dc=example,dc=org
> pool.default.auth.simple.password = XXXXXXXXX
>
> pool.default.ssl.startTLS = true
> pool.default.ssl.truststore.file = /etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
> pool.default.ssl.truststore.password = XXXXXXXXX
>
> ---------------------
>
> Then I get the following in the engine log:
>
>
> 2015-01-15 10:04:15,250 ERROR
> [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
> (ajp--127.0.0.1-8702-3) Error during CanDoActionFailure.: Class: class
> org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException
> Input:
> {Extkey[name=AAA_AUTHN_CREDENTIALS;type=class
> java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-4bb5-4592-8167-810a5c909706];]=***,
> Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class
> org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class
> java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0,
> Extkey[name=EXTENSION_LICENSE;type=class
> java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL
> 2.0, Extkey[name=EXTENSION_NOTES;type=class
> java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display
> name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6,
> Extkey[name=EXTENSION_HOME_URL;type=class
> java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]=
> http://www.ovirt.org,Extkey[name=EXTENSION_LOCALE;type=class
> java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US,
> Extkey[name=EXTENSION_NAME;type=class
> java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn,
> Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class
> java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0,
> Extkey[name=EXTENSION_CONFIGURATION;type=class
> java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***,
> Extkey[name=EXTENSION_AUTHOR;type=class
> java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The
> oVirt Project, Extkey[name=EXTENSION_INSTANCE_NAME;type=class
> java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=
> authn-ldap.example.org,
> Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class
> java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0,
> Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface
> java.util.Collection;uuid=EXTENSION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[],
> Extkey[name=AAA_AUTHN_CAPABILITIES;type=class
> java.lang.Long;uuid=AAA_AUTHN_CAPABILITIES[9d16bee3-10fd-46f2-83f9-3d3c54cf258d];]=12,
> Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class
> org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*,
> Extkey[name=EXTENSION_VERSION;type=class
> java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8-8239-4bdb-ab1a-af9f779ce68c];]=1.0.0,
> Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface
> org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.impl.Slf4jLogger(
> org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authn.authn-ldap.example.org),
> Extkey[name=EXTENSION_PROVIDES;type=interface
> java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.extensions.aaa.Authn]},
> Extkey[name=AAA_AUTHN_USER;type=class
> java.lang.String;uuid=AAA_AUTHN_USER[1ceaba26-1bdc-4663-a3c6-5d926f9dd8f0];]=bruno,
> Extkey[name=EXTENSION_INVOKE_COMMAND;type=class
> org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHN_AUTHENTICATE_CREDENTIALS[d9605c75-6b43-4b00-b32c-06bdfa80244c]}
>  Output:
>  {Extkey[name=EXTENSION_INVOKE_RESULT;type=class
> java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2,
> Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class
> java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=anonymous
> bind disallowed}
>
> -----------------------------------
>
> And this is the ldap connection log:
>
> /var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 fd=114 ACCEPT from IP=192.168.XX.XX:41469 (IP=0.0.0.0:389)
> /var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0 EXT oid=1.3.6.1.4.1.1466.20037
> /var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0 STARTTLS
> /var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0 RESULT oid= err=0 text=
> /var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 fd=114 TLS established tls_ssf=128 ssf=128
> /var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" method=128
> /var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" mech=SIMPLE ssf=0
> /var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 RESULT tag=97 err=0 text=
>
> -----------------------------------
>
> It looks like it got the dn correctly but it's unable to bind anyway ...
>
> Thank you,
>
> Bruno
>
>
> On Wed, Jan 14, 2015 at 5:50 PM, Ondra Machacek <omachace at redhat.com>
> wrote:
>
>> Hi,
>>
>> On 01/14/2015 04:53 PM, Bruno Rodriguez wrote:
>>
>>> Good afternoon,
>>>
>>> We cannot access oVirt using LDAP authentication against our openldap
>>> server. We created the following files in /etc/ovirt-engine/extensions.d
>>> (the organization name is not example.org and the
>>> passwords are not XXXXXXXX, obviously):
>>>
>>> ----------- /etc/ovirt-engine/extensions.d/ldap.example.org -----------
>>>
>>> include = <openldap_example.properties>
>>>
>>> vars.server = ldap1.example.org
>>> vars.user = cn=authenticate,ou=System,dc=example,dc=org
>>> vars.password = "XXXXXXXX"
>>>
>>> pool.default.serverset.single.server = ${global:vars.server}
>>> pool.default.auth.simple.bindDN = ${global:vars.user}
>>> pool.default.auth.simple.password = ${global:vars.password}
>>>
>>> pool.default.ssl.startTLS = true
>>> pool.default.ssl.truststore.file = /etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
>>> pool.default.ssl.truststore.password = XXXXXXXX
>>>
>>> ----------- /etc/ovirt-engine/extensions.d/authn-ldap.example.org.properties -----------
>>>
>>> ovirt.engine.extension.name = authn-ldap.example.org
>>> ovirt.engine.extension.bindings.method = jbossmodule
>>> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>>> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
>>> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
>>>
>>> ovirt.engine.aaa.authn.profile.name = ldap.example.org
>>> ovirt.engine.aaa.authn.authz.plugin = authz-ldap.example.org
>>>
>>> config.profile.file.1 = /etc/ovirt-engine/extensions.d/ldap.example.org
>>>
>>> ----------- /etc/ovirt-engine/extensions.d/authz-ldap.example.org.properties -----------
>>>
>>> ovirt.engine.extension.name = authz-ldap.example.org
>>> ovirt.engine.extension.bindings.method = jbossmodule
>>> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>>> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
>>>
>>> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
>>> config.profile.file.1 = /etc/ovirt-engine/extensions.d/ldap.example.org
>>>
>>> ------------------------------------------------
>>>
>>> After all of this we restarted the service and tried to access via the
>>> administration portal. The JKS has the right permissions and contains
>>> the TLS CA, the password is correct and the user "esthera" exists. But
>>> when we try to log in, we obtain the following error in the engine.log
>>> (we already set the verbosity to ALL):
>>>
>>> ------------------------------------------------
>>>
>>> 2015-01-14 16:35:25,750 ERROR [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-6) Error during CanDoActionFailure.: Class: class org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException
>>> Input:
>>> {Extkey[name=AAA_AUTHN_CREDENTIALS;type=class java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-4bb5-4592-8167-810a5c909706];]=***,
>>> Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0,
>>> Extkey[name=EXTENSION_LICENSE;type=class java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL 2.0,
>>> Extkey[name=EXTENSION_NOTES;type=class java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6,
>>> Extkey[name=EXTENSION_HOME_URL;type=class java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]=http://www.ovirt.org,
>>> Extkey[name=EXTENSION_LOCALE;type=class java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US,
>>> Extkey[name=EXTENSION_NAME;type=class java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn,
>>> Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0,
>>> Extkey[name=EXTENSION_CONFIGURATION;type=class java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***,
>>> Extkey[name=EXTENSION_AUTHOR;type=class java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The oVirt Project,
>>> Extkey[name=EXTENSION_INSTANCE_NAME;type=class java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=authn-ldap.example.org,
>>> Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0,
>>> Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface java.util.Collection;uuid=EXTENSION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[],
>>> Extkey[name=AAA_AUTHN_CAPABILITIES;type=class java.lang.Long;uuid=AAA_AUTHN_CAPABILITIES[9d16bee3-10fd-46f2-83f9-3d3c54cf258d];]=12,
>>> Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*,
>>> Extkey[name=EXTENSION_VERSION;type=class java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8-8239-4bdb-ab1a-af9f779ce68c];]=1.0.0,
>>> Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.impl.Slf4jLogger(org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authn.authn-ldap.example.org),
>>> Extkey[name=EXTENSION_PROVIDES;type=interface java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.extensions.aaa.Authn]},
>>> Extkey[name=AAA_AUTHN_USER;type=class java.lang.String;uuid=AAA_AUTHN_USER[1ceaba26-1bdc-4663-a3c6-5d926f9dd8f0];]=esthera,
>>> Extkey[name=EXTENSION_INVOKE_COMMAND;type=class org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHN_AUTHENTICATE_CREDENTIALS[d9605c75-6b43-4b00-b32c-06bdfa80244c]}
>>> Output:
>>> {Extkey[name=EXTENSION_INVOKE_RESULT;type=class java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2,
>>> Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=invalid credentials}
>>>
>>> ------------------------------------------------
>>>
>>> Having a look at the LDAP log, we see that there is an "invalid
>>> credentials" error while binding, but we are sure that the bind password
>>> is the right one. We already tried to set the bind password without
>>> quotes, but then the user DN appears as an empty string ("")
>>>
>>
>> I think the problem is here. That's really strange, you have to use the
>> password without quotes.
>>
>> Can you please try to set:
>> pool.default.auth.simple.bindDN = cn=authenticate,ou=System,dc=example,dc=org
>> pool.default.auth.simple.password = XXXXXX
>>
>> just without the variables, to see if the DN is not empty now.
>>
>>
>>> ------------------------------------------------
>>>
>>> [root@ldap1 ~]# grep $(grep 192.168.XX.X /var/log/ldap.log | tail -n 1 | cut -d: -f4 | cut -d\  -f2) /var/log/ldap.log
>>> Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 ACCEPT from IP=192.168.XX.X:39501 (IP=0.0.0.0:389)
>>> Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 EXT oid=1.3.6.1.4.1.1466.20037
>>> Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 STARTTLS
>>> Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 RESULT oid= err=0 text=
>>> Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 TLS established tls_ssf=128 ssf=128
>>> Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" method=128
>>> Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 RESULT tag=97 err=49 text=
>>> Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=2 UNBIND
>>> Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 closed
>>>
>>> ------------------------------------------------
>>>
>>> By the way, the Ovirt manager (ovmgr) machine can query correctly the
>>> openldap server and retrieves everything OK
>>>
>>> ------------------------------------------------
>>>
>>> [root@ovmgr extensions.d]# ldapsearch -ZZ -D cn=authenticate,ou=System,dc=example,dc=org -W
>>> Enter LDAP Password:
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <dc=example,dc=org> (default) with scope subtree
>>> # filter: (objectclass=*)
>>> # requesting: ALL
>>> #
>>>
>>> # pic.es
>>> dn: dc=example,dc=org
>>> dc: pic
>>> objectClass: top
>>> objectClass: domain
>>>
>>> ------------------------------------------------
>>>
>>> Did anybody have a similar problem? Is there anything that we didn't
>>> check?
>>>
>>> Thanks in advance !
>>>
>>> --
>>> Bruno Rodríguez Rodríguez
>>>
>>>
>>>
>>>
>
>
> --
> Bruno Rodríguez Rodríguez
>
> PIC (Port d'Informació Científica)
> Campus UAB, Edificio D
> E-08193 Bellaterra, Barcelona
> Tel: +34 93 581 33 22
>
> "If Tetris has taught me anything, it's that errors pile up and
> accomplishments disappear"
>



-- 
Bruno Rodríguez Rodríguez

PIC (Port d'Informació Científica)
Campus UAB, Edificio D
E-08193 Bellaterra, Barcelona
Tel: +34 93 581 33 22

"If Tetris has taught me anything, it's that errors pile up and
accomplishments disappear"
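
Added example (not part of the original thread): a small Python triage of the slapd lines quoted above, pairing each BIND with its BindResponse (tag=97) so the three attempts (err=49 with the DN present, err=0, and err=48 with an empty DN) can be told apart per connection. The log lines are copied from the thread and unwrapped; the function and field names are illustrative assumptions.

```python
import re

# LDAP result codes that appear in this thread (names per RFC 4511).
RESULT_NAMES = {0: "success", 48: "inappropriateAuthentication", 49: "invalidCredentials"}

# Constructed sample: slapd lines from the thread, unwrapped and trimmed to the relevant ops.
SAMPLE_LOG = """\
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 STARTTLS
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 TLS established tls_ssf=128 ssf=128
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" method=128
Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 RESULT tag=97 err=49 text=
Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 fd=114 TLS established tls_ssf=128 ssf=128
Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" method=128
Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 RESULT tag=97 err=0 text=
Jan 15 10:23:53 ldap1 slapd[6712]: conn=1672935 fd=109 TLS established tls_ssf=128 ssf=128
Jan 15 10:23:53 ldap1 slapd[6712]: conn=1672935 op=1 BIND dn="" method=128
Jan 15 10:23:53 ldap1 slapd[6712]: conn=1672935 op=1 RESULT tag=97 err=48 text=anonymous bind disallowed
"""

LINE = re.compile(r"conn=(?P<conn>\d+) (?:op=(?P<op>\d+)|fd=\d+) (?P<rest>.*)$")
BIND = re.compile(r'BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
RESULT = re.compile(r"RESULT tag=97 err=(?P<err>\d+) text=(?P<text>.*)")  # tag=97: BindResponse


def finding(rec):
    """One-line diagnosis for a completed bind record."""
    if rec["dn"] == "":
        return "anonymous bind: client sent an empty bind DN"
    if rec["err"] == 49:
        return "bind DN sent, credentials rejected"
    if rec["err"] == 0:
        return "bind accepted"
    return "bind failed"


def triage_binds(log_text):
    """Correlate each BIND request with its result, keyed by (conn, op)."""
    tls_conns, pending, done = set(), {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        conn, op, rest = m.group("conn"), m.group("op"), m.group("rest")
        if rest.startswith("TLS established"):
            tls_conns.add(conn)
            continue
        b, r = BIND.match(rest), RESULT.match(rest)
        if b:
            pending[(conn, op)] = {"conn": conn, "dn": b.group("dn"),
                                   "method": int(b.group("method"))}
        elif r and (conn, op) in pending:
            rec = pending.pop((conn, op))
            rec["err"] = int(r.group("err"))
            rec["result"] = RESULT_NAMES.get(rec["err"], "code %d" % rec["err"])
            rec["text"] = r.group("text")
            # method=128 is a simple bind; outside TLS the password crosses the wire in clear.
            rec["cleartext"] = rec["method"] == 128 and conn not in tls_conns
            rec["finding"] = finding(rec)
            done.append(rec)
    return done


if __name__ == "__main__":
    for rec in triage_binds(SAMPLE_LOG):
        print("conn=%(conn)s dn=%(dn)r %(result)s cleartext=%(cleartext)s -> %(finding)s" % rec)
```

The `cleartext` flag is an extra check beyond what the thread discusses: every bind here follows STARTTLS, so it stays False for all three connections.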