[ovirt-users] Error authenticating bind using the AAA OpenLDAP module
Alon Bar-Lev
alonbl at redhat.com
Thu Jan 15 11:44:07 UTC 2015
----- Original Message -----
> From: "Bruno Rodriguez" <bruno at pic.es>
> To: "Ondra Machacek" <omachace at redhat.com>
> Cc: "Alon Bar-Lev" <alonbl at redhat.com>, "Esther Accion" <esthera at pic.es>, users at ovirt.org
> Sent: Thursday, January 15, 2015 12:03:39 PM
> Subject: Re: [ovirt-users] Error authenticating bind using the AAA OpenLDAP module
>
> Thanks ! Now it's working!
>
> The problem was the absence of the line:
>
> pool.default.auth.type = simple
this should not be set to all pools, only for the authz pool.
the authn pool should be anonymous.
the process of authentication is:
1. create a pool X ldap connections with anonymous bind.
2. when user authenticate fetch a connection from (1) and bind user that user and password.
3. revert to anonymous, return to pool.
so basically your pool is now authenticated using your search user at all time.
if your ldap does not permit anonymous logins at all, maybe better is to provide different user for this authentication pool?
> It's strange, I thought that the default auth type was set to simple and I
> didn't check it twice. After setting that the problem has to do about a
> user/password incorrect, which is our problem because of the schema we are
> using (migrated from a NIS some time ago).
>
> The openldap_example.properties actually was a copy of openldap.properties,
> I did it that way to customize it to our schema, but in a first instance
> it was a carbon copy of the original.
in next version (1.0.2) there is rfc2307-openldap.properties to ease use :)
>
> Thanks again !
>
> Bruno
>
>
>
> On Thu, Jan 15, 2015 at 10:43 AM, Ondra Machacek <omachace at redhat.com>
> wrote:
>
> > On 01/15/2015 10:36 AM, Alon Bar-Lev wrote:
> >
> >>
> >>
> >> ----- Original Message -----
> >>
> >>> From: "Bruno Rodriguez" <bruno at pic.es>
> >>> To: "Ondra Machacek" <omachace at redhat.com>
> >>> Cc: "Esther Accion" <esthera at pic.es>, users at ovirt.org
> >>> Sent: Thursday, January 15, 2015 11:20:57 AM
> >>> Subject: Re: [ovirt-users] Error authenticating bind using the AAA
> >>> OpenLDAP module
> >>>
> >>> Thank you very much,
> >>>
> >>> using the following ldap.example.org file:
> >>>
> >>> ---------------------
> >>>
> >>> include = <openldap_example.properties>
> >>> include = <rfc2307.properties>
> >>>
> >>
> >> what do you have in openldap_example.properties?
> >>
> >
> > It seems you have specified anonymous bind in openldap_example.properties.
> > You should probably try it with original one (openldap.properties).
> >
> >
> >
> >> vars.server = ldap1.example.org
> >>> #vars.user = cn=authenticate,ou=System,dc=example,dc=org
> >>> #vars.password = XXXXXXXXX
> >>>
> >>
> >> why have you commented out the vars?
> >> you should have just removed the quotes from vars.password and keep
> >> bellow as-is.
> >>
> >> pool.default.serverset.single.server = ${global:vars.server}
> >>> pool.default.auth.simple.bindDN = cn=authenticate,ou=System,dc=
> >>> example,dc=org
> >>> pool.default.auth.simple.password = XXXXXXXXX
> >>>
> >>> pool.default.ssl.startTLS = true
> >>> pool.default.ssl.truststore.file =
> >>> /etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
> >>> pool.default.ssl.truststore.password = XXXXXXXXX
> >>>
> >>> ---------------------
> >>>
> >>> Then I get the following in the engine log:
> >>>
> >>>
> >>> 2015-01-15 10:04:15,250 ERROR
> >>> [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
> >>> (ajp--127.0.0.1-8702-3) Error during CanDoActionFailure.: Class: class
> >>> org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedEx
> >>> ception
> >>> Input:
> >>> {Extkey[name=AAA_AUTHN_CREDENTIALS;type=class
> >>> java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-
> >>> 4bb5-4592-8167-810a5c909706];]=***,
> >>> Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class
> >>> org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[
> >>> 886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=
> >>> EXTENSION_INTERFACE_VERSION_MAX;type=class
> >>> java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_
> >>> MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0,
> >>> Extkey[name=EXTENSION_LICENSE;type=class
> >>> java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-
> >>> 054c-4e31-9c6d-1ca4d60a4c18];]=ASL
> >>> 2.0, Extkey[name=EXTENSION_NOTES;type=class
> >>> java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-
> >>> 4584-aaff-97f66978e4ea];]=Display
> >>> name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6,
> >>> Extkey[name=EXTENSION_HOME_URL;type=class
> >>> java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-
> >>> f969-42d4-b399-72d192e18304];]=
> >>> http://www.ovirt.org ,Extkey[name=EXTENSION_LOCALE;type=class
> >>> java.lang.String;uuid=EXTENSION_LOCALE[0780b112-
> >>> 0ce0-404a-b85e-8765d778bb29];]=en_US,
> >>> Extkey[name=EXTENSION_NAME;type=class
> >>> java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-
> >>> 4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn,
> >>> Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class
> >>> java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_
> >>> MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0,
> >>> Extkey[name=EXTENSION_CONFIGURATION;type=class
> >>> java.util.Properties;uuid=EXTENSION_CONFIGURATION[
> >>> 2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***,
> >>> Extkey[name=EXTENSION_AUTHOR;type=class
> >>> java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-
> >>> 2dad-4bc5-9aad-e07018b7fbcc];]=The
> >>> oVirt Project, Extkey[name=EXTENSION_INSTANCE_NAME;type=class
> >>> java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-
> >>> 8674327f011b];]=
> >>> authn-ldap.example.org ,
> >>> Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class
> >>> java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_
> >>> VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0,
> >>> Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface
> >>> java.util.Collection;uuid=EXTENSION_CONFIGURATION_
> >>> SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[],
> >>> Extkey[name=AAA_AUTHN_CAPABILITIES;type=class
> >>> java.lang.Long;uuid=AAA_AUTHN_CAPABILITIES[9d16bee3-10fd-
> >>> 46f2-83f9-3d3c54cf258d];]=12,
> >>> Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class
> >>> org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[
> >>> 9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*,
> >>> Extkey[name=EXTENSION_VERSION;type=class
> >>> java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8-
> >>> 8239-4bdb-ab1a-af9f779ce68c];]=1.0.0,
> >>> Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface
> >>> org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[
> >>> 863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.impl.Slf4jLogger(
> >>> org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt-
> >>> engine-extension-aaa-ldap.authn.authn-ldap.example.org
> >>> ), Extkey[name=EXTENSION_PROVIDES;type=interface
> >>> java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-
> >>> 65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.
> >>> extensions.aaa.Authn]},
> >>> Extkey[name=AAA_AUTHN_USER;type=class
> >>> java.lang.String;uuid=AAA_AUTHN_USER[1ceaba26-1bdc-4663-
> >>> a3c6-5d926f9dd8f0];]=bruno,
> >>> Extkey[name=EXTENSION_INVOKE_COMMAND;type=class
> >>> org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[
> >>> 485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHN_
> >>> AUTHENTICATE_CREDENTIALS[d9605c75-6b43-4b00-b32c-06bdfa80244c]}
> >>> Output:
> >>> {Extkey[name=EXTENSION_INVOKE_RESULT;type=class
> >>> java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-
> >>> 099c772ddd4e];]=2,
> >>> Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class
> >>> java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-
> >>> b8bdb72f5893];]=anonymous
> >>> bind disallowed}
> >>>
> >>
> >> error: anonymous bind disallowed
> >>
> >> can you please enable debug per what I instructed last time and send a
> >> complete log?
> >>
> >>
> >>> -----------------------------------
> >>>
> >>> And this is the ldap connection log:
> >>>
> >>> /var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 fd=114
> >>> ACCEPT from IP=192.168.XX.XX:41469 (IP= 0.0.0.0:389 )
> >>> /var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0
> >>> EXT
> >>> oid=1.3.6.1.4.1.1466.20037
> >>> /var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0
> >>> STARTTLS
> >>> /var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0
> >>> RESULT
> >>> oid= err=0 text=
> >>> /var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 fd=114
> >>> TLS
> >>> established tls_ssf=128 ssf=128
> >>> /var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1
> >>> BIND
> >>> dn="cn=authenticate,ou=System,dc=example,dc=org" method=128
> >>> /var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1
> >>> BIND
> >>> dn="cn=authenticate,ou=System,dc=example,dc=org" mech=SIMPLE ssf=0
> >>> /var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1
> >>> RESULT
> >>> tag=97 err=0 text=
> >>>
> >>> -----------------------------------
> >>>
> >>> It looks like it got the dn correctly but it's unable to bind anyway ...
> >>>
> >>> Thank you,
> >>>
> >>> Bruno
> >>>
> >>>
> >>> On Wed, Jan 14, 2015 at 5:50 PM, Ondra Machacek < omachace at redhat.com >
> >>> wrote:
> >>>
> >>>
> >>> Hi,
> >>>
> >>> On 01/14/2015 04:53 PM, Bruno Rodriguez wrote:
> >>>
> >>>
> >>> Good afternoon,
> >>>
> >>> We cannot access to Ovirt using LDAP authentication against our openldap
> >>> server. We created the following files in /etc/ovirt-engine/extensions.d
> >>> (the organization name is not example.org < http://example.org > and the
> >>> passwords are not XXXXXXXX, obviously) :
> >>>
> >>> ----------- /etc/ovirt-engine/extensions. d/ ldap.example.org
> >>> < http://ldap.example.org > -----------
> >>>
> >>> include = <openldap_example.properties>
> >>>
> >>> vars.server = ldap1.example.org < http://ldap1.example.org >
> >>> vars.user = cn=authenticate,ou=System,dc= example,dc=org
> >>> vars.password = "XXXXXXXX"
> >>>
> >>> pool.default.serverset.single. server = ${global:vars.server}
> >>> pool.default.auth.simple. bindDN = ${global:vars.user}
> >>> pool.default.auth.simple. password = ${global:vars.password}
> >>>
> >>> pool.default.ssl.startTLS = true
> >>> pool.default.ssl.truststore. file =
> >>> /etc/ovirt-engine/extensions. d/ldap.example.org_keystore. jks
> >>> pool.default.ssl.truststore. password = XXXXXXXX
> >>>
> >>> -----------
> >>> /etc/ovirt-engine/extensions. d/ authn-ldap.example.org . properties
> >>> -----------
> >>>
> >>> ovirt.engine.extension.name < http://ovirt.engine. extension.name > =
> >>> authn-ldap.example.org < http://authn-ldap.example.org >
> >>> ovirt.engine.extension. bindings.method = jbossmodule
> >>> ovirt.engine.extension. binding.jbossmodule.module =
> >>> org.ovirt.engine-extensions. aaa.ldap
> >>> ovirt.engine.extension. binding.jbossmodule.class =
> >>> org.ovirt.engineextensions. aaa.ldap.AuthnExtension
> >>> ovirt.engine.extension. provides = org.ovirt.engine.api.
> >>> extensions.aaa.Authn
> >>>
> >>> ovirt.engine.aaa.authn. profile.name
> >>> < http://ovirt.engine.aaa. authn.profile.name > = ldap.example.org
> >>> < http://ldap.example.org >
> >>> ovirt.engine.aaa.authn.authz. plugin = authz-ldap.example.org
> >>> < http://authz-ldap.example.org >
> >>>
> >>> config.profile.file.1 = /etc/ovirt-engine/extensions. d/
> >>> ldap.example.org
> >>> < http://ldap.example.org >
> >>>
> >>> -----------
> >>> /etc/ovirt-engine/extensions. d/ authz-ldap.example.org . properties
> >>> -----------
> >>>
> >>> ovirt.engine.extension.name < http://ovirt.engine. extension.name > =
> >>> authz-ldap.example.org < http://authz-ldap.example.org >
> >>> ovirt.engine.extension. bindings.method = jbossmodule
> >>> ovirt.engine.extension. binding.jbossmodule.module =
> >>> org.ovirt.engine-extensions. aaa.ldap
> >>> ovirt.engine.extension. binding.jbossmodule.class =
> >>> org.ovirt.engineextensions. aaa.ldap.AuthzExtension
> >>>
> >>> ovirt.engine.extension. provides = org.ovirt.engine.api.
> >>> extensions.aaa.Authz
> >>> config.profile.file.1 = /etc/ovirt-engine/extensions. d/
> >>> ldap.example.org
> >>> < http://ldap.example.org >
> >>>
> >>> ------------------------------ ------------------
> >>>
> >>> After all of this we restarted the service and tried to access via the
> >>> administration portal. The JKS has the right permissions and contains
> >>> the TLS CA, the password is correct and the user "esthera" exists. But
> >>> when we try to log in, we obtain the following error in the engine.log
> >>> (we already set the verbosity to ALL):
> >>>
> >>> ------------------------------ ------------------
> >>>
> >>> 2015-01-14 16:35:25,750 ERROR
> >>> [org.ovirt.engine.core.bll. aaa.LoginAdminUserCommand]
> >>> (ajp--127.0.0.1-8702-6) Error during CanDoActionFailure.: Class: class
> >>> org.ovirt.engine.core. extensions.mgr. ExtensionInvokeCommandFailedEx
> >>> ception
> >>> Input:
> >>> {Extkey[name=AAA_AUTHN_ CREDENTIALS;type=class
> >>> java.lang.String;uuid=AAA_ AUTHN_CREDENTIALS[03b96485-
> >>> 4bb5-4592-8167-810a5c909706];] =***,
> >>> Extkey[name=EXTENSION_INVOKE_ CONTEXT;type=class
> >>> org.ovirt.engine.api. extensions.ExtMap;uuid= EXTENSION_INVOKE_CONTEXT[
> >>> 886d2ebb-312a-49ae-9cc3- e1f849834b7d];]={Extkey[name=
> >>> EXTENSION_INTERFACE_VERSION_ MAX;type=class
> >>> java.lang.Integer;uuid= EXTENSION_INTERFACE_VERSION_
> >>> MAX[f4cff49f-2717-4901-8ee9- df362446e3e7];]=0,
> >>> Extkey[name=EXTENSION_LICENSE; type=class
> >>> java.lang.String;uuid= EXTENSION_LICENSE[8a61ad65-
> >>> 054c-4e31-9c6d-1ca4d60a4c18];] =ASL
> >>> 2.0, Extkey[name=EXTENSION_NOTES; type=class
> >>> java.lang.String;uuid= EXTENSION_NOTES[2da5ad7e-185a-
> >>> 4584-aaff-97f66978e4ea];]= Display
> >>> name: ovirt-engine-extension-aaa- ldap-1.0.0-1.el6,
> >>> Extkey[name=EXTENSION_HOME_ URL;type=class
> >>> java.lang.String;uuid= EXTENSION_HOME_URL[4ad7a2f4-
> >>> f969-42d4-b399-72d192e18304];] = http://www.ovirt.org
> >>> < http://www.ovirt.org/ >, Extkey[name=EXTENSION_LOCALE; type=class
> >>> java.lang.String;uuid= EXTENSION_LOCALE[0780b112-
> >>> 0ce0-404a-b85e-8765d778bb29];] =en_US,
> >>> Extkey[name=EXTENSION_NAME; type=class
> >>> java.lang.String;uuid= EXTENSION_NAME[651381d3-f54f-
> >>> 4547-bf28-b0b01a103184];]= ovirt-engine-extension-aaa- ldap.authn,
> >>> Extkey[name=EXTENSION_ INTERFACE_VERSION_MIN;type= class
> >>> java.lang.Integer;uuid= EXTENSION_INTERFACE_VERSION_
> >>> MIN[2b84fc91-305b-497b-a1d7- d961b9d2ce0b];]=0,
> >>> Extkey[name=EXTENSION_ CONFIGURATION;type=class
> >>> java.util.Properties;uuid= EXTENSION_CONFIGURATION[
> >>> 2d48ab72-f0a1-4312-b4ae-
> >>> 5068a226b0fc];]=***,
> >>> Extkey[name=EXTENSION_AUTHOR; type=class
> >>> java.lang.String;uuid= EXTENSION_AUTHOR[ef242f7a-
> >>> 2dad-4bc5-9aad-e07018b7fbcc];] =The
> >>> oVirt Project, Extkey[name=EXTENSION_ INSTANCE_NAME;type=class
> >>> java.lang.String;uuid= EXTENSION_INSTANCE_NAME[ 65c67ff6-aeca-4bd5-a245-
> >>> 8674327f011b];]=authn-ldap.
> >>> < http://authn-ldap.pic.es/ > exa mple.org < http://example.org >,
> >>> Extkey[name=EXTENSION_BUILD_ INTERFACE_VERSION;type=class
> >>> java.lang.Integer;uuid= EXTENSION_BUILD_INTERFACE_
> >>> VERSION[cb479e5a-4b23-46f8- aed3-56a4747a8ab7];]=0,
> >>> Extkey[name=EXTENSION_ CONFIGURATION_SENSITIVE_KEYS; type=interface
> >>> java.util.Collection;uuid= EXTENSION_CONFIGURATION_
> >>> SENSITIVE_KEYS[a456efa1-73ff- 4204-9f9b-ebff01e35263];]=[],
> >>> Extkey[name=AAA_AUTHN_ CAPABILITIES;type=class
> >>> java.lang.Long;uuid=AAA_AUTHN_ CAPABILITIES[9d16bee3-10fd-
> >>> 46f2-83f9-3d3c54cf258d];]=12,
> >>> Extkey[name=EXTENSION_GLOBAL_ CONTEXT;type=class
> >>> org.ovirt.engine.api. extensions.ExtMap;uuid= EXTENSION_GLOBAL_CONTEXT[
> >>> 9799e72f-7af6-4cf1-bf08- 297bc8903676];]=*skip*,
> >>> Extkey[name=EXTENSION_VERSION; type=class
> >>> java.lang.String;uuid= EXTENSION_VERSION[fe35f6a8-
> >>> 8239-4bdb-ab1a-af9f779ce68c];] =1.0.0,
> >>> Extkey[name=EXTENSION_MANAGER_ TRACE_LOG;type=interface
> >>> org.slf4j.Logger;uuid= EXTENSION_MANAGER_TRACE_LOG[
> >>> 863db666-3ea7-4751-9695-
> >>> 918a3197ad83];]=org.slf4j. impl.Slf4jLogger(org.ovirt.
> >>> engine.core.extensions.mgr. ExtensionsManager.trace.ovirt-
> >>> engine-extension-aaa-ldap. authn.authn-ldap.
> >>> < http://org.ovirt.engine.core. extensions.mgr.
> >>> extensionsmanager.trace.ovirt- engine-extension-aaa-ldap.
> >>> authn.authn-ldap.pic.es/ > examp le.org
> >>> < http://example.org >), Extkey[name=EXTENSION_ PROVIDES;type=interface
> >>> java.util.Collection;uuid= EXTENSION_PROVIDES[8cf373a6-
> >>> 65b5-4594-b828-0e275087de91];] =[org.ovirt.engine.api.
> >>> extensions.aaa.Authn]},
> >>> Extkey[name=AAA_AUTHN_USER; type=class
> >>> java.lang.String;uuid=AAA_ AUTHN_USER[1ceaba26-1bdc-4663-
> >>> a3c6-5d926f9dd8f0];]=esthera,
> >>> Extkey[name=EXTENSION_INVOKE_ COMMAND;type=class
> >>> org.ovirt.engine.api. extensions.ExtUUID;uuid= EXTENSION_INVOKE_COMMAND[
> >>> 485778ab-bede-4f1a-b823- 77b262a2f28d];]=AAA_AUTHN_
> >>> AUTHENTICATE_CREDENTIALS[ d9605c75-6b43-4b00-b32c- 06bdfa80244c]}
> >>> Output:
> >>> {Extkey[name=EXTENSION_INVOKE_ RESULT;type=class
> >>> java.lang.Integer;uuid= EXTENSION_INVOKE_RESULT[ 0909d91d-8bde-40fb-b6c0-
> >>> 099c772ddd4e];]=2,
> >>> Extkey[name=EXTENSION_INVOKE_ MESSAGE;type=class
> >>> java.lang.String;uuid= EXTENSION_INVOKE_MESSAGE[ b7b053de-dc73-4bf7-9d26-
> >>> b8bdb72f5893];]=invalid
> >>> credentials}
> >>>
> >>> ------------------------------ ------------------
> >>>
> >>> Having a look at the LDAP log we check that there is a "invalid
> >>> credentials" error while binding, but we are sure that the bind password
> >>> is the right one. We already tried to set the bind password without
> >>> quotes, but then the DN user then appear as an empty string ("")
> >>>
> >>> I think problem is here. That's really strange, you have to use the
> >>> password
> >>> without quotes.
> >>>
> >>> Can you please try to set:
> >>> pool.default.auth.simple. bindDN = cn=authenticate,ou=System,dc=
> >>> example,dc=org
> >>> pool.default.auth.simple. password = XXXXXX
> >>>
> >>> just without the variables. if the DN is not empty now.
> >>>
> >>>
> >>>
> >>>
> >>> ------------------------------ ------------------
> >>>
> >>> [root at ldap1 ~]# grep $(grep 192.168.XX.X /var/log/ldap.log | tail -n 1 |
> >>> cut -d: -f4 | cut -d\ -f2) /var/log/ldap.log
> >>> Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 ACCEPT from
> >>> IP=192.168.XX.X:39501 < http://192.168.95.2:39501/ > (IP= 0.0.0.0:389
> >>> < http://0.0.0.0:389/ >)
> >>>
> >>> Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 EXT
> >>> oid=1.3.6.1.4.1.1466.20037
> >>> Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 STARTTLS
> >>> Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=0 RESULT oid= err=0
> >>> text=
> >>> Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 TLS established
> >>> tls_ssf=128 ssf=128
> >>> Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 BIND
> >>> dn="cn=authenticate,ou=System, dc=example,dc=org" method=128
> >>> Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=1 RESULT tag=97
> >>> err=49 text=
> >>> Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 op=2 UNBIND
> >>> Jan 14 16:35:25 ldap1 slapd[6712]: conn=1591408 fd=63 closed
> >>>
> >>> ------------------------------ ------------------
> >>>
> >>> By the way, the Ovirt manager (ovmgr) machine can query correctly the
> >>> openldap server and retrieves everything OK
> >>>
> >>> ------------------------------ ------------------
> >>>
> >>> [root at ovmgr extensions.d]# ldapsearch -ZZ -D
> >>> cn=authenticate,ou=System,dc= example,dc=org -W
> >>> Enter LDAP Password:
> >>> # extended LDIF
> >>> #
> >>> # LDAPv3
> >>> # base <dc=example,dc=org> (default) with scope subtree
> >>> # filter: (objectclass=*)
> >>> # requesting: ALL
> >>> #
> >>>
> >>> # pic.es < http://pic.es/ >
> >>> dn: dc=example,dc=org
> >>> dc: pic
> >>> objectClass: top
> >>> objectClass: domain
> >>>
> >>> ------------------------------ ------------------
> >>>
> >>> Did anybody had a similar problem ? Is there anything that we didn't
> >>> check ?
> >>>
> >>> Thanks in advance !
> >>>
> >>> --
> >>> Bruno Rodríguez Rodríguez
> >>>
> >>>
> >>>
> >>> This body part will be downloaded on demand.
> >>>
> >>>
> >>>
> >>>
> >>> --
> >>> Bruno Rodríguez Rodríguez
> >>>
> >>> PIC (Port d'Informació Científica)
> >>> Campus UAB, Edificio D
> >>> E-08193 Bellaterra, Barcelona
> >>> Tel: +34 93 581 33 22
> >>>
> >>> "Si algo me ha enseñado el tetris, es que los errores se acumulan y los
> >>> triunfos desaparecen"
> >>>
> >>> _______________________________________________
> >>> Users mailing list
> >>> Users at ovirt.org
> >>> http://lists.ovirt.org/mailman/listinfo/users
> >>>
> >>>
>
>
> --
> Bruno Rodríguez Rodríguez
>
> PIC (Port d'Informació Científica)
> Campus UAB, Edificio D
> E-08193 Bellaterra, Barcelona
> Tel: +34 93 581 33 22
>
> "Si algo me ha enseñado el tetris, es que los errores se acumulan y los
> triunfos desaparecen"
>
More information about the Users
mailing list