Re: [Users] Joss fails to start ... Keystore was tampered.
Quoting Doron Fediuck dfedi...@redhat.com: Please explain from source- - Did you run maven using dep and started JBoss? yes, I followed the steps at http://www.ovirt.org/wiki/Building_Ovirt_Engine section Building oVirt-engine from source. -Sharad or - Did you create RPM's and used yum install? On 23/04/12 22:28, Sharad Mishra wrote: Quoting Doron Fediuck dfedi...@redhat.com: Thanks. Unfortunately the keystore is the most important file in the PKI area. Please try to recall your actions, and try to look for the keystore in case you moved / change folders or anything alike. Currently, the only valid solution for a lost keystore is re-installation. I reinstalled ovirt-engine from source on a fresh rhel6.2 machine. I still do not see .keystore in /etc/pki/ovirt-engine. Now I get FileNotFoundException but engine is running. 2012-04-23 11:21:14,900 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (MSC service thread 1-15) Failed to decryptjava.io.FileNotFoundException: .keystore (No such file or directory) 2012-04-23 11:21:14,900 ERROR [org.ovirt.engine.core.dal.dbbroker.generic.DBConfigUtils] (MSC service thread 1-15) Failed to decrypt value for property AdminPassword will be used encrypted value 2012-04-23 11:21:14,902 INFO [org.ovirt.engine.core.bll.Backend] (MSC service thread 1-15) VDSBrokerFrontend: 4/23/12 11:21 AM -Sharad Mishra On 19/04/12 22:40, snmis...@linux.vnet.ibm.com wrote: Quoting Doron Fediuck dfedi...@redhat.com: Please check again using ls -la on that folder. Yes, I did run ls -la :-) -Sharad Mishra Sent from my Android phone. Please ignore typos. -Original Message- From: snmis...@linux.vnet.ibm.com Received: Thursday, 19 Apr 2012, 20:38 To: Ofer Schreiber [oschr...@redhat.com] CC: users@ovirt.org Subject: Re: [Users] Joss fails to start ... Keystore was tampered. Quoting Ofer Schreiber oschr...@redhat.com: I'm trying to understand few things: 1. Did you used RPM for deployment? No, it was from source. (git clone) 2. Was it an UPGRADE for the engine? yes, I updated the source which was about a month old. 3. Do you have /etc/pki/ovirt-engine/.keystore available? did it changed recently? There is no .keystore in /etc/pki/ovirt-engine. But rest of the files in this directory were modified on 4/17 (certs, keys, private, requests). I was playing with kerberos for ldap on 17th so it is possible that I did something that messed up the server, and it was just coincidental that I upgraded the source next day and ran into this issue. Any help on how I can get out of it? -Sharad Mishra Ofer. - Original Message - I had jboss running on my rhel6.2 machine. This morning I fetched latest engine source, built and deployed it. I did not see any errors. But now when I start jboss-as service I see following errors in engine.log - 2012-04-18 13:57:48,051 INFO [org.ovirt.engine.core.bll.Backend] (MSC service thread 1-5) Start time: 4/18/12 1:57 PM 2012-04-18 13:57:48,204 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (MSC service thread 1-5) Failed to decryptjava.io.IOException: Keystore was tampered with, or password was incorrect 2012-04-18 13:57:48,204 ERROR [org.ovirt.engine.core.dal.dbbroker.generic.DBConfigUtils] (MSC service thread 1-5) Failed to decrypt value for property LocalAdminPassword will be used encrypted value 2012-04-18 13:57:48,209 WARN [org.ovirt.engine.core.utils.ConfigUtilsBase] (MSC service thread 1-5) Could not find enum value for option: NetConsolePort 2012-04-18 13:57:48,212 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (MSC service thread 1-5) Failed to decryptjava.io.IOException: Keystore was tampered with, or password was incorrect 2012-04-18 13:57:48,212 ERROR [org.ovirt.engine.core.dal.dbbroker.generic.DBConfigUtils] (MSC service thread 1-5) Failed to decrypt value for property CertificatePassword will be used encrypted value 2012-04-18 13:57:48,214 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (MSC service thread 1-5) Failed to decryptjava.io.IOException: Keystore was tampered with, or password was incorrect Regards, Sharad Mishra IBM ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users Sent from my Android phone. Please ignore typos. ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] Joss fails to start ... Keystore was tampered.
Quoting Doron Fediuck dfedi...@redhat.com: Thanks. Unfortunately the keystore is the most important file in the PKI area. Please try to recall your actions, and try to look for the keystore in case you moved / change folders or anything alike. Currently, the only valid solution for a lost keystore is re-installation. I reinstalled ovirt-engine from source on a fresh rhel6.2 machine. I still do not see .keystore in /etc/pki/ovirt-engine. Now I get FileNotFoundException but engine is running. 2012-04-23 11:21:14,900 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (MSC service thread 1-15) Failed to decryptjava.io.FileNotFoundException: .keystore (No such file or directory) 2012-04-23 11:21:14,900 ERROR [org.ovirt.engine.core.dal.dbbroker.generic.DBConfigUtils] (MSC service thread 1-15) Failed to decrypt value for property AdminPassword will be used encrypted value 2012-04-23 11:21:14,902 INFO [org.ovirt.engine.core.bll.Backend] (MSC service thread 1-15) VDSBrokerFrontend: 4/23/12 11:21 AM -Sharad Mishra On 19/04/12 22:40, snmis...@linux.vnet.ibm.com wrote: Quoting Doron Fediuck dfedi...@redhat.com: Please check again using ls -la on that folder. Yes, I did run ls -la :-) -Sharad Mishra Sent from my Android phone. Please ignore typos. -Original Message- From: snmis...@linux.vnet.ibm.com Received: Thursday, 19 Apr 2012, 20:38 To: Ofer Schreiber [oschr...@redhat.com] CC: users@ovirt.org Subject: Re: [Users] Joss fails to start ... Keystore was tampered. Quoting Ofer Schreiber oschr...@redhat.com: I'm trying to understand few things: 1. Did you used RPM for deployment? No, it was from source. (git clone) 2. Was it an UPGRADE for the engine? yes, I updated the source which was about a month old. 3. Do you have /etc/pki/ovirt-engine/.keystore available? did it changed recently? There is no .keystore in /etc/pki/ovirt-engine. But rest of the files in this directory were modified on 4/17 (certs, keys, private, requests). I was playing with kerberos for ldap on 17th so it is possible that I did something that messed up the server, and it was just coincidental that I upgraded the source next day and ran into this issue. Any help on how I can get out of it? -Sharad Mishra Ofer. - Original Message - I had jboss running on my rhel6.2 machine. This morning I fetched latest engine source, built and deployed it. I did not see any errors. But now when I start jboss-as service I see following errors in engine.log - 2012-04-18 13:57:48,051 INFO [org.ovirt.engine.core.bll.Backend] (MSC service thread 1-5) Start time: 4/18/12 1:57 PM 2012-04-18 13:57:48,204 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (MSC service thread 1-5) Failed to decryptjava.io.IOException: Keystore was tampered with, or password was incorrect 2012-04-18 13:57:48,204 ERROR [org.ovirt.engine.core.dal.dbbroker.generic.DBConfigUtils] (MSC service thread 1-5) Failed to decrypt value for property LocalAdminPassword will be used encrypted value 2012-04-18 13:57:48,209 WARN [org.ovirt.engine.core.utils.ConfigUtilsBase] (MSC service thread 1-5) Could not find enum value for option: NetConsolePort 2012-04-18 13:57:48,212 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (MSC service thread 1-5) Failed to decryptjava.io.IOException: Keystore was tampered with, or password was incorrect 2012-04-18 13:57:48,212 ERROR [org.ovirt.engine.core.dal.dbbroker.generic.DBConfigUtils] (MSC service thread 1-5) Failed to decrypt value for property CertificatePassword will be used encrypted value 2012-04-18 13:57:48,214 ERROR [org.ovirt.engine.core.engineencryptutils.EncryptionUtils] (MSC service thread 1-5) Failed to decryptjava.io.IOException: Keystore was tampered with, or password was incorrect Regards, Sharad Mishra IBM ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users Sent from my Android phone. Please ignore typos. ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] Testing LDAP support.
On Tue, 2012-04-10 at 10:55 +0300, Itamar Heim wrote:
On 04/10/2012 04:51 AM, Sharad Mishra wrote:
On Mon, 2012-04-09 at 12:38 -0700, Sharad Mishra wrote:
On Mon, 2012-04-09 at 14:10 -0400, Oved Ourfalli wrote:
When a call is made to construct InitialDirContext with following
settings -
{java.naming.provider.url=ldap://ldapserver.ibm.com:389,
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
java.naming.security.principal=uid=1234567,c=us,ou=ldapserver,o=ibm.com,
java.naming.security.authentication=DIGEST-MD5 GSSAPI,
java.naming.security.credentials=password,
java.naming.referral=follow,
java.naming.ldap.attributes.binary=objectGUID}
How do I configure the ovirt test setup on my workstation to use LDAP
for authentication? I looked around webadmin GUI but could not find it.
-Sharad
Can you also attach the jboss log and engine log? (assuming you are
testing it in the ovirt-engine environment).
They can be helpful, as it might be related to some class loading issue
or something similar, and the log might shed light on that.
I think its my setup that is the issue here. I am unable to run
ldapsearch CLI with DIGEST-MD5 protocol. I am not sure how to setup/use
secret key with sasl. I am running my queries against a production ldap
server on which I have user access. I tried to look around on internet
but did not get a good hit.
have you tried the kebreros based authentication with it?
I see it is supposed to have it:
http://publib.boulder.ibm.com/infocenter/lnxinfo/v3r0m0/index.jsp?topic=%2Fliaai%2Fkerberos%2Fliaaikerberos1.htm
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] Testing LDAP support.
On Wed, 2012-04-11 at 10:18 -0400, Oved Ourfalli wrote:
- Original Message -
From: Sharad Mishra snmis...@linux.vnet.ibm.com
To: Itamar Heim ih...@redhat.com
Cc: Oved Ourfalli ov...@redhat.com, users@ovirt.org
Sent: Wednesday, April 11, 2012 4:53:37 PM
Subject: Re: [Users] Testing LDAP support.
On Tue, 2012-04-10 at 10:55 +0300, Itamar Heim wrote:
On 04/10/2012 04:51 AM, Sharad Mishra wrote:
On Mon, 2012-04-09 at 12:38 -0700, Sharad Mishra wrote:
On Mon, 2012-04-09 at 14:10 -0400, Oved Ourfalli wrote:
When a call is made to construct InitialDirContext with
following
settings -
{java.naming.provider.url=ldap://ldapserver.ibm.com:389,
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
java.naming.security.principal=uid=1234567,c=us,ou=ldapserver,o=ibm.com,
java.naming.security.authentication=DIGEST-MD5 GSSAPI,
java.naming.security.credentials=password,
java.naming.referral=follow,
java.naming.ldap.attributes.binary=objectGUID}
How do I configure the ovirt test setup on my workstation to use LDAP
for authentication? I looked around webadmin GUI but could not find
it.
-Sharad
If you are working with an installed oVirt environment, you can use
engine-manage-domains utility in order to add/remove/edit domains.
It will create the krb5.conf file, update database entries, add permissions
for the user you use, and etc.
I was able to move around some jar files and config files to finally be
able to run engine-manage-domains to add new domains. First I ran
#./engine-manage-domains -action=list
Manage Domains completed successfully
I did not get any domain, which makes sense since I only have default
setup. then I tried
#./engine-manage-domains -action=add -domain=bluepages.ibm.com
-user=snmis...@us.ibm.com -passwordFile=/tmp/.pwd
where /tmp/.pwd has my ldap password.
I got the following error -
Error: Authentication Failed. Please verify the fully qualified domain
name that is used for authentication is correct.. Problematic domain is:
bluepages.ibm.com Failure while applying Kerberos configuration.
Details: Authentication Failed. Please verify the fully qualified domain
name that is used for authentication is correct.
I also tried -domain=bluepages.ibm.com:389
-Sharad
If, however, you are in a development environment, then currently it is not
easy to run this utility, as it requires some configuration files and jars
that are there when you install the engine, but not there in a development
environment.
So, in that case you'll need to run the following (change the domain name,
user name and user guid):
update vdc_options set option_value = 'your domain' where option_name =
'DomainName';
update vdc_options set option_value = 'your domain:your user@your
domain' where option_name= 'AdUserName';
update vdc_options set option_value = 'your domain:user guid' where
option_name='AdUserId';
update vdc_options set option_value = 'your domain:your password' where
option_name='AdUserPassword';
insert into permissions
(id,role_id,ad_element_id,object_id,object_type_id) values
('choose a random guid','----0001','user
guid','aaa0----123456789aaa',1);
Also, you'll have to create a krb5.conf file, and place it in
$JBOSS_HOME/standalone/configuration
An example for the contents of this file:
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = no
default_tkt_enctypes = arcfour-hmac-md5
udp_preference_limit = 1
[realms]
EXAMPLE.COM = {
kdc = my_host.example.com.:88
}
[domain_realm]
example.com = EXAMPLE.COM
Note that you need to have the following records for your LDAP server,
defined in the DNS:
* LDAP SRV record
* Kerberos SRV record
* PTR record
(You can use dnsmasq if you wish to create those records by yourself - if
you need help with this let me know).
Oved
Can you also attach the jboss log and engine log? (assuming you
are testing it in the ovirt-engine environment).
They can be helpful, as it might be related to some class
loading issue or something similar, and the log might shed
light on that.
I think its my setup that is the issue here. I am unable to run
ldapsearch CLI with DIGEST-MD5 protocol. I am not sure how to
setup/use
secret key with sasl. I am running my queries against a
production ldap
server on which I have user access. I tried to look around on
internet
but did not get a good hit.
have you tried the kebreros based authentication with it?
I see it is supposed to have it:
http://publib.boulder.ibm.com/infocenter/lnxinfo/v3r0m0/index.jsp?topic=%2Fliaai%2Fkerberos%2Fliaaikerberos1.htm
Re: [Users] Testing LDAP support.
On Mon, 2012-04-09 at 14:10 -0400, Oved Ourfalli wrote:
- Original Message -
From: Oved Ourfalli ov...@redhat.com
To: Sharad Mishra snmis...@linux.vnet.ibm.com
Cc: users@ovirt.org
Sent: Monday, April 9, 2012 8:36:49 PM
Subject: Re: [Users] Testing LDAP support.
- Original Message -
From: Sharad Mishra snmis...@linux.vnet.ibm.com
To: users@ovirt.org
Sent: Monday, April 9, 2012 8:19:23 PM
Subject: [Users] Testing LDAP support.
Hi,
I was able to successfully test simple authentication support of
IBM
Directory Server (IDS) in ovirt. Next step is to test DIGEST-MD5
support. This protocol is currently supported by my test IDS. But I
get
-
javax.naming.CommunicationException: [LDAP: error code 2 - Protocol
Error]
When a call is made to construct InitialDirContext with following
settings -
{java.naming.provider.url=ldap://ldapserver.ibm.com:389,
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
java.naming.security.principal=uid=1234567,c=us,ou=ldapserver,o=ibm.com,
java.naming.security.authentication=DIGEST-MD5 GSSAPI,
java.naming.security.credentials=password,
java.naming.referral=follow,
java.naming.ldap.attributes.binary=objectGUID}
Can you also attach the jboss log and engine log? (assuming you are testing
it in the ovirt-engine environment).
They can be helpful, as it might be related to some class loading issue or
something similar, and the log might shed light on that.
there is nothing much in jboss and engine logs.
2012-04-09 10:03:19,203 INFO
[org.ovirt.engine.core.bll.DbUserCacheManager]
(QuartzScheduler_Worker-56) DbUserCacheManager::refreshAllUserData() -
entered
2012-04-09 11:03:19,205 INFO
[org.ovirt.engine.core.bll.DbUserCacheManager]
(QuartzScheduler_Worker-11) DbUserCacheManager::refreshAllUserData() -
entered
2012-04-09 12:03:19,207 INFO
[org.ovirt.engine.core.bll.DbUserCacheManager]
(QuartzScheduler_Worker-84) DbUserCacheManager::refreshAllUserData() -
entered
Output of both, server.log and engine.log for this time period looks
exactly same. Do I need to enable more logging?
-Sharad
Do you know what could be going wrong here? I think its something
wrong
with my usage and not in code.
What test cases were run to verify RedHat DS support? I can try to
run
the same for IBM DS before posting the patch.
Hard to tell what went wrong there. I'll try to take a look a bit on
the web (as I assume you did but I guess it can't hurt).
As for RHDS, most tests were done manually:
* Adding users/groups
* Authentication
* Group membership
* Adding / removing / editing RHDS domain with the
engine-manage-domains utility.
* Refresh users/groups.
* Search for users/groups
That's basically the main scenarios.
We have an LdapTester as well. The problem there was to setup the
environment needed for the testing.
It contains test cases for AD/IPA.
Oved
Thanks
Sharad Mishra
IBM
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] Testing LDAP support.
On Mon, 2012-04-09 at 12:38 -0700, Sharad Mishra wrote:
On Mon, 2012-04-09 at 14:10 -0400, Oved Ourfalli wrote:
- Original Message -
From: Oved Ourfalli ov...@redhat.com
To: Sharad Mishra snmis...@linux.vnet.ibm.com
Cc: users@ovirt.org
Sent: Monday, April 9, 2012 8:36:49 PM
Subject: Re: [Users] Testing LDAP support.
- Original Message -
From: Sharad Mishra snmis...@linux.vnet.ibm.com
To: users@ovirt.org
Sent: Monday, April 9, 2012 8:19:23 PM
Subject: [Users] Testing LDAP support.
Hi,
I was able to successfully test simple authentication support of
IBM
Directory Server (IDS) in ovirt. Next step is to test DIGEST-MD5
support. This protocol is currently supported by my test IDS. But I
get
-
javax.naming.CommunicationException: [LDAP: error code 2 - Protocol
Error]
When a call is made to construct InitialDirContext with following
settings -
{java.naming.provider.url=ldap://ldapserver.ibm.com:389,
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
java.naming.security.principal=uid=1234567,c=us,ou=ldapserver,o=ibm.com,
java.naming.security.authentication=DIGEST-MD5 GSSAPI,
java.naming.security.credentials=password,
java.naming.referral=follow,
java.naming.ldap.attributes.binary=objectGUID}
Can you also attach the jboss log and engine log? (assuming you are testing
it in the ovirt-engine environment).
They can be helpful, as it might be related to some class loading issue or
something similar, and the log might shed light on that.
I think its my setup that is the issue here. I am unable to run
ldapsearch CLI with DIGEST-MD5 protocol. I am not sure how to setup/use
secret key with sasl. I am running my queries against a production ldap
server on which I have user access. I tried to look around on internet
but did not get a good hit.
-Sharad
there is nothing much in jboss and engine logs.
2012-04-09 10:03:19,203 INFO
[org.ovirt.engine.core.bll.DbUserCacheManager]
(QuartzScheduler_Worker-56) DbUserCacheManager::refreshAllUserData() -
entered
2012-04-09 11:03:19,205 INFO
[org.ovirt.engine.core.bll.DbUserCacheManager]
(QuartzScheduler_Worker-11) DbUserCacheManager::refreshAllUserData() -
entered
2012-04-09 12:03:19,207 INFO
[org.ovirt.engine.core.bll.DbUserCacheManager]
(QuartzScheduler_Worker-84) DbUserCacheManager::refreshAllUserData() -
entered
Output of both, server.log and engine.log for this time period looks
exactly same. Do I need to enable more logging?
-Sharad
Do you know what could be going wrong here? I think its
something
wrong
with my usage and not in code.
What test cases were run to verify RedHat DS support? I can try
to
run
the same for IBM DS before posting the patch.
Hard to tell what went wrong there. I'll try to take a look a bit on
the web (as I assume you did but I guess it can't hurt).
As for RHDS, most tests were done manually:
* Adding users/groups
* Authentication
* Group membership
* Adding / removing / editing RHDS domain with the
engine-manage-domains utility.
* Refresh users/groups.
* Search for users/groups
That's basically the main scenarios.
We have an LdapTester as well. The problem there was to setup the
environment needed for the testing.
It contains test cases for AD/IPA.
Oved
Thanks
Sharad Mishra
IBM
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] LDAP SimpleAuthentication issue.
On Fri, 2012-02-24 at 22:19 +0200, Yair Zaslavsky wrote:
On 02/24/2012 09:19 PM, Sharad Mishra wrote:
Hi,
I am new to ovirt and LDAP. Looking at adding support for Tivoli
Directory Server. Here is a small java/jndi program (not using Spring
LDAP) that takes IBM intranet Id and searches the directory to return
IBM serial number.
Hi Sharard, welcome aboard.
First of all, although this can be found in our mailing list, I would
like to point you that currently Roy Golan (rgolan at redhat dot com),
Oved ourfali (ovedo at redhat dot com) and myself are the people that
work mostly on ldap/authentication issues at engine-core - so feel free
to ask us questions.
In addition, I would like to give you a WIKI to help that will give you
some getting started info (This WIKI was written by Oved) -
http://ovirt.org/wiki/DomainInfrastructure
Yair, Thanks for your prompt reply. I did find a link to above wiki page
in one of Oved's earlier post on this mailing list. I found the
documentation very helpful.
*
Hashtable env = new Hashtable();
env.put(java.naming.factory.initial,
com.sun.jndi.ldap.LdapCtxFactory);
env.put(java.naming.factory.url.pkgs, com.ibm.jndi);
env.put(java.naming.provider.url,
ldap://ldap-server:389);
String dn = null;
try{
InitialDirContext dirContext = new
InitialDirContext(env);
SearchControls constraints = new
SearchControls();
String[] attr = new String[] {uid};
constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
constraints.setReturningAttributes(attr);
NamingEnumeration ne =
dirContext.search(ou=ldpap-server-name,o=ibm.com,
(mail= + intranetID + ),
constraints);
**
But when I try to use
org.ovirt.engine.core.utils.ipa.SimpleAuthenticationCheck.java, I get a
javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid
Credentials]
I am issuing - ldapTemplate.search(, , contextMapper);
Where contextMapper is RHDSUserContextMapper and
screenshots of ldapTemplate are attached.
As you willl probably see in Oved's WIKI, you don't need to provide
RHDSUserContextMapper - the name may be misleading, but this class is
for RedHat DS directory service - I think you need to have context
mappers for IBM Tivoli DS.
In addition you will have to add your own provider type, as can be seen
for example in GetRootDSE java (we send a ROOT DSE query in order to
understand what is our provider type, as currently engine-core
supports more than one type of DS.
Yes, I understand that there will be much more code changes to add
support for a new LDAP server. But my this post was to find the reason
for AuthenticationException.
There may be issues with the way I have setup filter and baseDN; but
that should not give AuthEx. At this time I am looking for ways to get
rid of authentication exception. Also, when using simple authentication,
why do I need to give password? I can run ldapsearch -LLL
(mail=intranetID) -h ldap-server:389 -x without password to give
me expected results.
This is a good question - I admit I did not work thoroughly enough with
SIMPLE authentication - maybe we can bypass this.
I looked at the code of this class - it uses Spring-LDAP
LdapContextSource class which extends AbstractContextSource which uses
SimpleDirContextAuthenticationStrategy as the default authentication
strategy - so I guess that playing with the code of this example, and
ignoring the password may work for you.
Thanks for the hint. While playing with AbstractContextSource class, I
was able to find the property AnonymousReadOnly. Setting it to 'true'
eliminated the AuthEx.
Regards,
Sharad Mishra
IBM
I would like to also point out that when I look at Spring-LDAP's
SimpleDirContextAuthenticationStrategy I it does set
env.put(Context.SECURITY_CREDENTIALS, password) (look at public void
setupEnvironment method ) - so what I have in mind is that you might
need to create your own AuthenticationStrategy - see for example
org.ovirt.engine.core.bll.adbroker.GSSAPIDirContextAuthenticationStrategy -
an authentication strategy that Oved, Roy and myself worked on to
support kerberos/GSS-API authentication with Spring-LDAP.
You will have to call after you implement such strategy a call to
context.setAuthenticationStategy with your implemented
AuthenticationStategy (for example, I think it can be placed after the
line of - LdapContextSource context = new LdapContextSource(); at
SimpleAuthenticationCheck.java
I think I gave you some pointers here,
Feel free to ask more questions
Yair
Thanks
Sharad Mishra
IBM
