Re: [ovirt-users] Error authenticating bind using the AAA OpenLDAP module

2015-01-15 Thread Alon Bar-Lev


- Original Message -
> From: "Bruno Rodriguez" 
> To: "Ondra Machacek" 
> Cc: "Alon Bar-Lev" , "Esther Accion" , 
> users@ovirt.org
> Sent: Thursday, January 15, 2015 12:03:39 PM
> Subject: Re: [ovirt-users] Error authenticating bind using the AAA OpenLDAP 
> module
> 
> Thanks ! Now it's working!
> 
> The problem was the absence of the line:
> 
> pool.default.auth.type = simple

this should not be set for all pools, only for the authz pool.
the authn pool should be anonymous.

the process of authentication is:

1. create a pool of X ldap connections with anonymous bind.
2. when a user authenticates, fetch a connection from (1) and bind it with that user
and password.
3. revert to anonymous, return to pool.

so basically your pool is now authenticated using your search user at all times.
if your ldap does not permit anonymous logins at all, maybe it is better to
provide a different user for this authentication pool?

> It's strange, I thought that the default auth type was set to simple and I
> didn't check it twice. After setting that, the problem has to do with an
> incorrect user/password, which is our problem because of the schema we are
> using (migrated from NIS some time ago).
> 
> The openldap_example.properties actually was a copy of openldap.properties,
> I did it that way to customize it to our schema, but in a first instance
> it was a carbon copy of the original.

in the next version (1.0.2) there is rfc2307-openldap.properties to ease use :)

> 
> Thanks again !
> 
> Bruno
> 
> 
> 
> On Thu, Jan 15, 2015 at 10:43 AM, Ondra Machacek 
> wrote:
> 
> > On 01/15/2015 10:36 AM, Alon Bar-Lev wrote:
> >
> >>
> >>
> >> - Original Message -----
> >>
> >>> From: "Bruno Rodriguez" 
> >>> To: "Ondra Machacek" 
> >>> Cc: "Esther Accion" , users@ovirt.org
> >>> Sent: Thursday, January 15, 2015 11:20:57 AM
> >>> Subject: Re: [ovirt-users] Error authenticating bind using the AAA
> >>> OpenLDAP module
> >>>
> >>> Thank you very much,
> >>>
> >>> using the following ldap.example.org file:
> >>>
> >>> -
> >>>
> >>> include = 
> >>> include = 
> >>>
> >>
> >> what do you have in openldap_example.properties?
> >>
> >
> > It seems you have specified anonymous bind in openldap_example.properties.
> > You should probably try it with the original one (openldap.properties).
> >
> >
> >
> >>> vars.server = ldap1.example.org
> >>> #vars.user = cn=authenticate,ou=System,dc=example,dc=org
> >>> #vars.password = X
> >>>
> >>
> >> why have you commented out the vars?
> >> you should have just removed the quotes from vars.password and kept
> >> the lines below as-is.
> >>
> >>> pool.default.serverset.single.server = ${global:vars.server}
> >>> pool.default.auth.simple.bindDN = cn=authenticate,ou=System,dc=
> >>> example,dc=org
> >>> pool.default.auth.simple.password = X
> >>>
> >>> pool.default.ssl.startTLS = true
> >>> pool.default.ssl.truststore.file =
> >>> /etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
> >>> pool.default.ssl.truststore.password = X
> >>>
> >>> -
> >>>
> >>> Then I get the following in the engine log:
> >>>
> >>>
> >>> 2015-01-15 10:04:15,250 ERROR
> >>> [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
> >>> (ajp--127.0.0.1-8702-3) Error during CanDoActionFailure.: Class: class
> >>> org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedEx
> >>> ception
> >>> Input:
> >>> {Extkey[name=AAA_AUTHN_CREDENTIALS;type=class
> >>> java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-
> >>> 4bb5-4592-8167-810a5c909706];]=***,
> >>> Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class
> >>> org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[
> >>> 886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=
> >>> EXTENSION_INTERFACE_VERSION_MAX;type=class
> >>> java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_
> >>> MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0,
> >>> Extkey[name=EXTENSION_LICENSE;type=class
> >>> java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-
> >>> 054c-4e31-9

Re: [ovirt-users] Error authenticating bind using the AAA OpenLDAP module

2015-01-15 Thread Bruno Rodriguez
Thanks ! Now it's working!

The problem was the absence of the line:

pool.default.auth.type = simple

It's strange, I thought that the default auth type was set to simple and I
didn't check it twice. After setting that, the problem has to do with an
incorrect user/password, which is our problem because of the schema we are
using (migrated from NIS some time ago).

The openldap_example.properties actually was a copy of openldap.properties,
I did it that way to customize it to our schema, but in a first instance
it was a carbon copy of the original.

Thanks again !

Bruno



On Thu, Jan 15, 2015 at 10:43 AM, Ondra Machacek 
wrote:

> On 01/15/2015 10:36 AM, Alon Bar-Lev wrote:
>
>>
>>
>> - Original Message -
>>
>>> From: "Bruno Rodriguez" 
>>> To: "Ondra Machacek" 
>>> Cc: "Esther Accion" , users@ovirt.org
>>> Sent: Thursday, January 15, 2015 11:20:57 AM
>>> Subject: Re: [ovirt-users] Error authenticating bind using the AAA
>>> OpenLDAP module
>>>
>>> Thank you very much,
>>>
>>> using the following ldap.example.org file:
>>>
>>> -
>>>
>>> include = 
>>> include = 
>>>
>>
>> what do you have in openldap_example.properties?
>>
>
> It seems you have specified anonymous bind in openldap_example.properties.
> You should probably try it with the original one (openldap.properties).
>
>
>
>>> vars.server = ldap1.example.org
>>> #vars.user = cn=authenticate,ou=System,dc=example,dc=org
>>> #vars.password = X
>>>
>>
>> why have you commented out the vars?
>> you should have just removed the quotes from vars.password and kept
>> the lines below as-is.
>>
>>> pool.default.serverset.single.server = ${global:vars.server}
>>> pool.default.auth.simple.bindDN = cn=authenticate,ou=System,dc=
>>> example,dc=org
>>> pool.default.auth.simple.password = X
>>>
>>> pool.default.ssl.startTLS = true
>>> pool.default.ssl.truststore.file =
>>> /etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
>>> pool.default.ssl.truststore.password = X
>>>
>>> -
>>>
>>> Then I get the following in the engine log:
>>>
>>>
>>> 2015-01-15 10:04:15,250 ERROR
>>> [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
>>> (ajp--127.0.0.1-8702-3) Error during CanDoActionFailure.: Class: class
>>> org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedEx
>>> ception
>>> Input:
>>> {Extkey[name=AAA_AUTHN_CREDENTIALS;type=class
>>> java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-
>>> 4bb5-4592-8167-810a5c909706];]=***,
>>> Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class
>>> org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[
>>> 886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=
>>> EXTENSION_INTERFACE_VERSION_MAX;type=class
>>> java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_
>>> MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0,
>>> Extkey[name=EXTENSION_LICENSE;type=class
>>> java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-
>>> 054c-4e31-9c6d-1ca4d60a4c18];]=ASL
>>> 2.0, Extkey[name=EXTENSION_NOTES;type=class
>>> java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-
>>> 4584-aaff-97f66978e4ea];]=Display
>>> name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6,
>>> Extkey[name=EXTENSION_HOME_URL;type=class
>>> java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-
>>> f969-42d4-b399-72d192e18304];]=
>>> http://www.ovirt.org ,Extkey[name=EXTENSION_LOCALE;type=class
>>> java.lang.String;uuid=EXTENSION_LOCALE[0780b112-
>>> 0ce0-404a-b85e-8765d778bb29];]=en_US,
>>> Extkey[name=EXTENSION_NAME;type=class
>>> java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-
>>> 4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn,
>>> Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class
>>> java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_
>>> MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0,
>>> Extkey[name=EXTENSION_CONFIGURATION;type=class
>>> java.util.Properties;uuid=EXTENSION_CONFIGURATION[
>>> 2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***,
>>> Extkey[name=EXTENSION_AUTHOR;type=class
>>> java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-
>>> 2dad-4bc5-9aad-e07018b7fbcc];]=The
>>> oVirt Project, Extkey[name=EXTENSION_INSTANCE_NAME;type=class
>

Re: [ovirt-users] Error authenticating bind using the AAA OpenLDAP module

2015-01-15 Thread Ondra Machacek

On 01/15/2015 10:36 AM, Alon Bar-Lev wrote:



- Original Message -

From: "Bruno Rodriguez" 
To: "Ondra Machacek" 
Cc: "Esther Accion" , users@ovirt.org
Sent: Thursday, January 15, 2015 11:20:57 AM
Subject: Re: [ovirt-users] Error authenticating bind using the AAA OpenLDAP 
module

Thank you very much,

using the following ldap.example.org file:

-

include = 
include = 


what do you have in openldap_example.properties?


It seems you have specified anonymous bind in 
openldap_example.properties. You should probably try it with the original 
one (openldap.properties).





vars.server = ldap1.example.org
#vars.user = cn=authenticate,ou=System,dc=example,dc=org
#vars.password = X


why have you commented out the vars?
you should have just removed the quotes from vars.password and kept the lines 
below as-is.


pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = cn=authenticate,ou=System,dc=example,dc=org
pool.default.auth.simple.password = X

pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file =
/etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
pool.default.ssl.truststore.password = X

-

Then I get the following in the engine log:


2015-01-15 10:04:15,250 ERROR
[org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
(ajp--127.0.0.1-8702-3) Error during CanDoActionFailure.: Class: class
org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException
Input:
{Extkey[name=AAA_AUTHN_CREDENTIALS;type=class
java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-4bb5-4592-8167-810a5c909706];]=***,
Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class
org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0,
Extkey[name=EXTENSION_LICENSE;type=class
java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL
2.0, Extkey[name=EXTENSION_NOTES;type=class
java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display
name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6,
Extkey[name=EXTENSION_HOME_URL;type=class
java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]=
http://www.ovirt.org ,Extkey[name=EXTENSION_LOCALE;type=class
java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US,
Extkey[name=EXTENSION_NAME;type=class
java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn,
Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0,
Extkey[name=EXTENSION_CONFIGURATION;type=class
java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***,
Extkey[name=EXTENSION_AUTHOR;type=class
java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The
oVirt Project, Extkey[name=EXTENSION_INSTANCE_NAME;type=class
java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=
authn-ldap.example.org ,
Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class
java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0,
Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface
java.util.Collection;uuid=EXTENSION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[],
Extkey[name=AAA_AUTHN_CAPABILITIES;type=class
java.lang.Long;uuid=AAA_AUTHN_CAPABILITIES[9d16bee3-10fd-46f2-83f9-3d3c54cf258d];]=12,
Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class
org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*,
Extkey[name=EXTENSION_VERSION;type=class
java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8-8239-4bdb-ab1a-af9f779ce68c];]=1.0.0,
Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface
org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.impl.Slf4jLogger(
org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authn.authn-ldap.example.org
), Extkey[name=EXTENSION_PROVIDES;type=interface
java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.extensions.aaa.Authn]},
Extkey[name=AAA_AUTHN_USER;type=class
java.lang.String;uuid=AAA_AUTHN_USER[1ceaba26-1bdc-4663-a3c6-5d926f9dd8f0];]=bruno,
Extkey[name=EXTENSION_INVOKE_COMMAND;type=class
org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHN_AUTHENTICATE_CREDENTIALS[d9605c75-6b43-4b00-b32c-06bdfa80244c]}
Output:
{Extkey[name=EXTENSION_INVOKE_RESULT;type=class
java.lang.Integer;uuid=EXTENSI

Re: [ovirt-users] Error authenticating bind using the AAA OpenLDAP module

2015-01-15 Thread Alon Bar-Lev


- Original Message -
> From: "Bruno Rodriguez" 
> To: "Ondra Machacek" 
> Cc: "Esther Accion" , users@ovirt.org
> Sent: Thursday, January 15, 2015 11:20:57 AM
> Subject: Re: [ovirt-users] Error authenticating bind using the AAA OpenLDAP   
> module
> 
> Thank you very much,
> 
> using the following ldap.example.org file:
> 
> -
> 
> include = 
> include = 

what do you have in openldap_example.properties?

> vars.server = ldap1.example.org
> #vars.user = cn=authenticate,ou=System,dc=example,dc=org
> #vars.password = X

why have you commented out the vars?
you should have just removed the quotes from vars.password and kept the lines 
below as-is.
 
> pool.default.serverset.single.server = ${global:vars.server}
> pool.default.auth.simple.bindDN = cn=authenticate,ou=System,dc=example,dc=org
> pool.default.auth.simple.password = X
> 
> pool.default.ssl.startTLS = true
> pool.default.ssl.truststore.file =
> /etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
> pool.default.ssl.truststore.password = X
> 
> -
> 
> Then I get the following in the engine log:
> 
> 
> 2015-01-15 10:04:15,250 ERROR
> [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
> (ajp--127.0.0.1-8702-3) Error during CanDoActionFailure.: Class: class
> org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException
> Input:
> {Extkey[name=AAA_AUTHN_CREDENTIALS;type=class
> java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-4bb5-4592-8167-810a5c909706];]=***,
> Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class
> org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class
> java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0,
> Extkey[name=EXTENSION_LICENSE;type=class
> java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL
> 2.0, Extkey[name=EXTENSION_NOTES;type=class
> java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display
> name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6,
> Extkey[name=EXTENSION_HOME_URL;type=class
> java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]=
> http://www.ovirt.org ,Extkey[name=EXTENSION_LOCALE;type=class
> java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US,
> Extkey[name=EXTENSION_NAME;type=class
> java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn,
> Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class
> java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0,
> Extkey[name=EXTENSION_CONFIGURATION;type=class
> java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***,
> Extkey[name=EXTENSION_AUTHOR;type=class
> java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The
> oVirt Project, Extkey[name=EXTENSION_INSTANCE_NAME;type=class
> java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=
> authn-ldap.example.org ,
> Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class
> java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0,
> Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface
> java.util.Collection;uuid=EXTENSION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[],
> Extkey[name=AAA_AUTHN_CAPABILITIES;type=class
> java.lang.Long;uuid=AAA_AUTHN_CAPABILITIES[9d16bee3-10fd-46f2-83f9-3d3c54cf258d];]=12,
> Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class
> org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*,
> Extkey[name=EXTENSION_VERSION;type=class
> java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8-8239-4bdb-ab1a-af9f779ce68c];]=1.0.0,
> Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface
> org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.impl.Slf4jLogger(
> org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authn.authn-ldap.example.org
> ), Extkey[name=EXTENSION_PROVIDES;type=interface
> java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.extensions.aaa.Authn]},
> Extkey[name=AAA_AUTHN_USER;type=class
> java.lang.String;uuid=AAA_AUTHN_USER[1ceaba26-1bdc-4663-a3c6-5d926f9dd8f0];]=bruno,
> Extkey[name=EXTENSION_INVOKE_COMMAND;type=class
> org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE

Re: [ovirt-users] Error authenticating bind using the AAA OpenLDAP module

2015-01-15 Thread Ondra Machacek

Can you try adding this line:

pool.default.auth.type = simple

to your prop file?

Something like:

..
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.type = simple
pool.default.auth.simple.bindDN = 
cn=authenticate,ou=System,dc=example,dc=org

pool.default.auth.simple.password = X


Thanks,
Ondra

On 01/15/2015 10:20 AM, Bruno Rodriguez wrote:

Thank you very much,

using the following ldap.example.org file:

-

include = 
include = 

vars.server = ldap1.example.org 
#vars.user = cn=authenticate,ou=System,dc=example,dc=org
#vars.password = X

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN =
cn=authenticate,ou=System,dc=example,dc=org
pool.default.auth.simple.password = X

pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file =
/etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
pool.default.ssl.truststore.password = X

-

Then I get the following in the engine log:


2015-01-15 10:04:15,250 ERROR
[org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
(ajp--127.0.0.1-8702-3) Error during CanDoActionFailure.: Class: class
org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException
Input:
{Extkey[name=AAA_AUTHN_CREDENTIALS;type=class
java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-4bb5-4592-8167-810a5c909706];]=***,
Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class
org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0,
Extkey[name=EXTENSION_LICENSE;type=class
java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL
2.0, Extkey[name=EXTENSION_NOTES;type=class
java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display
name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6,
Extkey[name=EXTENSION_HOME_URL;type=class
java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]=http://www.ovirt.org,Extkey[name=EXTENSION_LOCALE;type=class
java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US,
Extkey[name=EXTENSION_NAME;type=class
java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn,
Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0,
Extkey[name=EXTENSION_CONFIGURATION;type=class
java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***,
Extkey[name=EXTENSION_AUTHOR;type=class
java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The
oVirt Project, Extkey[name=EXTENSION_INSTANCE_NAME;type=class
java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=authn-ldap.example.org
,
Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class
java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0,
Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface
java.util.Collection;uuid=EXTENSION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[],
Extkey[name=AAA_AUTHN_CAPABILITIES;type=class
java.lang.Long;uuid=AAA_AUTHN_CAPABILITIES[9d16bee3-10fd-46f2-83f9-3d3c54cf258d];]=12,
Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class
org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*,
Extkey[name=EXTENSION_VERSION;type=class
java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8-8239-4bdb-ab1a-af9f779ce68c];]=1.0.0,
Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface
org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.impl.Slf4jLogger(org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authn.authn-ldap.example.org
),
Extkey[name=EXTENSION_PROVIDES;type=interface
java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.extensions.aaa.Authn]},
Extkey[name=AAA_AUTHN_USER;type=class
java.lang.String;uuid=AAA_AUTHN_USER[1ceaba26-1bdc-4663-a3c6-5d926f9dd8f0];]=bruno,
Extkey[name=EXTENSION_INVOKE_COMMAND;type=class
org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHN_AUTHENTICATE_CREDENTIALS[d9605c75-6b43-4b00-b32c-06bdfa80244c]}
  Output:
  {Extkey[name=EXTENSION_INVOKE_RESULT;type=class
java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099

Re: [ovirt-users] Error authenticating bind using the AAA OpenLDAP module

2015-01-15 Thread Bruno Rodriguez
Sorry, I forgot to restart the service. With the same ldap.example.org
file, the REAL logs are the following:

-- ldap log --

Jan 15 10:23:52 ldap1 slapd[6712]: conn=1672935 fd=109 ACCEPT from
IP=192.168.XX.XX:41522 (IP=0.0.0.0:389)
Jan 15 10:23:52 ldap1 slapd[6712]: conn=1672935 op=0 EXT
oid=1.3.6.1.4.1.1466.20037
Jan 15 10:23:52 ldap1 slapd[6712]: conn=1672935 op=0 STARTTLS
Jan 15 10:23:52 ldap1 slapd[6712]: conn=1672935 op=0 RESULT oid= err=0 text=
Jan 15 10:23:53 ldap1 slapd[6712]: conn=1672935 fd=109 TLS established
tls_ssf=128 ssf=128
Jan 15 10:23:53 ldap1 slapd[6712]: conn=1672935 op=1 BIND dn="" method=128
Jan 15 10:23:53 ldap1 slapd[6712]: conn=1672935 op=1 RESULT tag=97 err=48
text=anonymous bind disallowed
Jan 15 10:23:53 ldap1 slapd[6712]: conn=1672935 op=2 UNBIND
Jan 15 10:23:53 ldap1 slapd[6712]: conn=1672935 fd=109 closed

-- engine log --

2015-01-15 10:23:53,010 ERROR
[org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
(ajp--127.0.0.1-8702-2) Error during CanDoActionFailure.: Class: class
org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException
Input:
{Extkey[name=AAA_AUTHN_CREDENTIALS;type=class
java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-4bb5-4592-8167-810a5c909706];]=***,
Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class
org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0,
Extkey[name=EXTENSION_LICENSE;type=class
java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL 2.0, Extkey[name=EXTENSION_NOTES;type=class
java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6,
Extkey[name=EXTENSION_HOME_URL;type=class
java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]=http://www.ovirt.org, Extkey[name=EXTENSION_LOCALE;type=class
java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US, Extkey[name=EXTENSION_NAME;type=class
java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn,
Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0,
Extkey[name=EXTENSION_CONFIGURATION;type=class
java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***, Extkey[name=EXTENSION_AUTHOR;type=class
java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The oVirt Project,
Extkey[name=EXTENSION_INSTANCE_NAME;type=class java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=authn-ldap.example.org, Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class
java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0,
Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface
java.util.Collection;uuid=EXTENSION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[],
Extkey[name=AAA_AUTHN_CAPABILITIES;type=class
java.lang.Long;uuid=AAA_AUTHN_CAPABILITIES[9d16bee3-10fd-46f2-83f9-3d3c54cf258d];]=12,
Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class
org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*,
Extkey[name=EXTENSION_VERSION;type=class java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8-8239-4bdb-ab1a-af9f779ce68c];]=1.0.0,
Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.impl.Slf4jLogger(org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authn.authn-ldap.example.org), Extkey[name=EXTENSION_PROVIDES;type=interface
java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.extensions.aaa.Authn]},
Extkey[name=AAA_AUTHN_USER;type=class
java.lang.String;uuid=AAA_AUTHN_USER[1ceaba26-1bdc-4663-a3c6-5d926f9dd8f0];]=esthera,
Extkey[name=EXTENSION_INVOKE_COMMAND;type=class
org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHN_AUTHENTICATE_CREDENTIALS[d9605c75-6b43-4b00-b32c-06bdfa80244c]}
 Output:
 {Extkey[name=EXTENSION_INVOKE_RESULT;type=class
java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2, Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class
java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=anonymous bind disallowed}


As you can see, the engine tries to make an anonymous bind and it's
unsuccessful...

Thank you very much (and sorry for the previous message),

Br
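The slapd lines in this message are what a directory admin gets to work with when the engine side only says "anonymous bind disallowed". As an added example that is not part of the thread or of oVirt/OpenLDAP, here is a small parser for slapd stats-log output that groups lines by connection, pairs each BIND with its RESULT, and reports refused anonymous binds, invalid credentials, and simple binds sent before STARTTLS. conn=1672935 is the connection posted above; the other two connections and the user DN are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# conn=1672935 is the connection Bruno posted (lines rejoined where the mail client
# wrapped them; the IP was already masked by the poster). conn=1672940 and
# conn=1672951 are constructed: a healthy search-user bind followed by a failed
# user bind, and a simple bind sent before STARTTLS. The uid=someuser DN is made up.
SAMPLE_LOG = """\
Jan 15 10:23:52 ldap1 slapd[6712]: conn=1672935 fd=109 ACCEPT from IP=192.168.XX.XX:41522 (IP=0.0.0.0:389)
Jan 15 10:23:52 ldap1 slapd[6712]: conn=1672935 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan 15 10:23:52 ldap1 slapd[6712]: conn=1672935 op=0 STARTTLS
Jan 15 10:23:52 ldap1 slapd[6712]: conn=1672935 op=0 RESULT oid= err=0 text=
Jan 15 10:23:53 ldap1 slapd[6712]: conn=1672935 fd=109 TLS established tls_ssf=128 ssf=128
Jan 15 10:23:53 ldap1 slapd[6712]: conn=1672935 op=1 BIND dn="" method=128
Jan 15 10:23:53 ldap1 slapd[6712]: conn=1672935 op=1 RESULT tag=97 err=48 text=anonymous bind disallowed
Jan 15 10:23:53 ldap1 slapd[6712]: conn=1672935 op=2 UNBIND
Jan 15 10:23:53 ldap1 slapd[6712]: conn=1672935 fd=109 closed
Jan 15 10:30:01 ldap1 slapd[6712]: conn=1672940 fd=110 ACCEPT from IP=192.168.XX.XX:41530 (IP=0.0.0.0:389)
Jan 15 10:30:01 ldap1 slapd[6712]: conn=1672940 op=0 STARTTLS
Jan 15 10:30:01 ldap1 slapd[6712]: conn=1672940 op=0 RESULT oid= err=0 text=
Jan 15 10:30:01 ldap1 slapd[6712]: conn=1672940 fd=110 TLS established tls_ssf=128 ssf=128
Jan 15 10:30:01 ldap1 slapd[6712]: conn=1672940 op=1 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" method=128
Jan 15 10:30:01 ldap1 slapd[6712]: conn=1672940 op=1 RESULT tag=97 err=0 text=
Jan 15 10:30:02 ldap1 slapd[6712]: conn=1672940 op=2 BIND dn="uid=someuser,ou=People,dc=example,dc=org" method=128
Jan 15 10:30:02 ldap1 slapd[6712]: conn=1672940 op=2 RESULT tag=97 err=49 text=
Jan 15 10:31:00 ldap1 slapd[6712]: conn=1672951 fd=111 ACCEPT from IP=192.168.XX.XX:41544 (IP=0.0.0.0:389)
Jan 15 10:31:00 ldap1 slapd[6712]: conn=1672951 op=0 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" method=128
Jan 15 10:31:00 ldap1 slapd[6712]: conn=1672951 op=0 RESULT tag=97 err=0 text=
"""

LINE_RE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
TLS_RE = re.compile(r"TLS established tls_ssf=(?P<ssf>\d+)")
BIND_RE = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
RESULT_RE = re.compile(r"op=(?P<op>\d+) RESULT (?:tag=\d+ )?(?:oid=\S* )?err=(?P<err>\d+) text=(?P<text>.*)")

# LDAP result codes (RFC 4511) that matter when diagnosing binds.
RESULT_NAMES = {0: "success", 48: "inappropriateAuthentication", 49: "invalidCredentials"}


@dataclass
class Bind:
    op: int
    dn: str                 # "" is an anonymous bind
    method: int             # 128 = simple bind
    over_tls: bool          # TLS was already established when the bind arrived
    err: Optional[int] = None
    text: str = ""

    @property
    def anonymous(self) -> bool:
        return self.dn == ""


@dataclass
class Connection:
    conn: int
    tls_ssf: Optional[int] = None
    binds: List[Bind] = field(default_factory=list)
    closed: bool = False


def parse_slapd_log(text: str) -> Dict[int, Connection]:
    """Group slapd 'stats' lines by conn= and pair every BIND with its RESULT."""
    conns: Dict[int, Connection] = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        c = conns.setdefault(int(m["conn"]), Connection(conn=int(m["conn"])))
        rest = m["rest"]
        if (t := TLS_RE.search(rest)):
            c.tls_ssf = int(t["ssf"])
        elif (b := BIND_RE.search(rest)):
            c.binds.append(Bind(int(b["op"]), b["dn"], int(b["method"]), c.tls_ssf is not None))
        elif (r := RESULT_RE.search(rest)):
            # A RESULT line carries the op number of the request it answers.
            for bind in c.binds:
                if bind.op == int(r["op"]) and bind.err is None:
                    bind.err, bind.text = int(r["err"]), r["text"].strip()
        elif rest.endswith(" closed"):
            c.closed = True
    return conns


def findings(conns: Dict[int, Connection]) -> List[str]:
    """Bind problems worth a look, in log order."""
    out: List[str] = []
    for c in conns.values():
        for b in c.binds:
            who = "anonymous" if b.anonymous else b.dn
            name = RESULT_NAMES.get(b.err, str(b.err))
            if b.err == 48:
                # The server refused this kind of bind; for dn="" that is the
                # "anonymous bind disallowed" case the thread is about.
                out.append(f"conn={c.conn} op={b.op}: {who} bind refused (err=48 {name}: {b.text})")
            elif b.err == 49:
                out.append(f"conn={c.conn} op={b.op}: {who} bind failed (err=49 {name})")
            if b.method == 128 and not b.anonymous and not b.over_tls:
                out.append(f"conn={c.conn} op={b.op}: simple bind as {who} without TLS (password in the clear)")
    return out


if __name__ == "__main__":
    for finding in findings(parse_slapd_log(SAMPLE_LOG)):
        print(finding)
```

Run it against a real /var/log/ldap.log to see, per connection, whether the engine bound anonymously or as the search user and what slapd answered.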

Re: [ovirt-users] Error authenticating bind using the AAA OpenLDAP module

2015-01-15 Thread Bruno Rodriguez
Thank you very much,

using the following ldap.example.org file:

-

include = 
include = 

vars.server = ldap1.example.org
#vars.user = cn=authenticate,ou=System,dc=example,dc=org
#vars.password = X

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN =
cn=authenticate,ou=System,dc=example,dc=org
pool.default.auth.simple.password = X

pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file =
/etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
pool.default.ssl.truststore.password = X

-

Then I get the following in the engine log:


2015-01-15 10:04:15,250 ERROR
[org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
(ajp--127.0.0.1-8702-3) Error during CanDoActionFailure.: Class: class
org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException
Input:
{Extkey[name=AAA_AUTHN_CREDENTIALS;type=class
java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-4bb5-4592-8167-810a5c909706];]=***,
Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class
org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0,
Extkey[name=EXTENSION_LICENSE;type=class
java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL
2.0, Extkey[name=EXTENSION_NOTES;type=class
java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display
name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6,
Extkey[name=EXTENSION_HOME_URL;type=class
java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]=
http://www.ovirt.org,Extkey[name=EXTENSION_LOCALE;type=class
java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US,
Extkey[name=EXTENSION_NAME;type=class
java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn,
Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0,
Extkey[name=EXTENSION_CONFIGURATION;type=class
java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***,
Extkey[name=EXTENSION_AUTHOR;type=class
java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The
oVirt Project, Extkey[name=EXTENSION_INSTANCE_NAME;type=class
java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=
authn-ldap.example.org,
Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class
java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0,
Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface
java.util.Collection;uuid=EXTENSION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[],
Extkey[name=AAA_AUTHN_CAPABILITIES;type=class
java.lang.Long;uuid=AAA_AUTHN_CAPABILITIES[9d16bee3-10fd-46f2-83f9-3d3c54cf258d];]=12,
Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class
org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*,
Extkey[name=EXTENSION_VERSION;type=class
java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8-8239-4bdb-ab1a-af9f779ce68c];]=1.0.0,
Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface
org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.impl.Slf4jLogger(
org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authn.authn-ldap.example.org),
Extkey[name=EXTENSION_PROVIDES;type=interface
java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.extensions.aaa.Authn]},
Extkey[name=AAA_AUTHN_USER;type=class
java.lang.String;uuid=AAA_AUTHN_USER[1ceaba26-1bdc-4663-a3c6-5d926f9dd8f0];]=bruno,
Extkey[name=EXTENSION_INVOKE_COMMAND;type=class
org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHN_AUTHENTICATE_CREDENTIALS[d9605c75-6b43-4b00-b32c-06bdfa80244c]}
 Output:
 {Extkey[name=EXTENSION_INVOKE_RESULT;type=class
java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2,
Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class
java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=anonymous
bind disallowed}

---

And this is the ldap connection log:

/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 fd=114
ACCEPT from IP=192.168.XX.XX:41469 (IP=0.0.0.0:389)
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0 EXT
oid=1.3.6.1.4.1.1466.20037
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0
STARTTLS
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]:
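Reading a slapd log for a failing bind is easier when each BIND is paired with its RESULT and the TLS state of the connection is known at bind time. The script below is an added example, not code from this thread or from the oVirt project. It takes slapd lines in the format of the /var/log/ldap.log excerpt above, pairs each BIND with its RESULT, and flags the three things worth checking at this point: an anonymous bind (dn=""), a simple bind sent before "TLS established" on that connection (the password then crossed port 389 in cleartext), and the bind's LDAP result code (48 inappropriateAuthentication is what slapd returns under `disallow bind_anon`, 49 is invalidCredentials). The log lines are constructed: the first connection is modelled on the posted excerpt, but everything after its STARTTLS line, and the second connection 1671351 that binds without STARTTLS, is assumed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the /var/log/ldap.log excerpt posted in the
# thread (conn=1671350 accepted on plain port 389, then STARTTLS).  Everything
# after the STARTTLS line is assumed; conn=1671351 is a second, deliberately
# misconfigured client that sends a simple bind without STARTTLS.
SLAPD_LOG = """\
Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 fd=114 ACCEPT from IP=192.168.10.20:41469 (IP=0.0.0.0:389)
Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0 STARTTLS
Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0 RESULT oid= err=0 text=
Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 fd=114 TLS established tls_ssf=256 ssf=256
Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 BIND dn="" method=128
Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=1 RESULT tag=97 err=48 text=anonymous bind disallowed
Jan 15 10:04:16 ldap1 slapd[6712]: conn=1671351 fd=115 ACCEPT from IP=192.168.10.20:41470 (IP=0.0.0.0:389)
Jan 15 10:04:16 ldap1 slapd[6712]: conn=1671351 op=0 BIND dn="cn=authenticate,ou=System,dc=example,dc=org" method=128
Jan 15 10:04:16 ldap1 slapd[6712]: conn=1671351 op=0 RESULT tag=97 err=49 text=
Jan 15 10:04:16 ldap1 slapd[6712]: conn=1671351 op=1 UNBIND
Jan 15 10:04:16 ldap1 slapd[6712]: conn=1671351 fd=115 closed
"""

LINE_RE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
BIND_RE = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
RESULT_RE = re.compile(r"op=(?P<op>\d+) RESULT (?:tag=\d+ |oid=\S* )?err=(?P<err>\d+) text=(?P<text>.*)")

# LDAP result codes relevant to bind failures (RFC 4511, section 4.1.9).
LDAP_ERR = {0: "success", 13: "confidentialityRequired",
            48: "inappropriateAuthentication", 49: "invalidCredentials"}
SIMPLE = "128"  # slapd logs method=128 for a simple (DN + password) bind


@dataclass
class BindEvent:
    conn: str
    op: str
    dn: str
    method: str
    tls: bool                  # "TLS established" seen on this conn before the BIND
    err: Optional[int] = None  # filled in from the matching RESULT line
    text: str = ""

    def findings(self) -> List[str]:
        out = []
        if self.dn == "":
            out.append("anonymous bind")
        if self.method == SIMPLE and not self.tls:
            out.append("simple bind before TLS (password crossed the wire in cleartext)")
        if self.err not in (None, 0):
            out.append(f"bind failed: err={self.err} ({LDAP_ERR.get(self.err, 'unknown')}) {self.text}".rstrip())
        return out


def analyze_slapd_log(text: str) -> List[BindEvent]:
    """Pair every BIND with its RESULT and record whether TLS was up at bind time."""
    tls_up: Dict[str, bool] = {}
    pending: Dict[Tuple[str, str], BindEvent] = {}
    events: List[BindEvent] = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        conn, rest = m.group("conn"), m.group("rest")
        if "TLS established" in rest:
            tls_up[conn] = True
        elif (b := BIND_RE.match(rest)):
            ev = BindEvent(conn, b["op"], b["dn"], b["method"], tls_up.get(conn, False))
            pending[(conn, b["op"])] = ev
            events.append(ev)
        elif (r := RESULT_RE.match(rest)):
            # A RESULT with no pending BIND (e.g. the STARTTLS result for op=0) is ignored.
            ev = pending.pop((conn, r["op"]), None)
            if ev is not None:
                ev.err = int(r["err"])
                ev.text = r["text"].strip()
    return events


if __name__ == "__main__":
    for ev in analyze_slapd_log(SLAPD_LOG):
        who = ev.dn or "(anonymous)"
        print(f"conn={ev.conn} op={ev.op} bind as {who}: {'; '.join(ev.findings()) or 'ok'}")
```

Run against a real ldap.log the same way (read the file instead of SLAPD_LOG); a bind on port 389 that is not preceded by "TLS established" on the same conn is the finding to chase first, regardless of whether the bind itself succeeded.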

Re: [ovirt-users] Error authenticating bind using the AAA OpenLDAP module

2015-01-15 Thread Bruno Rodriguez
Thank you very much for the fast reply !

I grepped "org.ovirt.engineextensions.aaa.ldap" in the engine log file, but
I wasn't able to get enough information for me to know which was the
problem...

2015-01-14 16:04:18,575 INFO
 [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-3)
[ovirt-engine-extension-aaa-ldap.authz::authz-ldap.example.org] Creating
LDAP pool 'authz'
2015-01-14 16:04:18,648 ERROR
[org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread
1-3) [ovirt-engine-extension-aaa-ldap.authz::authz-ldap.example.org] Cannot
initialize LDAP framework, deferring initialization. Error: invalid
credentials
2015-01-14 16:04:36,913 INFO
 [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-2)
[ovirt-engine-extension-aaa-ldap.authn::authn-ldap.example.org] Creating
LDAP pool 'authz'
2015-01-14 16:08:34,521 INFO
 [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-1)
[ovirt-engine-extension-aaa-ldap.authn::authn-ldap.example.org] Creating
LDAP pool 'authz'
2015-01-14 16:35:25,670 INFO
 [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-6)
[ovirt-engine-extension-aaa-ldap.authn::authn-ldap.example.org] Creating
LDAP pool 'authz'
2015-01-14 17:44:19,769 INFO
 [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-4)
[ovirt-engine-extension-aaa-ldap.authn::authn-ldap.example.org] Creating
LDAP pool 'authz'
2015-01-14 17:44:20,096 ERROR
[org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread
1-4) [ovirt-engine-extension-aaa-ldap.authn::authn-ldap.example.org] Cannot
initialize LDAP framework, deferring initialization. Error: invalid
credentials
2015-01-14 17:44:20,105 INFO
 [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-4)
[ovirt-engine-extension-aaa-ldap.authz::authz-ldap.example.org] Creating
LDAP pool 'authz'
2015-01-14 17:44:20,178 ERROR
[org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread
1-4) [ovirt-engine-extension-aaa-ldap.authz::authz-ldap.example.org] Cannot
initialize LDAP framework, deferring initialization. Error: invalid
credentials

Thanks again.


On Wed, Jan 14, 2015 at 5:08 PM, Alon Bar-Lev  wrote:

> Hi!
>
> Great information!
>
> I really need you to add the log for org.ovirt.engineextensions.aaa.ldap,
> see [1] so I can see the entire sequence.
>
> You are trying to authenticate the esthera user, this results in a bind
> request using this user, so you should really try to see if the bind succeeds
> with this user and password.
>
> $ ldapsearch -ZZ -D replace_with_esthera_DN -W -b 'dc=example,dc=org'
>
> It may be that the password of the user is not set or different than what
> you expect, or the schema is not openldap but rfc2307.
>
> Alon
>
> [1]
> http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l270
>
> - Original Message -----
> > From: "Bruno Rodriguez" 
> > To: users@ovirt.org, "Esther Accion" 
> > Sent: Wednesday, January 14, 2015 5:53:06 PM
> > Subject: [ovirt-users] Error authenticating bind using the AAA OpenLDAP
>  module
> >
> > Good afternoon,
> >
> > We cannot access oVirt using LDAP authentication against our openldap
> > server. We created the following files in /etc/ovirt-engine/extensions.d
> > (the organization name is not example.org and the passwords are not
> > , obviously) :
> >
> > --- /etc/ovirt-engine/extensions.d/ldap.example.org ---
> >
> > include = 
> >
> > vars.server = ldap1.example.org
> > vars.user = cn=authenticate,ou=System,dc=example,dc=org
> > vars.password = ""
> >
> > pool.default.serverset.single.server = ${global:vars.server}
> > pool.default.auth.simple.bindDN = ${global:vars.user}
> > pool.default.auth.simple.password = ${global:vars.password}
> >
> > pool.default.ssl.startTLS = true
> > pool.default.ssl.truststore.file =
> > /etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
> > pool.default.ssl.truststore.password = 
> >
> > ---
> /etc/ovirt-engine/extensions.d/authn-ldap.example.org.properties
> > ---
> >
> > ovirt.engine.extension.name = authn-ldap.example.org
> > ovirt.engine.extension.bindings.method = jbossmodule
> > ovirt.engine.extension.binding.jbossmodule.module =
> > org.ovirt.engine-extensions.aaa.ldap
> > ovirt.engine.extension.binding.jbossmodule.class =
> > org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> > ovirt.engine.extension.provides =
> org.ovirt.engine.api.extensions.aaa.Authn
> 
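The engine-side evidence in this thread comes in two formats: the aaa-ldap log entries above ("Creating LDAP pool", "Cannot initialize LDAP framework, deferring initialization. Error: ...") and the ExtMap dump from the failed login, whose Output map carries EXTENSION_INVOKE_RESULT and EXTENSION_INVOKE_MESSAGE. As an added example, not code from the thread or from the oVirt project, the script below parses both: it groups the log entries by extension instance (authn vs. authz) and pulls out the pool name and error text, and it flattens an ExtMap dump into a dictionary so the result and message can be read without eyeballing the uuids. The sample log lines and the Output map are constructed from the values posted above, each entry joined onto one line; treating any non-zero EXTENSION_INVOKE_RESULT as a failure is an assumption of this example, the code values themselves are not mapped.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed engine.log entries, modelled on the "Creating LDAP pool" and
# "Cannot initialize LDAP framework" lines posted above (each joined onto one line).
ENGINE_LOG = """\
2015-01-14 17:44:19,769 INFO  [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-4) [ovirt-engine-extension-aaa-ldap.authn::authn-ldap.example.org] Creating LDAP pool 'authz'
2015-01-14 17:44:20,096 ERROR [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-4) [ovirt-engine-extension-aaa-ldap.authn::authn-ldap.example.org] Cannot initialize LDAP framework, deferring initialization. Error: invalid credentials
2015-01-14 17:44:20,105 INFO  [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-4) [ovirt-engine-extension-aaa-ldap.authz::authz-ldap.example.org] Creating LDAP pool 'authz'
2015-01-14 17:44:20,178 ERROR [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread 1-4) [ovirt-engine-extension-aaa-ldap.authz::authz-ldap.example.org] Cannot initialize LDAP framework, deferring initialization. Error: invalid credentials
"""

# The "Output:" ExtMap of the failed AAA_AUTHN_AUTHENTICATE_CREDENTIALS call, joined onto one line.
INVOKE_OUTPUT = (
    "{Extkey[name=EXTENSION_INVOKE_RESULT;type=class java.lang.Integer;"
    "uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2, "
    "Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class java.lang.String;"
    "uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=anonymous bind disallowed}"
)

ENGINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) +(?P<level>[A-Z]+) +\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) "
    r"\[(?P<ext>[^\]:]+)::(?P<instance>[^\]]+)\] (?P<msg>.*)$")
EXTKEY_RE = re.compile(r"Extkey\[name=(?P<name>[A-Z0-9_]+);[^\]]*\];\]=")
POOL_RE = re.compile(r"Creating LDAP pool '(?P<pool>[^']+)'")
ERROR_RE = re.compile(r"Cannot initialize LDAP framework.*Error: (?P<error>.*)$")


@dataclass
class InstanceStatus:
    instance: str
    kind: str  # "authn" or "authz", taken from the extension name suffix
    pools: List[str] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)


def parse_extmap(dump: str) -> Dict[str, str]:
    """Flatten an ExtMap dump into {key: value}.

    Keys of nested maps (e.g. inside EXTENSION_INVOKE_CONTEXT) land in the same
    dict; the outer key keeps only the '{' that opened the nested map.
    """
    keys = list(EXTKEY_RE.finditer(dump))
    out: Dict[str, str] = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(dump)
        value = dump[m.end():end].strip().rstrip(",").strip().rstrip("}").strip()
        out[m.group("name")] = value
    return out


def triage_engine_log(text: str) -> Dict[str, InstanceStatus]:
    """Group aaa-ldap entries by extension instance: pools created and init errors."""
    status: Dict[str, InstanceStatus] = {}
    for line in text.splitlines():
        m = ENGINE_RE.match(line)
        if not m:
            continue
        st = status.setdefault(m["instance"],
                               InstanceStatus(m["instance"], m["ext"].rsplit(".", 1)[-1]))
        if (p := POOL_RE.search(m["msg"])):
            st.pools.append(p["pool"])
        if (e := ERROR_RE.search(m["msg"])):
            st.errors.append(e["error"].strip())
    return status


def diagnose(engine_log: str, invoke_output: str) -> List[str]:
    """One finding per deferred extension, plus one for a failed authenticate call."""
    findings = []
    for st in triage_engine_log(engine_log).values():
        for err in st.errors:
            findings.append(f"{st.kind} extension {st.instance}: init deferred, pools {st.pools}: {err}")
    out = parse_extmap(invoke_output)
    # Assumption: a non-zero EXTENSION_INVOKE_RESULT is a failure (codes not mapped here).
    if out.get("EXTENSION_INVOKE_RESULT", "0") != "0":
        findings.append(f"authenticate call returned {out['EXTENSION_INVOKE_RESULT']}: "
                        f"{out.get('EXTENSION_INVOKE_MESSAGE', '')}")
    return findings


if __name__ == "__main__":
    for line in diagnose(ENGINE_LOG, INVOKE_OUTPUT):
        print(line)
```

The engine.log lines in the post above are wrapped by the mail client; join each entry onto one line (or read the file directly, where the entries are already single lines) before feeding them to triage_engine_log.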

Re: [ovirt-users] Error authenticating bind using the AAA OpenLDAP module

2015-01-14 Thread Ondra Machacek

Hi,

On 01/14/2015 04:53 PM, Bruno Rodriguez wrote:

Good afternoon,

We cannot access oVirt using LDAP authentication against our openldap
server. We created the following files in /etc/ovirt-engine/extensions.d
(the organization name is not example.org and the
passwords are not , obviously) :

--- /etc/ovirt-engine/extensions.d/ldap.example.org ---

include = 

vars.server = ldap1.example.org 
vars.user = cn=authenticate,ou=System,dc=example,dc=org
vars.password = ""

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file =
/etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
pool.default.ssl.truststore.password = 

---
/etc/ovirt-engine/extensions.d/authn-ldap.example.org.properties ---

ovirt.engine.extension.name = authn-ldap.example.org
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module =
org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class =
org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn

ovirt.engine.aaa.authn.profile.name = ldap.example.org

ovirt.engine.aaa.authn.authz.plugin = authz-ldap.example.org


config.profile.file.1 = /etc/ovirt-engine/extensions.d/ldap.example.org


---
/etc/ovirt-engine/extensions.d/authz-ldap.example.org.properties ---

ovirt.engine.extension.name = authz-ldap.example.org
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module =
org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class =
org.ovirt.engineextensions.aaa.ldap.AuthzExtension

ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/extensions.d/ldap.example.org




After all of this we restarted the service and tried to access via the
administration portal. The JKS has the right permissions and contains
the TLS CA, the password is correct and the user "esthera" exists. But
when we try to log in, we obtain the following error in the engine.log
(we already set the verbosity to ALL):



2015-01-14 16:35:25,750 ERROR
[org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
(ajp--127.0.0.1-8702-6) Error during CanDoActionFailure.: Class: class
org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException
Input:
{Extkey[name=AAA_AUTHN_CREDENTIALS;type=class
java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-4bb5-4592-8167-810a5c909706];]=***,
Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class
org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0,
Extkey[name=EXTENSION_LICENSE;type=class
java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL
2.0, Extkey[name=EXTENSION_NOTES;type=class
java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display
name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6,
Extkey[name=EXTENSION_HOME_URL;type=class
java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]=http://www.ovirt.org
, Extkey[name=EXTENSION_LOCALE;type=class
java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US,
Extkey[name=EXTENSION_NAME;type=class
java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn,
Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0,
Extkey[name=EXTENSION_CONFIGURATION;type=class
java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***,
Extkey[name=EXTENSION_AUTHOR;type=class
java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The
oVirt Project, Extkey[name=EXTENSION_INSTANCE_NAME;type=class
java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=authn-ldap.example.org,
Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class
java.lang.Integer;uu

Re: [ovirt-users] Error authenticating bind using the AAA OpenLDAP module

2015-01-14 Thread Alon Bar-Lev
Hi!

Great information!

I really need you to add the log for org.ovirt.engineextensions.aaa.ldap, see 
[1] so I can see the entire sequence.

You are trying to authenticate the esthera user, this results in a bind request 
using this user, so you should really try to see if the bind succeeds with this 
user and password.

$ ldapsearch -ZZ -D replace_with_esthera_DN -W -b 'dc=example,dc=org'

It may be that the password of the user is not set or different than what you 
expect, or the schema is not openldap but rfc2307.

Alon

[1] 
http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l270

- Original Message -
> From: "Bruno Rodriguez" 
> To: users@ovirt.org, "Esther Accion" 
> Sent: Wednesday, January 14, 2015 5:53:06 PM
> Subject: [ovirt-users] Error authenticating bind using the AAA OpenLDAP   
> module
> 
> Good afternoon,
> 
> We cannot access oVirt using LDAP authentication against our openldap
> server. We created the following files in /etc/ovirt-engine/extensions.d
> (the organization name is not example.org and the passwords are not
> , obviously) :
> 
> --- /etc/ovirt-engine/extensions.d/ldap.example.org ---
> 
> include = 
> 
> vars.server = ldap1.example.org
> vars.user = cn=authenticate,ou=System,dc=example,dc=org
> vars.password = ""
> 
> pool.default.serverset.single.server = ${global:vars.server}
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
> 
> pool.default.ssl.startTLS = true
> pool.default.ssl.truststore.file =
> /etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
> pool.default.ssl.truststore.password = 
> 
> --- /etc/ovirt-engine/extensions.d/authn-ldap.example.org.properties
> ---
> 
> ovirt.engine.extension.name = authn-ldap.example.org
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module =
> org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class =
> org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> 
> ovirt.engine.aaa.authn.profile.name = ldap.example.org
> ovirt.engine.aaa.authn.authz.plugin = authz-ldap.example.org
> 
> config.profile.file.1 = /etc/ovirt-engine/extensions.d/ldap.example.org
> 
> --- /etc/ovirt-engine/extensions.d/authz-ldap.example.org.properties
> ---
> 
> ovirt.engine.extension.name = authz-ldap.example.org
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module =
> org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class =
> org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> 
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> config.profile.file.1 = /etc/ovirt-engine/extensions.d/ldap.example.org
> 
> 
> 
> After all of this we restarted the service and tried to access via the
> administration portal. The JKS has the right permissions and contains the
> TLS CA, the password is correct and the user "esthera" exists. But when we
> try to log in, we obtain the following error in the engine.log (we already
> set the verbosity to ALL):
> 
> 
> 
> 2015-01-14 16:35:25,750 ERROR
> [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
> (ajp--127.0.0.1-8702-6) Error during CanDoActionFailure.: Class: class
> org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException
> Input:
> {Extkey[name=AAA_AUTHN_CREDENTIALS;type=class java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-4bb5-4592-8167-810a5c909706];]=***,
> Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0,
> Extkey[name=EXTENSION_LICENSE;type=class java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL 2.0,
> Extkey[name=EXTENSION_NOTES;type=class java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6,
> Extkey[name=EXTENSION_HOME_URL;type=class java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]=http://www.ovirt.org,
> Extkey[name=EXTENSION_LOCALE;type=class java.lang.Strin

[ovirt-users] Error authenticating bind using the AAA OpenLDAP module

2015-01-14 Thread Bruno Rodriguez
Good afternoon,

We cannot access oVirt using LDAP authentication against our openldap
server. We created the following files in /etc/ovirt-engine/extensions.d
(the organization name is not example.org and the passwords are not
, obviously) :

--- /etc/ovirt-engine/extensions.d/ldap.example.org ---

include = 

vars.server = ldap1.example.org
vars.user = cn=authenticate,ou=System,dc=example,dc=org
vars.password = ""

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file =
/etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
pool.default.ssl.truststore.password = 

---
/etc/ovirt-engine/extensions.d/authn-ldap.example.org.properties ---

ovirt.engine.extension.name = authn-ldap.example.org
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module =
org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class =
org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn

ovirt.engine.aaa.authn.profile.name = ldap.example.org
ovirt.engine.aaa.authn.authz.plugin = authz-ldap.example.org

config.profile.file.1 = /etc/ovirt-engine/extensions.d/ldap.example.org

---
/etc/ovirt-engine/extensions.d/authz-ldap.example.org.properties ---

ovirt.engine.extension.name = authz-ldap.example.org
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module =
org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class =
org.ovirt.engineextensions.aaa.ldap.AuthzExtension

ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/extensions.d/ldap.example.org



After all of this we restarted the service and tried to access via the
administration portal. The JKS has the right permissions and contains the
TLS CA, the password is correct and the user "esthera" exists. But when we
try to log in, we obtain the following error in the engine.log (we already
set the verbosity to ALL):



2015-01-14 16:35:25,750 ERROR
[org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
(ajp--127.0.0.1-8702-6) Error during CanDoActionFailure.: Class: class
org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException
Input:
{Extkey[name=AAA_AUTHN_CREDENTIALS;type=class java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-4bb5-4592-8167-810a5c909706];]=***,
Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0,
Extkey[name=EXTENSION_LICENSE;type=class java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL 2.0,
Extkey[name=EXTENSION_NOTES;type=class java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6,
Extkey[name=EXTENSION_HOME_URL;type=class java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]=http://www.ovirt.org,
Extkey[name=EXTENSION_LOCALE;type=class java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US,
Extkey[name=EXTENSION_NAME;type=class java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn,
Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0,
Extkey[name=EXTENSION_CONFIGURATION;type=class java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***,
Extkey[name=EXTENSION_AUTHOR;type=class java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The oVirt Project,
Extkey[name=EXTENSION_INSTANCE_NAME;type=class java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=authn-ldap.example.org,
Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0,
Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface java.util.Collection;uuid=EXTENSION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[],
Extkey[name=AAA_AUTHN_CAPABILITIES;type=class java.lang.Long;uuid=AAA_AUTHN_CAPABILITIES[9d16bee3-10fd-46f2-83f9-3d3c54cf258d];]=12,
Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class org.ovirt.eng