Re: [ovirt-users] Error authenticating bind using the AAA OpenLDAP module
- Original Message -
From: Bruno Rodriguez br...@pic.es
To: Ondra Machacek omach...@redhat.com
Cc: Esther Accion esth...@pic.es, users@ovirt.org
Sent: Thursday, January 15, 2015 11:20:57 AM
Subject: Re: [ovirt-users] Error authenticating bind using the AAA OpenLDAP
module
Thank you very much,
using the following ldap.example.org file:
-
include = openldap_example.properties
include = rfc2307.properties
what do you have in openldap_example.properties?
vars.server = ldap1.example.org
#vars.user = cn=authenticate,ou=System,dc=example,dc=org
#vars.password = X
why have you commented out the vars?
you should have just removed the quotes from vars.password and keep bellow
as-is.
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = cn=authenticate,ou=System,dc=example,dc=org
pool.default.auth.simple.password = X
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file =
/etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
pool.default.ssl.truststore.password = X
-
Then I get the following in the engine log:
2015-01-15 10:04:15,250 ERROR
[org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
(ajp--127.0.0.1-8702-3) Error during CanDoActionFailure.: Class: class
org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException
Input:
{Extkey[name=AAA_AUTHN_CREDENTIALS;type=class
java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-4bb5-4592-8167-810a5c909706];]=***,
Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class
org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0,
Extkey[name=EXTENSION_LICENSE;type=class
java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL
2.0, Extkey[name=EXTENSION_NOTES;type=class
java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display
name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6,
Extkey[name=EXTENSION_HOME_URL;type=class
java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]=
http://www.ovirt.org ,Extkey[name=EXTENSION_LOCALE;type=class
java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US,
Extkey[name=EXTENSION_NAME;type=class
java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn,
Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0,
Extkey[name=EXTENSION_CONFIGURATION;type=class
java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***,
Extkey[name=EXTENSION_AUTHOR;type=class
java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The
oVirt Project, Extkey[name=EXTENSION_INSTANCE_NAME;type=class
java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=
authn-ldap.example.org ,
Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class
java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0,
Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface
java.util.Collection;uuid=EXTENSION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[],
Extkey[name=AAA_AUTHN_CAPABILITIES;type=class
java.lang.Long;uuid=AAA_AUTHN_CAPABILITIES[9d16bee3-10fd-46f2-83f9-3d3c54cf258d];]=12,
Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class
org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*,
Extkey[name=EXTENSION_VERSION;type=class
java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8-8239-4bdb-ab1a-af9f779ce68c];]=1.0.0,
Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface
org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.impl.Slf4jLogger(
org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authn.authn-ldap.example.org
), Extkey[name=EXTENSION_PROVIDES;type=interface
java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.extensions.aaa.Authn]},
Extkey[name=AAA_AUTHN_USER;type=class
java.lang.String;uuid=AAA_AUTHN_USER[1ceaba26-1bdc-4663-a3c6-5d926f9dd8f0];]=bruno,
Extkey[name=EXTENSION_INVOKE_COMMAND;type=class
org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHN_AUTHENTICATE_CREDENTIALS[d9605c75-6b43-4b00-b32c-06bdfa80244c]}
Output:
{Extkey[name=EXTENSION_INVOKE_RESULT;type=class
java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2,
Extkey
Re: [ovirt-users] Error authenticating bind using the AAA OpenLDAP module
- Original Message -
From: Bruno Rodriguez br...@pic.es
To: Ondra Machacek omach...@redhat.com
Cc: Alon Bar-Lev alo...@redhat.com, Esther Accion esth...@pic.es,
users@ovirt.org
Sent: Thursday, January 15, 2015 12:03:39 PM
Subject: Re: [ovirt-users] Error authenticating bind using the AAA OpenLDAP
module
Thanks ! Now it's working!
The problem was the absence of the line:
pool.default.auth.type = simple
this should not be set to all pools, only for the authz pool.
the authn pool should be anonymous.
the process of authentication is:
1. create a pool X ldap connections with anonymous bind.
2. when user authenticate fetch a connection from (1) and bind user that user
and password.
3. revert to anonymous, return to pool.
so basically your pool is now authenticated using your search user at all time.
if your ldap does not permit anonymous logins at all, maybe better is to
provide different user for this authentication pool?
It's strange, I thought that the default auth type was set to simple and I
didn't check it twice. After setting that the problem has to do about a
user/password incorrect, which is our problem because of the schema we are
using (migrated from a NIS some time ago).
The openldap_example.properties actually was a copy of openldap.properties,
I did it that way to customize it to our schema, but in a first instance
it was a carbon copy of the original.
in next version (1.0.2) there is rfc2307-openldap.properties to ease use :)
Thanks again !
Bruno
On Thu, Jan 15, 2015 at 10:43 AM, Ondra Machacek omach...@redhat.com
wrote:
On 01/15/2015 10:36 AM, Alon Bar-Lev wrote:
- Original Message -
From: Bruno Rodriguez br...@pic.es
To: Ondra Machacek omach...@redhat.com
Cc: Esther Accion esth...@pic.es, users@ovirt.org
Sent: Thursday, January 15, 2015 11:20:57 AM
Subject: Re: [ovirt-users] Error authenticating bind using the AAA
OpenLDAP module
Thank you very much,
using the following ldap.example.org file:
-
include = openldap_example.properties
include = rfc2307.properties
what do you have in openldap_example.properties?
It seems you have specified anonymous bind in openldap_example.properties.
You should probably try it with original one (openldap.properties).
vars.server = ldap1.example.org
#vars.user = cn=authenticate,ou=System,dc=example,dc=org
#vars.password = X
why have you commented out the vars?
you should have just removed the quotes from vars.password and keep
bellow as-is.
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = cn=authenticate,ou=System,dc=
example,dc=org
pool.default.auth.simple.password = X
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file =
/etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
pool.default.ssl.truststore.password = X
-
Then I get the following in the engine log:
2015-01-15 10:04:15,250 ERROR
[org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
(ajp--127.0.0.1-8702-3) Error during CanDoActionFailure.: Class: class
org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedEx
ception
Input:
{Extkey[name=AAA_AUTHN_CREDENTIALS;type=class
java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-
4bb5-4592-8167-810a5c909706];]=***,
Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class
org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[
886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=
EXTENSION_INTERFACE_VERSION_MAX;type=class
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_
MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0,
Extkey[name=EXTENSION_LICENSE;type=class
java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-
054c-4e31-9c6d-1ca4d60a4c18];]=ASL
2.0, Extkey[name=EXTENSION_NOTES;type=class
java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-
4584-aaff-97f66978e4ea];]=Display
name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6,
Extkey[name=EXTENSION_HOME_URL;type=class
java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-
f969-42d4-b399-72d192e18304];]=
http://www.ovirt.org ,Extkey[name=EXTENSION_LOCALE;type=class
java.lang.String;uuid=EXTENSION_LOCALE[0780b112-
0ce0-404a-b85e-8765d778bb29];]=en_US,
Extkey[name=EXTENSION_NAME;type=class
java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-
4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn,
Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_
MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0,
Extkey[name=EXTENSION_CONFIGURATION;type=class
java.util.Properties;uuid=EXTENSION_CONFIGURATION[
2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***,
Extkey[name=EXTENSION_AUTHOR;type=class
java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-
2dad-4bc5-9aad-e07018b7fbcc
Re: [ovirt-users] Error authenticating bind using the AAA OpenLDAP module
Sorry, I forgot to restart the service. With the same ldap.example.org
file, the REAL logs are the following:
-- ldap log --
Jan 15 10:23:52 ldap1 slapd[6712]: conn=1672935 fd=109 ACCEPT from
IP=192.168.XX.XX:41522 (IP=0.0.0.0:389)
Jan 15 10:23:52 ldap1 slapd[6712]: conn=1672935 op=0 EXT
oid=1.3.6.1.4.1.1466.20037
Jan 15 10:23:52 ldap1 slapd[6712]: conn=1672935 op=0 STARTTLS
Jan 15 10:23:52 ldap1 slapd[6712]: conn=1672935 op=0 RESULT oid= err=0 text=
Jan 15 10:23:53 ldap1 slapd[6712]: conn=1672935 fd=109 TLS established
tls_ssf=128 ssf=128
Jan 15 10:23:53 ldap1 slapd[6712]: conn=1672935 op=1 BIND dn= method=128
Jan 15 10:23:53 ldap1 slapd[6712]: conn=1672935 op=1 RESULT tag=97 err=48
text=anonymous bind disallowed
Jan 15 10:23:53 ldap1 slapd[6712]: conn=1672935 op=2 UNBIND
Jan 15 10:23:53 ldap1 slapd[6712]: conn=1672935 fd=109 closed
-- engine log --
2015-01-15 10:23:53,010 ERROR
[org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
(ajp--127.0.0.1-8702-2) Error during CanDoActionFailure.: Class: class
org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException
Input:
{Extkey[name=AAA_AUTHN_CREDENTIALS;type=class
java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-4bb5-4592-8167-810a5c909706];]=***,
Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class
org.ovirt.engine.api.extensions.ExtMap;uu
id=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX
;type=class
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0,
Ex tkey[name=EXTENSION_LICENSE;type=class
java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4
c18];]=ASL 2.0, Extkey[name=EXTENSION_NOTES;type=class
java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-
aaff-97f66978e4ea];]=Display name:
ovirt-engine-extension-aaa-ldap-1.0.0-1.el6,
Extkey[name=EXTENSION_HOME_URL;t ype=class
java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]=
http://www.ovirt.org, Extkey[name=EXTENSION_LOCALE;type=class
java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778
bb29];]=en_US, Extkey[name=EXTENSION_NAME;type=class
java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf2
8-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn,
Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0,
Extkey[name=EX TENSION_CONFIGURATION;type=class
java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a
226b0fc];]=***, Extkey[name=EXTENSION_AUTHOR;type=class
java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc
5-9aad-e07018b7fbcc];]=The oVirt Project,
Extkey[name=EXTENSION_INSTANCE_NAME;type=class java.lang.String;uuid=E
XTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=
authn-ldap.example.org, Extkey[name=EXTENSION_BUILD_IN
TERFACE_VERSION;type=class
java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4
747a8ab7];]=0,
Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface
java.util.Collection;uuid=EXTEN
SION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[],
Extkey[name=AAA_AUTHN_CAPABILITIES ;type=class
java.lang.Long;uuid=AAA_AUTHN_CAPABILITIES[9d16bee3-10fd-46f2-83f9-3d3c54cf258d];]=12,
Extkey[name=E XTENSION_GLOBAL_CONTEXT;type=class
org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[9799e72f
-7af6-4cf1-bf08-297bc8903676];]=*skip*,
Extkey[name=EXTENSION_VERSION;type=class java.lang.String;uuid=EXTENSION
_VERSION[fe35f6a8-8239-4bdb-ab1a-af9f779ce68c];]=1.0.0,
Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface o
rg.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.impl.Slf4jLog
ger(org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authn.authn-lda
p.example.org), Extkey[name=EXTENSION_PROVIDES;type=interface
java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-6
5b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.extensions.aaa.Authn]},
Extkey[name=AAA_AUTHN_USER;type=clas s
java.lang.String;uuid=AAA_AUTHN_USER[1ceaba26-1bdc-4663-a3c6-5d926f9dd8f0];]=esthera,
Extkey[name=EXTENSION_IN VOKE_COMMAND;type=class
org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a
-b823-77b262a2f28d];]=AAA_AUTHN_AUTHENTICATE_CREDENTIALS[d9605c75-6b43-4b00-b32c-06bdfa80244c]}
Output:
{Extkey[name=EXTENSION_INVOKE_RESULT;type=class
java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40f
b-b6c0-099c772ddd4e];]=2, Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class
java.lang.String;uuid=EXTENSION_INVOKE
_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=anonymous bind disallowed}
As you can see, the engine tries to make an anonimous binding and it's
unsuccessful...
Thank you very much (and sorry for the previous message),
Re: [ovirt-users] Error authenticating bind using the AAA OpenLDAP module
On 01/15/2015 10:36 AM, Alon Bar-Lev wrote:
- Original Message -
From: Bruno Rodriguez br...@pic.es
To: Ondra Machacek omach...@redhat.com
Cc: Esther Accion esth...@pic.es, users@ovirt.org
Sent: Thursday, January 15, 2015 11:20:57 AM
Subject: Re: [ovirt-users] Error authenticating bind using the AAA OpenLDAP
module
Thank you very much,
using the following ldap.example.org file:
-
include = openldap_example.properties
include = rfc2307.properties
what do you have in openldap_example.properties?
It seems you have specified anonymous bind in
openldap_example.properties. You should probably try it with original
one (openldap.properties).
vars.server = ldap1.example.org
#vars.user = cn=authenticate,ou=System,dc=example,dc=org
#vars.password = X
why have you commented out the vars?
you should have just removed the quotes from vars.password and keep bellow
as-is.
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = cn=authenticate,ou=System,dc=example,dc=org
pool.default.auth.simple.password = X
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file =
/etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
pool.default.ssl.truststore.password = X
-
Then I get the following in the engine log:
2015-01-15 10:04:15,250 ERROR
[org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
(ajp--127.0.0.1-8702-3) Error during CanDoActionFailure.: Class: class
org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException
Input:
{Extkey[name=AAA_AUTHN_CREDENTIALS;type=class
java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-4bb5-4592-8167-810a5c909706];]=***,
Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class
org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0,
Extkey[name=EXTENSION_LICENSE;type=class
java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL
2.0, Extkey[name=EXTENSION_NOTES;type=class
java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display
name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6,
Extkey[name=EXTENSION_HOME_URL;type=class
java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]=
http://www.ovirt.org ,Extkey[name=EXTENSION_LOCALE;type=class
java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US,
Extkey[name=EXTENSION_NAME;type=class
java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn,
Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0,
Extkey[name=EXTENSION_CONFIGURATION;type=class
java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***,
Extkey[name=EXTENSION_AUTHOR;type=class
java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The
oVirt Project, Extkey[name=EXTENSION_INSTANCE_NAME;type=class
java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=
authn-ldap.example.org ,
Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class
java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0,
Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface
java.util.Collection;uuid=EXTENSION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[],
Extkey[name=AAA_AUTHN_CAPABILITIES;type=class
java.lang.Long;uuid=AAA_AUTHN_CAPABILITIES[9d16bee3-10fd-46f2-83f9-3d3c54cf258d];]=12,
Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class
org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*,
Extkey[name=EXTENSION_VERSION;type=class
java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8-8239-4bdb-ab1a-af9f779ce68c];]=1.0.0,
Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface
org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.impl.Slf4jLogger(
org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authn.authn-ldap.example.org
), Extkey[name=EXTENSION_PROVIDES;type=interface
java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.extensions.aaa.Authn]},
Extkey[name=AAA_AUTHN_USER;type=class
java.lang.String;uuid=AAA_AUTHN_USER[1ceaba26-1bdc-4663-a3c6-5d926f9dd8f0];]=bruno,
Extkey[name=EXTENSION_INVOKE_COMMAND;type=class
org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHN_AUTHENTICATE_CREDENTIALS[d9605c75-6b43-4b00-b32c-06bdfa80244c]}
Output:
{Extkey[name
Re: [ovirt-users] Error authenticating bind using the AAA OpenLDAP module
Thanks ! Now it's working!
The problem was the absence of the line:
pool.default.auth.type = simple
It's strange, I thought that the default auth type was set to simple and I
didn't check it twice. After setting that the problem has to do about a
user/password incorrect, which is our problem because of the schema we are
using (migrated from a NIS some time ago).
The openldap_example.properties actually was a copy of openldap.properties,
I did it that way to customize it to our schema, but in a first instance
it was a carbon copy of the original.
Thanks again !
Bruno
On Thu, Jan 15, 2015 at 10:43 AM, Ondra Machacek omach...@redhat.com
wrote:
On 01/15/2015 10:36 AM, Alon Bar-Lev wrote:
- Original Message -
From: Bruno Rodriguez br...@pic.es
To: Ondra Machacek omach...@redhat.com
Cc: Esther Accion esth...@pic.es, users@ovirt.org
Sent: Thursday, January 15, 2015 11:20:57 AM
Subject: Re: [ovirt-users] Error authenticating bind using the AAA
OpenLDAP module
Thank you very much,
using the following ldap.example.org file:
-
include = openldap_example.properties
include = rfc2307.properties
what do you have in openldap_example.properties?
It seems you have specified anonymous bind in openldap_example.properties.
You should probably try it with original one (openldap.properties).
vars.server = ldap1.example.org
#vars.user = cn=authenticate,ou=System,dc=example,dc=org
#vars.password = X
why have you commented out the vars?
you should have just removed the quotes from vars.password and keep
bellow as-is.
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = cn=authenticate,ou=System,dc=
example,dc=org
pool.default.auth.simple.password = X
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file =
/etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
pool.default.ssl.truststore.password = X
-
Then I get the following in the engine log:
2015-01-15 10:04:15,250 ERROR
[org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
(ajp--127.0.0.1-8702-3) Error during CanDoActionFailure.: Class: class
org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedEx
ception
Input:
{Extkey[name=AAA_AUTHN_CREDENTIALS;type=class
java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-
4bb5-4592-8167-810a5c909706];]=***,
Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class
org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[
886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=
EXTENSION_INTERFACE_VERSION_MAX;type=class
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_
MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0,
Extkey[name=EXTENSION_LICENSE;type=class
java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-
054c-4e31-9c6d-1ca4d60a4c18];]=ASL
2.0, Extkey[name=EXTENSION_NOTES;type=class
java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-
4584-aaff-97f66978e4ea];]=Display
name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6,
Extkey[name=EXTENSION_HOME_URL;type=class
java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-
f969-42d4-b399-72d192e18304];]=
http://www.ovirt.org ,Extkey[name=EXTENSION_LOCALE;type=class
java.lang.String;uuid=EXTENSION_LOCALE[0780b112-
0ce0-404a-b85e-8765d778bb29];]=en_US,
Extkey[name=EXTENSION_NAME;type=class
java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-
4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn,
Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_
MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0,
Extkey[name=EXTENSION_CONFIGURATION;type=class
java.util.Properties;uuid=EXTENSION_CONFIGURATION[
2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***,
Extkey[name=EXTENSION_AUTHOR;type=class
java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-
2dad-4bc5-9aad-e07018b7fbcc];]=The
oVirt Project, Extkey[name=EXTENSION_INSTANCE_NAME;type=class
java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-
8674327f011b];]=
authn-ldap.example.org ,
Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class
java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_
VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0,
Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface
java.util.Collection;uuid=EXTENSION_CONFIGURATION_
SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[],
Extkey[name=AAA_AUTHN_CAPABILITIES;type=class
java.lang.Long;uuid=AAA_AUTHN_CAPABILITIES[9d16bee3-10fd-
46f2-83f9-3d3c54cf258d];]=12,
Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class
org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[
9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*,
Extkey[name=EXTENSION_VERSION;type=class
java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8-
8239-4bdb-ab1a-af9f779ce68c];]=1.0.0,
Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface
org.slf4j.Logger;uuid
Re: [ovirt-users] Error authenticating bind using the AAA OpenLDAP module
Thank you very much,
using the following ldap.example.org file:
-
include = openldap_example.properties
include = rfc2307.properties
vars.server = ldap1.example.org
#vars.user = cn=authenticate,ou=System,dc=example,dc=org
#vars.password = X
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN =
cn=authenticate,ou=System,dc=example,dc=org
pool.default.auth.simple.password = X
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file =
/etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
pool.default.ssl.truststore.password = X
-
Then I get the following in the engine log:
2015-01-15 10:04:15,250 ERROR
[org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
(ajp--127.0.0.1-8702-3) Error during CanDoActionFailure.: Class: class
org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException
Input:
{Extkey[name=AAA_AUTHN_CREDENTIALS;type=class
java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-4bb5-4592-8167-810a5c909706];]=***,
Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class
org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0,
Extkey[name=EXTENSION_LICENSE;type=class
java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL
2.0, Extkey[name=EXTENSION_NOTES;type=class
java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display
name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6,
Extkey[name=EXTENSION_HOME_URL;type=class
java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]=
http://www.ovirt.org,Extkey[name=EXTENSION_LOCALE;type=class
java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US,
Extkey[name=EXTENSION_NAME;type=class
java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn,
Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0,
Extkey[name=EXTENSION_CONFIGURATION;type=class
java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***,
Extkey[name=EXTENSION_AUTHOR;type=class
java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The
oVirt Project, Extkey[name=EXTENSION_INSTANCE_NAME;type=class
java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=
authn-ldap.example.org,
Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class
java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0,
Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface
java.util.Collection;uuid=EXTENSION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[],
Extkey[name=AAA_AUTHN_CAPABILITIES;type=class
java.lang.Long;uuid=AAA_AUTHN_CAPABILITIES[9d16bee3-10fd-46f2-83f9-3d3c54cf258d];]=12,
Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class
org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*,
Extkey[name=EXTENSION_VERSION;type=class
java.lang.String;uuid=EXTENSION_VERSION[fe35f6a8-8239-4bdb-ab1a-af9f779ce68c];]=1.0.0,
Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface
org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.impl.Slf4jLogger(
org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace.ovirt-engine-extension-aaa-ldap.authn.authn-ldap.example.org),
Extkey[name=EXTENSION_PROVIDES;type=interface
java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.extensions.aaa.Authn]},
Extkey[name=AAA_AUTHN_USER;type=class
java.lang.String;uuid=AAA_AUTHN_USER[1ceaba26-1bdc-4663-a3c6-5d926f9dd8f0];]=bruno,
Extkey[name=EXTENSION_INVOKE_COMMAND;type=class
org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a-b823-77b262a2f28d];]=AAA_AUTHN_AUTHENTICATE_CREDENTIALS[d9605c75-6b43-4b00-b32c-06bdfa80244c]}
Output:
{Extkey[name=EXTENSION_INVOKE_RESULT;type=class
java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2,
Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class
java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=anonymous
bind disallowed}
---
And this is the ldap connection log:
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 fd=114
ACCEPT from IP=192.168.XX.XX:41469 (IP=0.0.0.0:389)
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0 EXT
oid=1.3.6.1.4.1.1466.20037
/var/log/ldap.log:Jan 15 10:04:15 ldap1 slapd[6712]: conn=1671350 op=0
STARTTLS
[ovirt-users] Error authenticating bind using the AAA OpenLDAP module
Good afternoon,
We cannot access to Ovirt using LDAP authentication against our openldap
server. We created the following files in /etc/ovirt-engine/extensions.d
(the organization name is not example.org and the passwords are not
, obviously) :
--- /etc/ovirt-engine/extensions.d/ldap.example.org ---
include = openldap_example.properties
vars.server = ldap1.example.org
vars.user = cn=authenticate,ou=System,dc=example,dc=org
vars.password =
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file =
/etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
pool.default.ssl.truststore.password =
---
/etc/ovirt-engine/extensions.d/authn-ldap.example.org.properties ---
ovirt.engine.extension.name = authn-ldap.example.org
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module =
org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class =
org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = ldap.example.org
ovirt.engine.aaa.authn.authz.plugin = authz-ldap.example.org
config.profile.file.1 = /etc/ovirt-engine/extensions.d/ldap.example.org
---
/etc/ovirt-engine/extensions.d/authz-ldap.example.org.properties ---
ovirt.engine.extension.name = authz-ldap.example.org
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module =
org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class =
org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/extensions.d/ldap.example.org
After all of this we restarted the service and tried to access via the
administration portal. The JKS has the right permissions and contains the
TLS CA, the password is correct and the user esthera exists. But when we
try to log in, we obtain the following error in the engine.log (we already
set the verbosity to ALL):
2015-01-14 16:35:25,750 ERROR
[org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
(ajp--127.0.0.1-8702-6) Error during CanDoActionFailure.: Class: class
org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException
Input:
{Extkey[name=AAA_AUTHN_CREDENTIALS;type=class java.lang.String;uuid=AAA_
AUTHN_CREDENTIALS[03b96485-4bb5-4592-8167-810a5c909706];]=***,
Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class org.ovirt.engine.api.
extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-
e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_
MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0,
Extkey[name=EXTENSION_LICENSE;type=class java.lang.String;uuid=
EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL 2.0,
Extkey[name=EXTENSION_NOTES;type=class java.lang.String;uuid=
EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display name:
ovirt-engine-extension-aaa-ldap-1.0.0-1.el6,
Extkey[name=EXTENSION_HOME_URL;type=class
java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-
f969-42d4-b399-72d192e18304];]=http://www.ovirt.org,
Extkey[name=EXTENSION_LOCALE;type=class java.lang.String;uuid=
EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US,
Extkey[name=EXTENSION_NAME;type=class java.lang.String;uuid=
EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=
ovirt-engine-extension-aaa-ldap.authn, Extkey[name=EXTENSION_
INTERFACE_VERSION_MIN;type=class java.lang.Integer;uuid=
EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0,
Extkey[name=EXTENSION_CONFIGURATION;type=class java.util.Properties;uuid=
EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***,
Extkey[name=EXTENSION_AUTHOR;type=class java.lang.String;uuid=
EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The oVirt Project,
Extkey[name=EXTENSION_INSTANCE_NAME;type=class java.lang.String;uuid=
EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=authn-ldap.
http://authn-ldap.pic.es/example.org,
Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class
java.lang.Integer;uuid=EXTENSION_BUILD_INTERFACE_VERSION[cb479e5a-4b23-46f8-aed3-56a4747a8ab7];]=0,
Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface
java.util.Collection;uuid=EXTENSION_CONFIGURATION_
SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[],
Extkey[name=AAA_AUTHN_CAPABILITIES;type=class java.lang.Long;uuid=AAA_AUTHN_
CAPABILITIES[9d16bee3-10fd-46f2-83f9-3d3c54cf258d];]=12,
Re: [ovirt-users] Error authenticating bind using the AAA OpenLDAP module
Hi,
On 01/14/2015 04:53 PM, Bruno Rodriguez wrote:
Good afternoon,
We cannot access to Ovirt using LDAP authentication against our openldap
server. We created the following files in /etc/ovirt-engine/extensions.d
(the organization name is not example.org http://example.org and the
passwords are not , obviously) :
--- /etc/ovirt-engine/extensions.d/ldap.example.org
http://ldap.example.org ---
include = openldap_example.properties
vars.server = ldap1.example.org http://ldap1.example.org
vars.user = cn=authenticate,ou=System,dc=example,dc=org
vars.password =
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file =
/etc/ovirt-engine/extensions.d/ldap.example.org_keystore.jks
pool.default.ssl.truststore.password =
---
/etc/ovirt-engine/extensions.d/authn-ldap.example.org.properties ---
ovirt.engine.extension.name http://ovirt.engine.extension.name =
authn-ldap.example.org http://authn-ldap.example.org
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module =
org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class =
org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name
http://ovirt.engine.aaa.authn.profile.name = ldap.example.org
http://ldap.example.org
ovirt.engine.aaa.authn.authz.plugin = authz-ldap.example.org
http://authz-ldap.example.org
config.profile.file.1 = /etc/ovirt-engine/extensions.d/ldap.example.org
http://ldap.example.org
---
/etc/ovirt-engine/extensions.d/authz-ldap.example.org.properties ---
ovirt.engine.extension.name http://ovirt.engine.extension.name =
authz-ldap.example.org http://authz-ldap.example.org
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module =
org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class =
org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/extensions.d/ldap.example.org
http://ldap.example.org
After all of this we restarted the service and tried to access via the
administration portal. The JKS has the right permissions and contains
the TLS CA, the password is correct and the user esthera exists. But
when we try to log in, we obtain the following error in the engine.log
(we already set the verbosity to ALL):
2015-01-14 16:35:25,750 ERROR
[org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
(ajp--127.0.0.1-8702-6) Error during CanDoActionFailure.: Class: class
org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException
Input:
{Extkey[name=AAA_AUTHN_CREDENTIALS;type=class
java.lang.String;uuid=AAA_AUTHN_CREDENTIALS[03b96485-4bb5-4592-8167-810a5c909706];]=***,
Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class
org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0,
Extkey[name=EXTENSION_LICENSE;type=class
java.lang.String;uuid=EXTENSION_LICENSE[8a61ad65-054c-4e31-9c6d-1ca4d60a4c18];]=ASL
2.0, Extkey[name=EXTENSION_NOTES;type=class
java.lang.String;uuid=EXTENSION_NOTES[2da5ad7e-185a-4584-aaff-97f66978e4ea];]=Display
name: ovirt-engine-extension-aaa-ldap-1.0.0-1.el6,
Extkey[name=EXTENSION_HOME_URL;type=class
java.lang.String;uuid=EXTENSION_HOME_URL[4ad7a2f4-f969-42d4-b399-72d192e18304];]=http://www.ovirt.org
http://www.ovirt.org/, Extkey[name=EXTENSION_LOCALE;type=class
java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US,
Extkey[name=EXTENSION_NAME;type=class
java.lang.String;uuid=EXTENSION_NAME[651381d3-f54f-4547-bf28-b0b01a103184];]=ovirt-engine-extension-aaa-ldap.authn,
Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class
java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0,
Extkey[name=EXTENSION_CONFIGURATION;type=class
java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***,
Extkey[name=EXTENSION_AUTHOR;type=class
java.lang.String;uuid=EXTENSION_AUTHOR[ef242f7a-2dad-4bc5-9aad-e07018b7fbcc];]=The
oVirt Project, Extkey[name=EXTENSION_INSTANCE_NAME;type=class
java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=authn-ldap.
http://authn-ldap.pic.es/example.org http://example.org,
Extkey[name=EXTENSION_BUILD_INTERFACE_VERSION;type=class
