Hi again,
More on this! I managed to get a user without whitespace and I have bad
news:
While stating a wrong DN/pass is almost instant to refuse connection by
stating an authentication error, I cannot manage to authenticate using
the proper DN/pass. I'm back to the original situation: the execution
expired message.
In the log I can see the following message for the wrong ID:
Mon Jun 13 21:11:56 2011 [AuM][D]: Message received: AUTHENTICATE FAILURE 0 false
Mon Jun 13 21:11:56 2011 [AuM][E]: Auth Error: false
Mon Jun 13 21:11:56 2011 [ReM][E]: [VirtualMachinePoolInfo] User couldn't be authenticated, aborting call.
But nothing for the right ID.
Any idea on this?
Regards.
On 13/06/11 18:42, Carlos A. wrote:
Hi Tino,
finally I think that I got it. The problem is that my DN has spaces in the CN.
So I think that the one_auth file is not properly handled and it results in a
failure whenever a space is used in this file. That is why I got the same
failure when changing the authentication method to "simple" or to even a
nonexistent method. It is simply because the authentication method was not
launched at all because of a previous error.
The current problem is that I cannot authenticate because my DN has spaces ;) so
I cannot use it within Open Nebula. But at least I do not get the "expired
time" error and it outputs an authentication error.
Any workaround on this?
Regards,
Carlos A.
Message quoted by "Carlos A."<[email protected]>:
Hi,
I get the expected output
Tino Vazquez<[email protected]> wrote:
Hi Carlos,
Let's try executing the auth mad by hand (the error, from your input,
seems not to be exclusive of the ldap addon, but rather of the auth
module), to discard missing gems
# $ONE_LOCATION/lib/mads/one_auth_mad
after hitting return, it will wait for input, type
INIT
you should get
INIT SUCCESS - -
Regards,
-Tino
--
Constantino Vázquez Blanco, MSc
OpenNebula Major Contributor
www.OpenNebula.org | @tinova79
On Mon, Jun 13, 2011 at 1:29 PM, Carlos A.<[email protected]> wrote:
Hi Tino,
more info on this.
While using my test script to authenticate I can see the success in the ldap
server, I cannot see any information when trying to authenticate using ONE.
On 13/06/11 12:43, Tino Vazquez wrote:
Hi Carlos,
This may be due to an eager timeout that the core imposes over the ldap
driver.
Please find attached a patch for the OpenNebula source code, please
apply it, recompile and reinstall, we would appreciate feedback on
whether this fixes the improper ldap plugin behavior or not.
Regards,
-Tino
On Sat, Jun 11, 2011 at 10:22 AM, Carlos A.<[email protected]> wrote:
Hello,
Any help on this? Is ldap addon supposed to work with opennebula 2.2? Has
anyone tried it?
On 09/06/2011 10:46, Carlos A. wrote:
Hello,
first of all, thank you for your response.
Once I have managed to make ldap_auth work, I found the following issue:
root@keo01:/srv/cloud/one# onevm list
execution expired
I cannot manage to authenticate against my ldap server. I have tried the
ldap authentication that is carried out by ONE:
require 'rubygems'
require 'net/ldap'
ldap = Net::LDAP.new
ldap.host = "my.ldap.server"
ldap.port = 389
ldap.auth "my-dn", "my-pass"
print ldap.bind
It is properly working, as my server authenticates me. I have (of course)
tried changing the password and it works as expected.
Diving into the code, it seems that there is some problem in the file
"src/um/UserPool.cc", at
authm->trigger(AuthManager::AUTHENTICATE,&ar);
ar.wait();
Any idea?
On 09/06/11 00:51, [email protected] wrote:
The official OpenNebula installation instructions for the ldap driver are
incomplete and fail to mention some software packages that you have to
install first. I don't remember which ones they were, but you can find out
as follows:
* cd to .../lib/ruby
* execute 'ruby ldap_auth.rb'.
* Ruby will complain about any missing packages. Install those until ruby
is happy.
Carsten
Carsten Friedrich
Research Team leader
ICT Centre, GPO Box 664,Canberra, ACT 2601
Phone: +61 2 6216 7019
Email: [email protected]
Web: http://www.csiro.au/org/ICT.html
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Carlos A.
Sent: Wednesday, 8 June 2011 18:17
To: [email protected]
Subject: Re: [one-users] Problem with ldap authentication
Any help on this?
On 02/06/11 16:55, Carlos A. wrote:
More information on this:
in /srv/cloud/one/var/oned.log I can see
Thu Jun 2 16:52:09 2011 [ONE][I]: Init OpenNebula Log system
Thu Jun 2 16:52:09 2011 [ONE][I]: Log Level: 3 [0=ERROR,1=WARNING,2=INFO,3=DEBUG]
Thu Jun 2 16:52:09 2011 [ONE][I]:
_____________________________________________
Thu Jun 2 16:52:09 2011 [ONE][I]: OpenNebula Configuration File
Thu Jun 2 16:52:09 2011 [ONE][I]:
_____________________________________________
Thu Jun 2 16:52:09 2011 [ONE][I]:
_____________________________________________
AUTH_MAD=EXECUTABLE=/srv/cloud/one/lib/mads/one_auth_mad
DB=BACKEND=sqlite
DEBUG_LEVEL=3
DEFAULT_DEVICE_PREFIX=hd
DEFAULT_IMAGE_TYPE=OS
HM_MAD=EXECUTABLE=one_hm
HOST_MONITORING_INTERVAL=600
IMAGE_REPOSITORY_PATH=/srv/cloud/one/var//images
IM_MAD=ARGUMENTS=-r 0 -t 15 kvm,EXECUTABLE=one_im_ssh,NAME=im_kvm
MAC_PREFIX=02:00
MANAGER_TIMER=15
NETWORK_SIZE=254
PORT=2633
SCRIPTS_REMOTE_DIR=/var/tmp/one
TM_MAD=ARGUMENTS=tm_nfs/tm_nfs.conf,EXECUTABLE=one_tm,NAME=tm_nfs
VM_DIR=/srv/cloud/one/var/
VM_HOOK=ARGUMENTS=$VMID,COMMAND=image.rb,NAME=image,ON=DONE
VM_MAD=ARGUMENTS=-t 15 -r 0 kvm,DEFAULT=vmm_ssh/vmm_ssh_kvm.conf,EXECUTABLE=one_vmm_ssh,NAME=vmm_kvm,TYPE=kvm
VM_POLLING_INTERVAL=600
VNC_BASE_PORT=5900
_____________________________________________
Thu Jun 2 16:52:09 2011 [ONE][I]: Bootstraping OpenNebula database.
Thu Jun 2 16:52:09 2011 [VMM][I]: Starting Virtual Machine Manager...
Thu Jun 2 16:52:09 2011 [LCM][I]: Starting Life-cycle Manager...
Thu Jun 2 16:52:09 2011 [VMM][I]: Virtual Machine Manager started.
Thu Jun 2 16:52:09 2011 [InM][I]: Starting Information Manager...
Thu Jun 2 16:52:09 2011 [InM][I]: Information Manager started.
Thu Jun 2 16:52:09 2011 [LCM][I]: Life-cycle Manager started.
Thu Jun 2 16:52:09 2011 [TrM][I]: Starting Transfer Manager...
Thu Jun 2 16:52:09 2011 [DiM][I]: Starting Dispatch Manager...
Thu Jun 2 16:52:09 2011 [TrM][I]: Transfer Manager started.
Thu Jun 2 16:52:09 2011 [DiM][I]: Dispatch Manager started.
Thu Jun 2 16:52:09 2011 [ReM][I]: Starting Request Manager...
Thu Jun 2 16:52:09 2011 [ReM][I]: Starting XML-RPC server, port 2633 ...
Thu Jun 2 16:52:09 2011 [ReM][I]: Request Manager started.
Thu Jun 2 16:52:09 2011 [HKM][I]: Starting Hook Manager...
Thu Jun 2 16:52:09 2011 [AuM][I]: Starting Auth Manager...
Thu Jun 2 16:52:09 2011 [AuM][I]: Authorization Manager started.
Thu Jun 2 16:52:09 2011 [HKM][I]: Hook Manager started.
Thu Jun 2 16:52:11 2011 [VMM][I]: Loading Virtual Machine Manager drivers.
Thu Jun 2 16:52:11 2011 [VMM][I]: Loading driver: vmm_kvm (KVM)
Thu Jun 2 16:52:11 2011 [VMM][I]: Driver vmm_kvm loaded.
Thu Jun 2 16:52:11 2011 [InM][I]: Loading Information Manager drivers.
Thu Jun 2 16:52:11 2011 [InM][I]: Loading driver: im_kvm
Thu Jun 2 16:52:11 2011 [InM][I]: Driver im_kvm loaded
Thu Jun 2 16:52:11 2011 [TM][I]: Loading Transfer Manager drivers.
Thu Jun 2 16:52:11 2011 [VMM][I]: Loading driver: tm_nfs
Thu Jun 2 16:52:11 2011 [TM][I]: Driver tm_nfs loaded.
Thu Jun 2 16:52:11 2011 [HKM][I]: Loading Hook Manager driver.
Thu Jun 2 16:52:11 2011 [HKM][I]: Hook Manager loaded
Thu Jun 2 16:52:11 2011 [AuM][I]: Loading Auth. Manager driver.
Thu Jun 2 16:52:11 2011 [MAD][E]: MAD did not answer INIT command
Thu Jun 2 16:52:12 2011 [ReM][D]: VirtualMachinePoolInfo method invoked
Thu Jun 2 16:52:12 2011 [AuM][E]: Auth Error: Could not find Authorization driver
Thu Jun 2 16:52:12 2011 [ReM][E]: [VirtualMachinePoolInfo] User couldn't be authenticated, aborting call.
It seems that it cannot find the driver as a relative path name, but I
have also tried to use the full path of the auth driver.
Any help would be appreciated.
Regards,
Carlos A.
On 02/06/11 11:39, Carlos A. wrote:
Hello,
I have just installed the ldap authentication addon on a fresh ONE
install. I followed the instructions and I found that I cannot
authenticate against the LDAP server.
What am I not doing in a wrong way?
_____________________________________________
carlos@keo01:~$ onevm list
[VirtualMachinePoolInfo] User couldn't be authenticated, aborting call.
carlos@keo01:~$ tail /srv/cloud/one/var/oned.log
(...)
Thu Jun 2 11:27:22 2011 [AuM][E]: Auth Error: Could not find Authorization driver
Thu Jun 2 11:27:22 2011 [ReM][E]: [VirtualMachinePoolInfo] User couldn't be authenticated, aborting call.
(...)
calfonso@keo01:/srv/cloud/one/lib/mads$ ls -l one_auth_mad*
-rwxr-xr-x 1 oneadmin root 1632 Jun 2 09:53 one_auth_mad
-rwxr-xr-x 1 oneadmin root 3341 Jun 2 09:58 one_auth_mad.rb
carlos@keo01:/srv/cloud/one/lib/mads$ ls -l /srv/cloud/one/lib/ruby/ldap_auth.rb
-rw-r--r-- 1 oneadmin cloud 1340 Jun 2 09:58 /srv/cloud/one/lib/ruby/ldap_auth.rb
*** content of /srv/cloud/one/etc/auth/auth.conf
:database: sqlite://auth.db
:authentication: ldap
:quota:
  :enabled: false
  :defaults:
    :cpu: 10.0
    :memory: 1048576
:ldap:
  :host: my.ldap.server
  :port: 389
*** content of /srv/cloud/one/etc/oned.conf
(...)
AUTH_MAD = [
executable = "one_auth_mad" ]
_____________________________________________
_______________________________________________
Users mailing list
[email protected]
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
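
The whitespace problem reported in this thread (a DN whose CN contains spaces), as an added Ruby example that is not code from the original messages or from OpenNebula: a space-delimited driver line mis-parses such a DN, while encoding the free-form fields keeps the framing unambiguous and lets the parser reject malformed input immediately. The request layout, the function names and the sample values are assumptions constructed for illustration.

```ruby
# Added illustration, not OpenNebula code. The request layout
# "AUTHENTICATE <id> <user> <secret>" is an assumption modelled on the
# space-separated driver replies quoted in the thread ("INIT SUCCESS - -").
require 'base64'

# Constructed sample values.
DN_WITH_SPACE = 'cn=Carlos Example,ou=people,dc=example,dc=org'
DN_NO_SPACE   = 'cn=carlos,ou=people,dc=example,dc=org'
SAMPLE_SECRET = 'constructed-secret'

# Naive framing: fields joined by spaces, nothing escaped.
def naive_encode(id, user, secret)
  ['AUTHENTICATE', id, user, secret].join(' ')
end

# Naive parsing: whitespace split, reject anything that is not 4 fields.
def naive_decode(line)
  fields = line.split(' ')
  return nil unless fields.size == 4
  { id: fields[1].to_i, user: fields[2], secret: fields[3] }
end

# Hardened framing: free-form fields are Base64-encoded, so they can never
# contain the delimiter (or a newline that would end the message early).
def safe_encode(id, user, secret)
  ['AUTHENTICATE', id,
   Base64.urlsafe_encode64(user), Base64.urlsafe_encode64(secret)].join(' ')
end

# Strict parsing: exact field count, numeric id, valid Base64, else raise.
def safe_decode(line)
  fields = line.chomp.split(' ', -1)
  raise ArgumentError, "expected 4 fields, got #{fields.size}" unless fields.size == 4
  raise ArgumentError, 'unexpected action' unless fields[0] == 'AUTHENTICATE'
  raise ArgumentError, 'bad request id' unless fields[1] =~ /\A\d+\z/
  user, secret = fields[2, 2].map { |f| Base64.urlsafe_decode64(f).force_encoding('UTF-8') }
  { id: fields[1].to_i, user: user, secret: secret }
end

if __FILE__ == $PROGRAM_NAME
  p naive_decode(naive_encode(0, DN_NO_SPACE, SAMPLE_SECRET))   # parses
  p naive_decode(naive_encode(0, DN_WITH_SPACE, SAMPLE_SECRET)) # field count is off
  p safe_decode(safe_encode(0, DN_WITH_SPACE, SAMPLE_SECRET))   # DN survives intact
end
```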