[one-users] x509 Auth Failing after 24 hours

Anthony Tiradani tiradani at fnal.gov
Fri Dec 16 10:39:05 PST 2011


Quick question:  I have my oneadmin user set up for x509
authentication... at least I thought I did.  When I query the one.db
database, I see:

0|oneadmin|<USER><ID>0</ID><GID>0</GID><GNAME>oneadmin</GNAME><NAME>oneadmin</NAME><PASSWORD>Hash/Encrypted Value Goes Here</PASSWORD><AUTH_DRIVER>core</AUTH_DRIVER><ENABLED>1</ENABLED><TEMPLATE></TEMPLATE></USER>

If I have it set up for x509, why do I see "core" as my AUTH_DRIVER?
Also, what is in the password field?  Is that the encrypted DN or
something else?

Thanks,

Anthony Tiradani
tiradani at fnal.gov
+1 630 840 4479


On 12/16/2011 11:53 AM, Daniel Molina wrote:
> Hi,
>
> On 16 December 2011 05:01, Anthony Tiradani <tiradani at fnal.gov> wrote:
>> I should also mention that this is an OpenNebula 3.1 installation (via the
>> rpm) on Scientific Linux 6.1.  I have the DEBUG setting set to 3 which
>> according to the comments in oned.conf should be the most verbose.
>>
> The logs should show more information, something like:
>
> Fri Dec 16 09:49:45 2011 [AuM][D]: Message received: AUTHENTICATE SUCCESS 1526 -
>
> and in case of FAILURE it will contain information about it
>
>> In trying to debug, I used the authenticate script in
>> /var/lib/one/remotes/auth/x509 which imports and uses
>> /usr/lib/one/ruby/x509_auth.rb.  If I take the token that is decrypted from
>> the file /var/lib/one/.one/one_x509 I can perform openssl operations on it
>> and verify it.  If I run the values through the authenticate script, I find
>> that there is a problem parsing the CA chain.  When it calculates the hash
>> value for the CA, it is dropping a leading 0 which makes the file path
>> invalid.  Could this be the problem?
> Would you mind trying with a symlink and checking if that fixes the problem?
>
> Kind regards.
>
>> Thanks,
>>
>> Anthony Tiradani
>> tiradani at fnal.gov
>> +1 630 840 4479
>>
>>
>> On 12/15/11 5:07 PM, Anthony Tiradani wrote:
>>
>> This is the only message I get in oned.log:
>>
>> Thu Dec 15 17:05:47 2011 [ReM][E]: [HostPoolInfo] User couldn't be
>> authenticated, aborting call.
>>
>> I am running onehost list when I see that error.
>>
>> Anthony Tiradani
>> tiradani at fnal.gov
>> +1 630 840 4479
>>
>>
>> On 12/15/2011 03:40 PM, Ruben S. Montero wrote:
>>
>> Hi,
>>
>> Could you send the messages in oned.log file? You should see there
>> messages from the driver describing the error...
>>
>> Cheers
>>
>> Ruben
>>
>> On Thu, Dec 15, 2011 at 5:31 PM, Anthony Tiradani <tiradani at fnal.gov> wrote:
>>
>> Hi,
>>
>> I am trying to set up OpenNebula with x509 authentication.  I am using
>> sqlite as the DB back end for now.  I am following the documentation
>> here: http://opennebula.org/documentation:rel3.0:x509_auth
>>
>> I've configured everything correctly as far as I can tell.  I can
>> successfully use x509 to login, but after 24 hours (no matter what I set
>> the expire time to with the --time argument) I get error messages saying
>> that the user couldn't be authenticated.
>>
>> I've tried re-running the "oneuser login ..." command to no avail.  The
>> only thing that works is if I delete one.db and restart OpenNebula.
>> Then I can log in just fine, but all the configuration that I have done
>> is lost.  What do I have to do to fix this?
>>
>> Thanks,
>>
>> --
>> Anthony Tiradani
>> tiradani at fnal.gov
>> +1 630 840 4479
>>
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.opennebula.org
>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>
>
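
Added example, not part of the original thread and not OpenNebula's code: the quoted message reports that the computed CA hash loses a leading 0, and this sketch shows how that breaks a lookup in an OpenSSL hashed CA directory, where files are named with eight hex digits plus ".0". It assumes the loss comes from formatting the hash without a fixed width; all function names and the CA names are constructed for illustration.

```ruby
require 'openssl'
require 'tmpdir'

# Hashed CA directories (c_rehash layout) name each CA file
# "<8 lowercase hex digits>.<n>"; n counts up from 0 on collisions.
def padded_ca_name(name, n = 0)
  format('%08x.%d', name.hash, n)
end

# Assumed form of the bug: no fixed width, so leading zeros vanish.
def unpadded_ca_name(name, n = 0)
  "#{name.hash.to_s(16)}.#{n}"
end

# Path of the CA file with this name in dir, or nil if it is absent.
def find_ca_file(dir, file_name)
  path = File.join(dir, file_name)
  File.exist?(path) ? path : nil
end

# Constructed input: try made-up CA names until one hashes to a value
# whose hex form starts with 0 (about one name in sixteen does).
def constructed_issuer_with_leading_zero
  (1..10_000).each do |i|
    dn = "/DC=example/CN=Constructed Test CA #{i}"
    name = OpenSSL::X509::Name.parse(dn)
    return name if name.hash < 0x1000_0000
  end
  raise 'no constructed name with a leading-zero hash found'
end

def demo
  issuer = constructed_issuer_with_leading_zero
  good = padded_ca_name(issuer)
  bad = unpadded_ca_name(issuer)
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, good), "placeholder for a CA PEM\n")
    before = !find_ca_file(dir, bad).nil?
    # Workaround raised in the thread: symlink the short name.
    File.symlink(good, File.join(dir, bad))
    after = !find_ca_file(dir, bad).nil?
    { padded: good, unpadded: bad, padded_found: !find_ca_file(dir, good).nil?,
      unpadded_found: before, unpadded_found_after_symlink: after }
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

Only issuers whose hash happens to start with 0 are affected, so a lookup written this way works for most CAs and fails for a few.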
