[one-users] Problem with ldap authentication

Carlos A. caralla at upv.es
Mon Jun 13 12:16:00 PDT 2011


Hi again,

more on this! I managed to get a user without whitespaces and I have bad 
news:

while stating a wrong DN/pass is almost instant to refuse connection by 
stating an authentication error, I cannot manage to authenticate using 
the proper DN/pass. I'm back to the original situation: the execution 
expired message.

In the log I can see the following message for the wrong ID:

Mon Jun 13 21:11:56 2011 [AuM][D]: Message received: AUTHENTICATE FAILURE 0 false
Mon Jun 13 21:11:56 2011 [AuM][E]: Auth Error: false
Mon Jun 13 21:11:56 2011 [ReM][E]: [VirtualMachinePoolInfo] User couldn't be authenticated, aborting call.

But nothing for the right ID.

Any idea on this?

Regards.


On 13/06/11 18:42, Carlos A. wrote:
> Hi Tino,
>
> finally I think that I got it. The problem is that my DN has spaces in the CN.
> So I think that the one_auth file is not properly handled and it results in a
> failure whenever a space is used in this file. That is why I got the same
> failure when changing the authentication method to "simple" or to even a
> nonexistent method. It is simply because the authentication method was not
> launched at all because of a previous error.
>
> The current problem is that I cannot authenticate because my DN has spaces ;) so
> I cannot use it within Open Nebula. But at least I do not get the "expired
> time" error and it outputs an authentication error.
>
> Any workaround on this?
>
> Regards,
> Carlos A.
>
> Message quoted from "Carlos A."<caralla at upv.es>:
>
>> Hi,
>> i get the expected output
>> --
>> Sent from my Android phone with K-9 Mail. Excuse my brevity
>>
>> Tino Vazquez<tinova at opennebula.org>  wrote:
>>
>> Hi Carlos,
>>
>> Let's try executing the auth mad by hand (the error, from your input,
>> seems not to be exclusive of the ldap addon, but rather of the auth
>> module), to discard missing gems
>>
>> # $ONE_LOCATION/lib/mads/one_auth_mad
>>
>> after hitting return, it will wait for input, type
>>
>> INIT
>>
>> you should get
>>
>> INIT SUCCESS - -
>>
>> Regards,
>>
>> -Tino
>>
>> --
>> Constantino Vázquez Blanco, MSc
>> OpenNebula Major Contributor
>> www.OpenNebula.org | @tinova79
>>
>>
>>
>> On Mon, Jun 13, 2011 at 1:29 PM, Carlos A.<caralla at upv.es>  wrote:
>>> Hi Tino,
>>>
>>> more info on this.
>>>
>>> While using my test script to authenticate I can see the success in the ldap
>>> server, I cannot see any information when trying to authenticate using ONE
>>>
>>> On 13/06/11 12:43, Tino Vazquez wrote:
>>>> Hi Carlos,
>>>>
>>>> This may be due to an eager timeout that the core imposes over the ldap
>>>> driver.
>>>>
>>>> Please find attached a patch for the OpenNebula source code, please
>>>> apply it, recompile and reinstall, we would appreciate feedback on
>>>> whether this fixes the improper ldap plugin behavior or not.
>>>>
>>>> Regards,
>>>>
>>>> -Tino
>>>>
>>>> --
>>>> Constantino Vázquez Blanco, MSc
>>>> OpenNebula Major Contributor
>>>> www.OpenNebula.org | @tinova79
>>>>
>>>>
>>>>
>>>> On Sat, Jun 11, 2011 at 10:22 AM, Carlos A.<caralla at upv.es>   wrote:
>>>>> Hello,
>>>>>
>>>>> any help on this? is ldap addon supposed to work with opennebula 2.2? has
>>>>> anyone tried it?
>>>>>
>>>>> On 09/06/2011 10:46, Carlos A. wrote:
>>>>>> Hello,
>>>>>>
>>>>>> first of all, thank you for your response.
>>>>>>
>>>>>> Once I have managed to make ldap_auth work, I found the following issue:
>>>>>>
>>>>>> root at keo01:/srv/cloud/one# onevm list
>>>>>> execution expired
>>>>>>
>>>>>> I cannot manage to authenticate against my ldap server. I have tried the
>>>>>> ldap authentication that is carried out by ONE
>>>>>>
>>>>>> require 'rubygems'
>>>>>> require 'net/ldap'
>>>>>> ldap = Net::LDAP.new
>>>>>> ldap.host = "my.ldap.server"
>>>>>> ldap.port = 389
>>>>>> ldap.auth "my-dn", "my-pass"
>>>>>> print ldap.bind
>>>>>>
>>>>>> It is properly working, as my server authenticates me. I have (of
>>>>>> course)
>>>>>> tried changing the password and it works as expected.
>>>>>>
>>>>>> Diving in the code it seems that there is some problem in the file
>>>>>> "src/um/UserPool.cc", at
>>>>>>         authm->trigger(AuthManager::AUTHENTICATE,&ar);
>>>>>>         ar.wait();
>>>>>>
>>>>>> Any idea?
>>>>>>
>>>>>>
>>>>>> On 09/06/11 00:51, Carsten.Friedrich at csiro.au wrote:
>>>>>>> The official OpenNebula installation instructions for the ldap driver
>>>>>>> are
>>>>>>> incomplete and miss to mention some software packages that you have to
>>>>>>> install first. I don't remember which ones they were, but you can find
>>>>>>> out
>>>>>>> as follows:
>>>>>>>
>>>>>>> * cd to .../lib/ruby
>>>>>>> * execute 'ruby ldap_auth.rb'.
>>>>>>> * Ruby will complain about any missing packages. Install those until
>>>>>>> ruby
>>>>>>> is happy.
>>>>>>>
>>>>>>> Carsten
>>>>>>>
>>>>>>>
>>>>>>> Carsten Friedrich
>>>>>>> Research Team leader
>>>>>>> ICT Centre, GPO Box 664,Canberra, ACT 2601
>>>>>>> Phone: +61 2 6216 7019
>>>>>>> Email: Carsten.Friedrich at csiro.au
>>>>>>> Web:   http://www.csiro.au/org/ICT.html
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: users-bounces at lists.opennebula.org
>>>>>>> [mailto:users-bounces at lists.opennebula.org] On Behalf Of Carlos A.
>>>>>>> Sent: Wednesday, 8 June 2011 18:17
>>>>>>> To: users at lists.opennebula.org
>>>>>>> Subject: Re: [one-users] Problem with ldap authentication
>>>>>>>
>>>>>>> any help on this?
>>>>>>>
>>>>>>> On 02/06/11 16:55, Carlos A. wrote:
>>>>>>>> More information on this:
>>>>>>>>
>>>>>>>> in /srv/cloud/one/var/oned.log I can see
>>>>>>>> Thu Jun  2 16:52:09 2011 [ONE][I]: Init OpenNebula Log system
>>>>>>>> Thu Jun  2 16:52:09 2011 [ONE][I]: Log Level: 3
>>>>>>>> [0=ERROR,1=WARNING,2=INFO,3=DEBUG]
>>>>>>>> Thu Jun  2 16:52:09 2011 [ONE][I]:
>>>>>>>> _____________________________________________
>>>>>>>> Thu Jun  2 16:52:09 2011 [ONE][I]:      OpenNebula Configuration File
>>>>>>>> Thu Jun  2 16:52:09 2011 [ONE][I]:
>>>>>>>> _____________________________________________
>>>>>>>> Thu Jun  2 16:52:09 2011 [ONE][I]:
>>>>>>>> _____________________________________________
>>>>>>>> AUTH_MAD=EXECUTABLE=/srv/cloud/one/lib/mads/one_auth_mad
>>>>>>>> DB=BACKEND=sqlite
>>>>>>>> DEBUG_LEVEL=3
>>>>>>>> DEFAULT_DEVICE_PREFIX=hd
>>>>>>>> DEFAULT_IMAGE_TYPE=OS
>>>>>>>> HM_MAD=EXECUTABLE=one_hm
>>>>>>>> HOST_MONITORING_INTERVAL=600
>>>>>>>> IMAGE_REPOSITORY_PATH=/srv/cloud/one/var//images
>>>>>>>> IM_MAD=ARGUMENTS=-r 0 -t 15 kvm,EXECUTABLE=one_im_ssh,NAME=im_kvm
>>>>>>>> MAC_PREFIX=02:00
>>>>>>>> MANAGER_TIMER=15
>>>>>>>> NETWORK_SIZE=254
>>>>>>>> PORT=2633
>>>>>>>> SCRIPTS_REMOTE_DIR=/var/tmp/one
>>>>>>>> TM_MAD=ARGUMENTS=tm_nfs/tm_nfs.conf,EXECUTABLE=one_tm,NAME=tm_nfs
>>>>>>>> VM_DIR=/srv/cloud/one/var/
>>>>>>>> VM_HOOK=ARGUMENTS=$VMID,COMMAND=image.rb,NAME=image,ON=DONE
>>>>>>>> VM_MAD=ARGUMENTS=-t 15 -r 0 kvm,DEFAULT=vmm_ssh/vmm_ssh_kvm.conf,EXECUTABLE=one_vmm_ssh,NAME=vmm_kvm,TYPE=kvm
>>>>>>>> VM_POLLING_INTERVAL=600
>>>>>>>> VNC_BASE_PORT=5900
>>>>>>>> _____________________________________________
>>>>>>>> Thu Jun  2 16:52:09 2011 [ONE][I]: Bootstraping OpenNebula database.
>>>>>>>> Thu Jun  2 16:52:09 2011 [VMM][I]: Starting Virtual Machine Manager...
>>>>>>>> Thu Jun  2 16:52:09 2011 [LCM][I]: Starting Life-cycle Manager...
>>>>>>>> Thu Jun  2 16:52:09 2011 [VMM][I]: Virtual Machine Manager started.
>>>>>>>> Thu Jun  2 16:52:09 2011 [InM][I]: Starting Information Manager...
>>>>>>>> Thu Jun  2 16:52:09 2011 [InM][I]: Information Manager started.
>>>>>>>> Thu Jun  2 16:52:09 2011 [LCM][I]: Life-cycle Manager started.
>>>>>>>> Thu Jun  2 16:52:09 2011 [TrM][I]: Starting Transfer Manager...
>>>>>>>> Thu Jun  2 16:52:09 2011 [DiM][I]: Starting Dispatch Manager...
>>>>>>>> Thu Jun  2 16:52:09 2011 [TrM][I]: Transfer Manager started.
>>>>>>>> Thu Jun  2 16:52:09 2011 [DiM][I]: Dispatch Manager started.
>>>>>>>> Thu Jun  2 16:52:09 2011 [ReM][I]: Starting Request Manager...
>>>>>>>> Thu Jun  2 16:52:09 2011 [ReM][I]: Starting XML-RPC server, port 2633
>>>>>>>> ...
>>>>>>>> Thu Jun  2 16:52:09 2011 [ReM][I]: Request Manager started.
>>>>>>>> Thu Jun  2 16:52:09 2011 [HKM][I]: Starting Hook Manager...
>>>>>>>> Thu Jun  2 16:52:09 2011 [AuM][I]: Starting Auth Manager...
>>>>>>>> Thu Jun  2 16:52:09 2011 [AuM][I]: Authorization Manager started.
>>>>>>>> Thu Jun  2 16:52:09 2011 [HKM][I]: Hook Manager started.
>>>>>>>> Thu Jun  2 16:52:11 2011 [VMM][I]: Loading Virtual Machine Manager
>>>>>>>> drivers.
>>>>>>>> Thu Jun  2 16:52:11 2011 [VMM][I]:      Loading driver: vmm_kvm (KVM)
>>>>>>>> Thu Jun  2 16:52:11 2011 [VMM][I]:      Driver vmm_kvm loaded.
>>>>>>>> Thu Jun  2 16:52:11 2011 [InM][I]: Loading Information Manager
>>>>>>>> drivers.
>>>>>>>> Thu Jun  2 16:52:11 2011 [InM][I]:      Loading driver: im_kvm
>>>>>>>> Thu Jun  2 16:52:11 2011 [InM][I]:      Driver im_kvm loaded
>>>>>>>> Thu Jun  2 16:52:11 2011 [TM][I]: Loading Transfer Manager drivers.
>>>>>>>> Thu Jun  2 16:52:11 2011 [VMM][I]:      Loading driver: tm_nfs
>>>>>>>> Thu Jun  2 16:52:11 2011 [TM][I]:       Driver tm_nfs loaded.
>>>>>>>> Thu Jun  2 16:52:11 2011 [HKM][I]: Loading Hook Manager driver.
>>>>>>>> Thu Jun  2 16:52:11 2011 [HKM][I]:      Hook Manager loaded
>>>>>>>> Thu Jun  2 16:52:11 2011 [AuM][I]: Loading Auth. Manager driver.
>>>>>>>> Thu Jun  2 16:52:11 2011 [MAD][E]: MAD did not answer INIT command
>>>>>>>> Thu Jun  2 16:52:12 2011 [ReM][D]: VirtualMachinePoolInfo method
>>>>>>>> invoked
>>>>>>>> Thu Jun  2 16:52:12 2011 [AuM][E]: Auth Error: Could not find
>>>>>>>> Authorization driver
>>>>>>>> Thu Jun  2 16:52:12 2011 [ReM][E]: [VirtualMachinePoolInfo] User
>>>>>>>> couldn't be authenticated, aborting call.
>>>>>>>>
>>>>>>>> It seems that it cannot find the driver as a relative path name, but I
>>>>>>>> have also tried to use the full path of the auth driver.
>>>>>>>>
>>>>>>>> Any help would be appreciated.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Carlos A.
>>>>>>>>
>>>>>>>>
>>>>>>>> On 02/06/11 11:39, Carlos A. wrote:
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I have just installed the ldap authentication addon on a fresh ONE
>>>>>>>>> install. I followed the instructions and I found that I cannot
>>>>>>>>> authenticate against the LDAP server.
>>>>>>>>>
>>>>>>>>> what am I not doing in a wrong way?
>>>>>>>>>
>>>>>>>>> _____________________________________________
>>>>>>>>> carlos at keo01:~$ onevm list
>>>>>>>>> [VirtualMachinePoolInfo] User couldn't be authenticated, aborting
>>>>>>>>> call.
>>>>>>>>>
>>>>>>>>> carlos at keo01:~$ tail /srv/cloud/one/var/oned.log
>>>>>>>>> (...)
>>>>>>>>> Thu Jun  2 11:27:22 2011 [AuM][E]: Auth Error: Could not find
>>>>>>>>> Authorization driver
>>>>>>>>> Thu Jun  2 11:27:22 2011 [ReM][E]: [VirtualMachinePoolInfo] User
>>>>>>>>> couldn't be authenticated, aborting call.
>>>>>>>>> (...)
>>>>>>>>>
>>>>>>>>> calfonso at keo01:/srv/cloud/one/lib/mads$ ls -l one_auth_mad*
>>>>>>>>> -rwxr-xr-x 1 oneadmin root 1632 Jun  2 09:53 one_auth_mad
>>>>>>>>> -rwxr-xr-x 1 oneadmin root 3341 Jun  2 09:58 one_auth_mad.rb
>>>>>>>>>
>>>>>>>>> carlos at keo01:/srv/cloud/one/lib/mads$ ls -l
>>>>>>>>> /srv/cloud/one/lib/ruby/ldap_auth.rb
>>>>>>>>> -rw-r--r-- 1 oneadmin cloud 1340 Jun  2 09:58
>>>>>>>>> /srv/cloud/one/lib/ruby/ldap_auth.rb
>>>>>>>>>
>>>>>>>>> *** content of /srv/cloud/one/etc/auth/auth.conf
>>>>>>>>> :database: sqlite://auth.db
>>>>>>>>> :authentication: ldap
>>>>>>>>> :quota:
>>>>>>>>>    :enabled: false
>>>>>>>>>    :defaults:
>>>>>>>>>      :cpu: 10.0
>>>>>>>>>      :memory: 1048576
>>>>>>>>> :ldap:
>>>>>>>>>      :host: my.ldap.server
>>>>>>>>>      :port: 389
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> *** content of /srv/cloud/one/etc/oned.conf
>>>>>>>>> (...)
>>>>>>>>> AUTH_MAD = [
>>>>>>>>>      executable = "one_auth_mad" ]
>>>>>>>>>
>>>>>>>>> _____________________________________________
>>
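
The whitespace problem discussed in this thread (a DN with spaces in the CN being mishandled before the auth driver runs), shown as an added example that is not part of the original messages and is not OpenNebula code. A space-delimited message such as the `AUTHENTICATE FAILURE 0 false` line in the log loses its field boundaries when a value contains spaces; the request layout, the helper names and the sample DN below are assumptions made for illustration.

```ruby
require 'uri'

# Constructed sample DN with a space in the CN (not taken from the thread).
DN_WITH_SPACES = 'cn=Carlos A,ou=people,dc=example,dc=org'

# Assumed request layout for this example: ACTION REQUEST_ID USERNAME SECRET
FIELDS = %i[action request_id username secret].freeze

# Naive framing: fields are simply joined with single spaces.
def frame_naive(action, request_id, username, secret)
  [action, request_id, username, secret].join(' ')
end

# Naive parsing: split on whitespace and map fields by position.
# A space inside any field shifts every later field to the right.
def parse_naive(line)
  parts = line.split(' ')
  { action: parts[0], request_id: parts[1], username: parts[2],
    secret: parts[3], extra: parts[4..] || [] }
end

# Robust framing: percent-encode each field so it can never contain
# the delimiter (space becomes '+', ',' becomes '%2C', and so on).
def frame_encoded(*fields)
  fields.map { |f| URI.encode_www_form_component(f.to_s) }.join(' ')
end

# Robust parsing: require the exact field count, then decode each field.
# A message framed the naive way is rejected instead of being misread.
def parse_encoded(line)
  parts = line.split(' ', -1)
  unless parts.size == FIELDS.size
    raise ArgumentError, "expected #{FIELDS.size} fields, got #{parts.size}"
  end
  FIELDS.zip(parts.map { |p| URI.decode_www_form_component(p) }).to_h
end

if __FILE__ == $0
  naive = frame_naive('AUTHENTICATE', 0, DN_WITH_SPACES, 'pw')
  puts "naive wire:   #{naive}"
  puts "naive parsed: #{parse_naive(naive).inspect}"
  safe = frame_encoded('AUTHENTICATE', 0, DN_WITH_SPACES, 'pw')
  puts "safe wire:    #{safe}"
  puts "safe parsed:  #{parse_encoded(safe).inspect}"
end
```

With the naive framing the password slot receives the tail of the DN, so the bind is attempted with the wrong credentials or the message is dropped as malformed, which matches the symptom of the driver never reporting a result for a valid user.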
