[one-users] Problem with ldap authentication

Carsten.Friedrich at csiro.au
Mon Jun 13 16:45:55 PDT 2011


I use the OpenNebula LDAP module against a corporate LDAP server (actually LDAP interface to an AD server). This works quite well, but I had to modify it quite a bit. If you search the mailing list archives you'll find an article on how I did this (it also works with DN names with spaces). 

There may also be an OpenNebula blog article describing it (I wrote it quite a while back, but I'm not sure if the OpenNebula team ever approved / released it).

Time-outs are a big problem, as OpenNebula currently doesn't handle this very gracefully in the authentication module (the limit is hardcoded and there are no retry strategies). I'm also concerned about all the hits on the LDAP server this produces, especially if you use some polling front-end which updates VM status etc. I hope OpenNebula will eventually get session ids, so LDAP authentication has to be done less frequently.

Carsten

Carsten Friedrich
Research Team leader
ICT Centre, GPO Box 664,Canberra, ACT 2601
Phone: +61 2 6216 7019 
Email: Carsten.Friedrich at csiro.au
Web:   http://www.csiro.au/org/ICT.html
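The two weaknesses Carsten names above, a hardcoded limit and no retry strategy, are shown handled in the following added example; it is illustration written for this page, not code from OpenNebula or its LDAP driver. The bind itself is injected as a block so it runs offline; a real driver would call Net::LDAP#bind from the net-ldap gem (the one used by the test script later in the thread) inside that block. The names bind_with_retry and BindOutcome are assumptions.

```ruby
require 'timeout'

# Result of an authentication attempt: the outcome and how many binds
# were actually sent to the directory.
class BindOutcome
  attr_reader :status, :attempts
  def initialize(status, attempts)
    @status = status       # :success, :invalid_credentials or :unavailable
    @attempts = attempts
  end
end

# Runs the injected bind with an explicit per-attempt timeout (instead of
# a hardcoded one) and retries ONLY on transient failures: timeouts and
# connection errors. A rejected DN/password (block returns false) is
# final: retrying it only adds load on the LDAP server and can trip
# account-lockout policies, which is the load concern raised above.
# `backoff` spreads retries so a slow directory is not hammered.
def bind_with_retry(max_attempts: 3, timeout: 2.0, backoff: 0.0)
  attempts = 0
  while attempts < max_attempts
    attempts += 1
    begin
      ok = Timeout.timeout(timeout) { yield attempts }
      return BindOutcome.new(ok ? :success : :invalid_credentials, attempts)
    rescue Timeout::Error, IOError, SystemCallError
      # Transient: server slow or unreachable. Wait, then try again.
      sleep(backoff * attempts) if backoff > 0 && attempts < max_attempts
    end
  end
  BindOutcome.new(:unavailable, attempts)
end

# Constructed scenario (no real LDAP server): the first two binds hang
# past the timeout, the third one answers.
if __FILE__ == $PROGRAM_NAME
  r = bind_with_retry(timeout: 0.05) { |n| n < 3 ? sleep(1) : true }
  puts "#{r.status} after #{r.attempts} attempt(s)"
end
```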


-----Original Message-----
From: users-bounces at lists.opennebula.org [mailto:users-bounces at lists.opennebula.org] On Behalf Of Carlos A.
Sent: Tuesday, 14 June 2011 5:16
To: Carlos A.
Cc: users at lists.opennebula.org
Subject: Re: [one-users] Problem with ldap authentication

Hi again,

more on this! I managed to get a user without whitespaces and I have bad 
news:

while a wrong DN/pass is refused almost instantly with an authentication 
error, I cannot manage to authenticate using the proper DN/pass. I'm back 
to the original situation: the "execution expired" message.

In the log I can see the following message for the wrong ID:

Mon Jun 13 21:11:56 2011 [AuM][D]: Message received: AUTHENTICATE FAILURE 0 false

Mon Jun 13 21:11:56 2011 [AuM][E]: Auth Error: false
Mon Jun 13 21:11:56 2011 [ReM][E]: [VirtualMachinePoolInfo] User couldn't be authenticated, aborting call.

But nothing for the right ID.

Any idea on this?

Regards.


El 13/06/11 18:42, Carlos A. escribió:
> Hi Tino,
>
> finally I think that I got it. The problem is that my DN has spaces in the CN.
> So I think that the one_auth file is not properly handled and it results in a
> failure whenever a space is used in this file. That is why I got the same
> failure when changing the authentication method to "simple" or to even a
> nonexistent method. It is simply because the authentication method was not
> launched at all because of a previous error.
>
> The current problem is that I cannot authenticate because my DN has spaces ;) so
> I cannot use it within Open Nebula. But at least I do not get the "expired
> time" error and it outputs an authentication error.
>
> Any workaround on this?
>
> Regards,
> Carlos A.
>
> Mensaje citado por "Carlos A."<caralla at upv.es>:
>
>> Hi,
>> i get the expected output
>> --
>> Enviado desde mi teléfono Android con K-9 Mail. Disculpa mi brevedad
>>
>> Tino Vazquez<tinova at opennebula.org>  escribió:
>>
>> Hi Carlos,
>>
>> Let's try executing the auth mad by hand (the error, from your input,
>> seems not to be exclusive of the ldap addon, but rather of the auth
>> module), to discard missing gems
>>
>> # $ONE_LOCATION/lib/mads/one_auth_mad
>>
>> after hitting return, it will wait for input, type
>>
>> INIT
>>
>> you should get
>>
>> INIT SUCCESS - -
>>
>> Regards,
>>
>> -Tino
>>
>> --
>> Constantino Vázquez Blanco, MSc
>> OpenNebula Major Contributor
>> www.OpenNebula.org | @tinova79
>>
>>
>>
>> On Mon, Jun 13, 2011 at 1:29 PM, Carlos A.<caralla at upv.es>  wrote:
>>> Hi Tino,
>>>
>>> more info on this.
>>>
>>> While using my test script to authenticate I can see the success in the ldap
>>> server, I cannot see any information when trying to authenticate using ONE.
>>>
>>> El 13/06/11 12:43, Tino Vazquez escribió:
>>>> Hi Carlos,
>>>>
>>>> This may be due to an eager timeout that the core imposes over the ldap
>>>> driver.
>>>>
>>>> Please find attached a patch for the OpenNebula source code, please
>>>> apply it, recompile and reinstall, we would appreciate feedback on
>>>> whether this fixes the improper ldap plugin behavior or not.
>>>>
>>>> Regards,
>>>>
>>>> -Tino
>>>>
>>>> --
>>>> Constantino Vázquez Blanco, MSc
>>>> OpenNebula Major Contributor
>>>> www.OpenNebula.org | @tinova79
>>>>
>>>>
>>>>
>>>> On Sat, Jun 11, 2011 at 10:22 AM, Carlos A.<caralla at upv.es>   wrote:
>>>>> Hello,
>>>>>
>>>>> any help on this? Is the ldap addon supposed to work with opennebula 2.2? Has
>>>>> anyone tried it?
>>>>>
>>>>> El 09/06/2011 10:46, Carlos A. escribió:
>>>>>> Hello,
>>>>>>
>>>>>> first of all, thank you for your response.
>>>>>>
>>>>>> Once I have managed to make ldap_auth work, I found the following issue:
>>>>>>
>>>>>> root at keo01:/srv/cloud/one# onevm list
>>>>>> execution expired
>>>>>>
>>>>>> I cannot manage to authenticate against my ldap server. I have tried the
>>>>>> ldap authentication that is carried out by ONE
>>>>>>
>>>>>> require 'rubygems'
>>>>>> require 'net/ldap'
>>>>>> ldap = Net::LDAP.new
>>>>>> ldap.host = "my.ldap.server"
>>>>>> ldap.port = 389
>>>>>> ldap.auth "my-dn", "my-pass"
>>>>>> print ldap.bind
>>>>>>
>>>>>> It is properly working, as my server authenticates me. I have (of course)
>>>>>> tried changing the password and it works as expected.
>>>>>>
>>>>>> Diving into the code, it seems that there is some problem in the file
>>>>>> "src/um/UserPool.cc", at
>>>>>>         authm->trigger(AuthManager::AUTHENTICATE,&ar);
>>>>>>         ar.wait();
>>>>>>
>>>>>> Any idea?
>>>>>>
>>>>>>
>>>>>> El 09/06/11 00:51, Carsten.Friedrich at csiro.au escribió:
>>>>>>> The official OpenNebula installation instructions for the ldap driver are
>>>>>>> incomplete and fail to mention some software packages that you have to
>>>>>>> install first. I don't remember which ones they were, but you can find out
>>>>>>> as follows:
>>>>>>>
>>>>>>> * cd to .../lib/ruby
>>>>>>> * execute 'ruby ldap_auth.rb'.
>>>>>>> * Ruby will complain about any missing packages. Install those until Ruby
>>>>>>> is happy.
>>>>>>>
>>>>>>> Carsten
>>>>>>>
>>>>>>>
>>>>>>> Carsten Friedrich
>>>>>>> Research Team leader
>>>>>>> ICT Centre, GPO Box 664,Canberra, ACT 2601
>>>>>>> Phone: +61 2 6216 7019
>>>>>>> Email: Carsten.Friedrich at csiro.au
>>>>>>> Web:   http://www.csiro.au/org/ICT.html
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: users-bounces at lists.opennebula.org
>>>>>>> [mailto:users-bounces at lists.opennebula.org] On Behalf Of Carlos A.
>>>>>>> Sent: Wednesday, 8 June 2011 18:17
>>>>>>> To: users at lists.opennebula.org
>>>>>>> Subject: Re: [one-users] Problem with ldap authentication
>>>>>>>
>>>>>>> any help on this?
>>>>>>>
>>>>>>> El 02/06/11 16:55, Carlos A. escribió:
>>>>>>>> More information on this:
>>>>>>>>
>>>>>>>> in /srv/cloud/one/var/oned.log I can see
>>>>>>>> Thu Jun  2 16:52:09 2011 [ONE][I]: Init OpenNebula Log system
>>>>>>>> Thu Jun  2 16:52:09 2011 [ONE][I]: Log Level: 3
>>>>>>>> [0=ERROR,1=WARNING,2=INFO,3=DEBUG]
>>>>>>>> Thu Jun  2 16:52:09 2011 [ONE][I]:
>>>>>>>> _____________________________________________
>>>>>>>> Thu Jun  2 16:52:09 2011 [ONE][I]:      OpenNebula Configuration File
>>>>>>>> Thu Jun  2 16:52:09 2011 [ONE][I]:
>>>>>>>> _____________________________________________
>>>>>>>> Thu Jun  2 16:52:09 2011 [ONE][I]:
>>>>>>>> _____________________________________________
>>>>>>>> AUTH_MAD=EXECUTABLE=/srv/cloud/one/lib/mads/one_auth_mad
>>>>>>>> DB=BACKEND=sqlite
>>>>>>>> DEBUG_LEVEL=3
>>>>>>>> DEFAULT_DEVICE_PREFIX=hd
>>>>>>>> DEFAULT_IMAGE_TYPE=OS
>>>>>>>> HM_MAD=EXECUTABLE=one_hm
>>>>>>>> HOST_MONITORING_INTERVAL=600
>>>>>>>> IMAGE_REPOSITORY_PATH=/srv/cloud/one/var//images
>>>>>>>> IM_MAD=ARGUMENTS=-r 0 -t 15 kvm,EXECUTABLE=one_im_ssh,NAME=im_kvm
>>>>>>>> MAC_PREFIX=02:00
>>>>>>>> MANAGER_TIMER=15
>>>>>>>> NETWORK_SIZE=254
>>>>>>>> PORT=2633
>>>>>>>> SCRIPTS_REMOTE_DIR=/var/tmp/one
>>>>>>>> TM_MAD=ARGUMENTS=tm_nfs/tm_nfs.conf,EXECUTABLE=one_tm,NAME=tm_nfs
>>>>>>>> VM_DIR=/srv/cloud/one/var/
>>>>>>>> VM_HOOK=ARGUMENTS=$VMID,COMMAND=image.rb,NAME=image,ON=DONE
>>>>>>>> VM_MAD=ARGUMENTS=-t 15 -r 0 kvm,DEFAULT=vmm_ssh/vmm_ssh_kvm.conf,EXECUTABLE=one_vmm_ssh,NAME=vmm_kvm,TYPE=kvm
>>>>>>>> VM_POLLING_INTERVAL=600
>>>>>>>> VNC_BASE_PORT=5900
>>>>>>>> _____________________________________________
>>>>>>>> Thu Jun  2 16:52:09 2011 [ONE][I]: Bootstraping OpenNebula database.
>>>>>>>> Thu Jun  2 16:52:09 2011 [VMM][I]: Starting Virtual Machine Manager...
>>>>>>>> Thu Jun  2 16:52:09 2011 [LCM][I]: Starting Life-cycle Manager...
>>>>>>>> Thu Jun  2 16:52:09 2011 [VMM][I]: Virtual Machine Manager started.
>>>>>>>> Thu Jun  2 16:52:09 2011 [InM][I]: Starting Information Manager...
>>>>>>>> Thu Jun  2 16:52:09 2011 [InM][I]: Information Manager started.
>>>>>>>> Thu Jun  2 16:52:09 2011 [LCM][I]: Life-cycle Manager started.
>>>>>>>> Thu Jun  2 16:52:09 2011 [TrM][I]: Starting Transfer Manager...
>>>>>>>> Thu Jun  2 16:52:09 2011 [DiM][I]: Starting Dispatch Manager...
>>>>>>>> Thu Jun  2 16:52:09 2011 [TrM][I]: Transfer Manager started.
>>>>>>>> Thu Jun  2 16:52:09 2011 [DiM][I]: Dispatch Manager started.
>>>>>>>> Thu Jun  2 16:52:09 2011 [ReM][I]: Starting Request Manager...
>>>>>>>> Thu Jun  2 16:52:09 2011 [ReM][I]: Starting XML-RPC server, port 2633
>>>>>>>> ...
>>>>>>>> Thu Jun  2 16:52:09 2011 [ReM][I]: Request Manager started.
>>>>>>>> Thu Jun  2 16:52:09 2011 [HKM][I]: Starting Hook Manager...
>>>>>>>> Thu Jun  2 16:52:09 2011 [AuM][I]: Starting Auth Manager...
>>>>>>>> Thu Jun  2 16:52:09 2011 [AuM][I]: Authorization Manager started.
>>>>>>>> Thu Jun  2 16:52:09 2011 [HKM][I]: Hook Manager started.
>>>>>>>> Thu Jun  2 16:52:11 2011 [VMM][I]: Loading Virtual Machine Manager drivers.
>>>>>>>> Thu Jun  2 16:52:11 2011 [VMM][I]:      Loading driver: vmm_kvm (KVM)
>>>>>>>> Thu Jun  2 16:52:11 2011 [VMM][I]:      Driver vmm_kvm loaded.
>>>>>>>> Thu Jun  2 16:52:11 2011 [InM][I]: Loading Information Manager drivers.
>>>>>>>> Thu Jun  2 16:52:11 2011 [InM][I]:      Loading driver: im_kvm
>>>>>>>> Thu Jun  2 16:52:11 2011 [InM][I]:      Driver im_kvm loaded
>>>>>>>> Thu Jun  2 16:52:11 2011 [TM][I]: Loading Transfer Manager drivers.
>>>>>>>> Thu Jun  2 16:52:11 2011 [VMM][I]:      Loading driver: tm_nfs
>>>>>>>> Thu Jun  2 16:52:11 2011 [TM][I]:       Driver tm_nfs loaded.
>>>>>>>> Thu Jun  2 16:52:11 2011 [HKM][I]: Loading Hook Manager driver.
>>>>>>>> Thu Jun  2 16:52:11 2011 [HKM][I]:      Hook Manager loaded
>>>>>>>> Thu Jun  2 16:52:11 2011 [AuM][I]: Loading Auth. Manager driver.
>>>>>>>> Thu Jun  2 16:52:11 2011 [MAD][E]: MAD did not answer INIT command
>>>>>>>> Thu Jun  2 16:52:12 2011 [ReM][D]: VirtualMachinePoolInfo method invoked
>>>>>>>> Thu Jun  2 16:52:12 2011 [AuM][E]: Auth Error: Could not find Authorization driver
>>>>>>>> Thu Jun  2 16:52:12 2011 [ReM][E]: [VirtualMachinePoolInfo] User couldn't be authenticated, aborting call.
>>>>>>>>
>>>>>>>> It seems that it cannot find the driver as a relative path name, but I
>>>>>>>> have also tried to use the full path of the auth driver.
>>>>>>>>
>>>>>>>> Any help would be appreciated.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Carlos A.
>>>>>>>>
>>>>>>>>
>>>>>>>> El 02/06/11 11:39, Carlos A. escribió:
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I have just installed the ldap authentication addon on a fresh ONE
>>>>>>>>> install. I followed the instructions and I found that I cannot
>>>>>>>>> authenticate against the LDAP server.
>>>>>>>>>
>>>>>>>>> what am I not doing in a wrong way?
>>>>>>>>>
>>>>>>>>> _____________________________________________
>>>>>>>>> carlos at keo01:~$ onevm list
>>>>>>>>> [VirtualMachinePoolInfo] User couldn't be authenticated, aborting call.
>>>>>>>>>
>>>>>>>>> carlos at keo01:~$ tail /srv/cloud/one/var/oned.log
>>>>>>>>> (...)
>>>>>>>>> Thu Jun  2 11:27:22 2011 [AuM][E]: Auth Error: Could not find Authorization driver
>>>>>>>>> Thu Jun  2 11:27:22 2011 [ReM][E]: [VirtualMachinePoolInfo] User couldn't be authenticated, aborting call.
>>>>>>>>> (...)
>>>>>>>>>
>>>>>>>>> calfonso at keo01:/srv/cloud/one/lib/mads$ ls -l one_auth_mad*
>>>>>>>>> -rwxr-xr-x 1 oneadmin root 1632 Jun  2 09:53 one_auth_mad
>>>>>>>>> -rwxr-xr-x 1 oneadmin root 3341 Jun  2 09:58 one_auth_mad.rb
>>>>>>>>>
>>>>>>>>> carlos at keo01:/srv/cloud/one/lib/mads$ ls -l /srv/cloud/one/lib/ruby/ldap_auth.rb
>>>>>>>>> -rw-r--r-- 1 oneadmin cloud 1340 Jun  2 09:58 /srv/cloud/one/lib/ruby/ldap_auth.rb
>>>>>>>>>
>>>>>>>>> *** content of /srv/cloud/one/etc/auth/auth.conf
>>>>>>>>> :database: sqlite://auth.db
>>>>>>>>> :authentication: ldap
>>>>>>>>> :quota:
>>>>>>>>>    :enabled: false
>>>>>>>>>    :defaults:
>>>>>>>>>      :cpu: 10.0
>>>>>>>>>      :memory: 1048576
>>>>>>>>> :ldap:
>>>>>>>>>      :host: my.ldap.server
>>>>>>>>>      :port: 389
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> *** content of /srv/cloud/one/etc/oned.conf
>>>>>>>>> (...)
>>>>>>>>> AUTH_MAD = [
>>>>>>>>>      executable = "one_auth_mad" ]
>>>>>>>>>
>>>>>>>>> _____________________________________________
>>

_______________________________________________
Users mailing list
Users at lists.opennebula.org
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
