[one-users] Problem with ldap authentication

Tino Vazquez tinova at opennebula.org
Thu Jun 16 04:11:17 PDT 2011


Hi Carlos,

Let's try the driver by hand again, but also with the authentication part:

# ruby -dw $ONE_LOCATION/lib/mads/one_auth_mad.rb
AUTHENTICATE 0 -1 <LDAP_DN> - <LDAP_DN:plain:LDAP_PASSWORD>

this will tell if the failure is in the driver or the core.

Regards,

-Tino

--
Constantino Vázquez Blanco, MSc
OpenNebula Major Contributor
www.OpenNebula.org | @tinova79
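
As an added example (not code from this thread or from OpenNebula), the following Ruby script automates the by-hand test above: it feeds INIT and then AUTHENTICATE to an auth MAD over its stdin/stdout line protocol, parses each reply, and gives up with a timeout instead of hanging when the driver never answers. The FAKE_MAD stand-in driver, the "s3cret" password, and the "AUTHENTICATE SUCCESS 0 -" reply format are assumptions so it runs offline; swap the command for the real one_auth_mad to test an installation.

```ruby
require 'open3'
require 'timeout'
require 'rbconfig'

# Constructed stand-in for one_auth_mad so the example runs offline. The replies
# "INIT SUCCESS - -" and "AUTHENTICATE FAILURE 0 false" are the ones seen in the
# thread; the SUCCESS reply to AUTHENTICATE is assumed. "HANG" models a driver
# stuck in an LDAP bind that never answers the core.
FAKE_MAD = <<~'RUBY'
  $stdout.sync = true
  while (line = $stdin.gets)
    case line.split(' ', 2).first
    when "INIT" then puts "INIT SUCCESS - -"
    when "AUTHENTICATE"
      _dn, _method, pass = line.split(' ').last.split(':', 3)
      puts(pass == "s3cret" ? "AUTHENTICATE SUCCESS 0 -" : "AUTHENTICATE FAILURE 0 false")
    when "HANG" then sleep 60
    end
  end
RUBY
# Request layout from Tino's message: user id, session id, DN, "-", then
# DN:plain:PASSWORD. Fields are space separated, which is why a DN with a space
# in its CN breaks the driver; refuse such a DN instead of sending it.
def authenticate_request(dn, password, user_id = 0, session_id = -1)
  raise ArgumentError, "DN contains whitespace: #{dn.inspect}" if dn =~ /\s/
  "AUTHENTICATE #{user_id} #{session_id} #{dn} - #{dn}:plain:#{password}"
end
def parse_reply(line)
  action, result, id, info = line.to_s.strip.split(' ', 4)
  return nil unless action && result # driver closed its stdout without answering
  { action: action, result: result, id: id, info: info }
end
# Send each request in turn and collect the parsed replies. Returns :expired when
# the driver stays silent for timeout_s (the core's "execution expired" symptom).
def mad_exchange(cmd, requests, timeout_s)
  Open3.popen2(*cmd) do |stdin, stdout, wait_thr|
    stdin.sync = true
    begin
      requests.map { |req| stdin.puts(req); parse_reply(Timeout.timeout(timeout_s) { stdout.gets }) }
    rescue Timeout::Error
      Process.kill("KILL", wait_thr.pid) # do not leave a hung driver behind
      :expired
    end
  end
end
# INIT then AUTHENTICATE against the fake driver (swap cmd for the real one_auth_mad).
def check_driver(dn, password, cmd = [RbConfig.ruby, "-e", FAKE_MAD], timeout_s = 5)
  mad_exchange(cmd, ["INIT", authenticate_request(dn, password)], timeout_s)
end
```

A nil reply means the driver exited without answering (typically a missing gem), :expired means it is alive but blocked, and a parsed FAILURE means the driver ran and the LDAP bind itself was refused.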


On Mon, Jun 13, 2011 at 9:16 PM, Carlos A. <caralla at upv.es> wrote:

> Hi again,
>
> more on this! I managed to get a user without whitespaces and I have bad
> news:
>
> while stating a wrong DN/pass is almost instant to refuse connection by
> stating an authentication error, I cannot manage to authenticate using the
> proper DN/pass. I'm back to the original situation: the execution expired
> message.
>
> In the log I can see the following message for the wrong ID:
>
> Mon Jun 13 21:11:56 2011 [AuM][D]: Message received: AUTHENTICATE FAILURE 0
> false
>
> Mon Jun 13 21:11:56 2011 [AuM][E]: Auth Error: false
> Mon Jun 13 21:11:56 2011 [ReM][E]: [VirtualMachinePoolInfo] User couldn't
> be authenticated, aborting call.
>
> But nothing for the right ID.
>
> Any idea on this?
>
> Regards.
>
>
> On 13/06/11 18:42, Carlos A. wrote:
>
>> Hi Tino,
>>
>> finally I think that I got it. The problem is that my DN has spaces in the
>> CN.
>> So I think that the one_auth file is not properly handled and it results
>> in a
>> failure whenever a space is used in this file. That is why I got the same
>> failure when changing the authentication method to "simple" or to even a
>> nonexistent method. It is simply because the authentication method was not
>> launched at all because of a previous error.
>>
>> The current problem is that I cannot authenticate because my DN has spaces
>> ;) so
>> I cannot use it within Open Nebula. But at least I do not get the
>> "expired
>> time" error and it outputs an authentication error.
>>
>> Any workaround on this?
>>
>> Regards,
>> Carlos A.
>>
>> Message quoted from "Carlos A."<caralla at upv.es>:
>>
>>> Hi,
>>> I get the expected output
>>> --
>>> Sent from my Android phone with K-9 Mail. Please excuse my brevity.
>>>
>>> Tino Vazquez<tinova at opennebula.org>  wrote:
>>>
>>> Hi Carlos,
>>>
>>> Let's try executing the auth mad by hand (the error, from your input,
>>> seems not to be exclusive of the ldap addon, but rather of the auth
>>> module), to discard missing gems
>>>
>>> # $ONE_LOCATION/lib/mads/one_auth_mad
>>>
>>> after hitting return, it will wait for input, type
>>>
>>> INIT
>>>
>>> you should get
>>>
>>> INIT SUCCESS - -
>>>
>>> Regards,
>>>
>>> -Tino
>>>
>>> --
>>> Constantino Vázquez Blanco, MSc
>>> OpenNebula Major Contributor
>>> www.OpenNebula.org | @tinova79
>>>
>>>
>>>
>>> On Mon, Jun 13, 2011 at 1:29 PM, Carlos A.<caralla at upv.es>  wrote:
>>>
>>>> Hi Tino,
>>>>
>>>> more info on this.
>>>>
>>>> While using my test script to authenticate I can see the success in the
>>>> ldap
>>>> server, I cannot see any information when trying to authenticate using
>>>> ONE
>>>>
>>>> On 13/06/11 12:43, Tino Vazquez wrote:
>>>>
>>>>> Hi Carlos,
>>>>>
>>>>> This may be due to an eager timeout that the core imposes over the ldap
>>>>> driver.
>>>>>
>>>>> Please find attached a patch for the OpenNebula source code, please
>>>>> apply it, recompile and reinstall, we would appreciate feedback on
>>>>> whether this fixes the improper ldap plugin behavior or not.
>>>>>
>>>>> Regards,
>>>>>
>>>>> -Tino
>>>>>
>>>>> --
>>>>> Constantino Vázquez Blanco, MSc
>>>>> OpenNebula Major Contributor
>>>>> www.OpenNebula.org | @tinova79
>>>>>
>>>>>
>>>>>
>>>>> On Sat, Jun 11, 2011 at 10:22 AM, Carlos A.<caralla at upv.es>   wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> any help on this? is the ldap addon supposed to work with opennebula 2.2?
>>>>>> has
>>>>>> anyone tried it?
>>>>>>
>>>>>> On 09/06/2011 10:46, Carlos A. wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> first of all, thank you for your response.
>>>>>>>
>>>>>>> Once I have managed to make ldap_auth work, I found the following
>>>>>>> issue:
>>>>>>>
>>>>>>> root at keo01:/srv/cloud/one# onevm list
>>>>>>> execution expired
>>>>>>>
>>>>>>> I cannot manage to authenticate against my ldap server. I have tried
>>>>>>> the
>>>>>>> ldap authentication that is carried out by ONE
>>>>>>>
>>>>>>> require 'rubygems'
>>>>>>> require 'net/ldap'
>>>>>>> ldap = Net::LDAP.new
>>>>>>> ldap.host = "my.ldap.server"
>>>>>>> ldap.port = 389
>>>>>>> ldap.auth "my-dn", "my-pass"
>>>>>>> print ldap.bind
>>>>>>>
>>>>>>> It is properly working, as my server authenticates me. I have (of
>>>>>>> course)
>>>>>>> tried changing the password and it works as expected.
>>>>>>>
>>>>>>> Diving into the code, it seems that there is some problem in the file
>>>>>>> "src/um/UserPool.cc", at
>>>>>>>        authm->trigger(AuthManager::AUTHENTICATE,&ar);
>>>>>>>        ar.wait();
>>>>>>>
>>>>>>> Any idea?
>>>>>>>
>>>>>>>
>>>>>>> On 09/06/11 00:51, Carsten.Friedrich at csiro.au wrote:
>>>>>>>
>>>>>>>> The official OpenNebula installation instructions for the ldap
>>>>>>>> driver
>>>>>>>> are
>>>>>>>> incomplete and fail to mention some software packages that you have
>>>>>>>> to
>>>>>>>> install first. I don't remember which ones they were, but you can
>>>>>>>> find
>>>>>>>> out
>>>>>>>> as follows:
>>>>>>>>
>>>>>>>> * cd to .../lib/ruby
>>>>>>>> * execute 'ruby ldap_auth.rb'.
>>>>>>>> * Ruby will complain about any missing packages. Install those until
>>>>>>>> ruby
>>>>>>>> is happy.
>>>>>>>>
>>>>>>>> Carsten
>>>>>>>>
>>>>>>>>
>>>>>>>> Carsten Friedrich
>>>>>>>> Research Team leader
>>>>>>>> ICT Centre, GPO Box 664,Canberra, ACT 2601
>>>>>>>> Phone: +61 2 6216 7019
>>>>>>>> Email: Carsten.Friedrich at csiro.au
>>>>>>>> Web:   http://www.csiro.au/org/ICT.html
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: users-bounces at lists.opennebula.org
>>>>>>>> [mailto:users-bounces at lists.opennebula.org] On Behalf Of Carlos A.
>>>>>>>> Sent: Wednesday, 8 June 2011 18:17
>>>>>>>> To: users at lists.opennebula.org
>>>>>>>> Subject: Re: [one-users] Problem with ldap authentication
>>>>>>>>
>>>>>>>> any help on this?
>>>>>>>>
>>>>>>>> On 02/06/11 16:55, Carlos A. wrote:
>>>>>>>>
>>>>>>>>> More information on this:
>>>>>>>>>
>>>>>>>>> in /srv/cloud/one/var/oned.log I can see
>>>>>>>>> Thu Jun  2 16:52:09 2011 [ONE][I]: Init OpenNebula Log system
>>>>>>>>> Thu Jun  2 16:52:09 2011 [ONE][I]: Log Level: 3
>>>>>>>>> [0=ERROR,1=WARNING,2=INFO,3=DEBUG]
>>>>>>>>> Thu Jun  2 16:52:09 2011 [ONE][I]:
>>>>>>>>> _____________________________________________
>>>>>>>>> Thu Jun  2 16:52:09 2011 [ONE][I]:      OpenNebula Configuration
>>>>>>>>> File
>>>>>>>>> Thu Jun  2 16:52:09 2011 [ONE][I]:
>>>>>>>>> _____________________________________________
>>>>>>>>> Thu Jun  2 16:52:09 2011 [ONE][I]:
>>>>>>>>> _____________________________________________
>>>>>>>>> AUTH_MAD=EXECUTABLE=/srv/cloud/one/lib/mads/one_auth_mad
>>>>>>>>> DB=BACKEND=sqlite
>>>>>>>>> DEBUG_LEVEL=3
>>>>>>>>> DEFAULT_DEVICE_PREFIX=hd
>>>>>>>>> DEFAULT_IMAGE_TYPE=OS
>>>>>>>>> HM_MAD=EXECUTABLE=one_hm
>>>>>>>>> HOST_MONITORING_INTERVAL=600
>>>>>>>>> IMAGE_REPOSITORY_PATH=/srv/cloud/one/var//images
>>>>>>>>> IM_MAD=ARGUMENTS=-r 0 -t 15 kvm,EXECUTABLE=one_im_ssh,NAME=im_kvm
>>>>>>>>> MAC_PREFIX=02:00
>>>>>>>>> MANAGER_TIMER=15
>>>>>>>>> NETWORK_SIZE=254
>>>>>>>>> PORT=2633
>>>>>>>>> SCRIPTS_REMOTE_DIR=/var/tmp/one
>>>>>>>>> TM_MAD=ARGUMENTS=tm_nfs/tm_nfs.conf,EXECUTABLE=one_tm,NAME=tm_nfs
>>>>>>>>> VM_DIR=/srv/cloud/one/var/
>>>>>>>>> VM_HOOK=ARGUMENTS=$VMID,COMMAND=image.rb,NAME=image,ON=DONE
>>>>>>>>> VM_MAD=ARGUMENTS=-t 15 -r 0 kvm,DEFAULT=vmm_ssh/vmm_ssh_kvm.conf,EXECUTABLE=one_vmm_ssh,NAME=vmm_kvm,TYPE=kvm
>>>>>>>>> VM_POLLING_INTERVAL=600
>>>>>>>>> VNC_BASE_PORT=5900
>>>>>>>>> _____________________________________________
>>>>>>>>> Thu Jun  2 16:52:09 2011 [ONE][I]: Bootstraping OpenNebula
>>>>>>>>> database.
>>>>>>>>> Thu Jun  2 16:52:09 2011 [VMM][I]: Starting Virtual Machine
>>>>>>>>> Manager...
>>>>>>>>> Thu Jun  2 16:52:09 2011 [LCM][I]: Starting Life-cycle Manager...
>>>>>>>>> Thu Jun  2 16:52:09 2011 [VMM][I]: Virtual Machine Manager started.
>>>>>>>>> Thu Jun  2 16:52:09 2011 [InM][I]: Starting Information Manager...
>>>>>>>>> Thu Jun  2 16:52:09 2011 [InM][I]: Information Manager started.
>>>>>>>>> Thu Jun  2 16:52:09 2011 [LCM][I]: Life-cycle Manager started.
>>>>>>>>> Thu Jun  2 16:52:09 2011 [TrM][I]: Starting Transfer Manager...
>>>>>>>>> Thu Jun  2 16:52:09 2011 [DiM][I]: Starting Dispatch Manager...
>>>>>>>>> Thu Jun  2 16:52:09 2011 [TrM][I]: Transfer Manager started.
>>>>>>>>> Thu Jun  2 16:52:09 2011 [DiM][I]: Dispatch Manager started.
>>>>>>>>> Thu Jun  2 16:52:09 2011 [ReM][I]: Starting Request Manager...
>>>>>>>>> Thu Jun  2 16:52:09 2011 [ReM][I]: Starting XML-RPC server, port
>>>>>>>>> 2633
>>>>>>>>> ...
>>>>>>>>> Thu Jun  2 16:52:09 2011 [ReM][I]: Request Manager started.
>>>>>>>>> Thu Jun  2 16:52:09 2011 [HKM][I]: Starting Hook Manager...
>>>>>>>>> Thu Jun  2 16:52:09 2011 [AuM][I]: Starting Auth Manager...
>>>>>>>>> Thu Jun  2 16:52:09 2011 [AuM][I]: Authorization Manager started.
>>>>>>>>> Thu Jun  2 16:52:09 2011 [HKM][I]: Hook Manager started.
>>>>>>>>> Thu Jun  2 16:52:11 2011 [VMM][I]: Loading Virtual Machine Manager
>>>>>>>>> drivers.
>>>>>>>>> Thu Jun  2 16:52:11 2011 [VMM][I]:      Loading driver: vmm_kvm
>>>>>>>>> (KVM)
>>>>>>>>> Thu Jun  2 16:52:11 2011 [VMM][I]:      Driver vmm_kvm loaded.
>>>>>>>>> Thu Jun  2 16:52:11 2011 [InM][I]: Loading Information Manager
>>>>>>>>> drivers.
>>>>>>>>> Thu Jun  2 16:52:11 2011 [InM][I]:      Loading driver: im_kvm
>>>>>>>>> Thu Jun  2 16:52:11 2011 [InM][I]:      Driver im_kvm loaded
>>>>>>>>> Thu Jun  2 16:52:11 2011 [TM][I]: Loading Transfer Manager drivers.
>>>>>>>>> Thu Jun  2 16:52:11 2011 [VMM][I]:      Loading driver: tm_nfs
>>>>>>>>> Thu Jun  2 16:52:11 2011 [TM][I]:       Driver tm_nfs loaded.
>>>>>>>>> Thu Jun  2 16:52:11 2011 [HKM][I]: Loading Hook Manager driver.
>>>>>>>>> Thu Jun  2 16:52:11 2011 [HKM][I]:      Hook Manager loaded
>>>>>>>>> Thu Jun  2 16:52:11 2011 [AuM][I]: Loading Auth. Manager driver.
>>>>>>>>> Thu Jun  2 16:52:11 2011 [MAD][E]: MAD did not answer INIT command
>>>>>>>>> Thu Jun  2 16:52:12 2011 [ReM][D]: VirtualMachinePoolInfo method
>>>>>>>>> invoked
>>>>>>>>> Thu Jun  2 16:52:12 2011 [AuM][E]: Auth Error: Could not find
>>>>>>>>> Authorization driver
>>>>>>>>> Thu Jun  2 16:52:12 2011 [ReM][E]: [VirtualMachinePoolInfo] User
>>>>>>>>> couldn't be authenticated, aborting call.
>>>>>>>>>
>>>>>>>>> It seems that it cannot find the driver as a relative path name,
>>>>>>>>> but I
>>>>>>>>> have also tried to use the full path of the auth driver.
>>>>>>>>>
>>>>>>>>> Any help would be appreciated.
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Carlos A.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 02/06/11 11:39, Carlos A. wrote:
>>>>>>>>>
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> I have just installed the ldap authentication addon on a fresh
>>>>>>>>>> ONE
>>>>>>>>>> install. I followed the instructions and I found that I cannot
>>>>>>>>>> authenticate against the LDAP server.
>>>>>>>>>>
>>>>>>>>>> what am I not doing in a wrong way?
>>>>>>>>>>
>>>>>>>>>> _____________________________________________
>>>>>>>>>> carlos at keo01:~$ onevm list
>>>>>>>>>> [VirtualMachinePoolInfo] User couldn't be authenticated, aborting
>>>>>>>>>> call.
>>>>>>>>>>
>>>>>>>>>> carlos at keo01:~$ tail /srv/cloud/one/var/oned.log
>>>>>>>>>> (...)
>>>>>>>>>> Thu Jun  2 11:27:22 2011 [AuM][E]: Auth Error: Could not find
>>>>>>>>>> Authorization driver
>>>>>>>>>> Thu Jun  2 11:27:22 2011 [ReM][E]: [VirtualMachinePoolInfo] User
>>>>>>>>>> couldn't be authenticated, aborting call.
>>>>>>>>>> (...)
>>>>>>>>>>
>>>>>>>>>> calfonso at keo01:/srv/cloud/one/lib/mads$ ls -l one_auth_mad*
>>>>>>>>>> -rwxr-xr-x 1 oneadmin root 1632 Jun  2 09:53 one_auth_mad
>>>>>>>>>> -rwxr-xr-x 1 oneadmin root 3341 Jun  2 09:58 one_auth_mad.rb
>>>>>>>>>>
>>>>>>>>>> carlos at keo01:/srv/cloud/one/lib/mads$ ls -l
>>>>>>>>>> /srv/cloud/one/lib/ruby/ldap_auth.rb
>>>>>>>>>> -rw-r--r-- 1 oneadmin cloud 1340 Jun  2 09:58
>>>>>>>>>> /srv/cloud/one/lib/ruby/ldap_auth.rb
>>>>>>>>>>
>>>>>>>>>> *** content of /srv/cloud/one/etc/auth/auth.conf
>>>>>>>>>> :database: sqlite://auth.db
>>>>>>>>>> :authentication: ldap
>>>>>>>>>> :quota:
>>>>>>>>>>   :enabled: false
>>>>>>>>>>   :defaults:
>>>>>>>>>>     :cpu: 10.0
>>>>>>>>>>     :memory: 1048576
>>>>>>>>>> :ldap:
>>>>>>>>>>     :host: my.ldap.server
>>>>>>>>>>     :port: 389
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> *** content of /srv/cloud/one/etc/oned.conf
>>>>>>>>>> (...)
>>>>>>>>>> AUTH_MAD = [
>>>>>>>>>>     executable = "one_auth_mad" ]
>>>>>>>>>>
>>>>>>>>>> _____________________________________________
>>>>>>>>>>
>>>>>>>>>
>>>
>