[one-users] Problem with ldap authentication

Tino Vazquez tinova79 at gmail.com
Thu Jun 16 04:15:18 PDT 2011


Hi Carsten,

Thanks for the ldap plugin improvements; we are certainly evaluating them
for inclusion in the next release.

About the blog post, I'm going to get in touch with the community manager,
since I'm sure it is interesting for the community.

And last but not least, the session in ONE is something we have in our
backlog, but it unfortunately won't make it for v3.0.

Regards,

-Tino

--
Constantino Vázquez Blanco | dsa-research.org/tinova
Virtualization Technology Engineer / Researcher
OpenNebula Toolkit | opennebula.org
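Carsten's message quoted below raises two points that the thread leaves open: the hardcoded bind timeout with no retry strategy, and the LDAP load caused by polling front-ends, which a session id would avoid. The block below is an added example, not OpenNebula's code and not the ldap addon, sketching how a driver could handle both. The names `LdapUnavailable`, `bind_with_policy` and `BindCache` are invented for the illustration, and `bind_proc` stands in for a `Net::LDAP#bind` call: it returns true when bound, false when the credentials are rejected, and raises or hangs when the directory is unreachable.

```ruby
require 'timeout'
require 'openssl'
require 'securerandom'

# Assumed error type for network trouble (connection refused, reset, ...).
class LdapUnavailable < StandardError; end

# Bounded, backed-off retry around one LDAP bind.
# A timeout or LdapUnavailable is transient and retried; a rejected credential
# (bind returned false) is final and is never retried, so a bad password does
# not turn into three failed logins on the directory side.
# Returns :ok, :denied or :unavailable; the caller must treat anything but :ok
# as "not authenticated" (fail closed).
def bind_with_policy(bind_proc, timeout: 5, attempts: 3, base_delay: 0.2, sleeper: method(:sleep))
  attempts.times do |i|
    begin
      bound = Timeout.timeout(timeout) { bind_proc.call }
      return bound ? :ok : :denied
    rescue Timeout::Error, LdapUnavailable
      # exponential backoff between attempts; the last failure falls through
      sleeper.call(base_delay * (2**i)) if i < attempts - 1
    end
  end
  :unavailable
end

# Short-lived cache of successful binds, so a front-end polling VM status does
# not re-bind against LDAP on every XML-RPC call.
class BindCache
  def initialize(ttl:, clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) })
    @ttl = ttl
    @clock = clock
    @key = SecureRandom.random_bytes(32)   # per-process secret; the cache dies with the daemon
    @entries = {}                          # HMAC(dn, password) => expiry time
  end

  # Keyed HMAC over dn and password: no credential is ever stored, and a dump
  # of the cache cannot be brute-forced offline without the process key.
  def tag(dn, password)
    OpenSSL::HMAC.hexdigest('SHA256', @key, [dn, password].join("\0"))
  end

  def authenticate(dn, password, bind_proc, **policy)
    t = tag(dn, password)
    now = @clock.call
    return :ok if @entries[t] && @entries[t] > now
    @entries.delete(t)
    result = bind_with_policy(bind_proc, **policy)
    @entries[t] = now + @ttl if result == :ok   # only successes are cached
    result
  end
end
```

The trade-off to state to operators: a cached bind keeps working for up to `ttl` after the password is changed or the account is disabled in AD, so keep the TTL to a minute or two. Failed binds are deliberately not cached, so every rejected login still reaches the directory, where it is logged and subject to the lockout policy.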


On Tue, Jun 14, 2011 at 1:45 AM, <Carsten.Friedrich at csiro.au> wrote:

> I use the OpenNebula LDAP module against a corporate LDAP server (actually
> LDAP interface to an AD server). This works quite well, but I had to modify
> it quite a bit. If you search the mailing list archives you'll find an
> article on how I did this (it also works with DN names with spaces).
>
> There may also be an OpenNebula blog article describing it (I wrote it
> quite a while back, but I'm not sure if the OpenNebula team ever approved /
> released it).
>
> Time-outs are a big problem as OpenNebula currently doesn't handle this
> very gracefully in the authentication module (the limit is hardcoded and no
> retry strategies). I'm also concerned about all the hits on the LDAP server
> this produces, especially if you use some polling front-end which updates VM
> status etc. I hope OpenNebula will eventually get session id, so LDAP
> authentication has to be done less frequently.
>
> Carsten
>
> Carsten Friedrich
> Research Team leader
> ICT Centre, GPO Box 664,Canberra, ACT 2601
> Phone: +61 2 6216 7019
> Email: Carsten.Friedrich at csiro.au
> Web:   http://www.csiro.au/org/ICT.html
>
>
> -----Original Message-----
> From: users-bounces at lists.opennebula.org [mailto:users-bounces at lists.opennebula.org] On Behalf Of Carlos A.
> Sent: Tuesday, 14 June 2011 5:16
> To: Carlos A.
> Cc: users at lists.opennebula.org
> Subject: Re: [one-users] Problem with ldap authentication
>
> Hi again,
>
> more on this! I managed to get a user without whitespace and I have bad
> news:
>
> while with a wrong DN/pass the connection is refused almost instantly
> with an authentication error, I cannot manage to authenticate using the
> proper DN/pass. I'm back to the original situation: the execution
> expired message.
>
> In the log I can see the following message for the wrong ID:
>
> Mon Jun 13 21:11:56 2011 [AuM][D]: Message received: AUTHENTICATE FAILURE 0 false
>
> Mon Jun 13 21:11:56 2011 [AuM][E]: Auth Error: false
> Mon Jun 13 21:11:56 2011 [ReM][E]: [VirtualMachinePoolInfo] User couldn't be authenticated, aborting call.
>
> But nothing for the right ID.
>
> Any idea on this?
>
> Regards.
>
>
> On 13/06/11 18:42, Carlos A. wrote:
> > Hi Tino,
> >
> > finally I think that I got it. The problem is that my DN has spaces in
> > the CN. So I think that the one_auth file is not properly handled and it
> > results in a failure whenever a space is used in this file. That is why I
> > got the same failure when changing the authentication method to "simple"
> > or even to a nonexistent method. It is simply because the authentication
> > method was not launched at all because of a previous error.
> >
> > The current problem is that I cannot authenticate because my DN has
> > spaces ;) so I cannot use it within OpenNebula. But at least I do not get
> > the "expired time" error and it outputs an authentication error.
> >
> > Any workaround on this?
> >
> > Regards,
> > Carlos A.
> >
> > Message quoted from "Carlos A."<caralla at upv.es>:
> >
> >> Hi,
> >> I get the expected output
> >> --
> >> Sent from my Android phone with K-9 Mail. Please excuse my brevity.
> >>
> >> Tino Vazquez<tinova at opennebula.org>  wrote:
> >>
> >> Hi Carlos,
> >>
> >> Let's try executing the auth mad by hand (the error, from your input,
> >> seems not to be specific to the ldap addon, but rather to the auth
> >> module), to rule out missing gems
> >>
> >> # $ONE_LOCATION/lib/mads/one_auth_mad
> >>
> >> after hitting return, it will wait for input, type
> >>
> >> INIT
> >>
> >> you should get
> >>
> >> INIT SUCCESS - -
> >>
> >> Regards,
> >>
> >> -Tino
> >>
> >> --
> >> Constantino Vázquez Blanco, MSc
> >> OpenNebula Major Contributor
> >> www.OpenNebula.org | @tinova79
> >>
> >>
> >>
> >> On Mon, Jun 13, 2011 at 1:29 PM, Carlos A.<caralla at upv.es>  wrote:
> >>> Hi Tino,
> >>>
> >>> more info on this.
> >>>
> >>> While using my test script to authenticate I can see the success in the
> >>> ldap server, but I cannot see any information when trying to
> >>> authenticate using ONE.
> >>>
> >>> On 13/06/11 12:43, Tino Vazquez wrote:
> >>>> Hi Carlos,
> >>>>
> >>>> This may be due to an eager timeout that the core imposes over the ldap
> >>>> driver.
> >>>>
> >>>> Please find attached a patch for the OpenNebula source code. Please
> >>>> apply it, recompile and reinstall; we would appreciate feedback on
> >>>> whether this fixes the improper ldap plugin behavior or not.
> >>>>
> >>>> Regards,
> >>>>
> >>>> -Tino
> >>>>
> >>>> --
> >>>> Constantino Vázquez Blanco, MSc
> >>>> OpenNebula Major Contributor
> >>>> www.OpenNebula.org | @tinova79
> >>>>
> >>>>
> >>>>
> >>>> On Sat, Jun 11, 2011 at 10:22 AM, Carlos A.<caralla at upv.es>   wrote:
> >>>>> Hello,
> >>>>>
> >>>>> any help on this? Is the ldap addon supposed to work with OpenNebula
> >>>>> 2.2? Has anyone tried it?
> >>>>>
> >>>>> On 09/06/2011 10:46, Carlos A. wrote:
> >>>>>> Hello,
> >>>>>>
> >>>>>> first of all, thank you for your response.
> >>>>>>
> >>>>>> Once I have managed to make ldap_auth work, I found the following
> >>>>>> issue:
> >>>>>>
> >>>>>> root at keo01:/srv/cloud/one# onevm list
> >>>>>> execution expired
> >>>>>>
> >>>>>> I cannot manage to authenticate against my ldap server. I have tried
> >>>>>> the ldap authentication that is carried out by ONE:
> >>>>>>
> >>>>>> require 'rubygems'
> >>>>>> require 'net/ldap'
> >>>>>> ldap = Net::LDAP.new
> >>>>>> ldap.host = "my.ldap.server"
> >>>>>> ldap.port = 389
> >>>>>> ldap.auth "my-dn", "my-pass"   # simple bind with the same DN/password ONE would use
> >>>>>> print ldap.bind                # true if the server accepted the credentials
> >>>>>>
> >>>>>> It is properly working, as my server authenticates me. I have (of
> >>>>>> course) tried changing the password and it works as expected.
> >>>>>>
> >>>>>> Diving into the code, it seems that there is some problem in the file
> >>>>>> "src/um/UserPool.cc", at
> >>>>>>         authm->trigger(AuthManager::AUTHENTICATE,&ar);
> >>>>>>         ar.wait();
> >>>>>>
> >>>>>> Any idea?
> >>>>>>
> >>>>>>
> >>>>>> On 09/06/11 00:51, Carsten.Friedrich at csiro.au wrote:
> >>>>>>> The official OpenNebula installation instructions for the ldap driver
> >>>>>>> are incomplete and fail to mention some software packages that you
> >>>>>>> have to install first. I don't remember which ones they were, but you
> >>>>>>> can find out as follows:
> >>>>>>>
> >>>>>>> * cd to .../lib/ruby
> >>>>>>> * execute 'ruby ldap_auth.rb'.
> >>>>>>> * Ruby will complain about any missing packages. Install those until
> >>>>>>> ruby is happy.
> >>>>>>>
> >>>>>>> Carsten
> >>>>>>>
> >>>>>>>
> >>>>>>> Carsten Friedrich
> >>>>>>> Research Team leader
> >>>>>>> ICT Centre, GPO Box 664,Canberra, ACT 2601
> >>>>>>> Phone: +61 2 6216 7019
> >>>>>>> Email: Carsten.Friedrich at csiro.au
> >>>>>>> Web:   http://www.csiro.au/org/ICT.html
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> -----Original Message-----
> >>>>>>> From: users-bounces at lists.opennebula.org
> >>>>>>> [mailto:users-bounces at lists.opennebula.org] On Behalf Of Carlos A.
> >>>>>>> Sent: Wednesday, 8 June 2011 18:17
> >>>>>>> To: users at lists.opennebula.org
> >>>>>>> Subject: Re: [one-users] Problem with ldap authentication
> >>>>>>>
> >>>>>>> any help on this?
> >>>>>>>
> >>>>>>> On 02/06/11 16:55, Carlos A. wrote:
> >>>>>>>> More information on this:
> >>>>>>>>
> >>>>>>>> in /srv/cloud/one/var/oned.log I can see
> >>>>>>>> Thu Jun  2 16:52:09 2011 [ONE][I]: Init OpenNebula Log system
> >>>>>>>> Thu Jun  2 16:52:09 2011 [ONE][I]: Log Level: 3
> >>>>>>>> [0=ERROR,1=WARNING,2=INFO,3=DEBUG]
> >>>>>>>> Thu Jun  2 16:52:09 2011 [ONE][I]:
> >>>>>>>> _____________________________________________
> >>>>>>>> Thu Jun  2 16:52:09 2011 [ONE][I]:      OpenNebula Configuration File
> >>>>>>>> Thu Jun  2 16:52:09 2011 [ONE][I]:
> >>>>>>>> _____________________________________________
> >>>>>>>> Thu Jun  2 16:52:09 2011 [ONE][I]:
> >>>>>>>> _____________________________________________
> >>>>>>>> AUTH_MAD=EXECUTABLE=/srv/cloud/one/lib/mads/one_auth_mad
> >>>>>>>> DB=BACKEND=sqlite
> >>>>>>>> DEBUG_LEVEL=3
> >>>>>>>> DEFAULT_DEVICE_PREFIX=hd
> >>>>>>>> DEFAULT_IMAGE_TYPE=OS
> >>>>>>>> HM_MAD=EXECUTABLE=one_hm
> >>>>>>>> HOST_MONITORING_INTERVAL=600
> >>>>>>>> IMAGE_REPOSITORY_PATH=/srv/cloud/one/var//images
> >>>>>>>> IM_MAD=ARGUMENTS=-r 0 -t 15 kvm,EXECUTABLE=one_im_ssh,NAME=im_kvm
> >>>>>>>> MAC_PREFIX=02:00
> >>>>>>>> MANAGER_TIMER=15
> >>>>>>>> NETWORK_SIZE=254
> >>>>>>>> PORT=2633
> >>>>>>>> SCRIPTS_REMOTE_DIR=/var/tmp/one
> >>>>>>>> TM_MAD=ARGUMENTS=tm_nfs/tm_nfs.conf,EXECUTABLE=one_tm,NAME=tm_nfs
> >>>>>>>> VM_DIR=/srv/cloud/one/var/
> >>>>>>>> VM_HOOK=ARGUMENTS=$VMID,COMMAND=image.rb,NAME=image,ON=DONE
> >>>>>>>> VM_MAD=ARGUMENTS=-t 15 -r 0 kvm,DEFAULT=vmm_ssh/vmm_ssh_kvm.conf,EXECUTABLE=one_vmm_ssh,NAME=vmm_kvm,TYPE=kvm
> >>>>>>>> VM_POLLING_INTERVAL=600
> >>>>>>>> VNC_BASE_PORT=5900
> >>>>>>>> _____________________________________________
> >>>>>>>> Thu Jun  2 16:52:09 2011 [ONE][I]: Bootstraping OpenNebula database.
> >>>>>>>> Thu Jun  2 16:52:09 2011 [VMM][I]: Starting Virtual Machine Manager...
> >>>>>>>> Thu Jun  2 16:52:09 2011 [LCM][I]: Starting Life-cycle Manager...
> >>>>>>>> Thu Jun  2 16:52:09 2011 [VMM][I]: Virtual Machine Manager started.
> >>>>>>>> Thu Jun  2 16:52:09 2011 [InM][I]: Starting Information Manager...
> >>>>>>>> Thu Jun  2 16:52:09 2011 [InM][I]: Information Manager started.
> >>>>>>>> Thu Jun  2 16:52:09 2011 [LCM][I]: Life-cycle Manager started.
> >>>>>>>> Thu Jun  2 16:52:09 2011 [TrM][I]: Starting Transfer Manager...
> >>>>>>>> Thu Jun  2 16:52:09 2011 [DiM][I]: Starting Dispatch Manager...
> >>>>>>>> Thu Jun  2 16:52:09 2011 [TrM][I]: Transfer Manager started.
> >>>>>>>> Thu Jun  2 16:52:09 2011 [DiM][I]: Dispatch Manager started.
> >>>>>>>> Thu Jun  2 16:52:09 2011 [ReM][I]: Starting Request Manager...
> >>>>>>>> Thu Jun  2 16:52:09 2011 [ReM][I]: Starting XML-RPC server, port 2633 ...
> >>>>>>>> Thu Jun  2 16:52:09 2011 [ReM][I]: Request Manager started.
> >>>>>>>> Thu Jun  2 16:52:09 2011 [HKM][I]: Starting Hook Manager...
> >>>>>>>> Thu Jun  2 16:52:09 2011 [AuM][I]: Starting Auth Manager...
> >>>>>>>> Thu Jun  2 16:52:09 2011 [AuM][I]: Authorization Manager started.
> >>>>>>>> Thu Jun  2 16:52:09 2011 [HKM][I]: Hook Manager started.
> >>>>>>>> Thu Jun  2 16:52:11 2011 [VMM][I]: Loading Virtual Machine Manager
> >>>>>>>> drivers.
> >>>>>>>> Thu Jun  2 16:52:11 2011 [VMM][I]:      Loading driver: vmm_kvm (KVM)
> >>>>>>>> Thu Jun  2 16:52:11 2011 [VMM][I]:      Driver vmm_kvm loaded.
> >>>>>>>> Thu Jun  2 16:52:11 2011 [InM][I]: Loading Information Manager
> >>>>>>>> drivers.
> >>>>>>>> Thu Jun  2 16:52:11 2011 [InM][I]:      Loading driver: im_kvm
> >>>>>>>> Thu Jun  2 16:52:11 2011 [InM][I]:      Driver im_kvm loaded
> >>>>>>>> Thu Jun  2 16:52:11 2011 [TM][I]: Loading Transfer Manager drivers.
> >>>>>>>> Thu Jun  2 16:52:11 2011 [VMM][I]:      Loading driver: tm_nfs
> >>>>>>>> Thu Jun  2 16:52:11 2011 [TM][I]:       Driver tm_nfs loaded.
> >>>>>>>> Thu Jun  2 16:52:11 2011 [HKM][I]: Loading Hook Manager driver.
> >>>>>>>> Thu Jun  2 16:52:11 2011 [HKM][I]:      Hook Manager loaded
> >>>>>>>> Thu Jun  2 16:52:11 2011 [AuM][I]: Loading Auth. Manager driver.
> >>>>>>>> Thu Jun  2 16:52:11 2011 [MAD][E]: MAD did not answer INIT command
> >>>>>>>> Thu Jun  2 16:52:12 2011 [ReM][D]: VirtualMachinePoolInfo method invoked
> >>>>>>>> Thu Jun  2 16:52:12 2011 [AuM][E]: Auth Error: Could not find Authorization driver
> >>>>>>>> Thu Jun  2 16:52:12 2011 [ReM][E]: [VirtualMachinePoolInfo] User couldn't be authenticated, aborting call.
> >>>>>>>>
> >>>>>>>> It seems that it cannot find the driver as a relative path name,
> >>>>>>>> but I have also tried to use the full path of the auth driver.
> >>>>>>>>
> >>>>>>>> Any help would be appreciated.
> >>>>>>>>
> >>>>>>>> Regards,
> >>>>>>>> Carlos A.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On 02/06/11 11:39, Carlos A. wrote:
> >>>>>>>>> Hello,
> >>>>>>>>>
> >>>>>>>>> I have just installed the ldap authentication addon on a fresh ONE
> >>>>>>>>> install. I followed the instructions and I found that I cannot
> >>>>>>>>> authenticate against the LDAP server.
> >>>>>>>>>
> >>>>>>>>> What am I doing wrong?
> >>>>>>>>>
> >>>>>>>>> _____________________________________________
> >>>>>>>>> carlos at keo01:~$ onevm list
> >>>>>>>>> [VirtualMachinePoolInfo] User couldn't be authenticated, aborting call.
> >>>>>>>>>
> >>>>>>>>> carlos at keo01:~$ tail /srv/cloud/one/var/oned.log
> >>>>>>>>> (...)
> >>>>>>>>> Thu Jun  2 11:27:22 2011 [AuM][E]: Auth Error: Could not find Authorization driver
> >>>>>>>>> Thu Jun  2 11:27:22 2011 [ReM][E]: [VirtualMachinePoolInfo] User couldn't be authenticated, aborting call.
> >>>>>>>>> (...)
> >>>>>>>>>
> >>>>>>>>> calfonso at keo01:/srv/cloud/one/lib/mads$ ls -l one_auth_mad*
> >>>>>>>>> -rwxr-xr-x 1 oneadmin root 1632 Jun  2 09:53 one_auth_mad
> >>>>>>>>> -rwxr-xr-x 1 oneadmin root 3341 Jun  2 09:58 one_auth_mad.rb
> >>>>>>>>>
> >>>>>>>>> carlos at keo01:/srv/cloud/one/lib/mads$ ls -l
> >>>>>>>>> /srv/cloud/one/lib/ruby/ldap_auth.rb
> >>>>>>>>> -rw-r--r-- 1 oneadmin cloud 1340 Jun  2 09:58
> >>>>>>>>> /srv/cloud/one/lib/ruby/ldap_auth.rb
> >>>>>>>>>
> >>>>>>>>> *** content of /srv/cloud/one/etc/auth/auth.conf
> >>>>>>>>> :database: sqlite://auth.db
> >>>>>>>>> :authentication: ldap
> >>>>>>>>> :quota:
> >>>>>>>>>    :enabled: false
> >>>>>>>>>    :defaults:
> >>>>>>>>>      :cpu: 10.0
> >>>>>>>>>      :memory: 1048576
> >>>>>>>>> :ldap:
> >>>>>>>>>      :host: my.ldap.server
> >>>>>>>>>      :port: 389
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> *** content of /srv/cloud/one/etc/oned.conf
> >>>>>>>>> (...)
> >>>>>>>>> AUTH_MAD = [
> >>>>>>>>>      executable = "one_auth_mad" ]
> >>>>>>>>>
> >>>>>>>>> _____________________________________________
> >>
>
> _______________________________________________
> Users mailing list
> Users at lists.opennebula.org
> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>
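Carlos's DN with a space in the CN, together with the "AUTHENTICATE FAILURE 0 false" line in his log, points at how the user field travels between the one_auth file, the core and the driver. The block below is an added example, not OpenNebula's code: it assumes a driver line protocol of space-separated fields (as the `INIT SUCCESS - -` exchange in the thread suggests) and a `user:password` layout for one_auth, and every function name in it is invented for the illustration. It shows what a whitespace split does to such a DN and one way to carry free-form fields safely.

```ruby
require 'base64'

# Assumption: the core sends the driver one message per line, fields separated
# by single spaces, e.g. "AUTHENTICATE <id> <user> <password>". A user field
# that is an LDAP DN such as "CN=Carlos A,OU=Users,DC=example,DC=org" breaks
# naive tokenising, because the DN itself contains a space.

# What a driver that splits on whitespace sees: the DN is cut at its space and
# the message has one field too many.
def naive_fields(line)
  line.strip.split(' ')
end

# URL-safe Base64 keeps free-form fields free of spaces and newlines on the wire.
def encode_field(s)
  Base64.urlsafe_encode64(s, padding: false)
end

def decode_field(s)
  Base64.urlsafe_decode64(s)
end

# Build the AUTHENTICATE line. Only the free-form fields are encoded; the
# framing fields stay plain so the receiver can still dispatch on them.
def encode_authenticate(id, user, password)
  ['AUTHENTICATE', Integer(id).to_s, encode_field(user), encode_field(password)].join(' ') + "\n"
end

# Parse it back. Fails closed: a wrong action or field count raises instead of
# guessing, so a malformed line can never be read as a valid login.
def decode_authenticate(line)
  action, id, user, password, *rest = line.strip.split(' ')
  unless action == 'AUTHENTICATE' && password && rest.empty?
    raise ArgumentError, 'malformed AUTHENTICATE message'
  end
  { id: Integer(id), user: decode_field(user), password: decode_field(password) }
end

# one_auth holds "user:password". Split at the FIRST colon only, so a password
# containing ':' survives and a DN with spaces or commas is kept whole.
def parse_one_auth(contents)
  user, password = contents.chomp.split(':', 2)
  if user.nil? || user.empty? || password.nil? || password.empty?
    raise ArgumentError, 'one_auth must contain user:password'
  end
  [user, password]
end
```

Whatever encoding a real driver uses, the two properties that matter are the ones the functions above enforce: the delimiter can never occur inside a field, and a message with the wrong shape is rejected rather than partially parsed.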
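Tino's manual check (start one_auth_mad by hand, type INIT, expect `INIT SUCCESS - -`) and Carsten's hint that a driver which dies on a missing gem never answers can be turned into a probe with a deadline, which is what the "MAD did not answer INIT" and "execution expired" symptoms in the thread call for. This is an added example, not OpenNebula tooling; `probe_mad_init` and `drain` are invented names, and the only assumption is that the driver speaks that line protocol on stdin/stdout and that `cmd` is the argv used to start it, e.g. `["/srv/cloud/one/lib/mads/one_auth_mad"]`.

```ruby
require 'open3'
require 'timeout'

# Read whatever is pending on io within `secs`, without blocking on a live child.
def drain(io, secs)
  return '' unless IO.select([io], nil, nil, secs)
  io.read_nonblock(65_536)
rescue EOFError, IO::WaitReadable
  ''
end

# Start the driver, send INIT, wait at most `timeout` seconds for its answer.
# Returns a hash: {ok:, reason:, reply:} plus :stderr or :error when relevant.
# The driver is always torn down, whether it answered, hung or crashed.
def probe_mad_init(cmd, timeout: 10)
  stdin, stdout, stderr, wait_thr = Open3.popen3(*cmd)
  begin
    stdin.write("INIT\n")
    stdin.flush
  rescue Errno::EPIPE
    # the driver exited before reading anything; report its stderr below
  end
  reply = Timeout.timeout(timeout) { stdout.gets }
  if reply && reply.start_with?('INIT SUCCESS')
    { ok: true, reason: :success, reply: reply.chomp }
  else
    # EOF before any answer usually means the driver died at startup; a
    # missing gem shows up as a LoadError on its stderr.
    { ok: false, reason: :bad_reply, reply: reply && reply.chomp, stderr: drain(stderr, 1) }
  end
rescue Timeout::Error
  # the "MAD did not answer INIT" case: no answer within the deadline
  { ok: false, reason: :timeout, reply: nil }
rescue Errno::ENOENT, Errno::EACCES => e
  { ok: false, reason: :cannot_start, reply: nil, error: e.message }
ensure
  # Never leave a wedged driver behind: close the pipes, then TERM, then KILL.
  [stdin, stdout, stderr].compact.each { |io| io.close unless io.closed? }
  if wait_thr && wait_thr.alive?
    Process.kill('TERM', wait_thr.pid) rescue nil
    wait_thr.join(2) || (Process.kill('KILL', wait_thr.pid) rescue nil)
  end
end
```

Run it from a health check or from the shell that starts oned: a `:bad_reply` with a LoadError on stderr is the missing-gem case from Carsten's message, a `:timeout` is the hang that surfaces as "execution expired" on the client side, and `:cannot_start` is a wrong path or missing execute bit on the driver.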