[one-users] OpenNebula and FreeIPA authentication

Peter Harris doilooksensible at gmail.com
Thu Dec 11 08:41:26 PST 2014


Thanks Javier

Output from onegroup list -x
----------------------------------------------------------------------
<GROUP_POOL>
  <GROUP>
    <ID>0</ID>
    <NAME>oneadmin</NAME>
    <TEMPLATE/>
    <USERS>
      <ID>0</ID>
      <ID>1</ID>
    </USERS>
  </GROUP>
  <QUOTAS>
    <ID>0</ID>
    <DATASTORE_QUOTA/>
    <NETWORK_QUOTA/>
    <VM_QUOTA/>
    <IMAGE_QUOTA/>
  </QUOTAS>
  <GROUP>
    <ID>1</ID>
    <NAME>users</NAME>
    <TEMPLATE/>
    <USERS>
      <ID>2</ID>
    </USERS>
    <RESOURCE_PROVIDER>
      <ZONE_ID>0</ZONE_ID>
      <CLUSTER_ID>10</CLUSTER_ID>
    </RESOURCE_PROVIDER>
  </GROUP>
  <QUOTAS>
    <ID>1</ID>
    <DATASTORE_QUOTA/>
    <NETWORK_QUOTA/>
    <VM_QUOTA/>
    <IMAGE_QUOTA/>
  </QUOTAS>
  <DEFAULT_GROUP_QUOTAS>
    <DATASTORE_QUOTA/>
    <NETWORK_QUOTA/>
    <VM_QUOTA/>
    <IMAGE_QUOTA/>
  </DEFAULT_GROUP_QUOTAS>
</GROUP_POOL>
----------------------------------------------------------------------

my /etc/one/auth/ldap_auth.conf
----------------------------------------------------------------------

    # Ldap authentication method
    :auth_method: :simple

    # Ldap server
    :host: ipa1.lab.mycompany.com
    :port: 389

    # Uncomment this line for TLS connections
    #:encryption: :simple_tls

    # base hierarchy where to search for users and groups
    :base: 'cn=users,cn=accounts,dc=lab,dc=mycompany,dc=com'

    # group the users need to belong to. If not set any user will do
    #:group: 'cn=cloud,ou=groups,dc=domain'

    # field that holds the user name, if not set 'cn' will be used
    :user_field: 'uid'

    # for Active Directory use this user_field instead
    #:user_field: 'sAMAccountName'

    # field name for group membership, by default it is 'member'
    #:group_field: 'member'

    # user field that is in the group's group_field, if not set 'dn' will be used
    #:user_group_field: 'dn'

    # Generate mapping file from group template info
    #:mapping_generate: true
    :mapping_generate: false

    # Seconds a mapping file remain untouched until the next regeneration
    :mapping_timeout: 300

    # Name of the mapping file in the OpenNebula var directory
    :mapping_filename: server1.yaml

    # Key from the OpenNebula template to map to an AD group
    :mapping_key: GROUP_DN

    # Default group ID used for users in an AD group not mapped
    :mapping_default: 1
----------------------------------------------------------------------

I can confirm that setting mapping_generate to false allows my user to get
in, many thanks for that.

I currently have vm groups configured in IPA, but happy enough to manage
these groups in OpenNebula if the group mapping for FreeIPA is problematic.

Thanks again

Peter

On 11 December 2014 at 09:12, Javier Fontan <jfontan at opennebula.org> wrote:
>
> There seems to be a problem getting the groups from OpenNebula. Can you
> send us the output of:
>
> onegroup list -x
>
> To fix the problem you can disable mapping generation adding this line to
> the server configuration:
>
> :mapping_generate: false
>
> Cheers
>
> On Mon Dec 08 2014 at 3:55:46 PM Mr Sensible <doilooksensible at gmail.com>
> wrote:
>
>> I am struggling a little bit with hooking my test OpenNebula in to my
>> existing FreeIPA authentication domain.
>>
>> I am currently running OpenNebula 4.10.1 on CentOS 6.5, and I am
>> trying to connect it to my existing FreeIPA 3.0.0 server.
>>
>> I currently have three services authenticating via ldap to the IPA
>> server, so I "think" that bit is right.
>>
>> When I install OpenNebula for the first time, get everything set up, add
>> the ldap authentication config, everything looks OK. I create a user in
>> Sunstone, set the auth method to LDAP, and then successfully sign in to
>> Sunstone. Happy face.
>> I change the user to oneadmin group in Sunstone.
>>
>> The following day, I am no longer able to log in as that user, and no
>> amount of deleting user and re-adding user seems to make any difference.
>> I have also tried NOT creating the user via sunstone, and just logging
>> in, same errors.
>>
>> Does anybody have any idea what I might be doing wrong, or even where I
>> can look to figure what is not working? Config and log files below. Many
>> thanks in advance.
>>
>> ------------------------------
>> oned.conf
>> ---------------------------
>> AUTH_MAD = [
>>      executable = "one_auth_mad",
>>      authn = "ssh,x509,ldap,default,server_cipher,server_x509"
>> ]
>>
>> ------------------------------
>> ldap_auth.conf
>> ----------------------------
>> server 1:
>>      # Ldap authentication method
>>      :auth_method: :simple
>>
>>      # Ldap server
>>      :host: ipa1.lab.company.com
>>      :port: 389
>>
>>      # Uncomment this line for TLS connections
>>      #:encryption: :simple_tls
>>
>>      # base hierarchy where to search for users and groups
>>      :base: 'cn=users,cn=accounts,dc=lab,dc=company,dc=com'
>>
>>      # group the users need to belong to. If not set any user will do
>>      #:group: 'cn=users,cn=accounts'
>>
>>      # field that holds the user name, if not set 'cn' will be used
>>      :user_field: 'uid'
>>
>>   :order:
>>       - server 1
>>
>> ------------------------------
>> oned.log
>> ------------------------------
>> Mon Dec  8 13:24:50 2014 [Z0][ReM][D]: Req:8640 UID:-1 GroupPoolInfo
>> invoked
>> Mon Dec  8 13:24:50 2014 [Z0][ReM][E]: Req:8640 UID:- GroupPoolInfo
>> result FAILURE [GroupPoolInfo] User couldn't be authenticated, aborting
>> call.
>> Mon Dec  8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1 Command
>> execution fail: /var/lib/one/remotes/auth/ldap/authenticate peter.harris
>> - ****
>>
>> Mon Dec  8 13:24:50 2014 [Z0][AuM][I]: Command execution fail:
>> /var/lib/one/remotes/auth/ldap/authenticate peter.harris - ****
>> Mon Dec  8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1 Trying
>> server server 1
>>
>> Mon Dec  8 13:24:50 2014 [Z0][AuM][I]: Trying server server 1
>> Mon Dec  8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1
>> Exception raised authenticating to LDAP
>>
>> Mon Dec  8 13:24:50 2014 [Z0][AuM][I]: Exception raised authenticating
>> to LDAP
>> Mon Dec  8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1
>> #<NoMethodError: undefined method `children' for nil:NilClass>
>>
>> Mon Dec  8 13:24:50 2014 [Z0][AuM][I]: #<NoMethodError: undefined method
>> `children' for nil:NilClass>
>> Mon Dec  8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1
>> /usr/lib/one/ruby/opennebula/xml_element.rb:357:in `build_hash'
>>
>> Mon Dec  8 13:24:50 2014 [Z0][AuM][I]:
>> /usr/lib/one/ruby/opennebula/xml_element.rb:357:in `build_hash'
>> Mon Dec  8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1
>> /usr/lib/one/ruby/opennebula/xml_element.rb:341:in `to_hash'
>>
>> Mon Dec  8 13:24:50 2014 [Z0][AuM][I]:
>> /usr/lib/one/ruby/opennebula/xml_element.rb:341:in `to_hash'
>> Mon Dec  8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1
>> /usr/lib/one/ruby/opennebula/ldap_auth.rb:93:in `generate_mapping'
>>
>> Mon Dec  8 13:24:50 2014 [Z0][AuM][I]:
>> /usr/lib/one/ruby/opennebula/ldap_auth.rb:93:in `generate_mapping'
>> Mon Dec  8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1
>> /usr/lib/one/ruby/opennebula/ldap_auth.rb:69:in `initialize'
>>
>> Mon Dec  8 13:24:50 2014 [Z0][AuM][I]:
>> /usr/lib/one/ruby/opennebula/ldap_auth.rb:69:in `initialize'
>> Mon Dec  8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1
>> /var/lib/one/remotes/auth/ldap/authenticate:69:in `new'
>>
>> Mon Dec  8 13:24:50 2014 [Z0][AuM][I]:
>> /var/lib/one/remotes/auth/ldap/authenticate:69:in `new'
>> Mon Dec  8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1
>> /var/lib/one/remotes/auth/ldap/authenticate:69
>>
>> Mon Dec  8 13:24:50 2014 [Z0][AuM][I]:
>> /var/lib/one/remotes/auth/ldap/authenticate:69
>> Mon Dec  8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1
>> /var/lib/one/remotes/auth/ldap/authenticate:59:in `each'
>>
>> Mon Dec  8 13:24:50 2014 [Z0][AuM][I]:
>> /var/lib/one/remotes/auth/ldap/authenticate:59:in `each'
>> Mon Dec  8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1
>> /var/lib/one/remotes/auth/ldap/authenticate:59
>>
>> Mon Dec  8 13:24:50 2014 [Z0][AuM][I]:
>> /var/lib/one/remotes/auth/ldap/authenticate:59
>> Mon Dec  8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1 Could
>> not authenticate user peter.harris
>>
>> Mon Dec  8 13:24:50 2014 [Z0][AuM][I]: Could not authenticate user
>> peter.harris
>> Mon Dec  8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1
>> ExitCode: 255
>>
>> Mon Dec  8 13:24:50 2014 [Z0][AuM][I]: ExitCode: 255
>> Mon Dec  8 13:24:50 2014 [Z0][AuM][D]: Message received: AUTHENTICATE
>> FAILURE 1 -
>>
>> Mon Dec  8 13:24:50 2014 [Z0][AuM][E]: Auth Error:
>> Mon Dec  8 13:24:50 2014 [Z0][ReM][D]: Req:6320 UID:-1 UserInfo invoked ,
>> -1
>> Mon Dec  8 13:24:50 2014 [Z0][ReM][E]: Req:6320 UID:- UserInfo result
>> FAILURE [UserInfo] User couldn't be authenticated, aborting call.
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.opennebula.org
>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>
>
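The exchange above turns on the `:mapping_generate:` step: the LDAP driver reads the group pool (the `onegroup list -x` output), looks for the `:mapping_key:` (here `GROUP_DN`) in each group's template, and writes the resulting DN-to-group-ID table to `:mapping_filename:`; users whose LDAP groups match no entry fall back to `:mapping_default:`. The script below is an added illustration of that logic, not OpenNebula's own `ldap_auth.rb`. It reproduces the shape of the group pool from the thread (groups 0 and 1 with an empty `<TEMPLATE/>`) and adds an assumed group 100 named `cloud` with an assumed `GROUP_DN`, so one mapping entry exists. Empty or missing templates are skipped rather than dereferenced, which is the failure class the `NoMethodError ... for nil:NilClass` trace shows. Case-insensitive DN comparison is a choice made here for the example.

```ruby
require 'rexml/document'
require 'yaml'

# Constructed sample group pool in the shape `onegroup list -x` returns.
# Groups 0 and 1 mirror the thread (empty <TEMPLATE/>); group 100 "cloud" and
# its GROUP_DN are assumed values added so the mapping has one populated entry.
GROUP_POOL_XML = <<~XML
  <GROUP_POOL>
    <GROUP>
      <ID>0</ID>
      <NAME>oneadmin</NAME>
      <TEMPLATE/>
    </GROUP>
    <GROUP>
      <ID>1</ID>
      <NAME>users</NAME>
      <TEMPLATE/>
    </GROUP>
    <GROUP>
      <ID>100</ID>
      <NAME>cloud</NAME>
      <TEMPLATE>
        <GROUP_DN><![CDATA[cn=cloud,cn=groups,cn=accounts,dc=lab,dc=mycompany,dc=com]]></GROUP_DN>
      </TEMPLATE>
    </GROUP>
  </GROUP_POOL>
XML

# Values taken from the ldap_auth.conf posted in the thread.
MAPPING_KEY     = 'GROUP_DN'
MAPPING_DEFAULT = 1

# Build { ldap_group_dn => opennebula_group_id } from the group pool XML.
# A group whose <TEMPLATE/> is empty, or that has no template or no mapping
# key, contributes nothing instead of raising on a nil element.
def generate_mapping(xml, key = MAPPING_KEY)
  doc = REXML::Document.new(xml)
  mapping = {}
  doc.elements.each('GROUP_POOL/GROUP') do |group|
    id       = group.elements['ID'].text.to_i
    template = group.elements['TEMPLATE']
    next if template.nil? || !template.has_elements?

    dn_el = template.elements[key]
    next if dn_el.nil? || dn_el.text.nil? || dn_el.text.strip.empty?

    # DNs are matched case-insensitively in LDAP; normalise so a FreeIPA
    # 'CN=Cloud,...' and a template 'cn=cloud,...' resolve to the same group.
    mapping[dn_el.text.strip.downcase] = id
  end
  mapping
end

# Pick the OpenNebula group for a user from the DNs of the LDAP groups they
# belong to: first mapped DN wins, otherwise the configured default group.
def resolve_group(mapping, member_of, default = MAPPING_DEFAULT)
  member_of.each do |dn|
    gid = mapping[dn.strip.downcase]
    return gid unless gid.nil?
  end
  default
end

if __FILE__ == $PROGRAM_NAME
  mapping = generate_mapping(GROUP_POOL_XML)
  puts mapping.to_yaml   # what the :mapping_filename: (server1.yaml) would hold
  puts resolve_group(mapping, ['cn=cloud,cn=groups,cn=accounts,dc=lab,dc=mycompany,dc=com'])
  puts resolve_group(mapping, ['cn=other,cn=groups,cn=accounts,dc=lab,dc=mycompany,dc=com'])
end
```

Two points worth checking against the posted configuration: `:mapping_default:` decides the privileges of every LDAP user whose groups are not mapped, so it should stay a least-privileged group (never 0, which is oneadmin), and with `:group:` left commented out the config's own comment applies ("If not set any user will do"), so every FreeIPA account that can bind gets a Sunstone login. The posted `:port: 389` with `:encryption:` commented out also means the simple bind carries the user's password to the IPA server in clear text.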