[one-users] OpenNebula and FreeIPA authentication

Javier Fontan jfontan at opennebula.org
Thu Dec 11 01:12:36 PST 2014 

There seems to be a problem getting the groups from OpenNebula. Can you
send us the output of:

onegroup list -x

To fix the problem you can disable mapping generation adding this line to
the server configuration:

:mapping_generate: false

Cheers

On Mon Dec 08 2014 at 3:55:46 PM Mr Sensible <doilooksensible at gmail.com>
wrote:

> I am struggling a little bit with hooking my test OpenNebula in to my
> existing FreeIPA authentication domain.
>
> I am currently running OpenNebula 4.10.1 running on Centos 6.5, and I am
> trying to connect it to my existing FreeIPA 3.0.0 server.
>
> I currently have three services authenticating via ldap to the IPA
> server, so I "think" that bit is right.
>
> When I install opennebula for the first time, get everything setup, add
> the ldap authentication config, everything looks OK. I create a user in
> Sunstone, set the auth method to LDAP, and then successfully sign in to
> Sunstone. Happy face.
> I change the user to oneadmin group in Sunstone.
>
> The following day, I am no longer able to log in as that user, and no
> amount of deleting user and re-adding user seems to make any difference.
> I have also tried NOT creating the user via sunstone, and just logging
> in, same errors.
>
> Does anybody have any idea what I might be doing wrong, or even where I
> can look to figure what is not working? Config and log files below. Many
> thanks in advance.
>
> ------------------------------
> oned.conf
> ---------------------------
> AUTH_MAD = [
>      executable = "one_auth_mad",
>      authn = "ssh,x509,ldap,default,server_cipher,server_x509"
> ]
>
> ------------------------------
> ldap_auth.conf
> ----------------------------
> server 1:
>      # Ldap authentication method
>      :auth_method: :simple
>
>      # Ldap server
>      :host: ipa1.lab.company.com
>      :port: 389
>
>      # Uncomment this line for tsl conections
>      #:encryption: :simple_tls
>
>      # base hierarchy where to search for users and groups
>      :base: 'cn=users,cn=accounts,dc=lab,dc=company,dc=com'
>
>      # group the users need to belong to. If not set any user will do
>      #:group: 'cn=users,cn=accounts'
>
>      # field that holds the user name, if not set 'cn' will be used
>      :user_field: 'uid'
>
>   :order:
>       - server 1
>
> ------------------------------
> oned.log
> ------------------------------
> Mon Dec  8 13:24:50 2014 [Z0][ReM][D]: Req:8640 UID:-1 GroupPoolInfo
> invoked
> Mon Dec  8 13:24:50 2014 [Z0][ReM][E]: Req:8640 UID:- GroupPoolInfo
> result FAILURE [GroupPoolInfo] User couldn't be authenticated, aborting
> call.
> Mon Dec  8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1 Command
> execution fail: /var/lib/one/remotes/auth/ldap/authenticate peter.harris
> - ****
>
> Mon Dec  8 13:24:50 2014 [Z0][AuM][I]: Command execution fail:
> /var/lib/one/remotes/auth/ldap/authenticate peter.harris - ****
> Mon Dec  8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1 Trying
> server server 1
>
> Mon Dec  8 13:24:50 2014 [Z0][AuM][I]: Trying server server 1
> Mon Dec  8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1
> Exception raised authenticating to LDAP
>
> Mon Dec  8 13:24:50 2014 [Z0][AuM][I]: Exception raised authenticating
> to LDAP
> Mon Dec  8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1
> #<NoMethodError: undefined method `children' for nil:NilClass>
>
> Mon Dec  8 13:24:50 2014 [Z0][AuM][I]: #<NoMethodError: undefined method
> `children' for nil:NilClass>
> Mon Dec  8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1
> /usr/lib/one/ruby/opennebula/xml_element.rb:357:in `build_hash'
>
> Mon Dec  8 13:24:50 2014 [Z0][AuM][I]:
> /usr/lib/one/ruby/opennebula/xml_element.rb:357:in `build_hash'
> Mon Dec  8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1
> /usr/lib/one/ruby/opennebula/xml_element.rb:341:in `to_hash'
>
> Mon Dec  8 13:24:50 2014 [Z0][AuM][I]:
> /usr/lib/one/ruby/opennebula/xml_element.rb:341:in `to_hash'
> Mon Dec  8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1
> /usr/lib/one/ruby/opennebula/ldap_auth.rb:93:in `generate_mapping'
>
> Mon Dec  8 13:24:50 2014 [Z0][AuM][I]:
> /usr/lib/one/ruby/opennebula/ldap_auth.rb:93:in `generate_mapping'
> Mon Dec  8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1
> /usr/lib/one/ruby/opennebula/ldap_auth.rb:69:in `initialize'
>
> Mon Dec  8 13:24:50 2014 [Z0][AuM][I]:
> /usr/lib/one/ruby/opennebula/ldap_auth.rb:69:in `initialize'
> Mon Dec  8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1
> /var/lib/one/remotes/auth/ldap/authenticate:69:in `new'
>
> Mon Dec  8 13:24:50 2014 [Z0][AuM][I]:
> /var/lib/one/remotes/auth/ldap/authenticate:69:in `new'
> Mon Dec  8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1
> /var/lib/one/remotes/auth/ldap/authenticate:69
>
> Mon Dec  8 13:24:50 2014 [Z0][AuM][I]:
> /var/lib/one/remotes/auth/ldap/authenticate:69
> Mon Dec  8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1
> /var/lib/one/remotes/auth/ldap/authenticate:59:in `each'
>
> Mon Dec  8 13:24:50 2014 [Z0][AuM][I]:
> /var/lib/one/remotes/auth/ldap/authenticate:59:in `each'
> Mon Dec  8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1
> /var/lib/one/remotes/auth/ldap/authenticate:59
>
> Mon Dec  8 13:24:50 2014 [Z0][AuM][I]:
> /var/lib/one/remotes/auth/ldap/authenticate:59
> Mon Dec  8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1 Could
> not authenticate user peter.harris
>
> Mon Dec  8 13:24:50 2014 [Z0][AuM][I]: Could not authenticate user
> peter.harris
> Mon Dec  8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1
> ExitCode: 255
>
> Mon Dec  8 13:24:50 2014 [Z0][AuM][I]: ExitCode: 255
> Mon Dec  8 13:24:50 2014 [Z0][AuM][D]: Message received: AUTHENTICATE
> FAILURE 1 -
>
> Mon Dec  8 13:24:50 2014 [Z0][AuM][E]: Auth Error:
> Mon Dec  8 13:24:50 2014 [Z0][ReM][D]: Req:6320 UID:-1 UserInfo invoked ,
> -1
> Mon Dec  8 13:24:50 2014 [Z0][ReM][E]: Req:6320 UID:- UserInfo result
> FAILURE [UserInfo] User couldn't be authenticated, aborting call.
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opennebula.org
> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opennebula.org/pipermail/users-opennebula.org/attachments/20141211/60054a4a/attachment-0001.htm>

More information about the Users mailing list