<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
ok, I am getting somewhere I think... (version OpenNebula 3.1.0 -
taken from the oned.log)<br>
<br>
So the first problem was that AUTH_DRIVERwas set to core. Once I
manually updated it to x509, I started seeing actual error messages
in the oned.log.<br>
<br>
Fri Dec 16 15:26:40 2011 [ReM][D]: HostPoolInfo method invoked<br>
Fri Dec 16 15:26:40 2011 [AuM][D]: Message received: LOG I 1 Command
execution fail: /var/lib/one/remotes/auth/x509/authenticate oneadmin
<encrypted password> <encrypted proxy><br>
<br>
Fri Dec 16 15:26:40 2011 [AuM][I]: Command execution fail:
/var/lib/one/remotes/auth/x509/authenticate oneadmin <encrypted
password> <encrypted proxy><br>
Fri Dec 16 15:26:40 2011 [AuM][D]: Message received: LOG E 1
Certificate subject missmatch<br>
<br>
Fri Dec 16 15:26:40 2011 [AuM][I]: Certificate subject missmatch<br>
Fri Dec 16 15:26:40 2011 [AuM][D]: Message received: LOG I 1
ExitCode: 255<br>
<br>
Fri Dec 16 15:26:40 2011 [AuM][I]: ExitCode: 255<br>
Fri Dec 16 15:26:40 2011 [AuM][D]: Message received: AUTHENTICATE
FAILURE 1 Certificate subject missmatch<br>
<br>
Fri Dec 16 15:26:40 2011 [AuM][E]: Auth Error: Certificate subject
missmatch<br>
Fri Dec 16 15:26:40 2011 [ReM][E]: [HostPoolInfo] User couldn't be
authenticated, aborting call.<br>
<br>
So from what I can tell, the dn is encrypted then base64 encoded
prior to insertion into the database. The problem is that there
does not seem to be a corresponding decode/decrypt operation prior
to passing the password to the authenticate script.<br>
<br>
The docs suggest that there should be a --plain option for the
password that can be used with the DNs however that seems to have
been removed from the oneuser utility.<br>
<br>
Any suggestions on how to proceed?<br>
<br>
Thanks,<br>
<br>
<pre class="moz-signature" cols="72">Anthony Tiradani
<a class="moz-txt-link-abbreviated" href="mailto:tiradani@fnal.gov">tiradani@fnal.gov</a>
+1 630 840 4479</pre>
<br>
On 12/16/2011 12:39 PM, Anthony Tiradani wrote:
<blockquote cite="mid:4EEB9049.6080800@fnal.gov" type="cite">
<pre wrap="">Quick question: I have my oneadmin user setup for x509
authentication... at least I thought I did. When I query the one.db
database, I see:
0|oneadmin|<USER><ID>0</ID><GID>0</GID><GNAME>oneadmin</GNAME><NAME>oneadmin</NAME><PASSWORD>Hash/Encrypted
Value Goes
Here</PASSWORD><AUTH_DRIVER>core</AUTH_DRIVER><ENABLED>1</ENABLED><TEMPLATE></TEMPLATE></USER>
If I have it setup for x509, why do I see "core" as my AUTH_DRIVER?
Also, what is in the password field? Is that the encrypted DN or
something else?
Thanks,
Anthony Tiradani
<a class="moz-txt-link-abbreviated" href="mailto:tiradani@fnal.gov">tiradani@fnal.gov</a>
+1 630 840 4479
On 12/16/2011 11:53 AM, Daniel Molina wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi,
On 16 December 2011 05:01, Anthony Tiradani <a class="moz-txt-link-rfc2396E" href="mailto:tiradani@fnal.gov"><tiradani@fnal.gov></a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">I should also mention that this is an OpenNebula 3.1 installation (via the
rpm) on Scientific Linux 6.1. I have the DEBUG setting set to 3 which
according to the comments in oned.conf should be the most verbose.
</pre>
</blockquote>
<pre wrap="">The logs should show more information, something like:
Fri Dec 16 09:49:45 2011 [AuM][D]: Message received: AUTHENTICATE SUCCESS 1526 -
and in case of FAILURE it will contain information about it
</pre>
<blockquote type="cite">
<pre wrap="">In trying to debug, I used the authenticate script in
/var/lib/one/remotes/auth/x509 which imports and uses
/usr/lib/one/ruby/x509_auth.rb. If I take the token that is decrypted from
the file /var/lib/one/.one/one_x509 I can perform openssl operations on it
and verify it. If I run the values through the authenticate script, I find
that there is a problem parsing the CA chain. When it calculates the hash
value for the CA, it is dropping a leading 0 which makes the file path
invalid. Could this be the problem?
</pre>
</blockquote>
<pre wrap="">Would yo mind to try with a symlink and check if that fixes the problem?
Kind regards.
</pre>
<blockquote type="cite">
<pre wrap="">Thanks,
Anthony Tiradani
<a class="moz-txt-link-abbreviated" href="mailto:tiradani@fnal.gov">tiradani@fnal.gov</a>
+1 630 840 4479
On 12/15/11 5:07 PM, Anthony Tiradani wrote:
This is the only message I get in oned.log:
Thu Dec 15 17:05:47 2011 [ReM][E]: [HostPoolInfo] User couldn't be
authenticated, aborting call.
I am running onehost list when I see that error.
Anthony Tiradani
<a class="moz-txt-link-abbreviated" href="mailto:tiradani@fnal.gov">tiradani@fnal.gov</a>
+1 630 840 4479
On 12/15/2011 03:40 PM, Ruben S. Montero wrote:
Hi,
Could you send the messages in oned.log file? You should see there
messages from the driver describing the error...
Cheers
Ruben
On Thu, Dec 15, 2011 at 5:31 PM, Anthony Tiradani <a class="moz-txt-link-rfc2396E" href="mailto:tiradani@fnal.gov"><tiradani@fnal.gov></a> wrote:
Hi,
I am trying to setup OpenNebula with x509 authentication. I am using
sqlite as the DB back end for now. I am following the documentation
here: <a class="moz-txt-link-freetext" href="http://opennebula.org/documentation:rel3.0:x509_auth">http://opennebula.org/documentation:rel3.0:x509_auth</a>
I've configured everything correctly as far as I can tell. I can
successfully use x509 to login, but after 24 hours (no matter what I set
the expire time to with the --time argument) I get error messages saying
that the user couldn't be authenticated.
I've tried re-running the "oneuser login ..." command to no avail. The
only thing that works is if I delete one.db and restart OpenNebula.
Then I can log in just fine, but all the configuration that I have done
is lost. What do I have to do to fix this?
Thanks,
--
Anthony Tiradani
<a class="moz-txt-link-abbreviated" href="mailto:tiradani@fnal.gov">tiradani@fnal.gov</a>
+1 630 840 4479
_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@lists.opennebula.org">Users@lists.opennebula.org</a>
<a class="moz-txt-link-freetext" href="http://lists.opennebula.org/listinfo.cgi/users-opennebula.org">http://lists.opennebula.org/listinfo.cgi/users-opennebula.org</a>
_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@lists.opennebula.org">Users@lists.opennebula.org</a>
<a class="moz-txt-link-freetext" href="http://lists.opennebula.org/listinfo.cgi/users-opennebula.org">http://lists.opennebula.org/listinfo.cgi/users-opennebula.org</a>
_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@lists.opennebula.org">Users@lists.opennebula.org</a>
<a class="moz-txt-link-freetext" href="http://lists.opennebula.org/listinfo.cgi/users-opennebula.org">http://lists.opennebula.org/listinfo.cgi/users-opennebula.org</a>
</pre>
</blockquote>
<pre wrap="">
</pre>
</blockquote>
<pre wrap="">
</pre>
<pre wrap="">
<fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@lists.opennebula.org">Users@lists.opennebula.org</a>
<a class="moz-txt-link-freetext" href="http://lists.opennebula.org/listinfo.cgi/users-opennebula.org">http://lists.opennebula.org/listinfo.cgi/users-opennebula.org</a>
</pre>
</blockquote>
</body>
</html>