<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Hi,<br>
<br>
So are you telling me that version 3.1 == version 3.2? If so, can
you please point me to the page that explains the version numbering
system? Once you gave me the hint that I was actually using version
3.2 (not version 3.1, which is what I thought I downloaded), I
finally found the links to the 3.2 documentation.<br>
<br>
Thanks,<br>
<pre class="moz-signature" cols="72">Anthony Tiradani
<a class="moz-txt-link-abbreviated" href="mailto:tiradani@fnal.gov">tiradani@fnal.gov</a>
+1 630 840 4479</pre>
<br>
On 12/16/2011 04:39 PM, Ruben S. Montero wrote:
<blockquote
cite="mid:CAGi56teBgBvbXf2-74cC+8rA+cJEDejxEnnntYRmHNX1+K0bhg@mail.gmail.com"
type="cite">Hi
<div><br>
</div>
<div>This error</div>
<div><br>
</div>
<div>Fri Dec 16 15:26:40 2011 [AuM][E]: Auth Error: Certificate
subject missmatch</div>
<div><br>
</div>
<div>Usually means that the DN registered in the OpenNebula db
(i.e. the password of the user) is different from that used to
generate the token. Have you created the user as explained in
[1]?</div>
<div><br>
</div>
<div>[1] <a moz-do-not-send="true"
href="http://www.opennebula.org/documentation:rel3.2:x509_auth">http://www.opennebula.org/documentation:rel3.2:x509_auth</a></div>
<div><br>
</div>
<div>Cheers</div>
<div><br>
</div>
<div>Ruben</div>
<div>
<br>
</div>
<div>PS: You are using a devel version, the documentation for that
release is in <a moz-do-not-send="true"
href="http://www.opennebula.org/documentation:rel3.2">http://www.opennebula.org/documentation:rel3.2</a>.<br>
<br>
<div class="gmail_quote">
On Fri, Dec 16, 2011 at 11:18 PM, Anthony Tiradani <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:tiradani@fnal.gov">tiradani@fnal.gov</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000"> ok, I am getting
somewhere I think... (version OpenNebula 3.1.0 - taken
from the oned.log)<br>
<br>
So the first problem was that AUTH_DRIVERwas set to core.
Once I manually updated it to x509, I started seeing
actual error messages in the oned.log.<br>
<br>
Fri Dec 16 15:26:40 2011 [ReM][D]: HostPoolInfo method
invoked<br>
Fri Dec 16 15:26:40 2011 [AuM][D]: Message received: LOG I
1 Command execution fail:
/var/lib/one/remotes/auth/x509/authenticate oneadmin
<encrypted password> <encrypted proxy><br>
<br>
Fri Dec 16 15:26:40 2011 [AuM][I]: Command execution fail:
/var/lib/one/remotes/auth/x509/authenticate oneadmin
<encrypted password> <encrypted proxy><br>
Fri Dec 16 15:26:40 2011 [AuM][D]: Message received: LOG E
1 Certificate subject missmatch<br>
<br>
Fri Dec 16 15:26:40 2011 [AuM][I]: Certificate subject
missmatch<br>
Fri Dec 16 15:26:40 2011 [AuM][D]: Message received: LOG I
1 ExitCode: 255<br>
<br>
Fri Dec 16 15:26:40 2011 [AuM][I]: ExitCode: 255<br>
Fri Dec 16 15:26:40 2011 [AuM][D]: Message received:
AUTHENTICATE FAILURE 1 Certificate subject missmatch<br>
<br>
Fri Dec 16 15:26:40 2011 [AuM][E]: Auth Error: Certificate
subject missmatch<br>
Fri Dec 16 15:26:40 2011 [ReM][E]: [HostPoolInfo] User
couldn't be authenticated, aborting call.<br>
<br>
So from what I can tell, the dn is encrypted then base64
encoded prior to insertion into the database. The problem
is that there does not seem to be a corresponding
decode/decrypt operation prior to passing the password to
the authenticate script.<br>
<br>
The docs suggest that there should be a --plain option for
the password that can be used with the DNs however that
seems to have been removed from the oneuser utility.<br>
<br>
Any suggestions on how to proceed?
<div class="im"><br>
<br>
Thanks,<br>
<br>
<pre cols="72">Anthony Tiradani
<a moz-do-not-send="true" href="mailto:tiradani@fnal.gov" target="_blank">tiradani@fnal.gov</a>
<a moz-do-not-send="true" href="tel:%2B1%20630%20840%204479" value="+16308404479" target="_blank">+1 630 840 4479</a></pre>
<br>
</div>
<div>
<div class="h5"> On 12/16/2011 12:39 PM, Anthony
Tiradani wrote:
<blockquote type="cite">
<pre>Quick question: I have my oneadmin user setup for x509
authentication... at least I thought I did. When I query the one.db
database, I see:
0|oneadmin|<USER><ID>0</ID><GID>0</GID><GNAME>oneadmin</GNAME><NAME>oneadmin</NAME><PASSWORD>Hash/Encrypted
Value Goes
Here</PASSWORD><AUTH_DRIVER>core</AUTH_DRIVER><ENABLED>1</ENABLED><TEMPLATE></TEMPLATE></USER>
If I have it setup for x509, why do I see "core" as my AUTH_DRIVER?
Also, what is in the password field? Is that the encrypted DN or
something else?
Thanks,
Anthony Tiradani
<a moz-do-not-send="true" href="mailto:tiradani@fnal.gov" target="_blank">tiradani@fnal.gov</a>
<a moz-do-not-send="true" href="tel:%2B1%20630%20840%204479" value="+16308404479" target="_blank">+1 630 840 4479</a>
On 12/16/2011 11:53 AM, Daniel Molina wrote:
</pre>
<blockquote type="cite">
<pre>Hi,
On 16 December 2011 05:01, Anthony Tiradani <a moz-do-not-send="true" href="mailto:tiradani@fnal.gov" target="_blank"><tiradani@fnal.gov></a> wrote:
</pre>
<blockquote type="cite">
<pre>I should also mention that this is an OpenNebula 3.1 installation (via the
rpm) on Scientific Linux 6.1. I have the DEBUG setting set to 3 which
according to the comments in oned.conf should be the most verbose.
</pre>
</blockquote>
<pre>The logs should show more information, something like:
Fri Dec 16 09:49:45 2011 [AuM][D]: Message received: AUTHENTICATE SUCCESS 1526 -
and in case of FAILURE it will contain information about it
</pre>
<blockquote type="cite">
<pre>In trying to debug, I used the authenticate script in
/var/lib/one/remotes/auth/x509 which imports and uses
/usr/lib/one/ruby/x509_auth.rb. If I take the token that is decrypted from
the file /var/lib/one/.one/one_x509 I can perform openssl operations on it
and verify it. If I run the values through the authenticate script, I find
that there is a problem parsing the CA chain. When it calculates the hash
value for the CA, it is dropping a leading 0 which makes the file path
invalid. Could this be the problem?
</pre>
</blockquote>
<pre>Would yo mind to try with a symlink and check if that fixes the problem?
Kind regards.
</pre>
<blockquote type="cite">
<pre>Thanks,
Anthony Tiradani
<a moz-do-not-send="true" href="mailto:tiradani@fnal.gov" target="_blank">tiradani@fnal.gov</a>
<a moz-do-not-send="true" href="tel:%2B1%20630%20840%204479" value="+16308404479" target="_blank">+1 630 840 4479</a>
On 12/15/11 5:07 PM, Anthony Tiradani wrote:
This is the only message I get in oned.log:
Thu Dec 15 17:05:47 2011 [ReM][E]: [HostPoolInfo] User couldn't be
authenticated, aborting call.
I am running onehost list when I see that error.
Anthony Tiradani
<a moz-do-not-send="true" href="mailto:tiradani@fnal.gov" target="_blank">tiradani@fnal.gov</a>
<a moz-do-not-send="true" href="tel:%2B1%20630%20840%204479" value="+16308404479" target="_blank">+1 630 840 4479</a>
On 12/15/2011 03:40 PM, Ruben S. Montero wrote:
Hi,
Could you send the messages in oned.log file? You should see there
messages from the driver describing the error...
Cheers
Ruben
On Thu, Dec 15, 2011 at 5:31 PM, Anthony Tiradani <a moz-do-not-send="true" href="mailto:tiradani@fnal.gov" target="_blank"><tiradani@fnal.gov></a> wrote:
Hi,
I am trying to setup OpenNebula with x509 authentication. I am using
sqlite as the DB back end for now. I am following the documentation
here: <a moz-do-not-send="true" href="http://opennebula.org/documentation:rel3.0:x509_auth" target="_blank">http://opennebula.org/documentation:rel3.0:x509_auth</a>
I've configured everything correctly as far as I can tell. I can
successfully use x509 to login, but after 24 hours (no matter what I set
the expire time to with the --time argument) I get error messages saying
that the user couldn't be authenticated.
I've tried re-running the "oneuser login ..." command to no avail. The
only thing that works is if I delete one.db and restart OpenNebula.
Then I can log in just fine, but all the configuration that I have done
is lost. What do I have to do to fix this?
Thanks,
--
Anthony Tiradani
<a moz-do-not-send="true" href="mailto:tiradani@fnal.gov" target="_blank">tiradani@fnal.gov</a>
<a moz-do-not-send="true" href="tel:%2B1%20630%20840%204479" value="+16308404479" target="_blank">+1 630 840 4479</a>
_______________________________________________
Users mailing list
<a moz-do-not-send="true" href="mailto:Users@lists.opennebula.org" target="_blank">Users@lists.opennebula.org</a>
<a moz-do-not-send="true" href="http://lists.opennebula.org/listinfo.cgi/users-opennebula.org" target="_blank">http://lists.opennebula.org/listinfo.cgi/users-opennebula.org</a>
_______________________________________________
Users mailing list
<a moz-do-not-send="true" href="mailto:Users@lists.opennebula.org" target="_blank">Users@lists.opennebula.org</a>
<a moz-do-not-send="true" href="http://lists.opennebula.org/listinfo.cgi/users-opennebula.org" target="_blank">http://lists.opennebula.org/listinfo.cgi/users-opennebula.org</a>
_______________________________________________
Users mailing list
<a moz-do-not-send="true" href="mailto:Users@lists.opennebula.org" target="_blank">Users@lists.opennebula.org</a>
<a moz-do-not-send="true" href="http://lists.opennebula.org/listinfo.cgi/users-opennebula.org" target="_blank">http://lists.opennebula.org/listinfo.cgi/users-opennebula.org</a>
</pre>
</blockquote>
</blockquote>
<pre><fieldset></fieldset>
_______________________________________________
Users mailing list
<a moz-do-not-send="true" href="mailto:Users@lists.opennebula.org" target="_blank">Users@lists.opennebula.org</a>
<a moz-do-not-send="true" href="http://lists.opennebula.org/listinfo.cgi/users-opennebula.org" target="_blank">http://lists.opennebula.org/listinfo.cgi/users-opennebula.org</a>
</pre>
</blockquote>
</div>
</div>
</div>
<br>
_______________________________________________<br>
Users mailing list<br>
<a moz-do-not-send="true"
href="mailto:Users@lists.opennebula.org">Users@lists.opennebula.org</a><br>
<a moz-do-not-send="true"
href="http://lists.opennebula.org/listinfo.cgi/users-opennebula.org"
target="_blank">http://lists.opennebula.org/listinfo.cgi/users-opennebula.org</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
Dr. Ruben Santiago Montero<br>
Associate Professor (Profesor Titular), Complutense University
of Madrid<br>
<br>
URL: <a moz-do-not-send="true"
href="http://dsa-research.org/doku.php?id=people:ruben"
target="_blank">http://dsa-research.org/doku.php?id=people:ruben</a><br>
Weblog: <a moz-do-not-send="true"
href="http://blog.dsa-research.org/?author=7" target="_blank">http://blog.dsa-research.org/?author=7</a><br>
</div>
<pre wrap="">
<fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@lists.opennebula.org">Users@lists.opennebula.org</a>
<a class="moz-txt-link-freetext" href="http://lists.opennebula.org/listinfo.cgi/users-opennebula.org">http://lists.opennebula.org/listinfo.cgi/users-opennebula.org</a>
</pre>
</blockquote>
</body>
</html>