Authentication to LDAP/AD for Sunstone fails

I’ve deployed and set up the OpenNebula 5.4 virtual appliance in VMware for a test drive. I’ve followed the documentation to set up LDAP auth towards my Active Directory. I started out in the control panel GUI but that didn’t work, so I altered the config files on the appliance instead. These are the settings:

oned.conf

AUTH_MAD = [
    EXECUTABLE = "one_auth_mad",
    AUTHN = "ssh,x509,ldap,server_cipher,server_x509"
]

DEFAULT_AUTH = "ldap"

ldap_auth.conf
dchostname:
  :mapping_generate: true
  :mapping_timeout: 300
  :mapping_filename: server1.yaml
  :mapping_key: GROUP_DN
  :mapping_default: 1
  :user: 'AD user'
  :password: 'AD user pass'
  :auth_method: :simple
  :host: dchostname
  :port: 389
  :base: 'dc=domain,dc=com'
  :user_field: sAMAccountName
  :group: 'dn of a group'
  :rfc2307bis: true

:order:
  - dchostname

When I try to login to Sunstone web GUI the error I get is:
“OpenNebula is not running or there was a server exception. Please check the server logs.”

In the sunstone.log I see this:
Wed Aug 23 07:56:16 2017 [E]: User niclas.eriksson could not be authenticated
Wed Aug 23 07:56:16 2017 [E]: Net::ReadTimeout
Wed Aug 23 07:56:16 2017 [E]: undefined method `Exception' for #<CloudAuth:0x000000031abe88>
Wed Aug 23 07:56:16 2017 [I]: 10.122.95.7 - - [23/Aug/2017:07:56:16 +0200] "POST /login HTTP/1.1" 500 - 60.0919

In the oned.log I see this:
Message received: AUTHENTICATE SUCCESS 1831 ldap niclas.eriksson CN=Niclas%20Eriksson,OU=Users,OU=IC-Systems,DC=invidcloud,DC=com 1

If I run:
ruby -wd /var/lib/one/remotes/auth/ldap/authenticate niclas.eriksson - password

I get this:
Exception `LoadError' at /usr/share/rubygems/rubygems.rb:1096 - cannot load such file -- rubygems/defaults/ruby
Exception `LoadError' at /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55 - cannot load such file -- abrt
Exception `LoadError' at /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:141 - cannot load such file -- abrt
/var/lib/one/remotes/auth/ldap/authenticate:42: warning: assigned but unused variable - pass
Exception `NameError' at /usr/share/ruby/psych/core_ext.rb:16 - method `to_yaml' not defined in Object
Exception `NameError' at /usr/share/ruby/psych/core_ext.rb:29 - method `yaml_as' not defined in Module
Exception `NameError' at /usr/share/ruby/psych/deprecated.rb:80 - undefined method `to_yaml_properties' for class `Object'
/usr/lib/one/ruby/opennebula/xml_utils.rb:94: warning: `-' after local variable is interpreted as binary operator
/usr/lib/one/ruby/opennebula/xml_utils.rb:94: warning: even though it seems like unary operator
/usr/lib/one/ruby/opennebula/xml_pool.rb:25: warning: method redefined; discarding old initialize
/usr/lib/one/ruby/opennebula/xml_element.rb:429: warning: previous definition of initialize was here
/usr/lib/one/ruby/opennebula/xml_pool.rb:31: warning: method redefined; discarding old each_element
/usr/lib/one/ruby/opennebula/xml_element.rb:435: warning: previous definition of each_element was here
Exception `LoadError' at /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55 - cannot load such file -- nokogiri
Exception `LoadError' at /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55 - cannot load such file -- ox
Exception `LoadError' at /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55 - cannot load such file -- xmlparser
Exception `LoadError' at /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:141 - cannot load such file -- xmlparser
/usr/lib/one/ruby/opennebula/virtual_machine_pool.rb:297: warning: assigned but unused variable - acct_hash
/usr/lib/one/ruby/opennebula/host.rb:136: warning: ambiguous first argument; put parentheses or even spaces
/usr/lib/one/ruby/opennebula/vdc.rb:176: warning: method redefined; discarding old add_host
/usr/lib/one/ruby/opennebula/vdc.rb:164: warning: previous definition of add_host was here
/usr/lib/one/ruby/opennebula/vdc.rb:192: warning: method redefined; discarding old del_host
/usr/lib/one/ruby/opennebula/vdc.rb:186: warning: previous definition of del_host was here
Exception `LoadError' at /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55 - cannot load such file -- net/ldap
/usr/local/share/gems/gems/net-ldap-0.16.0/lib/net/ldap/password.rb:22: warning: assigned but unused variable - attribute_value
/usr/local/share/gems/gems/net-ldap-0.16.0/lib/net/ldap/instrumentation.rb:15: warning: shadowing outer local variable - payload
/usr/local/share/gems/gems/net-ldap-0.16.0/lib/net/ldap/connection.rb:303: warning: assigned but unused variable - sort_control
Trying server ic-dc02.invidcloud.com
Exception `Errno::EAGAIN' at /usr/share/ruby/net/protocol.rb:153 - Resource temporarily unavailable - read would block
Exception `Errno::EAGAIN' at /usr/share/ruby/net/protocol.rb:153 - Resource temporarily unavailable - read would block
Exception `Errno::EINPROGRESS' at /usr/share/ruby/socket.rb:54 - Operation now in progress - connect(2) would block
Exception `Errno::EINPROGRESS' at /usr/share/ruby/socket.rb:54 - Operation now in progress - connect(2) would block
Exception `Errno::EINPROGRESS' at /usr/share/ruby/socket.rb:54 - Operation now in progress - connect(2) would block
Exception `Errno::EINPROGRESS' at /usr/share/ruby/socket.rb:54 - Operation now in progress - connect(2) would block
ldap niclas.eriksson CN=Niclas%20Eriksson,OU=Users,OU=IC-Systems,DC=invidcloud,DC=com 1

Anyone who has some input on what I’m doing wrong?

LDAP auth seems to be working fine.

  • Do you see any other messages in oned.log? Maybe a user creation error.
  • Does the user niclas.eriksson exist in OpenNebula?
  • Do you have a proxy configured in that server?

Thanks for the input Javi.
The user gets added to OpenNebula automatically. No other error messages in oned.log that touch the user login/adding or similar, as far as I can see.
I haven’t set any proxy settings, but how can I check them?

I can’t see any proxy settings.

Anyone who has some input on this?

There’s also a timeout in the logs. Can you check how long it takes to contact the LDAP server?

$ time ruby -wd /var/lib/one/remotes/auth/ldap/authenticate niclas.eriksson - password

Result:
Trying server dchostname
Exception `Errno::EAGAIN' at /usr/share/ruby/net/protocol.rb:153 - Resource temporarily unavailable - read would block
Exception `Errno::EAGAIN' at /usr/share/ruby/net/protocol.rb:153 - Resource temporarily unavailable - read would block
Exception `Errno::EINPROGRESS' at /usr/share/ruby/socket.rb:54 - Operation now in progress - connect(2) would block
Exception `Errno::EINPROGRESS' at /usr/share/ruby/socket.rb:54 - Operation now in progress - connect(2) would block
Exception `Errno::EINPROGRESS' at /usr/share/ruby/socket.rb:54 - Operation now in progress - connect(2) would block
Exception `Errno::EINPROGRESS' at /usr/share/ruby/socket.rb:54 - Operation now in progress - connect(2) would block
ldap niclas.eriksson CN=Niclas%20Eriksson,OU=Users,OU=IC-Systems,DC=invidcloud,DC=com 1

real 0m51.661s
user 0m0.230s
sys 0m0.030s

The OpenNebula server and DCs are in the same subnet with no FW between. The DC/forest/domain is at 2016 level, if that has anything to do with it.
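The timing check above measures the whole authenticate run (51 seconds here, past the Net::ReadTimeout Sunstone reports). The Ruby below is an added diagnostic, not OpenNebula's code and not from this thread: it reads the :order: list from an ldap_auth.conf-style file and times a plain TCP connect to each configured host, so an unreachable or slow entry can be singled out before the LDAP driver is even involved. The sample config and its hosts are constructed, and the /etc/one/auth/ldap_auth.conf path in the usage line is an assumption.

```ruby
# Added diagnostic (not OpenNebula's own code): per-server connect timing for the
# hosts that ldap_auth.conf lists under :order:.
require 'yaml'
require 'socket'

# Constructed sample in the shape of the ldap_auth.conf from the thread (placeholder hosts).
SAMPLE_CONF = <<~YAML
  dc1:
    :auth_method: :simple
    :host: dc1.example.invalid
    :port: 389
    :base: 'dc=example,dc=invalid'
  dc2:
    :host: dc2.example.invalid
  :order:
    - dc1
    - dc2
YAML

# Returns [[section, host, port], ...] in the order the ldap driver would try them;
# :order: entries name the per-server sections, as in the thread's config.
def ldap_servers(conf_text)
  conf = YAML.safe_load(conf_text, permitted_classes: [Symbol])
  Array(conf[:order]).map do |name|
    section = conf.fetch(name) { raise KeyError, "no section #{name} for :order: entry" }
    [name, section.fetch(:host), Integer(section.fetch(:port, 389))]
  end
end

# Seconds to open a TCP connection to host:port, or nil when the host refuses,
# cannot be resolved or reached, or does not connect within timeout seconds.
def probe_tcp(host, port, timeout = 5)
  start = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  Socket.tcp(host, port, connect_timeout: timeout).close
  Process.clock_gettime(Process::CLOCK_MONOTONIC) - start
rescue SystemCallError, SocketError
  nil
end

# Probes every server in :order: and returns { section => seconds or nil }. A nil,
# or a value close to the timeout, marks the entry that drags the login past
# Sunstone's read timeout.
def probe_ldap_servers(conf_text, timeout: 5)
  ldap_servers(conf_text).to_h { |name, host, port| [name, probe_tcp(host, port, timeout)] }
end

# Usage: ruby ldap_probe.rb /etc/one/auth/ldap_auth.conf  (path assumed; adjust to yours)
if $PROGRAM_NAME == __FILE__ && ARGV[0]
  probe_ldap_servers(File.read(ARGV[0])).each do |name, secs|
    puts "#{name}: #{secs ? format('%.3fs', secs) : 'unreachable'}"
  end
end
```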

I’ve tested this on a fresh install and it seems to work better now, but towards another domain. Can it be a domain/forest level thing?

I’ve got it working now after a few tweaks. Followed this (old?) guide:

Now it works.