Problems with Active Directory authentication via LDAPS

Hi all,
I'm trying to build a proof-of-concept architecture in my company for a cloud-enabled solution using OpenNebula/vOneCloud and VMware.
Everything is OK, but when I try Active Directory integration (it's a mandatory requirement in this POC), LDAP users don't get any access via Sunstone.
I’ve followed docs on http://docs.opennebula.org/4.12/administration/authentication/ldap.html. My configuration is:

/etc/one/auth/ldap_auth.conf:

---
:order:
- ldap-server
ldap-server:
  :mapping_generate: true
  :mapping_timeout: 300
  :mapping_filename: server1.yaml
  :mapping_key: GROUP_DN
  :mapping_default: 1
  :user: ldap@mydomain.local
  :password: ldapsecret
  :auth_method: simple
  :encryption: simple_tls
  :host: 10.10.10.4
  :port: 636
  :base: dc=mydomain,dc=local
  :group: CN=Users,DC=mydomain,DC=local
  :user_field: sAMAccountName

/etc/one/sunstone-server.conf

 :auth: opennebula

/etc/one/oned.conf:

AUTH_MAD = [
    executable = "one_auth_mad",

    authn = "default,ssh,x509,ldap,server_cipher,server_x509"

]

In Sunstone's log I have:

Wed Apr 29 11:35:36 2015 [E]: User ldapuser could not be authenticated
Wed Apr 29 11:35:36 2015 [E]: [UserInfo] User couldn't be authenticated, aborting call.
Wed Apr 29 11:35:36 2015 [I]: Unauthorized login attempt

On stdout, trying to authenticate directly via the OpenNebula Ruby code:

Trying server ldap-server
User ldapuser not found
Could not authenticate user ldapuser

I'm using OpenNebula 4.12.2 on CentOS 7, and the Active Directory LDAP service over LDAPS.
I also tried to authenticate via LDAPS on Active Directory using my own Ruby code, and everything works fine!

Is there someone with the same configuration or anyone with the same issue?

Regards

P

Hi Porgfa,

I'd check a couple of things. Firstly, you may need to specify the hostname of the LDAP server in the /etc/one/ldap_auth.conf file instead of the IP address (using the IP address might cause the certificate not to be valid when negotiating the SSL connection). (Personally I would also check that you can connect and negotiate an SSL connection with 'openssl s_client -connect' to verify the AD server is reachable and has a proper certificate installed.)

Also, the group DN you have set there (CN=Users,DC=mydomain,DC=local) is normally a container in Active Directory. The actual 'all users' group DN would be something like CN=Domain Users,CN=Users,DC=mydomain,DC=com.

Cheers

Hi Paul
I tried the settings you pointed me to, but nothing changed: I got the same errors. Of course the openssl connection works fine without warnings.

I'd like to know if there's something else I can try or change to debug this issue.

Regards,

P

Hi Porgfa,

Are there any useful error messages in oned.log?
This command should give you the messages from the auth manager

grep AuM /var/log/one/oned.log

Hi Paul, I always get the same kind of errors:

Mon May 11 11:51:39 2015 [Z0][AuM][D]: Message received: AUTHENTICATE SUCCESS 352 -
Mon May 11 11:51:50 2015 [Z0][AuM][D]: Message received: LOG I 353 Command execution fail: /var/lib/one/remotes/auth/ldap/authenticate testuser - ****
Mon May 11 11:51:50 2015 [Z0][AuM][I]: Command execution fail: /var/lib/one/remotes/auth/ldap/authenticate testuser - ****
Mon May 11 11:51:50 2015 [Z0][AuM][D]: Message received: LOG I 353 Trying server ldap-server.domain.local
Mon May 11 11:51:50 2015 [Z0][AuM][I]: Trying server ldap-server.domain.local
Mon May 11 11:51:50 2015 [Z0][AuM][D]: Message received: LOG I 353 User testuser not found
Mon May 11 11:51:50 2015 [Z0][AuM][I]: User testuser not found
Mon May 11 11:51:50 2015 [Z0][AuM][D]: Message received: LOG I 353 Could not authenticate user testuser
Mon May 11 11:51:50 2015 [Z0][AuM][I]: Could not authenticate user testuser
Mon May 11 11:51:50 2015 [Z0][AuM][D]: Message received: LOG I 353 ExitCode: 255
Mon May 11 11:51:50 2015 [Z0][AuM][I]: ExitCode: 255
Mon May 11 11:51:50 2015 [Z0][AuM][D]: Message received: AUTHENTICATE FAILURE 353 -
Mon May 11 11:51:50 2015 [Z0][AuM][E]: Auth Error:

Looking at our config in /etc/one/ldap_auth.conf, we have some settings that differ from yours, specifically:

:user: ldap # Note: the UPN is not used here, just the sAMAccountName. Change to whatever your actual LDAP search account is
:user_group_field: cn=ldapgroup,ou=Security Groups,dc=mydomain,dc=local # change this to whatever your actual group DN is
:group_field: 'member'

Remove the :group: setting.

Cheers

Try executing the command with debug flags, as the oneadmin user:

$ ruby -wd /var/lib/one/remotes/auth/ldap/authenticate testuser - <password>

Hi Javi, here the output:

Exception `LoadError' at /usr/share/rubygems/rubygems.rb:1096 - cannot load such file -- rubygems/defaults/ruby
Exception `LoadError' at /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55 - cannot load such file -- abrt
Exception `LoadError' at /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:141 - cannot load such file -- abrt
/var/lib/one/remotes/auth/ldap/authenticate:42: warning: assigned but unused variable - pass
Exception `NameError' at /usr/share/ruby/psych/core_ext.rb:16 - method `to_yaml' not defined in Object
Exception `NameError' at /usr/share/ruby/psych/core_ext.rb:29 - method `yaml_as' not defined in Module
Exception `NameError' at /usr/share/ruby/psych/deprecated.rb:80 - undefined method `to_yaml_properties' for class `Object'
/usr/lib/one/ruby/opennebula/xml_utils.rb:90: warning: `-' after local variable is interpreted as binary operator
/usr/lib/one/ruby/opennebula/xml_utils.rb:90: warning: even though it seems like unary operator
/usr/lib/one/ruby/opennebula/xml_pool.rb:25: warning: method redefined; discarding old initialize
/usr/lib/one/ruby/opennebula/xml_element.rb:406: warning: previous definition of initialize was here
/usr/lib/one/ruby/opennebula/xml_pool.rb:31: warning: method redefined; discarding old each_element
/usr/lib/one/ruby/opennebula/xml_element.rb:412: warning: previous definition of each_element was here
Exception `LoadError' at /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55 - cannot load such file -- nokogiri
Exception `LoadError' at /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55 - cannot load such file -- ox
Exception `LoadError' at /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55 - cannot load such file -- xmlparser
Exception `LoadError' at /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:141 - cannot load such file -- xmlparser
/usr/lib/one/ruby/opennebula/virtual_machine_pool.rb:296: warning: assigned but unused variable - acct_hash
/usr/lib/one/ruby/opennebula/host.rb:124: warning: ambiguous first argument; put parentheses or even spaces
/usr/lib/one/ruby/opennebula/vdc.rb:176: warning: method redefined; discarding old add_host
/usr/lib/one/ruby/opennebula/vdc.rb:164: warning: previous definition of add_host was here
/usr/lib/one/ruby/opennebula/vdc.rb:192: warning: method redefined; discarding old del_host
/usr/lib/one/ruby/opennebula/vdc.rb:186: warning: previous definition of del_host was here
Exception `LoadError' at /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55 - cannot load such file -- net/ldap
/usr/local/share/gems/gems/net-ldap-0.11/lib/net/ldap/password.rb:22: warning: assigned but unused variable - attribute_value
/usr/local/share/gems/gems/net-ldap-0.11/lib/net/ldap/instrumentation.rb:15: warning: shadowing outer local variable - payload
/usr/local/share/gems/gems/net-ldap-0.11/lib/net/ldap/connection.rb:366: warning: assigned but unused variable - sort_control
Trying server ldap-server.domain.local
Exception `Errno::EAGAIN' at /usr/share/ruby/net/protocol.rb:153 - Resource temporarily unavailable - read would block
Exception `Errno::EAGAIN' at /usr/share/ruby/net/protocol.rb:153 - Resource temporarily unavailable - read would block
Exception `TypeError' at /usr/local/share/gems/gems/net-ldap-0.11/lib/net/ldap/connection.rb:92 - no implicit conversion of Symbol into Integer
User testuser not found
Could not authenticate user testuser

Regards,

P

Are you sure you can reach the LDAP server from the frontend? Try this:

$ telnet ldap-server.domain.local 636

Maybe I got the connection data wrong. In that case change them to the values in the ldap auth configuration file.

Well Javi,
I think the Errno::EAGAIN exception refers to my authentication request during the (slow) OpenNebula service restart.

These are the correct logs:

Exception `LoadError' at /usr/share/rubygems/rubygems.rb:1096 - cannot load such file -- rubygems/defaults/ruby
Exception `LoadError' at /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55 - cannot load such file -- abrt
Exception `LoadError' at /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:141 - cannot load such file -- abrt
/var/lib/one/remotes/auth/ldap/authenticate:42: warning: assigned but unused variable - pass
Exception `NameError' at /usr/share/ruby/psych/core_ext.rb:16 - method `to_yaml' not defined in Object
Exception `NameError' at /usr/share/ruby/psych/core_ext.rb:29 - method `yaml_as' not defined in Module
Exception `NameError' at /usr/share/ruby/psych/deprecated.rb:80 - undefined method `to_yaml_properties' for class `Object'
/usr/lib/one/ruby/opennebula/xml_utils.rb:90: warning: `-' after local variable is interpreted as binary operator
/usr/lib/one/ruby/opennebula/xml_utils.rb:90: warning: even though it seems like unary operator
/usr/lib/one/ruby/opennebula/xml_pool.rb:25: warning: method redefined; discarding old initialize
/usr/lib/one/ruby/opennebula/xml_element.rb:406: warning: previous definition of initialize was here
/usr/lib/one/ruby/opennebula/xml_pool.rb:31: warning: method redefined; discarding old each_element
/usr/lib/one/ruby/opennebula/xml_element.rb:412: warning: previous definition of each_element was here
Exception `LoadError' at /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55 - cannot load such file -- nokogiri
Exception `LoadError' at /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55 - cannot load such file -- ox
Exception `LoadError' at /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55 - cannot load such file -- xmlparser
Exception `LoadError' at /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:141 - cannot load such file -- xmlparser
/usr/lib/one/ruby/opennebula/virtual_machine_pool.rb:296: warning: assigned but unused variable - acct_hash
/usr/lib/one/ruby/opennebula/host.rb:124: warning: ambiguous first argument; put parentheses or even spaces
/usr/lib/one/ruby/opennebula/vdc.rb:176: warning: method redefined; discarding old add_host
/usr/lib/one/ruby/opennebula/vdc.rb:164: warning: previous definition of add_host was here
/usr/lib/one/ruby/opennebula/vdc.rb:192: warning: method redefined; discarding old del_host
/usr/lib/one/ruby/opennebula/vdc.rb:186: warning: previous definition of del_host was here
Exception `LoadError' at /usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55 - cannot load such file -- net/ldap
/usr/local/share/gems/gems/net-ldap-0.11/lib/net/ldap/password.rb:22: warning: assigned but unused variable - attribute_value
/usr/local/share/gems/gems/net-ldap-0.11/lib/net/ldap/instrumentation.rb:15: warning: shadowing outer local variable - payload
/usr/local/share/gems/gems/net-ldap-0.11/lib/net/ldap/connection.rb:366: warning: assigned but unused variable - sort_control
Trying server ldap-server.domain.local
Exception `TypeError' at /usr/local/share/gems/gems/net-ldap-0.11/lib/net/ldap/connection.rb:92 - no implicit conversion of Symbol into Integer
User testuser not found
Could not authenticate user testuser

If I run openssl s_client -connect ldap-server.domain.local:636, the connection is OK.

Cheers,

P

I've been doing more tests and I can connect to the Active Directory using SSL with the configuration you've sent:

  :auth_method: simple
  :encryption: simple_tls
  :host: 10.10.10.4
  :port: 636
  :user_field: sAMAccountName

I also checked for other problems, like a closed port or missing SSL configuration, and I get other errors that I don't see in your logs. I believe the connection configuration is OK. For example:

  • Bad admin user/password:
Exception `OpenSSL::SSL::SSLError' at /home/jfontan/.gem/ruby/2.2.0/gems/net-ldap-0.8.0/lib/net/ldap.rb:1221 - SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A
  • :encryption not set:
Exception `Net::LDAP::LdapError' at /home/jfontan/.gem/ruby/2.2.0/gems/net-ldap-0.8.0/lib/net/ldap.rb:1360 - no bind result

I believe the problem is in the base DN, the group or the user_field. I'd start by commenting out the :group configuration and checking that the :base DN is correct. Another test you can do is using the full DN instead of the user name. The driver tries to find the user with both methods.

Hi Javi,
I solved my issue by making this substitution (note the colon):

:encryption: :simple_tls

instead of

:encryption: simple_tls

Thanks for support!

Regards

M

(Sorry for reviving an old thread, but since I found this thread looking for answers, probably more people will.)
I had similar problems securing LDAP in an environment with Windows AD servers, and with the info from this thread I got it working.
This way we use encryption for transport, and we use LDAPS (port 636) instead of LDAP (TCP port 389). Please note that we used ":simple" and not "simple".
The current /etc/one/auth/ldap_auth.conf contains:

# List of LDAP servers to query
server 1:
    :user: 'sa_read'
    :password: 'password'
    :auth_method: :simple
    :host: ad1.company.local
    :port: 636
    :base: 'dc=company,dc=local'
    :user_field: 'sAMAccountName'
    :encryption: :simple_tls

server 2:
    :user: 'sa_read'
    :password: 'password'
    :auth_method: :simple
    :host: ad2.company.local
    :port: 636
    :base: 'dc=company,dc=local'
    :user_field: 'sAMAccountName'
    :encryption: :simple_tls

# List the order the servers are queried
:order:
    - server 1
    - server 2

Thanks for the very useful debugging tips in this thread, hope this helps another user looking for answers.

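Added example, not code from this thread or from OpenNebula: a small Ruby script that shows the root cause the thread converged on and lint-checks an ldap_auth.conf for it. In YAML, simple_tls parses as the String "simple_tls" while :simple_tls parses as the Symbol :simple_tls. net-ldap's encryption option expects a Symbol (or a Hash with a :method key), and indexing a String with a Symbol is exactly what raises Ruby's "no implicit conversion of Symbol into Integer", the TypeError visible in the debug output above. The two config fragments are constructed from the ones posted in the thread (placeholder hosts and passwords); the checker's rules (Symbol-typed :encryption and :auth_method, port 636 without :encryption, an IP literal as :host when TLS is on, missing :base) are mine, drawn from the advice in the thread, and assume the key names the OpenNebula LDAP driver documents.

```ruby
#!/usr/bin/env ruby
# Added example (not OpenNebula's code): why `:encryption: simple_tls` fails
# while `:encryption: :simple_tls` works, plus a lint check for ldap_auth.conf.
require 'yaml'
require 'ipaddr'

# Constructed fragments modelled on the thread; hosts and passwords are placeholders.
BROKEN_CONF = <<~YAML
  ---
  :order:
  - ldap-server
  ldap-server:
    :user: ldap@mydomain.local
    :password: ldapsecret
    :auth_method: simple
    :encryption: simple_tls
    :host: 10.10.10.4
    :port: 636
    :base: dc=mydomain,dc=local
    :user_field: sAMAccountName
YAML

FIXED_CONF = <<~YAML
  ---
  :order:
  - server 1
  server 1:
    :user: 'sa_read'
    :password: 'password'
    :auth_method: :simple
    :host: ad1.company.local
    :port: 636
    :base: 'dc=company,dc=local'
    :user_field: 'sAMAccountName'
    :encryption: :simple_tls
YAML

VALID_ENCRYPTION = [:simple_tls, :start_tls].freeze

# Symbol must be permitted explicitly; the driver relies on symbol keys and values.
def load_conf(text)
  YAML.safe_load(text, permitted_classes: [Symbol])
end

# Reproduces the failure mode: a String passed where a Symbol or a Hash with
# :method is expected gets indexed with a Symbol, which String#[] rejects.
# Returns the TypeError message, or nil when the value can be indexed.
def index_with_symbol(value)
  value[:method]
  nil
rescue TypeError => e
  e.message
end

def ip_literal?(host)
  IPAddr.new(host.to_s)
  true
rescue IPAddr::InvalidAddressError
  false
end

# Returns a list of problem strings; an empty list means the file passes.
def check_ldap_auth_conf(conf)
  problems = []
  order = conf[:order]
  return ['missing :order list'] unless order.is_a?(Array) && !order.empty?

  order.each do |name|
    server = conf[name]
    unless server.is_a?(Hash)
      problems << "#{name}: listed in :order but not defined"
      next
    end
    enc = server[:encryption]
    if enc.is_a?(String)
      problems << "#{name}: :encryption must be a symbol (:#{enc}), got string \"#{enc}\""
    elsif !enc.nil? && !VALID_ENCRYPTION.include?(enc)
      problems << "#{name}: unknown :encryption #{enc.inspect}"
    end
    am = server[:auth_method]
    problems << "#{name}: :auth_method must be a symbol (:#{am})" if am.is_a?(String)
    if server[:port] == 636 && enc.nil?
      problems << "#{name}: port 636 without :encryption (LDAPS needs :simple_tls)"
    end
    if enc && ip_literal?(server[:host])
      problems << "#{name}: :host is an IP literal; certificate name checks expect the DNS name"
    end
    problems << "#{name}: missing :base" if server[:base].to_s.empty?
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  puts "String#[] with a Symbol: #{index_with_symbol('simple_tls').inspect}"
  puts "Hash form: #{index_with_symbol({ method: :simple_tls }).inspect}"
  { 'broken' => BROKEN_CONF, 'fixed' => FIXED_CONF }.each do |label, text|
    issues = check_ldap_auth_conf(load_conf(text))
    puts "#{label}: #{issues.empty? ? 'ok' : issues.join("\n  ")}"
  end
end
```

Run it as the oneadmin user on the frontend before restarting oned: on the broken fragment it reports the String-typed :encryption and :auth_method and the IP-literal host, and on the fixed fragment it reports nothing. The check deliberately does not open a connection, so it can run on a host with no route to the domain controllers; the openssl s_client and telnet checks from the thread remain the way to test reachability and the certificate.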