The problem seems to be generated by a connection problem from the driver
to OpenNebula itself.
Can you change the file /var/lib/one/ruby/opennebula/ldap_auth.rb and,
around line 89, change the code:

    client = OpenNebula::Client.new
    group_pool = OpenNebula::GroupPool.new(client)
    group_pool.info

to

    client = OpenNebula::Client.new
    group_pool = OpenNebula::GroupPool.new(client)
    STDERR.puts group_pool.info.inspect

After that enable mapping_generate and send me the output of the error. You
can leave that code changed as it only adds more information to errors.
Thanks
On Thu Dec 11 2014 at 5:41:26 PM Peter Harris <[email protected]>
wrote:
> Thanks Javier
>
> Output from onegroup list -x
> ----------------------------------------------------------------------
> <GROUP_POOL>
> <GROUP>
> <ID>0</ID>
> <NAME>oneadmin</NAME>
> <TEMPLATE/>
> <USERS>
> <ID>0</ID>
> <ID>1</ID>
> </USERS>
> </GROUP>
> <QUOTAS>
> <ID>0</ID>
> <DATASTORE_QUOTA/>
> <NETWORK_QUOTA/>
> <VM_QUOTA/>
> <IMAGE_QUOTA/>
> </QUOTAS>
> <GROUP>
> <ID>1</ID>
> <NAME>users</NAME>
> <TEMPLATE/>
> <USERS>
> <ID>2</ID>
> </USERS>
> <RESOURCE_PROVIDER>
> <ZONE_ID>0</ZONE_ID>
> <CLUSTER_ID>10</CLUSTER_ID>
> </RESOURCE_PROVIDER>
> </GROUP>
> <QUOTAS>
> <ID>1</ID>
> <DATASTORE_QUOTA/>
> <NETWORK_QUOTA/>
> <VM_QUOTA/>
> <IMAGE_QUOTA/>
> </QUOTAS>
> <DEFAULT_GROUP_QUOTAS>
> <DATASTORE_QUOTA/>
> <NETWORK_QUOTA/>
> <VM_QUOTA/>
> <IMAGE_QUOTA/>
> </DEFAULT_GROUP_QUOTAS>
> </GROUP_POOL>
> ----------------------------------------------------------------------
>
> my /etc/one/auth/ldap_auth.conf
> ----------------------------------------------------------------------
>
>
> # Ldap authentication method
> :auth_method: :simple
>
> # Ldap server
> :host: ipa1.lab.mycompany.com
>
> :port: 389
>
> # Uncomment this line for tsl conections
> #:encryption: :simple_tls
>
> # base hierarchy where to search for users and groups
> :base: 'cn=users,cn=accounts,dc=lab,dc=mycompany,dc=com'
>
>
> # group the users need to belong to. If not set any user will do
> #:group: 'cn=cloud,ou=groups,dc=domain'
>
>
> # field that holds the user name, if not set 'cn' will be used
> :user_field: 'uid'
>
> # for Active Directory use this user_field instead
> #:user_field: 'sAMAccountName'
>
> # field name for group membership, by default it is 'member'
> #:group_field: 'member'
>
> # user field that that is in in the group group_field, if not set 'dn' will be used
> #:user_group_field: 'dn'
>
> # Generate mapping file from group template info
> #:mapping_generate: true
> :mapping_generate: false
>
> # Seconds a mapping file remain untouched until the next regeneration
> :mapping_timeout: 300
>
> # Name of the mapping file in OpenNebula var diretory
> :mapping_filename: server1.yaml
>
> # Key from the OpenNebula template to map to an AD group
> :mapping_key: GROUP_DN
>
> # Default group ID used for users in an AD group not mapped
> :mapping_default: 1
> ----------------------------------------------------------------------
>
> I can confirm that setting mapping_generate to false allows my user to get
> in, many thanks for that.
>
> I currently have vm groups configured in IPA, but happy enough to manage
> these groups in OpenNebula if the group mapping for FreeIPA is problematic.
>
> Thanks again
>
> Peter
>
> On 11 December 2014 at 09:12, Javier Fontan <[email protected]>
> wrote:
>>
>> There seems to be a problem getting the groups from OpenNebula. Can you
>> send us the output of:
>>
>> onegroup list -x
>>
>> To fix the problem you can disable mapping generation adding this line to
>> the server configuration:
>>
>> :mapping_generate: false
>>
>> Cheers
>>
>> On Mon Dec 08 2014 at 3:55:46 PM Mr Sensible <[email protected]>
>> wrote:
>>
>>> I am struggling a little bit with hooking my test OpenNebula in to my
>>> existing FreeIPA authentication domain.
>>>
>>> I am currently running OpenNebula 4.10.1 running on Centos 6.5, and I am
>>> trying to connect it to my existing FreeIPA 3.0.0 server.
>>>
>>> I currently have three services authenticating via ldap to the IPA
>>> server, so I "think" that bit is right.
>>>
>>> When I install opennebula for the first time, get everything setup, add
>>> the ldap authentication config, everything looks OK. I create a user in
>>> Sunstone, set the auth method to LDAP, and then successfully sign in to
>>> Sunstone. Happy face.
>>> I change the user to oneadmin group in Sunstone.
>>>
>>> The following day, I am no longer able to log in as that user, and no
>>> amount of deleting user and re-adding user seems to make any difference.
>>> I have also tried NOT creating the user via sunstone, and just logging
>>> in, same errors.
>>>
>>> Does anybody have any idea what I might be doing wrong, or even where I
>>> can look to figure what is not working? Config and log files below. Many
>>> thanks in advance.
>>>
>>> ------------------------------
>>> oned.conf
>>> ---------------------------
>>> AUTH_MAD = [
>>> executable = "one_auth_mad",
>>> authn = "ssh,x509,ldap,default,server_cipher,server_x509"
>>> ]
>>>
>>> ------------------------------
>>> ldap_auth.conf
>>> ----------------------------
>>> server 1:
>>> # Ldap authentication method
>>> :auth_method: :simple
>>>
>>> # Ldap server
>>> :host: ipa1.lab.company.com
>>> :port: 389
>>>
>>> # Uncomment this line for tsl conections
>>> #:encryption: :simple_tls
>>>
>>> # base hierarchy where to search for users and groups
>>> :base: 'cn=users,cn=accounts,dc=lab,dc=company,dc=com'
>>>
>>> # group the users need to belong to. If not set any user will do
>>> #:group: 'cn=users,cn=accounts'
>>>
>>> # field that holds the user name, if not set 'cn' will be used
>>> :user_field: 'uid'
>>>
>>> :order:
>>> - server 1
>>>
>>> ------------------------------
>>> oned.log
>>> ------------------------------
>>> Mon Dec 8 13:24:50 2014 [Z0][ReM][D]: Req:8640 UID:-1 GroupPoolInfo
>>> invoked
>>> Mon Dec 8 13:24:50 2014 [Z0][ReM][E]: Req:8640 UID:- GroupPoolInfo
>>> result FAILURE [GroupPoolInfo] User couldn't be authenticated, aborting
>>> call.
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1 Command
>>> execution fail: /var/lib/one/remotes/auth/ldap/authenticate peter.harris
>>> - ****
>>>
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][I]: Command execution fail:
>>> /var/lib/one/remotes/auth/ldap/authenticate peter.harris - ****
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1 Trying
>>> server server 1
>>>
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][I]: Trying server server 1
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1
>>> Exception raised authenticating to LDAP
>>>
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][I]: Exception raised authenticating
>>> to LDAP
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1
>>> #<NoMethodError: undefined method `children' for nil:NilClass>
>>>
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][I]: #<NoMethodError: undefined method
>>> `children' for nil:NilClass>
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1
>>> /usr/lib/one/ruby/opennebula/xml_element.rb:357:in `build_hash'
>>>
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][I]:
>>> /usr/lib/one/ruby/opennebula/xml_element.rb:357:in `build_hash'
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1
>>> /usr/lib/one/ruby/opennebula/xml_element.rb:341:in `to_hash'
>>>
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][I]:
>>> /usr/lib/one/ruby/opennebula/xml_element.rb:341:in `to_hash'
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1
>>> /usr/lib/one/ruby/opennebula/ldap_auth.rb:93:in `generate_mapping'
>>>
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][I]:
>>> /usr/lib/one/ruby/opennebula/ldap_auth.rb:93:in `generate_mapping'
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1
>>> /usr/lib/one/ruby/opennebula/ldap_auth.rb:69:in `initialize'
>>>
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][I]:
>>> /usr/lib/one/ruby/opennebula/ldap_auth.rb:69:in `initialize'
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1
>>> /var/lib/one/remotes/auth/ldap/authenticate:69:in `new'
>>>
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][I]:
>>> /var/lib/one/remotes/auth/ldap/authenticate:69:in `new'
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1
>>> /var/lib/one/remotes/auth/ldap/authenticate:69
>>>
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][I]:
>>> /var/lib/one/remotes/auth/ldap/authenticate:69
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1
>>> /var/lib/one/remotes/auth/ldap/authenticate:59:in `each'
>>>
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][I]:
>>> /var/lib/one/remotes/auth/ldap/authenticate:59:in `each'
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1
>>> /var/lib/one/remotes/auth/ldap/authenticate:59
>>>
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][I]:
>>> /var/lib/one/remotes/auth/ldap/authenticate:59
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1 Could
>>> not authenticate user peter.harris
>>>
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][I]: Could not authenticate user
>>> peter.harris
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1
>>> ExitCode: 255
>>>
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][I]: ExitCode: 255
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][D]: Message received: AUTHENTICATE
>>> FAILURE 1 -
>>>
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][E]: Auth Error:
>>> Mon Dec 8 13:24:50 2014 [Z0][ReM][D]: Req:6320 UID:-1 UserInfo invoked
>>> , -1
>>> Mon Dec 8 13:24:50 2014 [Z0][ReM][E]: Req:6320 UID:- UserInfo result
>>> FAILURE [UserInfo] User couldn't be authenticated, aborting call.
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> [email protected]
>>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>>
>>
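
Added example (not part of the original thread and not OpenNebula code): a small Ruby triage script for the oned.log excerpt quoted above. It lines up the failed GroupPoolInfo call with the auth driver's exception and picks out the first stack frame inside ldap_auth.rb. The sample log is constructed from the lines in this thread with the mail wrapping undone; the triage function and its report keys are assumptions of this example.

```ruby
# Added example: triage of auth-driver failures in oned.log (not OpenNebula code).
# SAMPLE_LOG is constructed from the log lines quoted in this thread, unwrapped.
SAMPLE_LOG = <<~'LOG'
  Mon Dec 8 13:24:50 2014 [Z0][ReM][D]: Req:8640 UID:-1 GroupPoolInfo invoked
  Mon Dec 8 13:24:50 2014 [Z0][ReM][E]: Req:8640 UID:- GroupPoolInfo result FAILURE [GroupPoolInfo] User couldn't be authenticated, aborting call.
  Mon Dec 8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1 Trying server server 1
  Mon Dec 8 13:24:50 2014 [Z0][AuM][I]: Trying server server 1
  Mon Dec 8 13:24:50 2014 [Z0][AuM][I]: Exception raised authenticating to LDAP
  Mon Dec 8 13:24:50 2014 [Z0][AuM][I]: #<NoMethodError: undefined method `children' for nil:NilClass>
  Mon Dec 8 13:24:50 2014 [Z0][AuM][I]: /usr/lib/one/ruby/opennebula/xml_element.rb:357:in `build_hash'
  Mon Dec 8 13:24:50 2014 [Z0][AuM][I]: /usr/lib/one/ruby/opennebula/xml_element.rb:341:in `to_hash'
  Mon Dec 8 13:24:50 2014 [Z0][AuM][I]: /usr/lib/one/ruby/opennebula/ldap_auth.rb:93:in `generate_mapping'
  Mon Dec 8 13:24:50 2014 [Z0][AuM][I]: /usr/lib/one/ruby/opennebula/ldap_auth.rb:69:in `initialize'
  Mon Dec 8 13:24:50 2014 [Z0][AuM][I]: Could not authenticate user peter.harris
  Mon Dec 8 13:24:50 2014 [Z0][AuM][I]: ExitCode: 255
LOG

# "<timestamp> [Z<zone>][<module>][<level>]: <message>"
LINE  = /\A(?<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) \[Z\d+\]\[(?<mod>\w+)\]\[(?<lvl>[DIWE])\]: ?(?<msg>.*)\z/
# Ruby backtrace frame: "/path/file.rb:93:in `method'" (the method part is optional)
FRAME = /\A(?<file>\/\S+?):(?<line>\d+)(?::in `(?<meth>[^']+)')?\z/

def triage(log)
  report = { failed_calls: [], exception: nil, frames: [], user: nil, exit_code: nil }
  log.each_line(chomp: true) do |raw|
    m = LINE.match(raw) or next
    msg = m[:msg].strip
    if m[:mod] == 'ReM' && m[:lvl] == 'E' && msg =~ /UID:(\S+) (\w+) result FAILURE/
      report[:failed_calls] << { uid: $1, call: $2 }
    elsif m[:mod] == 'AuM' && m[:lvl] == 'I' # [D] lines only echo the same text
      case msg
      when /\A#<(\w+(?:::\w+)*): (.*)>\z/
        report[:exception] = { class: $1, message: $2 }
      when FRAME
        report[:frames] << { file: $~[:file], line: $~[:line].to_i, meth: $~[:meth] }
      when /\ACould not authenticate user (\S+)/ then report[:user] = $1
      when /\AExitCode: (\d+)/ then report[:exit_code] = $1.to_i
      end
    end
  end
  # First frame inside the LDAP driver itself, skipping the library frames above it.
  report[:origin] = report[:frames].find { |f| f[:file].end_with?('ldap_auth.rb') }
  report
end

puts triage(SAMPLE_LOG).inspect if $PROGRAM_NAME == __FILE__
```

On the sample, the report shows the GroupPoolInfo request failing authentication alongside the NoMethodError raised from generate_mapping at ldap_auth.rb:93.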