Error LDAP user not found

Community Support
1

Hello everybody,

We have installed a new OpenNebula infraestructure at the moment with one host Hypervisor machine, (64GB RAM, 400 GB HD, 48 cores) and the SunSotone machine.

We have configure /etc/one/auth/ldap_auth.conf as the documentation says.
After that we execute the following command line in the sunstone console:

oneuser login “ldap_user”

and we receive the message after introduce user password:

Password:
[one.user.login] User couldn’t be authenticated, aborting call.

frontend: debian 9.3
hypervisor: debian 9.3

Steps to reproduce:
oneuser login "ldap_user"
Password:

Current results:
[one.user.login] User couldn’t be authenticated, aborting call.

Expected results:
Correct login:

ldap_auth.conf:
server 1:
# Ldap user able to query, if not set connects as anonymous. For
# Active Directory append the domain name. Example:
# Administrator@my.domain.com
:user: 'user_to_make_ldap_queries"
:password: ‘password_user_to_,make_ldap_queries’

# Ldap authentication method
:auth_method: :simple

# Ldap server
:host: our_ldap_server_name 
:port: 389 

# Uncomment this line for tsl conections
# :encryption: :simple_tls

# base hierarchy where to search for users and groups
:base: 'our_base_tree_for_users'

# group the users need to belong to. If not set any user will do
#:group: 'cn=cloud,ou=groups,dc=domain'

# field that holds the user name, if not set 'cn' will be used
:user_field: 'uid'

# for Active Directory use this user_field instead
#:user_field: 'sAMAccountName'

# field name for group membership, by default it is 'member'
# :group_field: 'dn'

# user field that that is in in the group group_field, if not set 'dn' will be used
# :user_group_field: 'uid'

# Generate mapping file from group template info
:mapping_generate: false

# Seconds a mapping file remain untouched until the next regeneration
:mapping_timeout: 300

# Name of the mapping file in OpenNebula var diretory
:mapping_filename: server1.yaml

# Key from the OpenNebula template to map to an AD group
:mapping_key: GROUP_DN

# Default group ID used for users in an AD group not mapped
:mapping_default: 1

# use RFC2307bis for groups
# if false, depending on your LDAP server configuration,
# set user_field and user_group_field 'uid' and group_field 'memberUid'
:rfc2307bis: true

this example server wont be called as it is not in the :order list

server 2:
:auth_method: :simple
:host: localhost
:port: 389
:base: ‘dc=domain’
#:group: ‘cn=cloud,ou=groups,dc=domain’
:user_field: ‘cn’

List the order the servers are queried

:order:
- server 1
#- server 2

oned.log after oneuser command:

Wed Jan 17 16:28:59 2018 [Z0][AuM][D]: Message received: LOG I 793 Command execution fail: /var/lib/one/remotes/auth/ldap/authenticate 1104562 - ****

Wed Jan 17 16:28:59 2018 [Z0][AuM][I]: Command execution fail: /var/lib/one/remotes/auth/ldap/authenticate 1104562 - ****
Wed Jan 17 16:28:59 2018 [Z0][AuM][D]: Message received: LOG I 793 hola que ase

Wed Jan 17 16:28:59 2018 [Z0][AuM][I]: hola que ase
Wed Jan 17 16:28:59 2018 [Z0][AuM][D]: Message received: LOG I 793 Trying server server 1

Wed Jan 17 16:28:59 2018 [Z0][AuM][I]: Trying server server 1
Wed Jan 17 16:28:59 2018 [Z0][AuM][D]: Message received: LOG I 793 Server conf= {:user=>“user_to_query_ldap”, :password=>“password_user_to_query_ldap”, :auth_method=>:simple, :host=>“our_ldap_server_name”, :port=>389, :base=>“our_base_tree”, :user_field=>“uid”, :mapping_generate=>false, :mapping_timeout=>300, :mapping_filename=>“server1.yaml”, :mapping_key=>“GROUP_DN”, :mapping_default=>1, :rfc2307bis=>true}

Wed Jan 17 16:28:59 2018 [Z0][AuM][I]: Server conf= {:user=>“user_to_query_ldap”, :password=>“password_user_to_query_ldap”, :auth_method=>:simple, :host=>“our_ldap_server_name”, :port=>389, :base=>“our_base_tree”, :user_field=>“uid”, :mapping_generate=>false, :mapping_timeout=>300, :mapping_filename=>“server1.yaml”, :mapping_key=>“GROUP_DN”, :mapping_default=>1, :rfc2307bis=>true}

Wed Jan 17 16:28:59 2018 [Z0][AuM][D]: Message received: LOG I 793 Usuari a cercar= 1104562

Wed Jan 17 16:28:59 2018 [Z0][AuM][I]: Usuari a cercar= 1104562
Wed Jan 17 16:28:59 2018 [Z0][AuM][D]: Message received: LOG I 793 user_name =

Wed Jan 17 16:28:59 2018 [Z0][AuM][I]: user_name =
Wed Jan 17 16:28:59 2018 [Z0][AuM][D]: Message received: LOG I 793 user_group_name =

Wed Jan 17 16:28:59 2018 [Z0][AuM][I]: user_group_name =
Wed Jan 17 16:28:59 2018 [Z0][AuM][D]: Message received: LOG I 793 User 1104562 not found

Wed Jan 17 16:28:59 2018 [Z0][AuM][I]: User 1104562 not found
Wed Jan 17 16:28:59 2018 [Z0][AuM][D]: Message received: LOG I 793 Could not authenticate user 1104562

Wed Jan 17 16:28:59 2018 [Z0][AuM][I]: Could not authenticate user 1104562
Wed Jan 17 16:28:59 2018 [Z0][AuM][D]: Message received: LOG I 793 ExitCode: 255

Wed Jan 17 16:28:59 2018 [Z0][AuM][I]: ExitCode: 255
Wed Jan 17 16:28:59 2018 [Z0][AuM][D]: Message received: AUTHENTICATE FAILURE 793 -

Wed Jan 17 16:28:59 2018 [Z0][AuM][E]: Auth Error:
Wed Jan 17 16:28:59 2018 [Z0][ReM][D]: Req:9728 UID:-1 one.user.login invoked , “1104562”, ****, 36000, -1
Wed Jan 17 16:28:59 2018 [Z0][ReM][E]: Req:9728 UID:- one.user.login result FAILURE [one.user.login] User couldn’t be authenticated, aborting call.
Wed Jan 17 16:29:10 2018 [Z0][InM][D]: Host on-host1 (3) successfully monitored.

Many thanks in advanced.

2

Hi,

Can you run the following command as oneadmin and let us know the output?

/var/lib/one/remotes/auth/ldap/authenticate 1104562 - ****

3

Hello again,

As many time ago I open this thread I put here some information because I continue with the problem.
OpenNebula version: 5.10.1
/etc/one/auth/ldap_auth.conf:

server 1:
# Ldap user able to query, if not set connects as anonymous. For
# Active Directory append the domain name. Example:
# Administrator@my.domain.com
:user: my_user
:password: my_password

# Ldap authentication method
:auth_method: :simple

# Ldap server
:host: localhost
:port: 389

# Connection and authentication timeout
#:timeout: 15

# Uncomment this line for tls connections, use :simple_tls or :start_tls
#:encryption: :simple_tls

# base hierarchy where to search for users and groups
:base: 'ou=users,o=es'

# group the users need to belong to. If not set any user will do
#:group: 'n=cloud,ou=groups,dc=domain'

# field that holds the user name, if not set 'cn' will be used
:user_field: 'uid'

# for Active Directory use this user_field instead
#:user_field: 'sAMAccountName'

# field name for group membership, by default it is 'member'
#:group_field: 'member'

# user field that is in the group group_field, if not set 'dn' will be used
#:user_group_field: 'dn'

# Generate mapping file from group template info
:mapping_generate: true

# Seconds a mapping file remain untouched until the next regeneration
:mapping_timeout: 300

# Name of the mapping file in OpenNebula var diretory
:mapping_filename: server1.yaml

# Key from the OpenNebula template to map to an AD group
:mapping_key: GROUP_DN

# Default group ID used for users in an AD group not mapped
:mapping_default: 1

# use RFC2307bis for groups
# if false, depending on your LDAP server configuration,
# set user_field and user_group_field 'uid' and group_field 'memberUid'
:rfc2307bis: true

this example server wont be called as it is not in the :order list

server 2:
:auth_method: :simple
:host: localhost
:port: 389
:base: ‘dc=domain’
#:group: ‘cn=cloud,ou=groups,dc=domain’
:user_field: ‘cn’

:order:
- server 1
#- server 2

/var/log/one/oned.conf:

Wed Feb 3 15:07:18 2021 [Z0][AuM][I]: Command execution failed (exit code: 255): /var/lib/one/remotes/auth/ldap/authenticate
Wed Feb 3 15:07:18 2021 [Z0][AuM][D]: Message received: LOG I 0 Trying LDAP server server 1

Wed Feb 3 15:07:18 2021 [Z0][AuM][I]: Trying LDAP server server 1
Wed Feb 3 15:07:18 2021 [Z0][AuM][D]: Message received: LOG I 0 User 1104562 not found

Wed Feb 3 15:07:18 2021 [Z0][AuM][I]: User 1104562 not found
Wed Feb 3 15:07:18 2021 [Z0][AuM][D]: Message received: LOG I 0 Could not authenticate user 1104562

Wed Feb 3 15:07:18 2021 [Z0][AuM][I]: Could not authenticate user 1104562
Wed Feb 3 15:07:18 2021 [Z0][AuM][D]: Message received: AUTHENTICATE FAILURE 0 -

Wed Feb 3 15:07:18 2021 [Z0][AuM][E]: Auth Error:
Wed Feb 3 15:07:18 2021 [Z0][ReM][D]: Req:8672 UID:-1 IP:127.0.0.1 one.user.info invoked , -1, false
Wed Feb 3 15:07:18 2021 [Z0][ReM][E]: Req:8672 UID:- one.user.info result FAILURE [one.user.info] User couldn’t be authenticated, aborting call.
Wed Feb 3 15:07:19 2021 [Z0][AuM][D]: Message received: LOG I 1 Command execution failed (exit code: 255): /var/lib/one/remotes/auth/ldap/authenticate

Wed Feb 3 15:07:19 2021 [Z0][AuM][I]: Command execution failed (exit code: 255): /var/lib/one/remotes/auth/ldap/authenticate
Wed Feb 3 15:07:19 2021 [Z0][AuM][D]: Message received: LOG I 1 Trying LDAP server server 1

Wed Feb 3 15:07:19 2021 [Z0][AuM][I]: Trying LDAP server server 1
Wed Feb 3 15:07:19 2021 [Z0][AuM][D]: Message received: LOG I 1 User 1104562 not found

Wed Feb 3 15:07:19 2021 [Z0][AuM][I]: User 1104562 not found
Wed Feb 3 15:07:19 2021 [Z0][AuM][D]: Message received: LOG I 1 Could not authenticate user 1104562

Wed Feb 3 15:07:19 2021 [Z0][AuM][I]: Could not authenticate user 1104562
Wed Feb 3 15:07:19 2021 [Z0][AuM][D]: Message received: AUTHENTICATE FAILURE 1 -

Wed Feb 3 15:07:19 2021 [Z0][AuM][E]: Auth Error:
Wed Feb 3 15:07:19 2021 [Z0][ReM][D]: Req:6976 UID:-1 IP:127.0.0.1 one.user.info invoked , -1, false
Wed Feb 3 15:07:19 2021 [Z0][ReM][E]: Req:6976 UID:- one.user.info result FAILURE [one.user.info] User couldn’t be authenticated, aborting call.

And if I try the command:

/var/lib/one/remotes/auth/ldap/authenticate 1104562 - my_password

nothing happens and the cursor stays in the next line until I send a CTRL+C combination, and then apperars:

^CTraceback (most recent call last):
1: from remotes/auth/ldap/authenticate:53:in <main>' remotes/auth/ldap/authenticate:53:in read’: Interrupt

Could you tell me how can I proceed or check?

Many thanks in advanced.

4

To see what’s happening you need to pass the user + password to the script using STDIN. Something like:

/var/lib/one/remotes/auth/ldap/authenticate <<EOF
> <AUTHN>
>   <USERNAME>1104562</USERNAME>
>   <PASSWORD></PASSWORD>
>   <SECRET>*password* </SECRET>
> </AUTHN>
> EOF
5

Many thanks Jan,

I have done this command execution and I receive this result:

remotes/auth/ldap/authenticate -v << EOF

1104561

my_password

EOF
Trying LDAP server server 1
User 1104561 not found
Could not authenticate user 1104561

But I do a ldapsearch, it works:

ldapsearch -x -b ou=users,o=… -D cn=searchUser,ou=… -W -h localhost -LLL ‘(uid=1104561)’
Enter LDAP Password:
dn: uid=1104561,ou=…
objectClass: top
objectClass: sjPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: sambaSamAccount
uid: 1104561
uidNumber: 177947
gidNumber: 513

I don’t know what could be the problem. Any other suggestion to test or to do will be very helpful.

Many thanks in advanced.

6

Hi

From Jan:

1104562

From you:

User 1104561 not found

Are you sure it’s not just a typo?

7

Hello,

I don’t know what you want to say with a typo, but if you meaning an error, it is not an error. All users from our organization are numbers.

Many thanks.

8

Yes it is a typo error, but it doesn’t change the result.

9

Hello everybody,

We have finally been able to authenticate users. It was a problem with the ldap_auth.conf. We have configured a :group: and :group_field:, and also we have configured the same grup in :mapping_key: and :mapping_default: 1.

And after put this configuration the ldap authentication is successfull.

Many thank for the support.

1 Like
10

I am having this same issue (I think). Can you clarify what exactly you set as “group”, “group_field”, and “mapping_key”? Is it a generic LDAP variable name, or a specific group name?

Thanks

11

Hello Nathan,

We have to configure in group a group with the user in our LDAP and in group_field we specified the field in our LDAP which has group name. And :mapping_key has the same value that :group.

I hope this help you.

Many thanks.