The problem seems to be generated by a connection problem from the driver to OpenNebula itself.
Can you change the file /var/lib/one/ruby/opennebula/ldap_auth.rb and around line 89 change the code:

    client = OpenNebula::Client.new
    group_pool = OpenNebula::GroupPool.new(client)
    group_pool.info

by

    client = OpenNebula::Client.new
    group_pool = OpenNebula::GroupPool.new(client)
    STDERR.puts group_pool.info.inspect

After that enable mapping_generate and send me the output of the error. You can leave that code changed as it only adds more information to errors.

Thanks

On Thu Dec 11 2014 at 5:41:26 PM Peter Harris <doilooksensi...@gmail.com> wrote:

> Thanks Javier
>
> Output from onegroup list -x
> ----------------------------------------------------------------------
> <GROUP_POOL>
>   <GROUP>
>     <ID>0</ID>
>     <NAME>oneadmin</NAME>
>     <TEMPLATE/>
>     <USERS>
>       <ID>0</ID>
>       <ID>1</ID>
>     </USERS>
>   </GROUP>
>   <QUOTAS>
>     <ID>0</ID>
>     <DATASTORE_QUOTA/>
>     <NETWORK_QUOTA/>
>     <VM_QUOTA/>
>     <IMAGE_QUOTA/>
>   </QUOTAS>
>   <GROUP>
>     <ID>1</ID>
>     <NAME>users</NAME>
>     <TEMPLATE/>
>     <USERS>
>       <ID>2</ID>
>     </USERS>
>     <RESOURCE_PROVIDER>
>       <ZONE_ID>0</ZONE_ID>
>       <CLUSTER_ID>10</CLUSTER_ID>
>     </RESOURCE_PROVIDER>
>   </GROUP>
>   <QUOTAS>
>     <ID>1</ID>
>     <DATASTORE_QUOTA/>
>     <NETWORK_QUOTA/>
>     <VM_QUOTA/>
>     <IMAGE_QUOTA/>
>   </QUOTAS>
>   <DEFAULT_GROUP_QUOTAS>
>     <DATASTORE_QUOTA/>
>     <NETWORK_QUOTA/>
>     <VM_QUOTA/>
>     <IMAGE_QUOTA/>
>   </DEFAULT_GROUP_QUOTAS>
> </GROUP_POOL>
> ----------------------------------------------------------------------
>
> my /etc/one/auth/ldap_auth.conf
> ----------------------------------------------------------------------
>
> # Ldap authentication method
> :auth_method: :simple
>
> # Ldap server
> :host: ipa1.lab.mycompany.com
>
> :port: 389
>
> # Uncomment this line for tsl conections
> #:encryption: :simple_tls
>
> # base hierarchy where to search for users and groups
> :base: 'cn=users,cn=accounts,dc=lab,dc=mycompany,dc=com'
>
> # group the users need to belong to. If not set any user will do
> #:group: 'cn=cloud,ou=groups,dc=domain'
>
> # field that holds the user name, if not set 'cn' will be used
> :user_field: 'uid'
>
> # for Active Directory use this user_field instead
> #:user_field: 'sAMAccountName'
>
> # field name for group membership, by default it is 'member'
> #:group_field: 'member'
>
> # user field that that is in in the group group_field, if not set 'dn' will be used
> #:user_group_field: 'dn'
>
> # Generate mapping file from group template info
> #:mapping_generate: true
> :mapping_generate: false
>
> # Seconds a mapping file remain untouched until the next regeneration
> :mapping_timeout: 300
>
> # Name of the mapping file in OpenNebula var diretory
> :mapping_filename: server1.yaml
>
> # Key from the OpenNebula template to map to an AD group
> :mapping_key: GROUP_DN
>
> # Default group ID used for users in an AD group not mapped
> :mapping_default: 1
> ----------------------------------------------------------------------
>
> I can confirm that setting mapping_generate to false allows my user to get
> in, many thanks for that.
>
> I currently have vm groups configured in IPA, but happy enough to manage
> these groups in OpenNebula if the group mapping for FreeIPA is problematic.
>
> Thanks again
>
> Peter
>
> On 11 December 2014 at 09:12, Javier Fontan <jfon...@opennebula.org>
> wrote:
>>
>> There seems to be a problem getting the groups from OpenNebula. Can you
>> send us the output of:
>>
>> onegroup list -x
>>
>> To fix the problem you can disable mapping generation adding this line to
>> the server configuration:
>>
>> :mapping_generate: false
>>
>> Cheers
>>
>> On Mon Dec 08 2014 at 3:55:46 PM Mr Sensible <doilooksensi...@gmail.com>
>> wrote:
>>
>>> I am struggling a little bit with hooking my test OpenNebula in to my
>>> existing FreeIPA authentication domain.
>>>
>>> I am currently running OpenNebula 4.10.1 running on Centos 6.5, and I am
>>> trying to connect it to my existing FreeIPA 3.0.0 server.
>>>
>>> I currently have three services authenticating via ldap to the IPA
>>> server, so I "think" that bit is right.
>>>
>>> When I install opennebula for the first time, get everything setup, add
>>> the ldap authentication config, everything looks OK. I create a user in
>>> Sunstone, set the auth method to LDAP, and then successfully sign in to
>>> Sunstone. Happy face.
>>> I change the user to oneadmin group in Sunstone.
>>>
>>> The following day, I am no longer able to log in as that user, and no
>>> amount of deleting user and re-adding user seems to make any difference.
>>> I have also tried NOT creating the user via sunstone, and just logging
>>> in, same errors.
>>>
>>> Does anybody have any idea what I might be doing wrong, or even where I
>>> can look to figure what is not working? Config and log files below. Many
>>> thanks in advance.
>>>
>>> ------------------------------
>>> oned.conf
>>> ---------------------------
>>> AUTH_MAD = [
>>>     executable = "one_auth_mad",
>>>     authn = "ssh,x509,ldap,default,server_cipher,server_x509"
>>> ]
>>>
>>> ------------------------------
>>> ldap_auth.conf
>>> ----------------------------
>>> server 1:
>>>     # Ldap authentication method
>>>     :auth_method: :simple
>>>
>>>     # Ldap server
>>>     :host: ipa1.lab.company.com
>>>     :port: 389
>>>
>>>     # Uncomment this line for tsl conections
>>>     #:encryption: :simple_tls
>>>
>>>     # base hierarchy where to search for users and groups
>>>     :base: 'cn=users,cn=accounts,dc=lab,dc=company,dc=com'
>>>
>>>     # group the users need to belong to. If not set any user will do
>>>     #:group: 'cn=users,cn=accounts'
>>>
>>>     # field that holds the user name, if not set 'cn' will be used
>>>     :user_field: 'uid'
>>>
>>> :order:
>>>     - server 1
>>>
>>> ------------------------------
>>> oned.log
>>> ------------------------------
>>> Mon Dec 8 13:24:50 2014 [Z0][ReM][D]: Req:8640 UID:-1 GroupPoolInfo invoked
>>> Mon Dec 8 13:24:50 2014 [Z0][ReM][E]: Req:8640 UID:- GroupPoolInfo result FAILURE [GroupPoolInfo] User couldn't be authenticated, aborting call.
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1 Command execution fail: /var/lib/one/remotes/auth/ldap/authenticate peter.harris - ****
>>>
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][I]: Command execution fail: /var/lib/one/remotes/auth/ldap/authenticate peter.harris - ****
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1 Trying server server 1
>>>
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][I]: Trying server server 1
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1 Exception raised authenticating to LDAP
>>>
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][I]: Exception raised authenticating to LDAP
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1 #<NoMethodError: undefined method `children' for nil:NilClass>
>>>
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][I]: #<NoMethodError: undefined method `children' for nil:NilClass>
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1 /usr/lib/one/ruby/opennebula/xml_element.rb:357:in `build_hash'
>>>
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][I]: /usr/lib/one/ruby/opennebula/xml_element.rb:357:in `build_hash'
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1 /usr/lib/one/ruby/opennebula/xml_element.rb:341:in `to_hash'
>>>
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][I]: /usr/lib/one/ruby/opennebula/xml_element.rb:341:in `to_hash'
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1 /usr/lib/one/ruby/opennebula/ldap_auth.rb:93:in `generate_mapping'
>>>
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][I]: /usr/lib/one/ruby/opennebula/ldap_auth.rb:93:in `generate_mapping'
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1 /usr/lib/one/ruby/opennebula/ldap_auth.rb:69:in `initialize'
>>>
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][I]: /usr/lib/one/ruby/opennebula/ldap_auth.rb:69:in `initialize'
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1 /var/lib/one/remotes/auth/ldap/authenticate:69:in `new'
>>>
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][I]: /var/lib/one/remotes/auth/ldap/authenticate:69:in `new'
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1 /var/lib/one/remotes/auth/ldap/authenticate:69
>>>
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][I]: /var/lib/one/remotes/auth/ldap/authenticate:69
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1 /var/lib/one/remotes/auth/ldap/authenticate:59:in `each'
>>>
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][I]: /var/lib/one/remotes/auth/ldap/authenticate:59:in `each'
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1 /var/lib/one/remotes/auth/ldap/authenticate:59
>>>
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][I]: /var/lib/one/remotes/auth/ldap/authenticate:59
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1 Could not authenticate user peter.harris
>>>
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][I]: Could not authenticate user peter.harris
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1 ExitCode: 255
>>>
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][I]: ExitCode: 255
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][D]: Message received: AUTHENTICATE FAILURE 1 -
>>>
>>> Mon Dec 8 13:24:50 2014 [Z0][AuM][E]: Auth Error:
>>> Mon Dec 8 13:24:50 2014 [Z0][ReM][D]: Req:6320 UID:-1 UserInfo invoked , -1
>>> Mon Dec 8 13:24:50 2014 [Z0][ReM][E]: Req:6320 UID:- UserInfo result FAILURE [UserInfo] User couldn't be authenticated, aborting call.
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users@lists.opennebula.org
>>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>>
>>
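An added example, not part of the original thread and not OpenNebula code: a Ruby helper that groups the [AuM] lines of oned.log, in the format quoted above, into one record per failed login and picks the first backtrace frame that lies inside the LDAP driver. The sample log is constructed from the thread's excerpt; the names auth_failures and driver_frame are hypothetical.

```ruby
# Added example: group oned.log [AuM] lines into one record per failed login.
# SAMPLE_LOG is constructed from the excerpt quoted in this thread, with the
# mail client's line wrapping undone and most backtrace frames left out.
SAMPLE_LOG = <<~'LOG'
  Mon Dec 8 13:24:50 2014 [Z0][AuM][D]: Message received: LOG I 1 Command execution fail: /var/lib/one/remotes/auth/ldap/authenticate peter.harris - ****
  Mon Dec 8 13:24:50 2014 [Z0][AuM][I]: Command execution fail: /var/lib/one/remotes/auth/ldap/authenticate peter.harris - ****
  Mon Dec 8 13:24:50 2014 [Z0][AuM][I]: Trying server server 1
  Mon Dec 8 13:24:50 2014 [Z0][AuM][I]: Exception raised authenticating to LDAP
  Mon Dec 8 13:24:50 2014 [Z0][AuM][I]: #<NoMethodError: undefined method `children' for nil:NilClass>
  Mon Dec 8 13:24:50 2014 [Z0][AuM][I]: /usr/lib/one/ruby/opennebula/xml_element.rb:357:in `build_hash'
  Mon Dec 8 13:24:50 2014 [Z0][AuM][I]: /usr/lib/one/ruby/opennebula/ldap_auth.rb:93:in `generate_mapping'
  Mon Dec 8 13:24:50 2014 [Z0][AuM][I]: /var/lib/one/remotes/auth/ldap/authenticate:69
  Mon Dec 8 13:24:50 2014 [Z0][AuM][I]: ExitCode: 255
LOG

AUM   = /\A(?<ts>\w{3} \w{3}\s+\d+ [\d:]+ \d{4}) \[Z\d+\]\[AuM\]\[(?<lvl>[DIE])\]: (?<msg>.*)\z/
FRAME = %r{\A(?<file>/\S+?):(?<line>\d+)(?::in `(?<meth>[^']+)')?\z}

def auth_failures(log)
  failures = []
  cur = nil
  log.each_line(chomp: true) do |raw|
    m = AUM.match(raw)
    next if m.nil? || m[:lvl] == 'D' # [D] lines only echo the driver's message
    case m[:msg]
    when /\ACommand execution fail: (\S+) (\S+)/
      cur = { time: m[:ts], driver: $1, user: $2, servers: [],
              exception: nil, frames: [], exit_code: nil }
      failures << cur
    when /\ATrying server (.+)\z/ then cur[:servers] << $1 if cur
    when /\A#<([\w:]+): (.*)>\z/  then cur[:exception] = "#{$1}: #{$2}" if cur
    when /\AExitCode: (\d+)/      then cur[:exit_code] = $1.to_i if cur
    when FRAME
      cur[:frames] << { file: $~[:file], line: $~[:line].to_i, meth: $~[:meth] } if cur
    end
  end
  failures
end

# First backtrace frame inside the LDAP driver itself (ldap_auth.rb or
# remotes/auth/ldap): it names the driver step that failed.
def driver_frame(failure)
  failure[:frames].find { |f| f[:file] =~ %r{/ldap_auth\.rb\z|/remotes/auth/ldap/} }
end

auth_failures(SAMPLE_LOG).each do |f|
  at = driver_frame(f)
  puts "#{f[:time]} user=#{f[:user]} exit=#{f[:exit_code]} #{f[:exception]}"
  puts "  failed in #{at[:meth] || 'top level'} (#{at[:file]}:#{at[:line]})" if at
end
```

For the sample it reports generate_mapping at ldap_auth.rb:93, the mapping-generation step that the thread works around with mapping_generate set to false.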