
OLVM: Setting up OpenLDAP Fails During Authentication with Error "AUTHENTICATE_CREDENTIALS profile='<profile name>' result=CREDENTIALS_INVALID" (Doc ID 2695139.1)

Last updated on JULY 30, 2020

Applies to:

Linux OS - Version Oracle Linux 7.6 with Unbreakable Enterprise Kernel [4.14.35] and later
Linux x86-64

Symptoms

Setting up OpenLDAP authentication in OLVM with ovirt-engine-extension-aaa-ldap-setup fails at the login test with CREDENTIALS_INVALID even though the correct credentials are supplied:

[root@<hostname>]# ovirt-engine-extension-aaa-ldap-setup
[ INFO ] Stage: Initializing
[ INFO ] Stage: Environment setup
Configuration files:
['/etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf']
Log file:
/tmp/ovirt-engine-extension-aaa-ldap-setup-20190322130822-xxyeuc.log
Version: otopi-1.7.8 (otopi-1.7.8-1.el7)
[ INFO ] Stage: Environment packages setup
[ INFO ] Stage: Programs detection
[ INFO ] Stage: Environment customization
Welcome to LDAP extension configuration program
Available LDAP implementations:
1 - 389ds
2 - 389ds RFC-2307 Schema
3 - Active Directory
4 - IBM Security Directory Server
5 - IBM Security Directory Server RFC-2307 Schema
6 - IPA
7 - Novell eDirectory RFC-2307 Schema
8 - OpenLDAP RFC-2307 Schema
9 - OpenLDAP Standard Schema
10 - Oracle Unified Directory RFC-2307 Schema
11 - RFC-2307 Schema (Generic)
12 - RHDS
13 - RHDS RFC-2307 Schema
14 - iPlanet
Please select: 9
NOTE:
It is highly recommended to use DNS resolution for LDAP server.
If for some reason you intend to use hosts or plain address disable
DNS usage.
Use DNS (Yes, No) [Yes]:
Available policy method:
1 - Single server
2 - DNS domain LDAP SRV record
3 - Round-robin between multiple hosts
4 - Failover between multiple hosts
Please select: 1
Please enter host address:xxxx
[WARNING] Detected plain IP address 'xxxx', disabling DNS.
NOTE:
It is highly recommended to use secure protocol to access the LDAP
server.
Protocol startTLS is the standard recommended method to do so.
Only in cases in which the startTLS is not supported, fallback to
non standard ldaps protocol.
Use plain for test environments only.
Please select protocol to use (startTLS, ldaps, plain) [startTLS]:
plain
[ INFO ] Connecting to LDAP using 'ldap://<IP-address>:389'
[ INFO ] Connection succeeded
Enter search user DN (for example uid=username,dc=example,dc=com or
leave empty for anonymous): cn=ldapadm,dc=itzgeek,dc=local
Enter search user password:
[ INFO ] Attempting to bind using 'cn=ldapadm,dc=itzgeek,dc=local'
Please enter base DN (dc=itzgeek,dc=local) [dc=itzgeek,dc=local]:
Are you going to use Single Sign-On for Virtual Machines (Yes, No)
[Yes]:
NOTE:
Profile name has to match domain name, otherwise Single Sign-On for
Virtual Machines will not work.
Please specify profile name that will be visible to users
[<Profile name>]
[ INFO ] Stage: Setup validation
NOTE:
It is highly recommended to test drive the configuration before
applying it into engine.
Login sequence is executed automatically, but it is recommended to
also execute Search sequence manually after successful Login sequence.
Please provide credentials to test login flow:
Enter user name: admin
Enter user password:
[ INFO ] Executing login sequence...
Login output:
2019-03-22 13:09:13,234Z INFO
========================================================================
2019-03-22 13:09:13,657Z INFO ============================
Initialization ============================
2019-03-22 13:09:13,658Z INFO
========================================================================
2019-03-22 13:09:13,876Z INFO Loading extension
'xxxx-authn'
<@DATE>,155Z INFO Extension 'xxxx-authn'
loaded
<@DATE>,162Z INFO Loading extension 'xxxx'
<@DATE>,173Z INFO Extension 'xxxx' loaded
<@DATE>,173Z INFO Initializing extension
'xxxx-authn'
<@DATE>,174Z INFO
[ovirt-engine-extension-aaa-ldap.authn::xxxx-authn] Creating LDAP
pool 'authz'
<@DATE>,382Z INFO
[ovirt-engine-extension-aaa-ldap.authn::xxxx-authn] LDAP pool 'authz'
information: vendor='null' version='null'
<@DATE>,383Z INFO
[ovirt-engine-extension-aaa-ldap.authn::xxxx-authn] Creating LDAP
pool 'authn'
<@DATE>,393Z INFO
[ovirt-engine-extension-aaa-ldap.authn::xxxx-authn] LDAP pool 'authn'
information: vendor='null' version='null'
<@DATE>,394Z INFO Extension 'xxxx-authn'
initialized
<@DATE>,395Z INFO Initializing extension
'xxxx'
<@DATE>,396Z INFO
[ovirt-engine-extension-aaa-ldap.authz::xxxx] Creating LDAP pool
'authz'
<@DATE>,406Z INFO
[ovirt-engine-extension-aaa-ldap.authz::xxxx] LDAP pool 'authz'
information: vendor='null' version='null'
<@DATE>,407Z INFO
[ovirt-engine-extension-aaa-ldap.authz::xxxx] Available Namespaces:
[dc=itzgeek,dc=local]
<@DATE>,407Z INFO Extension 'xxxx'
initialized
<@DATE>,408Z INFO Start of enabled extensions list
<@DATE>,408Z INFO Instance name: 'xxxx',
Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.3.8',
Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.3.8-1.el7', License:
'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build
interface Version: '0', File:
'/tmp/tmpoArgRM/extensions.d/xxxx.properties', Initialized: 'true'
<@DATE>,408Z INFO Instance name:
'xxxx-authn', Extension name:
'ovirt-engine-extension-aaa-ldap.authn', Version: '1.3.8', Notes: 'Display
name: ovirt-engine-extension-aaa-ldap-1.3.8-1.el7', License: 'ASL 2.0', Home:
'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/tmp/tmpoArgRM/extensions.d/xxxx-authn.properties',
Initialized: 'true'
<@DATE>,409Z INFO End of enabled extensions list
<@DATE>,409Z INFO
========================================================================
<@DATE>,409Z INFO ==============================
Execution ===============================
<@DATE>,409Z INFO
========================================================================
<@DATE>,409Z INFO Iteration: 0
<@DATE>,410Z INFO Profile='xxxx'
authn='xxxx-authn' authz='xxxx' mapping='null'
<@DATE>,411Z INFO API:
-->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='xxxx'
user='admin'
<@DATE>,441Z INFO API:
<--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='xxxx'
result=CREDENTIALS_INVALID
<@DATE>,455Z SEVERE Authn.Result code is:
CREDENTIALS_INVALID
[ ERROR ] Login sequence failed
Please investigate details of the failure (search for lines
containing SEVERE log level).
Select test sequence to execute (Done, Abort, Login, Search)
[Abort]:
[ ERROR ] Failed to execute stage 'Setup validation': Aborted by user
[ INFO ] Stage: Clean up
Log file is available at
/tmp/ovirt-engine-extension-aaa-ldap-setup-<date>.log:
[ INFO ] Stage: Pre-termination
[ INFO ] Stage: Termination
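One way to check the directory's own verdict on the test user's bind, independent of the extension, as an added example that is not part of this article or of the oVirt project: it sends an LDAPv3 simple bind over plain ldap:// (the protocol chosen in the transcript above) and decodes the server's resultCode, where 49 (invalidCredentials) is the LDAP-level counterpart of the CREDENTIALS_INVALID result in the login output. Host, port and DN values are placeholders; the bind must use the test user's full DN, not the bare login name entered at "Enter user name".

```python
"""Minimal LDAPv3 simple-bind probe over plain ldap:// (RFC 4511, BER, stdlib only)."""
import socket

# LDAP resultCode values worth telling apart when a login test fails (RFC 4511 App. A).
RESULT_NAMES = {0: "success", 32: "noSuchObject", 34: "invalidDNSyntax",
                48: "inappropriateAuthentication", 49: "invalidCredentials", 53: "unwillingToPerform"}

def _tlv(tag, payload):
    """BER type-length-value with short or long-form length."""
    n = len(payload)
    if n < 128:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def bind_request(msg_id, dn, password):
    """LDAPMessage{messageID, BindRequest{version=3, name=dn, simple=password}}; msg_id < 128."""
    body = _tlv(0x02, bytes([3])) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, body))

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def parse_bind_response(buf):
    """Return (messageID, resultCode, diagnosticMessage) from an LDAP BindResponse."""
    tag, msg, _ = _read_tlv(buf, 0)
    _, mid, p = _read_tlv(msg, 0)
    rtag, resp, _ = _read_tlv(msg, p)
    if tag != 0x30 or rtag != 0x61:
        raise ValueError("not an LDAPMessage carrying a BindResponse")
    _, code, p = _read_tlv(resp, 0)        # resultCode ENUMERATED
    _, _matched, p = _read_tlv(resp, p)    # matchedDN (unused here)
    _, diag, _ = _read_tlv(resp, p)        # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode(errors="replace")

def probe_bind(host, port, dn, password, timeout=5):
    """Send one simple bind to host:port (placeholders) and return (resultCode, name, diagnosticMessage)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(bind_request(1, dn, password))
        data = s.recv(4096)
    _, code, diag = parse_bind_response(data)
    return code, RESULT_NAMES.get(code, "resultCode %d" % code), diag

# Constructed sample: the BindResponse an OpenLDAP server returns for a wrong password (code 49).
SAMPLE_INVALID_CREDENTIALS = bytes.fromhex("300c02010161070a013104000400")
```

Calling probe_bind('<IP-address>', 389, '<full DN of the test user>', password) tells you whether the directory itself rejects the password (49) or the user's DN does not exist (32), which the extension's single CREDENTIALS_INVALID line does not distinguish; a code 0 here with the login test still failing points at the profile's search configuration rather than the credentials.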

Cause
