<div dir="ltr"><div><div><div><div><div>Hello Alon,<br><br></div>I have deleted the legacy domain with engine-manage-domain, and I have changed the configuration to an absolute file name, as you can see:<br><br>
<span class="im">/etc/ovirt-engine/extensions.d/siee-local-authn.properties:</span><br><br>
<a href="http://ovirt.engine.extension.name">ovirt.engine.extension.name</a> = siee-local-authn<br>
ovirt.engine.extension.bindings.method = jbossmodule<br>
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap<br>
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension<br>
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn<br>
<a href="http://ovirt.engine.aaa.authn.profile.name">ovirt.engine.aaa.authn.profile.name</a> = siee<br>
ovirt.engine.aaa.authn.authz.plugin = siee-local-authz<br>
config.profile.file.1 = /etc/ovirt-engine/extensions.d/aaa/siee.properties<br><br>
<span class="im">/etc/ovirt-engine/extensions.d/siee-local-authz.properties:</span><br><br>
<a href="http://ovirt.engine.extension.name">ovirt.engine.extension.name</a> = siee-local-authz<br>
ovirt.engine.extension.bindings.method = jbossmodule<br>
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap<br>
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension<br>
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz<br>
config.profile.file.1 = /etc/ovirt-engine/extensions.d/aaa/siee.properties<br><br>
</div>I had configured a relative file name because the example /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/extensions.d/domain1-authz.properties has a relative file name.<br><br>
</div>I have done the same: delete engine.log, restart ovirt-engine and try to log in, and the same error is shown, "<span>General command validation failure."<br><br></span></div><span>I attach the engine.log file.<br><br></span></div><span>Thanks,<br><br>Juanjo.<br></span><div><div><div><div><br></div></div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Dec 5, 2014 at 9:52 AM, Alon Bar-Lev <span dir="ltr"><<a href="mailto:alonbl@redhat.com" target="_blank">alonbl@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
Hi!<br>
<br>
You have the following errors:<br>
<br>
2014-12-05 09:32:31,778 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-5) Loading extension 'siee-local-authn'<br>
2014-12-05 09:32:31,819 ERROR [org.ovirt.engine.core.utils.extensionsmgr.EngineExtensionsManager] (MSC service thread 1-5) Could not load extension based on configuration file '/etc/ovirt-engine/extensions.d/siee-local-authn.properties'. Please check the configuration file is valid. Exception message is: Error loading extension 'siee-local-authn': /aaa/siee.properties (No such file or directory)<br>
2014-12-05 09:32:31,823 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-5) Loading extension 'siee-local-authz'<br>
2014-12-05 09:32:31,824 ERROR [org.ovirt.engine.core.utils.extensionsmgr.EngineExtensionsManager] (MSC service thread 1-5) Could not load extension based on configuration file '/etc/ovirt-engine/extensions.d/siee-local-authz.properties'. Please check the configuration file is valid. Exception message is: Error loading extension 'siee-local-authz': /aaa/siee.properties (No such file or directory)<br>
<br>
Per my last message, you should provide absolute file names if you use 3.5.0.<br>
Please see inline comments below.<br>
<br>
Also, you are trying to authenticate with the legacy provider:<br>
<br>
2014-12-05 09:33:04,871 ERROR [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher] (ajp--127.0.0.1-8702-5) Failed ldap search server ldap://adserver.siee.local:389 using user juanjo@SIEE.LOCAL due to Authentication Failed. Please verify the username and password.. We should not try the next server<br>
<br>
Can you please use engine-manage-domains to remove the legacy (old) domain, so we reduce confusion?<br>
<br>
Thanks!<br>
<span class=""><br>
----- Original Message -----<br>
> From: "Juan Jose" <<a href="mailto:jj197005@gmail.com">jj197005@gmail.com</a>><br>
> To: "Alon Bar-Lev" <<a href="mailto:alonbl@redhat.com">alonbl@redhat.com</a>><br>
> Cc: "Ondra Machacek" <<a href="mailto:omachace@redhat.com">omachace@redhat.com</a>>, "Yair Zaslavsky" <<a href="mailto:yzaslavs@redhat.com">yzaslavs@redhat.com</a>>, <a href="mailto:users@ovirt.org">users@ovirt.org</a><br>
</span><span class="">> Sent: Friday, December 5, 2014 10:43:01 AM<br>
> Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue<br>
><br>
</span><span class="">> Hello Alon,<br>
><br>
> I have done what you have said. My new configuration files are:<br>
><br>
> /etc/ovirt-engine/extensions.d/siee-local-authn.properties:<br>
><br>
> <a href="http://ovirt.engine.extension.name" target="_blank">ovirt.engine.extension.name</a> = siee-local-authn<br>
> ovirt.engine.extension.bindings.method = jbossmodule<br>
> ovirt.engine.extension.binding.jbossmodule.module =<br>
> org.ovirt.engine-extensions.aaa.ldap<br>
> ovirt.engine.extension.binding.jbossmodule.class =<br>
> org.ovirt.engineextensions.aaa.ldap.AuthnExtension<br>
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn<br>
> <a href="http://ovirt.engine.aaa.authn.profile.name" target="_blank">ovirt.engine.aaa.authn.profile.name</a> = siee<br>
> ovirt.engine.aaa.authn.authz.plugin = siee-local-authz<br>
> config.profile.file.1 = aaa/siee.properties<br>
<br>
</span>should be: /etc/ovirt-engine/extensions.d/aaa/siee.properties in 3.5.0 or can be ../aaa/siee.properties in 3.5.1.<br>
<span class=""><br>
><br>
> /etc/ovirt-engine/extensions.d/siee-local-authz.properties:<br>
><br>
> <a href="http://ovirt.engine.extension.name" target="_blank">ovirt.engine.extension.name</a> = siee-local-authz<br>
> ovirt.engine.extension.bindings.method = jbossmodule<br>
> ovirt.engine.extension.binding.jbossmodule.module =<br>
> org.ovirt.engine-extensions.aaa.ldap<br>
> ovirt.engine.extension.binding.jbossmodule.class =<br>
> org.ovirt.engineextensions.aaa.ldap.AuthzExtension<br>
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz<br>
> config.profile.file.1 = aaa/siee.properties<br>
<br>
</span>should be: /etc/ovirt-engine/extensions.d/aaa/siee.properties in 3.5.0 or can be ../aaa/siee.properties in 3.5.1.<br>
<div class="HOEnZb"><div class="h5"><br>
<br>
><br>
> /etc/ovirt-engine/extensions.d/aaa/siee.properties:<br>
><br>
> include = <ad.properties><br>
><br>
> #<br>
> # Active directory domain name.<br>
> #<br>
> vars.domain = siee.local<br>
><br>
> #<br>
> # Search user and its password.<br>
> #<br>
> vars.user = searcher@${global:vars.domain}<br>
> vars.password = xxxxxxx<br>
><br>
> #<br>
> # Optional DNS servers, if enterprise<br>
> # DNS server cannot resolve the domain srvrecord.<br>
> #<br>
> #vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}<br>
><br>
> pool.default.serverset.type = srvrecord<br>
> pool.default.serverset.srvrecord.domain = ${global:vars.domain}<br>
> pool.default.auth.simple.bindDN = ${global:vars.user}<br>
> pool.default.auth.simple.password = ${global:vars.password}<br>
><br>
> # Uncomment if using custom DNS<br>
> #pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url<br>
> = ${global:vars.dns}<br>
> #pool.default.socketfactory.resolver.uRL = ${global:vars.dns}<br>
><br>
> # Create keystore, import certificate chain and uncomment<br>
> # if using ssl/tls.<br>
> #pool.default.ssl.startTLS = true<br>
> #pool.default.ssl.truststore.file =<br>
> ${local:_basedir}/${global:vars.domain}.jks<br>
> #pool.default.ssl.truststore.password = changeit<br>
><br>
> After reconfiguring my files with ovirt-engine stopped, I have started<br>
> ovirt-engine and I have tried to log in. The error persists,<br>
> "General command validation failure." and after that I have stopped<br>
> ovirt-engine again. I attach my engine.log file.<br>
><br>
> Many thanks again,<br>
><br>
> Juanjo.<br>
><br>
><br>
> On Tue, Dec 2, 2014 at 3:46 PM, Alon Bar-Lev <<a href="mailto:alonbl@redhat.com">alonbl@redhat.com</a>> wrote:<br>
><br>
> ><br>
> ><br>
> > ----- Original Message -----<br>
> > > From: "Juan Jose" <<a href="mailto:jj197005@gmail.com">jj197005@gmail.com</a>><br>
> > > To: "Alon Bar-Lev" <<a href="mailto:alonbl@redhat.com">alonbl@redhat.com</a>><br>
> > > Cc: "Ondra Machacek" <<a href="mailto:omachace@redhat.com">omachace@redhat.com</a>>, "Yair Zaslavsky" <<br>
> > <a href="mailto:yzaslavs@redhat.com">yzaslavs@redhat.com</a>>, <a href="mailto:users@ovirt.org">users@ovirt.org</a><br>
> > > Sent: Tuesday, December 2, 2014 3:48:54 PM<br>
> > > Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue<br>
> > ><br>
> > > Hello Alon and everybody,<br>
> > ><br>
> > > I have installed package ovirt-engine-extension-aaa-ldap and configured my<br>
> > > files as the documentation says. The files are:<br>
> > ><br>
> > > /etc/ovirt-engine/extensions.d/siee.local-authn.properties:<br>
> > ><br>
> > > <a href="http://ovirt.engine.extension.name" target="_blank">ovirt.engine.extension.name</a> = siee.local-authn<br>
> > > ovirt.engine.extension.bindings.method = jbossmodule<br>
> > > ovirt.engine.extension.binding.jbossmodule.module =<br>
> > > org.ovirt.engine-extensions.aaa.ldap<br>
> > > ovirt.engine.extension.binding.jbossmodule.class =<br>
> > > org.ovirt.engineextensions.aaa.ldap.AuthnExtension<br>
> > > ovirt.engine.extension.provides =<br>
> > org.ovirt.engine.api.extensions.aaa.Authn<br>
> > > <a href="http://ovirt.engine.aaa.authn.profile.name" target="_blank">ovirt.engine.aaa.authn.profile.name</a> = siee.local<br>
> > > ovirt.engine.aaa.authn.authz.plugin = siee.local-authz<br>
> > > config.profile.file.1 = aaa/siee.local.properties<br>
> ><br>
> > please use an absolute file name for 3.5.0; relative will be available in 3.5.1<br>
> ><br>
> > ><br>
> > > /etc/ovirt-engine/extensions.d/siee.local-authz.properties:<br>
> > ><br>
> > > <a href="http://ovirt.engine.extension.name" target="_blank">ovirt.engine.extension.name</a> = siee.local-authz<br>
> > > ovirt.engine.extension.bindings.method = jbossmodule<br>
> > > ovirt.engine.extension.binding.jbossmodule.module =<br>
> > > org.ovirt.engine-extensions.aaa.ldap<br>
> > > ovirt.engine.extension.binding.jbossmodule.class =<br>
> > > org.ovirt.engineextensions.aaa.ldap.AuthzExtension<br>
> > > ovirt.engine.extension.provides =<br>
> > org.ovirt.engine.api.extensions.aaa.Authz<br>
> > > config.profile.file.1 = aaa/siee.local.properties<br>
> ><br>
> > please use an absolute file name for 3.5.0; relative will be available in 3.5.1<br>
> ><br>
> ><br>
> > ><br>
> > > /etc/ovirt-engine/extensions.d/aaa/siee.local.properties:<br>
> > ><br>
> > > include = <ad.properties><br>
> > ><br>
> > > #<br>
> > > # Active directory domain name.<br>
> > > #<br>
> > > vars.domain = siee.local<br>
> > ><br>
> > > #<br>
> > > # Search user and its password.<br>
> > > #<br>
> > > vars.user = juanjo@${global:vars.domain}<br>
> > > vars.password = xxxxxxxx<br>
> ><br>
> > this should be a dedicated user for search, not your private user.<br>
> ><br>
> > ><br>
> > > #<br>
> > > # Optional DNS servers, if enterprise<br>
> > > # DNS server cannot resolve the domain srvrecord.<br>
> > > #<br>
> > > #vars.dns = dns://dc1.${global:vars.domain}<br>
> > dns://dc2.${global:vars.domain}<br>
> > ><br>
> > > pool.default.serverset.type = srvrecord<br>
> > > pool.default.serverset.srvrecord.domain = ${global:vars.domain}<br>
> > > pool.default.auth.simple.bindDN = ${global:vars.user}<br>
> > > pool.default.auth.simple.password = ${global:vars.password}<br>
> > ><br>
> > > # Uncomment if using custom DNS<br>
> > ><br>
> > #pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url<br>
> > > = ${global:vars.dns}<br>
> > > #pool.default.socketfactory.resolver.uRL = ${global:vars.dns}<br>
> > ><br>
> > > # Create keystore, import certificate chain and uncomment<br>
> > > # if using ssl/tls.<br>
> > > #pool.default.ssl.startTLS = true<br>
> > > #pool.default.ssl.truststore.file =<br>
> > > ${local:_basedir}/${global:vars.domain}.jks<br>
> > > #pool.default.ssl.truststore.password = changeit<br>
> > ><br>
> > > And after this configuration I restart ovirt-engine service. When I try<br>
> > to<br>
> > > login in administrator portal I can see the error "The user name or<br>
> > > password is incorrect.". In /var/log/ovirt-engine/engine.log I have the<br>
> > > errors:<br>
> > ><br>
> > > 2014-12-02 14:02:21,983 ERROR<br>
> > > [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]<br>
> > > (ajp--127.0.0.1-8702-8) Correlation ID: null, Call Stack: null, Custom<br>
> > > Event ID: -1, Message: User juanjo cannot login, please verify the<br>
> > username<br>
> > > and password.<br>
> > > 2014-12-02 14:02:21,991 ERROR<br>
> > > [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]<br>
> > > (ajp--127.0.0.1-8702-8) Correlation ID: null, Call Stack: null, Custom<br>
> > > Event ID: -1, Message: User juanjo failed to log in.<br>
> > ><br>
> > > I'm using correct user and password because I can login in a Windows<br>
> > client<br>
> > > machine which is inside siee.local domain with this user and its correct<br>
> > > password.<br>
> > ><br>
> > > What do you think it could be the problem?<br>
> > ><br>
> > > If you need more information or I have to configure any other parameters,<br>
> > > please tell me.<br>
> ><br>
> > please attach full engine.log, more correctly, stop engine, remove<br>
> > engine.log, start engine, try to log in and send log.<br>
> > please make sure you select the "siee.local" domain in dropdown of login<br>
> > screen.<br>
> ><br>
> > when I get the engine.log I will be able to understand how to progress.<br>
> ><br>
> > thanks!<br>
> ><br>
> ><br>
> > ><br>
> > > Many thanks in advance,<br>
> > ><br>
> > > Juanjo.<br>
> > ><br>
> > ><br>
> > ><br>
> > > On Wed, Nov 26, 2014 at 3:19 PM, Alon Bar-Lev <<a href="mailto:alonbl@redhat.com">alonbl@redhat.com</a>> wrote:<br>
> > ><br>
> > > ><br>
> > > ><br>
> > > > ----- Original Message -----<br>
> > > > > From: "Juan Jose" <<a href="mailto:jj197005@gmail.com">jj197005@gmail.com</a>><br>
> > > > > To: "Alon Bar-Lev" <<a href="mailto:alonbl@redhat.com">alonbl@redhat.com</a>><br>
> > > > > Cc: "Ondra Machacek" <<a href="mailto:omachace@redhat.com">omachace@redhat.com</a>>, "Yair Zaslavsky" <<br>
> > > > <a href="mailto:yzaslavs@redhat.com">yzaslavs@redhat.com</a>>, <a href="mailto:users@ovirt.org">users@ovirt.org</a><br>
> > > > > Sent: Wednesday, November 26, 2014 3:04:14 PM<br>
> > > > > Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue<br>
> > > > ><br>
> > > > > Hello Alon and everybody,<br>
> > > > ><br>
> > > > > Check in my ovirt-engine machine for ovirt-engine-aaa-ldap package<br>
> > and it<br>
> > > > > is not available:<br>
> > > > ><br>
> > > > > yum list "ovirt-engine*"<br>
> > > > > Loaded plugins: fastestmirror, refresh-packagekit, security,<br>
> > versionlock<br>
> > > > > Loading mirror speeds from cached hostfile<br>
> > > > > * base: <a href="http://ftp.udl.es" target="_blank">ftp.udl.es</a><br>
> > > > > * epel: <a href="http://mirror.uv.es" target="_blank">mirror.uv.es</a><br>
> > > > > * extras: <a href="http://ftp.udl.es" target="_blank">ftp.udl.es</a><br>
> > > > > * ovirt-3.5: <a href="http://ftp.nluug.nl" target="_blank">ftp.nluug.nl</a><br>
> > > > > * ovirt-3.5-epel: <a href="http://mirror.uv.es" target="_blank">mirror.uv.es</a><br>
> > > > > * ovirt-3.5-jpackage-6.0-generic: <a href="http://mirror.ibcp.fr" target="_blank">mirror.ibcp.fr</a><br>
> > > > > * ovirt-epel: <a href="http://mirror.uv.es" target="_blank">mirror.uv.es</a><br>
> > > > > * ovirt-jpackage-6.0-generic: <a href="http://mirror.ibcp.fr" target="_blank">mirror.ibcp.fr</a><br>
> > > > > * updates: <a href="http://ftp.udl.es" target="_blank">ftp.udl.es</a><br>
> > > > > Installed Packages<br>
> > > > > ovirt-engine.noarch<br>
> > > > > 3.5.0.1-1.el6 @ovirt-3.5<br>
> > > > > ovirt-engine-backend.noarch<br>
> > > > > 3.5.0.1-1.el6 @ovirt-3.5<br>
> > > > > ovirt-engine-cli.noarch<br>
> > > > > 3.3.0.6-1.el6 @ovirt-3.3.3<br>
> > > > > ovirt-engine-dbscripts.noarch<br>
> > > > > 3.5.0.1-1.el6 @ovirt-3.5<br>
> > > > > ovirt-engine-extensions-api-impl.noarch<br>
> > > > > 3.5.0.1-1.el6 @ovirt-3.5<br>
> > > > > ovirt-engine-jboss-as.x86_64<br>
> > > > > 7.1.1-1.el6 @ovirt-3.5<br>
> > > > > ovirt-engine-lib.noarch<br>
> > > > > 3.5.0.1-1.el6 @ovirt-3.5<br>
> > > > > ovirt-engine-restapi.noarch<br>
> > > > > 3.5.0.1-1.el6 @ovirt-3.5<br>
> > > > > ovirt-engine-sdk-python.noarch<br>
> > > > > 3.5.0.8-1.el6 @ovirt-3.5<br>
> > > > > ovirt-engine-setup.noarch<br>
> > > > > 3.5.0.1-1.el6 @ovirt-3.5<br>
> > > > > ovirt-engine-setup-base.noarch<br>
> > > > > 3.5.0.1-1.el6 @ovirt-3.5<br>
> > > > > ovirt-engine-setup-plugin-ovirt-engine.noarch<br>
> > > > > 3.5.0.1-1.el6 @ovirt-3.5<br>
> > > > > ovirt-engine-setup-plugin-ovirt-engine-common.noarch<br>
> > > > > 3.5.0.1-1.el6 @ovirt-3.5<br>
> > > > > ovirt-engine-setup-plugin-websocket-proxy.noarch<br>
> > > > > 3.5.0.1-1.el6 @ovirt-3.5<br>
> > > > > ovirt-engine-tools.noarch<br>
> > > > > 3.5.0.1-1.el6 @ovirt-3.5<br>
> > > > > ovirt-engine-userportal.noarch<br>
> > > > > 3.5.0.1-1.el6 @ovirt-3.5<br>
> > > > > ovirt-engine-webadmin-portal.noarch<br>
> > > > > 3.5.0.1-1.el6 @ovirt-3.5<br>
> > > > > ovirt-engine-websocket-proxy.noarch<br>
> > > > > 3.5.0.1-1.el6 @ovirt-3.5<br>
> > > > > Available Packages<br>
> > > > > ovirt-engine-cli.noarch<br>
> > > > > 3.5.0.5-1.el6 ovirt-3.5<br>
> > > > > ovirt-engine-dwh.noarch<br>
> > > > > 3.5.0-1.el6 ovirt-3.5<br>
> > > > > ovirt-engine-dwh-setup.noarch<br>
> > > > > 3.5.0-1.el6 ovirt-3.5<br>
> > > > > ovirt-engine-extensions-api-impl-javadoc.noarch<br>
> > > > > 3.5.0.1-1.el6 ovirt-3.5<br>
> > > > > ovirt-engine-reports.noarch<br>
> > > > > 3.5.1-0.1.el6 ovirt-3.5<br>
> > > > > ovirt-engine-reports-setup.noarch<br>
> > > > > 3.5.1-0.1.el6 ovirt-3.5<br>
> > > > > ovirt-engine-sdk-java.noarch<br>
> > > > > 3.5.0.5-1.el6 ovirt-3.5<br>
> > > > > ovirt-engine-sdk-java-javadoc.noarch<br>
> > > > > 3.5.0.5-1.el6 ovirt-3.5<br>
> > > > > ovirt-engine-setup-plugin-allinone.noarch<br>
> > > > ><br>
> > > > > How can I get this package?<br>
> > > ><br>
> > > ><br>
> > > > Thanks for trying!<br>
> > > ><br>
> > > > Package is available at ovirt-3.5-snapshot[1].<br>
> > > ><br>
> > > > [1] <a href="http://resources.ovirt.org/pub/ovirt-3.5-snapshot/" target="_blank">http://resources.ovirt.org/pub/ovirt-3.5-snapshot/</a><br>
> > > ><br>
> > ><br>
> ><br>
><br>
</div></div></blockquote></div><br></div>
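The check behind the first engine.log errors quoted in this thread (a relative `config.profile.file.N` value that 3.5.0 looks up as `/aaa/siee.properties`), as an added example that is not part of the thread and not oVirt code. The function names `parse_properties`, `lint_extensions` and `build_sample` are hypothetical, the sample tree is constructed, and the lint also checks that an authn extension's `ovirt.engine.aaa.authn.authz.plugin` names an extension that is actually defined.

```python
import os
import tempfile

def parse_properties(text):
    """Minimal 'key = value' parser; skips blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def lint_extensions(ext_dir):
    """Return (file, problem) pairs, in file-name order, for ext_dir/*.properties."""
    parsed = {}
    for name in sorted(os.listdir(ext_dir)):
        path = os.path.join(ext_dir, name)
        if name.endswith(".properties") and os.path.isfile(path):
            with open(path, encoding="utf-8") as fh:
                parsed[name] = parse_properties(fh.read())
    names = {p.get("ovirt.engine.extension.name") for p in parsed.values()}
    problems = []
    for fname, props in parsed.items():
        for key, value in props.items():
            if not key.startswith("config.profile.file."):
                continue
            if not os.path.isabs(value):  # what 3.5.0 cannot resolve, per the thread
                problems.append((fname, f"{key} is relative: {value}"))
            elif not os.path.isfile(value):
                problems.append((fname, f"{key} not found: {value}"))
        authz = props.get("ovirt.engine.aaa.authn.authz.plugin")
        if authz is not None and authz not in names:
            problems.append((fname, f"authz plugin '{authz}' is not defined"))
    return problems

def build_sample(root, profile_value):
    """Constructed sample tree (not real data) mirroring the thread's authn/authz pair."""
    os.makedirs(os.path.join(root, "aaa"))
    with open(os.path.join(root, "aaa", "siee.properties"), "w") as fh:
        fh.write("vars.domain = siee.local\n")
    for kind in ("authn", "authz"):
        lines = [f"ovirt.engine.extension.name = siee-local-{kind}",
                 f"config.profile.file.1 = {profile_value}"]
        if kind == "authn":
            lines.append("ovirt.engine.aaa.authn.authz.plugin = siee-local-authz")
        with open(os.path.join(root, f"siee-local-{kind}.properties"), "w") as fh:
            fh.write("\n".join(lines) + "\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample(os.path.join(tmp, "extensions.d"), "aaa/siee.properties")
        print(*lint_extensions(root), sep="\n")
```

On an engine host, `lint_extensions("/etc/ovirt-engine/extensions.d")` runs the same checks against the real files before the engine is restarted.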