<div dir="ltr">Provided the "user role" permissions still same issue <br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Sep 23, 2015 at 12:48 PM, Ondra Machacek <span dir="ltr"><<a href="mailto:omachace@redhat.com" target="_blank">omachace@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
Hi,<br>
<br>
your user <a href="mailto:nbudoor@abc.net" target="_blank">nbudoor@abc.net</a> doesn't have appropriate permissions to
login.<br>
First you need to login as 'admin@internal' and assign him some
permissions, then you will be able to login.<span class="HOEnZb"><font color="#888888"><br>
<br>
Ondra</font></span><div><div class="h5"><br>
<br>
<div>On 09/23/2015 09:15 AM, Budur Nagaraju
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>HI All,<br>
<br>
</div>
After rectifying this able to search the domain in the
users in UI,<br>
</div>
but unable to login getting the below error ,<br>
<br>
<br>
2015-09-23 12:41:47,482 WARN
[org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
(ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser
failed for user <a href="mailto:nbudoor@abc.net" target="_blank">nbudoor@abc.net</a>.
Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION<br>
<br>
</div>
Thanks,<br>
</div>
Nagaraju<br>
<br>
<div>
<div><br>
<div>
<div><br>
<br>
</div>
</div>
</div>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Sep 23, 2015 at 12:13 PM, Ondra
Machacek <span dir="ltr"><<a href="mailto:omachace@redhat.com" target="_blank">omachace@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Hi,<br>
<br>
as Alon already said, you have trailing space in your
configuration<br>
<br>
'<a href="http://my.abc.net" target="_blank">my.abc.net</a> ' <-- space at the end<br>
<br>
Please remove this space and try again.<br>
<br>
Ondra
<div>
<div><br>
<br>
<div>On 09/23/2015 05:35 AM, Budur Nagaraju wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">
<div>
<div>
<div>
<div>HI Alon,<br>
<br>
</div>
Tried all the options but no luck ,<br>
<br>
</div>
I have copied the logs in the pastebin below
is the link , warning message is that unable
to resolve the DNS ,let me know any help would
I get .<br>
<br>
<a href="http://pastebin.com/7qN9QnHK" target="_blank">http://pastebin.com/7qN9QnHK</a><br>
<br>
</div>
Thanks,<br>
</div>
Nagaraju<br>
<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Sep 22, 2015 at
8:44 PM, Daniel Helgenberger <span dir="ltr"><<a href="mailto:daniel.helgenberger@m-box.de" target="_blank"></a><a href="mailto:daniel.helgenberger@m-box.de" target="_blank">daniel.helgenberger@m-box.de</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello Budur,<br>
<br>
I've done this recently. Alon, no offense, but
the docs are not quite strait forward...<br>
<br>
Requirements:<br>
- LDAP server (obviously) - called here <a href="http://ldap.mydomain.com" rel="noreferrer" target="_blank">ldap.mydomain.com</a><br>
- LDAP bind account - called here <a href="mailto:ldap@mydomain.com" target="_blank"></a><a href="mailto:ldap@mydomain.com" target="_blank">ldap@mydomain.com</a>,
password 'Passw@rd'<br>
- At least one existing account in ladp,
called <a href="mailto:user@mydomain.com" target="_blank">user@mydomain.com</a><br>
<br>
Please note, the most common issue will be
DNS.<br>
<br>
I'll describe in short what steps need to be
taken. All this needs to be done on your
engine host. In the end this was quite easy :)<br>
<br>
1. Install the packages:
ovirt-engine-extension-aaa-ldap and
openldap-clients (these are only for testing
your setup)<br>
2. Test if ldap is working in general. (The
extension uses the global catalog at least for
AD, this was news to me):<br>
# ldapsearch -E pr=1024/noprompt -o
ldif-wrap=no -H <a>ldap://</a><a href="http://ldap.mydomain.com:3268/" rel="noreferrer" target="_blank">ldap.mydomain.com:3268/</a>
-x \<br>
-D '<a href="mailto:ldap@mydomain.com" target="_blank">ldap@mydomain.com</a>' -w
Passw@rd -b '' '(userPrincipalName=<a href="mailto:user@mydomian.com" target="_blank"></a><a href="mailto:user@mydomian.com" target="_blank">user@mydomian.com</a>)' cn
userPrincipalName<br>
<br>
If this command does not return details of
the user, do debug your ldap and continue once
this works. Example:<br>
<br>
# extended LDIF<br>
#<br>
# LDAPv3<br>
# base <> with scope subtree<br>
# filter: (userPrincipalName=<a href="mailto:user@mydomain.com" target="_blank"></a><a href="mailto:user@mydomain.com" target="_blank">user@mydomain.com</a>)<br>
# requesting: cn userPrincipalName<br>
# with pagedResults control: size=1024<br>
#<br>
<br>
# Some Name, some-ou, <a href="http://mydomain.com" rel="noreferrer" target="_blank">mydomain.com</a><br>
dn: CN=Some Name,OU=some-ou,DC=mydomain,DC=com<br>
cn: Some Name<br>
userPrincipalName: <a href="mailto:user@mydomain.com" target="_blank">user@mydomain.com</a><br>
<br>
# search result<br>
search: 2<br>
result: 0 Success<br>
control: 1.2.840.113556.1.4.319 false
MIQXGSGSGSgEABAA=<br>
pagedresults: cookie=<br>
<br>
# numResponses: 2<br>
# numEntries: 1<br>
<br>
<br>
3. Copy the examples as mentioned from the
readme.<br>
4. You only need to modify
/etc/ovirt-engine/aaa/int.m-box.de.properties;
leave the rest as is.<br>
5. There, set:<br>
<br>
vars.domain = <a href="http://ldap.mydomain.com" rel="noreferrer" target="_blank">ldap.mydomain.com</a><br>
vars.user = ldap@${global:vars.domain}<br>
vars.password = Passw@rd<br>
<br>
6. Restart ovirt engine service<br>
7. Log in as admin@einternal and add user
rights and roles from the new provider<br>
<br>
Hope this helps.<br>
<span><br>
On <a href="tel:22.09.2015%2016" value="+12209201516" target="_blank">22.09.2015
16</a>:46, Budur Nagaraju wrote:<br>
><br>
> below are the three files which I have
modified.<br>
><br>
><br>
> [root@cstlb2 extensions.d]# cat
profile1-authn.properties<br>
</span>> <a href="http://ovirt.engine.extension.name" rel="noreferrer" target="_blank">ovirt.engine.extension.name</a>
<<a href="http://ovirt.engine.extension.name" target="_blank">http://ovirt.engine.extension.name</a>>
= cloudspin-authn<br>
<span>>
ovirt.engine.extension.bindings.method =
jbossmodule<br>
>
ovirt.engine.extension.binding.jbossmodule.module
=<br>
> org.ovirt.engine-extensions.aaa.ldap<br>
>
ovirt.engine.extension.binding.jbossmodule.class
=<br>
>
org.ovirt.engineextensions.aaa.ldap.AuthnExtension<br>
> ovirt.engine.extension.provides =
org.ovirt.engine.api.extensions.aaa.Authn<br>
</span>> <a href="http://ovirt.engine.aaa.authn.profile.name" rel="noreferrer" target="_blank">ovirt.engine.aaa.authn.profile.name</a>
<<a href="http://ovirt.engine.aaa.authn.profile.name" rel="noreferrer" target="_blank">http://ovirt.engine.aaa.authn.profile.name</a>><br>
<span>> = cloudspin<br>
> ovirt.engine.aaa.authn.authz.plugin =
cloudspin-auth<br>
> config.profile.file.1 =
/etc/ovirt-engine/aaa/ldap1.properties<br>
><br>
><br>
> [root@cstlb2 extensions.d]# ls<br>
> profile1-authn.properties
profile1-authz.properties<br>
> [root@cstlb2 extensions.d]# cat
profile1-authz.properties<br>
</span>> <a href="http://ovirt.engine.extension.name" rel="noreferrer" target="_blank">ovirt.engine.extension.name</a>
<<a href="http://ovirt.engine.extension.name" target="_blank">http://ovirt.engine.extension.name</a>>
= cloudspin-authz<br>
<div>
<div>>
ovirt.engine.extension.bindings.method =
jbossmodule<br>
>
ovirt.engine.extension.binding.jbossmodule.module
=<br>
> org.ovirt.engine-extensions.aaa.ldap<br>
>
ovirt.engine.extension.binding.jbossmodule.class
=<br>
>
org.ovirt.engineextensions.aaa.ldap.AuthzExtension<br>
> ovirt.engine.extension.provides =
org.ovirt.engine.api.extensions.aaa.Authz<br>
> config.profile.file.1 =
/etc/ovirt-engine/aaa/ldap1.properties<br>
> [root@cstlb2 extensions.d]#<br>
><br>
><br>
><br>
> [root@cstlb2 aaa]# pwd<br>
> /etc/ovirt-engine/aaa<br>
> [root@cstlb2 aaa]# ls<br>
> ldap1.properties<br>
> [root@cstlb2 aaa]# cat
ldap1.properties<br>
> #<br>
> # Select one<br>
> #<br>
> include = <openldap.properties><br>
> #include = <389ds.properties><br>
> #include = <rhds.properties><br>
> #include = <ipa.properties><br>
> #include = <iplanet.properties><br>
> #include = <rfc2307.properties><br>
> #include =
<rfc2307-openldap.properties><br>
><br>
> #<br>
> # Server<br>
> #<br>
</div>
</div>
> vars.server = <a href="http://my.abc.net" rel="noreferrer" target="_blank">my.abc.net</a> <<a href="http://my.abc.net" rel="noreferrer" target="_blank"></a><a href="http://my.abc.net" target="_blank">http://my.abc.net</a>><br>
<span>><br>
> #<br>
> # Search user and its password.<br>
> #<br>
> vars.user =<br>
>
uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=nbudoor,dc=net<br>
> vars.password = company<br>
><br>
> pool.default.serverset.single.server =
${global:vars.server}<br>
> pool.default.auth.simple.bindDN =
${global:vars.user}<br>
> pool.default.auth.simple.password =
${global:vars.password}<br>
><br>
> # Create keystore, import certificate
chain and uncomment<br>
> # if using ssl/tls.<br>
> #pool.default.ssl.startTLS = true<br>
> #pool.default.ssl.truststore.file =
${local:_basedir}/${global:vars.server}.jks<br>
> #pool.default.ssl.truststore.password =
changeit<br>
> [root@cstlb2 aaa]#<br>
><br>
><br>
><br>
><br>
><br>
><br>
> On Tue, Sep 22, 2015 at 8:07 PM, Alon
Bar-Lev <<a href="mailto:alonbl@redhat.com" target="_blank">alonbl@redhat.com</a><br>
</span><span>> <mailto:<a href="mailto:alonbl@redhat.com" target="_blank"></a><a href="mailto:alonbl@redhat.com" target="_blank">alonbl@redhat.com</a>>>
wrote:<br>
><br>
><br>
><br>
> ----- Original Message -----<br>
</span><span>> > From: "Budur
Nagaraju" <<a href="mailto:nbudoor@gmail.com" target="_blank">nbudoor@gmail.com</a>
<mailto:<a href="mailto:nbudoor@gmail.com" target="_blank">nbudoor@gmail.com</a>>><br>
> > To: "Alon Bar-Lev" <<a href="mailto:alonbl@redhat.com" target="_blank"></a><a href="mailto:alonbl@redhat.com" target="_blank">alonbl@redhat.com</a>
<mailto:<a href="mailto:alonbl@redhat.com" target="_blank">alonbl@redhat.com</a>>><br>
> > <a href="mailto:Cc%3Ausers@ovirt.org" target="_blank">Cc:users@ovirt.org</a>
<mailto:<a href="mailto:users@ovirt.org" target="_blank">users@ovirt.org</a>><br>
> > Sent: Tuesday, September 22,
2015 5:35:16 PM<br>
> > Subject: Re: [ovirt-users]
LDAP Authentication<br>
> ><br>
> > its too complicated ,you have
any script or video ?<br>
><br>
> in 3.6 we have a setup script.<br>
> for now:<br>
><br>
> cp -r
/usr/share/ovirt-engine/examples/simple/.
/etc/ovirt-engine/<br>
><br>
> this is written in the README.<br>
><br>
> then customize files at
/etc/ovirt-engine/extnesions.d/*<br>
> /etc/ovirt-engine/aaa/* to match
your setup<br>
><br>
> ><br>
> ><br>
</span><span>> > On Tue, Sep 22,
2015 at 8:00 PM, Alon Bar-Lev <<a href="mailto:alonbl@redhat.com" target="_blank"></a><a href="mailto:alonbl@redhat.com" target="_blank">alonbl@redhat.com</a>
<mailto:<a href="mailto:alonbl@redhat.com" target="_blank">alonbl@redhat.com</a>>>
wrote:<br>
> ><br>
> > ><br>
> > ><br>
> > > ----- Original Message
-----<br>
</span>
<div>
<div>> > > > From: "Budur
Nagaraju" <<a href="mailto:nbudoor@gmail.com" target="_blank">nbudoor@gmail.com</a>
<mailto:<a href="mailto:nbudoor@gmail.com" target="_blank">nbudoor@gmail.com</a>>><br>
> > > > To: "Alon Bar-Lev"
<<a href="mailto:alonbl@redhat.com" target="_blank">alonbl@redhat.com</a>
<mailto:<a href="mailto:alonbl@redhat.com" target="_blank">alonbl@redhat.com</a>>><br>
> > > > <a href="mailto:Cc%3Ausers@ovirt.org" target="_blank"></a><a href="mailto:Cc:users@ovirt.org" target="_blank">Cc:users@ovirt.org</a>
<mailto:<a href="mailto:users@ovirt.org" target="_blank">users@ovirt.org</a>><br>
> > > > Sent: Tuesday,
September 22, 2015 5:24:36 PM<br>
> > > > Subject: Re:
[ovirt-users] LDAP Authentication<br>
> > > ><br>
> > > > HI Alon,<br>
> > > ><br>
> > > > Below is the
configuration which I have done ,but
unable to search the<br>
> > > > users in UI<br>
> > > > can you pls help
me ?<br>
> > ><br>
> > > you need three files,
see the<br>
> > >
/usr/share/ovirt-engine-extension-aaa-ldap/examples/simple<br>
> > ><br>
> > > ><br>
> > > ><br>
> > > > [root@cstlb2 aaa]#
cat ldap1.properties<br>
> > > > #<br>
> > > > # Select one<br>
> > > > #<br>
> > > > include =
<openldap.properties><br>
> > > > #include =
<389ds.properties><br>
> > > > #include =
<rhds.properties><br>
> > > > #include =
<ipa.properties><br>
> > > > #include =
<iplanet.properties><br>
> > > > #include =
<rfc2307.properties><br>
> > > > #include =
<rfc2307-openldap.properties><br>
> > > ><br>
> > > > #<br>
> > > > # Server<br>
> > > > #<br>
</div>
</div>
> > > > vars.server =<a href="http://my.abc.net" rel="noreferrer" target="_blank">my.abc.net</a> <<a href="http://my.abc.net" target="_blank"></a><a href="http://my.abc.net" target="_blank">http://my.abc.net</a>><br>
<span>> > > ><br>
> > > > #<br>
> > > > # Search user and
its password.<br>
> > > > #<br>
> > > > vars.user =<br>
> > > ><br>
> > >
uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=abc,dc=net<br>
> > > > vars.password =
company1<br>
> > > ><br>
> > > >
pool.default.serverset.single.server =
${global:vars.server}<br>
> > > >
pool.default.auth.simple.bindDN =
${global:vars.user}<br>
> > > >
pool.default.auth.simple.password =
${global:vars.password}<br>
> > > ><br>
> > > > # Create keystore,
import certificate chain and uncomment<br>
> > > > # if using ssl/tls.<br>
> > > >
#pool.default.ssl.startTLS = true<br>
> > > >
#pool.default.ssl.truststore.file =<br>
> > > >
${local:_basedir}/${global:vars.server}.jks<br>
> > > >
#pool.default.ssl.truststore.password =
changeit<br>
> > > > [root@cstlb2 aaa]#<br>
> > > ><br>
> > > ><br>
> > > ><br>
</span><span>> > > > On Tue,
Sep 22, 2015 at 7:25 PM, Alon Bar-Lev <<a href="mailto:alonbl@redhat.com" target="_blank"></a><a href="mailto:alonbl@redhat.com" target="_blank">alonbl@redhat.com</a>
<mailto:<a href="mailto:alonbl@redhat.com" target="_blank">alonbl@redhat.com</a>>>
wrote:<br>
> > > ><br>
> > > > ><br>
> > > > ><br>
> > > > > ----- Original
Message -----<br>
</span><span>> > > > > >
From: "Budur Nagaraju" <<a href="mailto:nbudoor@gmail.com" target="_blank"></a><a href="mailto:nbudoor@gmail.com" target="_blank">nbudoor@gmail.com</a>
<mailto:<a href="mailto:nbudoor@gmail.com" target="_blank">nbudoor@gmail.com</a>>><br>
> > > > > > <a href="mailto:To:users@ovirt.org" target="_blank"></a><a href="mailto:To:users@ovirt.org" target="_blank">To:users@ovirt.org</a>
<mailto:<a href="mailto:users@ovirt.org" target="_blank">users@ovirt.org</a>><br>
> > > > > > Sent:
Tuesday, September 22, 2015 4:34:46 PM<br>
> > > > > > Subject:
[ovirt-users] LDAP Authentication<br>
> > > > > ><br>
> > > > > > HI All,<br>
> > > > > ><br>
> > > > > > Can
someone help me in configuring LDAP
authentication for Ovirt ?<br>
> > > > ><br>
> > > > > Please review:<br>
> > > > ><a href="http://www.ovirt.org/Features/AAA" rel="noreferrer" target="_blank"></a><a href="http://www.ovirt.org/Features/AAA" target="_blank">http://www.ovirt.org/Features/AAA</a><br>
> > > > ><br>
> > > > ><br>
> > ><a href="https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0" rel="noreferrer" target="_blank">https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0</a><br>
> > > > ><br>
> > > ><br>
> > ><br>
> ><br>
><br>
><br>
<br>
</span>--<br>
Daniel Helgenberger<br>
m box bewegtbild GmbH<br>
<br>
P: +49/30/2408781-22<br>
F: +49/30/2408781-10<br>
<br>
ACKERSTR. 19<br>
D-10115 BERLIN<br>
<br>
<br>
<a href="http://www.m-box.de" rel="noreferrer" target="_blank">www.m-box.de</a> <a href="http://www.monkeymen.tv" target="_blank"></a><a href="http://www.monkeymen.tv" target="_blank">www.monkeymen.tv</a><br>
<br>
Geschäftsführer: Martin Retschitzegger /
Michaela Göllner<br>
Handeslregister: Amtsgericht Charlottenburg /
HRB 112767<br>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset></fieldset>
<br>
</div>
</div>
<pre>_______________________________________________
Users mailing list
<a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a>
<a href="http://lists.ovirt.org/mailman/listinfo/users" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a>
</pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>