<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Mar 9, 2017 at 2:22 PM, Richard Neuboeck <span dir="ltr"><<a href="mailto:hawk@tbi.univie.ac.at" target="_blank">hawk@tbi.univie.ac.at</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi,<br>
<br>
I seem to experience the same problem right now and am at a bit of a<br>
loss as to where to dig for some more troubleshooting information. I<br>
would highly appreciate some help.<br>
<br>
Here is what I have and what I did:<br>
<br>
ovirt-engine-4.1.0.4-1.el7.<wbr>centos.noarch<br>
ovirt-engine-extension-aaa-<wbr>ldap-1.3.0-1.el7.noarch<br>
<br>
I executed ovirt-engine-extension-aaa-<wbr>ldap-setup. My LDAP provider<br>
is 389ds (FreeIPA).</blockquote><div><br></div><div>So what's your provider 389ds or FreeIPA?<br><br></div><div>Note that both use differrent unique ID. IPA is using 'ipaUniqueID',<br></div><div>and 389ds is using 'nsuniqueid'. DId you tried both?<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">I can successfully run a search and also login<br>
from the setup script.<br>
<br>
After running the setup I rebootet the Engine VM to make sure<br>
everything is restarted.<br>
<br>
In the web UI configuration for 'System Permissions' I'm able to<br>
find users from LDAP but when I try to 'Add' a selected user the UI<br>
shows me this error: 'User admin@internal-authz failed to grant<br>
permission for Role SuperUser on System to User/Group <UNKNOWN>.'.<br>
<br>
In then engine.log the following lines are generated:<br>
2017-03-09 14:02:49,308+01 INFO<br>
[org.ovirt.engine.core.bll.<wbr>AddSystemPermissionCommand]<br>
(org.ovirt.thread.pool-6-<wbr>thread-4)<br>
[1ebae5e0-e5f6-49ba-ac80-<wbr>95266c582893] Running command:<br>
AddSystemPermissionCommand internal: false. Entities affected : ID:<br>
aaa00000-0000-0000-0000-<wbr>123456789aaa Type: SystemAction group<br>
MANIPULATE_PERMISSIONS with role type USER, ID:<br>
aaa00000-0000-0000-0000-<wbr>123456789aaa Type: SystemAction group<br>
ADD_USERS_AND_GROUPS_FROM_<wbr>DIRECTORY with role type USER<br>
2017-03-09 14:02:49,319+01 ERROR<br>
[org.ovirt.engine.core.bll.<wbr>AddSystemPermissionCommand]<br>
(org.ovirt.thread.pool-6-<wbr>thread-4)<br>
[1ebae5e0-e5f6-49ba-ac80-<wbr>95266c582893] Transaction rolled-back for<br>
command 'org.ovirt.engine.core.bll.<wbr>AddSystemPermissionCommand'.<br>
2017-03-09 14:02:49,328+01 ERROR<br>
[org.ovirt.engine.core.dal.<wbr>dbbroker.auditloghandling.<wbr>AuditLogDirector]<br>
(org.ovirt.thread.pool-6-<wbr>thread-4)<br>
[1ebae5e0-e5f6-49ba-ac80-<wbr>95266c582893] EVENT_ID:<br>
USER_ADD_SYSTEM_PERMISSION_<wbr>FAILED(867), Correlation ID:<br>
1ebae5e0-e5f6-49ba-ac80-<wbr>95266c582893, Call Stack: null, Custom Event<br>
ID: -1, Message: User admin@internal-authz failed to grant<br>
permission for Role SuperUser on System to User/Group <UNKNOWN>.<br>
<br>
<br>
So far I've re-run the ldap-setup routine. I made sure all newly<br>
generated files in /etc/ovirt-engine/[aaa|<wbr>extensions.d] are owned by<br>
ovirt:ovirt (instead of root) and have 0600 as permission (instead<br>
of 0644). That didn't change anything.<br>
<br>
I've also found an older bug report but for oVirt 3.5<br>
<a href="https://bugzilla.redhat.com/show_bug.cgi?id=1121954" rel="noreferrer" target="_blank">https://bugzilla.redhat.com/<wbr>show_bug.cgi?id=1121954</a><br>
That didn't reveal any new either.<br>
<br>
Any ideas what I could try next?<br>
<br>
Thanks!<br>
Cheers<br>
Richard<br>
<div class="gmail-HOEnZb"><div class="gmail-h5"><br>
<br>
<br>
<br>
On 10/06/2016 04:36 PM, Ondra Machacek wrote:<br>
> On 10/06/2016 01:47 PM, Michael Burch wrote:<br>
>> I'm using the latest ovirt on CentOS7 with the aaa-ldap extension.<br>
>> I can<br>
>> successfully authenticate as an LDAP user. I can also login as<br>
>> admin@internal and search for, find, and select LDAP users but I<br>
>> cannot<br>
>> add permissions for them. Each time I get the error "User<br>
>> admin@internal-authz failed to grant permission for Role UserRole on<br>
>> System to User/Group <UNKNOWN>."<br>
><br>
> This error usually means bad unique attribute used.<br>
><br>
>><br>
>><br>
>> I have no control over the LDAP server, which uses custom<br>
>> objectClasses<br>
>> and uses groupOfNames instead of PosixGroups. I assume I need to set<br>
>> sequence variables to accommodate our group configuration but I'm<br>
>> at a<br>
>> loss as to where to begin. the The config I have is as follows:<br>
>><br>
>><br>
>> include = <rfc2307-generic.properties><br>
>><br>
>> vars.server = <a href="http://labauth.lan.lab.org" rel="noreferrer" target="_blank">labauth.lan.lab.org</a><br>
>><br>
>> pool.authz.auth.type = none<br>
>> pool.default.serverset.type = single<br>
>> pool.default.serverset.single.<wbr>server = ${global:vars.server}<br>
>> pool.default.ssl.startTLS = true<br>
>> pool.default.ssl.insecure = true<br>
>><br>
>> pool.default.connection-<wbr>options.connectTimeoutMillis = 10000<br>
>> pool.default.connection-<wbr>options.responseTimeoutMillis = 90000<br>
>> sequence-init.init.100-my-<wbr>basedn-init-vars = my-basedn-init-vars<br>
>> sequence.my-basedn-init-vars.<wbr>010.description = set baseDN<br>
>> sequence.my-basedn-init-vars.<wbr>010.type = var-set<br>
>> sequence.my-basedn-init-vars.<wbr>010.var-set.variable = simple_baseDN<br>
>> sequence.my-basedn-init-vars.<wbr>010.var-set.value = o=LANLAB<br>
>><br>
>> sequence-init.init.101-my-<wbr>objectclass-init-vars =<br>
>> my-objectclass-init-vars<br>
>> sequence.my-objectclass-init-<wbr>vars.020.description = set objectClass<br>
>> sequence.my-objectclass-init-<wbr>vars.020.type = var-set<br>
>> sequence.my-objectclass-init-<wbr>vars.020.var-set.variable =<br>
>> simple_filterUserObject<br>
>> sequence.my-objectclass-init-<wbr>vars.020.var-set.value =<br>
>> (objectClass=labPerson)(uid=*)<br>
>><br>
>> search.default.search-request.<wbr>derefPolicy = NEVER<br>
>><br>
>> sequence-init.init.900-local-<wbr>init-vars = local-init-vars<br>
>> sequence.local-init-vars.010.<wbr>description = override name space<br>
>> sequence.local-init-vars.010.<wbr>type = var-set<br>
>> sequence.local-init-vars.010.<wbr>var-set.variable =<br>
>> simple_namespaceDefault<br>
>> sequence.local-init-vars.010.<wbr>var-set.value = *<br>
><br>
> What's this^ for? I think it's unusable.<br>
><br>
>><br>
>> sequence.local-init-vars.020.<wbr>description = apply filter to users<br>
>> sequence.local-init-vars.020.<wbr>type = var-set<br>
>> sequence.local-init-vars.020.<wbr>var-set.variable =<br>
>> simple_filterUserObject<br>
>> sequence.local-init-vars.020.<wbr>var-set.value =<br>
>> ${seq:simple_filterUserObject}<wbr>(employeeStatus=3)<br>
>><br>
>> sequence.local-init-vars.030.<wbr>description = apply filter to groups<br>
>> sequence.local-init-vars.030.<wbr>type = var-set<br>
>> sequence.local-init-vars.030.<wbr>var-set.variable =<br>
>> simple_filterGroupObject<br>
>> sequence.local-init-vars.030.<wbr>var-set.value =<br>
>> (objectClass=<wbr>groupOfUniqueNames)<br>
><br>
> This looks as hard to maintain file. I would suggest you to insert<br>
> into this file just following:<br>
><br>
> include = <rfc2307-mycustom.properties><br>
><br>
> vars.server = <a href="http://labauth.lan.lab.org" rel="noreferrer" target="_blank">labauth.lan.lab.org</a><br>
><br>
> pool.authz.auth.type = none<br>
> pool.default.serverset.type = single<br>
> pool.default.serverset.single.<wbr>server = ${global:vars.server}<br>
> pool.default.ssl.startTLS = true<br>
> pool.default.ssl.insecure = true<br>
><br>
> pool.default.connection-<wbr>options.connectTimeoutMillis = 10000<br>
> pool.default.connection-<wbr>options.responseTimeoutMillis = 90000<br>
><br>
> # Set custom base DN<br>
> sequence-init.init.100-my-<wbr>basedn-init-vars = my-basedn-init-vars<br>
> sequence.my-basedn-init-vars.<wbr>010.description = set baseDN<br>
> sequence.my-basedn-init-vars.<wbr>010.type = var-set<br>
> sequence.my-basedn-init-vars.<wbr>010.var-set.variable = simple_baseDN<br>
> sequence.my-basedn-init-vars.<wbr>010.var-set.value = o=LANLAB<br>
><br>
> And then create in directory<br>
> '/usr/share/ovirt-engine-<wbr>extension-aaa-ldap/profiles/' file<br>
> 'rfc2307-mycustom.properties' with content:<br>
><br>
> include = <rfc2307.properties><br>
><br>
> sequence-init.init.100-<wbr>rfc2307-mycustom-init-vars =<br>
> rfc2307-mycustom-init-vars<br>
> sequence.rfc2307-mycustom-<wbr>init-vars.010.description = set unique attr<br>
> sequence.rfc2307-mycustom-<wbr>init-vars.010.type = var-set<br>
> sequence.rfc2307-mycustom-<wbr>init-vars.010.var-set.variable =<br>
> rfc2307_attrsUniqueId<br>
> sequence.rfc2307-mycustom-<wbr>init-vars.010.var-set.value = FIND_THIS_ONE<br>
><br>
> sequence.rfc2307-mycustom-<wbr>init-vars.020.type = var-set<br>
> sequence.rfc2307-mycustom-<wbr>init-vars.020.var-set.variable =<br>
> simple_filterUserObject<br>
> sequence.rfc2307-mycustom-<wbr>init-vars.020.var-set.value =<br>
> (objectClass=labPerson)(<wbr>employeeStatus=3)(${seq:<wbr>simple_attrsUserName}=*)<br>
><br>
><br>
><br>
> The FIND_*THIS_ONE* replace with the unique attribute of labPerson(I<br>
> guess). It can be extended attribute(+,++).<br>
><br>
> $ LDAPTLS_REQCERT=never ldapsearch -ZZ -x -b 'o=LANLAB' -H<br>
> ldap://<a href="http://labauth.lan.lab.org" rel="noreferrer" target="_blank">labauth.lan.lab.org</a> 'objectClass=labPerson'<br>
><br>
> maybe (or even with two +):<br>
> $ LDAPTLS_REQCERT=never ldapsearch -ZZ -x -b 'o=LANLAB' -H<br>
> ldap://<a href="http://labauth.lan.lab.org" rel="noreferrer" target="_blank">labauth.lan.lab.org</a> 'objectClass=labPerson' +<br>
><br>
> The question is if even your implementation has unique attribute, does<br>
> it?<br>
><br>
> Also may you share what's your LDAP provider? And maybe if you share<br>
> content of some user it would help as well.<br>
><br>
>><br>
>><br>
>><br>
>><br>
>> ______________________________<wbr>_________________<br>
>> Users mailing list<br>
>> <a href="mailto:Users@ovirt.org">Users@ovirt.org</a><br>
>> <a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/<wbr>mailman/listinfo/users</a><br>
>><br>
> ______________________________<wbr>_________________<br>
> Users mailing list<br>
> <a href="mailto:Users@ovirt.org">Users@ovirt.org</a><br>
> <a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/<wbr>mailman/listinfo/users</a><br>
<br>
<br>
</div></div><span class="gmail-HOEnZb"><font color="#888888">--<br>
/dev/null<br>
<br>
</font></span></blockquote></div><br></div></div>