<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Mar 9, 2017 at 2:22 PM, Richard Neuboeck <span dir="ltr">&lt;<a href="mailto:hawk@tbi.univie.ac.at" target="_blank">hawk@tbi.univie.ac.at</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi,<br>
<br>
I seem to experience the same problem right now and am at a bit of a<br>
loss as to where to dig for some more troubleshooting information. I<br>
would highly appreciate some help.<br>
<br>
Here is what I have and what I did:<br>
<br>
ovirt-engine-4.1.0.4-1.el7.centos.noarch<br>
ovirt-engine-extension-aaa-ldap-1.3.0-1.el7.noarch<br>
<br>
I executed ovirt-engine-extension-aaa-ldap-setup. My LDAP provider<br>
is 389ds (FreeIPA).</blockquote><div><br></div><div>So what&#39;s your provider, 389ds or FreeIPA?<br><br></div><div>Note that both use a different unique ID. IPA is using &#39;ipaUniqueID&#39;,<br></div><div>and 389ds is using &#39;nsuniqueid&#39;. Did you try both?<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">I can successfully run a search and also login<br>
from the setup script.<br>
<br>
After running the setup I rebooted the Engine VM to make sure<br>
everything is restarted.<br>
<br>
In the web UI configuration for &#39;System Permissions&#39; I&#39;m able to<br>
find users from LDAP but when I try to &#39;Add&#39; a selected user the UI<br>
shows me this error: &#39;User admin@internal-authz failed to grant<br>
permission for Role SuperUser on System to User/Group &lt;UNKNOWN&gt;.&#39;.<br>
<br>
In the engine.log the following lines are generated:<br>
2017-03-09 14:02:49,308+01 INFO<br>
[org.ovirt.engine.core.bll.AddSystemPermissionCommand]<br>
(org.ovirt.thread.pool-6-thread-4)<br>
[1ebae5e0-e5f6-49ba-ac80-95266c582893] Running command:<br>
AddSystemPermissionCommand internal: false. Entities affected :  ID:<br>
aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group<br>
MANIPULATE_PERMISSIONS with role type USER,  ID:<br>
aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group<br>
ADD_USERS_AND_GROUPS_FROM_DIRECTORY with role type USER<br>
2017-03-09 14:02:49,319+01 ERROR<br>
[org.ovirt.engine.core.bll.AddSystemPermissionCommand]<br>
(org.ovirt.thread.pool-6-thread-4)<br>
[1ebae5e0-e5f6-49ba-ac80-95266c582893] Transaction rolled-back for<br>
command &#39;org.ovirt.engine.core.bll.AddSystemPermissionCommand&#39;.<br>
2017-03-09 14:02:49,328+01 ERROR<br>
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]<br>
(org.ovirt.thread.pool-6-thread-4)<br>
[1ebae5e0-e5f6-49ba-ac80-95266c582893] EVENT_ID:<br>
USER_ADD_SYSTEM_PERMISSION_FAILED(867), Correlation ID:<br>
1ebae5e0-e5f6-49ba-ac80-95266c582893, Call Stack: null, Custom Event<br>
ID: -1, Message: User admin@internal-authz failed to grant<br>
permission for Role SuperUser on System to User/Group &lt;UNKNOWN&gt;.<br>
<br>
<br>
So far I&#39;ve re-run the ldap-setup routine. I made sure all newly<br>
generated files in /etc/ovirt-engine/[aaa|extensions.d] are owned by<br>
ovirt:ovirt (instead of root) and have 0600 as permission (instead<br>
of 0644). That didn&#39;t change anything.<br>
<br>
I&#39;ve also found an older bug report, but for oVirt 3.5:<br>
<a href="https://bugzilla.redhat.com/show_bug.cgi?id=1121954" rel="noreferrer" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=1121954</a><br>
That didn&#39;t reveal anything new either.<br>
<br>
Any ideas what I could try next?<br>
<br>
Thanks!<br>
Cheers<br>
Richard<br>
<div class="gmail-HOEnZb"><div class="gmail-h5"><br>
<br>
<br>
<br>
On 10/06/2016 04:36 PM, Ondra Machacek wrote:<br>
&gt; On 10/06/2016 01:47 PM, Michael Burch wrote:<br>
&gt;&gt; I&#39;m using the latest ovirt on CentOS7 with the aaa-ldap extension.<br>
&gt;&gt; I can<br>
&gt;&gt; successfully authenticate as an LDAP user. I can also login as<br>
&gt;&gt; admin@internal and search for, find, and select LDAP users but I<br>
&gt;&gt; cannot<br>
&gt;&gt; add permissions for them. Each time I get the error &quot;User<br>
&gt;&gt; admin@internal-authz failed to grant permission for Role UserRole on<br>
&gt;&gt; System to User/Group &lt;UNKNOWN&gt;.&quot;<br>
&gt;<br>
&gt; This error usually means bad unique attribute used.<br>
&gt;<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; I have no control over the LDAP server, which uses custom<br>
&gt;&gt; objectClasses<br>
&gt;&gt; and uses groupOfNames instead of PosixGroups. I assume I need to set<br>
&gt;&gt; sequence variables to accommodate our group configuration but I&#39;m<br>
&gt;&gt; at a<br>
&gt;&gt; loss as to where to begin. The config I have is as follows:<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; include = &lt;rfc2307-generic.properties&gt;<br>
&gt;&gt;<br>
&gt;&gt; vars.server = <a href="http://labauth.lan.lab.org" rel="noreferrer" target="_blank">labauth.lan.lab.org</a><br>
&gt;&gt;<br>
&gt;&gt; pool.authz.auth.type = none<br>
&gt;&gt; pool.default.serverset.type = single<br>
&gt;&gt; pool.default.serverset.single.server = ${global:vars.server}<br>
&gt;&gt; pool.default.ssl.startTLS = true<br>
&gt;&gt; pool.default.ssl.insecure = true<br>
&gt;&gt;<br>
&gt;&gt; pool.default.connection-options.connectTimeoutMillis = 10000<br>
&gt;&gt; pool.default.connection-options.responseTimeoutMillis = 90000<br>
&gt;&gt; sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars<br>
&gt;&gt; sequence.my-basedn-init-vars.010.description = set baseDN<br>
&gt;&gt; sequence.my-basedn-init-vars.010.type = var-set<br>
&gt;&gt; sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN<br>
&gt;&gt; sequence.my-basedn-init-vars.010.var-set.value = o=LANLAB<br>
&gt;&gt;<br>
&gt;&gt; sequence-init.init.101-my-objectclass-init-vars =<br>
&gt;&gt; my-objectclass-init-vars<br>
&gt;&gt; sequence.my-objectclass-init-vars.020.description = set objectClass<br>
&gt;&gt; sequence.my-objectclass-init-vars.020.type = var-set<br>
&gt;&gt; sequence.my-objectclass-init-vars.020.var-set.variable =<br>
&gt;&gt; simple_filterUserObject<br>
&gt;&gt; sequence.my-objectclass-init-vars.020.var-set.value =<br>
&gt;&gt; (objectClass=labPerson)(uid=*)<br>
&gt;&gt;<br>
&gt;&gt; search.default.search-request.derefPolicy = NEVER<br>
&gt;&gt;<br>
&gt;&gt; sequence-init.init.900-local-init-vars = local-init-vars<br>
&gt;&gt; sequence.local-init-vars.010.description = override name space<br>
&gt;&gt; sequence.local-init-vars.010.type = var-set<br>
&gt;&gt; sequence.local-init-vars.010.var-set.variable =<br>
&gt;&gt; simple_namespaceDefault<br>
&gt;&gt; sequence.local-init-vars.010.var-set.value = *<br>
&gt;<br>
&gt; What&#39;s this^ for? I think it&#39;s unusable.<br>
&gt;<br>
&gt;&gt;<br>
&gt;&gt; sequence.local-init-vars.020.description = apply filter to users<br>
&gt;&gt; sequence.local-init-vars.020.type = var-set<br>
&gt;&gt; sequence.local-init-vars.020.var-set.variable =<br>
&gt;&gt; simple_filterUserObject<br>
&gt;&gt; sequence.local-init-vars.020.var-set.value =<br>
&gt;&gt; ${seq:simple_filterUserObject}(employeeStatus=3)<br>
&gt;&gt;<br>
&gt;&gt; sequence.local-init-vars.030.description = apply filter to groups<br>
&gt;&gt; sequence.local-init-vars.030.type = var-set<br>
&gt;&gt; sequence.local-init-vars.030.var-set.variable =<br>
&gt;&gt; simple_filterGroupObject<br>
&gt;&gt; sequence.local-init-vars.030.var-set.value =<br>
&gt;&gt; (objectClass=groupOfUniqueNames)<br>
&gt;<br>
&gt; This looks like a hard-to-maintain file. I would suggest you insert<br>
&gt; just the following into this file:<br>
&gt;<br>
&gt;  include = &lt;rfc2307-mycustom.properties&gt;<br>
&gt;<br>
&gt;  vars.server = <a href="http://labauth.lan.lab.org" rel="noreferrer" target="_blank">labauth.lan.lab.org</a><br>
&gt;<br>
&gt;  pool.authz.auth.type = none<br>
&gt;  pool.default.serverset.type = single<br>
&gt;  pool.default.serverset.single.server = ${global:vars.server}<br>
&gt;  pool.default.ssl.startTLS = true<br>
&gt;  pool.default.ssl.insecure = true<br>
&gt;<br>
&gt;  pool.default.connection-options.connectTimeoutMillis = 10000<br>
&gt;  pool.default.connection-options.responseTimeoutMillis = 90000<br>
&gt;<br>
&gt;  # Set custom base DN<br>
&gt;  sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars<br>
&gt;  sequence.my-basedn-init-vars.010.description = set baseDN<br>
&gt;  sequence.my-basedn-init-vars.010.type = var-set<br>
&gt;  sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN<br>
&gt;  sequence.my-basedn-init-vars.010.var-set.value = o=LANLAB<br>
&gt;<br>
&gt; And then create, in the directory<br>
&gt; &#39;/usr/share/ovirt-engine-extension-aaa-ldap/profiles/&#39;, the file<br>
&gt; &#39;rfc2307-mycustom.properties&#39; with this content:<br>
&gt;<br>
&gt; include = &lt;rfc2307.properties&gt;<br>
&gt;<br>
&gt; sequence-init.init.100-rfc2307-mycustom-init-vars =<br>
&gt; rfc2307-mycustom-init-vars<br>
&gt; sequence.rfc2307-mycustom-init-vars.010.description = set unique attr<br>
&gt; sequence.rfc2307-mycustom-init-vars.010.type = var-set<br>
&gt; sequence.rfc2307-mycustom-init-vars.010.var-set.variable =<br>
&gt; rfc2307_attrsUniqueId<br>
&gt; sequence.rfc2307-mycustom-init-vars.010.var-set.value = FIND_THIS_ONE<br>
&gt;<br>
&gt; sequence.rfc2307-mycustom-init-vars.020.type = var-set<br>
&gt; sequence.rfc2307-mycustom-init-vars.020.var-set.variable =<br>
&gt; simple_filterUserObject<br>
&gt; sequence.rfc2307-mycustom-init-vars.020.var-set.value =<br>
&gt; (objectClass=labPerson)(employeeStatus=3)(${seq:simple_attrsUserName}=*)<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; Replace FIND_*THIS_ONE* with the unique attribute of labPerson (I<br>
&gt; guess). It can be an extended attribute (+, ++).<br>
&gt;<br>
&gt;  $ LDAPTLS_REQCERT=never ldapsearch -ZZ -x -b &#39;o=LANLAB&#39; -H<br>
&gt; ldap://<a href="http://labauth.lan.lab.org" rel="noreferrer" target="_blank">labauth.lan.lab.org</a> &#39;objectClass=labPerson&#39;<br>
&gt;<br>
&gt;  maybe (or even with two +):<br>
&gt; $ LDAPTLS_REQCERT=never ldapsearch -ZZ -x -b &#39;o=LANLAB&#39; -H<br>
&gt; ldap://<a href="http://labauth.lan.lab.org" rel="noreferrer" target="_blank">labauth.lan.lab.org</a> &#39;objectClass=labPerson&#39; +<br>
&gt;<br>
&gt; The question is whether your implementation even has a unique attribute. Does<br>
&gt; it?<br>
&gt;<br>
&gt; Also, could you share what your LDAP provider is? And maybe if you share<br>
&gt; the content of some user, it would help as well.<br>
&gt;<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; _______________________________________________<br>
&gt;&gt; Users mailing list<br>
&gt;&gt; <a href="mailto:Users@ovirt.org">Users@ovirt.org</a><br>
&gt;&gt; <a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a><br>
&gt;&gt;<br>
<br>
<br>
</div></div><span class="gmail-HOEnZb"><font color="#888888">--<br>
/dev/null<br>
<br>
</font></span></blockquote></div><br></div></div>
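The thread above says that "User/Group &lt;UNKNOWN&gt;" usually means the unique-ID attribute configured in rfc2307_attrsUniqueId (ipaUniqueID on FreeIPA, nsuniqueid on plain 389ds) is not what the user entries actually carry, and suggests finding the right one with ldapsearch and the "+" operational-attributes selector. The script below is an added example, not code from the thread or from the oVirt project: it parses the LDIF that such an ldapsearch prints and reports which candidate attribute every user entry carries, and which accounts would fail to resolve under a given setting. The LDIF sample is constructed for the example, and entryUUID is included as a third candidate on the assumption that the directory exposes it, which not every server does.

```python
"""Find which unique-ID attribute the LDAP user entries really carry.

Parses the LDIF printed by
  ldapsearch -ZZ -x -b 'o=LANLAB' -H ldap://SERVER '(objectClass=labPerson)' +
(the '+' requests operational attributes) and checks each candidate
unique-ID attribute against every returned entry. The candidate that
every entry carries is a safe value for rfc2307_attrsUniqueId; entries
lacking the configured one are the accounts the engine resolves as
"User/Group <UNKNOWN>".
"""
import base64
from typing import Dict, List

# Candidates in the order an admin would try them. ipaUniqueID and
# nsuniqueid come from the thread; entryUUID is an added assumption.
# LDAP attribute names are case-insensitive, so keys are lowercased.
CANDIDATES = ["ipaUniqueID", "nsuniqueid", "entryUUID"]

# Constructed sample output, not captured from a real directory.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <o=LANLAB> with scope subtree

dn: uid=alice,cn=users,cn=accounts,o=LANLAB
objectClass: person
objectClass: labPerson
uid: alice
ipaUniqueID: 0d1b3f6a-1111-2222-3333-444455556666
nsuniqueid: 0d1b3f6a-ffff-eeee-dddd-cccccccccccc

dn: uid=bob,cn=users,cn=accounts,o=LANLAB
objectClass: person
objectClass: labPerson
uid: bob
nsuniqueid: 7a7a7a7a-aaaa-bbbb-cccc-dddddddddddd
description: wrapped-value-part-one
 -part-two

dn: uid=carol,cn=users,cn=accounts,o=LANLAB
objectClass: person
objectClass: labPerson
uid: carol
nsuniqueid: 9b9b9b9b-1234-5678-9abc-def012345678
cn:: Q2Fyb2wgRXhhbXBsZQ==
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF into a list of {attribute_lowercase: [values]} dicts.

    Handles '#' comment lines, folded continuation lines (leading space)
    and base64 values ('attr:: value'). Each entry keeps its 'dn'.
    """
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]  # unfold continuation line
        else:
            logical.append(raw)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in logical:
        if line.startswith("#"):
            continue
        if not line.strip():  # blank line separates entries
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not an attribute line
        if value.startswith(":"):  # 'attr:: base64'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def usable_unique_attrs(entries, candidates=CANDIDATES) -> List[str]:
    """Candidates that every entry carries with a non-empty value."""
    usable = []
    for attr in candidates:
        key = attr.lower()
        if entries and all(e.get(key) and e[key][0] for e in entries):
            usable.append(attr)
    return usable


def entries_missing(entries, attr: str) -> List[str]:
    """DNs of entries lacking the configured unique-ID attribute."""
    key = attr.lower()
    return [e["dn"][0] for e in entries if not e.get(key)]


if __name__ == "__main__":
    users = parse_ldif(SAMPLE_LDIF)
    print("usable for rfc2307_attrsUniqueId:", usable_unique_attrs(users))
    for attr in CANDIDATES:
        missing = entries_missing(users, attr)
        if missing:
            print(f"{attr}: would give <UNKNOWN> for {missing}")
```

On a real directory, feed the output of the ldapsearch shown in the thread into parse_ldif instead of SAMPLE_LDIF. With the constructed sample only nsuniqueid is present on every entry, so that is the value to put in rfc2307_attrsUniqueId, and entries_missing shows that choosing ipaUniqueID would leave bob and carol unresolvable.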