Ok so before I open a bug ticket I want to confirm I'm not doing any
thing wrong here.
I upgraded to 3.4
now it says "Active: false " on LDAP groups.
Again I tried to add the sysadmin group from the directory server and
set the power user and super user roles on the group
it shows up as "<domain name>/Groups/sysadmin"
I adder the permisions by clicking on the configure link on the top of
the screen and set them in the "System Permissions" tab
I added a user (pmarino) to the system which shows in the "Directory
Group" tab shows "sysadmin groups <domian name>" among
others
however it only shows in the Permissions tab the permissions inherited
by "Everyone" it does not show any permissions inherited by the
sysadmin group.
just to prove it didnt work I logged out and attempted to log back in
as the user (pmarino) it wouldn't let me log in
I logged back in as the internal admin user then I added the SuperUser
permissions directly to the pmarino account and logged back out again.
Now when I logged in as pmarino it gave me the access I expected.
Here is the relevant portion of the engine log
"
2014-08-13 16:00:38,801 INFO
[org.ovirt.engine.core.bll.AddGroupCommand] (ajp-/127.0.0.1:8702-5)
[1e7fa420] Running command: AddGroupCommand internal: false. Entities
affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System
2014-08-13 16:00:38,813 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(ajp-/127.0.0.1:8702-5) [1e7fa420] Correlation ID: 1e7fa420, Call
Stack: null, Custom Event ID: -1, Message: User '<domain
name>/Groups/sysadmin' was added successfully to the system.
2014-08-13 16:09:01,352 INFO
[org.ovirt.engine.core.bll.AddSystemPermissionCommand]
(org.ovirt.thread.pool-4-thread-24) [75cab17c] Running command:
AddSystemPermissionCommand internal: false. Entities affected : ID:
aaa00000-0000-0000-0000-123456789aaa Type: System, ID:
aaa00000-0000-0000-0000-123456789aaa Type: System
2014-08-13 16:09:01,371 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(org.ovirt.thread.pool-4-thread-24) [75cab17c] Correlation ID:
75cab17c, Call Stack: null, Custom Event ID: -1, Message: User/Group
<domain name>/Groups/sysadmin was granted permission for Role
SuperUser on System by admin.
2014-08-13 16:10:40,963 INFO
[org.ovirt.engine.core.bll.AddSystemPermissionCommand]
(org.ovirt.thread.pool-4-thread-26) [b42abcb] Running command:
AddSystemPermissionCommand internal: false. Entities affected : ID:
aaa00000-0000-0000-0000-123456789aaa Type: System, ID:
aaa00000-0000-0000-0000-123456789aaa Type: System
2014-08-13 16:10:40,979 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(org.ovirt.thread.pool-4-thread-26) [b42abcb] Correlation ID: b42abcb,
Call Stack: null, Custom Event ID: -1, Message: User/Group <domain
name>/Groups/sysadmin was granted permission for Role PowerUserRole on
System by admin.
2014-08-13 16:20:53,891 INFO
[org.ovirt.engine.core.bll.AddUserCommand] (ajp-/127.0.0.1:8702-4)
[58e00be1] Running command: AddUserCommand internal: false. Entities
affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System
2014-08-13 16:20:53,919 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(ajp-/127.0.0.1:8702-4) [58e00be1] Correlation ID: 58e00be1, Call
Stack: null, Custom Event ID: -1, Message: User 'pmarino' was added
successfully to the system.
2014-08-13 16:35:52,202 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(ajp-/127.0.0.1:8702-10) Correlation ID: null, Call Stack: null,
Custom Event ID: -1, Message: User pmarino failed to log in.
2014-08-13 16:35:52,202 WARN
[org.ovirt.engine.core.bll.LoginAdminUserCommand]
(ajp-/127.0.0.1:8702-10) CanDoAction of action LoginAdminUser failed.
Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2014-08-13 16:39:48,048 INFO
[org.ovirt.engine.core.bll.AddSystemPermissionCommand]
(org.ovirt.thread.pool-4-thread-31) [5ba3c874] Running command:
AddSystemPermissionCommand internal: false. Entities affected : ID:
aaa00000-0000-0000-0000-123456789aaa Type: System
2014-08-13 16:39:48,069 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(org.ovirt.thread.pool-4-thread-31) [5ba3c874] Correlation ID:
5ba3c874, Call Stack: null, Custom Event ID: -1, Message: User/Group
pmarino was granted permission for Role SuperUser on System by admin.
2014-08-13 16:40:43,357 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(ajp-/127.0.0.1:8702-1) Correlation ID: null, Call Stack: null, Custom
Event ID: -1, Message: User pmarino logged in.
"
On Mon, Aug 11, 2014 at 1:41 PM, Yair Zaslavsky <yzaslavs(a)redhat.com> wrote:
----- Original Message -----
> From: "Yair Zaslavsky" <yzaslavs(a)redhat.com>
> To: "Itamar Heim" <iheim(a)redhat.com>
> Cc: users(a)ovirt.org
> Sent: Monday, August 11, 2014 8:13:53 PM
> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
>
> I have checked the codebase of 3.3 -
> the "active" field is used for presentation purpose only.
Presentation wise only - means that it is not used for our permissions calculation , for
example.
> Alon has addressed our plans for this in his previous comments.
> I hope this clarifies more..
>
> Yair
>
>
> ----- Original Message -----
> > From: "Itamar Heim" <iheim(a)redhat.com>
> > To: "Alon Bar-Lev" <alonbl(a)redhat.com>, "Paul Robert
Marino"
> > <prmarino1(a)gmail.com>
> > Cc: users(a)ovirt.org
> > Sent: Sunday, August 10, 2014 11:54:05 PM
> > Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> >
> > On 08/10/2014 10:50 PM, Alon Bar-Lev wrote:
> > >
> > >
> > > ----- Original Message -----
> > >> From: "Paul Robert Marino" <prmarino1(a)gmail.com>
> > >> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> > >> Cc: "Maurice James" <mjames(a)media-node.com>,
users(a)ovirt.org
> > >> Sent: Sunday, August 10, 2014 10:43:14 PM
> > >> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> > >>
> > >> Sorry for my delayed response to this
> > >>
> > >> I am using ovirt 3.3.
> > >> I am using Kerberos 5, and all of the DNS requirements are in place.
> > >> Finally 389 server is the upstream project for RHDS and one of the
> > >> upstream projects for IPA.
> > >> So I chose to set it as RHDS because its an identical match.
> > >>
> > >> User authentication works just fine my problem is adding roles to
> > >> groups.
> > >> I can assign a role to a group but the group always shows an inactive
> > >> status; however if I assign a role directly to to a user it works
> > >> fine.
> > >> In addition if I drill down into a user it knows what groups in the
> > >> 389 server the user is a member of.
> > >>
> > >> finally I can't see any error in the logs when adding a role to a
group
> > >>
> > >
> > > Please open a bug, I am unsure that it will be addressed before 3.5, as
> > > we
> > > have done major rework for the authentication and authorization to make
> > > it
> > > much more versatile. Even if there will be a fix it will be provided to
> > > 3.4.z.
> > >
> > > It will be best if you want to test this scenario in 3.5 release
> > > candidate
> > > and the new ldap provider, so we can address the issue before 3.5 release
> > > if exists.
> > >
> >
> > could also be one of these fixed in 3.4:
> > 3.4.0 - Bug 1065615 - When adding a user that belongs to a group, it
> > does not inherit the group permissions
> > 3.4.1 - Bug 1069562 - When assigning permissions to user that belongs to
> > a group indirectly, it does not inherit the group permissions
> >
> > >>
> > >>
> > >> On Sat, Aug 9, 2014 at 2:33 AM, Alon Bar-Lev <alonbl(a)redhat.com>
wrote:
> > >>>
> > >>>
> > >>> ----- Original Message -----
> > >>>> From: "Maurice James" <mjames(a)media-node.com>
> > >>>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> > >>>> Cc: "Itamar Heim" <iheim(a)redhat.com>,
users(a)ovirt.org
> > >>>> Sent: Saturday, August 9, 2014 3:47:04 AM
> > >>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive
groups
> > >>>>
> > >>>> Does this still require the use of kerberos? Will 389-ds work
on its
> > >>>> own?
> > >>>
> > >>> In 3.5 we introduced pure ldap support[1], obsoleting the
kerberos/ldap
> > >>> mix.
> > >>>
> > >>> It will be great to receive feedback[2].
> > >>>
> > >>> 389ds is not supported directly, I think it is similar to IPA as
it
> > >>> uses
> > >>> 389. Maybe I should rename the profile of ipa to 389 if it works
> > >>> properly.
> > >>>
> > >>> Regards,
> > >>> Alon
> > >>>
> > >>> [1]
> > >>>
http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=bl...
> > >>> [2]
http://lists.ovirt.org/pipermail/devel/2014-August/008367.html
> > >>>
> > >>>>
> > >>>> ----- Original Message -----
> > >>>> From: "Alon Bar-Lev" <alonbl(a)redhat.com>
> > >>>> To: "Itamar Heim" <iheim(a)redhat.com>
> > >>>> Cc: users(a)ovirt.org
> > >>>> Sent: Friday, August 8, 2014 3:45:07 PM
> > >>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive
groups
> > >>>>
> > >>>>
> > >>>>
> > >>>> ----- Original Message -----
> > >>>>> From: "Itamar Heim" <iheim(a)redhat.com>
> > >>>>> To: "Paul Robert Marino"
<prmarino1(a)gmail.com>, users(a)ovirt.org
> > >>>>> Sent: Friday, August 8, 2014 10:37:11 PM
> > >>>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive
groups
> > >>>>>
> > >>>>> On 08/07/2014 07:06 PM, Paul Robert Marino wrote:
> > >>>>>> I have ovirt engine running and connected to a 389
server with the
> > >>>>>> memberof plugin enabled and working properly.
> > >>>>>>
> > >>>>>> I can add users and assign them to roles without any
issues.
> > >>>>>>
> > >>>>>> when I look at a user I can see all the LDAP groups
they are a
> > >>>>>> member
> > >>>>>> of.
> > >>>>>>
> > >>>>>> when I run engine-manage-domains -action=validate it
tells me the
> > >>>>>> domain is valid.
> > >>>>>>
> > >>>>>> here is my problem when I try to assign a role to an
LDAP group it
> > >>>>>> looks like it works but in the general tab when under
the group it
> > >>>>>> tells me the status is Inactive.
> > >>>>>>
> > >>>>>> dose any one know how to enable the group?
> > >>>>>> _______________________________________________
> > >>>>>> Users mailing list
> > >>>>>> Users(a)ovirt.org
> > >>>>>>
http://lists.ovirt.org/mailman/listinfo/users
> > >>>>>>
> > >>>>>
> > >>>>> 3.4 or new 3.5 Generic LDAP provider?
> > >>>>
> > >>>>
> > >>>> On case this is 3.5 it is known issue, all groups will be seen
as
> > >>>> inactive,
> > >>>> this field will probably be removed from UI, as groups are no
longer
> > >>>> fetched
> > >>>> periodically.
> > >>>> This field is totally ignored.
> > >>>>
> > >>>> Alon
> > >>>> _______________________________________________
> > >>>> Users mailing list
> > >>>> Users(a)ovirt.org
> > >>>>
http://lists.ovirt.org/mailman/listinfo/users
> > >>>>
> > >>> _______________________________________________
> > >>> Users mailing list
> > >>> Users(a)ovirt.org
> > >>>
http://lists.ovirt.org/mailman/listinfo/users
> > >>
> > > _______________________________________________
> > > Users mailing list
> > > Users(a)ovirt.org
> > >
http://lists.ovirt.org/mailman/listinfo/users
> > >
> >
> > _______________________________________________
> > Users mailing list
> > Users(a)ovirt.org
> >
http://lists.ovirt.org/mailman/listinfo/users
> >
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
>
http://lists.ovirt.org/mailman/listinfo/users
>
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users