You can create a profile that has the proper permissions to allow what you
are looking for, and then assign that profile to the groups you wish.
I wrote a post on this quite a while back on how to setup oVirt to appear
to be multi-tenant.
Happy to see you don't have an ldap issue :)
groups since Everyone === No-one. -sigh-
On Mon, Jun 11, 2018 at 6:34 AM, Callum Smith <callum(a)well.ox.ac.uk> wrote:
Ah, this appears to be an issue with the proxy - setting up the
spice
proxy as indicated in the guides is causing this issue, and likely will
need support.
https://www.ovirt.org/documentation/admin-guide/chap-Proxies/
Regards,
Callum
--
Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. callum(a)well.ox.ac.uk
On 11 Jun 2018, at 11:29, Callum Smith <callum(a)well.ox.ac.uk> wrote:
Ok, the user now logs in! This will be a problem for us to now create
group permissions for all 100+ groups since Everyone === No-one. -sigh-
A new issue, when in the VM portal as the LDAP user, i get HTTP basic auth
login prompts, and a "Authorization expired" error, then a page reload.
Nothing in the logs seem to indicate an issue.
Regards,
Callum
--
Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. callum(a)well.ox.ac.uk
On 11 Jun 2018, at 11:26, Donny Davis <donny(a)fortnebula.com> wrote:
Try giving your user system permissions as a superuser and see if it goes
away.
I wouldn't leave it like that, but it will help isolate your issue. I
don't think you have an ldap issue... the log entry is telling you that
user has no permissions
>The user callum@Biomedical Research Computing is not authorized to
perform login
On Mon, Jun 11, 2018 at 6:23 AM, Callum Smith <callum(a)well.ox.ac.uk>
wrote:
> Dear Donny,
>
> No, though the user shows the permissions inherited from the Everyone
> group:
> <Screen Shot 2018-06-11 at 11.22.42.png>
> Regards,
> Callum
>
> --
>
> Callum Smith
> Research Computing Core
> Wellcome Trust Centre for Human Genetics
> University of Oxford
> e. callum(a)well.ox.ac.uk
>
> On 11 Jun 2018, at 11:21, Donny Davis <donny(a)fortnebula.com> wrote:
>
> Just a shot in the dark, but after you setup ldap did you go in as the
> default admin and give an ldap account permissions?
>
> On Mon, Jun 11, 2018 at 6:04 AM, Callum Smith <callum(a)well.ox.ac.uk>
> wrote:
>
>> Dear All,
>>
>> Could this be as our LDAP is fairly short on attributes?
>>
>> 2018-06-11 11:00:52,856+01 INFO
[org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand]
>> (default task-5) [5dff9eb0] Running command: CreateUserSessionCommand
>> internal: false.
>> 2018-06-11 11:00:52,884+01 ERROR [org.ovirt.engine.core.dal.dbb
>> roker.auditloghandling.AuditLogDirector] (default task-5) [5dff9eb0]
>> EVENT_ID: USER_VDC_LOGIN_FAILED(114), User callum@Biomedical Research
>> Computing connecting from '--ipaddr--' failed to log in<UNKNOWN>.
>> 2018-06-11 11:00:52,884+01 ERROR
[org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet]
>> (default task-5) [] The user callum@Biomedical Research Computing is
>> not authorized to perform login
>>
>> I note that a number of variables are included in this action, but which
>> are required and which are optional is the question:
>>
>>
https://github.com/oVirt/ovirt-engine/blob/master/backend/ma
>> nager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/
>> servlet/SsoPostLoginServlet.java#L88
>>
>> Regards,
>> Callum
>>
>> --
>>
>> Callum Smith
>> Research Computing Core
>> Wellcome Trust Centre for Human Genetics
>> University of Oxford
>> e. callum(a)well.ox.ac.uk
>>
>> On 11 Jun 2018, at 09:35, Callum Smith <callum(a)well.ox.ac.uk> wrote:
>>
>> What would be the next step to help solve this issue? All users
>> authenticating through LDAP get "This user is not authorised to perform
>> authentication".
>>
>> Regards,
>> Callum
>>
>> --
>>
>> Callum Smith
>> Research Computing Core
>> Wellcome Trust Centre for Human Genetics
>> University of Oxford
>> e. callum(a)well.ox.ac.uk
>>
>> On 5 Jun 2018, at 11:42, Callum Smith <callum(a)well.ox.ac.uk> wrote:
>>
>> Ok I spoke too soon, I have resolved the groups, but authentication
>> still isn't working for LDAP users, same error as before (114).
>>
>> Regards,
>> Callum
>>
>> --
>>
>> Callum Smith
>> Research Computing Core
>> Wellcome Trust Centre for Human Genetics
>> University of Oxford
>> e. callum(a)well.ox.ac.uk
>>
>> On 5 Jun 2018, at 10:14, Callum Smith <callum(a)well.ox.ac.uk> wrote:
>>
>> Dear Ondra, all,
>>
>> Managed to solve this once i got my head around the properties file.
>> Conceptually the problem is that users are typically not a member of their
>> primary group in a POSIX scenario, and their primary group is set by the
>> gidNumber of the user's record, with additional group memberships specified
>> by memberUid entries against a posixGroup entry.
>>
>> search.rfc2307-resolve-groups-memberUid.search-request.filter =
>> &(objectClass=posixGroup)(|(memberUid=${seq:_rfc2307_uid_enc
>> oded})(gidNumber=${seq:_rfc2307_gid_encoded}))
>>
>> search.rfc2307-resolve-principal-uid.search-request.attributes = uid,
>> gidNumber
>>
>> sequence.bmrc-resolve-groups.010.description = set dn
>> sequence.bmrc-resolve-groups.010.type = var-set
>> sequence.bmrc-resolve-groups.010.var-set.variable = _rfc2307_dn
>> sequence.bmrc-resolve-groups.010.var-set.value = ${seq:dn}
>> sequence.bmrc-resolve-groups.010.description = resolve uid
>> sequence.bmrc-resolve-groups.020.type = fetch-record
>> sequence.bmrc-resolve-groups.020.fetch-record.search =
>> rfc2307-resolve-principal-uid
>> sequence.bmrc-resolve-groups.020.fetch-record.map.uid.name =
>> _rfc2307_uid
>> sequence.bmrc-resolve-groups.030.description = resolve gid
>> sequence.bmrc-resolve-groups.030.type = fetch-record
>> sequence.bmrc-resolve-groups.030.fetch-record.search =
>> rfc2307-resolve-principal-uid
>> sequence.bmrc-resolve-groups.030.fetch-record.map.gidNumber.name
>> <
http://sequence.bmrc-resolve-groups.030.fetch-record.map.gidnumber.name/>
>> = _rfc2307_gid
>> sequence.bmrc-resolve-groups.040.description = query groups
>> sequence.bmrc-resolve-groups.040.type = search-open
>> sequence.bmrc-resolve-groups.040.search-open.search =
>> rfc2307-resolve-groups-memberUid
>> sequence.bmrc-resolve-groups.040.search-open.variable =
>> queryRFC2307ByMemberUid
>>
>> sequence.rfc2307-resolve-groups.020.call.name = bmrc-resolve-groups
>>
>>
>> Regards,
>> Callum
>>
>> --
>>
>> Callum Smith
>> Research Computing Core
>> Wellcome Trust Centre for Human Genetics
>> University of Oxford
>> e. callum(a)well.ox.ac.uk
>>
>> On 4 Jun 2018, at 15:07, Callum Smith <callum(a)well.ox.ac.uk> wrote:
>>
>> Dear Ondra,
>>
>> I went for openldap-rfc2307 as that best describes our ldap setup. The
>> issue seems to be that the gidNumber is set, but users are not a member of
>> their primary group within the LDAP. So, user's gidNumber represents
>> primary group and posixGroup membership (memberUid) represents their
>> secondary groups. What's the best way to approach this (fix the filters on
>> oVirt end or change the LDAP? This is a question of what is most compliant
>> with standards really).
>>
>> Regards,
>> Callum
>>
>> --
>>
>> Callum Smith
>> Research Computing Core
>> Wellcome Trust Centre for Human Genetics
>> University of Oxford
>> e. callum(a)well.ox.ac.uk
>>
>> On 29 May 2018, at 11:29, Ondra Machacek <omachace(a)redhat.com> wrote:
>>
>> What's you LDAP and what profile did you choose? This looks like you
>> have chosen incorect profile during setup. Are you sure you arent using
>> posix group and using non-posix aaa profile? Sharing a debug log of
>> ovirt-engine-extensions-tool would be helpfull.
>>
>>
>> On Fri, May 25, 2018, 10:04 AM Callum Smith <callum(a)well.ox.ac.uk>
>> wrote:
>>
>>> Dear All,
>>>
>>> I'm having problems getting LDAP running, login works, but I'm
getting
>>> "user is not authorised to perform login" - this is even if i
specify the
>>> UserRole specifically to the LDAP group the user is in.
>>>
>>> 2018-05-25 08:56:16,212+01 INFO
[org.ovirt.engine.core.sso.utils.AuthenticationUtils]
>>> (default task-23) [] User callum@Biomedical Research Computing
>>> successfully logged in with scopes: ovirt-app-admin ovirt-app-api
>>> ovirt-app-portal ovirt-ext=auth:sequence-priority=~
>>> ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search
>>> ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate
>>> ovirt-ext=token:password-access
>>> 2018-05-25 08:56:16,391+01 INFO
[org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand]
>>> (default task-25) [63e60fe9] Running command: CreateUserSessionCommand
>>> internal: false.
>>> 2018-05-25 08:56:16,430+01 ERROR [org.ovirt.engine.core.dal.dbb
>>> roker.auditloghandling.AuditLogDirector] (default task-25) [63e60fe9]
>>> EVENT_ID: USER_VDC_LOGIN_FAILED(114), User callum@Biomedical Research
>>> Computing connecting from '192.168.65.254' failed to log
in<UNKNOWN>.
>>> 2018-05-25 08:56:16,430+01 ERROR
[org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet]
>>> (default task-25) [] The user callum@Biomedical Research Computing is
>>> not authorized to perform login
>>>
>>>
>>> on a side note: is it possible to assign permissions to all members of
>>> an LDAP tree where they dont have a common group membership?
>>>
>>> Regards,
>>> Callum
>>>
>>> --
>>>
>>> Callum Smith
>>> Research Computing Core
>>> Wellcome Trust Centre for Human Genetics
>>> University of Oxford
>>> e. callum(a)well.ox.ac.uk
>>>
>>> _______________________________________________
>>> Users mailing list -- users(a)ovirt.org
>>> To unsubscribe send an email to users-leave(a)ovirt.org
>>>
>>
>> _______________________________________________
>> Users mailing list -- users(a)ovirt.org
>> To unsubscribe send an email to users-leave(a)ovirt.org
>> Privacy Statement:
https://www.ovirt.org/site/privacy-policy/
>> oVirt Code of Conduct:
https://www.ovirt.org/communit
>> y/about/community-guidelines/
>> List Archives:
https://lists.ovirt.org/archiv
>> es/list/users(a)ovirt.org/message/NAEUHLW3YMYAP6L44RRS5MCLRU2OTXPZ/
>>
>>
>> _______________________________________________
>> Users mailing list -- users(a)ovirt.org
>> To unsubscribe send an email to users-leave(a)ovirt.org
>> Privacy Statement:
https://www.ovirt.org/site/privacy-policy/
>> oVirt Code of Conduct:
https://www.ovirt.org/communit
>> y/about/community-guidelines/
>> List Archives:
https://lists.ovirt.org/archiv
>> es/list/users(a)ovirt.org/message/2WR4PGLW4Z4PM2UOVN4YZUJHSBRYVMOJ/
>>
>>
>> _______________________________________________
>> Users mailing list -- users(a)ovirt.org
>> To unsubscribe send an email to users-leave(a)ovirt.org
>> Privacy Statement:
https://www.ovirt.org/site/privacy-policy/
>> oVirt Code of Conduct:
https://www.ovirt.org/communit
>> y/about/community-guidelines/
>> List Archives:
https://lists.ovirt.org/archiv
>> es/list/users(a)ovirt.org/message/O7DLMLFEBHLNCE2VCCCNNOXXGGERKAKZ/
>>
>>
>> _______________________________________________
>> Users mailing list -- users(a)ovirt.org
>> To unsubscribe send an email to users-leave(a)ovirt.org
>> Privacy Statement:
https://www.ovirt.org/site/privacy-policy/
>> oVirt Code of Conduct:
https://www.ovirt.org/communit
>> y/about/community-guidelines/
>> List Archives:
https://lists.ovirt.org/archiv
>> es/list/users(a)ovirt.org/message/BNZ5KRXOYYRFZCQIQQU6IJVDNNBDVZSF/
>>
>>
>>
>> _______________________________________________
>> Users mailing list -- users(a)ovirt.org
>> To unsubscribe send an email to users-leave(a)ovirt.org
>> Privacy Statement:
https://www.ovirt.org/site/privacy-policy/
>> oVirt Code of Conduct:
https://www.ovirt.org/communit
>> y/about/community-guidelines/
>> List Archives:
https://lists.ovirt.org/archiv
>> es/list/users(a)ovirt.org/message/EOWAPL6ZQE63S3732NQRH5YVJC26CQDR/
>>
>>
>
>