Should work well, strange.
The 'warn' message you sent was an unsuccessful login to webadmin, as I can
see 'LoginAdminUserCommand'; in UserPortal it's 'LoginUserCommand'.
Please try to assign UserRole on some VM to another user in the domain and check
whether it works properly; if not, please open a bz.
On 09/23/2015 09:29 AM, Budur Nagaraju wrote:
Yeah, facing issues while logging in to the user portal.
On Wed, Sep 23, 2015 at 12:54 PM, Ondra Machacek <omachace@redhat.com> wrote:
With UserRole you can only login to UserPortal, not webadmin. Do
you have this issue when you try to login to UserPortal?
On 09/23/2015 09:22 AM, Budur Nagaraju wrote:
> Provided the "user role" permissions, still the same issue.
>
> On Wed, Sep 23, 2015 at 12:48 PM, Ondra Machacek <omachace@redhat.com> wrote:
>
> Hi,
>
> your user nbudoor@abc.net doesn't have appropriate permissions to login.
> First you need to login as 'admin@internal' and assign him
> some permissions, then you will be able to login.
>
> Ondra
>
>
> On 09/23/2015 09:15 AM, Budur Nagaraju wrote:
>> HI All,
>>
>> After rectifying this, I am able to search the domain in the users UI,
>> but I am unable to login and get the below error:
>>
>>
>> 2015-09-23 12:41:47,482 WARN
>> [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
>> (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser
>> failed for user nbudoor@abc.net.
>> Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
>>
>> Thanks,
>> Nagaraju
>>
>>
>>
>>
>>
>> On Wed, Sep 23, 2015 at 12:13 PM, Ondra Machacek <omachace@redhat.com> wrote:
>>
>> Hi,
>>
>> as Alon already said, you have a trailing space in your
>> configuration
>>
>> 'my.abc.net ' <-- space at the end
>>
>> Please remove this space and try again.
>>
>> Ondra
>>
>>
>> On 09/23/2015 05:35 AM, Budur Nagaraju wrote:
>>> HI Alon,
>>>
>>> Tried all the options but no luck.
>>>
>>> I have copied the logs to the pastebin; below is the
>>> link. The warning message is that it is unable to resolve the
>>> DNS. Let me know what help I could get.
>>>
>>>
>>> http://pastebin.com/7qN9QnHK
>>>
>>> Thanks,
>>> Nagaraju
>>>
>>>
>>> On Tue, Sep 22, 2015 at 8:44 PM, Daniel Helgenberger <daniel.helgenberger@m-box.de> wrote:
>>>
>>> Hello Budur,
>>>
>>> I've done this recently. Alon, no offense, but the
>>> docs are not quite straightforward...
>>>
>>> Requirements:
>>> - LDAP server (obviously) - called here ldap.mydomain.com
>>> - LDAP bind account - called here ldap@mydomain.com,
>>> password 'Passw@rd'
>>> - At least one existing account in LDAP, called
>>> user@mydomain.com
>>>
>>> Please note, the most common issue will be DNS.
>>>
>>> I'll describe in short what steps need to be taken.
>>> All this needs to be done on your engine host. In
>>> the end this was quite easy :)
>>>
>>> 1. Install the packages:
>>> ovirt-engine-extension-aaa-ldap and
>>> openldap-clients (these are only for testing your
>>> setup)
>>> 2. Test if ldap is working in general. (The
>>> extension uses the global catalog at least for AD,
>>> this was news to me):
>>> # ldapsearch -E pr=1024/noprompt -o ldif-wrap=no \
>>>     -H ldap://ldap.mydomain.com:3268/ -x \
>>>     -D 'ldap@mydomain.com' -w Passw@rd -b '' \
>>>     '(userPrincipalName=user@mydomain.com)' cn userPrincipalName
>>>
>>> If this command does not return details of the
>>> user, do debug your ldap and continue once this
>>> works. Example:
>>>
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <> with scope subtree
>>> # filter: (userPrincipalName=user@mydomain.com)
>>> # requesting: cn userPrincipalName
>>> # with pagedResults control: size=1024
>>> #
>>>
>>> # Some Name, some-ou, mydomain.com
>>> dn: CN=Some Name,OU=some-ou,DC=mydomain,DC=com
>>> cn: Some Name
>>> userPrincipalName: user@mydomain.com
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>> control: 1.2.840.113556.1.4.319 false MIQXGSGSGSgEABAA=
>>> pagedresults: cookie=
>>>
>>> # numResponses: 2
>>> # numEntries: 1
>>>
>>>
>>> 3. Copy the examples as mentioned from the readme.
>>> 4. You only need to modify
>>> /etc/ovirt-engine/aaa/int.m-box.de.properties;
>>> leave the rest as is.
>>> 5. There, set:
>>>
>>> vars.domain = ldap.mydomain.com
>>> vars.user = ldap@${global:vars.domain}
>>> vars.password = Passw@rd
>>>
>>> 6. Restart ovirt engine service
>>> 7. Log in as admin@internal and add user rights
>>> and roles from the new provider
>>>
>>> Hope this helps.
>>>
>>> On 22.09.2015 16:46, Budur Nagaraju wrote:
>>> >
>>> > below are the three files which I have modified.
>>> >
>>> >
>>> > [root@cstlb2 extensions.d]# cat profile1-authn.properties
>>> > ovirt.engine.extension.name = cloudspin-authn
>>> > ovirt.engine.extension.bindings.method = jbossmodule
>>> > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>>> > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
>>> > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
>>> > ovirt.engine.aaa.authn.profile.name = cloudspin
>>> > ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth
>>> > config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
>>> >
>>> >
>>> > [root@cstlb2 extensions.d]# ls
>>> > profile1-authn.properties profile1-authz.properties
>>> > [root@cstlb2 extensions.d]# cat profile1-authz.properties
>>> > ovirt.engine.extension.name = cloudspin-authz
>>> > ovirt.engine.extension.bindings.method = jbossmodule
>>> > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>>> > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
>>> > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
>>> > config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
>>> > [root@cstlb2 extensions.d]#
>>> >
>>> >
>>> >
>>> > [root@cstlb2 aaa]# pwd
>>> > /etc/ovirt-engine/aaa
>>> > [root@cstlb2 aaa]# ls
>>> > ldap1.properties
>>> > [root@cstlb2 aaa]# cat ldap1.properties
>>> > #
>>> > # Select one
>>> > #
>>> > include = <openldap.properties>
>>> > #include = <389ds.properties>
>>> > #include = <rhds.properties>
>>> > #include = <ipa.properties>
>>> > #include = <iplanet.properties>
>>> > #include = <rfc2307.properties>
>>> > #include = <rfc2307-openldap.properties>
>>> >
>>> > #
>>> > # Server
>>> > #
>>> > vars.server = my.abc.net 
>>> >
>>> > #
>>> > # Search user and its password.
>>> > #
>>> > vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=nbudoor,dc=net
>>> > vars.password = company
>>> >
>>> > pool.default.serverset.single.server = ${global:vars.server}
>>> > pool.default.auth.simple.bindDN = ${global:vars.user}
>>> > pool.default.auth.simple.password = ${global:vars.password}
>>> >
>>> > # Create keystore, import certificate chain and uncomment
>>> > # if using ssl/tls.
>>> > #pool.default.ssl.startTLS = true
>>> > #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
>>> > #pool.default.ssl.truststore.password = changeit
>>> > [root@cstlb2 aaa]#
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > On Tue, Sep 22, 2015 at 8:07 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
>>> >
>>> >
>>> >
>>> > ----- Original Message -----
>>> > > From: "Budur Nagaraju" <nbudoor@gmail.com>
>>> > > To: "Alon Bar-Lev" <alonbl@redhat.com>
>>> > > Cc: users@ovirt.org
>>> > > Sent: Tuesday, September 22, 2015 5:35:16 PM
>>> > > Subject: Re: [ovirt-users] LDAP Authentication
>>> > >
>>> > > It's too complicated; do you have any script or video?
>>> >
>>> > in 3.6 we have a setup script.
>>> > for now:
>>> >
>>> > cp -r /usr/share/ovirt-engine/examples/simple/. /etc/ovirt-engine/
>>> >
>>> > this is written in the README.
>>> >
>>> > then customize files at /etc/ovirt-engine/extensions.d/*
>>> > /etc/ovirt-engine/aaa/* to match your setup
>>> >
>>> > >
>>> > >
>>> > > On Tue, Sep 22, 2015 at 8:00 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
>>> > >
>>> > > >
>>> > > >
>>> > > > ----- Original Message -----
>>> > > > > From: "Budur Nagaraju" <nbudoor@gmail.com>
>>> > > > > To: "Alon Bar-Lev" <alonbl@redhat.com>
>>> > > > > Cc: users@ovirt.org
>>> > > > > Sent: Tuesday, September 22, 2015 5:24:36 PM
>>> > > > > Subject: Re: [ovirt-users] LDAP Authentication
>>> > > > >
>>> > > > > HI Alon,
>>> > > > >
>>> > > > > Below is the configuration which I have done, but I am unable to search the
>>> > > > > users in the UI.
>>> > > > > Can you pls help me?
>>> > > >
>>> > > > you need three files, see the
>>> > > > /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple
>>> > > >
>>> > > > >
>>> > > > >
>>> > > > > [root@cstlb2 aaa]# cat ldap1.properties
>>> > > > > #
>>> > > > > # Select one
>>> > > > > #
>>> > > > > include = <openldap.properties>
>>> > > > > #include = <389ds.properties>
>>> > > > > #include = <rhds.properties>
>>> > > > > #include = <ipa.properties>
>>> > > > > #include = <iplanet.properties>
>>> > > > > #include = <rfc2307.properties>
>>> > > > > #include = <rfc2307-openldap.properties>
>>> > > > >
>>> > > > > #
>>> > > > > # Server
>>> > > > > #
>>> > > > > vars.server =my.abc.net 
>>> > > > >
>>> > > > > #
>>> > > > > # Search user and its password.
>>> > > > > #
>>> > > > > vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=abc,dc=net
>>> > > > > vars.password = company1
>>> > > > >
>>> > > > > pool.default.serverset.single.server = ${global:vars.server}
>>> > > > > pool.default.auth.simple.bindDN = ${global:vars.user}
>>> > > > > pool.default.auth.simple.password = ${global:vars.password}
>>> > > > >
>>> > > > > # Create keystore, import certificate chain and uncomment
>>> > > > > # if using ssl/tls.
>>> > > > > #pool.default.ssl.startTLS = true
>>> > > > > #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
>>> > > > > #pool.default.ssl.truststore.password = changeit
>>> > > > > [root@cstlb2 aaa]#
>>> > > > >
>>> > > > >
>>> > > > >
>>> > > > > On Tue, Sep 22, 2015 at 7:25 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
>>> > > > >
>>> > > > > >
>>> > > > > >
>>> > > > > > ----- Original Message -----
>>> > > > > > > From: "Budur Nagaraju" <nbudoor@gmail.com>
>>> > > > > > > To: users@ovirt.org
>>> > > > > > > Sent: Tuesday, September 22, 2015 4:34:46 PM
>>> > > > > > > Subject: [ovirt-users] LDAP Authentication
>>> > > > > > >
>>> > > > > > > HI All,
>>> > > > > > >
>>> > > > > > > Can someone help me in configuring LDAP authentication for Ovirt ?
>>> > > > > >
>>> > > > > > Please review:
>>> > > > > > http://www.ovirt.org/Features/AAA
>>> > > > > >
>>> > > > > >
>>> > > > > > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0
>>> > > > > >
>>> > > > >
>>> > > >
>>> > >
>>> >
>>> >
>>>
>>> --
>>> Daniel Helgenberger
>>> m box bewegtbild GmbH
>>>
>>> P: +49/30/2408781-22
>>> F: +49/30/2408781-10
>>>
>>> ACKERSTR. 19
>>> D-10115 BERLIN
>>>
>>>
>>> www.m-box.de www.monkeymen.tv
>>>
>>> Managing directors: Martin Retschitzegger / Michaela
>>> Göllner
>>> Commercial register: Amtsgericht Charlottenburg / HRB
>>> 112767
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users@ovirt.org
>>> http://lists.ovirt.org/mailman/listinfo/users
>>
>>
>
>
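The trailing space Ondra points out is easy to miss by eye, and the same posted profile also leaves `pool.default.ssl.startTLS` commented out while a simple-bind password is set. The lint below is an added example, not code from the thread or from the oVirt project: it assumes the profile follows java.util.Properties rules (whitespace before the value is dropped, trailing whitespace in the value is kept), expands the `${global:...}` references the way the `pool.*` keys use them, and reports both problems. The sample profile is constructed, modelled on the posted `ldap1.properties` with a placeholder password.

```python
"""Lint an oVirt aaa-ldap profile for the two pitfalls visible in this thread:
a trailing space in vars.server (which then breaks DNS resolution of the
server) and a simple bind whose password travels in the clear because
pool.default.ssl.startTLS is still commented out.

Assumption: the profile follows java.util.Properties rules, i.e. whitespace
around the key and before the value is dropped but trailing whitespace in the
value is kept (which is exactly why the stray space survives).
Backslash escapes and line continuations are not handled.
"""
import re
from typing import Dict, List

# Constructed sample modelled on the ldap1.properties posted in the thread.
# Note the trailing space after my.abc.net and the commented-out startTLS.
SAMPLE_PROFILE = (
    "include = <openldap.properties>\n"
    "#\n"
    "# Server\n"
    "#\n"
    "vars.server = my.abc.net \n"
    "vars.user = uid=search,cn=users,dc=abc,dc=net\n"
    "vars.password = changeme\n"  # constructed placeholder, not a real secret
    "\n"
    "pool.default.serverset.single.server = ${global:vars.server}\n"
    "pool.default.auth.simple.bindDN = ${global:vars.user}\n"
    "pool.default.auth.simple.password = ${global:vars.password}\n"
    "#pool.default.ssl.startTLS = true\n"
)

# key, optional '=' or ':' separator, then everything after it (trailing blanks included)
_KV = re.compile(r"^\s*([^\s=:]+)\s*[=:]?\s*(.*)$")
_REF = re.compile(r"\$\{global:([^}]+)\}")
_HOST = re.compile(r"[A-Za-z0-9.-]+(:\d+)?")


def parse_properties(text: str) -> Dict[str, str]:
    """Parse key/value lines; comments start with '#' or '!'."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "!")):
            continue
        match = _KV.match(line)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def resolve(props: Dict[str, str], key: str) -> str:
    """Expand ${global:NAME} references as the pool.* keys use them."""
    value = props.get(key, "")
    for _ in range(10):  # bounded, so a self-referencing value cannot loop forever
        expanded = _REF.sub(lambda m: props.get(m.group(1), m.group(0)), value)
        if expanded == value:
            return value
        value = expanded
    return value


def lint_profile(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the profile is clean."""
    props = parse_properties(text)
    findings: List[str] = []
    for key, value in props.items():
        if value != value.rstrip():
            findings.append(f"{key}: value has trailing whitespace {value!r}")
    server = resolve(props, "pool.default.serverset.single.server")
    if server and not _HOST.fullmatch(server):
        findings.append(
            f"pool.default.serverset.single.server resolves to {server!r}, "
            "which is not a plain host[:port]"
        )
    tls_on = props.get("pool.default.ssl.startTLS", "").strip().lower() == "true"
    if resolve(props, "pool.default.auth.simple.password") and not tls_on:
        findings.append(
            "pool.default.auth.simple.password is set but pool.default.ssl.startTLS "
            "is not 'true': the bind password would be sent in the clear"
        )
    return findings


if __name__ == "__main__":
    for finding in lint_profile(SAMPLE_PROFILE):
        print("FINDING:", finding)
```

Run it against the real file with `lint_profile(open("/etc/ovirt-engine/aaa/ldap1.properties").read())`; an empty result means neither the stray-space nor the plaintext-bind problem is present.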