Re: [ovirt-users] LDAP Authentication

This is a multi-part message in MIME format. --------------000106070501090607000604 Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 8bit Hi, as Alon already said, you have trailing space in your configuration 'my.abc.net ' <-- space at the end Please remove this space and try again. Ondra On 09/23/2015 05:35 AM, Budur Nagaraju wrote: --------------000106070501090607000604 Content-Type: text/html; charset=windows-1252 Content-Transfer-Encoding: 8bit <html> <head> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> Hi,<br> <br> as Alon already said, you have trailing space in your configuration<br> <br> 'my.abc.net ' &lt;-- space at the end<br> <br> Please remove this space and try again.<br> <br> Ondra<br> <br> <div class="moz-cite-prefix">On 09/23/2015 05:35 AM, Budur Nagaraju wrote:<br> </div> <blockquote cite="mid:CAHNF9Q_fLL+d3aCLbP44eFW7iyeNfPwCrsdS6sBGkyW5_2Wz7g@mail.gmail.com" type="cite"> <div dir="ltr"> <div> <div> <div> <div>HI Alon,<br> <br> </div> Tried all the options but no luck ,<br> <br> </div> I have copied the logs in the pastebin  below is the link , warning message is that unable to resolve the DNS ,let me know any help would I get .<br> <br> <a moz-do-not-send="true" href="http://pastebin.com/7qN9QnHK">http://pastebin.com/7qN9... <br> </div> Thanks,<br> </div> Nagaraju<br> <br> </div> <div class="gmail_extra"><br> <div class="gmail_quote">On Tue, Sep 22, 2015 at 8:44 PM, Daniel Helgenberger <span dir="ltr">&lt;<a moz-do-not-send="true" href="mailto:daniel.helgenberger@m-box.de" target=&quot;_blank&quot;&gt;daniel.helgenberger(a)m-box.de&lt;/a&gt;&amp;gt;&lt;/span&gt; wrote:<br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello Budur,<br> <br> I've done this recently. Alon, no offense, but the docs are not quite strait forward...<br> <br> Requirements:<br>  - LDAP server (obviously) - called here <a moz-do-not-send="true" href="http://ldap.mydomain.com" rel="noreferrer" target="_blank">ldap.mydomain.com</a><br>  - LDAP bind account - called here <a moz-do-not-send="true" href="mailto:ldap@mydomain.com"><a class="moz-txt-link-abbreviated" href="mailto:ldap@mydomain.com">ldap@mydomain.com</a></a>, password 'Passw@rd'<br>  - At least one existing account in ladp, called <a moz-do-not-send="true" href="mailto:user@mydomain.com"><a class="moz-txt-link-abbreviated" href="mailto:user@mydomain.com">user@mydomain.com</a></a><br> <br> Please note, the most common issue will be DNS.<br> <br> I'll describe in short what steps need to be taken. All this needs to be done on your engine host. In the end this was quite easy :)<br> <br> 1. Install the packages: ovirt-engine-extension-aaa-ldap and openldap-clients (these are only for testing your setup)<br> 2. Test if ldap is working in general. (The extension uses the global catalog at least for AD, this was news to me):<br>   # ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H <a class="moz-txt-link-freetext" href="ldap://">ldap://</a><a moz-do-not-send="true" href="http://ldap.mydomain.com:3268/" rel="noreferrer" target="_blank">ldap.mydomain.com:3268/</a> -x \<br>       -D '<a moz-do-not-send="true" href="mailto:ldap@mydomain.com">ldap@mydomain.com</a>' -w Passw@rd -b ''  '(userPrincipalName=<a moz-do-not-send="true" href="mailto:user@mydomian.com"><a class="moz-txt-link-abbreviated" href="mailto:user@mydomian.com">user@mydomian.com</a></a>)' cn userPrincipalName<br> <br>   If this command does not return details of the user, do debug your ldap and continue once this works. Example:<br> <br> # extended LDIF<br> #<br> # LDAPv3<br> # base &lt;&gt; with scope subtree<br> # filter: (userPrincipalName=<a moz-do-not-send="true" href="mailto:user@mydomain.com">user@mydomain.com</a>)<br> # requesting: cn userPrincipalName<br> # with pagedResults control: size=1024<br> #<br> <br> # Some Name, some-ou, <a moz-do-not-send="true" href="http://mydomain.com" rel="noreferrer" target="_blank">mydomain.com</a><br> dn: CN=Some Name,OU=some-ou,DC=mydomain,DC=com<br> cn: Some Name<br> userPrincipalName: <a moz-do-not-send="true" href="mailto:user@mydomain.com">user@mydomain.com</a><br> <br> # search result<br> search: 2<br> result: 0 Success<br> control: 1.2.840.113556.1.4.319 false MIQXGSGSGSgEABAA=<br> pagedresults: cookie=<br> <br> # numResponses: 2<br> # numEntries: 1<br> <br> <br> 3. Copy the examples as mentioned from the readme.<br> 4. You only need to modify /etc/ovirt-engine/aaa/int.m-box.de.properties; leave the rest as is.<br> 5. There, set:<br> <br>   vars.domain = <a moz-do-not-send="true" href="http://ldap.mydomain.com" rel="noreferrer" target="_blank">ldap.mydomain.com</a><br>   vars.user = ldap@${global:vars.domain}<br>   vars.password = Passw@rd<br> <br> 6. Restart ovirt engine service<br> 7. Log in as admin@einternal and add user rights and roles from the new provider<br> <br> Hope this helps.<br> <span class=""><br> On <a moz-do-not-send="true" href="tel:22.09.2015%2016" value="+12209201516">22.09.2015 16</a>:46, Budur Nagaraju wrote:<br> &gt;<br> &gt; below are the three files which I have modified.<br> &gt;<br> &gt;<br> &gt; [root@cstlb2 extensions.d]# cat profile1-authn.properties<br> </span>&gt; <a moz-do-not-send="true" href="http://ovirt.engine.extension.name" rel="noreferrer" target="_blank">ovirt.engine.extension.name</a> &lt;<a moz-do-not-send="true" href="http://ovirt.engine.extension.name" rel="noreferrer" target="_blank"><a class="moz-txt-link-freetext" href="http://ovirt.engine.extension.name">http://ovirt.engine.extension.name</a></a>&gt; = cloudspin-authn<br> <span class="">&gt; ovirt.engine.extension.bindings.method = jbossmodule<br> &gt; ovirt.engine.extension.binding.jbossmodule.module =<br> &gt; org.ovirt.engine-extensions.aaa.ldap<br> &gt; ovirt.engine.extension.binding.jbossmodule.class =<br> &gt; org.ovirt.engineextensions.aaa.ldap.AuthnExtension<br> &gt; ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn<br> </span>&gt; <a moz-do-not-send="true" href="http://ovirt.engine.aaa.authn.profile.name" rel="noreferrer" target="_blank">ovirt.engine.aaa.authn.profile.name</a> &lt;<a moz-do-not-send="true" href="http://ovirt.engine.aaa.authn.profile.name" rel="noreferrer" target="_blank">http://ovirt.engine.aaa.authn.profile.name</a>&gt;<br> <span class="">&gt; = cloudspin<br> &gt; ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth<br> &gt; config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties<br> &gt;<br> &gt;<br> &gt; [root@cstlb2 extensions.d]# ls<br> &gt; profile1-authn.properties  profile1-authz.properties<br> &gt; [root@cstlb2 extensions.d]# cat profile1-authz.properties<br> </span>&gt; <a moz-do-not-send="true" href="http://ovirt.engine.extension.name" rel="noreferrer" target="_blank">ovirt.engine.extension.name</a> &lt;<a moz-do-not-send="true" href="http://ovirt.engine.extension.name" rel="noreferrer" target="_blank"><a class="moz-txt-link-freetext" href="http://ovirt.engine.extension.name">http://ovirt.engine.extension.name</a></a>&gt; = cloudspin-authz<br> <div> <div class="h5">&gt; ovirt.engine.extension.bindings.method = jbossmodule<br> &gt; ovirt.engine.extension.binding.jbossmodule.module =<br> &gt; org.ovirt.engine-extensions.aaa.ldap<br> &gt; ovirt.engine.extension.binding.jbossmodule.class =<br> &gt; org.ovirt.engineextensions.aaa.ldap.AuthzExtension<br> &gt; ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz<br> &gt; config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties<br> &gt; [root@cstlb2 extensions.d]#<br> &gt;<br> &gt;<br> &gt;<br> &gt; [root@cstlb2 aaa]# pwd<br> &gt; /etc/ovirt-engine/aaa<br> &gt; [root@cstlb2 aaa]# ls<br> &gt; ldap1.properties<br> &gt; [root@cstlb2 aaa]# cat ldap1.properties<br> &gt; #<br> &gt; # Select one<br> &gt; #<br> &gt; include = &lt;openldap.properties&gt;<br> &gt; #include = &lt;389ds.properties&gt;<br> &gt; #include = &lt;rhds.properties&gt;<br> &gt; #include = &lt;ipa.properties&gt;<br> &gt; #include = &lt;iplanet.properties&gt;<br> &gt; #include = &lt;rfc2307.properties&gt;<br> &gt; #include = &lt;rfc2307-openldap.properties&gt;<br> &gt;<br> &gt; #<br> &gt; # Server<br> &gt; #<br> </div> </div> &gt; vars.server = <a moz-do-not-send="true" href="http://my.abc.net" rel="noreferrer" target="_blank">my.abc.net</a> &lt;<a moz-do-not-send="true" href="http://my.abc.net" rel="noreferrer" target="_blank">http://my.abc.net</a>&gt;<br> <span class="">&gt;<br> &gt; #<br> &gt; # Search user and its password.<br> &gt; #<br> &gt; vars.user =<br> &gt; uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=nbudoor,dc=net<br> &gt; vars.password = company<br> &gt;<br> &gt; pool.default.serverset.single.server = ${global:vars.server}<br> &gt; pool.default.auth.simple.bindDN = ${global:vars.user}<br> &gt; pool.default.auth.simple.password = ${global:vars.password}<br> &gt;<br> &gt; # Create keystore, import certificate chain and uncomment<br> &gt; # if using ssl/tls.<br> &gt; #pool.default.ssl.startTLS = true<br> &gt; #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks<br> &gt; #pool.default.ssl.truststore.password = changeit<br> &gt; [root@cstlb2 aaa]#<br> &gt;<br> &gt;<br> &gt;<br> &gt;<br> &gt;<br> &gt;<br> &gt; On Tue, Sep 22, 2015 at 8:07 PM, Alon Bar-Lev &lt;<a moz-do-not-send="true" href="mailto:alonbl@redhat.com"><a class="moz-txt-link-abbreviated" href="mailto:alonbl@redhat.com">alonbl@redhat.com</a></a><br> </span><span class="">&gt; &lt;mailto:<a moz-do-not-send="true" href="mailto:alonbl@redhat.com"><a class="moz-txt-link-abbreviated" href="mailto:alonbl@redhat.com">alonbl@redhat.com</a></a>&gt;&gt; wrote:<br> &gt;<br> &gt;<br> &gt;<br> &gt;     ----- Original Message -----<br> </span><span class="">&gt;     &gt; From: "Budur Nagaraju" &lt;<a moz-do-not-send="true" href="mailto:nbudoor@gmail.com">nbudoor@gmail.com</a> &lt;mailto:<a moz-do-not-send="true" href="mailto:nbudoor@gmail.com">nbudoor@gmail.com</a>&gt;&gt;<br> &gt;     &gt; To: "Alon Bar-Lev" &lt;<a moz-do-not-send="true" href="mailto:alonbl@redhat.com"><a class="moz-txt-link-abbreviated" href="mailto:alonbl@redhat.com">alonbl@redhat.com</a></a> &lt;mailto:<a moz-do-not-send="true" href="mailto:alonbl@redhat.com">alonbl@redhat.com</a>&gt;&gt;<br> &gt;     &gt; <a moz-do-not-send="true" href="mailto:Cc%3Ausers@ovirt.org">Cc:users@ovirt.org</a> &lt;mailto:<a moz-do-not-send="true" href="mailto:users@ovirt.org">users@ovirt.org</a>&gt;<br> &gt;     &gt; Sent: Tuesday, September 22, 2015 5:35:16 PM<br> &gt;     &gt; Subject: Re: [ovirt-users] LDAP Authentication<br> &gt;     &gt;<br> &gt;     &gt; its too complicated ,you have any script or video ?<br> &gt;<br> &gt;     in 3.6 we have a setup script.<br> &gt;     for now:<br> &gt;<br> &gt;     cp -r /usr/share/ovirt-engine/examples/simple/. /etc/ovirt-engine/<br> &gt;<br> &gt;     this is written in the README.<br> &gt;<br> &gt;     then customize files at /etc/ovirt-engine/extnesions.d/*<br> &gt;     /etc/ovirt-engine/aaa/* to match your setup<br> &gt;<br> &gt;     &gt;<br> &gt;     &gt;<br> </span><span class="">&gt;     &gt; On Tue, Sep 22, 2015 at 8:00 PM, Alon Bar-Lev &lt;<a moz-do-not-send="true" href="mailto:alonbl@redhat.com">alonbl@redhat.com</a> &lt;mailto:<a moz-do-not-send="true" href="mailto:alonbl@redhat.com">alonbl@redhat.com</a>&gt;&gt; wrote:<br> &gt;     &gt;<br> &gt;     &gt; &gt;<br> &gt;     &gt; &gt;<br> &gt;     &gt; &gt; ----- Original Message -----<br> </span> <div> <div class="h5">&gt;     &gt; &gt; &gt; From: "Budur Nagaraju" &lt;<a moz-do-not-send="true" href="mailto:nbudoor@gmail.com">nbudoor@gmail.com</a> &lt;mailto:<a moz-do-not-send="true" href="mailto:nbudoor@gmail.com">nbudoor@gmail.com</a>&gt;&gt;<br> &gt;     &gt; &gt; &gt; To: "Alon Bar-Lev" &lt;<a moz-do-not-send="true" href="mailto:alonbl@redhat.com"><a class="moz-txt-link-abbreviated" href="mailto:alonbl@redhat.com">alonbl@redhat.com</a></a> &lt;mailto:<a moz-do-not-send="true" href="mailto:alonbl@redhat.com">alonbl@redhat.com</a>&gt;&gt;<br> &gt;     &gt; &gt; &gt; <a moz-do-not-send="true" href="mailto:Cc%3Ausers@ovirt.org">Cc:users@ovirt.org</a> &lt;mailto:<a moz-do-not-send="true" href="mailto:users@ovirt.org">users@ovirt.org</a>&gt;<br> &gt;     &gt; &gt; &gt; Sent: Tuesday, September 22, 2015 5:24:36 PM<br> &gt;     &gt; &gt; &gt; Subject: Re: [ovirt-users] LDAP Authentication<br> &gt;     &gt; &gt; &gt;<br> &gt;     &gt; &gt; &gt; HI Alon,<br> &gt;     &gt; &gt; &gt;<br> &gt;     &gt; &gt; &gt; Below is the configuration which I have done ,but unable to search the<br> &gt;     &gt; &gt; &gt; users in UI<br> &gt;     &gt; &gt; &gt; can you pls help me ?<br> &gt;     &gt; &gt;<br> &gt;     &gt; &gt; you need three files, see the<br> &gt;     &gt; &gt; /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple<br> &gt;     &gt; &gt;<br> &gt;     &gt; &gt; &gt;<br> &gt;     &gt; &gt; &gt;<br> &gt;     &gt; &gt; &gt; [root@cstlb2 aaa]# cat ldap1.properties<br> &gt;     &gt; &gt; &gt; #<br> &gt;     &gt; &gt; &gt; # Select one<br> &gt;     &gt; &gt; &gt; #<br> &gt;     &gt; &gt; &gt; include = &lt;openldap.properties&gt;<br> &gt;     &gt; &gt; &gt; #include = &lt;389ds.properties&gt;<br> &gt;     &gt; &gt; &gt; #include = &lt;rhds.properties&gt;<br> &gt;     &gt; &gt; &gt; #include = &lt;ipa.properties&gt;<br> &gt;     &gt; &gt; &gt; #include = &lt;iplanet.properties&gt;<br> &gt;     &gt; &gt; &gt; #include = &lt;rfc2307.properties&gt;<br> &gt;     &gt; &gt; &gt; #include = &lt;rfc2307-openldap.properties&gt;<br> &gt;     &gt; &gt; &gt;<br> &gt;     &gt; &gt; &gt; #<br> &gt;     &gt; &gt; &gt; # Server<br> &gt;     &gt; &gt; &gt; #<br> </div> </div> &gt;     &gt; &gt; &gt; vars.server =<a moz-do-not-send="true" href="http://my.abc.net" rel="noreferrer" target="_blank">my.abc.net</a> &lt;<a moz-do-not-send="true" href="http://my.abc.net" rel="noreferrer" target="_blank"><a class="moz-txt-link-freetext" href="http://my.abc.net">http://my.abc.net</a></a>&gt;<br> <span class="">&gt;     &gt; &gt; &gt;<br> &gt;     &gt; &gt; &gt; #<br> &gt;     &gt; &gt; &gt; # Search user and its password.<br> &gt;     &gt; &gt; &gt; #<br> &gt;     &gt; &gt; &gt; vars.user =<br> &gt;     &gt; &gt; &gt;<br> &gt;     &gt; &gt; uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=abc,dc=net<br> &gt;     &gt; &gt; &gt; vars.password = company1<br> &gt;     &gt; &gt; &gt;<br> &gt;     &gt; &gt; &gt; pool.default.serverset.single.server = ${global:vars.server}<br> &gt;     &gt; &gt; &gt; pool.default.auth.simple.bindDN = ${global:vars.user}<br> &gt;     &gt; &gt; &gt; pool.default.auth.simple.password = ${global:vars.password}<br> &gt;     &gt; &gt; &gt;<br> &gt;     &gt; &gt; &gt; # Create keystore, import certificate chain and uncomment<br> &gt;     &gt; &gt; &gt; # if using ssl/tls.<br> &gt;     &gt; &gt; &gt; #pool.default.ssl.startTLS = true<br> &gt;     &gt; &gt; &gt; #pool.default.ssl.truststore.file =<br> &gt;     &gt; &gt; &gt; ${local:_basedir}/${global:vars.server}.jks<br> &gt;     &gt; &gt; &gt; #pool.default.ssl.truststore.password = changeit<br> &gt;     &gt; &gt; &gt; [root@cstlb2 aaa]#<br> &gt;     &gt; &gt; &gt;<br> &gt;     &gt; &gt; &gt;<br> &gt;     &gt; &gt; &gt;<br> </span><span class="">&gt;     &gt; &gt; &gt; On Tue, Sep 22, 2015 at 7:25 PM, Alon Bar-Lev &lt;<a moz-do-not-send="true" href="mailto:alonbl@redhat.com"><a class="moz-txt-link-abbreviated" href="mailto:alonbl@redhat.com">alonbl@redhat.com</a></a> &lt;mailto:<a moz-do-not-send="true" href="mailto:alonbl@redhat.com">alonbl@redhat.com</a>&gt;&gt; wrote:<br> &gt;     &gt; &gt; &gt;<br> &gt;     &gt; &gt; &gt; &gt;<br> &gt;     &gt; &gt; &gt; &gt;<br> &gt;     &gt; &gt; &gt; &gt; ----- Original Message -----<br> </span><span class="">&gt;     &gt; &gt; &gt; &gt; &gt; From: "Budur Nagaraju" &lt;<a moz-do-not-send="true" href="mailto:nbudoor@gmail.com">nbudoor@gmail.com</a> &lt;mailto:<a moz-do-not-send="true" href="mailto:nbudoor@gmail.com">nbudoor@gmail.com</a>&gt;&gt;<br> &gt;     &gt; &gt; &gt; &gt; &gt; <a moz-do-not-send="true" href="mailto:To%3Ausers@ovirt.org"><a class="moz-txt-link-abbreviated" href="mailto:To:users@ovirt.org">To:users@ovirt.org</a></a> &lt;mailto:<a moz-do-not-send="true" href="mailto:users@ovirt.org">users@ovirt.org</a>&gt;<br> &gt;     &gt; &gt; &gt; &gt; &gt; Sent: Tuesday, September 22, 2015 4:34:46 PM<br> &gt;     &gt; &gt; &gt; &gt; &gt; Subject: [ovirt-users] LDAP Authentication<br> &gt;     &gt; &gt; &gt; &gt; &gt;<br> &gt;     &gt; &gt; &gt; &gt; &gt; HI All,<br> &gt;     &gt; &gt; &gt; &gt; &gt;<br> &gt;     &gt; &gt; &gt; &gt; &gt; Can someone help me in configuring LDAP authentication for Ovirt ?<br> &gt;     &gt; &gt; &gt; &gt;<br> &gt;     &gt; &gt; &gt; &gt; Please review:<br> &gt;     &gt; &gt; &gt; &gt;<a moz-do-not-send="true" href="http://www.ovirt.org/Features/AAA" rel="noreferrer" target="_blank">http://www.ovirt.org/Features/AAA</a>&... &gt;     &gt; &gt; &gt; &gt;<br> &gt;     &gt; &gt; &gt; &gt;<br> &gt;     &gt; &gt;<a moz-do-not-send="true" href="https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-l... rel="noreferrer" target="_blank">https://gerrit.ovirt.org/gitweb?p=ovirt-engi... &gt;     &gt; &gt; &gt; &gt;<br> &gt;     &gt; &gt; &gt;<br> &gt;     &gt; &gt;<br> &gt;     &gt;<br> &gt;<br> &gt;<br> <br> </span>--<br> Daniel Helgenberger<br> m box bewegtbild GmbH<br> <br> P: +49/30/2408781-22<br> F: +49/30/2408781-10<br> <br> ACKERSTR. 19<br> D-10115 BERLIN<br> <br> <br> <a moz-do-not-send="true" href="http://www.m-box.de" rel="noreferrer" target="_blank">www.m-box.de</a>  <a moz-do-not-send="true" href="http://www.monkeymen.tv" rel="noreferrer" target="_blank"><a class="moz-txt-link-abbreviated" href="http://www.monkeymen.tv">www.monkeymen.tv</a></a><br> <br> Geschäftsführer: Martin Retschitzegger / Michaela Göllner<br> Handeslregister: Amtsgericht Charlottenburg / HRB 112767<br> </blockquote> </div> <br> </div> <br> <fieldset class="mimeAttachmentHeader"></fieldset> <br> <pre wrap="">_______________________________________________ Users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Users@ovirt.org">Users@ovirt.org</a> <a class="moz-txt-link-freetext" href="http://lists.ovirt.org/mailman/listinfo/users">http://... </pre> </blockquote> <br> </body> </html> --------------000106070501090607000604--