We will also need the log of the generic ldap extension, can you please provide it?
Thanks!
----- Original Message -----
From: "Juan Jose" <jj197005(a)gmail.com>
To: "Alon Bar-Lev" <alonbl(a)redhat.com>
Cc: "Ondra Machacek" <omachace(a)redhat.com>, "Yair Zaslavsky"
<yzaslavs(a)redhat.com>, users(a)ovirt.org
Sent: Friday, December 5, 2014 1:10:06 PM
Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
Hello Alon,

I have deleted Legacy domain with engine-manage-domain, and I have changed
configuration to absolute file name as you can see:

/etc/ovirt-engine/extensions.d/siee-local-authn.properties:

ovirt.engine.extension.name = siee-local-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = siee
ovirt.engine.aaa.authn.authz.plugin = siee-local-authz
config.profile.file.1 = /etc/ovirt-engine/extensions.d/aaa/siee.properties

/etc/ovirt-engine/extensions.d/siee-local-authz.properties:

ovirt.engine.extension.name = siee-local-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/extensions.d/aaa/siee.properties

I had configured relative file name because the example
/usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/extensions.d/domain1-authz.properties
has a relative file name.

I have done the same: delete engine.log, restart ovirt-engine and try to log
in and the same error is shown, "General command validation failure."
I attach the engine.log file.

Thanks,
Juanjo.
On Fri, Dec 5, 2014 at 9:52 AM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
>
> Hi!
>
> You have the following errors:
>
> 2014-12-05 09:32:31,778 INFO
> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
> thread 1-5) Loading extension 'siee-local-authn'
> 2014-12-05 09:32:31,819 ERROR
> [org.ovirt.engine.core.utils.extensionsmgr.EngineExtensionsManager] (MSC
> service thread 1-5) Could not load extension based on configuration file
> '/etc/ovirt-engine/extensions.d/siee-local-authn.properties'. Please check
> the configuration file is valid. Exception message is: Error loading
> extension 'siee-local-authn': /aaa/siee.properties (No such file or
> directory)
> 2014-12-05 09:32:31,823 INFO
> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
> thread 1-5) Loading extension 'siee-local-authz'
> 2014-12-05 09:32:31,824 ERROR
> [org.ovirt.engine.core.utils.extensionsmgr.EngineExtensionsManager] (MSC
> service thread 1-5) Could not load extension based on configuration file
> '/etc/ovirt-engine/extensions.d/siee-local-authz.properties'. Please check
> the configuration file is valid. Exception message is: Error loading
> extension 'siee-local-authz': /aaa/siee.properties (No such file or
> directory)
>
> Per my last message, you should provide absolute file names if you use
> 3.5.0.
> Please see inline comments below.
>
> Also, you are trying to authenticate with the legacy provider:
>
> 2014-12-05 09:33:04,871 ERROR
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
> (ajp--127.0.0.1-8702-5) Failed ldap search server
> ldap://adserver.siee.local:389 using user juanjo(a)SIEE.LOCAL due to
> Authentication Failed. Please verify the username and password.. We should
> not try the next server
>
> Can you please use engine-manage-domains to remove the legacy (old)
> domain, so we reduce confusion?
>
> Thanks!
>
> ----- Original Message -----
> > From: "Juan Jose" <jj197005(a)gmail.com>
> > To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> > Cc: "Ondra Machacek" <omachace(a)redhat.com>, "Yair Zaslavsky" <yzaslavs(a)redhat.com>, users(a)ovirt.org
> > Sent: Friday, December 5, 2014 10:43:01 AM
> > Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
> >
> > Hello Alon,
> >
> > I have done what you have said. My new configuration files are:
> >
> > /etc/ovirt-engine/extensions.d/siee-local-authn.properties:
> >
> > ovirt.engine.extension.name = siee-local-authn
> > ovirt.engine.extension.bindings.method = jbossmodule
> > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> > ovirt.engine.aaa.authn.profile.name = siee
> > ovirt.engine.aaa.authn.authz.plugin = siee-local-authz
> > config.profile.file.1 = aaa/siee.properties
>
> should be: /etc/ovirt-engine/extensions.d/aaa/siee.properties in 3.5.0 or
> can be ../aaa/siee.properties in 3.5.1.
>
> >
> > /etc/ovirt-engine/extensions.d/siee-local-authz.properties:
> >
> > ovirt.engine.extension.name = siee-local-authz
> > ovirt.engine.extension.bindings.method = jbossmodule
> > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> > config.profile.file.1 = aaa/siee.properties
>
> should be: /etc/ovirt-engine/extensions.d/aaa/siee.properties in 3.5.0 or
> can be ../aaa/siee.properties in 3.5.1.
>
>
> >
> > /etc/ovirt-engine/extensions.d/aaa/siee.properties:
> >
> > include = <ad.properties>
> >
> > #
> > # Active directory domain name.
> > #
> > vars.domain = siee.local
> >
> > #
> > # Search user and its password.
> > #
> > vars.user = searcher@${global:vars.domain}
> > vars.password = xxxxxxx
> >
> > #
> > # Optional DNS servers, if enterprise
> > # DNS server cannot resolve the domain srvrecord.
> > #
> > #vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}
> >
> > pool.default.serverset.type = srvrecord
> > pool.default.serverset.srvrecord.domain = ${global:vars.domain}
> > pool.default.auth.simple.bindDN = ${global:vars.user}
> > pool.default.auth.simple.password = ${global:vars.password}
> >
> > # Uncomment if using custom DNS
> >
> > #pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
> > #pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
> >
> > # Create keystore, import certificate chain and uncomment
> > # if using ssl/tls.
> > #pool.default.ssl.startTLS = true
> > #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
> > #pool.default.ssl.truststore.password = changeit
> >
> > After reconfiguring my files with ovirt-engine stopped, I have started
> > ovirt-engine and I have tried to log in. The error persists,
> > "General command validation failure." and after that I have stopped
> > ovirt-engine again. I attach my engine.log file.
> >
> > Many thanks again,
> >
> > Juanjo.
> >
> >
> > On Tue, Dec 2, 2014 at 3:46 PM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
> >
> > >
> > >
> > > ----- Original Message -----
> > > > From: "Juan Jose" <jj197005(a)gmail.com>
> > > > To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> > > > Cc: "Ondra Machacek" <omachace(a)redhat.com>, "Yair Zaslavsky" <yzaslavs(a)redhat.com>, users(a)ovirt.org
> > > > Sent: Tuesday, December 2, 2014 3:48:54 PM
> > > > Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
> > > >
> > > > Hello Alon and everybody,
> > > >
> > > > I have installed package ovirt-engine-extension-aaa-ldap and configured my
> > > > files as the documentation says. The files are:
> > > >
> > > > /etc/ovirt-engine/extensions.d/siee.local-authn.properties:
> > > >
> > > > ovirt.engine.extension.name = siee.local-authn
> > > > ovirt.engine.extension.bindings.method = jbossmodule
> > > > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> > > > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> > > > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> > > > ovirt.engine.aaa.authn.profile.name = siee.local
> > > > ovirt.engine.aaa.authn.authz.plugin = siee.local-authz
> > > > config.profile.file.1 = aaa/siee.local.properties
> > >
> > > please use absolute file name for 3.5.0, relative will be available in 3.5.1
> > >
> > > >
> > > > /etc/ovirt-engine/extensions.d/siee.local-authz.properties:
> > > >
> > > > ovirt.engine.extension.name = siee.local-authz
> > > > ovirt.engine.extension.bindings.method = jbossmodule
> > > > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> > > > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> > > > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> > > > config.profile.file.1 = aaa/siee.local.properties
> > >
> > > please use absolute file name for 3.5.0, relative will be available in 3.5.1
> > >
> > >
> > > >
> > > > /etc/ovirt-engine/extensions.d/aaa/siee.local.properties:
> > > >
> > > > include = <ad.properties>
> > > >
> > > > #
> > > > # Active directory domain name.
> > > > #
> > > > vars.domain = siee.local
> > > >
> > > > #
> > > > # Search user and its password.
> > > > #
> > > > vars.user = juanjo@${global:vars.domain}
> > > > vars.password = xxxxxxxx
> > >
> > > this should be a dedicated user for search, not your private user.
> > >
> > > >
> > > > #
> > > > # Optional DNS servers, if enterprise
> > > > # DNS server cannot resolve the domain srvrecord.
> > > > #
> > > > #vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}
> > > >
> > > > pool.default.serverset.type = srvrecord
> > > > pool.default.serverset.srvrecord.domain = ${global:vars.domain}
> > > > pool.default.auth.simple.bindDN = ${global:vars.user}
> > > > pool.default.auth.simple.password = ${global:vars.password}
> > > >
> > > > # Uncomment if using custom DNS
> > > >
> > > > #pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
> > > > #pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
> > > >
> > > > # Create keystore, import certificate chain and uncomment
> > > > # if using ssl/tls.
> > > > #pool.default.ssl.startTLS = true
> > > > #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
> > > > #pool.default.ssl.truststore.password = changeit
> > > >
> > > > And after this configuration I restart ovirt-engine service. When I try to
> > > > login in administrator portal I can see the error "The user name or
> > > > password is incorrect.". In /var/log/ovirt-engine/engine.log I have the
> > > > errors:
> > > >
> > > > 2014-12-02 14:02:21,983 ERROR
> > > > [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> > > > (ajp--127.0.0.1-8702-8) Correlation ID: null, Call Stack: null, Custom
> > > > Event ID: -1, Message: User juanjo cannot login, please verify the username
> > > > and password.
> > > > 2014-12-02 14:02:21,991 ERROR
> > > > [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> > > > (ajp--127.0.0.1-8702-8) Correlation ID: null, Call Stack: null, Custom
> > > > Event ID: -1, Message: User juanjo failed to log in.
> > > >
> > > > I'm using correct user and password because I can login in a Windows client
> > > > machine which is inside siee.local domain with this user and its correct
> > > > password.
> > > >
> > > > What do you think it could be the problem?
> > > >
> > > > If you need more information or I have to configure any other parameters,
> > > > please tell me.
> > >
> > > please attach full engine.log, more correctly, stop engine, remove
> > > engine.log, start engine, try to login and send log.
> > > please make sure you select the "siee.local" domain in dropdown of login
> > > screen.
> > >
> > > when I get the engine.log I will be able to understand how to progress.
> > >
> > > thanks!
> > >
> > >
> > > >
> > > > Many thanks in advance,
> > > >
> > > > Juanjo.
> > > >
> > > >
> > > >
> > > > On Wed, Nov 26, 2014 at 3:19 PM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
> > > >
> > > > >
> > > > >
> > > > > ----- Original Message -----
> > > > > > From: "Juan Jose" <jj197005(a)gmail.com>
> > > > > > To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> > > > > > Cc: "Ondra Machacek" <omachace(a)redhat.com>, "Yair Zaslavsky" <yzaslavs(a)redhat.com>, users(a)ovirt.org
> > > > > > Sent: Wednesday, November 26, 2014 3:04:14 PM
> > > > > > Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
> > > > > >
> > > > > > Hello Alon and everybody,
> > > > > >
> > > > > > Check in my ovirt-engine machine for ovirt-engine-aaa-ldap package and it
> > > > > > is not available:
> > > > > >
> > > > > > yum list "ovirt-engine*"
> > > > > > Loaded plugins: fastestmirror, refresh-packagekit, security, versionlock
> > > > > > Loading mirror speeds from cached hostfile
> > > > > > * base: ftp.udl.es
> > > > > > * epel: mirror.uv.es
> > > > > > * extras: ftp.udl.es
> > > > > > * ovirt-3.5: ftp.nluug.nl
> > > > > > * ovirt-3.5-epel: mirror.uv.es
> > > > > > * ovirt-3.5-jpackage-6.0-generic: mirror.ibcp.fr
> > > > > > * ovirt-epel: mirror.uv.es
> > > > > > * ovirt-jpackage-6.0-generic: mirror.ibcp.fr
> > > > > > * updates: ftp.udl.es
> > > > > > Installed Packages
> > > > > > ovirt-engine.noarch   3.5.0.1-1.el6   @ovirt-3.5
> > > > > > ovirt-engine-backend.noarch   3.5.0.1-1.el6   @ovirt-3.5
> > > > > > ovirt-engine-cli.noarch   3.3.0.6-1.el6   @ovirt-3.3.3
> > > > > > ovirt-engine-dbscripts.noarch   3.5.0.1-1.el6   @ovirt-3.5
> > > > > > ovirt-engine-extensions-api-impl.noarch   3.5.0.1-1.el6   @ovirt-3.5
> > > > > > ovirt-engine-jboss-as.x86_64   7.1.1-1.el6   @ovirt-3.5
> > > > > > ovirt-engine-lib.noarch   3.5.0.1-1.el6   @ovirt-3.5
> > > > > > ovirt-engine-restapi.noarch   3.5.0.1-1.el6   @ovirt-3.5
> > > > > > ovirt-engine-sdk-python.noarch   3.5.0.8-1.el6   @ovirt-3.5
> > > > > > ovirt-engine-setup.noarch   3.5.0.1-1.el6   @ovirt-3.5
> > > > > > ovirt-engine-setup-base.noarch   3.5.0.1-1.el6   @ovirt-3.5
> > > > > > ovirt-engine-setup-plugin-ovirt-engine.noarch   3.5.0.1-1.el6   @ovirt-3.5
> > > > > > ovirt-engine-setup-plugin-ovirt-engine-common.noarch   3.5.0.1-1.el6   @ovirt-3.5
> > > > > > ovirt-engine-setup-plugin-websocket-proxy.noarch   3.5.0.1-1.el6   @ovirt-3.5
> > > > > > ovirt-engine-tools.noarch   3.5.0.1-1.el6   @ovirt-3.5
> > > > > > ovirt-engine-userportal.noarch   3.5.0.1-1.el6   @ovirt-3.5
> > > > > > ovirt-engine-webadmin-portal.noarch   3.5.0.1-1.el6   @ovirt-3.5
> > > > > > ovirt-engine-websocket-proxy.noarch   3.5.0.1-1.el6   @ovirt-3.5
> > > > > > Available Packages
> > > > > > ovirt-engine-cli.noarch   3.5.0.5-1.el6   ovirt-3.5
> > > > > > ovirt-engine-dwh.noarch   3.5.0-1.el6   ovirt-3.5
> > > > > > ovirt-engine-dwh-setup.noarch   3.5.0-1.el6   ovirt-3.5
> > > > > > ovirt-engine-extensions-api-impl-javadoc.noarch   3.5.0.1-1.el6   ovirt-3.5
> > > > > > ovirt-engine-reports.noarch   3.5.1-0.1.el6   ovirt-3.5
> > > > > > ovirt-engine-reports-setup.noarch   3.5.1-0.1.el6   ovirt-3.5
> > > > > > ovirt-engine-sdk-java.noarch   3.5.0.5-1.el6   ovirt-3.5
> > > > > > ovirt-engine-sdk-java-javadoc.noarch   3.5.0.5-1.el6   ovirt-3.5
> > > > > > ovirt-engine-setup-plugin-allinone.noarch
> > > > > >
> > > > > > How can I get this package?
> > > > >
> > > > >
> > > > > Thanks for trying!
> > > > >
> > > > > Package is available at ovirt-3.5-snapshot[1].
> > > > >
> > > > > [1] http://resources.ovirt.org/pub/ovirt-3.5-snapshot/
> > > > >
> > > >
> > >
> >
>
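
The absolute-file-name requirement discussed in this thread can be checked before restarting the engine. The following is an added example, not part of the original messages and not oVirt code: it parses extension files in the `key = value` form quoted above and reports any `config.profile.file.N` entry that is relative or points at a missing file. The function names and the sample files built in `demo()` are constructed for illustration.

```python
import os
import tempfile

PREFIX = "config.profile.file."

def parse_properties(text):
    """Parse 'key = value' lines; skip blanks and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_extension(path):
    """Return findings for one extensions.d/*.properties file (hypothetical helper)."""
    with open(path, encoding="utf-8") as fh:
        props = parse_properties(fh.read())
    refs = {k: v for k, v in props.items() if k.startswith(PREFIX)}
    findings = []
    if not refs:
        findings.append("no config.profile.file.N entry")
    for key, value in sorted(refs.items()):
        if not os.path.isabs(value):
            # Per the thread, 3.5.0 only accepts an absolute file name here.
            findings.append(f"{key}: relative path {value!r}, 3.5.0 needs an absolute file name")
        elif not os.path.isfile(value):
            findings.append(f"{key}: {value!r} does not exist")
    return findings

def demo():
    """Build constructed sample files in a temp dir and check each one."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "aaa"))
    profile = os.path.join(root, "aaa", "siee.properties")
    with open(profile, "w", encoding="utf-8") as fh:
        fh.write("vars.domain = siee.local\n")
    targets = {"relative": "aaa/siee.properties", "absolute": profile,
               "dangling": os.path.join(root, "aaa", "other.properties")}
    results = {}
    for name, target in targets.items():
        path = os.path.join(root, name + "-authn.properties")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(f"ovirt.engine.extension.name = {name}-authn\n{PREFIX}1 = {target}\n")
        results[name] = check_extension(path)
    return results

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "ok")
```

On a real engine host, `check_extension` would be called on each file under /etc/ovirt-engine/extensions.d/ by an account that can read those files.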