9:08 a.m.
Trying to get oVirt to use LDAP for user authentication. It seems to bind, but when I test
it (Login Flow and Search) before applying the settings, I get the message below (I can
confirm the credentials ARE valid). I also tried to set it up manually and still get the
same result. I'm using the same information on Bugzilla and it works fine. I've
seen similar threads here but without much answers. Anyone have any good links or docs I
can view to get this set up?
oVirt Node Version: 4.3.3.6-1.el7
API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS
profile='mydomain.com' result=CREDENTIALS_INVALID
10:03 a.m.
I had a similar issue, my LDAP guy said oVirt engine was asking for
uidObject which our ldap didn't provide and
gave me this config addition to make to the
/etc/ovirt-engine/aaa/MY.DOMAIN.properties file so it would
use inetOrgPerson instead
# override default ldap filter. defaults found at
#
https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/blob/master/prof...
sequence.openldap-init-vars.040.var-set.value =
(objectClass=inetOrgPerson)(${seq:simple_attrsUserName}=*)
On Tue, Sep 3, 2019 at 10:10 AM Rick A <racevedo(a)lenovo.com> wrote:
Trying to get oVirt to use LDAP for user authentication. It seems to bind,
but when I test it (Login Flow and Search) before applying the settings, I
get the message below (I can confirm the credentials ARE valid). I also
tried to set it up manually and still get the same result. I'm using the
same information on Bugzilla and it works fine. I've seen similar threads
here but without much answers. Anyone have any good links or docs I can
view to get this set up?
oVirt Node Version: 4.3.3.6-1.el7
API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='
mydomain.com' result=CREDENTIALS_INVALID
_______________________________________________
Users mailing list -- users(a)ovirt.org
To unsubscribe send an email to users-leave(a)ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/C4ZQYTRO3WV...
11:23 a.m.
thanks for the reply. That doesn't seem to work for me either. Strange part is if
apply the settings anyway and I use a wildcard "*" in ovirt when searching for
users, it lists users in a specific OU only even though it's set to search
DC=domain,DC=com
2:58 a.m.
Can you please share the debug log from the
ovirt-engine-extensions-test-tool?
On 04/09/2019 18:23, Rick A wrote:
> thanks for the reply. That doesn't seem to work for me either. Strange part is
if apply the settings anyway and I use a wildcard "*" in ovirt when searching
for users, it lists users in a specific OU only even though it's set to search
DC=domain,DC=com
> _______________________________________________
> Users mailing list -- users(a)ovirt.org
> To unsubscribe send an email to users-leave(a)ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
> List Archives:
https://lists.ovirt.org/archives/list/users@ovirt.org/message/LFWJ4MGBF2R...
>
10:16 a.m.
I got a little further.
When testing after the setup, I get a Credential Invalid error until I added what Edward
previously suggested except I had to use "Person" instead of
"inetOrgPerson" because my LDAP server doesn't provide uidObject as well.
Line added to /etc/ovirt-engine/aaa/MYDOMAIN.com.properties:
sequence.openldap-init-vars.040.var-set.value = (objectClass=Person)
Once I did that and restarted the service, ovirt-engine-extensions-tool gives me the
following below. Not sure why it won't pull the principle record.
2019-09-06 10:50:15,032-04 INFO
========================================================================
2019-09-06 10:50:15,032-04 INFO ============================== Execution
===============================
2019-09-06 10:50:15,032-04 INFO
========================================================================
2019-09-06 10:50:15,033-04 INFO Iteration: 0
2019-09-06 10:50:15,033-04 INFO Profile='MYDOMAIN.com'
authn='MYDOMAIN.com-authn' authz='MYDOMAIN.com' mapping='null'
2019-09-06 10:50:15,034-04 INFO API:
-->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='MYDOMAIN.com'
user='MYUSERNAME'
Password:
2019-09-06 10:50:18,822-04 INFO API:
<--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='MYDOMAIN.com'
result=SUCCESS
2019-09-06 10:50:18,824-04 INFO --- Begin AuthRecord ---
2019-09-06 10:50:18,824-04 INFO --- End AuthRecord ---
2019-09-06 10:50:18,825-04 INFO API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD
principal='null'
2019-09-06 10:50:18,837-04 SEVERE Cannot locate principal 'null'
10:07 a.m.
I finally got this to work so I'm posting what I did in case it may help someone else
in the future. Hopefully the format of this site won't make it hard to read.
- Thanks to Edward Berger who got me to the right direction and providing this link:
https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/blob/master/prof...
- Also Thanks to Ondra Machacek for advising to use the ovirt-engine-extensions-tool
All changes are made on /etc/ovirt-engine/aaa/MYDOMAIN.com.properties
- Once I added this line:
sequence.openldap-init-vars.040.var-set.value =
(objectClass=Person)(${seq:simple_attrsUserName}=*)
- I was getting this error:
-->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='null'
2019-09-06 10:50:18,837-04 SEVERE Cannot locate principal 'null'
- So then I changed the Principal map from "uid" to "cn" by adding
this line:
attrmap.map-principal-record.attr.PrincipalRecord_PRINCIPAL.map = cn
- After that, it pulled the user principal name, but then when trying to add a user in the
web interface, it would fail with this error:
ERROR: null value in column "external_id" violates not-null constraint
- So I mapped the PrincipalRecord_ID to the user mail attribute figuring that would be
fine since emails are mostly unique anyway,by adding the following line:
attrmap.map-principal-record.attr.PrincipalRecord_ID.map = mail
My configuration: /etc/ovirt-engine/aaa/MYDOMAIN.com.properties
include = <openldap.properties>
vars.server = SERVERNAME.MYDOMAIN.com
vars.user = LDAPuser(a)MYDOMAIN.com
vars.password = USER PASSWORD
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = single
pool.default.serverset.single.server = ${global:vars.server}
attrmap.map-principal-record.attr.PrincipalRecord_PRINCIPAL.map = cn
attrmap.map-principal-record.attr.PrincipalRecord_ID.map = mail
sequence.openldap-init-vars.010.description = set base dn
sequence.openldap-init-vars.010.type = var-set
sequence.openldap-init-vars.010.var-set.variable = simple_attrsBaseDN
sequence.openldap-init-vars.010.var-set.value = DC=MYDOMAIN,DC=com
sequence.openldap-init-vars.020.var-set.value = cn
sequence.openldap-init-vars.040.var-set.value =
(objectClass=Person)(${seq:simple_attrsUserName}=*)
1884
days inactive
1890
days old
5 comments
3 participants
participants (3)
-
Edward Berger -
Ondra Machacek -
Rick A