
----- Original Message -----
From: "Fumihide Tani" <RXC05271@nifty.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: users@ovirt.org
Sent: Sunday, September 21, 2014 6:00:48 PM
Subject: Re: [ovirt-users] Can not configure with simple LDAP.
Hi, Alon,
Following Alon's advice, I added the authz-company.properties file to the configuration directory. Then OpenLDAP users could be searched from the oVirt Web Admin, and I could add its users to the portal successfully.
But I have another problem. These OpenLDAP users that I added cannot log in to the oVirt web user portal.
User Name: Fumihide (this is shown on the Web Admin Portal "Users" tab as "First Name")
Password: (I specified it as OpenLDAP's userPassword for "Fumihide")
Domain: rxc05271.com (I selected this instead of "internal")
1. What error do you get in the UI?
2. Please look at engine.log while attempting to log in, and see if there is something helpful.
3. Please make sure that the following is a success:
   $ ldapsearch -h <HOST> -x -W -D <LOGIN_USER_DN> -b <BASE_DN> uid=<LOGIN_NAME>
4. If that works, please modify /usr/share/ovirt-enigne/services/ovirt-enigne/ovirt-enigne.xml.in
   --- <file-handler name="ENGINE" autoflush="true"> - <level name="INFO"/> - <level name="FINEST"/> <snip> + <logger category="org.ovirt.engineextensions.aaa.ldap"> + <level name="FINEST"/> + </logger> <logger category="org.ovirt.engine.core.bll"> ---
   Restart the engine, attempt login, and send me the output.
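Review bot: in the file-handler part of the hunk both level lines carry a "-" marker (`- <level name="INFO"/>` and `- <level name="FINEST"/>`), so applied as written the ENGINE handler is left with no level element at all; the second line is presumably meant as `+ <level name="FINEST"/>`, which is the only reading under which the added aaa.ldap logger's FINEST records would reach the file. Two caveats for whoever applies it: the file path in item 4 is spelled "ovirt-enigne" three times, and running both the handler and the aaa.ldap logger at FINEST makes engine.log very verbose and likely to include user DNs and LDAP search filters, so scrub those before posting the excerpt to a public list and revert the change once the login failure is diagnosed.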
Please advise me; I would be very thankful.
Fumihide Tani
(2014/09/21 17:13), Alon Bar-Lev wrote:
----- Original Message -----
From: "Fumihide Tani" <RXC05271@nifty.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: users@ovirt.org
Sent: Sunday, September 21, 2014 11:11:11 AM
Subject: Re: [ovirt-users] Can not configure with simple LDAP.
Hi, Alon
Many thanks for your help. My problem was solved and the AAA is working now. I could add an LDAP user. :)

Great. Can you please send me a patch or a modified README to make it better?
Alon
Fumihide Tani
(2014/09/21 16:19), Alon Bar-Lev wrote:
----- Original Message -----
From: "Alon Bar-Lev" <alonbl@redhat.com>
To: "Fumihide Tani" <RXC05271@nifty.com>
Cc: users@ovirt.org
Sent: Sunday, September 21, 2014 10:19:11 AM
Subject: Re: [ovirt-users] Can not configure with simple LDAP.
Hi,
You need to create an authz extension as well (authz-company). The configuration you provided establishes authentication only (authn), which refers to authz-company, but you did not add it.
The terms are:
1. authn - who the user is.
2. authz - what the user is permitted to do.
3. profile - the combination of the two.
-----------------------------
# vi /etc/ovirt-engine/extensions.d/authz-company.properties
ovirt.engine.extension.name = authz-company
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
Sorry: org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
--------------------------------------------------
Regards, Alon
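The failure Alon diagnoses in the message above (an authn extension that names an authz extension nobody created, and the AuthnExtension/AuthzExtension class slip he corrects inline) is easy to catch before restarting the engine. The script below is an added example written for this thread, not oVirt's own tooling: it reads the .properties files from extensions.d and checks that every authn file points at an existing authz file, that each file binds the class matching what it provides, and that the profile config files it references exist. The authz keys are the ones shown in the message; the authn-side keys ovirt.engine.aaa.authn.profile.name and ovirt.engine.aaa.authn.authz.plugin, and the whole authn-company sample, are assumptions not shown on this page.

```python
"""Consistency check for oVirt AAA extension files (authn <-> authz pairing).

Added example for this thread, not oVirt's own code. The authn-side key
names (ovirt.engine.aaa.authn.authz.plugin, ovirt.engine.aaa.authn.profile.name)
are assumed from oVirt's AAA configuration and do not appear in the message.
"""
from pathlib import Path
from typing import Dict, List, Optional, Set

AUTHN = "org.ovirt.engine.api.extensions.aaa.Authn"
AUTHZ = "org.ovirt.engine.api.extensions.aaa.Authz"
NAME_KEY = "ovirt.engine.extension.name"
PROVIDES_KEY = "ovirt.engine.extension.provides"
CLASS_KEY = "ovirt.engine.extension.binding.jbossmodule.class"
AUTHZ_REF_KEY = "ovirt.engine.aaa.authn.authz.plugin"  # assumed key name
EXPECTED_CLASS = {AUTHN: "AuthnExtension", AUTHZ: "AuthzExtension"}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: 'key = value' lines, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_extensions(files: Dict[str, str],
                     existing_paths: Optional[Set[str]] = None) -> List[str]:
    """Return human-readable problems found across extension files.

    files maps a file name (as under /etc/ovirt-engine/extensions.d) to its
    text. existing_paths is the set of profile config files present on disk;
    None skips that check (useful when running offline on samples).
    """
    problems: List[str] = []
    by_name: Dict[str, Dict[str, str]] = {}
    for fname, text in files.items():
        props = parse_properties(text)
        name = props.get(NAME_KEY)
        if not name:
            problems.append(f"{fname}: missing {NAME_KEY}")
            continue
        by_name[name] = props

    for name, props in by_name.items():
        provides = props.get(PROVIDES_KEY, "")
        cls = props.get(CLASS_KEY, "")
        # The bound class must match what the file claims to provide: this is
        # the AuthnExtension/AuthzExtension slip corrected in the message.
        expected = EXPECTED_CLASS.get(provides)
        if expected and not cls.endswith(expected):
            problems.append(f"{name}: provides {expected[:5]} but binds class {cls or '(unset)'}")
        if provides == AUTHN:
            ref = props.get(AUTHZ_REF_KEY)
            if not ref:
                problems.append(f"{name}: no {AUTHZ_REF_KEY}; users could authenticate but never be looked up")
            elif ref not in by_name:
                problems.append(f"{name}: refers to authz extension '{ref}' which has no file in extensions.d")
            elif by_name[ref].get(PROVIDES_KEY) != AUTHZ:
                problems.append(f"{name}: '{ref}' exists but does not provide Authz")
        if existing_paths is not None:
            for key, value in props.items():
                if key.startswith("config.profile.file.") and value not in existing_paths:
                    problems.append(f"{name}: {key} points to missing file {value}")
    return problems


def check_directory(extensions_dir: str = "/etc/ovirt-engine/extensions.d") -> List[str]:
    """Run the check against the real files on an engine host."""
    files = {p.name: p.read_text() for p in Path(extensions_dir).glob("*.properties")}
    referenced = {v for t in files.values() for k, v in parse_properties(t).items()
                  if k.startswith("config.profile.file.")}
    return check_extensions(files, {v for v in referenced if Path(v).is_file()})


# Constructed samples, trimmed to the keys the check reads. The authz file is
# the one from the message (with the corrected class); the authn file is assumed.
AUTHZ_SAMPLE = """\
ovirt.engine.extension.name = authz-company
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
"""
AUTHN_SAMPLE = """\
ovirt.engine.extension.name = authn-company
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = rxc05271.com
ovirt.engine.aaa.authn.authz.plugin = authz-company
config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
"""

if __name__ == "__main__":
    # authn alone: the situation in the thread before authz-company existed.
    for p in check_extensions({"authn-company.properties": AUTHN_SAMPLE}):
        print("PROBLEM:", p)
    both = {"authn-company.properties": AUTHN_SAMPLE,
            "authz-company.properties": AUTHZ_SAMPLE}
    print("with authz-company:", check_extensions(both) or "OK")
```

On an engine host, `check_directory()` with no arguments reads the real extensions.d and also verifies that each `config.profile.file.N` target exists; run it before restarting the engine rather than after, since a missing authz file only shows up at login time, which is exactly the symptom reported above.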