With UserRole you can only login to UserPortal, not webadmin. Do you
have this issue when you try to login to UserPortal?
On 09/23/2015 09:22 AM, Budur Nagaraju wrote:
Provided the "user role" permissions, still the same issue.
On Wed, Sep 23, 2015 at 12:48 PM, Ondra Machacek <omachace@redhat.com> wrote:
Hi,
your user nbudoor@abc.net doesn't have appropriate permissions to login.
First you need to login as 'admin@internal' and assign him some
permissions, then you will be able to login.
Ondra
On 09/23/2015 09:15 AM, Budur Nagaraju wrote:
> HI All,
>
> After rectifying this, I am able to search the domain in the users in the UI,
> but unable to login, getting the below error:
>
>
> 2015-09-23 12:41:47,482 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
> (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for user nbudoor@abc.net.
> Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
>
> Thanks,
> Nagaraju
>
>
>
>
>
> On Wed, Sep 23, 2015 at 12:13 PM, Ondra Machacek <omachace@redhat.com> wrote:
>
> Hi,
>
> as Alon already said, you have a trailing space in your configuration:
>
> 'my.abc.net ' <-- space at the end
>
> Please remove this space and try again.
>
> Ondra
>
>
> On 09/23/2015 05:35 AM, Budur Nagaraju wrote:
>> HI Alon,
>>
>> Tried all the options but no luck.
>>
>> I have copied the logs to pastebin; below is the link. The
>> warning message is that it is unable to resolve the DNS. Let me
>> know whether there is any help I could get.
>>
>>
>> http://pastebin.com/7qN9QnHK
>>
>> Thanks,
>> Nagaraju
>>
>>
>> On Tue, Sep 22, 2015 at 8:44 PM, Daniel Helgenberger <daniel.helgenberger@m-box.de> wrote:
>>
>> Hello Budur,
>>
>> I've done this recently. Alon, no offense, but the docs
>> are not quite straightforward...
>>
>> Requirements:
>> - LDAP server (obviously) - called here ldap.mydomain.com
>> - LDAP bind account - called here ldap@mydomain.com, password 'Passw@rd'
>> - At least one existing account in ldap, called user@mydomain.com
>>
>> Please note, the most common issue will be DNS.
>>
>> I'll describe in short what steps need to be taken. All
>> this needs to be done on your engine host. In the end
>> this was quite easy :)
>>
>> 1. Install the packages: ovirt-engine-extension-aaa-ldap
>> and openldap-clients (these are only for testing your setup)
>> 2. Test if ldap is working in general. (The extension
>> uses the global catalog at least for AD, this was news
>> to me):
>> # ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H ldap://ldap.mydomain.com:3268/ -x \
>>   -D 'ldap@mydomain.com' -w Passw@rd -b '' '(userPrincipalName=user@mydomain.com)' cn userPrincipalName
>>
>> If this command does not return details of the user,
>> do debug your ldap and continue once this works. Example:
>>
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <> with scope subtree
>> # filter: (userPrincipalName=user@mydomain.com)
>> # requesting: cn userPrincipalName
>> # with pagedResults control: size=1024
>> #
>>
>> # Some Name, some-ou, mydomain.com
>> dn: CN=Some Name,OU=some-ou,DC=mydomain,DC=com
>> cn: Some Name
>> userPrincipalName: user@mydomain.com
>>
>> # search result
>> search: 2
>> result: 0 Success
>> control: 1.2.840.113556.1.4.319 false MIQXGSGSGSgEABAA=
>> pagedresults: cookie=
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>>
>> 3. Copy the examples as mentioned from the readme.
>> 4. You only need to modify
>> /etc/ovirt-engine/aaa/int.m-box.de.properties; leave the
>> rest as is.
>> 5. There, set:
>>
>> vars.domain = ldap.mydomain.com
>> vars.user = ldap@${global:vars.domain}
>> vars.password = Passw@rd
>>
>> 6. Restart ovirt engine service
>> 7. Log in as admin@internal and add user rights and
>> roles from the new provider
>>
>> Hope this helps.
>>
>> On 22.09.2015 16:46, Budur Nagaraju wrote:
>> >
>> > below are the three files which I have modified.
>> >
>> >
>> > [root@cstlb2 extensions.d]# cat profile1-authn.properties
>> > ovirt.engine.extension.name = cloudspin-authn
>> > ovirt.engine.extension.bindings.method = jbossmodule
>> > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>> > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
>> > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
>> > ovirt.engine.aaa.authn.profile.name = cloudspin
>> > ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth
>> > config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
>> >
>> >
>> > [root@cstlb2 extensions.d]# ls
>> > profile1-authn.properties profile1-authz.properties
>> > [root@cstlb2 extensions.d]# cat profile1-authz.properties
>> > ovirt.engine.extension.name = cloudspin-authz
>> > ovirt.engine.extension.bindings.method = jbossmodule
>> > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>> > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
>> > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
>> > config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
>> > [root@cstlb2 extensions.d]#
>> >
>> >
>> >
>> > [root@cstlb2 aaa]# pwd
>> > /etc/ovirt-engine/aaa
>> > [root@cstlb2 aaa]# ls
>> > ldap1.properties
>> > [root@cstlb2 aaa]# cat ldap1.properties
>> > #
>> > # Select one
>> > #
>> > include = <openldap.properties>
>> > #include = <389ds.properties>
>> > #include = <rhds.properties>
>> > #include = <ipa.properties>
>> > #include = <iplanet.properties>
>> > #include = <rfc2307.properties>
>> > #include = <rfc2307-openldap.properties>
>> >
>> > #
>> > # Server
>> > #
>> > vars.server = my.abc.net 
>> >
>> > #
>> > # Search user and its password.
>> > #
>> > vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=nbudoor,dc=net
>> > vars.password = company
>> >
>> > pool.default.serverset.single.server = ${global:vars.server}
>> > pool.default.auth.simple.bindDN = ${global:vars.user}
>> > pool.default.auth.simple.password = ${global:vars.password}
>> >
>> > # Create keystore, import certificate chain and uncomment
>> > # if using ssl/tls.
>> > #pool.default.ssl.startTLS = true
>> > #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
>> > #pool.default.ssl.truststore.password = changeit
>> > [root@cstlb2 aaa]#
>> >
>> >
>> >
>> >
>> >
>> >
>> > On Tue, Sep 22, 2015 at 8:07 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
>> >
>> >
>> >
>> > ----- Original Message -----
>> > > From: "Budur Nagaraju" <nbudoor@gmail.com>
>> > > To: "Alon Bar-Lev" <alonbl@redhat.com>
>> > > Cc: users@ovirt.org
>> > > Sent: Tuesday, September 22, 2015 5:35:16 PM
>> > > Subject: Re: [ovirt-users] LDAP Authentication
>> > >
>> > > It's too complicated; do you have any script or video?
>> >
>> > In 3.6 we have a setup script.
>> > For now:
>> >
>> > cp -r /usr/share/ovirt-engine/examples/simple/. /etc/ovirt-engine/
>> >
>> > This is written in the README.
>> >
>> > Then customize the files at /etc/ovirt-engine/extensions.d/*
>> > and /etc/ovirt-engine/aaa/* to match your setup.
>> >
>> > >
>> > >
>> > > On Tue, Sep 22, 2015 at 8:00 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
>> > >
>> > > >
>> > > >
>> > > > ----- Original Message -----
>> > > > > From: "Budur Nagaraju" <nbudoor@gmail.com>
>> > > > > To: "Alon Bar-Lev" <alonbl@redhat.com>
>> > > > > Cc: users@ovirt.org
>> > > > > Sent: Tuesday, September 22, 2015 5:24:36 PM
>> > > > > Subject: Re: [ovirt-users] LDAP Authentication
>> > > > >
>> > > > > HI Alon,
>> > > > >
>> > > > > Below is the configuration which I have done, but I am unable to search the
>> > > > > users in the UI.
>> > > > > Can you please help me?
>> > > >
>> > > > you need three files, see the
>> > > > /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple
>> > > >
>> > > > >
>> > > > >
>> > > > > [root@cstlb2 aaa]# cat ldap1.properties
>> > > > > #
>> > > > > # Select one
>> > > > > #
>> > > > > include = <openldap.properties>
>> > > > > #include = <389ds.properties>
>> > > > > #include = <rhds.properties>
>> > > > > #include = <ipa.properties>
>> > > > > #include = <iplanet.properties>
>> > > > > #include = <rfc2307.properties>
>> > > > > #include = <rfc2307-openldap.properties>
>> > > > >
>> > > > > #
>> > > > > # Server
>> > > > > #
>> > > > > vars.server =my.abc.net 
>> > > > >
>> > > > > #
>> > > > > # Search user and its password.
>> > > > > #
>> > > > > vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=abc,dc=net
>> > > > > vars.password = company1
>> > > > >
>> > > > > pool.default.serverset.single.server = ${global:vars.server}
>> > > > > pool.default.auth.simple.bindDN = ${global:vars.user}
>> > > > > pool.default.auth.simple.password = ${global:vars.password}
>> > > > >
>> > > > > # Create keystore, import certificate chain and uncomment
>> > > > > # if using ssl/tls.
>> > > > > #pool.default.ssl.startTLS = true
>> > > > > #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
>> > > > > #pool.default.ssl.truststore.password = changeit
>> > > > > [root@cstlb2 aaa]#
>> > > > >
>> > > > >
>> > > > >
>> > > > > On Tue, Sep 22, 2015 at 7:25 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
>> > > > >
>> > > > > >
>> > > > > >
>> > > > > > ----- Original Message -----
>> > > > > > > From: "Budur Nagaraju" <nbudoor@gmail.com>
>> > > > > > > To: users@ovirt.org
>> > > > > > > Sent: Tuesday, September 22, 2015 4:34:46 PM
>> > > > > > > Subject: [ovirt-users] LDAP Authentication
>> > > > > > >
>> > > > > > > HI All,
>> > > > > > >
>> > > > > > > Can someone help me in configuring LDAP authentication for oVirt?
>> > > > > >
>> > > > > > Please review:
>> > > > > > http://www.ovirt.org/Features/AAA
>> > > > > > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0
>> > > > > >
>> > > > >
>> > > >
>> > >
>> >
>> >
>>
>> --
>> Daniel Helgenberger
>> m box bewegtbild GmbH
>>
>> P: +49/30/2408781-22
>> F: +49/30/2408781-10
>>
>> ACKERSTR. 19
>> D-10115 BERLIN
>>
>>
>>
>> www.m-box.de www.monkeymen.tv
>>
>> Managing directors: Martin Retschitzegger / Michaela Göllner
>> Commercial register: Amtsgericht Charlottenburg / HRB 112767
>>
>>
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users@ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>
>
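The trailing space Alon and Ondra point out, and the ldap1.properties layout Daniel walks through, can be checked mechanically before restarting the engine. The Python linter below is an added example, not code from the thread or from ovirt-engine-extension-aaa-ldap: it parses a profile as "key = value" lines, expands ${global:...} references (assumed to resolve only against keys in the same file), and flags trailing whitespace in values, a server value that cannot be a DNS name, a missing or doubled include, and a simple-bind password configured without startTLS; the sample profile is constructed to mirror the one posted above.

```python
import re
from typing import Dict, List

# Profile files for ovirt-engine-extension-aaa-ldap are Java-style
# "key = value" properties; ${global:key} references are expanded by the
# extension (assumption: only keys from the same file are referenced here).
KEY_VALUE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*=(.*)$")
GLOBAL_REF = re.compile(r"\$\{global:([A-Za-z0-9_.\-]+)\}")
ACTIVE_INCLUDE = re.compile(r"^\s*include\s*=")
HOST_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]*")


def parse_properties(text: str) -> Dict[str, str]:
    """Map key -> raw value. Whitespace after '=' is dropped, trailing
    whitespace is kept on purpose: that is what bit the poster above
    ('my.abc.net ' with a space at the end)."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = KEY_VALUE.match(line)
        if match:
            props[match.group(1)] = match.group(2).lstrip(" \t")
    return props


def resolve(props: Dict[str, str], value: str, depth: int = 0) -> str:
    """Expand ${global:...} references recursively; refuse reference loops."""
    if depth > 8:
        raise ValueError(f"reference loop while expanding {value!r}")
    expanded = GLOBAL_REF.sub(lambda m: props.get(m.group(1), ""), value)
    return expanded if expanded == value else resolve(props, expanded, depth + 1)


def lint_profile(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the profile passed."""
    props = parse_properties(text)
    findings: List[str] = []

    # 1. Trailing whitespace becomes part of the value (and of the host name).
    for key, raw in props.items():
        if raw != raw.rstrip():
            findings.append(f"{key}: trailing whitespace in value {raw!r}")

    # 2. After expansion the server must be a plain host name, or DNS fails.
    server = resolve(props, props.get("pool.default.serverset.single.server", ""))
    if server and not HOST_NAME.fullmatch(server):
        findings.append(f"server {server!r} is not a valid host name (DNS will fail)")

    # 3. The template says "Select one": exactly one include may be active.
    active = sum(1 for line in text.splitlines() if ACTIVE_INCLUDE.match(line))
    if active != 1:
        findings.append(f"expected exactly one active 'include', found {active}")

    # 4. A simple-bind password without STARTTLS crosses the wire in cleartext.
    bind_pw = resolve(props, props.get("pool.default.auth.simple.password", "")).strip()
    starttls = props.get("pool.default.ssl.startTLS", "").strip().lower() == "true"
    if bind_pw and not starttls:
        findings.append("simple bind password set but pool.default.ssl.startTLS "
                        "is not true: credentials are sent in cleartext")
    if starttls and not props.get("pool.default.ssl.truststore.file", "").strip():
        findings.append("startTLS enabled but no truststore configured: server "
                        "certificate cannot be verified")
    return findings


# Constructed sample mirroring the profile posted in the thread, including the
# trailing space after the server name.
BROKEN_PROFILE = (
    "include = <openldap.properties>\n"
    "#include = <389ds.properties>\n"
    "vars.server = my.abc.net \n"
    "vars.user = uid=search,cn=users,dc=abc,dc=net\n"
    "vars.password = company\n"
    "pool.default.serverset.single.server = ${global:vars.server}\n"
    "pool.default.auth.simple.bindDN = ${global:vars.user}\n"
    "pool.default.auth.simple.password = ${global:vars.password}\n"
    "#pool.default.ssl.startTLS = true\n"
)

# The same profile with the space removed and STARTTLS plus a truststore enabled.
FIXED_PROFILE = BROKEN_PROFILE.replace("my.abc.net ", "my.abc.net").replace(
    "#pool.default.ssl.startTLS = true",
    "pool.default.ssl.startTLS = true\n"
    "pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks\n"
    "pool.default.ssl.truststore.password = changeit",
)

if __name__ == "__main__":
    for name, profile in (("broken", BROKEN_PROFILE), ("fixed", FIXED_PROFILE)):
        print(f"{name}: {lint_profile(profile) or ['OK']}")
```

Run it against the real file with `lint_profile(open('/etc/ovirt-engine/aaa/ldap1.properties').read())`; the broken sample reports the trailing space, the unresolvable host name and the cleartext bind, while the fixed one reports nothing.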