Re: [ovirt-users] Can not configure with simple LDAP.

You need to add the following: + <logger category="org.ovirt.engineextensions.aaa.ldap"> + <level name="FINEST"/> + </logger> <logger category="org.ovirt.engine.core.bll"> Look at the + lines, please add these (without the +) just before: <logger category="org.ovirt.engine.core.bll"> Thanks! ----- Original Message ----- > From: "Fumihide Tani" <RXC05271(a)nifty.com&gt; > To: "Alon Bar-Lev" <alonbl(a)redhat.com&gt; > Cc: users(a)ovirt.org > Sent: Monday, September 22, 2014 1:10:57 PM > Subject: Re: [ovirt-users] Can not configure with simple LDAP. > > (2014/09/22 15:00), Alon Bar-Lev wrote: >> ----- Original Message ----- >>> From: "Fumihide Tani" <RXC05271(a)nifty.com&gt; >>> To: "Alon Bar-Lev" <alonbl(a)redhat.com&gt; >>> Cc: users(a)ovirt.org >>> Sent: Monday, September 22, 2014 4:16:17 AM >>> Subject: Re: [ovirt-users] Can not configure with simple LDAP. >>> >>> (2014/09/22 0:16), Alon Bar-Lev wrote: >>>> ----- Original Message ----- >>>>> From: "Fumihide Tani" <RXC05271(a)nifty.com&gt; >>>>> To: "Alon Bar-Lev" <alonbl(a)redhat.com&gt; >>>>> Cc: users(a)ovirt.org >>>>> Sent: Sunday, September 21, 2014 6:00:48 PM >>>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP. >>>>> >>>>> Hi, Alon, >>>>> >>>>> Following Alon's advice, I added authz-company.properties file to the >>>>> configuration directory. >>>>> Then OpenLDAP users can searched from oVirt Web admin. and I could add >>>>> it's >>>>> users >>>>> to the portal successfully. >>>>> >>>>> But I have another problem. >>>>> These OpenLDAP users that I added can not login to ovirt web user >>>>> portal. >>>>> >>>>> User Name: Fumihide (This is shown on Web Admin Portal "Users" tab as >>>>> "First >>>>> Name") >>>>> Password: (I specified it as OpenLDAP's userPassword for "Fumihide") >>>>> Domain: rxc05271.com (I selected instead of "internal") >>>>> >>>>> ? >>>> 1. What error do you get at ui? >>> "The user name or password is incorrect." >>> >>>> 2. Please look at engine.log while attempting to login, if you see >>>> something helpful. >>> 2014-09-22 09:53:27,669 INFO >>> [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] >>> (ajp--127.0.0.1-8702-2) Cant login user "Fumihide" with authentication >>> profile "rxc05271.com" because the authentication failed. >>> 2014-09-22 09:53:27,685 ERROR >>> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] >>> (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom >>> Event >>> ID: -1, Message: User Fumihide cannot login, please verify the username >>> and >>> password. >>> 2014-09-22 09:53:27,693 ERROR >>> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] >>> (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom >>> Event >>> ID: -1, Message: User Fumihide failed to log in. >>> 2014-09-22 09:53:27,693 WARN >>> [org.ovirt.engine.core.bll.aaa.LoginUserCommand] >>> (ajp--127.0.0.1-8702-2) CanDoAction of action LoginUser failed. >>> Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD >>> >>>> 3. Please make sure that the following is a success: >>>> $ ldapsearch -h <HOST> -x -W -D <LOGIN_USER_DN> -b <BASE_DN> >>>> uid=<LOGIN_NAME> >>> [root@ovirt ~]# ldapsearch -H ldapi:/// -x -W -D >>> "uid=tani,ou=Users,dc=rxc05271,dc=com" -b 'dc=rxc05271,dc=com' -x >>> '(uid=tani)' >>> Enter LDAP Password: >>> # extended LDIF >>> # >>> # LDAPv3 >>> # base <dc=rxc05271,dc=com> with scope subtree >>> # filter: (uid=tani) >>> # requesting: ALL >>> # >>> >>> # tani, Users, rxc05271.com >>> dn: uid=tani,ou=Users,dc=rxc05271,dc=com >>> objectClass: inetOrgPerson >>> objectClass: uidObject >>> uid: tani >>> cn: Fumihide Tani >>> givenName: Fumihide >>> mail: tani(a)rxc05271.com >>> sn: Tani >>> userPassword:: a3VtaXRhbg== >>> >>> # search result >>> search: 2 >>> result: 0 Success >>> >>> # numResponses: 2 >>> # numEntries: 1 >>> [root@ovirt ~]# >>> >>>> 4. If working please modify >>>> /usr/share/ovirt-enigne/services/ovirt-enigne/ovirt-enigne.xml.in >>>> --- >>>> <file-handler name="ENGINE" autoflush="true"> >>>> - <level name="INFO"/> >>>> - <level name="FINEST"/> >>>> <snip> >>>> + <logger category="org.ovirt.engineextensions.aaa.ldap"> >>>> + <level name="FINEST"/> >>>> + </logger> >>>> <logger category="org.ovirt.engine.core.bll"> >>>> --- >>>> Restart engine, attempt login, send me the output. >>> 2014-09-22 10:03:57,517 INFO >>> [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] >>> (ajp--127.0.0.1-8702-7) Cant login user "Fumihide" with authentication >>> profile "rxc05271.com" because the authentication failed. >>> 2014-09-22 10:03:57,534 ERROR >>> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] >>> (ajp--127.0.0.1-8702-7) Correlation ID: null, Call Stack: null, Custom >>> Event >>> ID: -1, Message: User Fumihide cannot login, please verify the username >>> and >>> password. >>> 2014-09-22 10:03:57,545 ERROR >>> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] >>> (ajp--127.0.0.1-8702-7) Correlation ID: null, Call Stack: null, Custom >>> Event >>> ID: -1, Message: User Fumihide failed to log in. >>> 2014-09-22 10:03:57,545 WARN >>> [org.ovirt.engine.core.bll.aaa.LoginUserCommand] >>> (ajp--127.0.0.1-8702-7) CanDoAction of action LoginUser failed. >>> Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD >>> >>> (logger level is not changed to FINEST? outputs is same as above.) >>> >> I had a mistake above... the file-handler level should be set to finest. >> >> <file-handler name="ENGINE" autoflush="true"> >> <level name="FINEST"/> >> >> can you confirm? >> or best send me the engine.xml.in file and I can see what's wrong. >> >> thanks! > I set file-handler's level name to "FINEST". but outputs are same as before. > I attached the ovirt-engine.xml.in > > Regards, > >> >>> Thanks, >>> Fumihide Tani >>> >>> >>>>> Please advice me, it's so thanksfull. >>>>> >>>>> Fumihide Tani >>>>> >>>>> >>>>> (2014/09/21 17:13), Alon Bar-Lev wrote: >>>>>> ----- Original Message ----- >>>>>>> From: "Fumihide Tani" <RXC05271(a)nifty.com&gt; >>>>>>> To: "Alon Bar-Lev" <alonbl(a)redhat.com&gt; >>>>>>> Cc: users(a)ovirt.org >>>>>>> Sent: Sunday, September 21, 2014 11:11:11 AM >>>>>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP. >>>>>>> >>>>>>> Hi, Alon >>>>>>> >>>>>>> Very thanks for your help. >>>>>>> My problem was solved and the AAA is working now. >>>>>>> I could add LDAP user. :) >>>>>> Great. >>>>>> Can you please send me a patch or modified README to make it better? >>>>>> >>>>>> Alon >>>>>> >>>>>>> Fumihide Tani >>>>>>> >>>>>>> (2014/09/21 16:19), Alon Bar-Lev wrote: >>>>>>>> ----- Original Message ----- >>>>>>>>> From: "Alon Bar-Lev" <alonbl(a)redhat.com&gt; >>>>>>>>> To: "Fumihide Tani" <RXC05271(a)nifty.com&gt; >>>>>>>>> Cc: users(a)ovirt.org >>>>>>>>> Sent: Sunday, September 21, 2014 10:19:11 AM >>>>>>>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP. >>>>>>>>> >>>>>>>>> Hi, >>>>>>>>> >>>>>>>>> You need to create authz extension as well (authz-company). >>>>>>>>> The configuration you provided is establishing authentication only >>>>>>>>> (authn) >>>>>>>>> which refer to authz-company but you did not add it. >>>>>>>>> >>>>>>>>> The terms are: >>>>>>>>> 1. authn - who the user is. >>>>>>>>> 2. authz - what user is permitted. >>>>>>>>> 3. profile - combination of the two. >>>>>>>>> >>>>>>>>> ----------------------------- >>>>>>>>> # vi /etc/ovirt-engine/extensions.d/authz-company.properties >>>>>>>>> ovirt.engine.extension.name = authz-company >>>>>>>>> ovirt.engine.extension.bindings.method = jbossmodule >>>>>>>>> ovirt.engine.extension.binding.jbossmodule.module = >>>>>>>>> org.ovirt.engine-extensions.aaa.ldap >>>>>>>>> ovirt.engine.extension.binding.jbossmodule.class = >>>>>>>>> org.ovirt.engineextensions.aaa.ldap.AuthnExtension >>>>>>>> Sorry: >>>>>>>> org.ovirt.engineextensions.aaa.ldap.AuthzExtension >>>>>>>>> ovirt.engine.extension.provides = >>>>>>>>> org.ovirt.engine.api.extensions.aaa.Authz >>>>>>>>> config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties >>>>>>>>> -------------------------------------------------- >>>>>>>>> >>>>>>>>> Regards, >>>>>>>>> Alon >>> >