
22 Sep 2014, 2:36 p.m.
Hi, Alon,

I modified ovirt-engine.xml.in and restarted ovirt-engine. Attached is the modified ovirt-engine.xml.in.
The engine.log outputs are the following (unfortunately it became the same result):

-----
2014-09-22 19:48:11,245 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-2) Cant login user "Fumihide" with authentication profile "rxc05271.com" because the authentication failed.
2014-09-22 19:48:11,257 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide cannot login, please verify the username and password.
2014-09-22 19:48:11,265 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide failed to log in.
2014-09-22 19:48:11,266 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-2) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
-----

As the cause of the OpenLDAP user login failure, I suspect that my OpenLDAP password encryption method setting does not match oVirt's. Is there any method to verify?

Thanks,

(2014/09/22 19:15), Alon Bar-Lev wrote:
> You need to add the following:
>
> + <logger category="org.ovirt.engineextensions.aaa.ldap">
> +   <level name="FINEST"/>
> + </logger>
>   <logger category="org.ovirt.engine.core.bll">
>
> Look at the + lines, please add these (without the +) just before: <logger category="org.ovirt.engine.core.bll">
>
> Thanks!
>
> ----- Original Message -----
>> From: "Fumihide Tani" <RXC05271@nifty.com>
>> To: "Alon Bar-Lev" <alonbl@redhat.com>
>> Cc: users@ovirt.org
>> Sent: Monday, September 22, 2014 1:10:57 PM
>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>>
>> (2014/09/22 15:00), Alon Bar-Lev wrote:
>>> ----- Original Message -----
>>>> From: "Fumihide Tani" <RXC05271@nifty.com>
>>>> To: "Alon Bar-Lev" <alonbl@redhat.com>
>>>> Cc: users@ovirt.org
>>>> Sent: Monday, September 22, 2014 4:16:17 AM
>>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>>>>
>>>> (2014/09/22 0:16), Alon Bar-Lev wrote:
>>>>> ----- Original Message -----
>>>>>> From: "Fumihide Tani" <RXC05271@nifty.com>
>>>>>> To: "Alon Bar-Lev" <alonbl@redhat.com>
>>>>>> Cc: users@ovirt.org
>>>>>> Sent: Sunday, September 21, 2014 6:00:48 PM
>>>>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>>>>>>
>>>>>> Hi, Alon,
>>>>>>
>>>>>> Following Alon's advice, I added the authz-company.properties file to the
>>>>>> configuration directory.
>>>>>> Then OpenLDAP users can be searched from the oVirt Web Admin, and I could add
>>>>>> its users to the portal successfully.
>>>>>>
>>>>>> But I have another problem.
>>>>>> These OpenLDAP users that I added can not login to the oVirt web user portal.
>>>>>>
>>>>>> User Name: Fumihide (This is shown on the Web Admin Portal "Users" tab as "First Name")
>>>>>> Password: (I specified it as OpenLDAP's userPassword for "Fumihide")
>>>>>> Domain: rxc05271.com (I selected it instead of "internal")
>>>>>>
>>>>>> ?
>>>>> 1. What error do you get at the UI?
>>>> "The user name or password is incorrect."
>>>>
>>>>> 2. Please look at engine.log while attempting to login, if you see
>>>>> something helpful.
>>>> 2014-09-22 09:53:27,669 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-2) Cant login user "Fumihide" with authentication profile "rxc05271.com" because the authentication failed.
>>>> 2014-09-22 09:53:27,685 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide cannot login, please verify the username and password.
>>>> 2014-09-22 09:53:27,693 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide failed to log in.
>>>> 2014-09-22 09:53:27,693 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-2) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
>>>>
>>>>> 3. Please make sure that the following is a success:
>>>>> $ ldapsearch -h <HOST> -x -W -D <LOGIN_USER_DN> -b <BASE_DN> uid=<LOGIN_NAME>
>>>> [root@ovirt ~]# ldapsearch -H ldapi:/// -x -W -D "uid=tani,ou=Users,dc=rxc05271,dc=com" -b 'dc=rxc05271,dc=com' -x '(uid=tani)'
>>>> Enter LDAP Password:
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base <dc=rxc05271,dc=com> with scope subtree
>>>> # filter: (uid=tani)
>>>> # requesting: ALL
>>>> #
>>>>
>>>> # tani, Users, rxc05271.com
>>>> dn: uid=tani,ou=Users,dc=rxc05271,dc=com
>>>> objectClass: inetOrgPerson
>>>> objectClass: uidObject
>>>> uid: tani
>>>> cn: Fumihide Tani
>>>> givenName: Fumihide
>>>> mail: tani@rxc05271.com
>>>> sn: Tani
>>>> userPassword:: a3VtaXRhbg==
>>>>
>>>> # search result
>>>> search: 2
>>>> result: 0 Success
>>>>
>>>> # numResponses: 2
>>>> # numEntries: 1
>>>> [root@ovirt ~]#
>>>>
>>>>> 4. If working please modify /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in
>>>>> ---
>>>>> <file-handler name="ENGINE" autoflush="true">
>>>>> - <level name="INFO"/>
>>>>> - <level name="FINEST"/>
>>>>> <snip>
>>>>> + <logger category="org.ovirt.engineextensions.aaa.ldap">
>>>>> + <level name="FINEST"/>
>>>>> + </logger>
>>>>> <logger category="org.ovirt.engine.core.bll">
>>>>> ---
>>>>> Restart engine, attempt login, send me the output.
>>>> 2014-09-22 10:03:57,517 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-7) Cant login user "Fumihide" with authentication profile "rxc05271.com" because the authentication failed.
>>>> 2014-09-22 10:03:57,534 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-7) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide cannot login, please verify the username and password.
>>>> 2014-09-22 10:03:57,545 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-7) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide failed to log in.
>>>> 2014-09-22 10:03:57,545 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-7) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
>>>>
>>>> (Is the logger level not changed to FINEST? The output is the same as above.)
>>>>
>>> I had a mistake above... the file-handler level should be set to finest.
>>>
>>> <file-handler name="ENGINE" autoflush="true">
>>>   <level name="FINEST"/>
>>>
>>> can you confirm?
>>> or best send me the engine.xml.in file and I can see what's wrong.
>>>
>>> thanks!
>> I set the file-handler's level name to "FINEST", but the outputs are the same as before.
>> I attached the ovirt-engine.xml.in
>>
>> Regards,
>>
>>>
>>>> Thanks,
>>>> Fumihide Tani
>>>>
>>>>
>>>>>> Please advise me, I would be so thankful.
>>>>>>
>>>>>> Fumihide Tani
>>>>>>
>>>>>>
>>>>>> (2014/09/21 17:13), Alon Bar-Lev wrote:
>>>>>>> ----- Original Message -----
>>>>>>>> From: "Fumihide Tani" <RXC05271@nifty.com>
>>>>>>>> To: "Alon Bar-Lev" <alonbl@redhat.com>
>>>>>>>> Cc: users@ovirt.org
>>>>>>>> Sent: Sunday, September 21, 2014 11:11:11 AM
>>>>>>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>>>>>>>>
>>>>>>>> Hi, Alon
>>>>>>>>
>>>>>>>> Many thanks for your help.
>>>>>>>> My problem was solved and the AAA is working now.
>>>>>>>> I could add an LDAP user. :)
>>>>>>> Great.
>>>>>>> Can you please send me a patch or modified README to make it better?
>>>>>>>
>>>>>>> Alon
>>>>>>>
>>>>>>>> Fumihide Tani
>>>>>>>>
>>>>>>>> (2014/09/21 16:19), Alon Bar-Lev wrote:
>>>>>>>>> ----- Original Message -----
>>>>>>>>>> From: "Alon Bar-Lev" <alonbl@redhat.com>
>>>>>>>>>> To: "Fumihide Tani" <RXC05271@nifty.com>
>>>>>>>>>> Cc: users@ovirt.org
>>>>>>>>>> Sent: Sunday, September 21, 2014 10:19:11 AM
>>>>>>>>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> You need to create the authz extension as well (authz-company).
>>>>>>>>>> The configuration you provided is establishing authentication only (authn),
>>>>>>>>>> which refers to authz-company, but you did not add it.
>>>>>>>>>>
>>>>>>>>>> The terms are:
>>>>>>>>>> 1. authn - who the user is.
>>>>>>>>>> 2. authz - what the user is permitted.
>>>>>>>>>> 3. profile - combination of the two.
>>>>>>>>>>
>>>>>>>>>> -----------------------------
>>>>>>>>>> # vi /etc/ovirt-engine/extensions.d/authz-company.properties
>>>>>>>>>> ovirt.engine.extension.name = authz-company
>>>>>>>>>> ovirt.engine.extension.bindings.method = jbossmodule
>>>>>>>>>> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>>>>>>>>>> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
>>>>>>>>> Sorry:
>>>>>>>>> org.ovirt.engineextensions.aaa.ldap.AuthzExtension
>>>>>>>>>> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
>>>>>>>>>> config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
>>>>>>>>>> --------------------------------------------------
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Alon
>>>>
>>
>
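The two configuration slips the thread works through (an authn profile pointing at an authz-company extension that was never created, and an Authz extension bound to the AuthnExtension class) can both be caught by a consistency check over the files in extensions.d before the engine is restarted. This is an added example, not code from the thread or from the oVirt project; the key name ovirt.engine.aaa.authn.authz.plugin is assumed to be the authn-to-authz link in the LDAP extension's authn properties, and the sample property texts are constructed.

```python
EXPECTED_CLASS = {  # 'provides' interface -> class that must implement it
    "org.ovirt.engine.api.extensions.aaa.Authn": "org.ovirt.engineextensions.aaa.ldap.AuthnExtension",
    "org.ovirt.engine.api.extensions.aaa.Authz": "org.ovirt.engineextensions.aaa.ldap.AuthzExtension",
}

def parse_properties(text):
    """Parse Java-style .properties text into a dict; blank lines and # comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_extensions(files):
    """files: {filename: properties text}. Returns a list of problems (empty means consistent)."""
    exts = {p["ovirt.engine.extension.name"]: p
            for p in map(parse_properties, files.values())}
    problems = []
    for name, p in exts.items():
        provides = p.get("ovirt.engine.extension.provides", "")
        cls = p.get("ovirt.engine.extension.binding.jbossmodule.class", "")
        if provides in EXPECTED_CLASS and cls != EXPECTED_CLASS[provides]:
            problems.append(f"{name}: provides {provides.rsplit('.', 1)[-1]} but binds {cls.rsplit('.', 1)[-1]}")
        if not p.get("config.profile.file.1"):
            problems.append(f"{name}: config.profile.file.1 is not set")
        if provides.endswith(".Authn"):
            authz = p.get("ovirt.engine.aaa.authn.authz.plugin")  # assumed key name
            if authz not in exts:
                problems.append(f"{name}: authz '{authz}' has no extension file")
            elif not exts[authz].get("ovirt.engine.extension.provides", "").endswith(".Authz"):
                problems.append(f"{name}: '{authz}' is not an Authz extension")
    return problems

# Constructed sample: the authn file as the thread assumes it, plus an authz file with
# the class mistake Alon corrects (AuthnExtension under an Authz 'provides').
AUTHN = """ovirt.engine.extension.name = authn-company
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.authz.plugin = authz-company
config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
"""
AUTHZ_BAD = """ovirt.engine.extension.name = authz-company
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
"""
AUTHZ_OK = AUTHZ_BAD.replace("AuthnExtension", "AuthzExtension")
```

Running `check_extensions` over the real directory only needs the file contents read into the dict; a non-empty list means the engine would have loaded a broken profile.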