
Hi Ondra,
I assigned permissions to an LDAP group and it just needed me to remove that group and re-add it for it to authorize again. Yes, the UPN is user@domain in our case. Not a big deal, but is there a plan to change the display name? I get confused looks and questions when people log in.
All working now, many thanks once again for all your help!
Cheers,
Cam
On Mon, Oct 17, 2016 at 10:06 AM, Ondra Machacek <omachace@redhat.com> wrote:
Hi Cam,
this is OK, because we use the user principal name (UPN)[1] for the 'username' field of oVirt. So the resulting username will consist of UPN@authz-extension, so if your user's UPN is 'user@domain' and you name your authz extension 'domain', then the resulting username will be 'user@domain@domain'.
The reason you can't get authorized is that you didn't assign any permissions to your user.
[1] https://msdn.microsoft.com/en-us/library/ms680857(v=vs.85).aspx
On 10/14/2016 04:30 PM, cmc wrote:
Hi Ondra,
It manages to authenticate, but appends the domain again once I'm logged in, for instance, if I log in as user 'cam', it will log me in, and display the login name in the top right corner as 'cam@domain.com@domain.com' (this shows up in the log as well: it shows me logging in as cam@domain.com, but then returns an error as user cam@domain.com@domain.com is not authorized). My thought was that something done earlier when I was playing around with sssd, kerberos and AD is doing this, though I have removed these packages and run authconfig to remove sssd. Any ideas?
Cheers,
Cam
On Thu, Oct 13, 2016 at 2:04 PM, cmc <iucounu@gmail.com> wrote:
Hi Ondra,
That is good to know that we don't need Kerberos - it complicates things a lot.
I think the errors might be the options I'd selected during the setup. I was thrown a bit that it passed all the internal tests provided by the setup script, but failed on the web GUI. When I've seen 'unspecified GSS failure' and 'peer not authenticated' it's usually been due to Kerberos (though admittedly these are just generic errors). So I tried the Red Hat guide for SSO at:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/Configuring_LDAP_and_Kerberos_for_Single_Sign-on.html
which uses Kerberos (in ovirt-sso.conf). I had to remove the symlink to the Apache config it says to create, as it results in internal server errors in Apache. It uses an SPN for Apache in the keytab.
Now that you've confirmed that it can actually work without any need for the Kerberos stuff, I will start afresh from a clean setup and apply what I've learnt during this process.
I'll try it out and let you know either way.
Many thanks for all the help!
Kind regards,
Cam
Yes, you really do not need anything Kerberos-related to securely bind to AD via LDAP simple bind over TLS/SSL. This is really strange to me what errors you are getting, but you probably configured Apache (or something else?) to require a keytab, but you don't have to, and you can remove that configuration.
Thanks,
Cam
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users