Hello,
I'm running oVirt Engine, OpenLDAP and BIND on the same machine, and the oVirt
host (hypervisor) on another machine.
I tried to configure OpenLDAP using ovirt-engine-extension-aaa-ldap, but no
LDAP users can be searched for or added from the Web Admin Portal.
CentOS release 6.5 (Final)
ovirt-engine.noarch 3.5.0-0.0.master.20140821064931.gitb794d66.el6
ovirt-engine-extension-aaa-ldap.noarch
0.0.0-0.0.master.20140904095149.gitc7bd415.el6
openldap-clients.x86_64 2.4.23-34.el6_5.1
openldap-servers.x86_64 2.4.23-34.el6_5.1
cyrus-sasl-gssapi.x86_64 2.1.23-13.el6_3.1
bind.x86_64 32:9.8.2-0.23.rc1.el6_5.1
My setup procedures:
-------------------------------------------------------------------------------
# yum -y install openldap-servers openldap-clients
# yum -y install cyrus-sasl-gssapi
-------------------------------------------------------------------------------
# rm -rf /etc/openldap/slapd.d
# rm -rf /var/lib/ldap/*
-------------------------------------------------------------------------------
(Copy slapd.conf template)
# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
-------------------------------------------------------------------------------
# vi /etc/openldap/slapd.conf
....(snip)....
# uncomment
moduleload memberof.la
....(snip)....
# modify value
by dn.exact="cn=Manager,dc=rxc05271,dc=com" read
....(snip)....
# add the next two lines right under "database definitions"
authz-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
"cn=Manager,dc=rxc05271,dc=com"
....(snip)....
# modify value
suffix "dc=rxc05271,dc=com"
....(snip)....
# modify value
rootdn "cn=Manager,dc=rxc05271,dc=com"
....(snip)....
# uncomment
rootpw secret
....(snip)....
# add the following lines to the end of the file
overlay memberof
loglevel 4
-------------------------------------------------------------------------------
(Enabling SSL/TLS)
# vi /etc/sysconfig/ldap
SLAPD_LDAPS=yes
-------------------------------------------------------------------------------
(Enabling OpenLDAP log output)
# echo "local4.* /var/log/ldap.log" > /etc/rsyslog.d/ldaplog.conf
# service rsyslog restart
-------------------------------------------------------------------------------
# service slapd start
# chkconfig slapd on
-------------------------------------------------------------------------------
# vi ldapconfig.ldif
dn: dc=rxc05271,dc=com
objectClass: dcObject
objectClass: organization
dc: rxc05271
o: RXC05271
dn: ou=Groups,dc=rxc05271,dc=com
objectclass: organizationalUnit
ou: Groups
dn: ou=Users,dc=rxc05271,dc=com
objectclass: organizationalUnit
ou: Users
dn: uid=tani,ou=Users,dc=rxc05271,dc=com
objectclass: inetOrgPerson
objectclass: uidObject
uid: tani
cn: Tani
givenName: Fumihide
mail: tani@rxc05271.com
sn: 0
dn: cn=Power-Users,ou=Groups,dc=rxc05271,dc=com
objectclass: groupOfNames
cn: Power-Users
member: uid=tani,ou=Users,dc=rxc05271,dc=com
-------------------------------------------------------------------------------
# ldapadd -x -D "cn=Manager,dc=rxc05271,dc=com" -w secret -f ldapconfig.ldif
-------------------------------------------------------------------------------
# vi setsasl.ldif
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,noplain,minssf=1
-
-------------------------------------------------------------------------------
# ldapmodify -x -D "cn=Manager,dc=rxc05271,dc=com" -w secret -f setsasl.ldif
-------------------------------------------------------------------------------
# ldapsearch -LL -Y EXTERNAL -H ldapi:/// "(uid=tani)" -b dc=rxc05271,dc=com memberOf
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
version: 1
dn: uid=tani,ou=Users,dc=rxc05271,dc=com
memberOf: cn=Power-Users,ou=Groups,dc=rxc05271,dc=com
-------------------------------------------------------------------------------
# yum install ovirt-engine-extension-aaa-ldap
-------------------------------------------------------------------------------
# vi /etc/ovirt-engine/extensions.d/authn-company.properties
ovirt.engine.extension.name = authn-company
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = rxc05271.com
ovirt.engine.aaa.authn.authz.plugin = authz-company
config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
-------------------------------------------------------------------------------
# vi /etc/ovirt-engine/aaa/rxc05271.properties
include = <openldap.properties>
vars.user = cn=Manager,dc=rxc05271,dc=com
vars.password = 12345678
vars.server = ldap.rxc05271.com
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = /etc/openldap/certs/ldap.jks
pool.default.ssl.truststore.password = 12345678
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
-------------------------------------------------------------------------------
(Add DNS records)
# vi /var/named/rxc05271.com.db
(snip)
ldap IN A 192.168.0.5
_ldap._tcp.rxc05271.com. IN SRV 10 0 389 ovirt.rxc05271.com.
# vi /var/named/0.168.192.in-addr.arpa.db
(snip)
5 IN PTR ldap.rxc05271.com.
# service named restart
-------------------------------------------------------------------------------
# service ovirt-engine restart
-------------------------------------------------------------------------------
(ldap.log outputs after ovirt-engine restart)
[root@ovirt ~]# cat /var/log/ldap.log
Sep 21 14:33:20 ovirt slapd[19276]: connection_get(15)
Sep 21 14:33:20 ovirt slapd[19276]: connection_get(18)
Sep 21 14:33:20 ovirt slapd[19276]: connection_get(17)
Sep 21 14:33:20 ovirt slapd[19276]: connection_get(19)
Sep 21 14:33:20 ovirt slapd[19276]: connection_get(20)
Sep 21 14:33:20 ovirt slapd[19276]: connection_get(21)
Sep 21 14:33:20 ovirt slapd[19276]: connection_get(23)
Sep 21 14:33:20 ovirt slapd[19276]: connection_get(22)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(15)
Sep 21 14:33:25 ovirt slapd[19276]: do_extended: oid=1.3.6.1.4.1.1466.20037
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(15)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(15)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(15)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(15)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(15)
Sep 21 14:33:25 ovirt slapd[19276]: ==> bdb_bind: dn: cn=Manager,dc=rxc05271,dc=com
Sep 21 14:33:25 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(17)
Sep 21 14:33:25 ovirt slapd[19276]: do_extended: oid=1.3.6.1.4.1.1466.20037
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(17)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(17)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(17)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(17)
Sep 21 14:33:25 ovirt slapd[19276]: ==> bdb_bind: dn: cn=Manager,dc=rxc05271,dc=com
Sep 21 14:33:25 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(18)
Sep 21 14:33:25 ovirt slapd[19276]: do_extended: oid=1.3.6.1.4.1.1466.20037
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(18)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(18)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(18)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(18)
Sep 21 14:33:25 ovirt slapd[19276]: ==> bdb_bind: dn: cn=Manager,dc=rxc05271,dc=com
Sep 21 14:33:25 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(19)
Sep 21 14:33:25 ovirt slapd[19276]: do_extended: oid=1.3.6.1.4.1.1466.20037
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(19)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(19)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(19)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(19)
Sep 21 14:33:25 ovirt slapd[19276]: ==> bdb_bind: dn: cn=Manager,dc=rxc05271,dc=com
Sep 21 14:33:25 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(15)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(15)
Sep 21 14:33:25 ovirt slapd[19276]: SRCH "" 0 0
Sep 21 14:33:25 ovirt slapd[19276]: 1 0 0
Sep 21 14:33:25 ovirt slapd[19276]: filter: (objectClass=*)
Sep 21 14:33:25 ovirt slapd[19276]: attrs:
Sep 21 14:33:25 ovirt slapd[19276]: *
Sep 21 14:33:25 ovirt slapd[19276]: +
Sep 21 14:33:25 ovirt slapd[19276]: altServer
Sep 21 14:33:25 ovirt slapd[19276]: changelog
Sep 21 14:33:25 ovirt slapd[19276]: firstChangeNumber
Sep 21 14:33:25 ovirt slapd[19276]: lastChangeNumber
Sep 21 14:33:25 ovirt slapd[19276]: lastPurgedChangeNumber
Sep 21 14:33:25 ovirt slapd[19276]: namingContexts
Sep 21 14:33:25 ovirt slapd[19276]: subschemaSubentry
Sep 21 14:33:25 ovirt slapd[19276]: supportedAuthPasswordSchemes
Sep 21 14:33:25 ovirt slapd[19276]: supportedControl
Sep 21 14:33:25 ovirt slapd[19276]: supportedExtension
Sep 21 14:33:25 ovirt slapd[19276]: supportedFeatures
Sep 21 14:33:25 ovirt slapd[19276]: supportedLDAPVersion
Sep 21 14:33:25 ovirt slapd[19276]: supportedSASLMechanisms
Sep 21 14:33:25 ovirt slapd[19276]: vendorName
Sep 21 14:33:25 ovirt slapd[19276]: vendorVersion
Sep 21 14:33:25 ovirt slapd[19276]:
Sep 21 14:33:25 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(20)
Sep 21 14:33:25 ovirt slapd[19276]: do_extended: oid=1.3.6.1.4.1.1466.20037
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(20)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(20)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(20)
Sep 21 14:33:26 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(21)
Sep 21 14:33:26 ovirt slapd[19276]: do_extended: oid=1.3.6.1.4.1.1466.20037
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(21)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(21)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(21)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(21)
Sep 21 14:33:26 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(22)
Sep 21 14:33:26 ovirt slapd[19276]: do_extended: oid=1.3.6.1.4.1.1466.20037
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(22)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(22)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(22)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(22)
Sep 21 14:33:26 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(23)
Sep 21 14:33:26 ovirt slapd[19276]: do_extended: oid=1.3.6.1.4.1.1466.20037
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(23)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(23)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(23)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(23)
Sep 21 14:33:26 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(20)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(20)
Sep 21 14:33:26 ovirt slapd[19276]: SRCH "" 0 0
Sep 21 14:33:26 ovirt slapd[19276]: 1 0 0
Sep 21 14:33:26 ovirt slapd[19276]: filter: (objectClass=*)
Sep 21 14:33:26 ovirt slapd[19276]: attrs:
Sep 21 14:33:26 ovirt slapd[19276]: *
Sep 21 14:33:26 ovirt slapd[19276]: +
Sep 21 14:33:26 ovirt slapd[19276]: altServer
Sep 21 14:33:26 ovirt slapd[19276]: changelog
Sep 21 14:33:26 ovirt slapd[19276]: firstChangeNumber
Sep 21 14:33:26 ovirt slapd[19276]: lastChangeNumber
Sep 21 14:33:26 ovirt slapd[19276]: lastPurgedChangeNumber
Sep 21 14:33:26 ovirt slapd[19276]: namingContexts
Sep 21 14:33:26 ovirt slapd[19276]: subschemaSubentry
Sep 21 14:33:26 ovirt slapd[19276]: supportedAuthPasswordSchemes
Sep 21 14:33:26 ovirt slapd[19276]: supportedControl
Sep 21 14:33:26 ovirt slapd[19276]: supportedExtension
Sep 21 14:33:26 ovirt slapd[19276]: supportedFeatures
Sep 21 14:33:26 ovirt slapd[19276]: supportedLDAPVersion
Sep 21 14:33:26 ovirt slapd[19276]: supportedSASLMechanisms
Sep 21 14:33:26 ovirt slapd[19276]: vendorName
Sep 21 14:33:26 ovirt slapd[19276]: vendorVersion
Sep 21 14:33:26 ovirt slapd[19276]:
Sep 21 14:33:26 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(17)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(17)
Sep 21 14:33:26 ovirt slapd[19276]: SRCH "" 0 0
Sep 21 14:33:26 ovirt slapd[19276]: 0 0 0
Sep 21 14:33:26 ovirt slapd[19276]: filter: (&(objectClass=*))
Sep 21 14:33:26 ovirt slapd[19276]: attrs:
Sep 21 14:33:26 ovirt slapd[19276]: namingContexts
Sep 21 14:33:26 ovirt slapd[19276]:
Sep 21 14:33:26 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
-------------------------------------------------------------------------------
(engine.log outputs after ovirt-engine restart)
# cat /var/log/ovirt-engine/engine.log | grep extensions
2014-09-21 14:33:25,591 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-15) Creating LDAP pool 'authz' for 'authn-company'
2014-09-21 14:33:25,962 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-15) Creating LDAP pool 'authn' for 'authn-company'
2014-09-21 14:33:26,195 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-15) Start of enabled extensions list
2014-09-21 14:33:26,196 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-15) Instance name: 'builtin-authn-internal', Extension name: 'Internal Authn (Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: 'N/A', Initialized: 'true'
2014-09-21 14:33:26,196 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-15) Instance name: 'authn-company', Extension name: 'aaa.ldap.authn', Version: '0.0.0_master', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-0.0.0-0.0.master.20140904095149.gitc7bd415.el6', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/authn-company.properties', Initialized: 'true'
2014-09-21 14:33:26,197 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-15) Instance name: 'internal', Extension name: 'Internal Authz (Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: 'N/A', Initialized: 'true'
2014-09-21 14:33:26,197 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-15) End of enabled extensions list
-------------------------------------------------------------------------------
I could not find any errors in engine.log or in ldap.log.
And I cannot search for or add LDAP users from the Web Admin Portal.
I click the "Users" tab, then click "Add".
I can select only "internal (internal)" in the "Search" field of the
[Add Users and Groups] dialog.
I do not know where the cause is. Am I missing other required settings?
Thanks,
Fumihide Tani
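The enabled-extensions list in the engine.log above contains the 'authn-company' authn extension and only the built-in 'internal' authz extension, while authn-company.properties points at an authz plugin named 'authz-company'. The following is an added example (not part of the original post and not code from the ovirt-engine-extension-aaa-ldap project) that parses the extension property files and reports an authn extension whose ovirt.engine.aaa.authn.authz.plugin does not resolve to a defined extension providing the Authz interface. The authn file is a constructed copy of the one in the post; the companion authz file is an assumption that follows the layout of the extension's README, and the file names and the parse_properties/check_extensions helpers are this example's own. The check only reads the extension definitions; it never opens the profile files that hold the bind password.

```python
"""Consistency check for oVirt AAA extension property files.

Added example, not part of the original mailing-list post or of the
ovirt-engine-extension-aaa-ldap project. It parses extension
definitions of the kind kept under /etc/ovirt-engine/extensions.d/
(here: constructed in-memory copies) and reports an authn extension
whose ovirt.engine.aaa.authn.authz.plugin names an authz extension
that is not defined. The authz file below is an assumption based on
the extension README's layout, not something shown in the post.
"""
import re
from typing import Dict, List

AUTHN_IFACE = "org.ovirt.engine.api.extensions.aaa.Authn"
AUTHZ_IFACE = "org.ovirt.engine.api.extensions.aaa.Authz"

# Constructed copy of the authn-company.properties shown in the post.
AUTHN_COMPANY = """\
ovirt.engine.extension.name = authn-company
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = rxc05271.com
ovirt.engine.aaa.authn.authz.plugin = authz-company
config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
"""

# Assumed companion authz definition (layout follows the extension README;
# the post does not show such a file).
AUTHZ_COMPANY = """\
ovirt.engine.extension.name = authz-company
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: 'key = value' or 'key: value',
    '#'/'!' comment lines, trailing-backslash line continuation.
    Enough for the engine's extension files."""
    props: Dict[str, str] = {}
    logical = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            logical += line[:-1]
            continue
        logical += line
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", logical)
        logical = ""
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_extensions(files: Dict[str, str]) -> List[str]:
    """Return human-readable findings for a set of extension files
    (file name -> contents). An empty list means every authn extension
    refers to a defined extension that provides the Authz interface."""
    findings: List[str] = []
    by_name: Dict[str, Dict[str, str]] = {}
    for fname, text in files.items():
        p = parse_properties(text)
        name = p.get("ovirt.engine.extension.name")
        if not name:
            findings.append(f"{fname}: missing ovirt.engine.extension.name")
            continue
        if name in by_name:
            findings.append(f"{fname}: duplicate extension name '{name}'")
        by_name[name] = p
    for name, p in by_name.items():
        if p.get("ovirt.engine.extension.provides") != AUTHN_IFACE:
            continue
        authz = p.get("ovirt.engine.aaa.authn.authz.plugin")
        if not authz:
            findings.append(f"{name}: authn extension without ovirt.engine.aaa.authn.authz.plugin")
            continue
        target = by_name.get(authz)
        if target is None:
            findings.append(
                f"{name}: authz plugin '{authz}' is not defined in any extension file; "
                "only the built-in 'internal' authz would be available")
        elif target.get("ovirt.engine.extension.provides") != AUTHZ_IFACE:
            findings.append(
                f"{name}: '{authz}' does not provide {AUTHZ_IFACE} "
                f"(provides {target.get('ovirt.engine.extension.provides')!r})")
    return findings


if __name__ == "__main__":
    # Only the authn file, as in the post: the authz reference dangles.
    for f in check_extensions({"authn-company.properties": AUTHN_COMPANY}):
        print("FINDING:", f)
    # With the assumed authz file the wiring is consistent.
    both = {"authn-company.properties": AUTHN_COMPANY,
            "authz-company.properties": AUTHZ_COMPANY}
    print("with authz file:", check_extensions(both) or "OK")
```

To run it against a real engine, replace the two constants with the contents of each file in /etc/ovirt-engine/extensions.d/ and pass them to check_extensions keyed by file name.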