----- Original Message -----
From: "Keith Mitchell" <kamitch(a)cisco.com>
To: "Itamar Heim" <iheim(a)redhat.com>
Cc: users(a)ovirt.org, "Juan Antonio Hernandez Fernandez"
<jhernand(a)redhat.com>, "Yair Zaslavsky" <yzaslavs(a)redhat.com>
Sent: Sunday, March 3, 2013 7:15:16 AM
Subject: Re: [Users] webadmin login issues with AD
On 3/2/13 11:57 PM, Itamar Heim wrote:
> On 03/03/2013 06:41, Keith Mitchell wrote:
>> On 3/2/13 2:51 PM, Itamar Heim wrote:
>>> On 01/03/2013 18:54, Keith Mitchell wrote:
>>>>
>>>> I'm trying to get rhevm 3.1 (which seems to be pretty much ovirt 3.1
>>>> from what I can tell) authenticating against our active directory
>>>> infrastructure but am having some difficulty that I don't quite
>>>> understand and was hoping someone may know what is happening.
>>>>
>>>> The server where rhevm/ovirt is running is a RHEL6 based server that
>>>> has NIS configured (with user home directories mounted via
>>>> nfs/automounter). The userids in nis match the userids in our
>>>> ActiveDirectory server (in fact the passwords should match too since
>>>> there is a sync between the two).
>>>>
>>>> I added the Activedirectory server into ovirt (through
>>>> rhevm-manage-domains) and it is added/validated successfully. As the
>>>> local admin user I can go in and search against the active directory,
>>>> add permissions, etc.
>>>>
>>>> But... If I try to log into the webadmin/user portals with one of the
>>>> active directory accounts it seems to hang... and I noticed that it
>>>> seems to be trying to mount the home directory of a bunch of users via
>>>> the automounter (perhaps it's trying to mount everyone's home
>>>> directory... can't tell). This takes a super long time since the home
>>>> directories are all across the world and nfs access to some of these
>>>> filesystems is really slow... I'm not sure it will ever complete...
>>>> certainly not before the user gives up.
Hi,
Currently, both search of users in a specific domain + login perform both
authentication + authorization check + running ldap queries
(authorization is a part of the login).
It seems really odd to me that login takes you quite some time, and search
of users/groups does not.
What other info can you provide about the user you are trying to log in
with? Did you give permissions to many entities?
>>>>
>>>> Anyone know what would cause this? I wouldn't think this should
>>>> happen. I was thinking it should just authenticate the password and
>>>> then look at the permissions granted inside ovirt/rhevm.
>>>
>>> there is no need for the engine (rhev) machine to be part of the AD
>>> domain for AD authentication to work, and i don't see why this should
>>> happen.
>>> yair/juan - thoughts?
>>>
>> Turns out the home directory mounting thing had nothing to do with my
>> login issues or ovirt... The home directory issue was due to an issue
>> with mod_dnssd (part of apache) in RHEL6.
>>
>> But even after fixing that, I still have login issues. Whenever I try
>> to authenticate against active directory the webadmin/user gui seems to
>> hang. I've looked at the network trace and it looks like the active
>> directory authentication succeeded without issue, but the login screen
>> just hangs.
>>
>> I can log in with the local admin user fine and I don't see anything in
>> the engine.log files. Perhaps there may be some debug I can turn on to
>> help identify what it is doing?
>>
>>
>>
>
> does the REST API work for an AD user?
> (user@domain is the user name format. URL is http://xxx/api)
That seems to hang too.