
22 Sep 2014, 4:16 a.m.
(2014/09/22 0:16), Alon Bar-Lev wrote:
>
> ----- Original Message -----
>> From: "Fumihide Tani" <RXC05271@nifty.com>
>> To: "Alon Bar-Lev" <alonbl@redhat.com>
>> Cc: users@ovirt.org
>> Sent: Sunday, September 21, 2014 6:00:48 PM
>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>>
>> Hi, Alon,
>>
>> Following Alon's advice, I added the authz-company.properties file to the
>> configuration directory.
>> Then OpenLDAP users can be searched from the oVirt Web Admin, and I could add
>> its users to the portal successfully.
>>
>> But I have another problem.
>> These OpenLDAP users that I added cannot log in to the oVirt web user portal.
>>
>> User Name: Fumihide (this is shown on the Web Admin Portal "Users" tab as "First Name")
>> Password: (I specified it as OpenLDAP's userPassword for "Fumihide")
>> Domain: rxc05271.com (I selected this instead of "internal")
>>
>> ?
>
> 1. What error do you get at ui?

"The user name or password is incorrect."

>
> 2. Please look at engine.log while attempting to login, if you see something helpful.

2014-09-22 09:53:27,669 INFO  [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-2) Cant login user "Fumihide" with authentication profile "rxc05271.com" because the authentication failed.
2014-09-22 09:53:27,685 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide cannot login, please verify the username and password.
2014-09-22 09:53:27,693 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide failed to log in.
2014-09-22 09:53:27,693 WARN  [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-2) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD

>
> 3. Please make sure that the following is a success:
> $ ldapsearch -h <HOST> -x -W -D <LOGIN_USER_DN> -b <BASE_DN> uid=<LOGIN_NAME>

[root@ovirt ~]# ldapsearch -H ldapi:/// -x -W -D "uid=tani,ou=Users,dc=rxc05271,dc=com" -b 'dc=rxc05271,dc=com' -x '(uid=tani)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=rxc05271,dc=com> with scope subtree
# filter: (uid=tani)
# requesting: ALL
#

# tani, Users, rxc05271.com
dn: uid=tani,ou=Users,dc=rxc05271,dc=com
objectClass: inetOrgPerson
objectClass: uidObject
uid: tani
cn: Fumihide Tani
givenName: Fumihide
mail: tani@rxc05271.com
sn: Tani
userPassword:: a3VtaXRhbg==

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@ovirt ~]#

>
> 4. If working please modify /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in
> ---
> <file-handler name="ENGINE" autoflush="true">
> - <level name="INFO"/>
> - <level name="FINEST"/>
> <snip>
> + <logger category="org.ovirt.engineextensions.aaa.ldap">
> + <level name="FINEST"/>
> + </logger>
> <logger category="org.ovirt.engine.core.bll">
> ---
> Restart engine, attempt login, send me the output.

2014-09-22 10:03:57,517 INFO  [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-7) Cant login user "Fumihide" with authentication profile "rxc05271.com" because the authentication failed.
2014-09-22 10:03:57,534 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-7) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide cannot login, please verify the username and password.
2014-09-22 10:03:57,545 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-7) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide failed to log in.
2014-09-22 10:03:57,545 WARN  [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-7) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD

(Was the logger level not changed to FINEST? The output is the same as above.)

Thanks,
Fumihide Tani

>> Please advise me; I would be very thankful.
>>
>> Fumihide Tani
>>
>>
>> (2014/09/21 17:13), Alon Bar-Lev wrote:
>>> ----- Original Message -----
>>>> From: "Fumihide Tani" <RXC05271@nifty.com>
>>>> To: "Alon Bar-Lev" <alonbl@redhat.com>
>>>> Cc: users@ovirt.org
>>>> Sent: Sunday, September 21, 2014 11:11:11 AM
>>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>>>>
>>>> Hi, Alon
>>>>
>>>> Thank you very much for your help.
>>>> My problem was solved and the AAA is working now.
>>>> I could add an LDAP user. :)
>>> Great.
>>> Can you please send me a patch or modified README to make it better?
>>>
>>> Alon
>>>
>>>> Fumihide Tani
>>>>
>>>> (2014/09/21 16:19), Alon Bar-Lev wrote:
>>>>> ----- Original Message -----
>>>>>> From: "Alon Bar-Lev" <alonbl@redhat.com>
>>>>>> To: "Fumihide Tani" <RXC05271@nifty.com>
>>>>>> Cc: users@ovirt.org
>>>>>> Sent: Sunday, September 21, 2014 10:19:11 AM
>>>>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> You need to create an authz extension as well (authz-company).
>>>>>> The configuration you provided establishes authentication only (authn),
>>>>>> which refers to authz-company, but you did not add it.
>>>>>>
>>>>>> The terms are:
>>>>>> 1. authn - who the user is.
>>>>>> 2. authz - what the user is permitted.
>>>>>> 3. profile - combination of the two.
>>>>>>
>>>>>> -----------------------------
>>>>>> # vi /etc/ovirt-engine/extensions.d/authz-company.properties
>>>>>> ovirt.engine.extension.name = authz-company
>>>>>> ovirt.engine.extension.bindings.method = jbossmodule
>>>>>> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>>>>>> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
>>>>> Sorry:
>>>>> org.ovirt.engineextensions.aaa.ldap.AuthzExtension
>>>>>> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
>>>>>> config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
>>>>>> --------------------------------------------------
>>>>>>
>>>>>> Regards,
>>>>>> Alon
>>>>
>>
>>
>
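Review bot: in the ovirt-engine.xml.in hunk quoted under point 4, both `<level>` lines under `<file-handler name="ENGINE" autoflush="true">` carry a `-` prefix (`- <level name="INFO"/>` and `- <level name="FINEST"/>`), so as pasted the hunk removes both levels instead of replacing INFO with FINEST; the second line should read `+ <level name="FINEST"/>`. Applied literally, the handler level is left unset, which is consistent with the reply reporting that the log output did not change; the rendered configuration should be checked after the engine restart to confirm the FINEST level and the new `org.ovirt.engineextensions.aaa.ldap` logger actually took effect.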
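The thread turns on three things that can be checked offline before touching the engine: the authz extension file must bind `AuthzExtension` (the first version of authz-company.properties above pointed at `AuthnExtension`), the authn file must name an authz extension that actually exists, and the ldapsearch output should show userPassword stored as a hash. On that last point, the `userPassword::` value in the LDIF above is only base64, not a hash; it decodes to the cleartext password, so any bind identity that can read the attribute (here, the user's own DN) sees it. The checker below is an added example, not code from oVirt, ovirt-engine-extension-aaa-ldap, or anyone in the thread. It assumes the key `ovirt.engine.aaa.authn.authz.plugin` is how the authn file names its authz extension (taken from the extension's shipped examples; verify against the installed README), and all property files and LDIF it runs on are constructed samples, not the poster's data.

```python
"""Offline sanity checks for an oVirt LDAP AAA (authn/authz) setup.
Added example, not oVirt or ovirt-engine-extension-aaa-ldap code.
Sample property files and LDIF below are constructed for the example."""
import base64
import re

EXT_PREFIX = "org.ovirt.engineextensions.aaa.ldap."
API_PREFIX = "org.ovirt.engine.api.extensions.aaa."
# Class the jbossmodule binding must name for each interface an extension provides.
EXPECTED_CLASS = {
    API_PREFIX + "Authn": EXT_PREFIX + "AuthnExtension",
    API_PREFIX + "Authz": EXT_PREFIX + "AuthzExtension",
}
# Key with which the authn file names its authz extension. Assumption taken
# from the extension's shipped examples; check your installed README.
AUTHZ_PLUGIN_KEY = "ovirt.engine.aaa.authn.authz.plugin"
# RFC 2307 style scheme prefixes meaning slapd stores the password hashed.
HASHED_SCHEMES = ("{SSHA}", "{SHA}", "{CRYPT}", "{MD5}", "{SMD5}", "{PBKDF2")


def parse_properties(text):
    """Minimal Java .properties parser: 'key = value', '#'/'!' comments,
    trailing-backslash continuation. Enough for oVirt extension files."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]  # value continues on the next line
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def check_extension(props):
    """Return problems found in one parsed extensions.d/*.properties file."""
    problems = []
    if props.get("ovirt.engine.extension.bindings.method") != "jbossmodule":
        problems.append("bindings.method should be jbossmodule")
    provides = props.get("ovirt.engine.extension.provides")
    cls = props.get("ovirt.engine.extension.binding.jbossmodule.class")
    expected = EXPECTED_CLASS.get(provides)
    if expected is None:
        problems.append("unknown provides value: %r" % provides)
    elif cls != expected:
        problems.append("provides %s but binds %s (expected %s)" % (provides, cls, expected))
    if not props.get("config.profile.file.1"):
        problems.append("no config.profile.file.1 pointing at the LDAP profile")
    return problems


def check_profile(authn, authz_files):
    """The authn extension must refer to an authz extension that exists."""
    wanted = authn.get(AUTHZ_PLUGIN_KEY)
    if not wanted:
        return ["authn file does not set %s" % AUTHZ_PLUGIN_KEY]
    names = {a.get("ovirt.engine.extension.name") for a in authz_files}
    if wanted not in names:
        return ["authn refers to authz extension %r but no such extension exists" % wanted]
    return []


def cleartext_passwords(ldif):
    """DNs in ldapsearch LDIF output whose userPassword has no hash scheme
    prefix. Handles 'attr: value' and base64 'attr:: value' lines."""
    hits, dn = [], None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("userPassword:"):
            rest = line[len("userPassword:"):]
            if rest.startswith(":"):  # LDIF base64 form, as ldapsearch prints it
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            if not value.startswith(HASHED_SCHEMES):
                hits.append(dn)
    return hits


# Constructed samples. AUTHZ_WRONG_CLASS repeats the thread's mistake.
AUTHN = parse_properties("""
ovirt.engine.extension.name = authn-company
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = example.com
ovirt.engine.aaa.authn.authz.plugin = authz-company
config.profile.file.1 = /etc/ovirt-engine/aaa/example.properties
""")
AUTHZ_WRONG_CLASS = parse_properties("""
ovirt.engine.extension.name = authz-company
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = \\
    org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = \\
    org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/example.properties
""")
AUTHZ_FIXED = dict(AUTHZ_WRONG_CLASS)
AUTHZ_FIXED["ovirt.engine.extension.binding.jbossmodule.class"] = EXPECTED_CLASS[API_PREFIX + "Authz"]

SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
userPassword:: c2VjcmV0MTIz

dn: uid=bob,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
userPassword: {SSHA}Zm9vYmFyYmF6cXV4
"""

if __name__ == "__main__":
    for label, props in (("authn", AUTHN), ("authz as typed", AUTHZ_WRONG_CLASS), ("authz fixed", AUTHZ_FIXED)):
        print(label, check_extension(props) or "ok")
    print("profile", check_profile(AUTHN, [AUTHZ_FIXED]) or "ok")
    print("cleartext userPassword on:", cleartext_passwords(SAMPLE_LDIF))
```

Run against real files with `parse_properties(open(path).read())` for each file in /etc/ovirt-engine/extensions.d/ and pipe the ldapsearch output from point 3 into `cleartext_passwords`; a non-empty result from the last call means the directory is handing the bind identity the password itself, and the fix is on the OpenLDAP side (hashed `userPassword` values, and ACLs that deny read on the attribute), not in oVirt.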