4:16 a.m.
(2014/09/22 0:16), Alon Bar-Lev wrote:
----- Original Message -----
> From: "Fumihide Tani" <RXC05271(a)nifty.com>
> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> Cc: users(a)ovirt.org
> Sent: Sunday, September 21, 2014 6:00:48 PM
> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>
> Hi, Alon,
>
> Following Alon's advice, I added authz-company.properties file to the
> configuration directory.
> Then OpenLDAP users can searched from oVirt Web admin. and I could add it's
> users
> to the portal successfully.
>
> But I have another problem.
> These OpenLDAP users that I added can not login to ovirt web user portal.
>
> User Name: Fumihide (This is shown on Web Admin Portal "Users" tab as
"First
> Name")
> Password: (I specified it as OpenLDAP's userPassword for "Fumihide")
> Domain: rxc05271.com (I selected instead of "internal")
>
> ?
1. What error do you get at ui?
"The user name or password is incorrect."
2. Please look at engine.log while attempting to login, if you see something helpful.
2014-09-22 09:53:27,669 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand]
(ajp--127.0.0.1-8702-2) Cant login user "Fumihide" with authentication profile
"rxc05271.com" because the authentication failed.
2014-09-22 09:53:27,685 ERROR
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event ID: -1,
Message: User Fumihide cannot login, please verify the username and password.
2014-09-22 09:53:27,693 ERROR
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event ID: -1,
Message: User Fumihide failed to log in.
2014-09-22 09:53:27,693 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand]
(ajp--127.0.0.1-8702-2) CanDoAction of action LoginUser failed.
Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
3. Please make sure that the following is a success:
$ ldapsearch -h <HOST> -x -W -D <LOGIN_USER_DN> -b <BASE_DN>
uid=<LOGIN_NAME>
[root@ovirt ~]# ldapsearch -H ldapi:/// -x -W -D
"uid=tani,ou=Users,dc=rxc05271,dc=com" -b 'dc=rxc05271,dc=com' -x
'(uid=tani)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=rxc05271,dc=com> with scope subtree
# filter: (uid=tani)
# requesting: ALL
#
# tani, Users, rxc05271.com
dn: uid=tani,ou=Users,dc=rxc05271,dc=com
objectClass: inetOrgPerson
objectClass: uidObject
uid: tani
cn: Fumihide Tani
givenName: Fumihide
mail: tani(a)rxc05271.com
sn: Tani
userPassword:: a3VtaXRhbg==
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@ovirt ~]#
4. If working please modify
/usr/share/ovirt-enigne/services/ovirt-enigne/ovirt-enigne.xml.in
---
<file-handler name="ENGINE" autoflush="true">
- <level name="INFO"/>
- <level name="FINEST"/>
<snip>
+ <logger category="org.ovirt.engineextensions.aaa.ldap">
+ <level name="FINEST"/>
+ </logger>
<logger category="org.ovirt.engine.core.bll">
---
Restart engine, attempt login, send me the output.
2014-09-22 10:03:57,517 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand]
(ajp--127.0.0.1-8702-7) Cant login user "Fumihide" with authentication profile
"rxc05271.com" because the authentication failed.
2014-09-22 10:03:57,534 ERROR
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(ajp--127.0.0.1-8702-7) Correlation ID: null, Call Stack: null, Custom Event ID: -1,
Message: User Fumihide cannot login, please verify the username and password.
2014-09-22 10:03:57,545 ERROR
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(ajp--127.0.0.1-8702-7) Correlation ID: null, Call Stack: null, Custom Event ID: -1,
Message: User Fumihide failed to log in.
2014-09-22 10:03:57,545 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand]
(ajp--127.0.0.1-8702-7) CanDoAction of action LoginUser failed.
Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
(logger level is not changed to FINEST? outputs is same as above.)
Thanks,
Fumihide Tani
> Please advice me, it's so thanksfull.
>
> Fumihide Tani
>
>
> (2014/09/21 17:13), Alon Bar-Lev wrote:
>> ----- Original Message -----
>>> From: "Fumihide Tani" <RXC05271(a)nifty.com>
>>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>> Cc: users(a)ovirt.org
>>> Sent: Sunday, September 21, 2014 11:11:11 AM
>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>>>
>>> Hi, Alon
>>>
>>> Very thanks for your help.
>>> My problem was solved and the AAA is working now.
>>> I could add LDAP user. :)
>> Great.
>> Can you please send me a patch or modified README to make it better?
>>
>> Alon
>>
>>> Fumihide Tani
>>>
>>> (2014/09/21 16:19), Alon Bar-Lev wrote:
>>>> ----- Original Message -----
>>>>> From: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>>>> To: "Fumihide Tani" <RXC05271(a)nifty.com>
>>>>> Cc: users(a)ovirt.org
>>>>> Sent: Sunday, September 21, 2014 10:19:11 AM
>>>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>>>>>
>>>>> Hi,
>>>>>
>>>>> You need to create authz extension as well (authz-company).
>>>>> The configuration you provided is establishing authentication only
>>>>> (authn)
>>>>> which refer to authz-company but you did not add it.
>>>>>
>>>>> The terms are:
>>>>> 1. authn - who the user is.
>>>>> 2. authz - what user is permitted.
>>>>> 3. profile - combination of the two.
>>>>>
>>>>> -----------------------------
>>>>> # vi /etc/ovirt-engine/extensions.d/authz-company.properties
>>>>> ovirt.engine.extension.name = authz-company
>>>>> ovirt.engine.extension.bindings.method = jbossmodule
>>>>> ovirt.engine.extension.binding.jbossmodule.module =
>>>>> org.ovirt.engine-extensions.aaa.ldap
>>>>> ovirt.engine.extension.binding.jbossmodule.class =
>>>>> org.ovirt.engineextensions.aaa.ldap.AuthnExtension
>>>> Sorry:
>>>> org.ovirt.engineextensions.aaa.ldap.AuthzExtension
>>>>> ovirt.engine.extension.provides =
>>>>> org.ovirt.engine.api.extensions.aaa.Authz
>>>>> config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
>>>>> --------------------------------------------------
>>>>>
>>>>> Regards,
>>>>> Alon
>>>
>
>