----- Original Message -----
From: "Paul Robert Marino" <prmarino1@gmail.com> To: "Yair Zaslavsky" <yzaslavs@redhat.com> Cc: "Itamar Heim" <iheim@redhat.com>, users@ovirt.org Sent: Wednesday, August 13, 2014 11:47:40 PM Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
Ok so before I open a bug ticket I want to confirm I'm not doing any thing wrong here. I upgraded to 3.4 now it says "Active: false " on LDAP groups.
Again I tried to add the sysadmin group from the directory server and set the power user and super user roles on the group it shows up as "<domain name>/Groups/sysadmin" I adder the permisions by clicking on the configure link on the top of the screen and set them in the "System Permissions" tab
Sounds good so far. I assume also you see the permissiosn in the permissions sub tab when you click the group.
I added a user (pmarino) to the system which shows in the "Directory Group" tab shows "sysadmin groups <domian name>" among others however it only shows in the Permissions tab the permissions inherited by "Everyone" it does not show any permissions inherited by the sysadmin group.
This is not good - I mean, should have worked.
just to prove it didnt work I logged out and attempted to log back in as the user (pmarino) it wouldn't let me log in
I logged back in as the internal admin user then I added the SuperUser permissions directly to the pmarino account and logged back out again. Now when I logged in as pmarino it gave me the access I expected.
Can I please ask you to provide some database info ? It will be awesome if you can provide the following SQL queries results - select group_ids, groups from users where username ilike '%pmarino%'; In addition, please perform - select id, name from ad_groups; Thanks for your help. P.S - As far as I understand the two bugs mentioend by Itamar (I mean, the solution to the bugs) should have fixed your issue as well.
Here is the relevant portion of the engine log " 2014-08-13 16:00:38,801 INFO [org.ovirt.engine.core.bll.AddGroupCommand] (ajp-/127.0.0.1:8702-5) [1e7fa420] Running command: AddGroupCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System 2014-08-13 16:00:38,813 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-5) [1e7fa420] Correlation ID: 1e7fa420, Call Stack: null, Custom Event ID: -1, Message: User '<domain name>/Groups/sysadmin' was added successfully to the system. 2014-08-13 16:09:01,352 INFO [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-4-thread-24) [75cab17c] Running command: AddSystemPermissionCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System, ID: aaa00000-0000-0000-0000-123456789aaa Type: System 2014-08-13 16:09:01,371 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-4-thread-24) [75cab17c] Correlation ID: 75cab17c, Call Stack: null, Custom Event ID: -1, Message: User/Group <domain name>/Groups/sysadmin was granted permission for Role SuperUser on System by admin. 2014-08-13 16:10:40,963 INFO [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-4-thread-26) [b42abcb] Running command: AddSystemPermissionCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System, ID: aaa00000-0000-0000-0000-123456789aaa Type: System 2014-08-13 16:10:40,979 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-4-thread-26) [b42abcb] Correlation ID: b42abcb, Call Stack: null, Custom Event ID: -1, Message: User/Group <domain name>/Groups/sysadmin was granted permission for Role PowerUserRole on System by admin. 2014-08-13 16:20:53,891 INFO [org.ovirt.engine.core.bll.AddUserCommand] (ajp-/127.0.0.1:8702-4) [58e00be1] Running command: AddUserCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System 2014-08-13 16:20:53,919 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-4) [58e00be1] Correlation ID: 58e00be1, Call Stack: null, Custom Event ID: -1, Message: User 'pmarino' was added successfully to the system. 2014-08-13 16:35:52,202 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-10) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User pmarino failed to log in. 2014-08-13 16:35:52,202 WARN [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8702-10) CanDoAction of action LoginAdminUser failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION 2014-08-13 16:39:48,048 INFO [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-4-thread-31) [5ba3c874] Running command: AddSystemPermissionCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System 2014-08-13 16:39:48,069 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-4-thread-31) [5ba3c874] Correlation ID: 5ba3c874, Call Stack: null, Custom Event ID: -1, Message: User/Group pmarino was granted permission for Role SuperUser on System by admin. 2014-08-13 16:40:43,357 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-1) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User pmarino logged in.
"
On Mon, Aug 11, 2014 at 1:41 PM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
----- Original Message -----
From: "Yair Zaslavsky" <yzaslavs@redhat.com> To: "Itamar Heim" <iheim@redhat.com> Cc: users@ovirt.org Sent: Monday, August 11, 2014 8:13:53 PM Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
I have checked the codebase of 3.3 - the "active" field is used for presentation purpose only.
Presentation wise only - means that it is not used for our permissions calculation , for example.
Alon has addressed our plans for this in his previous comments. I hope this clarifies more..
Yair
----- Original Message -----
From: "Itamar Heim" <iheim@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com>, "Paul Robert Marino" <prmarino1@gmail.com> Cc: users@ovirt.org Sent: Sunday, August 10, 2014 11:54:05 PM Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
On 08/10/2014 10:50 PM, Alon Bar-Lev wrote:
----- Original Message -----
From: "Paul Robert Marino" <prmarino1@gmail.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "Maurice James" <mjames@media-node.com>, users@ovirt.org Sent: Sunday, August 10, 2014 10:43:14 PM Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
Sorry for my delayed response to this
I am using ovirt 3.3. I am using Kerberos 5, and all of the DNS requirements are in place. Finally 389 server is the upstream project for RHDS and one of the upstream projects for IPA. So I chose to set it as RHDS because its an identical match.
User authentication works just fine my problem is adding roles to groups. I can assign a role to a group but the group always shows an inactive status; however if I assign a role directly to to a user it works fine. In addition if I drill down into a user it knows what groups in the 389 server the user is a member of.
finally I can't see any error in the logs when adding a role to a group
Please open a bug, I am unsure that it will be addressed before 3.5, as we have done major rework for the authentication and authorization to make it much more versatile. Even if there will be a fix it will be provided to 3.4.z.
It will be best if you want to test this scenario in 3.5 release candidate and the new ldap provider, so we can address the issue before 3.5 release if exists.
could also be one of these fixed in 3.4: 3.4.0 - Bug 1065615 - When adding a user that belongs to a group, it does not inherit the group permissions 3.4.1 - Bug 1069562 - When assigning permissions to user that belongs to a group indirectly, it does not inherit the group permissions
On Sat, Aug 9, 2014 at 2:33 AM, Alon Bar-Lev <alonbl@redhat.com> wrote: > > > ----- Original Message ----- >> From: "Maurice James" <mjames@media-node.com> >> To: "Alon Bar-Lev" <alonbl@redhat.com> >> Cc: "Itamar Heim" <iheim@redhat.com>, users@ovirt.org >> Sent: Saturday, August 9, 2014 3:47:04 AM >> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups >> >> Does this still require the use of kerberos? Will 389-ds work on >> its >> own? > > In 3.5 we introduced pure ldap support[1], obsoleting the > kerberos/ldap > mix. > > It will be great to receive feedback[2]. > > 389ds is not supported directly, I think it is similar to IPA as it > uses > 389. Maybe I should rename the profile of ipa to 389 if it works > properly. > > Regards, > Alon > > [1] > http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;... > [2] http://lists.ovirt.org/pipermail/devel/2014-August/008367.html > >> >> ----- Original Message ----- >> From: "Alon Bar-Lev" <alonbl@redhat.com> >> To: "Itamar Heim" <iheim@redhat.com> >> Cc: users@ovirt.org >> Sent: Friday, August 8, 2014 3:45:07 PM >> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups >> >> >> >> ----- Original Message ----- >>> From: "Itamar Heim" <iheim@redhat.com> >>> To: "Paul Robert Marino" <prmarino1@gmail.com>, users@ovirt.org >>> Sent: Friday, August 8, 2014 10:37:11 PM >>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups >>> >>> On 08/07/2014 07:06 PM, Paul Robert Marino wrote: >>>> I have ovirt engine running and connected to a 389 server with >>>> the >>>> memberof plugin enabled and working properly. >>>> >>>> I can add users and assign them to roles without any issues. >>>> >>>> when I look at a user I can see all the LDAP groups they are a >>>> member >>>> of. >>>> >>>> when I run engine-manage-domains -action=validate it tells me >>>> the >>>> domain is valid. >>>> >>>> here is my problem when I try to assign a role to an LDAP group >>>> it >>>> looks like it works but in the general tab when under the group >>>> it >>>> tells me the status is Inactive. >>>> >>>> dose any one know how to enable the group? >>>> _______________________________________________ >>>> Users mailing list >>>> Users@ovirt.org >>>> http://lists.ovirt.org/mailman/listinfo/users >>>> >>> >>> 3.4 or new 3.5 Generic LDAP provider? >> >> >> On case this is 3.5 it is known issue, all groups will be seen as >> inactive, >> this field will probably be removed from UI, as groups are no >> longer >> fetched >> periodically. >> This field is totally ignored. >> >> Alon >> _______________________________________________ >> Users mailing list >> Users@ovirt.org >> http://lists.ovirt.org/mailman/listinfo/users >> > _______________________________________________ > Users mailing list > Users@ovirt.org > http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users