Hi!
Thank you for the information. For some reason the administrator user cannot be resolved
to userPrincipalName during login; is it specific to Administrator or any user?
This is the default domain administrator account which exists in any
forest. But just in case I created a new domain user just for the
purpose; same outcome.
Can you please attach the extension configuration for both authn/authz as well?
I will also need debug log with ALL level, see [1] for instructions.
Thanks!
Alon
[1] https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=b...
----- Original Message -----
> From: "Daniel Helgenberger" <daniel.helgenberger(a)m-box.de>
> To: Users(a)ovirt.org
> Sent: Friday, September 11, 2015 1:28:10 PM
> Subject: [ovirt-users] Extension aaa: No search for principal
>
> Hello,
>
> I am stuck in configuring ovirt-engine-extension-aaa-ldap with AD for
> ovirt 3.5.4. I am following the [readme.md] and so far it was quite
> straightforward:
>> include = <ad.properties>
>>
>> #
>> # Active directory domain name.
>> #
>> vars.domain = int.corp.de
>>
>> #
>> # Search user and its password.
>> #
>> vars.user = bind@${global:vars.domain}
>> vars.password = [redacted]
>>
>> #
>> # Optional DNS servers, if enterprise
>> # DNS server cannot resolve the domain srvrecord.
>> #
>> #vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}
>>
>> pool.default.serverset.type = srvrecord
>> pool.default.serverset.srvrecord.domain = ${global:vars.domain}
>> pool.default.auth.simple.bindDN = ${global:vars.user}
>> pool.default.auth.simple.password = ${global:vars.password}
>>
>> # Uncomment if using custom DNS
>> #pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
>> #pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
>>
>> # Create keystore, import certificate chain and uncomment
>> # if using ssl/tls.
>> #pool.default.ssl.startTLS = true
>> #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
>> #pool.default.ssl.truststore.password = changeit
>
>
>
> The config seems to work; at least the domain and binddn part. I can
> browse and add users to ovirt as suggested in step (3). All quotes are
> from engine.log:
>
>> 2015-09-11 11:54:50,261 INFO
>> [org.ovirt.engine.core.bll.AddSystemPermissionCommand]
>> (org.ovirt.thread.pool-8-thread-24) [73bff0e9] Running command:
>> AddSystemPermissionCommand internal: false. Entities affected : ID:
>> aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group
>> MANIPULATE_PERMISSIONS with role type USER, ID:
>> aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group
>> ADD_USERS_AND_GROUPS_FROM_DIRECTORY with role type USER
>> 2015-09-11 11:54:50,268 INFO
>> [org.ovirt.engine.core.bll.aaa.AddUserCommand]
>> (org.ovirt.thread.pool-8-thread-24) [21867e72] Running command:
>> AddUserCommand internal: true. Entities affected : ID:
>> aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group
>> MANIPULATE_USERS with role type ADMIN
>> 2015-09-11 11:54:50,301 INFO
>> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>> (org.ovirt.thread.pool-8-thread-24) [21867e72] Correlation ID: 21867e72,
>> Call Stack: null, Custom Event ID: -1, Message: User 'Administrator' was
>> added successfully to the system.
>> 2015-09-11 11:54:50,379 INFO
>> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>> (org.ovirt.thread.pool-8-thread-24) [21867e72] Correlation ID: 73bff0e9,
>> Call Stack: null, Custom Event ID: -1, Message: User/Group Administrator
>> was granted permission for Role SuperUser on System by admin@internal.
>
> Yet, when logging in as the user administrator I get:
>
>> {Extkey[name=EXTENSION_INVOKE_RESULT;type=class
>> java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2,
>> Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class
>> java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=No
>> search for principal 'administrator@int.corp.com'}
>
> Followed by a java stack trace.
> I did not find any configurable search path.
>
> The config seems to load:
>> 2015-09-11 12:01:34,897 INFO
>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>> thread 1-2) Loading extension 'builtin-authn-internal'
>> 2015-09-11 12:01:34,903 INFO
>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>> thread 1-2) Extension 'builtin-authn-internal' loaded
>> 2015-09-11 12:01:34,905 INFO
>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>> thread 1-2) Loading extension 'internal'
>> 2015-09-11 12:01:34,907 INFO
>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>> thread 1-2) Extension 'internal' loaded
>> 2015-09-11 12:01:34,919 INFO
>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>> thread 1-2) Loading extension 'corp-authn'
>> 2015-09-11 12:01:34,967 INFO
>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>> thread 1-2) Extension 'corp-authn' loaded
>> 2015-09-11 12:01:34,971 INFO
>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>> thread 1-2) Loading extension 'corp-authz'
>> 2015-09-11 12:01:34,981 INFO
>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>> thread 1-2) Extension 'corp-authz' loaded
>> 2015-09-11 12:01:34,982 INFO
>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>> thread 1-2) Initializing extension 'corp-authn'
>> 2015-09-11 12:01:34,983 INFO
>> [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-2)
>> [ovirt-engine-extension-aaa-ldap.authn::corp-authn] Creating LDAP pool
>> 'authz'
>> 2015-09-11 12:01:35,120 INFO
>> [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-2)
>> [ovirt-engine-extension-aaa-ldap.authn::corp-authn] Creating LDAP pool
>> 'authn'
>> 2015-09-11 12:01:35,159 INFO
>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>> thread 1-2) Extension 'corp-authn' initialized
>> 2015-09-11 12:01:35,160 INFO
>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>> thread 1-2) Initializing extension 'builtin-authn-internal'
>> 2015-09-11 12:01:35,161 INFO
>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>> thread 1-2) Extension 'builtin-authn-internal' initialized
>> 2015-09-11 12:01:35,162 INFO
>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>> thread 1-2) Initializing extension 'corp-authz'
>> 2015-09-11 12:01:35,162 INFO
>> [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-2)
>> [ovirt-engine-extension-aaa-ldap.authz::corp-authz] Creating LDAP pool
>> 'authz'
>> 2015-09-11 12:01:35,185 INFO
>> [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-2)
>> [ovirt-engine-extension-aaa-ldap.authz::corp-authz] Creating LDAP pool
>> 'gc'
>> 2015-09-11 12:01:35,222 INFO
>> [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread
>> 1-2) [ovirt-engine-extension-aaa-ldap.authz::corp-authz] Available
>> Namespaces: [DC=int,DC=corp,DC=de]
>> 2015-09-11 12:01:35,223 INFO
>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>> thread 1-2) Extension 'corp-authz' initialized
>> 2015-09-11 12:01:35,224 INFO
>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>> thread 1-2) Initializing extension 'internal'
>> 2015-09-11 12:01:35,224 INFO
>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>> thread 1-2) Extension 'internal' initialized
>> 2015-09-11 12:01:35,225 INFO
>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>> thread 1-2) Start of enabled extensions list
>> 2015-09-11 12:01:35,225 INFO
>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>> thread 1-2) Instance name: 'corp-authn', Extension name:
>> 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.0.2', Notes: 'Display
>> name: ovirt-engine-extension-aaa-ldap-1.0.2-1.el7', License: 'ASL 2.0',
>> Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface
>> Version: '0', File:
>> '/etc/ovirt-engine/extensions.d/corp-authn.properties', Initialized:
>> 'true'
>> 2015-09-11 12:01:35,227 INFO
>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>> thread 1-2) Instance name: 'builtin-authn-internal', Extension name:
>> 'Internal Authn (Built-in)', Version: 'N/A', Notes: '', License: 'ASL
>> 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build
>> interface Version: '0', File: 'N/A', Initialized: 'true'
>> 2015-09-11 12:01:35,228 INFO
>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>> thread 1-2) Instance name: 'corp-authz', Extension name:
>> 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.0.2', Notes: 'Display
>> name: ovirt-engine-extension-aaa-ldap-1.0.2-1.el7', License: 'ASL 2.0',
>> Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface
>> Version: '0', File:
>> '/etc/ovirt-engine/extensions.d/corp-authz.properties', Initialized:
>> 'true'
>> 2015-09-11 12:01:35,230 INFO
>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>> thread 1-2) Instance name: 'internal', Extension name: 'Internal Authz
>> (Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home:
>> 'http://www.ovirt.org', Author 'The oVirt Project', Build interface
>> Version: '0', File: 'N/A', Initialized: 'true'
>> 2015-09-11 12:01:35,231 INFO
>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>> thread 1-2) End of enabled extensions list
>
> Versions:
> ovirt engine 3.5.4
> AD: Windows Server 2012r2
>
> Please let me know if you need further logs.
>
> Thanks,
>
> [readme.md]
> https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/blob/master/README
> --
>
> Daniel Helgenberger
> m box bewegtbild GmbH
>
> P: +49/30/2408781-22
> F: +49/30/2408781-10
>
> ACKERSTR. 19
> D-10115 BERLIN
>
> www.m-box.de www.monkeymen.tv
>
> Managing Directors: Martin Retschitzegger / Michaela Göllner
> Commercial Register: Amtsgericht Charlottenburg / HRB 112767
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
--
Daniel Helgenberger
m box bewegtbild GmbH
P: +49/30/2408781-22
F: +49/30/2408781-10
ACKERSTR. 19
D-10115 BERLIN
Managing Directors: Martin Retschitzegger / Michaela Göllner
Commercial Register: Amtsgericht Charlottenburg / HRB 112767
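The quoted configuration relies on `${global:...}` / `${local:...}` substitution (for example `vars.user = bind@${global:vars.domain}`), and the quoted log pairs a login principal with the namespaces the authz extension reports ("Available Namespaces: [DC=int,DC=corp,DC=de]"). The following is an added, stand-alone example, not code from the oVirt project or from either poster, that parses a configuration in that shape, expands the variable references, and maps a login principal's UPN suffix to the `DC=...` form so an operator can compare it against the served namespaces before opening a debug-level log. The parser semantics (comment and blank-line handling, `include` being skipped, iterative substitution) are an assumed simplification of the extension's real loader, the sample configuration and namespace list are constructed to mirror the thread, and the password is a placeholder. Note that the error in the thread names `administrator@int.corp.com` while `vars.domain` is `int.corp.de`; this check flags that kind of suffix mismatch, without claiming it is the cause of the failure.

```python
import re

# Constructed sample in the shape of the ad.properties snippet quoted in the thread;
# the password is a placeholder, not a value from the page.
SAMPLE_CONFIG = """\
include = <ad.properties>

#
# Active directory domain name.
#
vars.domain = int.corp.de
vars.user = bind@${global:vars.domain}
vars.password = placeholder-password

pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
"""

# Namespace list in the form printed by the AuthzExtension "Available Namespaces" log line
# (constructed to match the quoted log).
SAMPLE_NAMESPACES = ["DC=int,DC=corp,DC=de"]

VAR_RE = re.compile(r"\$\{(global|local):([^}]+)\}")


def substitute(value, props, local_vars):
    """Expand ${global:key} from already-parsed keys and ${local:name} from local_vars.
    Repeats until the value is stable so nested references (vars.user -> vars.domain) resolve.
    Assumed simplification of the extension's own loader."""
    def repl(match):
        scope, name = match.group(1), match.group(2)
        table = props if scope == "global" else local_vars
        if name not in table:
            raise KeyError(f"unresolved ${{{scope}:{name}}} in {value!r}")
        return table[name]

    previous = None
    while previous != value:
        previous, value = value, VAR_RE.sub(repl, value)
    return value


def parse_properties(text, local_vars=None):
    """Parse 'key = value' lines; blank lines and '#' comments are skipped and
    'include' directives are not followed (this is an offline check)."""
    local_vars = dict(local_vars or {})
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed property line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "include":
            continue
        props[key] = substitute(value, props, local_vars)
    return props


def upn_suffix_to_namespace(principal):
    """Turn the UPN suffix of 'user@a.b.c' into the 'DC=a,DC=b,DC=c' form used in the authz log.
    Returns None when the login name carries no suffix at all."""
    if "@" not in principal:
        return None
    suffix = principal.rsplit("@", 1)[1].strip().lower()
    if not suffix:
        return None
    return ",".join(f"DC={label}" for label in suffix.split("."))


def check_principal(principal, config, namespaces):
    """Report whether the principal's suffix agrees with vars.domain and with a served namespace.
    This mirrors the by-hand comparison an operator makes on a 'No search for principal' error."""
    expected_ns = upn_suffix_to_namespace(principal)
    configured_ns = upn_suffix_to_namespace("x@" + config["vars.domain"])
    served = {ns.lower() for ns in namespaces}
    findings = []
    if expected_ns is None:
        findings.append("login name has no UPN suffix; nothing to map to a namespace")
    else:
        if expected_ns.lower() != configured_ns.lower():
            findings.append(f"suffix maps to {expected_ns}, but vars.domain maps to {configured_ns}")
        if expected_ns.lower() not in served:
            findings.append(f"{expected_ns} is not among the namespaces the authz extension serves")
    return {"principal": principal, "namespace": expected_ns, "ok": not findings, "findings": findings}


if __name__ == "__main__":
    cfg = parse_properties(SAMPLE_CONFIG, local_vars={"_basedir": "/etc/ovirt-engine/aaa"})
    for name in ("administrator@int.corp.com", "administrator@int.corp.de", "administrator"):
        print(check_principal(name, cfg, SAMPLE_NAMESPACES))
```

Running the block prints one result per sample login name; the `.com` suffix produces two findings (it matches neither `vars.domain` nor the served namespace), the `.de` suffix passes, and a bare user name without a suffix is reported as having nothing to map. Pointing `parse_properties` at a real `authn`/`authz` properties file and `SAMPLE_NAMESPACES` at the namespaces from your own engine.log gives the same comparison for your environment.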