
Hi!

sorry, forgot one:

On 11.09.2015 12:48, Alon Bar-Lev wrote:
> Thank you for the information, for some reason the administrator user cannot be resolved to userPrincipalName during login, is it specific for Administrator or any user?

This is the default domain administrator account which exists in any forest. But just in case I created a new domain user just for the purpose; same outcome.

> Can you please attach the extension configuration for both authn/authz as well?
> I will also need debug log with ALL level, see [1] for instructions.
> Thanks! Alon
> [1] https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob...
----- Original Message -----
From: "Daniel Helgenberger" <daniel.helgenberger@m-box.de>
To: Users@ovirt.org
Sent: Friday, September 11, 2015 1:28:10 PM
Subject: [ovirt-users] Extension aaa: No search for principal
Hello,
I am stuck in configuring ovirt-engine-extension-aaa-ldap with AD for ovirt 3.5.4. I am following the [readme.md] and so far it was quite straightforward:
include = <ad.properties>

#
# Active directory domain name.
#
vars.domain = int.corp.de

#
# Search user and its password.
#
vars.user = bind@${global:vars.domain}
vars.password = [redacted]

#
# Optional DNS servers, if enterprise
# DNS server cannot resolve the domain srvrecord.
#
#vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}

pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Uncomment if using custom DNS
#pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
#pool.default.socketfactory.resolver.uRL = ${global:vars.dns}

# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
#pool.default.ssl.truststore.password = changeit
The config seems to work; at least the domain and binddn part. I can browse and add users to ovirt as suggested in step (3). All quotes are from engine.log:
2015-09-11 11:54:50,261 INFO [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-8-thread-24) [73bff0e9] Running command: AddSystemPermissionCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group MANIPULATE_PERMISSIONS with role type USER, ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group ADD_USERS_AND_GROUPS_FROM_DIRECTORY with role type USER
2015-09-11 11:54:50,268 INFO [org.ovirt.engine.core.bll.aaa.AddUserCommand] (org.ovirt.thread.pool-8-thread-24) [21867e72] Running command: AddUserCommand internal: true. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group MANIPULATE_USERS with role type ADMIN
2015-09-11 11:54:50,301 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-8-thread-24) [21867e72] Correlation ID: 21867e72, Call Stack: null, Custom Event ID: -1, Message: User 'Administrator' was added successfully to the system.
2015-09-11 11:54:50,379 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-8-thread-24) [21867e72] Correlation ID: 73bff0e9, Call Stack: null, Custom Event ID: -1, Message: User/Group Administrator was granted permission for Role SuperUser on System by admin@internal.
Yet, when logging in as the user administrator I get:
{Extkey[name=EXTENSION_INVOKE_RESULT;type=class java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2, Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=No search for principal 'administrator@int.corp.com'}
Followed by a java stack trace. I did not find any configurable search path.
The config seems to load:
2015-09-11 12:01:34,897 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Loading extension 'builtin-authn-internal'
2015-09-11 12:01:34,903 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Extension 'builtin-authn-internal' loaded
2015-09-11 12:01:34,905 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Loading extension 'internal'
2015-09-11 12:01:34,907 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Extension 'internal' loaded
2015-09-11 12:01:34,919 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Loading extension 'corp-authn'
2015-09-11 12:01:34,967 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Extension 'corp-authn' loaded
2015-09-11 12:01:34,971 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Loading extension 'corp-authz'
2015-09-11 12:01:34,981 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Extension 'corp-authz' loaded
2015-09-11 12:01:34,982 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Initializing extension 'corp-authn'
2015-09-11 12:01:34,983 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-2) [ovirt-engine-extension-aaa-ldap.authn::corp-authn] Creating LDAP pool 'authz'
2015-09-11 12:01:35,120 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-2) [ovirt-engine-extension-aaa-ldap.authn::corp-authn] Creating LDAP pool 'authn'
2015-09-11 12:01:35,159 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Extension 'corp-authn' initialized
2015-09-11 12:01:35,160 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Initializing extension 'builtin-authn-internal'
2015-09-11 12:01:35,161 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Extension 'builtin-authn-internal' initialized
2015-09-11 12:01:35,162 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Initializing extension 'corp-authz'
2015-09-11 12:01:35,162 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-2) [ovirt-engine-extension-aaa-ldap.authz::corp-authz] Creating LDAP pool 'authz'
2015-09-11 12:01:35,185 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-2) [ovirt-engine-extension-aaa-ldap.authz::corp-authz] Creating LDAP pool 'gc'
2015-09-11 12:01:35,222 INFO [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread 1-2) [ovirt-engine-extension-aaa-ldap.authz::corp-authz] Available Namespaces: [DC=int,DC=corp,DC=de]
2015-09-11 12:01:35,223 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Extension 'corp-authz' initialized
2015-09-11 12:01:35,224 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Initializing extension 'internal'
2015-09-11 12:01:35,224 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Extension 'internal' initialized
2015-09-11 12:01:35,225 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Start of enabled extensions list
2015-09-11 12:01:35,225 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Instance name: 'corp-authn', Extension name: 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.0.2', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.0.2-1.el7', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/corp-authn.properties', Initialized: 'true'
2015-09-11 12:01:35,227 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Instance name: 'builtin-authn-internal', Extension name: 'Internal Authn (Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: 'N/A', Initialized: 'true'
2015-09-11 12:01:35,228 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Instance name: 'corp-authz', Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.0.2', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.0.2-1.el7', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/corp-authz.properties', Initialized: 'true'
2015-09-11 12:01:35,230 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Instance name: 'internal', Extension name: 'Internal Authz (Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: 'N/A', Initialized: 'true'
2015-09-11 12:01:35,231 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) End of enabled extensions list
Versions:
ovirt engine 3.5.4
AD: Windows Server 2012r2
Please let me know if you need further logs.
Thanks,
[readme.md] https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/blob/master/README

--
Daniel Helgenberger
m box bewegtbild GmbH

P: +49/30/2408781-22
F: +49/30/2408781-10

ACKERSTR. 19
D-10115 BERLIN

www.m-box.de
www.monkeymen.tv
Managing directors: Martin Retschitzegger / Michaela Göllner
Commercial register: Amtsgericht Charlottenburg / HRB 112767
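The properties file quoted in Daniel's message builds its bind DN, SRV domain and truststore path out of ${global:...} and ${local:...} references, and the two DNS lines are only useful if vars.dns is uncommented too. As an added example (not code from this thread and not the extension's own loader), here is a small Python resolver that expands those references the way the file implies, reports any reference that stays unresolved, and masks password keys before the expanded config is pasted into a mail, as Daniel did with [redacted]. The sample properties, the value of _basedir, the SRV record name and the treatment of include (names are collected, files are not read) are assumptions.

```python
"""Resolve and audit an oVirt aaa-ldap style properties file.

Added example, not code from ovirt-engine-extension-aaa-ldap. It models only
the ${global:key} / ${local:key} references and '#' comments visible in the
thread; how the real extension loads includes is not modelled.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample based on the mail. The password is a placeholder, and the
# resolver.uRL line is deliberately uncommented while vars.dns stays commented
# out, so the unresolved-reference report has something to show.
SAMPLE = """\
include = <ad.properties>
#
# Active directory domain name.
#
vars.domain = int.corp.de
vars.user = bind@${global:vars.domain}
vars.password = PLACEHOLDER_PASSWORD
#vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
"""

REF = re.compile(r"\$\{(global|local):([^}]+)\}")


def parse(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (key -> raw value, include names). '#' lines are comments."""
    raw: Dict[str, str] = {}
    includes: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "include":
            includes.append(value)
        else:
            raw[key] = value
    return raw, includes


def resolve(raw: Dict[str, str], local: Dict[str, str] = None,
            max_depth: int = 10) -> Tuple[Dict[str, str], List[str]]:
    """Expand references recursively.

    Returns (resolved, unresolved). Each unresolved entry reads
    'key -> ${scope:name}' and the reference is left in place, so a line that
    points at a commented-out variable is visible instead of silently wrong.
    """
    local = local or {}
    unresolved: List[str] = []

    def expand(key: str, value: str, depth: int) -> str:
        if depth > max_depth:
            raise ValueError(f"reference cycle while resolving {key}")

        def sub(m: re.Match) -> str:
            scope, name = m.group(1), m.group(2)
            table = raw if scope == "global" else local
            if name not in table:
                unresolved.append(f"{key} -> ${{{scope}:{name}}}")
                return m.group(0)
            return expand(name, table[name], depth + 1)

        return REF.sub(sub, value)

    resolved = {k: expand(k, v, 0) for k, v in raw.items()}
    return resolved, unresolved


def safe_view(resolved: Dict[str, str]) -> Dict[str, str]:
    """Copy with every *.password value masked, safe to attach to a report."""
    return {k: ("[redacted]" if k.endswith(".password") else v)
            for k, v in resolved.items()}


def ldap_srv_name(domain: str) -> str:
    """DNS SRV record an AD client queries for LDAP (standard AD name;
    assumed here, the extension's own lookup is not shown on the page)."""
    return f"_ldap._tcp.{domain}"


if __name__ == "__main__":
    raw, includes = parse(SAMPLE)
    # _basedir value is an assumption for the example.
    resolved, unresolved = resolve(raw, local={"_basedir": "/etc/ovirt-engine/aaa"})
    print("includes:", includes)
    for k, v in sorted(safe_view(resolved).items()):
        print(f"{k} = {v}")
    print("SRV lookup:", ldap_srv_name(resolved["pool.default.serverset.srvrecord.domain"]))
    for u in unresolved:
        print("UNRESOLVED:", u)
```

Running it prints the expanded keys with both password values masked and one UNRESOLVED line for the resolver.uRL reference; with vars.dns uncommented in the sample the list is empty.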