Thanks Ondra :)

With the command:

su - postgres -c "psql -t engine -c \"insert into permissions values ('0000001b-001b-001b-001b-00000000029f', '00000000-0000-0000-0000-000000000001', 'fdfc627c-d875-11e0-90f0-83df133b58cc', 'aaa00000-0000-0000-0000-123456789aaa', 1);\""

I get:

ERROR:  duplicate key value violates unique constraint "idx_combined_ad_role_object"
DETAIL:  Key (ad_element_id, role_id, object_id)=(fdfc627c-d875-11e0-90f0-83df133b58cc, 00000000-0000-0000-0000-000000000001, aaa00000-0000-0000-0000-123456789aaa) already exists.

History

  261  yum install ovirt-engine-extension-aaa-ldap
  262  cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties /etc/ovirt-engine/
  263  cd /etc/ovirt-engine/
  264  ll
  265  vim profile1.properties
  266  ll
  267  cd cp /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/*  /etc/ovirt-engine/extensions.d/
  268  cd cp /usr/share/ovirt-engine-extension-aaa-ldap/examples/
  269  cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/
  270  ll
  271  cp /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/*  /etc/ovirt-engine/extensions.d/
  272  cd /etc/ovirt-engine/extensions.d/
  273  ll
  274  find / -type f -iname profile1.properties
  275  cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/ad/aaa/profile1.properties /etc/ovirt-engine/aaa/
  276  find / -type f -iname profile1.properties
  277  vim /etc/ovirt-engine/aaa/profile1.properties
  278  chown ovirt:ovirt /etc/ovirt-engine/aaa/profile1.properties
  279  chmod 600 /etc/ovirt-engine/aaa/profile1.properties
  280  systemctl restart ovirt-engine
  281  vim /etc/ovirt-engine/extensions.d/profile1-authn.properties
  282  cd /usr/share/
  283  ls
  284  cd ovirt-engine-aaa-ldap
  285  ls
  286  cd ovirt-engine-extension-aaa-ldap/
  287  ls
  288  cd examples/
  289  ls
  290  cd ad
  291  ls
  292  cd extensions.d/
  293  ls
  294  vim profile1-authn.properties
  295  pwd
  296  cd ..
  297  pwd
  298  cd ..
  299  ls
  300  cd simple
  301  ls
  302  cd aaa/
  303  ls
  304  vim profile1.properties
  305  pwd
  306  rm -rf /etc/ovirt-engine/aaa/profile1.properties
  307  cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/profile1.properties /etc/ovirt-engine/aaa/
  308  vim /etc/ovirt-engine/aaa/profile1.properties
  309  history
  310  chown ovirt:ovirt /etc/ovirt-engine/aaa/profile1.properties
  311  chmod 600 /etc/ovirt-engine/aaa/profile1.properties
  312  systemctl restart ovirt-engine
  313  updatedb
  314  locate domain1-authn.properties
  315  history
  316  cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/aaa/
  317  ll
  318  cd /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/
  319  ls
  320  cd extensions.d/
  321  ls
  322  pwd
  323  cd /etc/ovirt-engine/extensions.d/
  324  ls
  325  cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/ /etc/ovirt-engine/extensions.d/
  326   cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/
  327  rm -rf /etc/ovirt-engine/extensions.d/profile1-authn.properties
  328  rm -rf /etc/ovirt-engine/extensions.d/profile1-authz.properties
  329   cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/extensions.d/* /etc/ovirt-engine/extensions.d/
  330  ll
  331  history
  332  chown ovirt:ovirt /etc/ovirt-engine/extensions.d/*
  333  chmod 600 /etc/ovirt-engine/extensions.d/*
  334  ll
  335  cd extensions.d/
  336  ll
  337  cd
  338  engine-config -s SASL_QOP=auth
  339  systemctl restart ovirt-engine
  340  engine-manage-domains add --domain=udistritaloas.edu.co --provider=ipa --user=admin --ldap-servers=freeipa.udistritaloas.edu.co
  341  systemctl restart ovirt-engine
  342  engine-manage-domains list
  343  history
  344  cd /etc/ovirt-engine/extensions.d/
  345  ll
  346  rm -rf internal-authn.properties
  347  rm -rf internal-authz.properties
  348  rm -rf profile1-authn.properties
  349  rm -rf profile1-authz.properties
  350  history
  351  cd /etc/ovirt-engine/aaa/
  352  ll
  353  rm -rf profile1.properties
  354  vim internal.properties
  355  systemctl restart ovirt-engine
  356  ovirt-aaa-jdbc-tool user edit admin --account-valid-to="2100-01-01 00:00:00Z"
  357  ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to="2100-01-01 00:00:00Z"
  358  engine-config -s AdminPassword=interactive
  359  ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to="2100-01-01 00:00:00Z"
  360  systemctl restart ovirt-engine
  361  exit
  362  cd /etc/ovirt-engine/aaa/
  363  ll
  364  vim internal.properties
  365  /etc/ovirt-engine/extensions.d/
  366  cd /etc/ovirt-engine/extensions.d/
  367  ll
  368  cd extensions.d/
  369  ll
  370  pwd
  371  ll
  372  cd ..
  373  ll
  374  cd ..
  375  ll
  376  cd /etc/ovirt-engine/extensions.d/
  377  ll
  378  cd extensions.d/
  379  ll
  380  pwd
  381  ll
  382  cd ..
  383  ll
  384  systemctl restart ovirt-engine.service
  385  ovirt-aaa-jdbc-tool user edit admin --account-valid-to="2100-01-01 00:00:00Z"
  386  ovirt-aaa-jdbc-tool user password-reset admin --password-valid-to="2100-01-01 00:00:00Z"
  387  systemctl restart ovirt-engine.service
  388  ovirt-aaa-jdbc-tool user password-reset admin@internal --password-valid-to="2100-01-01 00:00:00Z"
  389  yum install -y ovirt-engine-extension-aaa-jdbc
  390  engine-setup
  391  ovirt-aaa-jdbc-tool user show admin
  392  ovirt-aaa-jdbc-tool settings show
  393  cd /var/log
  394  ll
  395  cd ovirt-engine
  396  ll
  397  tail -f n 100 ui.log
  398  ll
  399  tail -f -n engine.log
  400  tail -f -n 1000 engine.log
  401  tail -n 5000 engine.log | grep admin@internal
  402  ovirt-aaa-jdbc-tool user show admin
  403  ovirt-aaa-jdbc-tool user show admin@internal
  404  ovirt-aaa-jdbc-tool query --what=user
  405  engine-config -s AdminPassword=interactive
  406  vim /etc/ovirt-engine/extension.d/internal-authn.properties
  407  vim /etc/ovirt-engine/extensions.d/internal-authn.properties
  408  cd /etc/ovirt-engine/extensions.d/
  409  ll
  410  vim /etc/ovirt-engine/aaa/internal.properties
  411  cd /etc/ovirt-engine/aaa/
  412  ll
  413  vim internal.properties
  414  pwd
  415  ovirt-aaa-jdbc-tool user add julian     --attribute=firstName=Julian     --attribute=lastName=Tete     --attribute=email=danteconrad14@gmail.com
  416  ovirt-aaa-jdbc-tool user password-reset julian --password-valid-to="2025-08-15 10:30:00Z"
  417  history
  418  tail -n 5000 engine.log | grep admin@internal
  419  tail -n 5000 /var/log/ovirt-engine/engine.log | grep admin@internal
  420  ovirt-aaa-jdbc-tool user edit admin --account-valid-from="2015-10-01 00:00:00Z"
  421  ovirt-aaa-jdbc-tool user password-reset admin --force --password-valid-to="2100-01-01 00:00:00Z"
  422  systemctl restart ovirt-engine.service
  423  history
  424  ovirt-aaa-jdbc-tool query --what=user
  425  updatedb
  426  locate internal
  427  yum install -y ovirt-engine-cli
  428  cd /opt
  429  cd /opt/



2016-06-20 13:24 GMT-05:00 Ondra Machacek <omachace@redhat.com>:
On 06/20/2016 06:36 PM, Julián Tete wrote:
oVirt: 3.6.2

Trying to use:

https://github.com/machacekondra/ovirt-engine-kerbldap-migration

First use:

engine-manage-domains add --domain=udistritaloas.edu.co --provider=ipa --user=admin --ldap-servers=freeipa.udistritaloas.edu.co


The domain was added, but I can't access the webadmin portal :/

I get the message:

"User is not authorized to perform this action."

In ovirt-cli

[401] - Unauthorized

tail -n 5000 /var/log/ovirt-engine/engine.log | grep admin@internal

2016-06-20 10:52:22,835 ERROR
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(default task-32) [] Correlation ID: null, Call Stack: null, Custom
Event ID: -1, Message: User admin@internal failed to log in.
2016-06-20 10:52:22,836 WARN
[org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (default task-32)
[] CanDoAction of action 'LoginAdminUser' failed for user
admin@internal. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2016-06-20 11:00:37,679 ERROR
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(default task-3) [] Correlation ID: null, Call Stack: null, Custom Event
ID: -1, Message: User admin@internal failed to log in.
2016-06-20 11:00:37,679 WARN
[org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-3) []
CanDoAction of action 'LoginUser' failed for user admin@internal.
Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2016-06-20 11:01:04,016 ERROR
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(default task-4) [] Correlation ID: null, Call Stack: null, Custom Event
ID: -1, Message: User admin@internal failed to log in.
2016-06-20 11:01:04,016 WARN
[org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-4) []
CanDoAction of action 'LoginUser' failed for user admin@internal.
Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION

I am a little bit lost about what your steps were to get into this state, but it looks like your admin@internal user had its SuperUser permissions removed. I am really not sure how you could achieve that, but to fix it please run the following command:

 $ su - postgres -c "psql -t engine -c \"insert into permissions values ('0000001b-001b-001b-001b-00000000029f', '00000000-0000-0000-0000-000000000001', 'fdfc627c-d875-11e0-90f0-83df133b58cc', 'aaa00000-0000-0000-0000-123456789aaa', 1);\""

This command will grant your admin@internal user SuperUser permissions on the system.

Can you please describe what you have done in a bit more detail, so we can understand the problem?

Thanks.


Properties of Internal domain:

cat /etc/ovirt-engine/aaa/internal.properties

ovirt.engine.extension.name = internal-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module =
org.ovirt.engine.extension.aaa.jdbc
ovirt.engine.extension.binding.jbossmodule.class =
org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = internal
ovirt.engine.aaa.authn.authz.plugin = internal-authz
config.datasource.file = /etc/ovirt-engine/aaa/internal.properties

cat /etc/ovirt-engine/extensions.d/internal-authn.properties

ovirt.engine.extension.name = internal-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module =
org.ovirt.engine.extension.aaa.jdbc
ovirt.engine.extension.binding.jbossmodule.class =
org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = internal
ovirt.engine.aaa.authn.authz.plugin = internal-authz
config.datasource.file = /etc/ovirt-engine/aaa/internal.properties

cat /etc/ovirt-engine/extensions.d/internal-authz.properties

ovirt.engine.extension.name = internal-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module =
org.ovirt.engine.extension.aaa.jdbc
ovirt.engine.extension.binding.jbossmodule.class =
org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.datasource.file = /etc/ovirt-engine/aaa/internal.properties

Properties of admin@internal user:

ovirt-aaa-jdbc-tool user show admin

-- User admin(fdfc627c-d875-11e0-90f0-83df133b58cc) --
Namespace: *
Name: admin
ID: fdfc627c-d875-11e0-90f0-83df133b58cc
Display Name:
Email:
First Name: admin
Last Name:
Department:
Title:
Description:
Account Disabled: false
Account Unlocked At: 1970-01-01 00:00:00Z
Account Valid From: 2015-10-01 00:00:00Z
Account Valid To: 2100-01-01 00:00:00Z
Account Without Password: false
Last successful Login At: 2016-06-20 16:01:03Z
Last unsuccessful Login At: 2016-06-19 16:53:07Z
Password Valid To: 2100-01-01 00:00:00Z

¿ Can I assign privileges to the user ? ¿ Any idea ?

