
22 Sep 2014, 9 a.m.
----- Original Message -----
> From: "Fumihide Tani" <RXC05271@nifty.com>
> To: "Alon Bar-Lev" <alonbl@redhat.com>
> Cc: users@ovirt.org
> Sent: Monday, September 22, 2014 4:16:17 AM
> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>
> (2014/09/22 0:16), Alon Bar-Lev wrote:
> >
> > ----- Original Message -----
> >> From: "Fumihide Tani" <RXC05271@nifty.com>
> >> To: "Alon Bar-Lev" <alonbl@redhat.com>
> >> Cc: users@ovirt.org
> >> Sent: Sunday, September 21, 2014 6:00:48 PM
> >> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
> >>
> >> Hi, Alon,
> >>
> >> Following Alon's advice, I added the authz-company.properties file to the
> >> configuration directory.
> >> Then OpenLDAP users can be searched from oVirt Web Admin, and I could add
> >> its users to the portal successfully.
> >>
> >> But I have another problem.
> >> These OpenLDAP users that I added cannot log in to the oVirt Web User Portal.
> >>
> >> User Name: Fumihide (This is shown on the Web Admin Portal "Users" tab as "First Name")
> >> Password: (I specified it as OpenLDAP's userPassword for "Fumihide")
> >> Domain: rxc05271.com (I selected it instead of "internal")
> >>
> >> ?
> >
> > 1. What error do you get at the UI?
>
> "The user name or password is incorrect."
>
> >
> > 2. Please look at engine.log while attempting to log in, and see if there is
> > something helpful.
>
> 2014-09-22 09:53:27,669 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand]
> (ajp--127.0.0.1-8702-2) Cant login user "Fumihide" with authentication
> profile "rxc05271.com" because the authentication failed.
> 2014-09-22 09:53:27,685 ERROR
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event
> ID: -1, Message: User Fumihide cannot login, please verify the username and
> password.
> 2014-09-22 09:53:27,693 ERROR
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event
> ID: -1, Message: User Fumihide failed to log in.
> 2014-09-22 09:53:27,693 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand]
> (ajp--127.0.0.1-8702-2) CanDoAction of action LoginUser failed.
> Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
>
> >
> > 3. Please make sure that the following is a success:
> > $ ldapsearch -h <HOST> -x -W -D <LOGIN_USER_DN> -b <BASE_DN> uid=<LOGIN_NAME>
>
> [root@ovirt ~]# ldapsearch -H ldapi:/// -x -W -D "uid=tani,ou=Users,dc=rxc05271,dc=com" -b 'dc=rxc05271,dc=com' -x '(uid=tani)'
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=rxc05271,dc=com> with scope subtree
> # filter: (uid=tani)
> # requesting: ALL
> #
>
> # tani, Users, rxc05271.com
> dn: uid=tani,ou=Users,dc=rxc05271,dc=com
> objectClass: inetOrgPerson
> objectClass: uidObject
> uid: tani
> cn: Fumihide Tani
> givenName: Fumihide
> mail: tani@rxc05271.com
> sn: Tani
> userPassword:: a3VtaXRhbg==
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> [root@ovirt ~]#
>
> >
> > 4. If working, please modify
> > /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in
> > ---
> > <file-handler name="ENGINE" autoflush="true">
> > - <level name="INFO"/>
> > - <level name="FINEST"/>
> > <snip>
> > + <logger category="org.ovirt.engineextensions.aaa.ldap">
> > + <level name="FINEST"/>
> > + </logger>
> > <logger category="org.ovirt.engine.core.bll">
> > ---
> > Restart the engine, attempt login, and send me the output.
>
> 2014-09-22 10:03:57,517 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand]
> (ajp--127.0.0.1-8702-7) Cant login user "Fumihide" with authentication
> profile "rxc05271.com" because the authentication failed.
> 2014-09-22 10:03:57,534 ERROR
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (ajp--127.0.0.1-8702-7) Correlation ID: null, Call Stack: null, Custom Event
> ID: -1, Message: User Fumihide cannot login, please verify the username and
> password.
> 2014-09-22 10:03:57,545 ERROR
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (ajp--127.0.0.1-8702-7) Correlation ID: null, Call Stack: null, Custom Event
> ID: -1, Message: User Fumihide failed to log in.
> 2014-09-22 10:03:57,545 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand]
> (ajp--127.0.0.1-8702-7) CanDoAction of action LoginUser failed.
> Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
>
> (Logger level is not changed to FINEST? Output is the same as above.)
>

I had a mistake above... the file-handler level should be set to finest.

<file-handler name="ENGINE" autoflush="true">
    <level name="FINEST"/>

Can you confirm? Or better, send me the engine.xml.in file and I can see what's wrong.

Thanks!

> Thanks,
> Fumihide Tani
>
> >
> >> Please advise me; I would be so thankful.
> >>
> >> Fumihide Tani
> >>
> >>
> >> (2014/09/21 17:13), Alon Bar-Lev wrote:
> >>> ----- Original Message -----
> >>>> From: "Fumihide Tani" <RXC05271@nifty.com>
> >>>> To: "Alon Bar-Lev" <alonbl@redhat.com>
> >>>> Cc: users@ovirt.org
> >>>> Sent: Sunday, September 21, 2014 11:11:11 AM
> >>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
> >>>>
> >>>> Hi, Alon
> >>>>
> >>>> Many thanks for your help.
> >>>> My problem was solved and the AAA is working now.
> >>>> I could add an LDAP user. :)
> >>>
> >>> Great.
> >>> Can you please send me a patch or modified README to make it better?
> >>>
> >>> Alon
> >>>
> >>>> Fumihide Tani
> >>>>
> >>>> (2014/09/21 16:19), Alon Bar-Lev wrote:
> >>>>> ----- Original Message -----
> >>>>>> From: "Alon Bar-Lev" <alonbl@redhat.com>
> >>>>>> To: "Fumihide Tani" <RXC05271@nifty.com>
> >>>>>> Cc: users@ovirt.org
> >>>>>> Sent: Sunday, September 21, 2014 10:19:11 AM
> >>>>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
> >>>>>>
> >>>>>> Hi,
> >>>>>>
> >>>>>> You need to create an authz extension as well (authz-company).
> >>>>>> The configuration you provided is establishing authentication only (authn),
> >>>>>> which refers to authz-company, but you did not add it.
> >>>>>>
> >>>>>> The terms are:
> >>>>>> 1. authn - who the user is.
> >>>>>> 2. authz - what the user is permitted to do.
> >>>>>> 3. profile - a combination of the two.
> >>>>>>
> >>>>>> -----------------------------
> >>>>>> # vi /etc/ovirt-engine/extensions.d/authz-company.properties
> >>>>>> ovirt.engine.extension.name = authz-company
> >>>>>> ovirt.engine.extension.bindings.method = jbossmodule
> >>>>>> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> >>>>>> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> >>>>>
> >>>>> Sorry:
> >>>>> org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> >>>>>
> >>>>>> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> >>>>>> config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
> >>>>>> --------------------------------------------------
> >>>>>>
> >>>>>> Regards,
> >>>>>> Alon
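The two configuration slips debugged in this thread (an authn extension pointing at an authz-company file that did not exist, then an authz file whose class was still AuthnExtension) can be caught before the engine is restarted. The checker below is an added example, not code from the thread or from oVirt; its sample files are constructed, and it assumes the authn file names its authz extension with the key ovirt.engine.extension.aaa.authn.authz.plugin.

```python
# Constructed sample of two /etc/ovirt-engine/extensions.d files (not the poster's
# real ones); the authz entry keeps the thread's slip: provides Authz, class AuthnExtension.
SAMPLE_FILES = {
    "authn-company.properties": """
ovirt.engine.extension.name = authn-company
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.extension.aaa.authn.authz.plugin = authz-company
""",
    "authz-company.properties": """
ovirt.engine.extension.name = authz-company
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
""",
}
# Which LDAP extension class implements which oVirt AAA interface.
EXPECTED_CLASS = {
    "org.ovirt.engine.api.extensions.aaa.Authn": "org.ovirt.engineextensions.aaa.ldap.AuthnExtension",
    "org.ovirt.engine.api.extensions.aaa.Authz": "org.ovirt.engineextensions.aaa.ldap.AuthzExtension",
}

def parse_properties(text):
    """Minimal Java-properties reader: 'key = value' lines, '#'/'!' comments."""
    props = {}
    for line in (l.strip() for l in text.splitlines()):
        key, sep, value = line.partition("=")
        if sep and not line.startswith(("#", "!")):
            props[key.strip()] = value.strip()
    return props

def check_extensions(files):
    """Return human-readable problems found across a set of extension files."""
    short = lambda s: s.rsplit(".", 1)[-1]
    exts = {p["ovirt.engine.extension.name"]: p for p in map(parse_properties, files.values())}
    problems = []
    for name, p in exts.items():
        provides = p.get("ovirt.engine.extension.provides", "")
        cls = p.get("ovirt.engine.extension.binding.jbossmodule.class", "")
        want = EXPECTED_CLASS.get(provides)
        if want and cls != want:  # the class/interface mismatch corrected mid-thread
            problems.append(f"{name}: provides {short(provides)} but class is "
                            f"{short(cls)}, expected {short(want)}")
        if provides.endswith(".Authn"):  # authn must point at a real Authz extension
            authz = p.get("ovirt.engine.extension.aaa.authn.authz.plugin")
            target = exts.get(authz, {})
            if not target:
                problems.append(f"{name}: authz plugin '{authz}' has no extension file")
            elif not target.get("ovirt.engine.extension.provides", "").endswith(".Authz"):
                problems.append(f"{name}: '{authz}' does not provide Authz")
    return problems
```

Run check_extensions over the real directory by reading each *.properties file into the dict; an empty result means the authn/authz pair is at least internally consistent, and login failures then point at the LDAP profile or credentials rather than the extension wiring.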