From: "Fumihide Tani" <RXC05271(a)nifty.com>
To: "Alon Bar-Lev" <alonbl(a)redhat.com>
Cc: users(a)ovirt.org
Sent: Monday, September 22, 2014 4:16:17 AM
Subject: Re: [ovirt-users] Can not configure with simple LDAP.
(2014/09/22 0:16), Alon Bar-Lev wrote:
>
> ----- Original Message -----
>> From: "Fumihide Tani" <RXC05271(a)nifty.com>
>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>> Cc: users(a)ovirt.org
>> Sent: Sunday, September 21, 2014 6:00:48 PM
>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>>
>> Hi, Alon,
>>
>> Following Alon's advice, I added the authz-company.properties file to the
>> configuration directory.
>> Then OpenLDAP users can be searched from the oVirt Web Admin, and I could add
>> its users to the portal successfully.
>>
>> But I have another problem.
>> These OpenLDAP users that I added cannot log in to the oVirt web user portal.
>>
>> User Name: Fumihide (This is shown on Web Admin Portal "Users" tab as
>> "First
>> Name")
>> Password: (I specified it as OpenLDAP's userPassword for "Fumihide")
>> Domain: rxc05271.com (I selected it instead of "internal")
>>
>> ?
> 1. What error do you get at ui?
"The user name or password is incorrect."
>
> 2. Please look at engine.log while attempting to login, if you see
> something helpful.
2014-09-22 09:53:27,669 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand]
(ajp--127.0.0.1-8702-2) Cant login user "Fumihide" with authentication
profile "rxc05271.com" because the authentication failed.
2014-09-22 09:53:27,685 ERROR
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event
ID: -1, Message: User Fumihide cannot login, please verify the username and
password.
2014-09-22 09:53:27,693 ERROR
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event
ID: -1, Message: User Fumihide failed to log in.
2014-09-22 09:53:27,693 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand]
(ajp--127.0.0.1-8702-2) CanDoAction of action LoginUser failed.
Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
>
> 3. Please make sure that the following is a success:
> $ ldapsearch -h <HOST> -x -W -D <LOGIN_USER_DN> -b <BASE_DN>
> uid=<LOGIN_NAME>
[root@ovirt ~]# ldapsearch -H ldapi:/// -x -W -D "uid=tani,ou=Users,dc=rxc05271,dc=com" -b 'dc=rxc05271,dc=com' -x '(uid=tani)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=rxc05271,dc=com> with scope subtree
# filter: (uid=tani)
# requesting: ALL
#
# tani, Users, rxc05271.com
dn: uid=tani,ou=Users,dc=rxc05271,dc=com
objectClass: inetOrgPerson
objectClass: uidObject
uid: tani
cn: Fumihide Tani
givenName: Fumihide
mail: tani(a)rxc05271.com
sn: Tani
userPassword:: a3VtaXRhbg==
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@ovirt ~]#
>
> 4. If that works, please modify
> /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in
> ---
> <file-handler name="ENGINE" autoflush="true">
> - <level name="INFO"/>
> - <level name="FINEST"/>
> <snip>
> + <logger category="org.ovirt.engineextensions.aaa.ldap">
> + <level name="FINEST"/>
> + </logger>
> <logger category="org.ovirt.engine.core.bll">
> ---
> Restart engine, attempt login, send me the output.
2014-09-22 10:03:57,517 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand]
(ajp--127.0.0.1-8702-7) Cant login user "Fumihide" with authentication
profile "rxc05271.com" because the authentication failed.
2014-09-22 10:03:57,534 ERROR
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(ajp--127.0.0.1-8702-7) Correlation ID: null, Call Stack: null, Custom Event
ID: -1, Message: User Fumihide cannot login, please verify the username and
password.
2014-09-22 10:03:57,545 ERROR
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(ajp--127.0.0.1-8702-7) Correlation ID: null, Call Stack: null, Custom Event
ID: -1, Message: User Fumihide failed to log in.
2014-09-22 10:03:57,545 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand]
(ajp--127.0.0.1-8702-7) CanDoAction of action LoginUser failed.
Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
(Logger level is not changed to FINEST? The output is the same as above.)
I had a mistake above... the file-handler level should be set to FINEST.
<file-handler name="ENGINE" autoflush="true">
<level name="FINEST"/>
Can you confirm?
Or better, send me the engine.xml.in file and I can see what's wrong.
Thanks!
Thanks,
Fumihide Tani
>> Please advise me; I'd be very thankful.
>>
>> Fumihide Tani
>>
>>
>> (2014/09/21 17:13), Alon Bar-Lev wrote:
>>> ----- Original Message -----
>>>> From: "Fumihide Tani" <RXC05271(a)nifty.com>
>>>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>>> Cc: users(a)ovirt.org
>>>> Sent: Sunday, September 21, 2014 11:11:11 AM
>>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>>>>
>>>> Hi, Alon
>>>>
>>>> Many thanks for your help.
>>>> My problem was solved and the AAA is working now.
>>>> I could add LDAP user. :)
>>> Great.
>>> Can you please send me a patch or modified README to make it better?
>>>
>>> Alon
>>>
>>>> Fumihide Tani
>>>>
>>>> (2014/09/21 16:19), Alon Bar-Lev wrote:
>>>>> ----- Original Message -----
>>>>>> From: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>>>>> To: "Fumihide Tani" <RXC05271(a)nifty.com>
>>>>>> Cc: users(a)ovirt.org
>>>>>> Sent: Sunday, September 21, 2014 10:19:11 AM
>>>>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> You need to create an authz extension as well (authz-company).
>>>>>> The configuration you provided establishes authentication only (authn),
>>>>>> which refers to authz-company, but you did not add it.
>>>>>>
>>>>>> The terms are:
>>>>>> 1. authn - who the user is.
>>>>>> 2. authz - what the user is permitted to do.
>>>>>> 3. profile - combination of the two.
>>>>>>
>>>>>> -----------------------------
>>>>>> # vi /etc/ovirt-engine/extensions.d/authz-company.properties
>>>>>> ovirt.engine.extension.name = authz-company
>>>>>> ovirt.engine.extension.bindings.method = jbossmodule
>>>>>> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>>>>>> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
>>>>> Sorry:
>>>>> org.ovirt.engineextensions.aaa.ldap.AuthzExtension
>>>>>> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
>>>>>> config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
>>>>>> --------------------------------------------------
>>>>>>
>>>>>> Regards,
>>>>>> Alon
>>>>
>>
>>
>
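Added example, not part of the thread: a small detector over engine.log records of the kind pasted above. It pairs each LoginBaseCommand failure with the USER_FAILED_TO_AUTHENTICATE reason that LoginUserCommand logs on the same request thread, and flags principals with repeated failures inside a sliding window. The sample records are constructed (one per line, as in the real file; the mail client wrapped the quoted ones), and the function and pattern names are my own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the engine.log records quoted in the thread (not the real file).
SAMPLE_LOG = """\
2014-09-22 09:53:27,669 INFO  [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-2) Cant login user "Fumihide" with authentication profile "rxc05271.com" because the authentication failed.
2014-09-22 09:53:27,693 WARN  [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-2) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
2014-09-22 10:03:57,517 INFO  [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-7) Cant login user "Fumihide" with authentication profile "rxc05271.com" because the authentication failed.
2014-09-22 10:03:57,545 WARN  [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-7) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
2014-09-22 10:04:02,001 INFO  [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-9) Cant login user "admin" with authentication profile "internal" because the authentication failed.
2014-09-22 10:04:02,020 WARN  [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-9) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
"""
FAIL_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+\s+INFO\s+\[org\.ovirt\.engine\.core\.bll\.aaa\.LoginBaseCommand\]'
    r'\s+\((?P<thread>[^)]+)\)\s+Cant login user "(?P<user>[^"]*)" with authentication profile "(?P<profile>[^"]*)"')
REASON_RE = re.compile(
    r'^\S+ \S+\s+WARN\s+\[org\.ovirt\.engine\.core\.bll\.aaa\.LoginUserCommand\]\s+\((?P<thread>[^)]+)\)'
    r'\s+CanDoAction of action LoginUser failed\.\s*Reasons:(?P<reason>\S+)')

def parse_failed_logins(text):
    """Failed logins as dicts (ts, thread, user, profile, reason); reason comes from the same request thread."""
    events, pending = [], {}
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            e = dict(m.groupdict(), reason=None)
            e["ts"] = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(e)
            pending[e["thread"]] = e          # wait for the matching LoginUserCommand record
        elif (m := REASON_RE.match(line)) and m["thread"] in pending:
            pending.pop(m["thread"])["reason"] = m["reason"]
    return events

def burst_alerts(events, threshold=3, window_s=900):
    """(user, profile, count) for principals with >= threshold failures inside any window_s-second span."""
    stamps = defaultdict(list)
    for e in events:
        stamps[(e["user"], e["profile"])].append(e["ts"])
    alerts = []
    for key, times in sorted(stamps.items()):
        times.sort()
        best = start = 0
        for end, ts in enumerate(times):      # sliding window over the sorted timestamps
            while (ts - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((key[0], key[1], best))
    return alerts
```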
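Added example, not part of the thread: ldapsearch prints userPassword base64-encoded (the `::` form in the output above), so whether the stored value carries a {SCHEME} prefix or is a cleartext password is only visible after decoding. This parser reads such LDIF and reports, per DN, the hash scheme or None for a cleartext value; the sample entries, make_ssha and the function names are constructed for illustration and are not the poster's data.

```python
import base64
import hashlib

def make_ssha(password: str, salt: bytes) -> str:
    """{SSHA}base64(sha1(pw + salt) + salt): the RFC 2307 form OpenLDAP stores for hashed values."""
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password.encode() + salt).digest() + salt).decode()

def parse_ldif(text: str):
    """Minimal LDIF reader: [(dn, {attr: [values]})], with 'attr:: base64' values decoded."""
    lines = []
    for raw in text.splitlines():  # drop comments, unfold continuation lines
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, attrs = [], {}
    for line in lines + [""]:
        if not line.strip():  # a blank line ends an entry; the search-result trailer has no dn
            if "dn" in attrs:
                entries.append((attrs["dn"][0], attrs))
            attrs = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        attrs.setdefault(name, []).append(value.strip())
    return entries

def password_schemes(ldif_text: str):
    """DN -> hash scheme of its userPassword ('SSHA', ...), or None when the value is stored cleartext."""
    result = {}
    for dn, attrs in parse_ldif(ldif_text):
        for pw in attrs.get("userPassword", []):
            result[dn] = pw[1:pw.index("}")].upper() if pw.startswith("{") and "}" in pw else None
    return result

# Constructed sample in the shape of the ldapsearch output above (all values made up).
SAMPLE_LDIF = f"""\
# tani, Users, rxc05271.com
dn: uid=tani,ou=Users,dc=rxc05271,dc=com
userPassword:: {base64.b64encode(b'password').decode()}

dn: uid=hashed,ou=Users,dc=rxc05271,dc=com
userPassword:: {base64.b64encode(make_ssha('password', b's4lt').encode()).decode()}

search: 2
result: 0 Success
"""
```

A bind identity that can read userPassword at all, as the search above could, is itself worth reviewing in the directory's access rules; the check only classifies what the search returned.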