Provided the "user role" permissions, still the same issue.
On Wed, Sep 23, 2015 at 12:48 PM, Ondra Machacek <omachace(a)redhat.com> wrote:
Hi,
your user nbudoor(a)abc.net doesn't have appropriate permissions to login.
First you need to login as 'admin@internal' and assign him some
permissions, then you will be able to login.
Ondra
On 09/23/2015 09:15 AM, Budur Nagaraju wrote:
HI All,
After rectifying this I am able to search the domain in the users in the UI,
but unable to login, getting the below error:
2015-09-23 12:41:47,482 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for user nbudoor(a)abc.net. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
Thanks,
Nagaraju
On Wed, Sep 23, 2015 at 12:13 PM, Ondra Machacek <omachace(a)redhat.com> wrote:
> Hi,
>
> as Alon already said, you have trailing space in your configuration
>
> 'my.abc.net ' <-- space at the end
>
> Please remove this space and try again.
>
> Ondra
>
>
> On 09/23/2015 05:35 AM, Budur Nagaraju wrote:
>
> HI Alon,
>
> Tried all the options but no luck.
>
> I have copied the logs to the pastebin; below is the link. The warning
> message is that it is unable to resolve the DNS. Let me know of any help
> I could get.
>
>
http://pastebin.com/7qN9QnHK
>
> Thanks,
> Nagaraju
>
>
> On Tue, Sep 22, 2015 at 8:44 PM, Daniel Helgenberger <daniel.helgenberger(a)m-box.de> wrote:
>
>> Hello Budur,
>>
>> I've done this recently. Alon, no offense, but the docs are not quite
>> straightforward...
>>
>> Requirements:
>> - LDAP server (obviously) - called here ldap.mydomain.com
>> - LDAP bind account - called here ldap@mydomain.com, password 'Passw@rd'
>> - At least one existing account in ldap, called user@mydomain.com
>>
>> Please note, the most common issue will be DNS.
>>
>> I'll describe in short what steps need to be taken. All this needs to be
>> done on your engine host. In the end this was quite easy :)
>>
>> 1. Install the packages: ovirt-engine-extension-aaa-ldap and
>> openldap-clients (these are only for testing your setup)
>> 2. Test if ldap is working in general. (The extension uses the global
>> catalog at least for AD, this was news to me):
>> # ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H ldap://ldap.mydomain.com:3268/ -x \
>>   -D 'ldap@mydomain.com' -w Passw@rd -b '' '(userPrincipalName=user@mydomain.com)' cn userPrincipalName
>>
>> If this command does not return details of the user, do debug your
>> ldap and continue once this works. Example:
>>
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <> with scope subtree
>> # filter: (userPrincipalName=user@mydomain.com)
>> # requesting: cn userPrincipalName
>> # with pagedResults control: size=1024
>> #
>>
>> # Some Name, some-ou, mydomain.com
>> dn: CN=Some Name,OU=some-ou,DC=mydomain,DC=com
>> cn: Some Name
>> userPrincipalName: user@mydomain.com
>>
>> # search result
>> search: 2
>> result: 0 Success
>> control: 1.2.840.113556.1.4.319 false MIQXGSGSGSgEABAA=
>> pagedresults: cookie=
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>>
>> 3. Copy the examples as mentioned from the readme.
>> 4. You only need to modify
>> /etc/ovirt-engine/aaa/int.m-box.de.properties; leave the rest as is.
>> 5. There, set:
>>
>> vars.domain = ldap.mydomain.com
>> vars.user = ldap@${global:vars.domain}
>> vars.password = Passw@rd
>>
>> 6. Restart ovirt engine service
>> 7. Log in as admin@internal and add user rights and roles from the new
>> provider
>>
>> Hope this helps.
>>
>> On 22.09.2015 16:46, Budur Nagaraju wrote:
>> >
>> > below are the three files which I have modified.
>> >
>> >
>> > [root@cstlb2 extensions.d]# cat profile1-authn.properties
>> > ovirt.engine.extension.name = cloudspin-authn
>> > ovirt.engine.extension.bindings.method = jbossmodule
>> > ovirt.engine.extension.binding.jbossmodule.module =
>> > org.ovirt.engine-extensions.aaa.ldap
>> > ovirt.engine.extension.binding.jbossmodule.class =
>> > org.ovirt.engineextensions.aaa.ldap.AuthnExtension
>> > ovirt.engine.extension.provides =
>> org.ovirt.engine.api.extensions.aaa.Authn
>> > ovirt.engine.aaa.authn.profile.name = cloudspin
>> > ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth
>> > config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
>> >
>> >
>> > [root@cstlb2 extensions.d]# ls
>> > profile1-authn.properties profile1-authz.properties
>> > [root@cstlb2 extensions.d]# cat profile1-authz.properties
>> > ovirt.engine.extension.name = cloudspin-authz
>> > ovirt.engine.extension.bindings.method = jbossmodule
>> > ovirt.engine.extension.binding.jbossmodule.module =
>> > org.ovirt.engine-extensions.aaa.ldap
>> > ovirt.engine.extension.binding.jbossmodule.class =
>> > org.ovirt.engineextensions.aaa.ldap.AuthzExtension
>> > ovirt.engine.extension.provides =
>> org.ovirt.engine.api.extensions.aaa.Authz
>> > config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
>> > [root@cstlb2 extensions.d]#
>> >
>> >
>> >
>> > [root@cstlb2 aaa]# pwd
>> > /etc/ovirt-engine/aaa
>> > [root@cstlb2 aaa]# ls
>> > ldap1.properties
>> > [root@cstlb2 aaa]# cat ldap1.properties
>> > #
>> > # Select one
>> > #
>> > include = <openldap.properties>
>> > #include = <389ds.properties>
>> > #include = <rhds.properties>
>> > #include = <ipa.properties>
>> > #include = <iplanet.properties>
>> > #include = <rfc2307.properties>
>> > #include = <rfc2307-openldap.properties>
>> >
>> > #
>> > # Server
>> > #
>> > vars.server = my.abc.net 
>> >
>> > #
>> > # Search user and its password.
>> > #
>> > vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=nbudoor,dc=net
>> > vars.password = company
>> >
>> > pool.default.serverset.single.server = ${global:vars.server}
>> > pool.default.auth.simple.bindDN = ${global:vars.user}
>> > pool.default.auth.simple.password = ${global:vars.password}
>> >
>> > # Create keystore, import certificate chain and uncomment
>> > # if using ssl/tls.
>> > #pool.default.ssl.startTLS = true
>> > #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
>> > #pool.default.ssl.truststore.password = changeit
>> > [root@cstlb2 aaa]#
>> >
>> >
>> >
>> >
>> >
>> >
>> > On Tue, Sep 22, 2015 at 8:07 PM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
>> >
>> >
>> >
>> > ----- Original Message -----
>> > > From: "Budur Nagaraju" <nbudoor(a)gmail.com>
>> > > To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>> > > Cc: users@ovirt.org
>> > > Sent: Tuesday, September 22, 2015 5:35:16 PM
>> > > Subject: Re: [ovirt-users] LDAP Authentication
>> > >
>> > > It's too complicated, do you have any script or video?
>> >
>> > in 3.6 we have a setup script.
>> > for now:
>> >
>> > cp -r /usr/share/ovirt-engine/examples/simple/. /etc/ovirt-engine/
>> >
>> > this is written in the README.
>> >
>> > then customize files at /etc/ovirt-engine/extensions.d/*
>> > /etc/ovirt-engine/aaa/* to match your setup
>> >
>> > >
>> > >
>> > > On Tue, Sep 22, 2015 at 8:00 PM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
>> > >
>> > > >
>> > > >
>> > > > ----- Original Message -----
>> > > > > From: "Budur Nagaraju" <nbudoor(a)gmail.com>
>> > > > > To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>> > > > > Cc: users@ovirt.org
>> > > > > Sent: Tuesday, September 22, 2015 5:24:36 PM
>> > > > > Subject: Re: [ovirt-users] LDAP Authentication
>> > > > >
>> > > > > HI Alon,
>> > > > >
>> > > > > Below is the configuration which I have done, but unable to
>> > > > > search the users in UI.
>> > > > > Can you please help me?
>> > > >
>> > > > you need three files, see the
>> > > > /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple
>> > > >
>> > > > >
>> > > > >
>> > > > > [root@cstlb2 aaa]# cat ldap1.properties
>> > > > > #
>> > > > > # Select one
>> > > > > #
>> > > > > include = <openldap.properties>
>> > > > > #include = <389ds.properties>
>> > > > > #include = <rhds.properties>
>> > > > > #include = <ipa.properties>
>> > > > > #include = <iplanet.properties>
>> > > > > #include = <rfc2307.properties>
>> > > > > #include = <rfc2307-openldap.properties>
>> > > > >
>> > > > > #
>> > > > > # Server
>> > > > > #
>> > > > > vars.server =my.abc.net 
>> > > > >
>> > > > > #
>> > > > > # Search user and its password.
>> > > > > #
>> > > > > vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=abc,dc=net
>> > > > > vars.password = company1
>> > > > >
>> > > > > pool.default.serverset.single.server = ${global:vars.server}
>> > > > > pool.default.auth.simple.bindDN = ${global:vars.user}
>> > > > > pool.default.auth.simple.password = ${global:vars.password}
>> > > > >
>> > > > > # Create keystore, import certificate chain and uncomment
>> > > > > # if using ssl/tls.
>> > > > > #pool.default.ssl.startTLS = true
>> > > > > #pool.default.ssl.truststore.file =
>> > > > > ${local:_basedir}/${global:vars.server}.jks
>> > > > > #pool.default.ssl.truststore.password = changeit
>> > > > > [root@cstlb2 aaa]#
>> > > > >
>> > > > >
>> > > > >
>> > > > > On Tue, Sep 22, 2015 at 7:25 PM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
>> > > > >
>> > > > > >
>> > > > > >
>> > > > > > ----- Original Message -----
>> > > > > > > From: "Budur Nagaraju" <nbudoor(a)gmail.com>
>> > > > > > > To: users@ovirt.org
>> > > > > > > Sent: Tuesday, September 22, 2015 4:34:46 PM
>> > > > > > > Subject: [ovirt-users] LDAP Authentication
>> > > > > > >
>> > > > > > > HI All,
>> > > > > > >
>> > > > > > > Can someone help me in configuring LDAP authentication for Ovirt?
>> > > > > >
>> > > > > > Please review:
>> > > > > > http://www.ovirt.org/Features/AAA
>> > > > > >
>> > > > > >
>> > > > > > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=b...
>> > > > > >
>> > > > >
>> > > >
>> > >
>> >
>> >
>>
>> --
>> Daniel Helgenberger
>> m box bewegtbild GmbH
>>
>> P: +49/30/2408781-22
>> F: +49/30/2408781-10
>>
>> ACKERSTR. 19
>> D-10115 BERLIN
>>
>>
>>
>> www.m-box.de / www.monkeymen.tv
>>
>> Managing directors: Martin Retschitzegger / Michaela Göllner
>> Commercial register: Amtsgericht Charlottenburg / HRB 112767
>>
>
>
>
> _______________________________________________
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
>
>
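The thread turns on three things that are easy to miss by eye: a trailing space in `vars.server` that propagates through `${global:vars.server}` into the pool setting, the authn profile having to name the authz extension exactly, and the `USER_NOT_AUTHORIZED_TO_PERFORM_ACTION` warning meaning that the directory accepted the credentials but no oVirt role has been assigned yet. The following Python linter is an added example and is not code from the thread or from ovirt-engine-extension-aaa-ldap; its `${global:key}` expansion is a simplified reimplementation (an assumption about the engine's semantics), and the property files and log line it checks are constructed samples that mirror what was pasted above.

```python
"""Lint oVirt aaa-ldap property files for the mistakes this thread ran into.

Added example, not code from the thread or from ovirt-engine-extension-aaa-ldap.
The ${global:key} expansion is a simplified reimplementation (assumption), and
the sample inputs are constructed to mirror what was pasted in the thread.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample mirroring the pasted ldap1.properties. Note the trailing
# space after my.abc.net, which is the problem Alon and Ondra pointed out.
SAMPLE_LDAP_PROPERTIES = (
    "#\n# Select one\n#\n"
    "include = <openldap.properties>\n"
    "vars.server = my.abc.net \n"
    "vars.user = uid=search,cn=nbudoor,cn=users,dc=abc,dc=net\n"
    "vars.password = company\n"
    "pool.default.serverset.single.server = ${global:vars.server}\n"
    "pool.default.auth.simple.bindDN = ${global:vars.user}\n"
    "pool.default.auth.simple.password = ${global:vars.password}\n"
)

# Constructed extension files: the authn profile points at its authz plugin.
SAMPLE_AUTHN_PROPERTIES = (
    "ovirt.engine.extension.name = cloudspin-authn\n"
    "ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth\n"
)
SAMPLE_AUTHZ_PROPERTIES = "ovirt.engine.extension.name = cloudspin-authz\n"

# Constructed engine.log line in the shape quoted in the thread.
SAMPLE_LOG = [
    "2015-09-23 12:41:47,482 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] "
    "(ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for user "
    "nbudoor@abc.net. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION",
]

GLOBAL_REF = re.compile(r"\$\{global:([^}]+)\}")
HOSTNAME = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
LOGIN_FAILURE = re.compile(r"LoginAdminUser failed for user (\S+)\. Reasons: (\S+)")


def parse_properties(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines. Leading whitespace of the value is dropped;
    trailing whitespace is deliberately kept so the linter can see it."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.lstrip(" \t")
    return props


def resolve(props: Dict[str, str], value: str, depth: int = 0) -> str:
    """Expand ${global:key} references recursively (simplified, assumed semantics)."""
    if depth > 10:
        raise ValueError("reference loop in properties")
    return GLOBAL_REF.sub(
        lambda m: resolve(props, props.get(m.group(1), ""), depth + 1), value
    )


def lint_ldap_properties(props: Dict[str, str]) -> List[str]:
    """Report the configuration problems a search/login failure usually traces back to."""
    findings: List[str] = []
    for key, value in props.items():
        if value != value.rstrip():
            findings.append(f"{key}: trailing whitespace in value {value!r}")
    server = resolve(props, props.get("pool.default.serverset.single.server", ""))
    if not HOSTNAME.match(server):
        findings.append(f"server resolves to {server!r}, which is not a valid hostname")
    if not resolve(props, props.get("pool.default.auth.simple.password", "")):
        findings.append("bind password resolves to an empty string")
    return findings


def lint_extension_pair(authn: Dict[str, str], authz: Dict[str, str]) -> List[str]:
    """The authn profile's authz.plugin must name the authz extension exactly."""
    plugin = authn.get("ovirt.engine.aaa.authn.authz.plugin", "").rstrip()
    name = authz.get("ovirt.engine.extension.name", "").rstrip()
    if plugin != name:
        return [f"authn authz.plugin {plugin!r} does not match authz extension name {name!r}"]
    return []


def failed_logins(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Extract (user, reason) from LoginAdminUser warnings.
    USER_NOT_AUTHORIZED_TO_PERFORM_ACTION means the directory accepted the
    credentials but no oVirt role is assigned yet (assign one as admin@internal)."""
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        m = LOGIN_FAILURE.search(line)
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    for finding in lint_ldap_properties(parse_properties(SAMPLE_LDAP_PROPERTIES)):
        print("ldap1.properties:", finding)
    for finding in lint_extension_pair(parse_properties(SAMPLE_AUTHN_PROPERTIES),
                                       parse_properties(SAMPLE_AUTHZ_PROPERTIES)):
        print("extensions.d:", finding)
    for user, reason in failed_logins(SAMPLE_LOG):
        print(f"engine.log: login of {user} failed with {reason}")
```

Run against the pasted-style input it reports the trailing space on `vars.server`, the resolved server value that is therefore not a valid hostname, and the `cloudspin-auth` / `cloudspin-authz` name mismatch; with the space removed the LDAP file lints clean. Point `parse_properties` at the real files under /etc/ovirt-engine/aaa/ and /etc/ovirt-engine/extensions.d/ to check a live setup.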