
From: Richard Neuboeck <hawk@tbi.univie.ac.at>
To: Ondra Machacek <omachace@redhat.com>, users <users@ovirt.org>
Subject: Re: [ovirt-users] Unable to add permissions for LDAP users
Message-ID: <fc8ab02e-6353-43f9-5133-decb2d39495f@tbi.univie.ac.at>
In-Reply-To: <32d6b45e-b3b2-eeae-1b7b-87af2d9c3bbd@redhat.com>
References: <SN1PR10MB071807A20FF1DCCB62983C19D5C70@SN1PR10MB0718.namprd10.prod.outlook.com> <32d6b45e-b3b2-eeae-1b7b-87af2d9c3bbd@redhat.com>

Hi,

I seem to experience the same problem right now and am at a bit of a loss as to where to dig for some more troubleshooting information. I would highly appreciate some help.

Here is what I have and what I did:

ovirt-engine-4.1.0.4-1.el7.centos.noarch
ovirt-engine-extension-aaa-ldap-1.3.0-1.el7.noarch

I executed ovirt-engine-extension-aaa-ldap-setup. My LDAP provider is 389ds (FreeIPA). I can successfully run a search and also log in from the setup script. After running the setup I rebooted the Engine VM to make sure everything is restarted.

In the web UI configuration for 'System Permissions' I'm able to find users from LDAP but when I try to 'Add' a selected user the UI shows me this error: 'User admin@internal-authz failed to grant permission for Role SuperUser on System to User/Group <UNKNOWN>.'

In the engine.log the following lines are generated:

2017-03-09 14:02:49,308+01 INFO  [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-6-thread-4) [1ebae5e0-e5f6-49ba-ac80-95266c582893] Running command: AddSystemPermissionCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group MANIPULATE_PERMISSIONS with role type USER, ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group ADD_USERS_AND_GROUPS_FROM_DIRECTORY with role type USER
2017-03-09 14:02:49,319+01 ERROR [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-6-thread-4) [1ebae5e0-e5f6-49ba-ac80-95266c582893] Transaction rolled-back for command 'org.ovirt.engine.core.bll.AddSystemPermissionCommand'.
2017-03-09 14:02:49,328+01 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-6-thread-4) [1ebae5e0-e5f6-49ba-ac80-95266c582893] EVENT_ID: USER_ADD_SYSTEM_PERMISSION_FAILED(867), Correlation ID: 1ebae5e0-e5f6-49ba-ac80-95266c582893, Call Stack: null, Custom Event ID: -1, Message: User admin@internal-authz failed to grant permission for Role SuperUser on System to User/Group <UNKNOWN>.

So far I've re-run the ldap-setup routine. I made sure all newly generated files in /etc/ovirt-engine/[aaa|extensions.d] are owned by ovirt:ovirt (instead of root) and have 0600 as permission (instead of 0644). That didn't change anything.

I've also found an older bug report, but for oVirt 3.5:
https://bugzilla.redhat.com/show_bug.cgi?id=1121954
That didn't reveal anything new either.

Any ideas what I could try next?

Thanks!
Cheers
Richard

On 10/06/2016 04:36 PM, Ondra Machacek wrote:
> On 10/06/2016 01:47 PM, Michael Burch wrote:
> > I'm using the latest ovirt on CentOS7 with the aaa-ldap extension. I can successfully authenticate as an LDAP user. I can also log in as admin@internal and search for, find, and select LDAP users but I cannot add permissions for them. Each time I get the error "User admin@internal-authz failed to grant permission for Role UserRole on System to User/Group <UNKNOWN>."
>
> This error usually means a bad unique attribute is used.
>
> > I have no control over the LDAP server, which uses custom objectClasses and uses groupOfNames instead of PosixGroups. I assume I need to set sequence variables to accommodate our group configuration but I'm at a loss as to where to begin. The config I have is as follows:
> >
> > include = <rfc2307-generic.properties>
> >
> > vars.server = labauth.lan.lab.org
> >
> > pool.authz.auth.type = none
> > pool.default.serverset.type = single
> > pool.default.serverset.single.server = ${global:vars.server}
> > pool.default.ssl.startTLS = true
> > pool.default.ssl.insecure = true
> >
> > pool.default.connection-options.connectTimeoutMillis = 10000
> > pool.default.connection-options.responseTimeoutMillis = 90000
> >
> > sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
> > sequence.my-basedn-init-vars.010.description = set baseDN
> > sequence.my-basedn-init-vars.010.type = var-set
> > sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
> > sequence.my-basedn-init-vars.010.var-set.value = o=LANLAB
> >
> > sequence-init.init.101-my-objectclass-init-vars = my-objectclass-init-vars
> > sequence.my-objectclass-init-vars.020.description = set objectClass
> > sequence.my-objectclass-init-vars.020.type = var-set
> > sequence.my-objectclass-init-vars.020.var-set.variable = simple_filterUserObject
> > sequence.my-objectclass-init-vars.020.var-set.value = (objectClass=labPerson)(uid=*)
> >
> > search.default.search-request.derefPolicy = NEVER
> >
> > sequence-init.init.900-local-init-vars = local-init-vars
> > sequence.local-init-vars.010.description = override name space
> > sequence.local-init-vars.010.type = var-set
> > sequence.local-init-vars.010.var-set.variable = simple_namespaceDefault
> > sequence.local-init-vars.010.var-set.value = *
>
> What's this^ for? I think it's unusable.
>
> > sequence.local-init-vars.020.description = apply filter to users
> > sequence.local-init-vars.020.type = var-set
> > sequence.local-init-vars.020.var-set.variable = simple_filterUserObject
> > sequence.local-init-vars.020.var-set.value = ${seq:simple_filterUserObject}(employeeStatus=3)
> >
> > sequence.local-init-vars.030.description = apply filter to groups
> > sequence.local-init-vars.030.type = var-set
> > sequence.local-init-vars.030.var-set.variable = simple_filterGroupObject
> > sequence.local-init-vars.030.var-set.value = (objectClass=groupOfUniqueNames)
>
> This looks like a hard-to-maintain file. I would suggest you insert into this file just the following:
>
> include = <rfc2307-mycustom.properties>
>
> vars.server = labauth.lan.lab.org
>
> pool.authz.auth.type = none
> pool.default.serverset.type = single
> pool.default.serverset.single.server = ${global:vars.server}
> pool.default.ssl.startTLS = true
> pool.default.ssl.insecure = true
>
> pool.default.connection-options.connectTimeoutMillis = 10000
> pool.default.connection-options.responseTimeoutMillis = 90000
>
> # Set custom base DN
> sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
> sequence.my-basedn-init-vars.010.description = set baseDN
> sequence.my-basedn-init-vars.010.type = var-set
> sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
> sequence.my-basedn-init-vars.010.var-set.value = o=LANLAB
>
> And then create in the directory '/usr/share/ovirt-engine-extension-aaa-ldap/profiles/' the file 'rfc2307-mycustom.properties' with the content:
>
> include = <rfc2307.properties>
>
> sequence-init.init.100-rfc2307-mycustom-init-vars = rfc2307-mycustom-init-vars
> sequence.rfc2307-mycustom-init-vars.010.description = set unique attr
> sequence.rfc2307-mycustom-init-vars.010.type = var-set
> sequence.rfc2307-mycustom-init-vars.010.var-set.variable = rfc2307_attrsUniqueId
> sequence.rfc2307-mycustom-init-vars.010.var-set.value = FIND_THIS_ONE
>
> sequence.rfc2307-mycustom-init-vars.020.type = var-set
> sequence.rfc2307-mycustom-init-vars.020.var-set.variable = simple_filterUserObject
> sequence.rfc2307-mycustom-init-vars.020.var-set.value = (objectClass=labPerson)(employeeStatus=3)(${seq:simple_attrsUserName}=*)
>
> Replace FIND_THIS_ONE with the unique attribute of labPerson (I guess). It can be an extended attribute (+, ++).
>
> $ LDAPTLS_REQCERT=never ldapsearch -ZZ -x -b 'o=LANLAB' -H ldap://labauth.lan.lab.org 'objectClass=labPerson'
>
> maybe (or even with two +):
>
> $ LDAPTLS_REQCERT=never ldapsearch -ZZ -x -b 'o=LANLAB' -H ldap://labauth.lan.lab.org 'objectClass=labPerson' +
>
> The question is whether your implementation even has a unique attribute. Does it?
>
> Also, could you share what your LDAP provider is? And maybe if you share the content of some user, it would help as well.
> _______________________________________________
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
-- 
/dev/null
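The advice in the quoted reply is to dump the user entries with ldapsearch (with '+' for operational attributes) and pick an attribute that is actually unique, and the "User/Group <UNKNOWN>" failure reported twice in this thread is the symptom when the engine cannot resolve a user by the attribute named in rfc2307_attrsUniqueId. The script below is an added example, not code from the thread and not part of ovirt-engine-extension-aaa-ldap: it parses the LDIF written by such a search and reports which attributes are present on every entry, single-valued, and never repeated, which is what the unique id has to satisfy. The embedded LDIF, its three users, and the nsUniqueId values are constructed for the example; the attribute names are an assumption about what a 389ds/FreeIPA server returns, not taken from a real dump.

```python
"""Find attributes usable as rfc2307_attrsUniqueId in an ldapsearch LDIF dump.

Added example, not code from the thread or from ovirt-engine-extension-aaa-ldap.
A usable unique id must exist on every user entry, be single-valued and never
repeat across entries; this script checks a dump for exactly those properties.
"""
import base64
import re
import sys
from collections import Counter

# Constructed sample (three made-up labPerson users; '+' in the ldapsearch
# adds operational attributes such as nsUniqueId).  Names and ids are invented.
SAMPLE_LDIF = """\
# jdoe, people, LANLAB
dn: uid=jdoe,ou=people,o=LANLAB
objectClass: labPerson
uid: jdoe
cn: Jane Doe
mail: jdoe@lan.lab.org
employeeStatus: 3
nsUniqueId: 3b1c5a2e-9f0d11e6-8c1e8f1b-2d6a4f10

dn: uid=jsmith,ou=people,o=LANLAB
objectClass: labPerson
uid: jsmith
cn: John Smith
mail: jsmith@lan.lab.org
mail: john.smith@lan.lab.org
employeeStatus: 3
nsUniqueId: 3b1c5a2f-9f0d11e6-8c1e8f1b-2d6a4f10

dn: uid=rdupont,ou=people,o=LANLAB
objectClass: labPerson
uid: rdupont
cn:: UmVuw6kgRHVwb250
mail: rdupont@lan.lab.org
employeeStatus: 3
description: Visiting researcher, labora
 tory 3
nsUniqueId: 3b1c5a30-9f0d11e6-8c1e8f1b-2d6a4f10

search: 2
result: 0 Success
"""

_ATTR_LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")

def parse_ldif(text):
    """One {attribute: [values]} dict per entry; blocks without a dn are dropped."""
    entries, current = [], {}
    # Unfold continuation lines (newline followed by one space) first.
    for line in re.sub(r"\r?\n ", "", text).splitlines():
        if not line.strip():                       # blank line ends an entry
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        m = _ATTR_LINE.match(line)
        if line[0] == "#" or line.startswith("version:") or not m:
            continue                               # comment, version or junk line
        attr, sep, value = m.groups()
        if sep == "::":                            # base64-encoded value
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr, []).append(value)
    if "dn" in current:                            # ldapsearch's search:/result:
        entries.append(current)                    # trailer has no dn and is dropped
    return entries

def classify_attributes(entries):
    """Map each attribute to "ok" or the reason it cannot be the unique id."""
    total, report = len(entries), {}
    for attr in sorted(set().union(*entries)):
        if attr == "dn":     # a DN changes on rename; that is why the engine
            continue         # keys on a separate id attribute in the first place
        present = [e[attr] for e in entries if attr in e]
        multi = sum(1 for v in present if len(v) != 1)
        counts = Counter(v[0] for v in present if len(v) == 1)
        dupes = sorted(v for v, n in counts.items() if n > 1)
        if len(present) != total:
            report[attr] = "missing on %d of %d entries" % (total - len(present), total)
        elif multi:
            report[attr] = "multi-valued on %d of %d entries" % (multi, total)
        elif dupes:
            report[attr] = "value repeated across entries: %s" % ", ".join(dupes)
        else:
            report[attr] = "ok"
    return report

def unique_id_candidates(entries):
    """Attribute names that pass all three checks, sorted."""
    return [a for a, r in classify_attributes(entries).items() if r == "ok"]

if __name__ == "__main__":
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for attr, reason in classify_attributes(parse_ldif(src)).items():
        print("%-16s %s" % (attr, reason))
```

Run it with the saved ldapsearch output as its argument, or with no argument to see the constructed sample, where it reports uid, cn and nsUniqueId as candidates and rejects mail (multi-valued on one entry), description (missing on two) and employeeStatus (the same value everywhere). That cn passes with three users illustrates the caveat: "ok" only means no collision in this dump, so prefer an attribute whose uniqueness the directory itself guarantees (on 389ds the operational nsUniqueId, on FreeIPA additionally ipaUniqueID on IPA user objects) over one that merely happens to be unique today; the engine persists the chosen id with the user record, so changing the attribute later means redoing existing grants. Take the dump with LDAPTLS_REQCERT=never only while diagnosing, and for the same reason drop pool.default.ssl.insecure = true from the profile once the engine trusts the server's CA, since both switch off certificate checking on the StartTLS session.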