
Not sure what adds CRLF to your file... please use a *NIX editor, please use dos2unix to remove these.

Per our previous discussion, you should modify:

<file-handler name="ENGINE" autoflush="true">
<level name="INFO"/>

Into:

<file-handler name="ENGINE" autoflush="true">
<level name="FINEST"/>

You should see a difference.
Thanks!

----- Original Message -----
From: "Fumihide Tani" <RXC05271@nifty.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: users@ovirt.org
Sent: Monday, September 22, 2014 2:36:05 PM
Subject: Re: [ovirt-users] Can not configure with simple LDAP.
Hi, Alon,
I modified ovirt-engine.xml.in and restarted ovirt-engine. Attached is the modified ovirt-engine.xml.in. The engine.log output is the following (unfortunately, the result was the same):

-----
2014-09-22 19:48:11,245 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-2) Cant login user "Fumihide" with authentication profile "rxc05271.com" because the authentication failed.
2014-09-22 19:48:11,257 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide cannot login, please verify the username and password.
2014-09-22 19:48:11,265 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide failed to log in.
2014-09-22 19:48:11,266 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-2) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
-----

As the cause of the OpenLDAP user login failure, I suspect that my OpenLDAP password encryption method setting does not match what oVirt expects. Is there any method to verify this?
Thanks,
(2014/09/22 19:15), Alon Bar-Lev wrote:
You need to add the following:
+ <logger category="org.ovirt.engineextensions.aaa.ldap">
+ <level name="FINEST"/>
+ </logger>
<logger category="org.ovirt.engine.core.bll">

Look at the + lines, please add these (without the +) just before:
<logger category="org.ovirt.engine.core.bll">
Thanks!
----- Original Message -----
From: "Fumihide Tani" <RXC05271@nifty.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: users@ovirt.org
Sent: Monday, September 22, 2014 1:10:57 PM
Subject: Re: [ovirt-users] Can not configure with simple LDAP.
(2014/09/22 15:00), Alon Bar-Lev wrote:
----- Original Message -----
From: "Fumihide Tani" <RXC05271@nifty.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: users@ovirt.org
Sent: Monday, September 22, 2014 4:16:17 AM
Subject: Re: [ovirt-users] Can not configure with simple LDAP.
(2014/09/22 0:16), Alon Bar-Lev wrote:
----- Original Message -----
> From: "Fumihide Tani" <RXC05271@nifty.com>
> To: "Alon Bar-Lev" <alonbl@redhat.com>
> Cc: users@ovirt.org
> Sent: Sunday, September 21, 2014 6:00:48 PM
> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>
> Hi, Alon,
>
> Following Alon's advice, I added the authz-company.properties file to the
> configuration directory.
> Then OpenLDAP users can be searched from the oVirt Web Admin, and I could
> add its users to the portal successfully.
>
> But I have another problem.
> These OpenLDAP users that I added cannot log in to the oVirt web user
> portal.
>
> User Name: Fumihide (This is shown on the Web Admin Portal "Users" tab as
> "First Name")
> Password: (I specified it as OpenLDAP's userPassword for "Fumihide")
> Domain: rxc05271.com (I selected it instead of "internal")
>

1. What error do you get at the UI?

"The user name or password is incorrect."

2. Please look at engine.log while attempting to log in, to see if there is something helpful.

2014-09-22 09:53:27,669 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-2) Cant login user "Fumihide" with authentication profile "rxc05271.com" because the authentication failed.
2014-09-22 09:53:27,685 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide cannot login, please verify the username and password.
2014-09-22 09:53:27,693 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide failed to log in.
2014-09-22 09:53:27,693 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-2) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
3. Please make sure that the following is a success:

$ ldapsearch -h <HOST> -x -W -D <LOGIN_USER_DN> -b <BASE_DN> uid=<LOGIN_NAME>

[root@ovirt ~]# ldapsearch -H ldapi:/// -x -W -D "uid=tani,ou=Users,dc=rxc05271,dc=com" -b 'dc=rxc05271,dc=com' -x '(uid=tani)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=rxc05271,dc=com> with scope subtree
# filter: (uid=tani)
# requesting: ALL
#

# tani, Users, rxc05271.com
dn: uid=tani,ou=Users,dc=rxc05271,dc=com
objectClass: inetOrgPerson
objectClass: uidObject
uid: tani
cn: Fumihide Tani
givenName: Fumihide
mail: tani@rxc05271.com
sn: Tani
userPassword:: a3VtaXRhbg==

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@ovirt ~]#
4. If working, please modify /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in

---
<file-handler name="ENGINE" autoflush="true">
- <level name="INFO"/>
- <level name="FINEST"/>
<snip>
+ <logger category="org.ovirt.engineextensions.aaa.ldap">
+ <level name="FINEST"/>
+ </logger>
<logger category="org.ovirt.engine.core.bll">
---

Restart the engine, attempt a login, and send me the output.

2014-09-22 10:03:57,517 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-7) Cant login user "Fumihide" with authentication profile "rxc05271.com" because the authentication failed.
2014-09-22 10:03:57,534 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-7) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide cannot login, please verify the username and password.
2014-09-22 10:03:57,545 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-7) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide failed to log in.
2014-09-22 10:03:57,545 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-7) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
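Review bot: in the file-handler hunk both `<level name="INFO"/>` and `<level name="FINEST"/>` carry a `-` marker, so as written the hunk removes the INFO level and adds nothing in its place; the `<level name="FINEST"/>` line should be a `+` line, which the later remark in this thread ("the file-handler level should be set to finest") confirms. The second hunk, the three `+` logger lines placed just before `<logger category="org.ovirt.engine.core.bll">`, is consistent with the instructions given elsewhere in the thread.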
(Is the logger level not changed to FINEST? The output is the same as above.)

I made a mistake above... the file-handler level should be set to FINEST.

<file-handler name="ENGINE" autoflush="true">
<level name="FINEST"/>

Can you confirm? Or, best, send me the engine.xml.in file and I can see what's wrong.

Thanks!

I set the file-handler's level name to "FINEST", but the output is the same as before. I attached the ovirt-engine.xml.in.
Regards,
Thanks, Fumihide Tani
> Please advise me; I would be very thankful.
>
> Fumihide Tani
>
>
> (2014/09/21 17:13), Alon Bar-Lev wrote:
>> ----- Original Message -----
>>> From: "Fumihide Tani" <RXC05271@nifty.com>
>>> To: "Alon Bar-Lev" <alonbl@redhat.com>
>>> Cc: users@ovirt.org
>>> Sent: Sunday, September 21, 2014 11:11:11 AM
>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>>>
>>> Hi, Alon
>>>
>>> Many thanks for your help.
>>> My problem was solved and the AAA is working now.
>>> I could add an LDAP user. :)
>> Great.
>> Can you please send me a patch or modified README to make it better?
>>
>> Alon
>>
>>> Fumihide Tani
>>>
>>> (2014/09/21 16:19), Alon Bar-Lev wrote:
>>>> ----- Original Message -----
>>>>> From: "Alon Bar-Lev" <alonbl@redhat.com>
>>>>> To: "Fumihide Tani" <RXC05271@nifty.com>
>>>>> Cc: users@ovirt.org
>>>>> Sent: Sunday, September 21, 2014 10:19:11 AM
>>>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>>>>>
>>>>> Hi,
>>>>>
>>>>> You need to create an authz extension as well (authz-company).
>>>>> The configuration you provided establishes authentication only (authn),
>>>>> which refers to authz-company, but you did not add it.
>>>>>
>>>>> The terms are:
>>>>> 1. authn - who the user is.
>>>>> 2. authz - what the user is permitted to do.
>>>>> 3. profile - combination of the two.
>>>>>
>>>>> -----------------------------
>>>>> # vi /etc/ovirt-engine/extensions.d/authz-company.properties
>>>>> ovirt.engine.extension.name = authz-company
>>>>> ovirt.engine.extension.bindings.method = jbossmodule
>>>>> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>>>>> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
>>>> Sorry:
>>>> org.ovirt.engineextensions.aaa.ldap.AuthzExtension
>>>>> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
>>>>> config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
>>>>> --------------------------------------------------
>>>>>
>>>>> Regards,
>>>>> Alon