Not sure what adds CRLF to your file... please use a *NIX editor, or use dos2unix to remove these.
Per our previous discussion, you should modify:
<file-handler name="ENGINE" autoflush="true">
<level name="INFO"/>
Into:
<file-handler name="ENGINE" autoflush="true">
<level name="FINEST"/>
You should see a difference.
Thanks!
----- Original Message -----
From: "Fumihide Tani" <RXC05271(a)nifty.com>
To: "Alon Bar-Lev" <alonbl(a)redhat.com>
Cc: users(a)ovirt.org
Sent: Monday, September 22, 2014 2:36:05 PM
Subject: Re: [ovirt-users] Can not configure with simple LDAP.
Hi, Alon,
I modified ovirt-engine.xml.in and restarted ovirt-engine.
Attached is the modified ovirt-engine.xml.in.
The engine.log outputs are the following (unfortunately it became the same result):
-----
2014-09-22 19:48:11,245 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand]
(ajp--127.0.0.1-8702-2) Cant login user "Fumihide" with authentication
profile "rxc05271.com" because the authentication failed.
2014-09-22 19:48:11,257 ERROR
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event
ID: -1, Message: User Fumihide cannot login, please verify the username and
password.
2014-09-22 19:48:11,265 ERROR
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event
ID: -1, Message: User Fumihide failed to log in.
2014-09-22 19:48:11,266 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand]
(ajp--127.0.0.1-8702-2) CanDoAction of action LoginUser failed.
Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
-----
As a cause of the OpenLDAP user login failure,
I suspect that my OpenLDAP password encryption method setting does not match
what oVirt expects.
Is there any method to verify?
Thanks,
(2014/09/22 19:15), Alon Bar-Lev wrote:
> You need to add the following:
>
> + <logger category="org.ovirt.engineextensions.aaa.ldap">
> + <level name="FINEST"/>
> + </logger>
> <logger category="org.ovirt.engine.core.bll">
>
> Look at the + lines, please add these (without the +) just before: <logger
> category="org.ovirt.engine.core.bll">
>
> Thanks!
>
> ----- Original Message -----
>> From: "Fumihide Tani" <RXC05271(a)nifty.com>
>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>> Cc: users(a)ovirt.org
>> Sent: Monday, September 22, 2014 1:10:57 PM
>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>>
>> (2014/09/22 15:00), Alon Bar-Lev wrote:
>>> ----- Original Message -----
>>>> From: "Fumihide Tani" <RXC05271(a)nifty.com>
>>>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>>> Cc: users(a)ovirt.org
>>>> Sent: Monday, September 22, 2014 4:16:17 AM
>>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>>>>
>>>> (2014/09/22 0:16), Alon Bar-Lev wrote:
>>>>> ----- Original Message -----
>>>>>> From: "Fumihide Tani" <RXC05271(a)nifty.com>
>>>>>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>>>>> Cc: users(a)ovirt.org
>>>>>> Sent: Sunday, September 21, 2014 6:00:48 PM
>>>>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>>>>>>
>>>>>> Hi, Alon,
>>>>>>
>>>>>> Following Alon's advice, I added the authz-company.properties file to the
>>>>>> configuration directory.
>>>>>> Then OpenLDAP users could be searched from the oVirt Web Admin, and I could add
>>>>>> its users to the portal successfully.
>>>>>>
>>>>>> But I have another problem.
>>>>>> These OpenLDAP users that I added cannot log in to the oVirt web user portal.
>>>>>>
>>>>>> User Name: Fumihide (This is shown on the Web Admin Portal "Users" tab as "First Name")
>>>>>> Password: (I specified it as OpenLDAP's userPassword for "Fumihide")
>>>>>> Domain: rxc05271.com (I selected it instead of "internal")
>>>>>>
>>>>>> ?
>>>>> 1. What error do you get at ui?
>>>> "The user name or password is incorrect."
>>>>
>>>>> 2. Please look at engine.log while attempting to login, if you see
>>>>> something helpful.
>>>> 2014-09-22 09:53:27,669 INFO
>>>> [org.ovirt.engine.core.bll.aaa.LoginBaseCommand]
>>>> (ajp--127.0.0.1-8702-2) Cant login user "Fumihide" with authentication
>>>> profile "rxc05271.com" because the authentication failed.
>>>> 2014-09-22 09:53:27,685 ERROR
>>>> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>>>> (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom
>>>> Event
>>>> ID: -1, Message: User Fumihide cannot login, please verify the username
>>>> and
>>>> password.
>>>> 2014-09-22 09:53:27,693 ERROR
>>>> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>>>> (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom
>>>> Event
>>>> ID: -1, Message: User Fumihide failed to log in.
>>>> 2014-09-22 09:53:27,693 WARN
>>>> [org.ovirt.engine.core.bll.aaa.LoginUserCommand]
>>>> (ajp--127.0.0.1-8702-2) CanDoAction of action LoginUser failed.
>>>> Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
>>>>
>>>>> 3. Please make sure that the following is a success:
>>>>> $ ldapsearch -h <HOST> -x -W -D <LOGIN_USER_DN> -b <BASE_DN> uid=<LOGIN_NAME>
>>>> [root@ovirt ~]# ldapsearch -H ldapi:/// -x -W -D
>>>> "uid=tani,ou=Users,dc=rxc05271,dc=com" -b 'dc=rxc05271,dc=com' -x
>>>> '(uid=tani)'
>>>> Enter LDAP Password:
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base <dc=rxc05271,dc=com> with scope subtree
>>>> # filter: (uid=tani)
>>>> # requesting: ALL
>>>> #
>>>>
>>>> # tani, Users, rxc05271.com
>>>> dn: uid=tani,ou=Users,dc=rxc05271,dc=com
>>>> objectClass: inetOrgPerson
>>>> objectClass: uidObject
>>>> uid: tani
>>>> cn: Fumihide Tani
>>>> givenName: Fumihide
>>>> mail: tani(a)rxc05271.com
>>>> sn: Tani
>>>> userPassword:: a3VtaXRhbg==
>>>>
>>>> # search result
>>>> search: 2
>>>> result: 0 Success
>>>>
>>>> # numResponses: 2
>>>> # numEntries: 1
>>>> [root@ovirt ~]#
>>>>
>>>>> 4. If working please modify
>>>>> /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in
>>>>> ---
>>>>> <file-handler name="ENGINE" autoflush="true">
>>>>> - <level name="INFO"/>
>>>>> - <level name="FINEST"/>
>>>>> <snip>
>>>>> + <logger category="org.ovirt.engineextensions.aaa.ldap">
>>>>> + <level name="FINEST"/>
>>>>> + </logger>
>>>>> <logger category="org.ovirt.engine.core.bll">
>>>>> ---
>>>>> Restart engine, attempt login, send me the output.
>>>> 2014-09-22 10:03:57,517 INFO
>>>> [org.ovirt.engine.core.bll.aaa.LoginBaseCommand]
>>>> (ajp--127.0.0.1-8702-7) Cant login user "Fumihide" with authentication
>>>> profile "rxc05271.com" because the authentication failed.
>>>> 2014-09-22 10:03:57,534 ERROR
>>>> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>>>> (ajp--127.0.0.1-8702-7) Correlation ID: null, Call Stack: null, Custom
>>>> Event
>>>> ID: -1, Message: User Fumihide cannot login, please verify the username
>>>> and
>>>> password.
>>>> 2014-09-22 10:03:57,545 ERROR
>>>> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>>>> (ajp--127.0.0.1-8702-7) Correlation ID: null, Call Stack: null, Custom
>>>> Event
>>>> ID: -1, Message: User Fumihide failed to log in.
>>>> 2014-09-22 10:03:57,545 WARN
>>>> [org.ovirt.engine.core.bll.aaa.LoginUserCommand]
>>>> (ajp--127.0.0.1-8702-7) CanDoAction of action LoginUser failed.
>>>> Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
>>>>
>>>> (Is the logger level not changed to FINEST? The output is the same as above.)
>>>>
>>> I had a mistake above... the file-handler level should be set to finest.
>>>
>>> <file-handler name="ENGINE" autoflush="true">
>>> <level name="FINEST"/>
>>>
>>> can you confirm?
>>> or best send me the engine.xml.in file and I can see what's wrong.
>>>
>>> thanks!
>> I set the file-handler's level name to "FINEST", but the outputs are the same as
>> before.
>> I attached the ovirt-engine.xml.in
>>
>> Regards,
>>
>>>
>>>> Thanks,
>>>> Fumihide Tani
>>>>
>>>>
>>>>>> Please advise me; I would be so thankful.
>>>>>>
>>>>>> Fumihide Tani
>>>>>>
>>>>>>
>>>>>> (2014/09/21 17:13), Alon Bar-Lev wrote:
>>>>>>> ----- Original Message -----
>>>>>>>> From: "Fumihide Tani" <RXC05271(a)nifty.com>
>>>>>>>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>>>>>>> Cc: users(a)ovirt.org
>>>>>>>> Sent: Sunday, September 21, 2014 11:11:11 AM
>>>>>>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>>>>>>>>
>>>>>>>> Hi, Alon
>>>>>>>>
>>>>>>>> Many thanks for your help.
>>>>>>>> My problem was solved and the AAA is working now.
>>>>>>>> I could add LDAP user. :)
>>>>>>> Great.
>>>>>>> Can you please send me a patch or modified README to make it better?
>>>>>>>
>>>>>>> Alon
>>>>>>>
>>>>>>>> Fumihide Tani
>>>>>>>>
>>>>>>>> (2014/09/21 16:19), Alon Bar-Lev wrote:
>>>>>>>>> ----- Original Message -----
>>>>>>>>>> From: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>>>>>>>>> To: "Fumihide Tani" <RXC05271(a)nifty.com>
>>>>>>>>>> Cc: users(a)ovirt.org
>>>>>>>>>> Sent: Sunday, September 21, 2014 10:19:11 AM
>>>>>>>>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> You need to create an authz extension as well (authz-company).
>>>>>>>>>> The configuration you provided is establishing authentication only (authn),
>>>>>>>>>> which refers to authz-company, but you did not add it.
>>>>>>>>>>
>>>>>>>>>> The terms are:
>>>>>>>>>> 1. authn - who the user is.
>>>>>>>>>> 2. authz - what user is permitted.
>>>>>>>>>> 3. profile - combination of the two.
>>>>>>>>>>
>>>>>>>>>> -----------------------------
>>>>>>>>>> # vi /etc/ovirt-engine/extensions.d/authz-company.properties
>>>>>>>>>> ovirt.engine.extension.name = authz-company
>>>>>>>>>> ovirt.engine.extension.bindings.method = jbossmodule
>>>>>>>>>> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>>>>>>>>>> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
>>>>>>>>> Sorry:
>>>>>>>>> org.ovirt.engineextensions.aaa.ldap.AuthzExtension
>>>>>>>>>> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
>>>>>>>>>> config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
>>>>>>>>>> --------------------------------------------------
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Alon
>>>>
>>
>
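As an added example (not code from this thread or from the oVirt project), here is a small Python checker for the three points Alon raises at the top of the thread: stray CRLF line endings in ovirt-engine.xml.in, the level of the ENGINE file-handler, and whether the org.ovirt.engineextensions.aaa.ldap logger exists at FINEST. The sample XML inside it is constructed to mirror only the elements quoted in the thread, not the real file's full layout.

```python
"""Check an ovirt-engine.xml.in logging fragment for the settings discussed in the
thread (ENGINE file-handler level, aaa.ldap logger, stray CRLF line endings)."""
import xml.etree.ElementTree as ET

LDAP_CATEGORY = "org.ovirt.engineextensions.aaa.ldap"


def _local(tag):
    """Drop any XML namespace so lookups work whatever xmlns the file declares."""
    return tag.rsplit("}", 1)[-1]


def _level(el):
    """Return the name attribute of the element's <level/> child, or None."""
    for child in el:
        if _local(child.tag) == "level":
            return child.get("name")
    return None


def check_logging_config(data: bytes) -> dict:
    """Report CRLF count, the ENGINE file-handler level and the aaa.ldap logger level."""
    findings = {"crlf_lines": data.count(b"\r\n"),
                "engine_handler_level": None, "ldap_logger_level": None}
    for el in ET.fromstring(data).iter():
        if _local(el.tag) == "file-handler" and el.get("name") == "ENGINE":
            findings["engine_handler_level"] = _level(el)
        elif _local(el.tag) == "logger" and el.get("category") == LDAP_CATEGORY:
            findings["ldap_logger_level"] = _level(el)
    return findings


def problems(findings: dict) -> list:
    """Translate findings into the fixes Alon suggests in the thread."""
    out = []
    if findings["crlf_lines"]:
        out.append("CRLF line endings present; run dos2unix on the file")
    if findings["engine_handler_level"] != "FINEST":
        out.append("file-handler ENGINE level should be FINEST")
    if findings["ldap_logger_level"] != "FINEST":
        out.append(f"logger {LDAP_CATEGORY} should exist with level FINEST")
    return out


# Constructed sample: the "before" state from the thread, saved with CRLF endings.
SAMPLE_BEFORE = b"\r\n".join([
    b"<subsystem>", b'  <file-handler name="ENGINE" autoflush="true">',
    b'    <level name="INFO"/>', b"  </file-handler>",
    b'  <logger category="org.ovirt.engine.core.bll">', b'    <level name="INFO"/>',
    b"  </logger>", b"</subsystem>", b""])
```

Run it against the real file with `problems(check_logging_config(open(path, "rb").read()))`; an empty list means all three settings are in the state the thread asks for.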