[ovirt-users] Re: LDAP Authentication issues

Yes, in process of trying to fix/identify things - need to undo this. Regards, Callum -- Callum Smith Research Computing Core Wellcome Trust Centre for Human Genetics University of Oxford e. callum(a)well.ox.ac.uk On 11 Jun 2018, at 11:48, Donny Davis <donny(a)fortnebula.com&gt; wrote: did you add system permissions to the everyone group? On Mon, Jun 11, 2018 at 6:42 AM, Callum Smith <callum(a)well.ox.ac.uk&gt; wrote: > Happy for you to link me a guide, googlefu is failing me. > > How do i get around this "It's not allowed to remove system permissions > assigned to built-in Everyone group" - to remove permissions erroneously > added. > > Regards, > Callum > > -- > > Callum Smith > Research Computing Core > Wellcome Trust Centre for Human Genetics > University of Oxford > e. callum(a)well.ox.ac.uk > > On 11 Jun 2018, at 11:38, Donny Davis <donny(a)fortnebula.com&gt; wrote: > > You can create a profile that has the proper permissions to allow what > you are looking for, and then assign that profile to the groups you wish. > I wrote a post on this quite a while back on how to setup oVirt to appear > to be multi-tenant. > > Happy to see you don't have an ldap issue :) > > >This will be a problem for us to now create group permissions for all > 100+ groups since Everyone === No-one. -sigh- > > > On Mon, Jun 11, 2018 at 6:34 AM, Callum Smith <callum(a)well.ox.ac.uk&gt; > wrote: > >> Ah, this appears to be an issue with the proxy - setting up the spice >> proxy as indicated in the guides is causing this issue, and likely will >> need support. >> >> https://www.ovirt.org/documentation/admin-guide/chap-Proxies/ >> >> Regards, >> Callum >> >> -- >> >> Callum Smith >> Research Computing Core >> Wellcome Trust Centre for Human Genetics >> University of Oxford >> e. callum(a)well.ox.ac.uk >> >> On 11 Jun 2018, at 11:29, Callum Smith <callum(a)well.ox.ac.uk&gt; wrote: >> >> Ok, the user now logs in! This will be a problem for us to now create >> group permissions for all 100+ groups since Everyone === No-one. -sigh- >> >> A new issue, when in the VM portal as the LDAP user, i get HTTP basic >> auth login prompts, and a "Authorization expired" error, then a page >> reload. Nothing in the logs seem to indicate an issue. >> >> Regards, >> Callum >> >> -- >> >> Callum Smith >> Research Computing Core >> Wellcome Trust Centre for Human Genetics >> University of Oxford >> e. callum(a)well.ox.ac.uk >> >> On 11 Jun 2018, at 11:26, Donny Davis <donny(a)fortnebula.com&gt; wrote: >> >> Try giving your user system permissions as a superuser and see if it >> goes away. >> >> I wouldn't leave it like that, but it will help isolate your issue. I >> don't think you have an ldap issue... the log entry is telling you that >> user has no permissions >> >The user callum@Biomedical Research Computing is not authorized to >> perform login >> >> On Mon, Jun 11, 2018 at 6:23 AM, Callum Smith <callum(a)well.ox.ac.uk&gt; >> wrote: >> >>> Dear Donny, >>> >>> No, though the user shows the permissions inherited from the Everyone >>> group: >>> <Screen Shot 2018-06-11 at 11.22.42.png> >>> Regards, >>> Callum >>> >>> -- >>> >>> Callum Smith >>> Research Computing Core >>> Wellcome Trust Centre for Human Genetics >>> University of Oxford >>> e. callum(a)well.ox.ac.uk >>> >>> On 11 Jun 2018, at 11:21, Donny Davis <donny(a)fortnebula.com&gt; wrote: >>> >>> Just a shot in the dark, but after you setup ldap did you go in as the >>> default admin and give an ldap account permissions? >>> >>> On Mon, Jun 11, 2018 at 6:04 AM, Callum Smith <callum(a)well.ox.ac.uk&gt; >>> wrote: >>> >>>> Dear All, >>>> >>>> Could this be as our LDAP is fairly short on attributes? >>>> >>>> 2018-06-11 11:00:52,856+01 INFO [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] >>>> (default task-5) [5dff9eb0] Running command: CreateUserSessionCommand >>>> internal: false. >>>> 2018-06-11 11:00:52,884+01 ERROR [org.ovirt.engine.core.dal.dbb >>>> roker.auditloghandling.AuditLogDirector] (default task-5) [5dff9eb0] >>>> EVENT_ID: USER_VDC_LOGIN_FAILED(114), User callum@Biomedical Research >>>> Computing connecting from '--ipaddr--' failed to log in<UNKNOWN>. >>>> 2018-06-11 11:00:52,884+01 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] >>>> (default task-5) [] The user callum@Biomedical Research Computing is >>>> not authorized to perform login >>>> >>>> I note that a number of variables are included in this action, but >>>> which are required and which are optional is the question: >>>> >>>> https://github.com/oVirt/ovirt-engine/blob/master/backend/ma >>>> nager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/se >>>> rvlet/SsoPostLoginServlet.java#L88 >>>> >>>> Regards, >>>> Callum >>>> >>>> -- >>>> >>>> Callum Smith >>>> Research Computing Core >>>> Wellcome Trust Centre for Human Genetics >>>> University of Oxford >>>> e. callum(a)well.ox.ac.uk >>>> >>>> On 11 Jun 2018, at 09:35, Callum Smith <callum(a)well.ox.ac.uk&gt; wrote: >>>> >>>> What would be the next step to help solve this issue? All users >>>> authenticating through LDAP get "This user is not authorised to perform >>>> authentication". >>>> >>>> Regards, >>>> Callum >>>> >>>> -- >>>> >>>> Callum Smith >>>> Research Computing Core >>>> Wellcome Trust Centre for Human Genetics >>>> University of Oxford >>>> e. callum(a)well.ox.ac.uk >>>> >>>> On 5 Jun 2018, at 11:42, Callum Smith <callum(a)well.ox.ac.uk&gt; wrote: >>>> >>>> Ok I spoke too soon, I have resolved the groups, but authentication >>>> still isn't working for LDAP users, same error as before (114). >>>> >>>> Regards, >>>> Callum >>>> >>>> -- >>>> >>>> Callum Smith >>>> Research Computing Core >>>> Wellcome Trust Centre for Human Genetics >>>> University of Oxford >>>> e. callum(a)well.ox.ac.uk >>>> >>>> On 5 Jun 2018, at 10:14, Callum Smith <callum(a)well.ox.ac.uk&gt; wrote: >>>> >>>> Dear Ondra, all, >>>> >>>> Managed to solve this once i got my head around the properties file. >>>> Conceptually the problem is that users are typically not a member of their >>>> primary group in a POSIX scenario, and their primary group is set by the >>>> gidNumber of the user's record, with additional group memberships specified >>>> by memberUid entries against a posixGroup entry. >>>> >>>> search.rfc2307-resolve-groups-memberUid.search-request.filter = >>>> &(objectClass=posixGroup)(|(memberUid=${seq:_rfc2307_uid_enc >>>> oded})(gidNumber=${seq:_rfc2307_gid_encoded})) >>>> >>>> search.rfc2307-resolve-principal-uid.search-request.attributes = uid, >>>> gidNumber >>>> >>>> sequence.bmrc-resolve-groups.010.description = set dn >>>> sequence.bmrc-resolve-groups.010.type = var-set >>>> sequence.bmrc-resolve-groups.010.var-set.variable = _rfc2307_dn >>>> sequence.bmrc-resolve-groups.010.var-set.value = ${seq:dn} >>>> sequence.bmrc-resolve-groups.010.description = resolve uid >>>> sequence.bmrc-resolve-groups.020.type = fetch-record >>>> sequence.bmrc-resolve-groups.020.fetch-record.search = >>>> rfc2307-resolve-principal-uid >>>> sequence.bmrc-resolve-groups.020.fetch-record.map.uid.name = >>>> _rfc2307_uid >>>> sequence.bmrc-resolve-groups.030.description = resolve gid >>>> sequence.bmrc-resolve-groups.030.type = fetch-record >>>> sequence.bmrc-resolve-groups.030.fetch-record.search = >>>> rfc2307-resolve-principal-uid >>>> sequence.bmrc-resolve-groups.030.fetch-record.map.gidNumber.name >>>> <http://sequence.bmrc-resolve-groups.030.fetch-record.map.gidnumber.name/> >>>> = _rfc2307_gid >>>> sequence.bmrc-resolve-groups.040.description = query groups >>>> sequence.bmrc-resolve-groups.040.type = search-open >>>> sequence.bmrc-resolve-groups.040.search-open.search = >>>> rfc2307-resolve-groups-memberUid >>>> sequence.bmrc-resolve-groups.040.search-open.variable = >>>> queryRFC2307ByMemberUid >>>> >>>> sequence.rfc2307-resolve-groups.020.call.name = bmrc-resolve-groups >>>> >>>> >>>> Regards, >>>> Callum >>>> >>>> -- >>>> >>>> Callum Smith >>>> Research Computing Core >>>> Wellcome Trust Centre for Human Genetics >>>> University of Oxford >>>> e. callum(a)well.ox.ac.uk >>>> >>>> On 4 Jun 2018, at 15:07, Callum Smith <callum(a)well.ox.ac.uk&gt; wrote: >>>> >>>> Dear Ondra, >>>> >>>> I went for openldap-rfc2307 as that best describes our ldap setup. The >>>> issue seems to be that the gidNumber is set, but users are not a member of >>>> their primary group within the LDAP. So, user's gidNumber represents >>>> primary group and posixGroup membership (memberUid) represents their >>>> secondary groups. What's the best way to approach this (fix the filters on >>>> oVirt end or change the LDAP? This is a question of what is most compliant >>>> with standards really). >>>> >>>> Regards, >>>> Callum >>>> >>>> -- >>>> >>>> Callum Smith >>>> Research Computing Core >>>> Wellcome Trust Centre for Human Genetics >>>> University of Oxford >>>> e. callum(a)well.ox.ac.uk >>>> >>>> On 29 May 2018, at 11:29, Ondra Machacek <omachace(a)redhat.com&gt; wrote: >>>> >>>> What's you LDAP and what profile did you choose? This looks like you >>>> have chosen incorect profile during setup. Are you sure you arent using >>>> posix group and using non-posix aaa profile? Sharing a debug log of >>>> ovirt-engine-extensions-tool would be helpfull. >>>> >>>> >>>> On Fri, May 25, 2018, 10:04 AM Callum Smith <callum(a)well.ox.ac.uk&gt; >>>> wrote: >>>> >>>>> Dear All, >>>>> >>>>> I'm having problems getting LDAP running, login works, but I'm >>>>> getting "user is not authorised to perform login" - this is even if i >>>>> specify the UserRole specifically to the LDAP group the user is in. >>>>> >>>>> 2018-05-25 08:56:16,212+01 INFO [org.ovirt.engine.core.sso.utils.AuthenticationUtils] >>>>> (default task-23) [] User callum@Biomedical Research Computing >>>>> successfully logged in with scopes: ovirt-app-admin ovirt-app-api >>>>> ovirt-app-portal ovirt-ext=auth:sequence-priority=~ >>>>> ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search >>>>> ovirt-ext=token-info:public-authz-search >>>>> ovirt-ext=token-info:validate ovirt-ext=token:password-access >>>>> 2018-05-25 08:56:16,391+01 INFO [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] >>>>> (default task-25) [63e60fe9] Running command: CreateUserSessionCommand >>>>> internal: false. >>>>> 2018-05-25 08:56:16,430+01 ERROR [org.ovirt.engine.core.dal.dbb >>>>> roker.auditloghandling.AuditLogDirector] (default task-25) >>>>> [63e60fe9] EVENT_ID: USER_VDC_LOGIN_FAILED(114), User callum@Biomedical >>>>> Research Computing connecting from '192.168.65.254' failed to log >>>>> in<UNKNOWN>. >>>>> 2018-05-25 08:56:16,430+01 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] >>>>> (default task-25) [] The user callum@Biomedical Research Computing >>>>> is not authorized to perform login >>>>> >>>>> >>>>> on a side note: is it possible to assign permissions to all members >>>>> of an LDAP tree where they dont have a common group membership? >>>>> >>>>> Regards, >>>>> Callum >>>>> >>>>> -- >>>>> >>>>> Callum Smith >>>>> Research Computing Core >>>>> Wellcome Trust Centre for Human Genetics >>>>> University of Oxford >>>>> e. callum(a)well.ox.ac.uk >>>>> >>>>> _______________________________________________ >>>>> Users mailing list -- users(a)ovirt.org >>>>> To unsubscribe send an email to users-leave(a)ovirt.org >>>>> >>>> >>>> _______________________________________________ >>>> Users mailing list -- users(a)ovirt.org >>>> To unsubscribe send an email to users-leave(a)ovirt.org >>>> Privacy Statement: https://www.ovirt.org/site/privacy-policy/ >>>> oVirt Code of Conduct: https://www.ovirt.org/communit >>>> y/about/community-guidelines/ >>>> List Archives: https://lists.ovirt.org/archiv >>>> es/list/users(a)ovirt.org/message/NAEUHLW3YMYAP6L44RRS5MCLRU2OTXPZ/ >>>> >>>> >>>> _______________________________________________ >>>> Users mailing list -- users(a)ovirt.org >>>> To unsubscribe send an email to users-leave(a)ovirt.org >>>> Privacy Statement: https://www.ovirt.org/site/privacy-policy/ >>>> oVirt Code of Conduct: https://www.ovirt.org/communit >>>> y/about/community-guidelines/ >>>> List Archives: https://lists.ovirt.org/archiv >>>> es/list/users(a)ovirt.org/message/2WR4PGLW4Z4PM2UOVN4YZUJHSBRYVMOJ/ >>>> >>>> >>>> _______________________________________________ >>>> Users mailing list -- users(a)ovirt.org >>>> To unsubscribe send an email to users-leave(a)ovirt.org >>>> Privacy Statement: https://www.ovirt.org/site/privacy-policy/ >>>> oVirt Code of Conduct: https://www.ovirt.org/communit >>>> y/about/community-guidelines/ >>>> List Archives: https://lists.ovirt.org/archiv >>>> es/list/users(a)ovirt.org/message/O7DLMLFEBHLNCE2VCCCNNOXXGGERKAKZ/ >>>> >>>> >>>> _______________________________________________ >>>> Users mailing list -- users(a)ovirt.org >>>> To unsubscribe send an email to users-leave(a)ovirt.org >>>> Privacy Statement: https://www.ovirt.org/site/privacy-policy/ >>>> oVirt Code of Conduct: https://www.ovirt.org/communit >>>> y/about/community-guidelines/ >>>> List Archives: https://lists.ovirt.org/archiv >>>> es/list/users(a)ovirt.org/message/BNZ5KRXOYYRFZCQIQQU6IJVDNNBDVZSF/ >>>> >>>> >>>> >>>> _______________________________________________ >>>> Users mailing list -- users(a)ovirt.org >>>> To unsubscribe send an email to users-leave(a)ovirt.org >>>> Privacy Statement: https://www.ovirt.org/site/privacy-policy/ >>>> oVirt Code of Conduct: https://www.ovirt.org/communit >>>> y/about/community-guidelines/ >>>> List Archives: https://lists.ovirt.org/archiv >>>> es/list/users(a)ovirt.org/message/EOWAPL6ZQE63S3732NQRH5YVJC26CQDR/ >>>> >>>> >>> >>> >> >> >> > >