1:26 p.m.
Try giving your user system permissions as a superuser and see if it goes
away.
I wouldn't leave it like that, but it will help isolate your issue. I don't
think you have an ldap issue... the log entry is telling you that user has
no permissions
The user callum@Biomedical Research Computing is not authorized to
perform
login
On Mon, Jun 11, 2018 at 6:23 AM, Callum Smith <callum(a)well.ox.ac.uk> wrote:
Dear Donny,
No, though the user shows the permissions inherited from the Everyone
group:
Regards,
Callum
--
Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. callum(a)well.ox.ac.uk
On 11 Jun 2018, at 11:21, Donny Davis <donny(a)fortnebula.com> wrote:
Just a shot in the dark, but after you setup ldap did you go in as the
default admin and give an ldap account permissions?
On Mon, Jun 11, 2018 at 6:04 AM, Callum Smith <callum(a)well.ox.ac.uk>
wrote:
> Dear All,
>
> Could this be as our LDAP is fairly short on attributes?
>
> 2018-06-11 11:00:52,856+01 INFO
[org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand]
> (default task-5) [5dff9eb0] Running command: CreateUserSessionCommand
> internal: false.
> 2018-06-11 11:00:52,884+01 ERROR [org.ovirt.engine.core.dal.dbb
> roker.auditloghandling.AuditLogDirector] (default task-5) [5dff9eb0]
> EVENT_ID: USER_VDC_LOGIN_FAILED(114), User callum@Biomedical Research
> Computing connecting from '--ipaddr--' failed to log in<UNKNOWN>.
> 2018-06-11 11:00:52,884+01 ERROR
[org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet]
> (default task-5) [] The user callum@Biomedical Research Computing is not
> authorized to perform login
>
> I note that a number of variables are included in this action, but which
> are required and which are optional is the question:
>
> https://github.com/oVirt/ovirt-engine/blob/master/backend/
> manager/modules/aaa/src/main/java/org/ovirt/engine/core/
> aaa/servlet/SsoPostLoginServlet.java#L88
>
> Regards,
> Callum
>
> --
>
> Callum Smith
> Research Computing Core
> Wellcome Trust Centre for Human Genetics
> University of Oxford
> e. callum(a)well.ox.ac.uk
>
> On 11 Jun 2018, at 09:35, Callum Smith <callum(a)well.ox.ac.uk> wrote:
>
> What would be the next step to help solve this issue? All users
> authenticating through LDAP get "This user is not authorised to perform
> authentication".
>
> Regards,
> Callum
>
> --
>
> Callum Smith
> Research Computing Core
> Wellcome Trust Centre for Human Genetics
> University of Oxford
> e. callum(a)well.ox.ac.uk
>
> On 5 Jun 2018, at 11:42, Callum Smith <callum(a)well.ox.ac.uk> wrote:
>
> Ok I spoke too soon, I have resolved the groups, but authentication still
> isn't working for LDAP users, same error as before (114).
>
> Regards,
> Callum
>
> --
>
> Callum Smith
> Research Computing Core
> Wellcome Trust Centre for Human Genetics
> University of Oxford
> e. callum(a)well.ox.ac.uk
>
> On 5 Jun 2018, at 10:14, Callum Smith <callum(a)well.ox.ac.uk> wrote:
>
> Dear Ondra, all,
>
> Managed to solve this once i got my head around the properties file.
> Conceptually the problem is that users are typically not a member of their
> primary group in a POSIX scenario, and their primary group is set by the
> gidNumber of the user's record, with additional group memberships specified
> by memberUid entries against a posixGroup entry.
>
> search.rfc2307-resolve-groups-memberUid.search-request.filter =
> &(objectClass=posixGroup)(|(memberUid=${seq:_rfc2307_uid_enc
> oded})(gidNumber=${seq:_rfc2307_gid_encoded}))
>
> search.rfc2307-resolve-principal-uid.search-request.attributes = uid,
> gidNumber
>
> sequence.bmrc-resolve-groups.010.description = set dn
> sequence.bmrc-resolve-groups.010.type = var-set
> sequence.bmrc-resolve-groups.010.var-set.variable = _rfc2307_dn
> sequence.bmrc-resolve-groups.010.var-set.value = ${seq:dn}
> sequence.bmrc-resolve-groups.010.description = resolve uid
> sequence.bmrc-resolve-groups.020.type = fetch-record
> sequence.bmrc-resolve-groups.020.fetch-record.search =
> rfc2307-resolve-principal-uid
> sequence.bmrc-resolve-groups.020.fetch-record.map.uid.name = _rfc2307_uid
> sequence.bmrc-resolve-groups.030.description = resolve gid
> sequence.bmrc-resolve-groups.030.type = fetch-record
> sequence.bmrc-resolve-groups.030.fetch-record.search =
> rfc2307-resolve-principal-uid
> sequence.bmrc-resolve-groups.030.fetch-record.map.gidNumber.name
> <http://sequence.bmrc-resolve-groups.030.fetch-record.map.gidnumber.name/>
> = _rfc2307_gid
> sequence.bmrc-resolve-groups.040.description = query groups
> sequence.bmrc-resolve-groups.040.type = search-open
> sequence.bmrc-resolve-groups.040.search-open.search =
> rfc2307-resolve-groups-memberUid
> sequence.bmrc-resolve-groups.040.search-open.variable =
> queryRFC2307ByMemberUid
>
> sequence.rfc2307-resolve-groups.020.call.name = bmrc-resolve-groups
>
>
> Regards,
> Callum
>
> --
>
> Callum Smith
> Research Computing Core
> Wellcome Trust Centre for Human Genetics
> University of Oxford
> e. callum(a)well.ox.ac.uk
>
> On 4 Jun 2018, at 15:07, Callum Smith <callum(a)well.ox.ac.uk> wrote:
>
> Dear Ondra,
>
> I went for openldap-rfc2307 as that best describes our ldap setup. The
> issue seems to be that the gidNumber is set, but users are not a member of
> their primary group within the LDAP. So, user's gidNumber represents
> primary group and posixGroup membership (memberUid) represents their
> secondary groups. What's the best way to approach this (fix the filters on
> oVirt end or change the LDAP? This is a question of what is most compliant
> with standards really).
>
> Regards,
> Callum
>
> --
>
> Callum Smith
> Research Computing Core
> Wellcome Trust Centre for Human Genetics
> University of Oxford
> e. callum(a)well.ox.ac.uk
>
> On 29 May 2018, at 11:29, Ondra Machacek <omachace(a)redhat.com> wrote:
>
> What's you LDAP and what profile did you choose? This looks like you have
> chosen incorect profile during setup. Are you sure you arent using posix
> group and using non-posix aaa profile? Sharing a debug log of
> ovirt-engine-extensions-tool would be helpfull.
>
>
> On Fri, May 25, 2018, 10:04 AM Callum Smith <callum(a)well.ox.ac.uk> wrote:
>
>> Dear All,
>>
>> I'm having problems getting LDAP running, login works, but I'm getting
>> "user is not authorised to perform login" - this is even if i specify
the
>> UserRole specifically to the LDAP group the user is in.
>>
>> 2018-05-25 08:56:16,212+01 INFO
[org.ovirt.engine.core.sso.utils.AuthenticationUtils]
>> (default task-23) [] User callum@Biomedical Research Computing
>> successfully logged in with scopes: ovirt-app-admin ovirt-app-api
>> ovirt-app-portal ovirt-ext=auth:sequence-priority=~
>> ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search
>> ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate
>> ovirt-ext=token:password-access
>> 2018-05-25 08:56:16,391+01 INFO
[org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand]
>> (default task-25) [63e60fe9] Running command: CreateUserSessionCommand
>> internal: false.
>> 2018-05-25 08:56:16,430+01 ERROR [org.ovirt.engine.core.dal.dbb
>> roker.auditloghandling.AuditLogDirector] (default task-25) [63e60fe9]
>> EVENT_ID: USER_VDC_LOGIN_FAILED(114), User callum@Biomedical Research
>> Computing connecting from '192.168.65.254' failed to log
in<UNKNOWN>.
>> 2018-05-25 08:56:16,430+01 ERROR
[org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet]
>> (default task-25) [] The user callum@Biomedical Research Computing is
>> not authorized to perform login
>>
>>
>> on a side note: is it possible to assign permissions to all members of
>> an LDAP tree where they dont have a common group membership?
>>
>> Regards,
>> Callum
>>
>> --
>>
>> Callum Smith
>> Research Computing Core
>> Wellcome Trust Centre for Human Genetics
>> University of Oxford
>> e. callum(a)well.ox.ac.uk
>>
>> _______________________________________________
>> Users mailing list -- users(a)ovirt.org
>> To unsubscribe send an email to users-leave(a)ovirt.org
>>
>
> _______________________________________________
> Users mailing list -- users(a)ovirt.org
> To unsubscribe send an email to users-leave(a)ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct: https://www.ovirt.org/communit
> y/about/community-guidelines/
> List Archives: https://lists.ovirt.org/archiv
> es/list/users(a)ovirt.org/message/NAEUHLW3YMYAP6L44RRS5MCLRU2OTXPZ/
>
>
> _______________________________________________
> Users mailing list -- users(a)ovirt.org
> To unsubscribe send an email to users-leave(a)ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct: https://www.ovirt.org/communit
> y/about/community-guidelines/
> List Archives: https://lists.ovirt.org/archiv
> es/list/users(a)ovirt.org/message/2WR4PGLW4Z4PM2UOVN4YZUJHSBRYVMOJ/
>
>
> _______________________________________________
> Users mailing list -- users(a)ovirt.org
> To unsubscribe send an email to users-leave(a)ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct: https://www.ovirt.org/communit
> y/about/community-guidelines/
> List Archives: https://lists.ovirt.org/archiv
> es/list/users(a)ovirt.org/message/O7DLMLFEBHLNCE2VCCCNNOXXGGERKAKZ/
>
>
> _______________________________________________
> Users mailing list -- users(a)ovirt.org
> To unsubscribe send an email to users-leave(a)ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct: https://www.ovirt.org/communit
> y/about/community-guidelines/
> List Archives: https://lists.ovirt.org/archiv
> es/list/users(a)ovirt.org/message/BNZ5KRXOYYRFZCQIQQU6IJVDNNBDVZSF/
>
>
>
> _______________________________________________
> Users mailing list -- users(a)ovirt.org
> To unsubscribe send an email to users-leave(a)ovirt.org
> Privacy Statement: https://www.ovirt.org/site/privacy-policy/
> oVirt Code of Conduct: https://www.ovirt.org/communit
> y/about/community-guidelines/
> List Archives: https://lists.ovirt.org/archiv
> es/list/users(a)ovirt.org/message/EOWAPL6ZQE63S3732NQRH5YVJC26CQDR/
>
>
