From: Richard Neuboeck <hawk@tbi.univie.ac.at>
To: users <users@ovirt.org>
Subject: Re: [ovirt-users] Unable to add permissions for LDAP users

On 03/10/2017 09:46 AM, Ondra Machacek wrote:
> So what's your provider 389ds or FreeIPA?
>
> Note that both use different unique ID. IPA is using 'ipaUniqueID', and
> 389ds is using 'nsuniqueid'. Did you try both?

Thanks for pointing that out! It works perfectly if I use IPA. I didn't
know they have different identifiers (though it might have been obvious
to me since there is a separate IPA option...). I clung to the thought
that FreeIPA uses 389ds internally.

Thanks a lot!
Richard

> I can successfully run a search and also login from the setup script.
>
> After running the setup I rebooted the Engine VM to make sure everything
> is restarted.
>
> In the web UI configuration for 'System Permissions' I'm able to find
> users from LDAP but when I try to 'Add' a selected user the UI shows me
> this error: 'User admin@internal-authz failed to grant permission for
> Role SuperUser on System to User/Group <UNKNOWN>.'.
>
> In the engine.log the following lines are generated:
>
> 2017-03-09 14:02:49,308+01 INFO [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-6-thread-4) [1ebae5e0-e5f6-49ba-ac80-95266c582893] Running command: AddSystemPermissionCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group MANIPULATE_PERMISSIONS with role type USER, ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group ADD_USERS_AND_GROUPS_FROM_DIRECTORY with role type USER
> 2017-03-09 14:02:49,319+01 ERROR [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-6-thread-4) [1ebae5e0-e5f6-49ba-ac80-95266c582893] Transaction rolled-back for command 'org.ovirt.engine.core.bll.AddSystemPermissionCommand'.
> 2017-03-09 14:02:49,328+01 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-6-thread-4) [1ebae5e0-e5f6-49ba-ac80-95266c582893] EVENT_ID: USER_ADD_SYSTEM_PERMISSION_FAILED(867), Correlation ID: 1ebae5e0-e5f6-49ba-ac80-95266c582893, Call Stack: null, Custom Event ID: -1, Message: User admin@internal-authz failed to grant permission for Role SuperUser on System to User/Group <UNKNOWN>.
>
> So far I've re-run the ldap-setup routine. I made sure all newly
> generated files in /etc/ovirt-engine/[aaa|extensions.d] are owned by
> ovirt:ovirt (instead of root) and have 0600 as permission (instead of
> 0644). That didn't change anything.
>
> I've also found an older bug report but for oVirt 3.5
> https://bugzilla.redhat.com/show_bug.cgi?id=1121954
> That didn't reveal anything new either.
>
> Any ideas what I could try next?
>
> Thanks!
> Cheers
> Richard
>
> On 10/06/2016 04:36 PM, Ondra Machacek wrote:
> > On 10/06/2016 01:47 PM, Michael Burch wrote:
> >> I'm using the latest ovirt on CentOS7 with the aaa-ldap extension. I can
> >> successfully authenticate as an LDAP user. I can also login as
> >> admin@internal and search for, find, and select LDAP users but I cannot
> >> add permissions for them. Each time I get the error "User
> >> admin@internal-authz failed to grant permission for Role UserRole on
> >> System to User/Group <UNKNOWN>."
> >
> > This error usually means bad unique attribute used.
> >
> >> I have no control over the LDAP server, which uses custom objectClasses
> >> and uses groupOfNames instead of PosixGroups. I assume I need to set
> >> sequence variables to accommodate our group configuration but I'm at a
> >> loss as to where to begin. The config I have is as follows:
> >>
> >> include = <rfc2307-generic.properties>
> >>
> >> vars.server = labauth.lan.lab.org
> >>
> >> pool.authz.auth.type = none
> >> pool.default.serverset.type = single
> >> pool.default.serverset.single.server = ${global:vars.server}
> >> pool.default.ssl.startTLS = true
> >> pool.default.ssl.insecure = true
> >>
> >> pool.default.connection-options.connectTimeoutMillis = 10000
> >> pool.default.connection-options.responseTimeoutMillis = 90000
> >> sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
> >> sequence.my-basedn-init-vars.010.description = set baseDN
> >> sequence.my-basedn-init-vars.010.type = var-set
> >> sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
> >> sequence.my-basedn-init-vars.010.var-set.value = o=LANLAB
> >>
> >> sequence-init.init.101-my-objectclass-init-vars = my-objectclass-init-vars
> >> sequence.my-objectclass-init-vars.020.description = set objectClass
> >> sequence.my-objectclass-init-vars.020.type = var-set
> >> sequence.my-objectclass-init-vars.020.var-set.variable = simple_filterUserObject
> >> sequence.my-objectclass-init-vars.020.var-set.value = (objectClass=labPerson)(uid=*)
> >>
> >> search.default.search-request.derefPolicy = NEVER
> >>
> >> sequence-init.init.900-local-init-vars = local-init-vars
> >> sequence.local-init-vars.010.description = override name space
> >> sequence.local-init-vars.010.type = var-set
> >> sequence.local-init-vars.010.var-set.variable = simple_namespaceDefault
> >> sequence.local-init-vars.010.var-set.value = *
> >
> > What's this^ for? I think it's unusable.
> >
> >> sequence.local-init-vars.020.description = apply filter to users
> >> sequence.local-init-vars.020.type = var-set
> >> sequence.local-init-vars.020.var-set.variable = simple_filterUserObject
> >> sequence.local-init-vars.020.var-set.value = ${seq:simple_filterUserObject}(employeeStatus=3)
> >>
> >> sequence.local-init-vars.030.description = apply filter to groups
> >> sequence.local-init-vars.030.type = var-set
> >> sequence.local-init-vars.030.var-set.variable = simple_filterGroupObject
> >> sequence.local-init-vars.030.var-set.value = (objectClass=groupOfUniqueNames)
> >
> > This looks like a hard to maintain file. I would suggest you insert
> > into this file just the following:
> >
> > include = <rfc2307-mycustom.properties>
> >
> > vars.server = labauth.lan.lab.org
> >
> > pool.authz.auth.type = none
> > pool.default.serverset.type = single
> > pool.default.serverset.single.server = ${global:vars.server}
> > pool.default.ssl.startTLS = true
> > pool.default.ssl.insecure = true
> >
> > pool.default.connection-options.connectTimeoutMillis = 10000
> > pool.default.connection-options.responseTimeoutMillis = 90000
> >
> > # Set custom base DN
> > sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
> > sequence.my-basedn-init-vars.010.description = set baseDN
> > sequence.my-basedn-init-vars.010.type = var-set
> > sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
> > sequence.my-basedn-init-vars.010.var-set.value = o=LANLAB
> >
> > And then create in directory
> > '/usr/share/ovirt-engine-extension-aaa-ldap/profiles/' file
> > 'rfc2307-mycustom.properties' with content:
> >
> > include = <rfc2307.properties>
> >
> > sequence-init.init.100-rfc2307-mycustom-init-vars = rfc2307-mycustom-init-vars
> > sequence.rfc2307-mycustom-init-vars.010.description = set unique attr
> > sequence.rfc2307-mycustom-init-vars.010.type = var-set
> > sequence.rfc2307-mycustom-init-vars.010.var-set.variable = rfc2307_attrsUniqueId
> > sequence.rfc2307-mycustom-init-vars.010.var-set.value = FIND_THIS_ONE
> >
> > sequence.rfc2307-mycustom-init-vars.020.type = var-set
> > sequence.rfc2307-mycustom-init-vars.020.var-set.variable = simple_filterUserObject
> > sequence.rfc2307-mycustom-init-vars.020.var-set.value = (objectClass=labPerson)(employeeStatus=3)(${seq:simple_attrsUserName}=*)
> >
> > The FIND_THIS_ONE replace with the unique attribute of labPerson (I
> > guess). It can be an extended attribute (+,++).
> >
> > $ LDAPTLS_REQCERT=never ldapsearch -ZZ -x -b 'o=LANLAB' -H ldap://labauth.lan.lab.org 'objectClass=labPerson'
> >
> > maybe (or even with two +):
> > $ LDAPTLS_REQCERT=never ldapsearch -ZZ -x -b 'o=LANLAB' -H ldap://labauth.lan.lab.org 'objectClass=labPerson' +
> >
> > The question is if even your implementation has unique attribute, does
> > it?
> >
> > Also may you share what's your LDAP provider? And maybe if you share
> > content of some user it would help as well.
> >
> >> _______________________________________________
> >> Users mailing list
> >> Users@ovirt.org
> >> http://lists.ovirt.org/mailman/listinfo/users
> >

-- 
/dev/null
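As an added example that is not part of this thread or of oVirt's own tooling: a small Python helper that takes the LDIF printed by the `ldapsearch ... '+'` command suggested above and reports, per entry, whether it carries ipaUniqueID (ipa profile) or nsuniqueid (389ds profile), so entries that would end up as User/Group <UNKNOWN> are visible before the engine is configured. The LDIF in it is constructed sample data, not a real directory dump.

```python
# Added example, not from the oVirt thread: parse LDIF as printed by
# `ldapsearch ... '+'` (operational attributes included) and report which
# unique-ID attribute each entry carries, so the right aaa-ldap profile can be
# chosen (ipaUniqueID -> ipa, nsuniqueid -> 389ds); neither means <UNKNOWN>.

UNIQUE_ID_CANDIDATES = {"ipauniqueid": "ipa", "nsuniqueid": "389ds"}

# Constructed sample LDIF, not a real directory dump; 'carol' lacks both IDs.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: person
ipaUniqueID: 2c6b7b2a-0000-4000-8000-constructed01

dn: uid=bob,ou=people,o=LANLAB
objectClass: labPerson
nsuniqueid: 1f2e3d4c-0000-4000-8000-constructed02

dn: uid=carol,ou=people,o=LANLAB
objectClass: labPerson
uid: carol
"""


def parse_ldif(text):
    """Return one {attr_lowercase: [values]} dict per LDIF entry."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:  # RFC 2849 folded continuation
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:  # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):  # skip ldapsearch's comment lines
            name, _, value = line.partition(":")
            current.setdefault(name.lower(), []).append(value.strip())
    return entries


def unique_id_report(text):
    """Map each DN to the profile whose unique-ID attribute it carries."""
    report = {}
    for entry in parse_ldif(text):
        found = [p for a, p in UNIQUE_ID_CANDIDATES.items() if a in entry]
        report[entry["dn"][0]] = found[0] if found else "MISSING"
    return report
```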