----- Original Message -----
From: "Keith Mitchell" <kamitch@cisco.com> To: "Yair Zaslavsky" <yzaslavs@redhat.com> Cc: users@ovirt.org, "Juan Antonio Hernandez Fernandez" <jhernand@redhat.com>, "Itamar Heim" <iheim@redhat.com> Sent: Sunday, March 3, 2013 1:48:27 PM Subject: Re: [Users] webadmin login issues with AD
On 3/3/13 1:45 AM, Yair Zaslavsky wrote:
----- Original Message -----
From: "Keith Mitchell" <kamitch@cisco.com> To: "Itamar Heim" <iheim@redhat.com> Cc: users@ovirt.org, "Juan Antonio Hernandez Fernandez" <jhernand@redhat.com>, "Yair Zaslavsky" <yzaslavs@redhat.com> Sent: Sunday, March 3, 2013 7:15:16 AM Subject: Re: [Users] webadmin login issues with AD
On 3/2/13 11:57 PM, Itamar Heim wrote:
On 03/03/2013 06:41, Keith Mitchell wrote:
On 3/2/13 2:51 PM, Itamar Heim wrote:
On 01/03/2013 18:54, Keith Mitchell wrote: > I'm trying to get rhevm 3.1 (which seems to be pretty much > ovirt > 3.1 > from what I can tell) authenticating against our active > directory > infrastructure bu am having some difficulty that I don't quite > understand and was hoping someone may know what is happening. > > The server where rhevm/ovirt is running is a RHEL6 based > server > that has > NIS configured (with user home directories mounted via > nfs/automounter). The userids in nis match the userids in our > ActiveDirectory server (in fact the passwords should match too > since > there is a sync between the two). > > I added the Activedirectory server into ovirt (through > rhevm-manage-domains) and it is added/validated successfully. > As > the > local admin user I can go in and search agains the active > directory, add > permissions, etc. > > But... If I try to log into the webadmin/user portals with one > of the > active directory accounts it seems to hang... and I noticed > that > it > seems to be trying to mount the home directory of a bunch of > users via > the automounter (perhaps its trying to mount everyones home > directory... > can't tell). This takes a super long time since the home > directories > are all across the world and nfs access to some of these > filesystems is > really slow... i'm not sure it will ever complete... certainly > not > before the user gives up. Hi, Currently, both search of users in specific domain + login perform both authentication + authorization check + running ldap queries ( authorization is a part of the login). It seems really odd to me that login takes you quite some time, and search of users/groups does not. What other info can you provide about the user you try to login to? Did you give permissions to many entities?
At the moment there is just one AD account in the permissions and that is my AD account. At first I added "Domain Users" to the permissions, but I took that out and just stuck in my user account to see if that helped. In ovirt, my account is part of the System (i.e. top-level) and is give then SuperUser privilege, just like the local admin account.
My account is just a user account (no admin rights in the AD domain). I am a member of quite a few groups on the AD domain but I wouldn't think ovirt would care about that or need to query each group I am a member of.
Please elaborate on "quite a few groups" - actually this is a well known issue. I was afraid you might have permissions on "too many objects" or that the account is a member of too many groups. However, being a member of too many groups should have caused the search to be slow/hang as well.
Ultimately I was hoping to add the domain users group into the permissions to let anyone in the domain have access :)
I used wireshark to sniff for the LDAP packets instead of just the kerberos packets and during the "hang" it is sending constant ldap packets back and forth.
Looks like its doing bind request, then it succeeds and then there is a SASL-GSSAPI exchange followed by a connection close (i.e. FIN packet) and then it starts all over again. Everything is encrypted so its difficult to see anything in the packets.
On this particular sniff, the packets went back and forth for 10 minutes and then they stopped and when I looked it had logged me into the GUI. I don't usually wait that long. I have on occasion just left the window up and sometimes it would eventually log me in and sometimes it never logged me in... in the never cases the login window just stays there spinning until I reload the web page... perhaps something timed out and it gave up before the exchange finished.
Are there any debugs I can turn on in ovirt to have it spit out what its doing?
Hi, you can look at the following link - http://docs.oracle.com/javase/jndi/tutorial/ldap/security/sasl.html we support changing sasl_qop. You can use engine-config to do that. engine-config -s sasl_qop=auth will change Quality of Propetction to be only at authentication. Please let us know if using that you will be able to see the ldap queries (i.e - have them plain and not encrypted) Thanks, Yair