
22 Sep 2014, 1:10 p.m.
(2014/09/22 15:00), Alon Bar-Lev wrote:
>
> ----- Original Message -----
>> From: "Fumihide Tani" <RXC05271@nifty.com>
>> To: "Alon Bar-Lev" <alonbl@redhat.com>
>> Cc: users@ovirt.org
>> Sent: Monday, September 22, 2014 4:16:17 AM
>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>>
>> (2014/09/22 0:16), Alon Bar-Lev wrote:
>>> ----- Original Message -----
>>>> From: "Fumihide Tani" <RXC05271@nifty.com>
>>>> To: "Alon Bar-Lev" <alonbl@redhat.com>
>>>> Cc: users@ovirt.org
>>>> Sent: Sunday, September 21, 2014 6:00:48 PM
>>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>>>>
>>>> Hi, Alon,
>>>>
>>>> Following Alon's advice, I added the authz-company.properties file to the
>>>> configuration directory.
>>>> Then OpenLDAP users can be searched from the oVirt Web Admin, and I could add
>>>> its users to the portal successfully.
>>>>
>>>> But I have another problem.
>>>> These OpenLDAP users that I added can not login to the oVirt web user portal.
>>>>
>>>> User Name: Fumihide (This is shown on the Web Admin Portal "Users" tab as "First Name")
>>>> Password: (I specified it as OpenLDAP's userPassword for "Fumihide")
>>>> Domain: rxc05271.com (I selected it instead of "internal")
>>>>
>>>> ?
>>> 1. What error do you get at ui?
>> "The user name or password is incorrect."
>>
>>> 2. Please look at engine.log while attempting to login, if you see
>>> something helpful.
>> 2014-09-22 09:53:27,669 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-2) Cant login user "Fumihide" with authentication profile "rxc05271.com" because the authentication failed.
>> 2014-09-22 09:53:27,685 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide cannot login, please verify the username and password.
>> 2014-09-22 09:53:27,693 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide failed to log in.
>> 2014-09-22 09:53:27,693 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-2) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
>>
>>> 3. Please make sure that the following is a success:
>>> $ ldapsearch -h <HOST> -x -W -D <LOGIN_USER_DN> -b <BASE_DN> uid=<LOGIN_NAME>
>> [root@ovirt ~]# ldapsearch -H ldapi:/// -x -W -D "uid=tani,ou=Users,dc=rxc05271,dc=com" -b 'dc=rxc05271,dc=com' -x '(uid=tani)'
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <dc=rxc05271,dc=com> with scope subtree
>> # filter: (uid=tani)
>> # requesting: ALL
>> #
>>
>> # tani, Users, rxc05271.com
>> dn: uid=tani,ou=Users,dc=rxc05271,dc=com
>> objectClass: inetOrgPerson
>> objectClass: uidObject
>> uid: tani
>> cn: Fumihide Tani
>> givenName: Fumihide
>> mail: tani@rxc05271.com
>> sn: Tani
>> userPassword:: a3VtaXRhbg==
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>> [root@ovirt ~]#
>>
>>> 4. If working please modify
>>> /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in
>>> ---
>>>   <file-handler name="ENGINE" autoflush="true">
>>> -   <level name="INFO"/>
>>> -   <level name="FINEST"/>
>>> <snip>
>>> +   <logger category="org.ovirt.engineextensions.aaa.ldap">
>>> +     <level name="FINEST"/>
>>> +   </logger>
>>>   <logger category="org.ovirt.engine.core.bll">
>>> ---
>>> Restart engine, attempt login, send me the output.
>> 2014-09-22 10:03:57,517 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-7) Cant login user "Fumihide" with authentication profile "rxc05271.com" because the authentication failed.
>> 2014-09-22 10:03:57,534 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-7) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide cannot login, please verify the username and password.
>> 2014-09-22 10:03:57,545 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-7) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide failed to log in.
>> 2014-09-22 10:03:57,545 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-7) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
>>
>> (Is the logger level not changed to FINEST? The output is the same as above.)
>>
> I had a mistake above... the file-handler level should be set to finest.
>
>   <file-handler name="ENGINE" autoflush="true">
>     <level name="FINEST"/>
>
> can you confirm?
> or best send me the engine.xml.in file and I can see what's wrong.
>
> thanks!

I set the file-handler's level name to "FINEST", but the output is the same as before.
I attached the ovirt-engine.xml.in

Regards,

>
>
>> Thanks,
>> Fumihide Tani
>>
>>
>>>> Please advise me; I would be very thankful.
>>>>
>>>> Fumihide Tani
>>>>
>>>>
>>>> (2014/09/21 17:13), Alon Bar-Lev wrote:
>>>>> ----- Original Message -----
>>>>>> From: "Fumihide Tani" <RXC05271@nifty.com>
>>>>>> To: "Alon Bar-Lev" <alonbl@redhat.com>
>>>>>> Cc: users@ovirt.org
>>>>>> Sent: Sunday, September 21, 2014 11:11:11 AM
>>>>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>>>>>>
>>>>>> Hi, Alon
>>>>>>
>>>>>> Many thanks for your help.
>>>>>> My problem was solved and the AAA is working now.
>>>>>> I could add an LDAP user. :)
>>>>> Great.
>>>>> Can you please send me a patch or modified README to make it better?
>>>>>
>>>>> Alon
>>>>>
>>>>>> Fumihide Tani
>>>>>>
>>>>>> (2014/09/21 16:19), Alon Bar-Lev wrote:
>>>>>>> ----- Original Message -----
>>>>>>>> From: "Alon Bar-Lev" <alonbl@redhat.com>
>>>>>>>> To: "Fumihide Tani" <RXC05271@nifty.com>
>>>>>>>> Cc: users@ovirt.org
>>>>>>>> Sent: Sunday, September 21, 2014 10:19:11 AM
>>>>>>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> You need to create an authz extension as well (authz-company).
>>>>>>>> The configuration you provided is establishing authentication only (authn),
>>>>>>>> which refers to authz-company, but you did not add it.
>>>>>>>>
>>>>>>>> The terms are:
>>>>>>>> 1. authn - who the user is.
>>>>>>>> 2. authz - what the user is permitted.
>>>>>>>> 3. profile - combination of the two.
>>>>>>>>
>>>>>>>> -----------------------------
>>>>>>>> # vi /etc/ovirt-engine/extensions.d/authz-company.properties
>>>>>>>> ovirt.engine.extension.name = authz-company
>>>>>>>> ovirt.engine.extension.bindings.method = jbossmodule
>>>>>>>> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>>>>>>>> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
>>>>>>> Sorry:
>>>>>>> org.ovirt.engineextensions.aaa.ldap.AuthzExtension
>>>>>>>> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
>>>>>>>> config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
>>>>>>>> --------------------------------------------------
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Alon
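The two configuration mistakes in this thread (an authn extension referring to an authz-company that was never created, and an authz file binding the Authn class, which Alon corrected) can be caught before restarting the engine. The check below is an added example, not code from the thread or from the oVirt project; it assumes the authn properties file names its authz partner with the key ovirt.engine.aaa.authn.authz.plugin (as in the aaa-ldap README) and runs on constructed sample files rather than /etc/ovirt-engine/extensions.d.

```python
import re
# Added check, not from the thread or the oVirt project: validates the
# authn/authz extension pairs of extensions.d for the two mistakes seen above.
# Assumed from the aaa-ldap README: the authn file names its authz partner
# in ovirt.engine.aaa.authn.authz.plugin.
_KV = re.compile(r"^\s*([^=:\s#!][^=:\s]*)\s*[=:]\s*(.*?)\s*$")

def parse_properties(text):
    """Minimal Java .properties reader: 'key = value' per line, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        if (m := _KV.match(line)):
            props[m.group(1)] = m.group(2)
    return props

def check_extensions(files):
    """files maps file name -> properties text; returns a list of problems."""
    exts = {fname: parse_properties(text) for fname, text in files.items()}
    by_name = {p.get("ovirt.engine.extension.name"): p for p in exts.values()}
    problems = []
    for fname, p in exts.items():
        provides = p.get("ovirt.engine.extension.provides", "")
        cls = p.get("ovirt.engine.extension.binding.jbossmodule.class", "")
        kind = provides.rsplit(".", 1)[-1]  # "Authn" or "Authz"
        # Bound class must match the provided interface (Alon's "Sorry" fix above).
        if kind in ("Authn", "Authz") and not cls.endswith(kind + "Extension"):
            problems.append(f"{fname}: provides {kind} but binds class {cls}")
        if kind == "Authn":
            authz = p.get("ovirt.engine.aaa.authn.authz.plugin")  # assumed key
            partner = by_name.get(authz)
            if partner is None:  # the original failure: authz never created
                problems.append(f"{fname}: authz plugin {authz!r} is not defined")
            elif not partner.get("ovirt.engine.extension.provides", "").endswith(".Authz"):
                problems.append(f"{fname}: {authz!r} is not an authz extension")
    return problems

# Constructed sample files mirroring the thread (the authn file is assumed).
AUTHN = """\
ovirt.engine.extension.name = authn-company
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.aaa.authn.authz.plugin = authz-company
"""
AUTHZ_WRONG = """\
ovirt.engine.extension.name = authz-company
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
"""
AUTHZ_OK = AUTHZ_WRONG.replace("AuthnExtension", "AuthzExtension")
```

Calling check_extensions with only AUTHN reports the missing authz partner; with AUTHN and AUTHZ_WRONG it reports the class mismatch; with AUTHN and AUTHZ_OK it returns an empty list.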