----- Original Message -----
> From: "Fumihide Tani" <RXC05271(a)nifty.com>
> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> Cc: users(a)ovirt.org
> Sent: Monday, September 22, 2014 4:16:17 AM
> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>
> (2014/09/22 0:16), Alon Bar-Lev wrote:
>> ----- Original Message -----
>>> From: "Fumihide Tani" <RXC05271(a)nifty.com>
>>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>> Cc: users(a)ovirt.org
>>> Sent: Sunday, September 21, 2014 6:00:48 PM
>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>>>
>>> Hi, Alon,
>>>
>>> Following Alon's advice, I added the authz-company.properties file to the
>>> configuration directory.
>>> Then OpenLDAP users can be searched from the oVirt Web Admin, and I could add
>>> its users to the portal successfully.
>>>
>>> But I have another problem.
>>> These OpenLDAP users that I added cannot log in to the oVirt web user portal.
>>>
>>> User Name: Fumihide (This is shown on the Web Admin Portal "Users" tab as
>>> "First Name")
>>> Password: (I specified it as OpenLDAP's userPassword for "Fumihide")
>>> Domain: rxc05271.com (I selected it instead of "internal")
>>>
>>> ?
>> 1. What error do you get at ui?
> "The user name or password is incorrect."
>
>> 2. Please look at engine.log while attempting to login, if you see
>> something helpful.
> 2014-09-22 09:53:27,669 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand]
> (ajp--127.0.0.1-8702-2) Cant login user "Fumihide" with authentication
> profile "rxc05271.com" because the authentication failed.
> 2014-09-22 09:53:27,685 ERROR
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event
> ID: -1, Message: User Fumihide cannot login, please verify the username and
> password.
> 2014-09-22 09:53:27,693 ERROR
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event
> ID: -1, Message: User Fumihide failed to log in.
> 2014-09-22 09:53:27,693 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand]
> (ajp--127.0.0.1-8702-2) CanDoAction of action LoginUser failed.
> Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
>
>> 3. Please make sure that the following is a success:
>> $ ldapsearch -h <HOST> -x -W -D <LOGIN_USER_DN> -b <BASE_DN>
>> uid=<LOGIN_NAME>
> [root@ovirt ~]# ldapsearch -H ldapi:/// -x -W -D
> "uid=tani,ou=Users,dc=rxc05271,dc=com" -b 'dc=rxc05271,dc=com' -x
> '(uid=tani)'
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=rxc05271,dc=com> with scope subtree
> # filter: (uid=tani)
> # requesting: ALL
> #
>
> # tani, Users, rxc05271.com
> dn: uid=tani,ou=Users,dc=rxc05271,dc=com
> objectClass: inetOrgPerson
> objectClass: uidObject
> uid: tani
> cn: Fumihide Tani
> givenName: Fumihide
> mail: tani(a)rxc05271.com
> sn: Tani
> userPassword:: a3VtaXRhbg==
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> [root@ovirt ~]#
>
>> 4. If working please modify
>> /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in
>> ---
>> <file-handler name="ENGINE" autoflush="true">
>> - <level name="INFO"/>
>> - <level name="FINEST"/>
>> <snip>
>> + <logger category="org.ovirt.engineextensions.aaa.ldap">
>> + <level name="FINEST"/>
>> + </logger>
>> <logger category="org.ovirt.engine.core.bll">
>> ---
>> Restart engine, attempt login, send me the output.
> 2014-09-22 10:03:57,517 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand]
> (ajp--127.0.0.1-8702-7) Cant login user "Fumihide" with authentication
> profile "rxc05271.com" because the authentication failed.
> 2014-09-22 10:03:57,534 ERROR
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (ajp--127.0.0.1-8702-7) Correlation ID: null, Call Stack: null, Custom Event
> ID: -1, Message: User Fumihide cannot login, please verify the username and
> password.
> 2014-09-22 10:03:57,545 ERROR
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (ajp--127.0.0.1-8702-7) Correlation ID: null, Call Stack: null, Custom Event
> ID: -1, Message: User Fumihide failed to log in.
> 2014-09-22 10:03:57,545 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand]
> (ajp--127.0.0.1-8702-7) CanDoAction of action LoginUser failed.
> Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
>
> (Was the logger level not changed to FINEST? The output is the same as above.)
>
I had a mistake above... the file-handler level should be set to finest.
<file-handler name="ENGINE" autoflush="true">
<level name="FINEST"/>
can you confirm?
or best send me the engine.xml.in file and I can see what's wrong.
thanks!
I set the file-handler's level name to "FINEST", but the output is the same as
before.
I attached the ovirt-engine.xml.in
Regards,
> Thanks,
> Fumihide Tani
>
>
>>> Please advise me; I would be very thankful.
>>>
>>> Fumihide Tani
>>>
>>>
>>> (2014/09/21 17:13), Alon Bar-Lev wrote:
>>>> ----- Original Message -----
>>>>> From: "Fumihide Tani" <RXC05271(a)nifty.com>
>>>>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>>>> Cc: users(a)ovirt.org
>>>>> Sent: Sunday, September 21, 2014 11:11:11 AM
>>>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>>>>>
>>>>> Hi, Alon
>>>>>
>>>>> Many thanks for your help.
>>>>> My problem was solved and the AAA is working now.
>>>>> I could add LDAP user. :)
>>>> Great.
>>>> Can you please send me a patch or modified README to make it better?
>>>>
>>>> Alon
>>>>
>>>>> Fumihide Tani
>>>>>
>>>>> (2014/09/21 16:19), Alon Bar-Lev wrote:
>>>>>> ----- Original Message -----
>>>>>>> From: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>>>>>> To: "Fumihide Tani" <RXC05271(a)nifty.com>
>>>>>>> Cc: users(a)ovirt.org
>>>>>>> Sent: Sunday, September 21, 2014 10:19:11 AM
>>>>>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> You need to create authz extension as well (authz-company).
>>>>>>> The configuration you provided establishes authentication only (authn),
>>>>>>> which refers to authz-company, but you did not add it.
>>>>>>>
>>>>>>> The terms are:
>>>>>>> 1. authn - who the user is.
>>>>>>> 2. authz - what user is permitted.
>>>>>>> 3. profile - combination of the two.
>>>>>>>
>>>>>>> -----------------------------
>>>>>>> # vi /etc/ovirt-engine/extensions.d/authz-company.properties
>>>>>>> ovirt.engine.extension.name = authz-company
>>>>>>> ovirt.engine.extension.bindings.method = jbossmodule
>>>>>>> ovirt.engine.extension.binding.jbossmodule.module =
>>>>>>> org.ovirt.engine-extensions.aaa.ldap
>>>>>>> ovirt.engine.extension.binding.jbossmodule.class =
>>>>>>> org.ovirt.engineextensions.aaa.ldap.AuthnExtension
>>>>>> Sorry:
>>>>>> org.ovirt.engineextensions.aaa.ldap.AuthzExtension
>>>>>>> ovirt.engine.extension.provides =
>>>>>>> org.ovirt.engine.api.extensions.aaa.Authz
>>>>>>> config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
>>>>>>> --------------------------------------------------
>>>>>>>
>>>>>>> Regards,
>>>>>>> Alon
>>>
>
>
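The thread turns on two things Alon asks the reporter to verify: that the authn extension really points at an authz extension that exists (with the class corrected to AuthzExtension, as in his follow-up), and, in step 3, that the name typed at the portal matches the LDAP `uid` that `ldapsearch` returns. The script below is an added example written for this page, not code from the thread or from the oVirt project. It assumes the authn-side keys `ovirt.engine.aaa.authn.profile.name` and `ovirt.engine.aaa.authn.authz.plugin` as documented in the ovirt-engine-extension-aaa-ldap README (they are not shown in the thread), and all file contents and the LDIF output are constructed in-line rather than read from a host, so it runs offline.

```python
"""Added example (not from the ovirt-users thread or the oVirt project):
check the authn -> authz -> profile chain of an oVirt AAA LDAP setup and
confirm that the portal login name matches the LDAP uid (Alon's step 3)."""
import base64
import re

# Constructed sample files. The authz file mirrors the one pasted in the
# thread with the class corrected to AuthzExtension; the authn keys
# ovirt.engine.aaa.authn.* are assumed from the extension README.
AUTHN_OK = """\
ovirt.engine.extension.name = authn-company
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = rxc05271.com
ovirt.engine.aaa.authn.authz.plugin = authz-company
config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
"""
AUTHZ_OK = """\
ovirt.engine.extension.name = authz-company
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
"""
# The mistake from the first mail in the thread: Authz provided by AuthnExtension.
AUTHZ_WRONG_CLASS = AUTHZ_OK.replace("AuthzExtension", "AuthnExtension")

# Constructed ldapsearch output shaped like the thread's (password omitted;
# the mail value is base64 to exercise the '::' syntax ldapsearch uses).
LDIF_SAMPLE = """\
# extended LDIF
#
# LDAPv3
# base <dc=rxc05271,dc=com> with scope subtree
# filter: (uid=tani)
# requesting: ALL
#

# tani, Users, rxc05271.com
dn: uid=tani,ou=Users,dc=rxc05271,dc=com
objectClass: inetOrgPerson
objectClass: uidObject
uid: tani
cn: Fumihide Tani
givenName: Fumihide
mail:: dGFuaUByeGMwNTI3MS5jb20=
sn: Tani

# search result
search: 2
result: 0 Success
"""

# Which JBoss module class each "provides" value should be bound to.
EXPECTED_CLASS = {
    "org.ovirt.engine.api.extensions.aaa.Authn": "AuthnExtension",
    "org.ovirt.engine.api.extensions.aaa.Authz": "AuthzExtension",
}


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, 'key = value' lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_extensions(files):
    """files: {filename: properties text}. Returns a list of problems (empty = OK)."""
    problems, by_name = [], {}
    for fname, text in files.items():
        p = parse_properties(text)
        name = p.get("ovirt.engine.extension.name")
        provides = p.get("ovirt.engine.extension.provides")
        if not name or not provides:
            problems.append(f"{fname}: missing extension name or provides")
            continue
        klass = p.get("ovirt.engine.extension.binding.jbossmodule.class", "")
        want = EXPECTED_CLASS.get(provides)
        if want and not klass.endswith(want):  # e.g. Authz bound to AuthnExtension
            problems.append(f"{fname}: provides {provides.rsplit('.', 1)[-1]} "
                            f"but class is {klass.rsplit('.', 1)[-1] or '(unset)'}")
        by_name[name] = (fname, p)
    # Every authn extension must name an authz extension that actually exists,
    # and both should read the same profile file.
    for fname, p in by_name.values():
        if p.get("ovirt.engine.extension.provides", "").endswith(".Authn"):
            authz = p.get("ovirt.engine.aaa.authn.authz.plugin")
            target = by_name.get(authz)
            if target is None:
                problems.append(f"{fname}: authz plugin '{authz}' has no extension file")
            elif target[1].get("config.profile.file.1") != p.get("config.profile.file.1"):
                problems.append(f"{fname}: authn and authz use different profile files")
    return problems


def parse_ldif(text):
    """Parse ldapsearch output into a list of {attr: [values]} entries.
    '#' lines are comments, '::' marks a base64 value, a blank line ends an
    entry; folded continuation lines (leading space) are not handled here."""
    entries, current = [], {}
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = raw.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return [e for e in entries if "dn" in e]  # drop the 'search result' block


def login_name_matches_uid(entries, login_name):
    """Step 3 of the thread: the portal login name must equal an LDAP uid,
    not the cn or givenName shown as 'First Name' in the admin portal."""
    return any(login_name in e.get("uid", []) for e in entries)


if __name__ == "__main__":
    files = {"authn-company.properties": AUTHN_OK,
             "authz-company.properties": AUTHZ_OK}
    print("extension problems:", check_extensions(files) or "none")
    entries = parse_ldif(LDIF_SAMPLE)
    for name in ("tani", "Fumihide"):
        print(f"login as {name!r} matches uid:", login_name_matches_uid(entries, name))
```

Running it with the constructed inputs reports no extension problems, and shows that `tani` matches the returned `uid` while `Fumihide` (the givenName) does not; swapping in `AUTHZ_WRONG_CLASS` reproduces the class mismatch Alon corrected in the thread.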