You need to add the following:
+ <logger category="org.ovirt.engineextensions.aaa.ldap">
+ <level name="FINEST"/>
+ </logger>
<logger category="org.ovirt.engine.core.bll">
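Review bot: this logger stanza only raises the threshold for the org.ovirt.engineextensions.aaa.ldap category; the ENGINE file-handler must also accept FINEST records (the earlier hunk in this thread marked both of its `<level>` lines with `-`, which leaves the handler with no level at all), and the engine has to be restarted for ovirt-engine.xml.in to be re-read. If the handler is already at FINEST, as the reply below says, and adding this stanza still changes nothing, the next thing to verify is that the edited file is the one the service actually loads.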
Look at the + lines, please add these (without the +) just before: <logger category="org.ovirt.engine.core.bll">
Thanks!
----- Original Message -----
From: "Fumihide Tani" <RXC05271(a)nifty.com>
To: "Alon Bar-Lev" <alonbl(a)redhat.com>
Cc: users(a)ovirt.org
Sent: Monday, September 22, 2014 1:10:57 PM
Subject: Re: [ovirt-users] Can not configure with simple LDAP.
(2014/09/22 15:00), Alon Bar-Lev wrote:
>
> ----- Original Message -----
>> From: "Fumihide Tani" <RXC05271(a)nifty.com>
>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>> Cc: users(a)ovirt.org
>> Sent: Monday, September 22, 2014 4:16:17 AM
>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>>
>> (2014/09/22 0:16), Alon Bar-Lev wrote:
>>> ----- Original Message -----
>>>> From: "Fumihide Tani" <RXC05271(a)nifty.com>
>>>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>>> Cc: users(a)ovirt.org
>>>> Sent: Sunday, September 21, 2014 6:00:48 PM
>>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>>>>
>>>> Hi, Alon,
>>>>
>>>> Following Alon's advice, I added the authz-company.properties file to the
>>>> configuration directory.
>>>> Then OpenLDAP users can be searched from the oVirt Web Admin, and I could add
>>>> its users to the portal successfully.
>>>>
>>>> But I have another problem.
>>>> These OpenLDAP users that I added cannot log in to the oVirt web user portal.
>>>>
>>>> User Name: Fumihide (This is shown on the Web Admin Portal "Users" tab as "First Name")
>>>> Password: (I specified it as OpenLDAP's userPassword for "Fumihide")
>>>> Domain: rxc05271.com (I selected it instead of "internal")
>>>>
>>>> ?
>>> 1. What error do you get at ui?
>> "The user name or password is incorrect."
>>
>>> 2. Please look at engine.log while attempting to login, if you see
>>> something helpful.
>> 2014-09-22 09:53:27,669 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-2) Cant login user "Fumihide" with authentication profile "rxc05271.com" because the authentication failed.
>> 2014-09-22 09:53:27,685 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide cannot login, please verify the username and password.
>> 2014-09-22 09:53:27,693 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide failed to log in.
>> 2014-09-22 09:53:27,693 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-2) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
>>
>>> 3. Please make sure that the following is a success:
>>> $ ldapsearch -h <HOST> -x -W -D <LOGIN_USER_DN> -b <BASE_DN> uid=<LOGIN_NAME>
>> [root@ovirt ~]# ldapsearch -H ldapi:/// -x -W -D "uid=tani,ou=Users,dc=rxc05271,dc=com" -b 'dc=rxc05271,dc=com' -x '(uid=tani)'
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <dc=rxc05271,dc=com> with scope subtree
>> # filter: (uid=tani)
>> # requesting: ALL
>> #
>>
>> # tani, Users, rxc05271.com
>> dn: uid=tani,ou=Users,dc=rxc05271,dc=com
>> objectClass: inetOrgPerson
>> objectClass: uidObject
>> uid: tani
>> cn: Fumihide Tani
>> givenName: Fumihide
>> mail: tani(a)rxc05271.com
>> sn: Tani
>> userPassword:: a3VtaXRhbg==
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>> [root@ovirt ~]#
>>
>>> 4. If working please modify
>>> /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in
>>> ---
>>> <file-handler name="ENGINE"
autoflush="true">
>>> - <level name="INFO"/>
>>> - <level name="FINEST"/>
>>> <snip>
>>> + <logger
category="org.ovirt.engineextensions.aaa.ldap">
>>> + <level name="FINEST"/>
>>> + </logger>
>>> <logger category="org.ovirt.engine.core.bll">
>>> ---
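Review bot: in the file-handler part of this hunk both `<level name="INFO"/>` and `<level name="FINEST"/>` carry a `-`, so applying it literally deletes the handler's level element instead of raising it; the second line should be `+ <level name="FINEST"/>`, as is corrected further down the thread. The `<snip>` also means this is not something `patch` can apply; the reader has to find the ENGINE file-handler and the org.ovirt.engine.core.bll logger by hand and edit both.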
>>> Restart engine, attempt login, send me the output.
>> 2014-09-22 10:03:57,517 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-7) Cant login user "Fumihide" with authentication profile "rxc05271.com" because the authentication failed.
>> 2014-09-22 10:03:57,534 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-7) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide cannot login, please verify the username and password.
>> 2014-09-22 10:03:57,545 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-7) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide failed to log in.
>> 2014-09-22 10:03:57,545 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-7) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
>>
>> (Was the logger level not changed to FINEST? The output is the same as above.)
>>
> I had a mistake above... the file-handler level should be set to finest.
>
> <file-handler name="ENGINE" autoflush="true">
> <level name="FINEST"/>
>
> can you confirm?
> or best send me the engine.xml.in file and I can see what's wrong.
>
> thanks!
I set the file-handler's level name to "FINEST", but the output is the same as before.
I attached the ovirt-engine.xml.in
Regards,
>
>
>> Thanks,
>> Fumihide Tani
>>
>>
>>>> Please advise me; I would be very thankful.
>>>>
>>>> Fumihide Tani
>>>>
>>>>
>>>> (2014/09/21 17:13), Alon Bar-Lev wrote:
>>>>> ----- Original Message -----
>>>>>> From: "Fumihide Tani" <RXC05271(a)nifty.com>
>>>>>> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>>>>> Cc: users(a)ovirt.org
>>>>>> Sent: Sunday, September 21, 2014 11:11:11 AM
>>>>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>>>>>>
>>>>>> Hi, Alon
>>>>>>
>>>>>> Many thanks for your help.
>>>>>> My problem was solved and the AAA is working now.
>>>>>> I could add LDAP user. :)
>>>>> Great.
>>>>> Can you please send me a patch or modified README to make it better?
>>>>>
>>>>> Alon
>>>>>
>>>>>> Fumihide Tani
>>>>>>
>>>>>> (2014/09/21 16:19), Alon Bar-Lev wrote:
>>>>>>> ----- Original Message -----
>>>>>>>> From: "Alon Bar-Lev" <alonbl(a)redhat.com>
>>>>>>>> To: "Fumihide Tani" <RXC05271(a)nifty.com>
>>>>>>>> Cc: users(a)ovirt.org
>>>>>>>> Sent: Sunday, September 21, 2014 10:19:11 AM
>>>>>>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> You need to create an authz extension as well (authz-company).
>>>>>>>> The configuration you provided is establishing authentication only (authn),
>>>>>>>> which refers to authz-company, but you did not add it.
>>>>>>>>
>>>>>>>> The terms are:
>>>>>>>> 1. authn - who the user is.
>>>>>>>> 2. authz - what the user is permitted to do.
>>>>>>>> 3. profile - combination of the two.
>>>>>>>>
>>>>>>>> -----------------------------
>>>>>>>> # vi /etc/ovirt-engine/extensions.d/authz-company.properties
>>>>>>>> ovirt.engine.extension.name = authz-company
>>>>>>>> ovirt.engine.extension.bindings.method = jbossmodule
>>>>>>>> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>>>>>>>> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
>>>>>>> Sorry:
>>>>>>> org.ovirt.engineextensions.aaa.ldap.AuthzExtension
>>>>>>>> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
>>>>>>>> config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
>>>>>>>> --------------------------------------------------
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Alon
>>>>
>>
>>
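The thread turns on two checks that are easy to get wrong by hand: that the authn extension in extensions.d refers to an authz extension that actually exists and binds the right class (the first problem, fixed by adding authz-company.properties), and that the name typed at the portal is one the profile can look up (step 3 above searches on uid, while the log records a login attempt for "Fumihide"). The script below is an added example, not code from the thread or from the oVirt project. It runs offline on constructed input: the extensions.d contents are modelled on the authz file quoted above, the property key ovirt.engine.aaa.authn.authz.plugin is assumed from the aaa-ldap README (the authn file is not shown on this page), and the LDIF is a constructed copy of the ldapsearch output with the password replaced. One caveat the LDIF check surfaces: a userPassword shown as `userPassword::` in LDIF is only base64-wrapped, so a value without a {SCHEME} prefix is a cleartext password and such output should be redacted before it is pasted into a mailing list.

```python
"""Added example, not from the thread or the oVirt project: two offline checks
for an oVirt 3.5 aaa-ldap setup. The key ovirt.engine.aaa.authn.authz.plugin is
assumed from the aaa-ldap README (the thread does not show the authn file)."""
import base64

# Constructed extensions.d contents modelled on the thread, not the poster's files.
AUTHN_PROPERTIES = """\
ovirt.engine.extension.name = authn-company
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = rxc05271.com
ovirt.engine.aaa.authn.authz.plugin = authz-company
config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
"""
AUTHZ_PROPERTIES = """\
ovirt.engine.extension.name = authz-company
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
"""
AUTHN = "org.ovirt.engine.api.extensions.aaa.Authn"
AUTHZ = "org.ovirt.engine.api.extensions.aaa.Authz"
EXPECTED_CLASS = {AUTHN: "org.ovirt.engineextensions.aaa.ldap.AuthnExtension",
                  AUTHZ: "org.ovirt.engineextensions.aaa.ldap.AuthzExtension"}

def parse_properties(text):
    """Java-properties subset: 'key = value' lines, '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_extensions(texts):
    """Wiring problems across a set of extensions.d files (empty list means OK)."""
    exts = [parse_properties(t) for t in texts]
    by_name = {e.get("ovirt.engine.extension.name"): e for e in exts}
    problems = []
    for e in exts:
        name = e.get("ovirt.engine.extension.name", "<unnamed>")
        provides = e.get("ovirt.engine.extension.provides")
        cls = e.get("ovirt.engine.extension.binding.jbossmodule.class")
        if provides in EXPECTED_CLASS and cls != EXPECTED_CLASS[provides]:
            problems.append(f"{name}: provides {provides} but binds class {cls}")
        if provides == AUTHN:  # authn must refer to an Authz extension that exists
            authz = e.get("ovirt.engine.aaa.authn.authz.plugin")
            target = by_name.get(authz)
            if target is None:
                problems.append(f"{name}: authz plugin '{authz}' has no extensions.d file")
            elif target.get("ovirt.engine.extension.provides") != AUTHZ:
                problems.append(f"{name}: '{authz}' does not provide Authz")
    return problems

# Constructed LDIF shaped like the ldapsearch output in the thread (password changed).
LDIF = """\
dn: uid=tani,ou=Users,dc=rxc05271,dc=com
uid: tani
cn: Fumihide Tani
givenName: Fumihide
userPassword:: c2VjcmV0
"""

def parse_ldif(text):
    """Minimal LDIF reader: blank line ends an entry, 'attr::' means base64 (no line folding)."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if not line:
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr, []).append(value)
    return entries

def resolve_login(entries, login_name, attr="uid"):
    """Entries the typed login name selects when the profile searches on `attr` (uid, as in step 3)."""
    return [e for e in entries if login_name in e.get(attr, [])]

def diagnose_login(entries, login_name, attr="uid"):
    """One-line verdict: does the name resolve, and if not, which attribute it actually appears in."""
    matches = resolve_login(entries, login_name, attr)
    if len(matches) == 1:
        return f"'{login_name}' resolves to {matches[0]['dn'][0]}"
    elsewhere = sorted(a for e in entries for a, vals in e.items() if a != attr and login_name in vals)
    hint = f"; it is the value of {', '.join(elsewhere)}" if elsewhere else ""
    return f"'{login_name}' matches {len(matches)} entries on {attr}{hint}"

def cleartext_password_dns(entries):
    """DNs whose userPassword lacks a {SCHEME} prefix: '::' in LDIF is base64, not a hash."""
    return [e["dn"][0] for e in entries for v in e.get("userPassword", []) if not v.startswith("{")]

if __name__ == "__main__":
    print(check_extensions([AUTHN_PROPERTIES, AUTHZ_PROPERTIES]) or "extensions.d: OK")
    print(check_extensions([AUTHN_PROPERTIES]))  # authz-company missing, the thread's first problem
    entries = parse_ldif(LDIF)
    print(diagnose_login(entries, "tani"))
    print(diagnose_login(entries, "Fumihide"))
    print("cleartext userPassword:", cleartext_password_dns(entries))
```

To run it against a real deployment, replace the constructed strings with the contents of /etc/ovirt-engine/extensions.d/*.properties and with the output of the step 3 ldapsearch, and pass the exact string typed in the portal's User Name field to diagnose_login; the class check also catches the AuthnExtension/AuthzExtension mix-up corrected inline above.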