
22 Sep 2014, 1:15 p.m.
You need to add the following:

+ <logger category="org.ovirt.engineextensions.aaa.ldap">
+ <level name="FINEST"/>
+ </logger>
<logger category="org.ovirt.engine.core.bll">

Look at the + lines, please add these (without the +) just before:

<logger category="org.ovirt.engine.core.bll">

Thanks!

----- Original Message -----
> From: "Fumihide Tani" <RXC05271@nifty.com>
> To: "Alon Bar-Lev" <alonbl@redhat.com>
> Cc: users@ovirt.org
> Sent: Monday, September 22, 2014 1:10:57 PM
> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>
> (2014/09/22 15:00), Alon Bar-Lev wrote:
> >
> > ----- Original Message -----
> >> From: "Fumihide Tani" <RXC05271@nifty.com>
> >> To: "Alon Bar-Lev" <alonbl@redhat.com>
> >> Cc: users@ovirt.org
> >> Sent: Monday, September 22, 2014 4:16:17 AM
> >> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
> >>
> >> (2014/09/22 0:16), Alon Bar-Lev wrote:
> >>> ----- Original Message -----
> >>>> From: "Fumihide Tani" <RXC05271@nifty.com>
> >>>> To: "Alon Bar-Lev" <alonbl@redhat.com>
> >>>> Cc: users@ovirt.org
> >>>> Sent: Sunday, September 21, 2014 6:00:48 PM
> >>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
> >>>>
> >>>> Hi, Alon,
> >>>>
> >>>> Following Alon's advice, I added the authz-company.properties file to the
> >>>> configuration directory.
> >>>> Then OpenLDAP users can be searched from the oVirt Web Admin, and I could add
> >>>> its users to the portal successfully.
> >>>>
> >>>> But I have another problem.
> >>>> These OpenLDAP users that I added cannot log in to the oVirt web user
> >>>> portal.
> >>>>
> >>>> User Name: Fumihide (This is shown on the Web Admin Portal "Users" tab as
> >>>> "First Name")
> >>>> Password: (I specified it as OpenLDAP's userPassword for "Fumihide")
> >>>> Domain: rxc05271.com (I selected it instead of "internal")
> >>>>
> >>>> ?
> >>> 1. What error do you get at ui?
> >> "The user name or password is incorrect."
> >>
> >>> 2. Please look at engine.log while attempting to login, if you see
> >>> something helpful.
> >> 2014-09-22 09:53:27,669 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-2) Cant login user "Fumihide" with authentication profile "rxc05271.com" because the authentication failed.
> >> 2014-09-22 09:53:27,685 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide cannot login, please verify the username and password.
> >> 2014-09-22 09:53:27,693 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide failed to log in.
> >> 2014-09-22 09:53:27,693 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-2) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
> >>
> >>> 3. Please make sure that the following is a success:
> >>> $ ldapsearch -h <HOST> -x -W -D <LOGIN_USER_DN> -b <BASE_DN> uid=<LOGIN_NAME>
> >> [root@ovirt ~]# ldapsearch -H ldapi:/// -x -W -D "uid=tani,ou=Users,dc=rxc05271,dc=com" -b 'dc=rxc05271,dc=com' -x '(uid=tani)'
> >> Enter LDAP Password:
> >> # extended LDIF
> >> #
> >> # LDAPv3
> >> # base <dc=rxc05271,dc=com> with scope subtree
> >> # filter: (uid=tani)
> >> # requesting: ALL
> >> #
> >>
> >> # tani, Users, rxc05271.com
> >> dn: uid=tani,ou=Users,dc=rxc05271,dc=com
> >> objectClass: inetOrgPerson
> >> objectClass: uidObject
> >> uid: tani
> >> cn: Fumihide Tani
> >> givenName: Fumihide
> >> mail: tani@rxc05271.com
> >> sn: Tani
> >> userPassword:: a3VtaXRhbg==
> >>
> >> # search result
> >> search: 2
> >> result: 0 Success
> >>
> >> # numResponses: 2
> >> # numEntries: 1
> >> [root@ovirt ~]#
> >>
> >>> 4. If working please modify
> >>> /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in
> >>> ---
> >>> <file-handler name="ENGINE" autoflush="true">
> >>> - <level name="INFO"/>
> >>> - <level name="FINEST"/>
> >>> <snip>
> >>> + <logger category="org.ovirt.engineextensions.aaa.ldap">
> >>> + <level name="FINEST"/>
> >>> + </logger>
> >>> <logger category="org.ovirt.engine.core.bll">
> >>> ---
> >>> Restart engine, attempt login, send me the output.
> >> 2014-09-22 10:03:57,517 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-7) Cant login user "Fumihide" with authentication profile "rxc05271.com" because the authentication failed.
> >> 2014-09-22 10:03:57,534 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-7) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide cannot login, please verify the username and password.
> >> 2014-09-22 10:03:57,545 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-7) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide failed to log in.
> >> 2014-09-22 10:03:57,545 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-7) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
> >>
> >> (logger level is not changed to FINEST? The output is the same as above.)
> >>
> > I made a mistake above... the file-handler level should be set to finest.
> >
> > <file-handler name="ENGINE" autoflush="true">
> > <level name="FINEST"/>
> >
> > can you confirm?
> > or best send me the engine.xml.in file and I can see what's wrong.
> >
> > thanks!
>
> I set the file-handler's level name to "FINEST", but the output is the same as before.
> I attached the ovirt-engine.xml.in
>
> Regards,
>
>
> >
> >> Thanks,
> >> Fumihide Tani
> >>
> >>
> >>>> Please advise me, I would be very thankful.
> >>>>
> >>>> Fumihide Tani
> >>>>
> >>>>
> >>>> (2014/09/21 17:13), Alon Bar-Lev wrote:
> >>>>> ----- Original Message -----
> >>>>>> From: "Fumihide Tani" <RXC05271@nifty.com>
> >>>>>> To: "Alon Bar-Lev" <alonbl@redhat.com>
> >>>>>> Cc: users@ovirt.org
> >>>>>> Sent: Sunday, September 21, 2014 11:11:11 AM
> >>>>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
> >>>>>>
> >>>>>> Hi, Alon
> >>>>>>
> >>>>>> Many thanks for your help.
> >>>>>> My problem was solved and the AAA is working now.
> >>>>>> I could add an LDAP user. :)
> >>>>> Great.
> >>>>> Can you please send me a patch or modified README to make it better?
> >>>>>
> >>>>> Alon
> >>>>>
> >>>>>> Fumihide Tani
> >>>>>>
> >>>>>> (2014/09/21 16:19), Alon Bar-Lev wrote:
> >>>>>>> ----- Original Message -----
> >>>>>>>> From: "Alon Bar-Lev" <alonbl@redhat.com>
> >>>>>>>> To: "Fumihide Tani" <RXC05271@nifty.com>
> >>>>>>>> Cc: users@ovirt.org
> >>>>>>>> Sent: Sunday, September 21, 2014 10:19:11 AM
> >>>>>>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
> >>>>>>>>
> >>>>>>>> Hi,
> >>>>>>>>
> >>>>>>>> You need to create the authz extension as well (authz-company).
> >>>>>>>> The configuration you provided is establishing authentication only
> >>>>>>>> (authn), which refers to authz-company, but you did not add it.
> >>>>>>>>
> >>>>>>>> The terms are:
> >>>>>>>> 1. authn - who the user is.
> >>>>>>>> 2. authz - what the user is permitted to do.
> >>>>>>>> 3. profile - combination of the two.
> >>>>>>>>
> >>>>>>>> -----------------------------
> >>>>>>>> # vi /etc/ovirt-engine/extensions.d/authz-company.properties
> >>>>>>>> ovirt.engine.extension.name = authz-company
> >>>>>>>> ovirt.engine.extension.bindings.method = jbossmodule
> >>>>>>>> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> >>>>>>>> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> >>>>>>> Sorry:
> >>>>>>> org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> >>>>>>>> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> >>>>>>>> config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
> >>>>>>>> --------------------------------------------------
> >>>>>>>>
> >>>>>>>> Regards,
> >>>>>>>> Alon
> >>>>
> >>
> >>
> >
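The thread turns on two easy-to-miss configuration slips in /etc/ovirt-engine/extensions.d/: an authn profile that names an authz extension nobody has defined, and an authz file whose class is the Authn one (the typo Alon corrects with "Sorry:"). The following checker is an added example written for this page; it is not code from the thread participants or from the oVirt project. It parses each *.properties file, confirms that the `provides` interface (Authn/Authz) matches the implementing class, and confirms that every authn extension points at an authz extension that actually exists. The sample file contents are constructed from the values quoted in the thread; the authn-company file and the key `ovirt.engine.aaa.authn.authz.plugin`, by which I understand an authn extension to name its authz partner, are assumptions and not taken from this page.

```python
"""Consistency check for oVirt AAA extension property files (added example)."""
import re
from pathlib import Path

NAME = "ovirt.engine.extension.name"
CLASS = "ovirt.engine.extension.binding.jbossmodule.class"
PROVIDES = "ovirt.engine.extension.provides"
# Assumption: the key an authn extension uses to name its authz partner.
AUTHZ_REF = "ovirt.engine.aaa.authn.authz.plugin"

# Interface suffix -> class that implements it in the aaa-ldap module
# (both class names are quoted in the thread).
EXPECTED_CLASS = {
    "Authn": "org.ovirt.engineextensions.aaa.ldap.AuthnExtension",
    "Authz": "org.ovirt.engineextensions.aaa.ldap.AuthzExtension",
}


def parse_properties(text):
    """Minimal Java .properties reader: 'key = value' lines, '#'/'!' comments, no escapes."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_extensions(files):
    """files: {filename: properties text}. Returns a list of human-readable findings."""
    parsed = {fn: parse_properties(txt) for fn, txt in files.items()}
    names = {p.get(NAME) for p in parsed.values()}
    findings = []
    for fn, p in parsed.items():
        for key in (NAME, CLASS, PROVIDES):
            if key not in p:
                findings.append(f"{fn}: missing {key}")
        provides = p.get(PROVIDES, "")
        kind = provides.rsplit(".", 1)[-1]  # "Authn" or "Authz"
        expected = EXPECTED_CLASS.get(kind)
        if expected is None:
            findings.append(f"{fn}: unknown provides interface {provides!r}")
        elif p.get(CLASS) != expected:
            # The mistake in the first version of authz-company.properties.
            findings.append(f"{fn}: provides {kind} but class is {p.get(CLASS)}; expected {expected}")
        if kind == "Authn":
            ref = p.get(AUTHZ_REF)
            if ref is None:
                findings.append(f"{fn}: authn extension does not name an authz extension ({AUTHZ_REF})")
            elif ref not in names:
                # The original problem: authn refers to authz-company, which was never created.
                findings.append(f"{fn}: refers to authz extension {ref!r} but no file defines it")
    return findings


def check_directory(path="/etc/ovirt-engine/extensions.d"):
    """Run the check against a real extensions.d directory."""
    files = {p.name: p.read_text() for p in Path(path).glob("*.properties")}
    return check_extensions(files)


# Constructed sample: an authn profile that names authz-company (assumed key).
AUTHN_COMPANY = """\
ovirt.engine.extension.name = authn-company
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.authz.plugin = authz-company
config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
"""

# The authz file as first posted in the thread (wrong class), and as corrected.
AUTHZ_COMPANY_FIRST = """\
ovirt.engine.extension.name = authz-company
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
"""
AUTHZ_COMPANY_FIXED = AUTHZ_COMPANY_FIRST.replace("AuthnExtension", "AuthzExtension")

if __name__ == "__main__":
    print("authn only:", check_extensions({"authn-company.properties": AUTHN_COMPANY}))
    for label, authz in (("first version", AUTHZ_COMPANY_FIRST), ("corrected", AUTHZ_COMPANY_FIXED)):
        result = check_extensions({"authn-company.properties": AUTHN_COMPANY,
                                   "authz-company.properties": authz})
        print(f"{label}:", result or "OK")
```

Run it as a script to see the three stages of the thread (no authz file, wrong class, corrected), or call `check_directory()` on an engine host to lint the live configuration before restarting the engine; a class/interface mismatch is reported without needing the FINEST logging discussed later in the thread.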