
----- Original Message -----
From: "Juan Jose" <jj197005@gmail.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>, "Yair Zaslavsky" <yzaslavs@redhat.com>
Sent: Wednesday, December 10, 2014 12:30:34 PM
Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
Hello Alon and Yair,
Many thanks for your help, finally it works properly. My problem, after Alon's last indications, was that my user "Juanjo" was defined with the SuperUser role in the previous domain configuration. I have logged in with the admin user from internal, removed the old configuration and configured my user "Juanjo" with all administrator roles in the "Permission" folder, and now I can log in to the administration portal without problems and it works properly.
The final configuration I have is an emulated *AD based on Samba 4* and the final configuration files are:
Good! So samba is not emulating active directory entirely :) But good to know it is working. Please also check out group membership.
ovirt-engine-extension-aaa-ldap.noarch 1.0.1-0.0.master.20141209141731.git0437701.el6
This fix for Samba AD will be released in 1.0.1.
*/etc/ovirt-engine/extensions.d/siee-local-authn.properties*:
ovirt.engine.extension.name = siee-local-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = siee
ovirt.engine.aaa.authn.authz.plugin = siee-local-authz
config.profile.file.1 = /etc/ovirt-engine/aaa/siee.properties
*/etc/ovirt-engine/extensions.d/siee-local-authz.properties*:
ovirt.engine.extension.name = siee-local-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/siee.properties
*/etc/ovirt-engine/aaa/siee.properties*:
include = <ad.properties>
#
# Active directory domain name.
#
vars.domain = siee.local

#
# Search user and its password.
#
vars.user = searcher@${global:vars.domain}
vars.password = xxxx

#
# Optional DNS servers, if enterprise
# DNS server cannot resolve the domain srvrecord.
#
#vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}

pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Uncomment if using custom DNS
#pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
#pool.default.socketfactory.resolver.uRL = ${global:vars.dns}

# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
#pool.default.ssl.truststore.password = changeit
You should enable SSL for production use... as you do not want passwords to be transmitted in clear. Not sure how you install ssl on the samba ldap... but once you do, follow the README instructions[1].
[1] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;...
*/etc/krb5.conf*:
You are not using Kerberos, so there is no reason to configure it for the setup to work.
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = SIEE.LOCAL
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = no
 default_tkt_enctypes = arcfour-hmac-md5
 udp_preference_limit = 1

#[realms]

#[domain_realm]
# .siee.local = SIEE.LOCAL
# siee.local = SIEE.LOCAL
Many thanks again to everybody,
Juanjo.
On Tue, Dec 9, 2014 at 5:31 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
----- Original Message -----
From: "Juan Jose" <jj197005@gmail.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>, "Yair Zaslavsky" <yzaslavs@redhat.com>
Sent: Tuesday, December 9, 2014 5:42:56 PM
Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
Hello Alon,
In my first e-mails I had already said that I have an emulation of AD based on Samba 4. I have tested the last version of the ovirt-engine-extension-aaa-ldap package and I think the problem is the same, although the error is "User is not authorized to perform this action".
I attach the engine.log.
USER_NOT_AUTHORIZED_TO_PERFORM_ACTION means the user is not a superuser or one that can manage objects, as far as I know.
I see siee0@siee.local is trying to log in, which is CN=siee0 siee0,CN=Users,DC=siee,DC=local
Login succeeds.
I do not see any groups it belongs to.
Are you sure you added this user role within the webadmin, or that the user belongs to groups that were added to the engine with such roles?
In case the new oVirt version 3.5 doesn't work with an AD emulation based on Samba 4, is it possible to do user authentication with an OpenLDAP directly with this 3.5 version? If so, could you give me the link to the documentation to configure OpenLDAP authentication?
Sure, just copy /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple recursively into /etc/ovirt-engine, then modify /etc/ovirt-engine/aaa/ldap1.properties to set vars.server, vars.user, vars.password.
Until 3.5.1 you should also edit /etc/ovirt-engine/extensions.d/domain1*.properties and replace ../aaa with /etc/ovirt-engine/aaa.
Many thanks in advance,
Juanjo.
On Tue, Dec 9, 2014 at 3:16 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
----- Original Message -----
From: "Alon Bar-Lev" <alonbl@redhat.com>
To: "Juan Jose" <jj197005@gmail.com>
Cc: "users" <users@ovirt.org>
Sent: Tuesday, December 9, 2014 3:59:33 PM
Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
We start over...
This is not active directory... it is samba.
Attribute(name=vendorName, values={'Samba Team (http://samba.org)'})
Only now I realized this; maybe you mentioned it earlier, not sure.
Of course this was never tested, so probably not working.
I see that samba does not return a list of extended operations. I will work around this and then we can see what else differs from active directory.
Can you please check out the following rpm[1]?
[1] http://jenkins.ovirt.org/job/ovirt-engine-extension-aaa-ldap_master_create-r...
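As an added example (not code from this thread or from the oVirt project), a small Python checker for aaa-ldap profile files in the format posted above: it expands the ${global:vars.X} references the way siee.properties uses them and reports the plaintext simple-bind condition Alon warns about when startTLS is left commented out. The property keys are those that appear in the posted profile; the sample profile itself is constructed.

```python
"""Added example, not from the thread: checks an oVirt aaa-ldap profile such as
/etc/ovirt-engine/aaa/siee.properties for a simple bind whose password would be
sent without startTLS. ${global:vars.X} references are expanded as the profile uses them."""
import re

GLOBAL_REF = re.compile(r"\$\{global:([^}]+)\}")

# Constructed sample mirroring the posted siee.properties (password redacted).
SAMPLE = """\
vars.domain = siee.local
vars.user = searcher@${global:vars.domain}
vars.password = xxxx
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
"""
# The same profile with the ssl lines uncommented, as the file's own comment says to do.
HARDENED = SAMPLE.replace("#pool.default.ssl.", "pool.default.ssl.")

def parse_profile(text):
    """Return key -> value with ${global:...} expanded. Comment lines are
    skipped, so '#pool.default.ssl.startTLS = true' counts as NOT enabled."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()

    def expand(value, depth=0):
        if depth > 8:  # guard against a profile that references itself
            return value
        return GLOBAL_REF.sub(
            lambda m: expand(props.get(m.group(1), m.group(0)), depth + 1), value)

    return {k: expand(v) for k, v in props.items()}

def bind_findings(props, pool="default"):
    """Reasons the pool's simple bind is weaker than it should be."""
    p = f"pool.{pool}."
    findings = []
    if p + "auth.simple.password" not in props:
        return findings  # no simple bind configured, nothing to protect
    if props.get(p + "ssl.startTLS", "false").lower() != "true":
        findings.append("simple bind without startTLS: bind password sent in clear")
    elif p + "ssl.truststore.file" not in props:
        findings.append("startTLS enabled but no truststore file set for the pool")
    return findings
```

Running `bind_findings(parse_profile(open("/etc/ovirt-engine/aaa/siee.properties").read()))` against the profile as posted reports the missing startTLS; against the uncommented version it returns an empty list.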