On Thu, Mar 9, 2017 at 2:22 PM, Richard Neuboeck <hawk@tbi.univie.ac.at> wrote:
Hi,

I seem to experience the same problem right now and am at a bit of a
loss as to where to dig for some more troubleshooting information. I
would highly appreciate some help.

Here is what I have and what I did:

ovirt-engine-4.1.0.4-1.el7.centos.noarch
ovirt-engine-extension-aaa-ldap-1.3.0-1.el7.noarch

I executed ovirt-engine-extension-aaa-ldap-setup. My LDAP provider
is 389ds (FreeIPA).

So what's your provider, 389ds or FreeIPA?

Note that both use different unique IDs. IPA is using 'ipaUniqueID',
and 389ds is using 'nsuniqueid'. Did you try both?
 
I can successfully run a search and also login
from the setup script.

After running the setup I rebooted the Engine VM to make sure
everything is restarted.

In the web UI configuration for 'System Permissions' I'm able to
find users from LDAP but when I try to 'Add' a selected user the UI
shows me this error: 'User admin@internal-authz failed to grant
permission for Role SuperUser on System to User/Group <UNKNOWN>.'.

In the engine.log the following lines are generated:
2017-03-09 14:02:49,308+01 INFO
[org.ovirt.engine.core.bll.AddSystemPermissionCommand]
(org.ovirt.thread.pool-6-thread-4)
[1ebae5e0-e5f6-49ba-ac80-95266c582893] Running command:
AddSystemPermissionCommand internal: false. Entities affected :  ID:
aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group
MANIPULATE_PERMISSIONS with role type USER,  ID:
aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group
ADD_USERS_AND_GROUPS_FROM_DIRECTORY with role type USER
2017-03-09 14:02:49,319+01 ERROR
[org.ovirt.engine.core.bll.AddSystemPermissionCommand]
(org.ovirt.thread.pool-6-thread-4)
[1ebae5e0-e5f6-49ba-ac80-95266c582893] Transaction rolled-back for
command 'org.ovirt.engine.core.bll.AddSystemPermissionCommand'.
2017-03-09 14:02:49,328+01 ERROR
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(org.ovirt.thread.pool-6-thread-4)
[1ebae5e0-e5f6-49ba-ac80-95266c582893] EVENT_ID:
USER_ADD_SYSTEM_PERMISSION_FAILED(867), Correlation ID:
1ebae5e0-e5f6-49ba-ac80-95266c582893, Call Stack: null, Custom Event
ID: -1, Message: User admin@internal-authz failed to grant
permission for Role SuperUser on System to User/Group <UNKNOWN>.


So far I've re-run the ldap-setup routine. I made sure all newly
generated files in /etc/ovirt-engine/[aaa|extensions.d] are owned by
ovirt:ovirt (instead of root) and have 0600 as permission (instead
of 0644). That didn't change anything.

I've also found an older bug report but for oVirt 3.5
https://bugzilla.redhat.com/show_bug.cgi?id=1121954
That didn't reveal anything new either.

Any ideas what I could try next?

Thanks!
Cheers
Richard




On 10/06/2016 04:36 PM, Ondra Machacek wrote:
> On 10/06/2016 01:47 PM, Michael Burch wrote:
>> I'm using the latest ovirt on CentOS7 with the aaa-ldap extension.
>> I can
>> successfully authenticate as an LDAP user. I can also login as
>> admin@internal and search for, find, and select LDAP users but I
>> cannot
>> add permissions for them. Each time I get the error "User
>> admin@internal-authz failed to grant permission for Role UserRole on
>> System to User/Group <UNKNOWN>."
>
> This error usually means bad unique attribute used.
>
>>
>>
>> I have no control over the LDAP server, which uses custom
>> objectClasses
>> and uses groupOfNames instead of PosixGroups. I assume I need to set
>> sequence variables to accommodate our group configuration but I'm
>> at a
>> loss as to where to begin. the The config I have is as follows:
>>
>>
>> include = <rfc2307-generic.properties>
>>
>> vars.server = labauth.lan.lab.org
>>
>> pool.authz.auth.type = none
>> pool.default.serverset.type = single
>> pool.default.serverset.single.server = ${global:vars.server}
>> pool.default.ssl.startTLS = true
>> pool.default.ssl.insecure = true
>>
>> pool.default.connection-options.connectTimeoutMillis = 10000
>> pool.default.connection-options.responseTimeoutMillis = 90000
>> sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
>> sequence.my-basedn-init-vars.010.description = set baseDN
>> sequence.my-basedn-init-vars.010.type = var-set
>> sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
>> sequence.my-basedn-init-vars.010.var-set.value = o=LANLAB
>>
>> sequence-init.init.101-my-objectclass-init-vars =
>> my-objectclass-init-vars
>> sequence.my-objectclass-init-vars.020.description = set objectClass
>> sequence.my-objectclass-init-vars.020.type = var-set
>> sequence.my-objectclass-init-vars.020.var-set.variable =
>> simple_filterUserObject
>> sequence.my-objectclass-init-vars.020.var-set.value =
>> (objectClass=labPerson)(uid=*)
>>
>> search.default.search-request.derefPolicy = NEVER
>>
>> sequence-init.init.900-local-init-vars = local-init-vars
>> sequence.local-init-vars.010.description = override name space
>> sequence.local-init-vars.010.type = var-set
>> sequence.local-init-vars.010.var-set.variable =
>> simple_namespaceDefault
>> sequence.local-init-vars.010.var-set.value = *
>
> What's this^ for? I think it's unusable.
>
>>
>> sequence.local-init-vars.020.description = apply filter to users
>> sequence.local-init-vars.020.type = var-set
>> sequence.local-init-vars.020.var-set.variable =
>> simple_filterUserObject
>> sequence.local-init-vars.020.var-set.value =
>> ${seq:simple_filterUserObject}(employeeStatus=3)
>>
>> sequence.local-init-vars.030.description = apply filter to groups
>> sequence.local-init-vars.030.type = var-set
>> sequence.local-init-vars.030.var-set.variable =
>> simple_filterGroupObject
>> sequence.local-init-vars.030.var-set.value =
>> (objectClass=groupOfUniqueNames)
>
> This looks like a hard to maintain file. I would suggest you insert
> into this file just the following:
>
>  include = <rfc2307-mycustom.properties>
>
>  vars.server = labauth.lan.lab.org
>
>  pool.authz.auth.type = none
>  pool.default.serverset.type = single
>  pool.default.serverset.single.server = ${global:vars.server}
>  pool.default.ssl.startTLS = true
>  pool.default.ssl.insecure = true
>
>  pool.default.connection-options.connectTimeoutMillis = 10000
>  pool.default.connection-options.responseTimeoutMillis = 90000
>
>  # Set custom base DN
>  sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
>  sequence.my-basedn-init-vars.010.description = set baseDN
>  sequence.my-basedn-init-vars.010.type = var-set
>  sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
>  sequence.my-basedn-init-vars.010.var-set.value = o=LANLAB
>
> And then create in directory
> '/usr/share/ovirt-engine-extension-aaa-ldap/profiles/' file
> 'rfc2307-mycustom.properties' with content:
>
> include = <rfc2307.properties>
>
> sequence-init.init.100-rfc2307-mycustom-init-vars =
> rfc2307-mycustom-init-vars
> sequence.rfc2307-mycustom-init-vars.010.description = set unique attr
> sequence.rfc2307-mycustom-init-vars.010.type = var-set
> sequence.rfc2307-mycustom-init-vars.010.var-set.variable =
> rfc2307_attrsUniqueId
> sequence.rfc2307-mycustom-init-vars.010.var-set.value = FIND_THIS_ONE
>
> sequence.rfc2307-mycustom-init-vars.020.type = var-set
> sequence.rfc2307-mycustom-init-vars.020.var-set.variable =
> simple_filterUserObject
> sequence.rfc2307-mycustom-init-vars.020.var-set.value =
> (objectClass=labPerson)(employeeStatus=3)(${seq:simple_attrsUserName}=*)
>
>
>
> Replace FIND_THIS_ONE with the unique attribute of labPerson (I
> guess). It can be an extended attribute (+, ++).
>
>  $ LDAPTLS_REQCERT=never ldapsearch -ZZ -x -b 'o=LANLAB' -H
> ldap://labauth.lan.lab.org 'objectClass=labPerson'
>
>  maybe (or even with two +):
> $ LDAPTLS_REQCERT=never ldapsearch -ZZ -x -b 'o=LANLAB' -H
> ldap://labauth.lan.lab.org 'objectClass=labPerson' +
>
> The question is if even your implementation has unique attribute, does
> it?
>
> Also may you share what's your LDAP provider? And maybe if you share
> content of some user it would help as well.
>
>> _______________________________________________
>> Users mailing list
>> Users@ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users


--
/dev/null
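One way to check which unique attribute a directory actually exposes before editing the profile, as an added example that is not part of this thread: it parses constructed `ldapsearch ... '+'` output, picks the first of ipaUniqueID / nsuniqueid / entryUUID (entryUUID is an assumed extra candidate) that every user entry carries with a distinct value, and emits the rfc2307_attrsUniqueId var-set lines Ondra describes. An attribute missing on some users is rejected, which is the situation that surfaces as 'User/Group <UNKNOWN>' in the engine.

```python
# Added example (not from the thread): choose the value for rfc2307_attrsUniqueId
# from the LDIF that `ldapsearch ... '+'` prints. Candidate names follow the
# thread (ipaUniqueID for FreeIPA, nsuniqueid for 389ds); entryUUID is an
# assumed extra candidate. The sample LDIF below is constructed.
CANDIDATES = ("ipaUniqueID", "nsuniqueid", "entryUUID")

SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
ipaUniqueID: 1d0a7f2e-0000-4000-8000-000000000001

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
ipaUniqueID: 1d0a7f2e-0000-4000-8000-000000000002
"""

def parse_ldif(text):
    """Entries as dict attr(lowercased) -> [values]; blank line ends an entry."""
    entries, current, last_key = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw == "":
            if current:
                entries.append(current)
            current, last_key = {}, None
        elif raw.startswith(" ") and last_key:      # folded continuation line
            current[last_key][-1] += raw[1:]
        elif not raw.startswith("#"):
            key, _, value = raw.partition(":")
            last_key = key.strip().lower()
            current.setdefault(last_key, []).append(value.strip())
    return entries

def choose_unique_attr(entries, candidates=CANDIDATES):
    """First candidate present exactly once on every entry with distinct values."""
    if not entries:
        return None
    for attr in candidates:
        vals = [e.get(attr.lower(), []) for e in entries]
        if all(len(v) == 1 for v in vals) and len({v[0] for v in vals}) == len(vals):
            return attr
    return None                      # nothing usable: expect <UNKNOWN> in the UI

def override_snippet(attr):
    """The var-set lines for rfc2307-mycustom.properties shown in the thread."""
    p = "sequence.rfc2307-mycustom-init-vars.010."
    return (f"{p}type = var-set\n{p}var-set.variable = rfc2307_attrsUniqueId\n"
            f"{p}var-set.value = {attr}\n")
```

Feed real `ldapsearch -x -b <base> -H <url> '(objectClass=...)' '+'` output to `parse_ldif` instead of the sample to test a live directory.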