On 11 Jun 2018, at 11:26, Donny Davis <donny@fortnebula.com> wrote:
Try giving your user system permissions as a superuser and see if it goes away.
I wouldn't leave it like that, but it will help isolate your issue. I don't think you have an ldap issue... the log entry is telling you that user has no permissions>The user callum@Biomedical Research Computing is not authorized to perform login
On Mon, Jun 11, 2018 at 6:23 AM, Callum Smith <callum@well.ox.ac.uk> wrote:
Dear Donny,
No, though the user shows the permissions inherited from the Everyone group:<Screen Shot 2018-06-11 at 11.22.42.png>
Regards,Callum
--
Callum SmithResearch Computing Core
On 11 Jun 2018, at 11:21, Donny Davis <donny@fortnebula.com> wrote:
Just a shot in the dark, but after you setup ldap did you go in as the default admin and give an ldap account permissions?
On Mon, Jun 11, 2018 at 6:04 AM, Callum Smith <callum@well.ox.ac.uk> wrote:
Dear All,
Could this be as our LDAP is fairly short on attributes?
2018-06-11 11:00:52,856+01 INFO [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-5) [5dff9eb0] Running command: CreateUserSessionCommand internal: false. 2018-06-11 11:00:52,884+01 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLo gDirector] (default task-5) [5dff9eb0] EVENT_ID: USER_VDC_LOGIN_FAILED(114), User callum@Biomedical Research Computing connecting from '--ipaddr--' failed to log in<UNKNOWN>. 2018-06-11 11:00:52,884+01 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-5) [] The user callum@Biomedical Research Computing is not authorized to perform login
I note that a number of variables are included in this action, but which are required and which are optional is the question:
Regards,Callum
--
Callum SmithResearch Computing Core
On 11 Jun 2018, at 09:35, Callum Smith <callum@well.ox.ac.uk> wrote:
List Archives: https://lists.ovirt.org/archivWhat would be the next step to help solve this issue? All users authenticating through LDAP get "This user is not authorised to perform authentication".______________________________
Regards,Callum
--
Callum SmithResearch Computing Core
On 5 Jun 2018, at 11:42, Callum Smith <callum@well.ox.ac.uk> wrote:
Ok I spoke too soon, I have resolved the groups, but authentication still isn't working for LDAP users, same error as before (114).______________________________
Regards,Callum
--
Callum SmithResearch Computing Core
On 5 Jun 2018, at 10:14, Callum Smith <callum@well.ox.ac.uk> wrote:
Dear Ondra, all,______________________________
Managed to solve this once i got my head around the properties file. Conceptually the problem is that users are typically not a member of their primary group in a POSIX scenario, and their primary group is set by the gidNumber of the user's record, with additional group memberships specified by memberUid entries against a posixGroup entry.
search.rfc2307-resolve-groups-memberUid.search-request.filte r = &(objectClass=posixGroup)(|(me mberUid=${seq:_rfc2307_uid_enc oded})(gidNumber=${seq:_rfc230 7_gid_encoded}))
search.rfc2307-resolve-principal-uid.search-request.attribut es = uid, gidNumber
sequence.bmrc-resolve-groups.010.description = set dn sequence.bmrc-resolve-groups.010.type = var-set sequence.bmrc-resolve-groups.010.var-set.variable = _rfc2307_dn sequence.bmrc-resolve-groups.010.var-set.value = ${seq:dn} sequence.bmrc-resolve-groups.010.description = resolve uid sequence.bmrc-resolve-groups.020.type = fetch-record sequence.bmrc-resolve-groups.020.fetch-record.search = rfc2307-resolve-principal-uid sequence.bmrc-resolve-groups.020.fetch-record.map.uid.name = _rfc2307_uidsequence.bmrc-resolve-groups.030.description = resolve gid sequence.bmrc-resolve-groups.030.type = fetch-record sequence.bmrc-resolve-groups.030.fetch-record.search = rfc2307-resolve-principal-uid sequence.bmrc-resolve-groups.040.description = query groups sequence.bmrc-resolve-groups.040.type = search-open sequence.bmrc-resolve-groups.040.search-open.search = rfc2307-resolve-groups-memberU id sequence.bmrc-resolve-groups.040.search-open.variable = queryRFC2307ByMemberUid
sequence.rfc2307-resolve-groups.020.call.name = bmrc-resolve-groups
Regards,Callum
--
Callum SmithResearch Computing Core
On 4 Jun 2018, at 15:07, Callum Smith <callum@well.ox.ac.uk> wrote:
Dear Ondra,______________________________
I went for openldap-rfc2307 as that best describes our ldap setup. The issue seems to be that the gidNumber is set, but users are not a member of their primary group within the LDAP. So, user's gidNumber represents primary group and posixGroup membership (memberUid) represents their secondary groups. What's the best way to approach this (fix the filters on oVirt end or change the LDAP? This is a question of what is most compliant with standards really).
Regards,Callum
--
Callum SmithResearch Computing Core
On 29 May 2018, at 11:29, Ondra Machacek <omachace@redhat.com> wrote:
What's you LDAP and what profile did you choose? This looks like you have chosen incorect profile during setup. Are you sure you arent using posix group and using non-posix aaa profile? Sharing a debug log of ovirt-engine-extensions-tool would be helpfull.
On Fri, May 25, 2018, 10:04 AM Callum Smith <callum@well.ox.ac.uk> wrote:
Dear All,______________________________
I'm having problems getting LDAP running, login works, but I'm getting "user is not authorised to perform login" - this is even if i specify the UserRole specifically to the LDAP group the user is in.
2018-05-25 08:56:16,212+01 INFO [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-23) [] User callum@Biomedical Research Computing successfully logged in with scopes: ovirt-app-admin ovirt-app-api ovirt-app-portal ovirt-ext=auth:sequence-priori ty=~ ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-sea rch ovirt-ext=token-info:public-au thz-search ovirt-ext=token-info:validate ovirt-ext=token:password-acces s 2018-05-25 08:56:16,391+01 INFO [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-25) [63e60fe9] Running command: CreateUserSessionCommand internal: false. 2018-05-25 08:56:16,430+01 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLo gDirector] (default task-25) [63e60fe9] EVENT_ID: USER_VDC_LOGIN_FAILED(114), User callum@Biomedical Research Computing connecting from '192.168.65.254' failed to log in<UNKNOWN>. 2018-05-25 08:56:16,430+01 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-25) [] The user callum@Biomedical Research Computing is not authorized to perform login
on a side note: is it possible to assign permissions to all members of an LDAP tree where they dont have a common group membership?
Regards,Callum
--
Callum SmithResearch Computing Core
_________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
_________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/messag e/NAEUHLW3YMYAP6L44RRS5MCLRU2O TXPZ/
_________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/messag e/2WR4PGLW4Z4PM2UOVN4YZUJHSBRY VMOJ/
_________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/messag e/O7DLMLFEBHLNCE2VCCCNNOXXGGER KAKZ/
_________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
es/list/users@ovirt.org/messag e/BNZ5KRXOYYRFZCQIQQU6IJVDNNBD VZSF/
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/messag e/EOWAPL6ZQE63S3732NQRH5YVJC26 CQDR/