Hi!
Thank you for the information. For some reason the administrator user cannot be resolved
to userPrincipalName during login; is this specific to Administrator, or does it happen for any user?
Can you please attach the extension configuration for both authn and authz as well?
I will also need a debug log at ALL level, see [1] for instructions.
Thanks!
Alon
[1]
From: "Daniel Helgenberger"
<daniel.helgenberger(a)m-box.de>
To: Users(a)ovirt.org
Sent: Friday, September 11, 2015 1:28:10 PM
Subject: [ovirt-users] Extension aaa: No search for principal
Hello,
I am stuck configuring ovirt-engine-extension-aaa-ldap with AD for
oVirt 3.5.4. I am following the [readme.md] and so far it was quite
straightforward:
> include = <ad.properties>
>
> #
> # Active directory domain name.
> #
> vars.domain = int.corp.de
>
> #
> # Search user and its password.
> #
> vars.user = bind@${global:vars.domain}
> vars.password = [redacted]
>
> #
> # Optional DNS servers, if enterprise
> # DNS server cannot resolve the domain srvrecord.
> #
> #vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}
>
> pool.default.serverset.type = srvrecord
> pool.default.serverset.srvrecord.domain = ${global:vars.domain}
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
>
> # Uncomment if using custom DNS
> #pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
> #pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
>
> # Create keystore, import certificate chain and uncomment
> # if using ssl/tls.
> #pool.default.ssl.startTLS = true
> #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
> #pool.default.ssl.truststore.password = changeit
The config seems to work; at least the domain and binddn part. I can
browse and add users to ovirt as suggested in step (3). All quotes are
from engine.log:
> 2015-09-11 11:54:50,261 INFO
> [org.ovirt.engine.core.bll.AddSystemPermissionCommand]
> (org.ovirt.thread.pool-8-thread-24) [73bff0e9] Running command:
> AddSystemPermissionCommand internal: false. Entities affected : ID:
> aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group
> MANIPULATE_PERMISSIONS with role type USER, ID:
> aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group
> ADD_USERS_AND_GROUPS_FROM_DIRECTORY with role type USER
> 2015-09-11 11:54:50,268 INFO
> [org.ovirt.engine.core.bll.aaa.AddUserCommand]
> (org.ovirt.thread.pool-8-thread-24) [21867e72] Running command:
> AddUserCommand internal: true. Entities affected : ID:
> aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group
> MANIPULATE_USERS with role type ADMIN
> 2015-09-11 11:54:50,301 INFO
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (org.ovirt.thread.pool-8-thread-24) [21867e72] Correlation ID: 21867e72,
> Call Stack: null, Custom Event ID: -1, Message: User 'Administrator' was
> added successfully to the system.
> 2015-09-11 11:54:50,379 INFO
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (org.ovirt.thread.pool-8-thread-24) [21867e72] Correlation ID: 73bff0e9,
> Call Stack: null, Custom Event ID: -1, Message: User/Group Administrator
> was granted permission for Role SuperUser on System by admin@internal.
Yet, when logging in as the user administrator I get:
> {Extkey[name=EXTENSION_INVOKE_RESULT;type=class java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2,
> Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=No search for principal 'administrator@int.corp.com'}
Followed by a java stack trace.
I did not find any configurable search path.
The config seems to load:
> 2015-09-11 12:01:34,897 INFO
> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
> thread 1-2) Loading extension 'builtin-authn-internal'
> 2015-09-11 12:01:34,903 INFO
> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
> thread 1-2) Extension 'builtin-authn-internal' loaded
> 2015-09-11 12:01:34,905 INFO
> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
> thread 1-2) Loading extension 'internal'
> 2015-09-11 12:01:34,907 INFO
> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
> thread 1-2) Extension 'internal' loaded
> 2015-09-11 12:01:34,919 INFO
> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
> thread 1-2) Loading extension 'corp-authn'
> 2015-09-11 12:01:34,967 INFO
> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
> thread 1-2) Extension 'corp-authn' loaded
> 2015-09-11 12:01:34,971 INFO
> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
> thread 1-2) Loading extension 'corp-authz'
> 2015-09-11 12:01:34,981 INFO
> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
> thread 1-2) Extension 'corp-authz' loaded
> 2015-09-11 12:01:34,982 INFO
> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
> thread 1-2) Initializing extension 'corp-authn'
> 2015-09-11 12:01:34,983 INFO
> [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-2)
> [ovirt-engine-extension-aaa-ldap.authn::corp-authn] Creating LDAP pool
> 'authz'
> 2015-09-11 12:01:35,120 INFO
> [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-2)
> [ovirt-engine-extension-aaa-ldap.authn::corp-authn] Creating LDAP pool
> 'authn'
> 2015-09-11 12:01:35,159 INFO
> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
> thread 1-2) Extension 'corp-authn' initialized
> 2015-09-11 12:01:35,160 INFO
> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
> thread 1-2) Initializing extension 'builtin-authn-internal'
> 2015-09-11 12:01:35,161 INFO
> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
> thread 1-2) Extension 'builtin-authn-internal' initialized
> 2015-09-11 12:01:35,162 INFO
> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
> thread 1-2) Initializing extension 'corp-authz'
> 2015-09-11 12:01:35,162 INFO
> [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-2)
> [ovirt-engine-extension-aaa-ldap.authz::corp-authz] Creating LDAP pool
> 'authz'
> 2015-09-11 12:01:35,185 INFO
> [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-2)
> [ovirt-engine-extension-aaa-ldap.authz::corp-authz] Creating LDAP pool
> 'gc'
> 2015-09-11 12:01:35,222 INFO
> [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread
> 1-2) [ovirt-engine-extension-aaa-ldap.authz::corp-authz] Available
> Namespaces: [DC=int,DC=corp,DC=de]
> 2015-09-11 12:01:35,223 INFO
> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
> thread 1-2) Extension 'corp-authz' initialized
> 2015-09-11 12:01:35,224 INFO
> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
> thread 1-2) Initializing extension 'internal'
> 2015-09-11 12:01:35,224 INFO
> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
> thread 1-2) Extension 'internal' initialized
> 2015-09-11 12:01:35,225 INFO
> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
> thread 1-2) Start of enabled extensions list
> 2015-09-11 12:01:35,225 INFO
> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
> thread 1-2) Instance name: 'corp-authn', Extension name:
> 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.0.2', Notes: 'Display
> name: ovirt-engine-extension-aaa-ldap-1.0.2-1.el7', License: 'ASL 2.0',
> Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface
> Version: '0', File:
> '/etc/ovirt-engine/extensions.d/corp-authn.properties', Initialized:
> 'true'
> 2015-09-11 12:01:35,227 INFO
> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
> thread 1-2) Instance name: 'builtin-authn-internal', Extension name:
> 'Internal Authn (Built-in)', Version: 'N/A', Notes: '', License: 'ASL
> 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build
> interface Version: '0', File: 'N/A', Initialized: 'true'
> 2015-09-11 12:01:35,228 INFO
> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
> thread 1-2) Instance name: 'corp-authz', Extension name:
> 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.0.2', Notes: 'Display
> name: ovirt-engine-extension-aaa-ldap-1.0.2-1.el7', License: 'ASL 2.0',
> Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface
> Version: '0', File:
> '/etc/ovirt-engine/extensions.d/corp-authz.properties', Initialized:
> 'true'
> 2015-09-11 12:01:35,230 INFO
> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
> thread 1-2) Instance name: 'internal', Extension name: 'Internal Authz
> (Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home:
> 'http://www.ovirt.org', Author 'The oVirt Project', Build interface
> Version: '0', File: 'N/A', Initialized: 'true'
> 2015-09-11 12:01:35,231 INFO
> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
> thread 1-2) End of enabled extensions list
Versions:
ovirt engine 3.5.4
AD: Windows Server 2012r2
Please let me know if you need further logs.
Thanks,
[readme.md]
https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/blob/master/README
--
Daniel Helgenberger
m box bewegtbild GmbH
P: +49/30/2408781-22
F: +49/30/2408781-10
ACKERSTR. 19
D-10115 BERLIN
www.m-box.de www.monkeymen.tv
Managing Directors: Martin Retschitzegger / Michaela Göllner
Commercial register: Amtsgericht Charlottenburg / HRB 112767
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
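Added example (not code from the oVirt project or from either participant above): a small checker for an aaa-ldap profile like the one Daniel posted. It parses the properties, expands the ${global:...} references the file uses, and reports the two things a reviewer would want to see before chasing the login failure: whether simple-bind credentials go over plain LDAP because the pool.default.ssl.* lines are still commented out, and whether a login principal's realm matches vars.domain. The sample input reuses the posted config (secrets redacted) and the principal string from the error message. Assumptions: the variable expansion is a minimal model, not the extension's own parser; the key pool.default.ssl.enable (LDAPS) is taken from the extension README and is not on this page; the realm check is a plausibility test, not the extension's documented resolution algorithm.

```python
"""Checker for an ovirt-engine-extension-aaa-ldap AD profile.

Added illustration only: it models the visible property names and a
minimal ${global:key} expansion, not the real extension parser.
"""
import re
from typing import Dict, List

# Constructed sample: the config from the post, secrets redacted, unchanged otherwise.
POSTED_CONFIG = """\
include = <ad.properties>
vars.domain = int.corp.de
vars.user = bind@${global:vars.domain}
vars.password = [redacted]
#vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
#pool.default.ssl.truststore.password = changeit
"""

VAR_RE = re.compile(r"\$\{global:([^}]+)\}")


def parse_properties(text: str) -> Dict[str, str]:
    """'key = value' lines; lines starting with '#' are comments and are dropped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def resolve(props: Dict[str, str]) -> Dict[str, str]:
    """Expand ${global:key} references; a few passes cover nested references.

    ${local:...} references are left as-is (assumption: only global vars modelled).
    """
    out = dict(props)
    for _ in range(5):
        changed = False
        for key, value in list(out.items()):
            new = VAR_RE.sub(lambda m: out.get(m.group(1), m.group(0)), value)
            if new != value:
                out[key] = new
                changed = True
        if not changed:
            break
    return out


def realm_of(principal: str) -> str:
    """Realm part of user@realm, lower-cased; empty string when there is none."""
    return principal.rpartition("@")[2].lower() if "@" in principal else ""


def check_profile(text: str, login_principal: str) -> List[str]:
    """Return human-readable findings for the profile and a login principal."""
    props = resolve(parse_properties(text))
    findings: List[str] = []
    domain = props.get("vars.domain", "").lower()

    # 1. Transport: simple bind without StartTLS (or LDAPS via
    #    pool.default.ssl.enable, key assumed from the README) sends
    #    pool.default.auth.simple.password in clear over port 389.
    simple_bind = "pool.default.auth.simple.bindDN" in props
    tls = (props.get("pool.default.ssl.startTLS", "").lower() == "true"
           or props.get("pool.default.ssl.enable", "").lower() == "true")
    if simple_bind and not tls:
        findings.append("simple bind over plaintext LDAP: the bind password is sent in clear")
    if tls and not props.get("pool.default.ssl.truststore.file"):
        findings.append("TLS enabled without pool.default.ssl.truststore.file: "
                        "the AD certificate chain is not pinned")

    # 2. The bind account should be a UPN in the configured domain.
    bind_dn = props.get("pool.default.auth.simple.bindDN", "")
    if simple_bind and realm_of(bind_dn) != domain:
        findings.append(f"bindDN {bind_dn!r} is not a UPN under vars.domain {domain!r}")

    # 3. Plausibility: a login principal carrying a different realm than
    #    vars.domain cannot be looked up as a userPrincipalName in that domain.
    realm = realm_of(login_principal)
    if realm and realm != domain:
        findings.append(f"login principal realm {realm!r} does not match vars.domain {domain!r}")
    return findings


if __name__ == "__main__":
    for finding in check_profile(POSTED_CONFIG, "administrator@int.corp.com"):
        print("-", finding)
```

Run against the posted profile it reports the plaintext simple bind and the realm mismatch between the principal in the error message and vars.domain; with the startTLS and truststore lines uncommented and a principal under int.corp.de it reports nothing.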