
Hello, I am stuck configuring ovirt-engine-extension-aaa-ldap with AD for oVirt 3.5.4. I am following the [readme.md] and so far it was quite straightforward:
include = <ad.properties>

#
# Active directory domain name.
#
vars.domain = int.corp.de

#
# Search user and its password.
#
vars.user = bind@${global:vars.domain}
vars.password = [redacted]

#
# Optional DNS servers, if enterprise
# DNS server cannot resolve the domain srvrecord.
#
#vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}

pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Uncomment if using custom DNS
#pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
#pool.default.socketfactory.resolver.uRL = ${global:vars.dns}

# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
#pool.default.ssl.truststore.password = changeit
The config seems to work; at least the domain and bindDN part. I can browse and add users to oVirt as suggested in step (3). All quotes are from engine.log:
2015-09-11 11:54:50,261 INFO [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-8-thread-24) [73bff0e9] Running command: AddSystemPermissionCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group MANIPULATE_PERMISSIONS with role type USER, ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group ADD_USERS_AND_GROUPS_FROM_DIRECTORY with role type USER
2015-09-11 11:54:50,268 INFO [org.ovirt.engine.core.bll.aaa.AddUserCommand] (org.ovirt.thread.pool-8-thread-24) [21867e72] Running command: AddUserCommand internal: true. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group MANIPULATE_USERS with role type ADMIN
2015-09-11 11:54:50,301 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-8-thread-24) [21867e72] Correlation ID: 21867e72, Call Stack: null, Custom Event ID: -1, Message: User 'Administrator' was added successfully to the system.
2015-09-11 11:54:50,379 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-8-thread-24) [21867e72] Correlation ID: 73bff0e9, Call Stack: null, Custom Event ID: -1, Message: User/Group Administrator was granted permission for Role SuperUser on System by admin@internal.
Yet, when logging in as the user administrator I get:
{Extkey[name=EXTENSION_INVOKE_RESULT;type=class java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2, Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=No search for principal 'administrator@int.corp.com'}
Followed by a Java stack trace. I did not find any configurable search path. The config seems to load:
2015-09-11 12:01:34,897 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Loading extension 'builtin-authn-internal'
2015-09-11 12:01:34,903 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Extension 'builtin-authn-internal' loaded
2015-09-11 12:01:34,905 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Loading extension 'internal'
2015-09-11 12:01:34,907 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Extension 'internal' loaded
2015-09-11 12:01:34,919 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Loading extension 'corp-authn'
2015-09-11 12:01:34,967 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Extension 'corp-authn' loaded
2015-09-11 12:01:34,971 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Loading extension 'corp-authz'
2015-09-11 12:01:34,981 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Extension 'corp-authz' loaded
2015-09-11 12:01:34,982 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Initializing extension 'corp-authn'
2015-09-11 12:01:34,983 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-2) [ovirt-engine-extension-aaa-ldap.authn::corp-authn] Creating LDAP pool 'authz'
2015-09-11 12:01:35,120 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-2) [ovirt-engine-extension-aaa-ldap.authn::corp-authn] Creating LDAP pool 'authn'
2015-09-11 12:01:35,159 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Extension 'corp-authn' initialized
2015-09-11 12:01:35,160 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Initializing extension 'builtin-authn-internal'
2015-09-11 12:01:35,161 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Extension 'builtin-authn-internal' initialized
2015-09-11 12:01:35,162 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Initializing extension 'corp-authz'
2015-09-11 12:01:35,162 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-2) [ovirt-engine-extension-aaa-ldap.authz::corp-authz] Creating LDAP pool 'authz'
2015-09-11 12:01:35,185 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-2) [ovirt-engine-extension-aaa-ldap.authz::corp-authz] Creating LDAP pool 'gc'
2015-09-11 12:01:35,222 INFO [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread 1-2) [ovirt-engine-extension-aaa-ldap.authz::corp-authz] Available Namespaces: [DC=int,DC=corp,DC=de]
2015-09-11 12:01:35,223 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Extension 'corp-authz' initialized
2015-09-11 12:01:35,224 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Initializing extension 'internal'
2015-09-11 12:01:35,224 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Extension 'internal' initialized
2015-09-11 12:01:35,225 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Start of enabled extensions list
2015-09-11 12:01:35,225 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Instance name: 'corp-authn', Extension name: 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.0.2', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.0.2-1.el7', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/corp-authn.properties', Initialized: 'true'
2015-09-11 12:01:35,227 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Instance name: 'builtin-authn-internal', Extension name: 'Internal Authn (Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: 'N/A', Initialized: 'true'
2015-09-11 12:01:35,228 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Instance name: 'corp-authz', Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.0.2', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.0.2-1.el7', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/corp-authz.properties', Initialized: 'true'
2015-09-11 12:01:35,230 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Instance name: 'internal', Extension name: 'Internal Authz (Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: 'N/A', Initialized: 'true'
2015-09-11 12:01:35,231 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) End of enabled extensions list
Versions: oVirt engine 3.5.4; AD: Windows Server 2012 R2

Please let me know if you need further logs.

Thanks,

[readme.md] https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/blob/master/README

--
Daniel Helgenberger
m box bewegtbild GmbH

P: +49/30/2408781-22
F: +49/30/2408781-10

ACKERSTR. 19
D-10115 BERLIN

www.m-box.de
www.monkeymen.tv

Managing directors: Martin Retschitzegger / Michaela Göllner
Commercial register: Amtsgericht Charlottenburg / HRB 112767
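The profile quoted in the post mixes `${global:...}` references with commented-out TLS keys, so the values the extension actually ends up with are not obvious from reading it. The script below is an added example and not code from the post or from ovirt-engine-extension-aaa-ldap: it parses a constructed copy of the posted profile, expands `${global:key}` and `${local:_basedir}` references (a simplified reading of the extension's variable syntax, assumed here rather than taken from its source; the `/etc/ovirt-engine/aaa` base directory is likewise an assumption), and then runs two checks a practitioner would want before digging into the stack trace: whether the UPN suffix of the principal named in the engine.log excerpt (`administrator@int.corp.com`) matches `vars.domain` (`int.corp.de`), and whether a simple-bind password is configured while `pool.default.ssl.startTLS` is still commented out. The suffix check only reports the mismatch that is visible in the post; the post does not establish whether that mismatch is the cause of the error.

```python
import re

# Constructed copy of the profile from the post above (password replaced by a
# placeholder, commented-out keys kept commented so the audit can notice them).
SAMPLE_PROFILE = """\
include = <ad.properties>

# Active directory domain name.
vars.domain = int.corp.de

# Search user and its password.
vars.user = bind@${global:vars.domain}
vars.password = REDACTED

pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Create keystore, import certificate chain and uncomment if using ssl/tls.
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
#pool.default.ssl.truststore.password = changeit
"""

# Assumed reference syntax: ${global:key} looks up another profile key,
# ${local:_basedir} is the directory the profile lives in.
REF = re.compile(r"\$\{(global|local):([^}]+)\}")


def parse_profile(text):
    """Return (includes, props) from Java-properties-style text.
    `include = <name>` lines are collected separately: the real extension
    resolves them against its bundled profile directory, which this example
    does not ship, so their contents are not merged here."""
    includes, props = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "include":
            includes.append(value.strip("<>"))
        else:
            props[key] = value
    return includes, props


def resolve(props, basedir):
    """Expand references until a fixpoint (a reference may point at another
    reference). Unknown references are left in place so audit() can flag them."""
    local = {"_basedir": basedir}
    resolved = dict(props)

    def lookup(match):
        namespace, key = match.group(1), match.group(2)
        table = resolved if namespace == "global" else local
        return table.get(key, match.group(0))

    for _ in range(10):  # bound the loop; a cycle would otherwise never settle
        updated = {k: REF.sub(lookup, v) for k, v in resolved.items()}
        if updated == resolved:
            break
        resolved = updated
    return resolved


def principal_matches_domain(principal, domain):
    """True if the part after '@' in `principal` equals `domain`, ignoring case."""
    _user, sep, suffix = principal.rpartition("@")
    return bool(sep) and suffix.lower() == domain.lower()


def audit(resolved):
    """Settings a reviewer would question before putting the profile into service."""
    findings = []
    for key, value in resolved.items():
        if REF.search(value):
            findings.append(f"{key}: unresolved reference in '{value}'")
    # Only the keys that appear in the posted profile are checked here.
    if ("pool.default.auth.simple.bindDN" in resolved
            and resolved.get("pool.default.ssl.startTLS", "").lower() != "true"):
        findings.append("pool.default.auth.simple.bindDN is set but "
                        "pool.default.ssl.startTLS is not 'true': the simple bind "
                        "password goes over the wire in clear text unless TLS is "
                        "enabled another way")
    if resolved.get("pool.default.ssl.truststore.password") == "changeit":
        findings.append("truststore password is the JDK default 'changeit'")
    return findings


if __name__ == "__main__":
    includes, props = parse_profile(SAMPLE_PROFILE)
    effective = resolve(props, basedir="/etc/ovirt-engine/aaa")  # assumed path
    print("includes:", includes)
    for key in sorted(effective):
        print(f"{key} = {'***' if 'password' in key.lower() else effective[key]}")
    login = "administrator@int.corp.com"  # principal from the engine.log excerpt
    print(f"{login} matches vars.domain:",
          principal_matches_domain(login, effective["vars.domain"]))
    for finding in audit(effective):
        print("WARN:", finding)
```

Running it prints the expanded bindDN and SRV domain, reports that the login suffix does not match `vars.domain`, and warns that the simple bind runs without startTLS, which is the first thing to fix once authentication works, since the bind account's password otherwise leaves the engine host unencrypted.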