Hello,
I am stuck configuring ovirt-engine-extension-aaa-ldap with AD for
ovirt 3.5.4. I am following the [readme.md] and so far it was quite
straightforward:
include = <ad.properties>
#
# Active directory domain name.
#
vars.domain = int.corp.de
#
# Search user and its password.
#
vars.user = bind@${global:vars.domain}
vars.password = [redacted]
#
# Optional DNS servers, if enterprise
# DNS server cannot resolve the domain srvrecord.
#
#vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
# Uncomment if using custom DNS
#pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
#pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
#pool.default.ssl.truststore.password = changeit
The config seems to work; at least the domain and binddn part. I can
browse and add users to ovirt as suggested in step (3). All quotes are
from engine.log:
2015-09-11 11:54:50,261 INFO [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-8-thread-24) [73bff0e9] Running command: AddSystemPermissionCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group MANIPULATE_PERMISSIONS with role type USER, ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group ADD_USERS_AND_GROUPS_FROM_DIRECTORY with role type USER
2015-09-11 11:54:50,268 INFO [org.ovirt.engine.core.bll.aaa.AddUserCommand] (org.ovirt.thread.pool-8-thread-24) [21867e72] Running command: AddUserCommand internal: true. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group MANIPULATE_USERS with role type ADMIN
2015-09-11 11:54:50,301 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-8-thread-24) [21867e72] Correlation ID: 21867e72, Call Stack: null, Custom Event ID: -1, Message: User 'Administrator' was added successfully to the system.
2015-09-11 11:54:50,379 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-8-thread-24) [21867e72] Correlation ID: 73bff0e9, Call Stack: null, Custom Event ID: -1, Message: User/Group Administrator was granted permission for Role SuperUser on System by admin@internal.
Yet, when logging in as the user administrator I get:
{Extkey[name=EXTENSION_INVOKE_RESULT;type=class java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2, Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=No search for principal 'administrator(a)int.corp.com'}
Followed by a Java stack trace.
I did not find any configurable search path.
The config seems to load:
2015-09-11 12:01:34,897 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Loading extension 'builtin-authn-internal'
2015-09-11 12:01:34,903 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Extension 'builtin-authn-internal' loaded
2015-09-11 12:01:34,905 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Loading extension 'internal'
2015-09-11 12:01:34,907 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Extension 'internal' loaded
2015-09-11 12:01:34,919 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Loading extension 'corp-authn'
2015-09-11 12:01:34,967 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Extension 'corp-authn' loaded
2015-09-11 12:01:34,971 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Loading extension 'corp-authz'
2015-09-11 12:01:34,981 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Extension 'corp-authz' loaded
2015-09-11 12:01:34,982 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Initializing extension 'corp-authn'
2015-09-11 12:01:34,983 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-2) [ovirt-engine-extension-aaa-ldap.authn::corp-authn] Creating LDAP pool 'authz'
2015-09-11 12:01:35,120 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-2) [ovirt-engine-extension-aaa-ldap.authn::corp-authn] Creating LDAP pool 'authn'
2015-09-11 12:01:35,159 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Extension 'corp-authn' initialized
2015-09-11 12:01:35,160 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Initializing extension 'builtin-authn-internal'
2015-09-11 12:01:35,161 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Extension 'builtin-authn-internal' initialized
2015-09-11 12:01:35,162 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Initializing extension 'corp-authz'
2015-09-11 12:01:35,162 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-2) [ovirt-engine-extension-aaa-ldap.authz::corp-authz] Creating LDAP pool 'authz'
2015-09-11 12:01:35,185 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-2) [ovirt-engine-extension-aaa-ldap.authz::corp-authz] Creating LDAP pool 'gc'
2015-09-11 12:01:35,222 INFO [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread 1-2) [ovirt-engine-extension-aaa-ldap.authz::corp-authz] Available Namespaces: [DC=int,DC=corp,DC=de]
2015-09-11 12:01:35,223 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Extension 'corp-authz' initialized
2015-09-11 12:01:35,224 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Initializing extension 'internal'
2015-09-11 12:01:35,224 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Extension 'internal' initialized
2015-09-11 12:01:35,225 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Start of enabled extensions list
2015-09-11 12:01:35,225 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Instance name: 'corp-authn', Extension name: 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.0.2', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.0.2-1.el7', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/corp-authn.properties', Initialized: 'true'
2015-09-11 12:01:35,227 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Instance name: 'builtin-authn-internal', Extension name: 'Internal Authn (Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: 'N/A', Initialized: 'true'
2015-09-11 12:01:35,228 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Instance name: 'corp-authz', Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.0.2', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.0.2-1.el7', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/corp-authz.properties', Initialized: 'true'
2015-09-11 12:01:35,230 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Instance name: 'internal', Extension name: 'Internal Authz (Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: 'N/A', Initialized: 'true'
2015-09-11 12:01:35,231 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) End of enabled extensions list
Versions:
ovirt engine 3.5.4
AD: Windows Server 2012r2
Please let me know if you need further logs.
Thanks,
[readme.md]
https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/blob/master/README
--
Daniel Helgenberger
m box bewegtbild GmbH
P: +49/30/2408781-22
F: +49/30/2408781-10
ACKERSTR. 19
D-10115 BERLIN
www.m-box.de www.monkeymen.tv
Managing directors: Martin Retschitzegger / Michaela Göllner
Commercial register: Amtsgericht Charlottenburg / HRB 112767
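Added example, not part of the original post and not code from the ovirt-engine-extension-aaa-ldap project: a small Python checker that parses a properties file in the style shown above, resolves `${global:...}` and `${local:...}` references the way the README's examples use them (a simplifying assumption; the real extension's expansion rules are richer), and reports whether the realm of a failing principal matches `vars.domain` and whether the simple bind is protected by STARTTLS. The sample file is the poster's config with the password lines removed, and the principal `administrator@int.corp.com` is a constructed sample built from the error message with the list archive's `(a)` restored to `@`.

```python
import re
_REF = re.compile(r"\$\{(global|local):([^}]+)\}")

# Constructed sample: the poster's properties file with the password lines removed.
SAMPLE_CONFIG = """\
vars.domain = int.corp.de
vars.user = bind@${global:vars.domain}
#vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
"""

def parse_properties(text):
    """Return (active, commented) key/value dicts; '#key = value' lines go to commented."""
    active, commented = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        key, sep, value = line.lstrip("#").strip().partition("=")
        if not sep or not re.fullmatch(r"[\w.\-]+", key.strip()):
            continue  # blank line or free-text comment
        (commented if line.startswith("#") else active)[key.strip()] = value.strip()
    return active, commented

def expand(value, props, local=None):
    """Resolve ${global:key} from props and ${local:key} from local, recursively; unknown refs stay verbatim."""
    local = local or {}
    def sub(m):
        src = props if m.group(1) == "global" else local
        return expand(src[m.group(2)], props, local) if m.group(2) in src else m.group(0)
    return _REF.sub(sub, value)

def effective_config(text, local=None):
    """Active settings with every variable reference resolved, plus the commented-out ones."""
    active, commented = parse_properties(text)
    return {k: expand(v, active, local) for k, v in active.items()}, commented

def audit(text, principal, local=None):
    """Defender-side checks: principal realm vs vars.domain, and STARTTLS on the simple bind."""
    cfg, commented = effective_config(text, local)
    findings, domain = [], cfg.get("vars.domain", "")
    realm = principal.rsplit("@", 1)[1].lower() if "@" in principal else ""
    if realm != domain.lower():
        findings.append(f"principal realm '{realm}' does not match vars.domain '{domain}'")
    if cfg.get("pool.default.ssl.startTLS", "").lower() != "true":
        note = " (present but commented out)" if "pool.default.ssl.startTLS" in commented else ""
        findings.append("startTLS not enabled" + note + ": simple bind password travels in clear text")
    return findings
```

Run `audit(open("/etc/ovirt-engine/aaa/corp.properties").read(), "user@realm")` against your own file (path is an assumption) to see the resolved bindDN and any findings before restarting the engine.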