The user user@example.com(a)example.com is not authorized to perform login

Can you share the debug log, and also make sure the search user you are using is correct for example by running the ldapsearch command with it. On 06/13/2018 05:33 PM, Michael Watters wrote: > I've ran the ovirt-engine-extension-aaa-ldap-setup command to configure > LDAP authentication using Active Directory however I am unable to > authenticate using valid credentials.  Here is the output show while > testing the login flow. > > [ INFO  ] Executing login sequence... >            Login output: >            2018-06-13 11:27:17,931-04 INFO > ======================================================================== >            2018-06-13 11:27:17,960-04 INFO > ============================ Initialization ============================ >            2018-06-13 11:27:17,960-04 INFO > ======================================================================== >            2018-06-13 11:27:17,999-04 INFO    Loading extension > 'example.com-authn' >            2018-06-13 11:27:18,072-04 INFO    Extension > 'example.com-authn' loaded >            2018-06-13 11:27:18,077-04 INFO    Loading extension > 'example.com-authz' >            2018-06-13 11:27:18,089-04 INFO    Extension > 'example.com-authz' loaded >            2018-06-13 11:27:18,090-04 INFO    Initializing extension > 'example.com-authn' >            2018-06-13 11:27:18,091-04 INFO > [ovirt-engine-extension-aaa-ldap.authn::example.com-authn] Creating LDAP > pool 'authz' >            2018-06-13 11:27:19,574-04 WARNING Exception: 80090308: > LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, > v3839 >            2018-06-13 11:27:19,576-04 INFO > [ovirt-engine-extension-aaa-ldap.authn::example.com-authn] Creating LDAP > pool 'authn' >            2018-06-13 11:27:20,668-04 INFO > [ovirt-engine-extension-aaa-ldap.authn::example.com-authn] LDAP pool > 'authn' information: vendor='null' version='null' >            2018-06-13 11:27:20,674-04 WARNING Ignoring records from > pool: > 'authz' >            2018-06-13 11:27:20,676-04 WARNING Ignoring records from > pool: > 'authz' >            2018-06-13 11:27:20,676-04 INFO    Extension > 'example.com-authn' initialized >            2018-06-13 11:27:20,677-04 INFO    Initializing extension > 'example.com-authz' >            2018-06-13 11:27:20,679-04 INFO > [ovirt-engine-extension-aaa-ldap.authz::example.com-authz] Creating LDAP > pool 'authz' >            2018-06-13 11:27:21,270-04 WARNING Exception: 80090308: > LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, > v3839 >            2018-06-13 11:27:21,273-04 INFO > [ovirt-engine-extension-aaa-ldap.authz::example.com-authz] Creating LDAP > pool 'gc' >            2018-06-13 11:27:22,065-04 WARNING Exception: 80090308: > LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, > v1db1 >            2018-06-13 11:27:22,069-04 WARNING Ignoring records from > pool: > 'authz' >            2018-06-13 11:27:22,072-04 WARNING Ignoring records from > pool: > 'authz' >            2018-06-13 11:27:22,085-04 WARNING Ignoring records from > pool: > 'authz' >            2018-06-13 11:27:22,086-04 INFO > [ovirt-engine-extension-aaa-ldap.authz::example.com-authz] Available > Namespaces: [] >            2018-06-13 11:27:22,087-04 INFO    Extension > 'example.com-authz' initialized >            2018-06-13 11:27:22,088-04 INFO    Start of enabled > extensions > list >            2018-06-13 11:27:22,089-04 INFO    Instance name: > 'example.com-authz', Extension name: > 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.3.7', Notes: > 'Display name: ovirt-engine-extension-aaa-ldap-1.3.7-1.el7.centos', > License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt > Project', Build interface Version: '0',  File: > '/tmp/tmpPQluAI/extensions.d/example.com-authz.properties', Initialized: > 'true' >            2018-06-13 11:27:22,089-04 INFO    Instance name: > 'example.com-authn', Extension name: > 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.3.7', Notes: > 'Display name: ovirt-engine-extension-aaa-ldap-1.3.7-1.el7.centos', > License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt > Project', Build interface Version: '0',  File: > '/tmp/tmpPQluAI/extensions.d/example.com-authn.properties', Initialized: > 'true' >            2018-06-13 11:27:22,090-04 INFO    End of enabled > extensions list >            2018-06-13 11:27:22,090-04 INFO > ======================================================================== >            2018-06-13 11:27:22,090-04 INFO > ============================== Execution =============================== >            2018-06-13 11:27:22,091-04 INFO > ======================================================================== >            2018-06-13 11:27:22,091-04 INFO    Iteration: 0 >            2018-06-13 11:27:22,093-04 INFO    Profile='example.com' > authn='example.com-authn' authz='example.com-authz' mapping='null' >            2018-06-13 11:27:22,094-04 INFO    API: > -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='example.com' > user='d861703' >            2018-06-13 11:27:22,251-04 INFO    API: > <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='example.com' > result=CREDENTIALS_INCORRECT >            2018-06-13 11:27:22,262-04 SEVERE  Authn.Result code is: > CREDENTIALS_INCORRECT > [ ERROR ] Login sequence failed > > Does anybody know what LdapErr: DSID-0C09042A, comment: > AcceptSecurityContext error, data 52e, v3839 means?  Is this a TLS > issue?  I am quite certain the password I'm using is correct. > _______________________________________________ > Users mailing list -- users(a)ovirt.org > To unsubscribe send an email to users-leave(a)ovirt.org > Privacy Statement: https://www.ovirt.org/site/privacy-policy/ > oVirt Code of Conduct: > https://www.ovirt.org/community/about/community-guidelines/ > List Archives: > https://lists.ovirt.org/archives/list/users@ovirt.org/message/7KTJZ6ID3PB... >

This error: The user user@example.com(a)example.com is not authorized to perform login means that you don't have any role assigned to your user. Please check following documentation: https://www.ovirt.org/documentation/admin-guide/chap-Users_and_Roles/#use... to understand permission model of oVirt. On 06/14/2018 02:39 PM, Michael Watters wrote: > ldapsearch works correctly and I'm able to bind to AD without any > issues.  ovirt-engine-extension-aaa-ldap-setup also shows searches > working correctly. > > One thing I've discovered is that I can login as &quot;user(a)domain.com&quot; but > then receive an error as follows. > >> The user user@example.com(a)example.com is not authorized to perform >> login > > How do I enable debug logs?  The log entries from the engine.log file > are the same as my previous message. > > > On 06/14/2018 06:37 AM, Ondra Machacek wrote: >> Can you share the debug log, and also make sure the search user you are >> using is correct for example by running the ldapsearch command with it. >> >> On 06/13/2018 05:33 PM, Michael Watters wrote: >>> I've ran the ovirt-engine-extension-aaa-ldap-setup command to >>> configure >>> LDAP authentication using Active Directory however I am unable to >>> authenticate using valid credentials.  Here is the output show while >>> testing the login flow. >>> >>> [ INFO  ] Executing login sequence... >>>             Login output: >>>             2018-06-13 11:27:17,931-04 INFO >>> ======================================================================== >>> >>>             2018-06-13 11:27:17,960-04 INFO >>> ============================ Initialization >>> ============================ >>>             2018-06-13 11:27:17,960-04 INFO >>> ======================================================================== >>> >>>             2018-06-13 11:27:17,999-04 INFO    Loading extension >>> 'example.com-authn' >>>             2018-06-13 11:27:18,072-04 INFO    Extension >>> 'example.com-authn' loaded >>>             2018-06-13 11:27:18,077-04 INFO    Loading extension >>> 'example.com-authz' >>>             2018-06-13 11:27:18,089-04 INFO    Extension >>> 'example.com-authz' loaded >>>             2018-06-13 11:27:18,090-04 INFO    Initializing extension >>> 'example.com-authn' >>>             2018-06-13 11:27:18,091-04 INFO >>> [ovirt-engine-extension-aaa-ldap.authn::example.com-authn] Creating >>> LDAP >>> pool 'authz' >>>             2018-06-13 11:27:19,574-04 WARNING Exception: 80090308: >>> LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data >>> 52e, >>> v3839 >>>             2018-06-13 11:27:19,576-04 INFO >>> [ovirt-engine-extension-aaa-ldap.authn::example.com-authn] Creating >>> LDAP >>> pool 'authn' >>>             2018-06-13 11:27:20,668-04 INFO >>> [ovirt-engine-extension-aaa-ldap.authn::example.com-authn] LDAP pool >>> 'authn' information: vendor='null' version='null' >>>             2018-06-13 11:27:20,674-04 WARNING Ignoring records from >>> pool: >>> 'authz' >>>             2018-06-13 11:27:20,676-04 WARNING Ignoring records from >>> pool: >>> 'authz' >>>             2018-06-13 11:27:20,676-04 INFO    Extension >>> 'example.com-authn' initialized >>>             2018-06-13 11:27:20,677-04 INFO    Initializing extension >>> 'example.com-authz' >>>             2018-06-13 11:27:20,679-04 INFO >>> [ovirt-engine-extension-aaa-ldap.authz::example.com-authz] Creating >>> LDAP >>> pool 'authz' >>>             2018-06-13 11:27:21,270-04 WARNING Exception: 80090308: >>> LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data >>> 52e, >>> v3839 >>>             2018-06-13 11:27:21,273-04 INFO >>> [ovirt-engine-extension-aaa-ldap.authz::example.com-authz] Creating >>> LDAP >>> pool 'gc' >>>             2018-06-13 11:27:22,065-04 WARNING Exception: 80090308: >>> LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data >>> 52e, >>> v1db1 >>>             2018-06-13 11:27:22,069-04 WARNING Ignoring records from >>> pool: >>> 'authz' >>>             2018-06-13 11:27:22,072-04 WARNING Ignoring records from >>> pool: >>> 'authz' >>>             2018-06-13 11:27:22,085-04 WARNING Ignoring records from >>> pool: >>> 'authz' >>>             2018-06-13 11:27:22,086-04 INFO >>> [ovirt-engine-extension-aaa-ldap.authz::example.com-authz] Available >>> Namespaces: [] >>>             2018-06-13 11:27:22,087-04 INFO    Extension >>> 'example.com-authz' initialized >>>             2018-06-13 11:27:22,088-04 INFO    Start of enabled >>> extensions >>> list >>>             2018-06-13 11:27:22,089-04 INFO    Instance name: >>> 'example.com-authz', Extension name: >>> 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.3.7', Notes: >>> 'Display name: ovirt-engine-extension-aaa-ldap-1.3.7-1.el7.centos', >>> License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt >>> Project', Build interface Version: '0',  File: >>> '/tmp/tmpPQluAI/extensions.d/example.com-authz.properties', >>> Initialized: >>> 'true' >>>             2018-06-13 11:27:22,089-04 INFO    Instance name: >>> 'example.com-authn', Extension name: >>> 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.3.7', Notes: >>> 'Display name: ovirt-engine-extension-aaa-ldap-1.3.7-1.el7.centos', >>> License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt >>> Project', Build interface Version: '0',  File: >>> '/tmp/tmpPQluAI/extensions.d/example.com-authn.properties', >>> Initialized: >>> 'true' >>>             2018-06-13 11:27:22,090-04 INFO    End of enabled >>> extensions list >>>             2018-06-13 11:27:22,090-04 INFO >>> ======================================================================== >>> >>>             2018-06-13 11:27:22,090-04 INFO >>> ============================== Execution >>> =============================== >>>             2018-06-13 11:27:22,091-04 INFO >>> ======================================================================== >>> >>>             2018-06-13 11:27:22,091-04 INFO    Iteration: 0 >>>             2018-06-13 11:27:22,093-04 INFO    Profile='example.com' >>> authn='example.com-authn' authz='example.com-authz' mapping='null' >>>             2018-06-13 11:27:22,094-04 INFO    API: >>> -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='example.com' >>> user='d861703' >>>             2018-06-13 11:27:22,251-04 INFO    API: >>> <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='example.com' >>> result=CREDENTIALS_INCORRECT >>>             2018-06-13 11:27:22,262-04 SEVERE  Authn.Result code is: >>> CREDENTIALS_INCORRECT >>> [ ERROR ] Login sequence failed >>> >>> Does anybody know what LdapErr: DSID-0C09042A, comment: >>> AcceptSecurityContext error, data 52e, v3839 means?  Is this a TLS >>> issue?  I am quite certain the password I'm using is correct. >>> _______________________________________________ >>> Users mailing list -- users(a)ovirt.org >>> To unsubscribe send an email to users-leave(a)ovirt.org >>> Privacy Statement: https://www.ovirt.org/site/privacy-policy/ >>> oVirt Code of Conduct: >>> https://www.ovirt.org/community/about/community-guidelines/ >>> List Archives: >>> https://lists.ovirt.org/archives/list/users@ovirt.org/message/7KTJZ6ID3PB... >>> >>> >