Unable to grant permissions to AD users

I'm having some issues granting permissions to AD users in ovirt-engine 4.1. Users can log in but receive an error as below.

The user user@example.com@example.com is not authorized to perform login

I am also not able to grant this user any permissions through the admin console. Entering a user name in the search field for the System Permissions section results in a blank list. Attached is a screenshot for reference.

Does anybody have an idea on what would cause this? The log files aren't very useful and don't show any errors.

Hi,

it seems that you have an error in your aaa-ldap configuration. Could you please share your engine.log and your aaa-ldap configuration?

Thanks

Martin Perina

On Thu, Oct 5, 2017 at 9:08 PM, Michael Watters <wattersm@watters.ws> wrote:
> I'm having some issues granting permissions to AD users in ovirt-engine 4.1. Users can log in but receive an error as below.
>
> The user user@example.com@example.com is not authorized to perform login
>
> I am also not able to grant this user any permissions through the admin console. Entering a user name in the search field for the System Permissions section results in a blank list. Attached is a screenshot for reference.
>
> Does anybody have an idea on what would cause this? The log files aren't very useful and don't show any errors.
>
> _______________________________________________
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users

I actually reran the ovirt-engine-extension-aaa-ldap-setup tool and was able to log in and complete a search successfully but doing the same thing in the engine UI fails.

Here's the configuration from the .properties file.

include = <ad.properties>

vars.domain = example.com
vars.user = ldapuser@example.com
vars.password = password

pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.ssl.startTLS = true

engine logs show this error. Is this a bug? I don't remember entering a trailing space anywhere during setup.

2017-10-05 14:17:38,156-04 ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] (default task-354) [] OAuthException server_error: java.text.ParseException: Invalid character ' ' encountered.
2017-10-05 14:20:03,229-04 ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] (default task-38) [] OAuthException server_error: java.text.ParseException: Invalid character ' ' encountered.
2017-10-05 14:22:24,691-04 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-185) [] The user username@example.com@example.com is not authorized to perform login

On 10/05/2017 03:29 PM, Martin Perina wrote:
> Hi,
>
> it seems that you have an error in your aaa-ldap configuration. Could you please share your engine.log and your aaa-ldap configuration?
>
> Thanks
>
> Martin Perina

On Thu, Oct 5, 2017 at 10:13 PM, Michael Watters <wattersm@watters.ws> wrote:
> I actually reran the ovirt-engine-extension-aaa-ldap-setup tool and was able to log in and complete a search successfully but doing the same thing in the engine UI fails.
>
> Here's the configuration from the .properties file.
>
> include = <ad.properties>
>
> vars.domain = example.com
> vars.user = ldapuser@example.com
> vars.password = password
>
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
> pool.default.serverset.type = srvrecord
> pool.default.serverset.srvrecord.domain = ${global:vars.domain}
> pool.default.ssl.startTLS = true
>
> engine logs show this error. Is this a bug? I don't remember entering a trailing space anywhere during setup.

Hmm, could you please try to execute the following commands with the same username as you have used to log in to the webui?

ovirt-engine-extensions-tool aaa login-user --log-level=FINEST --profile=<YOUR PROFILE> --user-name=<USERNAME>

ovirt-engine-extensions-tool aaa search --log-level=FINEST --extension-name=<YOUR AUTHZ NAME> --entity-name=<USERNAME>

Thanks

> 2017-10-05 14:17:38,156-04 ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] (default task-354) [] OAuthException server_error: java.text.ParseException: Invalid character ' ' encountered.
> 2017-10-05 14:20:03,229-04 ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] (default task-38) [] OAuthException server_error: java.text.ParseException: Invalid character ' ' encountered.
> 2017-10-05 14:22:24,691-04 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-185) [] The user username@example.com@example.com is not authorized to perform login
participants (2)
- Martin Perina
- Michael Watters
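
One way to check the question raised in the thread, whether a stray space ended up in the aaa-ldap .properties file. This is an added example, not part of the thread and not oVirt code; it assumes simple `key = value` lines like the configuration quoted above, and the sample text with its planted whitespace is constructed. It does not establish that whitespace in this file is what produced the ParseException.

```python
import sys

# Constructed sample modelled on the configuration quoted in the thread.
# The space after "example.com" and the no-break space after "true" are
# planted for the demonstration; they are not in the poster's file.
SAMPLE = (
    "include = <ad.properties>\n"
    "# comment lines and blank lines are skipped\n"
    "vars.domain = example.com \n"
    "vars.user = ldapuser@example.com\n"
    "pool.default.auth.simple.bindDN = ${global:vars.user}\n"
    "pool.default.serverset.srvrecord.domain = ${global:vars.domain}\n"
    "pool.default.ssl.startTLS = true\u00a0\n"
)


def find_whitespace_issues(text):
    """Return (line_no, key, problem, repr(value)) for each suspicious value."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.lstrip(" \t")
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Leading blanks before the value are dropped; trailing ones are kept
        # so they can be reported. Interior spaces (DNs, passwords) are legal.
        key, value = key.strip(), value.lstrip(" \t")
        if value and value[-1].isspace():
            findings.append((line_no, key, "trailing whitespace", repr(value)))
        # Whitespace other than space/tab is invisible in most editors.
        odd = sorted({f"U+{ord(c):04X}" for c in value
                      if c.isspace() and c not in " \t"})
        if odd:
            findings.append((line_no, key,
                             "unusual whitespace " + ",".join(odd), repr(value)))
    return findings


if __name__ == "__main__":
    # Usage: python3 check_props.py <file.properties> [...]
    # With no arguments the constructed SAMPLE is scanned instead.
    for path in sys.argv[1:] or [None]:
        if path is None:
            text = SAMPLE
        else:
            with open(path, encoding="utf-8") as handle:
                text = handle.read()
        for line_no, key, problem, shown in find_whitespace_issues(text):
            print(f"{path or '<sample>'}:{line_no}: {key}: {problem}: {shown}")
```

Values are printed with `repr()` so that a trailing blank or a no-break space shows up as `'example.com '` or `'true\xa0'` instead of disappearing in the terminal.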