Can not configure with simple LDAP.

Hello,

I'm running oVirt Engine, OpenLDAP and BIND on the same machine, and an oVirt host (hypervisor) on another machine.
I tried to configure OpenLDAP using ovirt-engine-extension-aaa-ldap, but no LDAP users can be searched or added from the Web Admin Portal.

CentOS release 6.5 (Final)
ovirt-engine.noarch 3.5.0-0.0.master.20140821064931.gitb794d66.el6
ovirt-engine-extension-aaa-ldap.noarch 0.0.0-0.0.master.20140904095149.gitc7bd415.el6
openldap-clients.x86_64 2.4.23-34.el6_5.1
openldap-servers.x86_64 2.4.23-34.el6_5.1
cyrus-sasl-gssapi.x86_64 2.1.23-13.el6_3.1
bind.x86_64 32:9.8.2-0.23.rc1.el6_5.1

My setup procedure:
-------------------------------------------------------------------------------
# yum -y install openldap-servers openldap-clients
# yum -y install cyrus-sasl-gssapi
-------------------------------------------------------------------------------
# rm -rf /etc/openldap/slapd.d
# rm -rf /var/lib/ldap/*
-------------------------------------------------------------------------------
(Copy slapd.conf template)
# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
-------------------------------------------------------------------------------
# vi /etc/openldap/slapd.conf
....(snip)....
# remove comment out
moduleload memberof.la
....(snip)....
# modify value
by dn.exact="cn=Manager,dc=rxc05271,dc=com" read
....(snip)....
# add next two lines right under "database definitions"
authz-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
  "cn=Manager,dc=rxc05271,dc=com"
....(snip)....
# modify value
suffix "dc=rxc05271,dc=com"
....(snip)....
# modify value
rootdn "cn=Manager,dc=rxc05271,dc=com"
....(snip)....
# remove comment out
rootpw secret
....(snip)....
# add next line to end of the file
overlay memberof
loglevel 4
-------------------------------------------------------------------------------
(Enabling SSL/TLS)
# vi /etc/sysconfig/ldap
SLAPD_LDAPS=yes
-------------------------------------------------------------------------------
(Enabling OpenLDAP log output)
# echo "local4.* /var/log/ldap.log" > /etc/rsyslog.d/ldaplog.conf
# service rsyslog restart
-------------------------------------------------------------------------------
# service slapd start
# chkconfig slapd on
-------------------------------------------------------------------------------
# vi ldapconfig.ldif
dn: dc=rxc05271,dc=com
objectClass: dcObject
objectClass: organization
dc: rxc05271
o: RXC05271

dn: ou=Groups,dc=rxc05271,dc=com
objectclass: organizationalUnit
ou: Groups

dn: ou=Users,dc=rxc05271,dc=com
objectclass: organizationalUnit
ou: Users

dn: uid=tani,ou=Users,dc=rxc05271,dc=com
objectclass: inetOrgPerson
objectclass: uidObject
uid: tani
cn: Tani
givenName: Fumihide
mail: tani@rxc05271.com
sn: 0

dn: cn=Power-Users,ou=Groups,dc=rxc05271,dc=com
objectclass: groupOfNames
cn: Power-Users
member: uid=tani,ou=Users,dc=rxc05271,dc=com
-------------------------------------------------------------------------------
# ldapadd -x -D "cn=Manager,dc=rxc05271,dc=com" -w secret -f ldapconfig.ldif
-------------------------------------------------------------------------------
# vi setsasl.ldif
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,noplain,minssf=1
-
-------------------------------------------------------------------------------
# ldapmodify -x -D "cn=Manager,dc=rxc05271,dc=com" -w secret -f setsasl.ldif
-------------------------------------------------------------------------------
# ldapsearch -LL -Y EXTERNAL -H ldapi:/// "(uid=tani)" -b dc=rxc05271,dc=com memberOf
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
version: 1

dn: uid=tani,ou=Users,dc=rxc05271,dc=com
memberOf: cn=Power-Users,ou=Groups,dc=rxc05271,dc=com
-------------------------------------------------------------------------------
# yum install ovirt-engine-extension-aaa-ldap
-------------------------------------------------------------------------------
# vi /etc/ovirt-engine/extensions.d/authn-company.properties
ovirt.engine.extension.name = authn-company
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = rxc05271.com
ovirt.engine.aaa.authn.authz.plugin = authz-company
config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
-------------------------------------------------------------------------------
# vi /etc/ovirt-engine/aaa/rxc05271.properties
include = <openldap.properties>

vars.user = cn=Manager,dc=rxc05271,dc=com
vars.password = 12345678
vars.server = ldap.rxc05271.com

pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = /etc/openldap/certs/ldap.jks
pool.default.ssl.truststore.password = 12345678

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
-------------------------------------------------------------------------------
(Add DNS records)
# vi /var/named/rxc05271.com.db
(snip)
ldap IN A 192.168.0.5
_ldap._tcp.rxc05271.com. IN SRV 10 0 389 ovirt.rxc05271.com.

# vi /var/named/0.168.192.in-addr.arpa.db
(snip)
5 IN PTR ldap.rxc05271.com.
# service named restart
-------------------------------------------------------------------------------
# service ovirt-engine restart
-------------------------------------------------------------------------------
(ldap.log output after the ovirt-engine restart)
[root@ovirt ~]# cat /var/log/ldap.log
Sep 21 14:33:20 ovirt slapd[19276]: connection_get(15)
Sep 21 14:33:20 ovirt slapd[19276]: connection_get(18)
Sep 21 14:33:20 ovirt slapd[19276]: connection_get(17)
Sep 21 14:33:20 ovirt slapd[19276]: connection_get(19)
Sep 21 14:33:20 ovirt slapd[19276]: connection_get(20)
Sep 21 14:33:20 ovirt slapd[19276]: connection_get(21)
Sep 21 14:33:20 ovirt slapd[19276]: connection_get(23)
Sep 21 14:33:20 ovirt slapd[19276]: connection_get(22)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(15)
Sep 21 14:33:25 ovirt slapd[19276]: do_extended: oid=1.3.6.1.4.1.1466.20037
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(15)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(15)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(15)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(15)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(15)
Sep 21 14:33:25 ovirt slapd[19276]: ==> bdb_bind: dn: cn=Manager,dc=rxc05271,dc=com
Sep 21 14:33:25 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(17)
Sep 21 14:33:25 ovirt slapd[19276]: do_extended: oid=1.3.6.1.4.1.1466.20037
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(17)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(17)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(17)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(17)
Sep 21 14:33:25 ovirt slapd[19276]: ==> bdb_bind: dn: cn=Manager,dc=rxc05271,dc=com
Sep 21 14:33:25 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(18)
Sep 21 14:33:25 ovirt slapd[19276]: do_extended: oid=1.3.6.1.4.1.1466.20037
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(18)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(18)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(18)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(18)
Sep 21 14:33:25 ovirt slapd[19276]: ==> bdb_bind: dn: cn=Manager,dc=rxc05271,dc=com
Sep 21 14:33:25 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(19)
Sep 21 14:33:25 ovirt slapd[19276]: do_extended: oid=1.3.6.1.4.1.1466.20037
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(19)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(19)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(19)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(19)
Sep 21 14:33:25 ovirt slapd[19276]: ==> bdb_bind: dn: cn=Manager,dc=rxc05271,dc=com
Sep 21 14:33:25 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(15)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(15)
Sep 21 14:33:25 ovirt slapd[19276]: SRCH "" 0 0
Sep 21 14:33:25 ovirt slapd[19276]: 1 0 0
Sep 21 14:33:25 ovirt slapd[19276]: filter: (objectClass=*)
Sep 21 14:33:25 ovirt slapd[19276]: attrs:
Sep 21 14:33:25 ovirt slapd[19276]: *
Sep 21 14:33:25 ovirt slapd[19276]: +
Sep 21 14:33:25 ovirt slapd[19276]: altServer
Sep 21 14:33:25 ovirt slapd[19276]: changelog
Sep 21 14:33:25 ovirt slapd[19276]: firstChangeNumber
Sep 21 14:33:25 ovirt slapd[19276]: lastChangeNumber
Sep 21 14:33:25 ovirt slapd[19276]: lastPurgedChangeNumber
Sep 21 14:33:25 ovirt slapd[19276]: namingContexts
Sep 21 14:33:25 ovirt slapd[19276]: subschemaSubentry
Sep 21 14:33:25 ovirt slapd[19276]: supportedAuthPasswordSchemes
Sep 21 14:33:25 ovirt slapd[19276]: supportedControl
Sep 21 14:33:25 ovirt slapd[19276]: supportedExtension
Sep 21 14:33:25 ovirt slapd[19276]: supportedFeatures
Sep 21 14:33:25 ovirt slapd[19276]: supportedLDAPVersion
Sep 21 14:33:25 ovirt slapd[19276]: supportedSASLMechanisms
Sep 21 14:33:25 ovirt slapd[19276]: vendorName
Sep 21 14:33:25 ovirt slapd[19276]: vendorVersion
Sep 21 14:33:25 ovirt slapd[19276]:
Sep 21 14:33:25 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(20)
Sep 21 14:33:25 ovirt slapd[19276]: do_extended: oid=1.3.6.1.4.1.1466.20037
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(20)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(20)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(20)
Sep 21 14:33:26 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(21)
Sep 21 14:33:26 ovirt slapd[19276]: do_extended: oid=1.3.6.1.4.1.1466.20037
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(21)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(21)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(21)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(21)
Sep 21 14:33:26 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(22)
Sep 21 14:33:26 ovirt slapd[19276]: do_extended: oid=1.3.6.1.4.1.1466.20037
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(22)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(22)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(22)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(22)
Sep 21 14:33:26 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(23)
Sep 21 14:33:26 ovirt slapd[19276]: do_extended: oid=1.3.6.1.4.1.1466.20037
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(23)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(23)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(23)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(23)
Sep 21 14:33:26 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(20)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(20)
Sep 21 14:33:26 ovirt slapd[19276]: SRCH "" 0 0
Sep 21 14:33:26 ovirt slapd[19276]: 1 0 0
Sep 21 14:33:26 ovirt slapd[19276]: filter: (objectClass=*)
Sep 21 14:33:26 ovirt slapd[19276]: attrs:
Sep 21 14:33:26 ovirt slapd[19276]: *
Sep 21 14:33:26 ovirt slapd[19276]: +
Sep 21 14:33:26 ovirt slapd[19276]: altServer
Sep 21 14:33:26 ovirt slapd[19276]: changelog
Sep 21 14:33:26 ovirt slapd[19276]: firstChangeNumber
Sep 21 14:33:26 ovirt slapd[19276]: lastChangeNumber
Sep 21 14:33:26 ovirt slapd[19276]: lastPurgedChangeNumber
Sep 21 14:33:26 ovirt slapd[19276]: namingContexts
Sep 21 14:33:26 ovirt slapd[19276]: subschemaSubentry
Sep 21 14:33:26 ovirt slapd[19276]: supportedAuthPasswordSchemes
Sep 21 14:33:26 ovirt slapd[19276]: supportedControl
Sep 21 14:33:26 ovirt slapd[19276]: supportedExtension
Sep 21 14:33:26 ovirt slapd[19276]: supportedFeatures
Sep 21 14:33:26 ovirt slapd[19276]: supportedLDAPVersion
Sep 21 14:33:26 ovirt slapd[19276]: supportedSASLMechanisms
Sep 21 14:33:26 ovirt slapd[19276]: vendorName
Sep 21 14:33:26 ovirt slapd[19276]: vendorVersion
Sep 21 14:33:26 ovirt slapd[19276]:
Sep 21 14:33:26 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(17)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(17)
Sep 21 14:33:26 ovirt slapd[19276]: SRCH "" 0 0
Sep 21 14:33:26 ovirt slapd[19276]: 0 0 0
Sep 21 14:33:26 ovirt slapd[19276]: filter: (&(objectClass=*))
Sep 21 14:33:26 ovirt slapd[19276]: attrs:
Sep 21 14:33:26 ovirt slapd[19276]: namingContexts
Sep 21 14:33:26 ovirt slapd[19276]:
Sep 21 14:33:26 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
-------------------------------------------------------------------------------
(engine.log output after the ovirt-engine restart)
# cat /var/log/ovirt-engine/engine.log | grep extensions
2014-09-21 14:33:25,591 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-15) Creating LDAP pool 'authz' for 'authn-company'
2014-09-21 14:33:25,962 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-15) Creating LDAP pool 'authn' for 'authn-company'
2014-09-21 14:33:26,195 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-15) Start of enabled extensions list
2014-09-21 14:33:26,196 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-15) Instance name: 'builtin-authn-internal', Extension name: 'Internal Authn (Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: 'N/A', Initialized: 'true'
2014-09-21 14:33:26,196 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-15) Instance name: 'authn-company', Extension name: 'aaa.ldap.authn', Version: '0.0.0_master', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-0.0.0-0.0.master.20140904095149.gitc7bd415.el6', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/authn-company.properties', Initialized: 'true'
2014-09-21 14:33:26,197 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-15) Instance name: 'internal', Extension name: 'Internal Authz (Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: 'N/A', Initialized: 'true'
2014-09-21 14:33:26,197 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-15) End of enabled extensions list
-------------------------------------------------------------------------------
I could not find any errors in engine.log or in ldap.log.
And I cannot search for or add LDAP users from the Web Admin Portal: click the "Users" tab, then click "Add"; in the "Search" field of [Add Users and Groups] I can select only "internal (internal)".
I do not know where the cause is. Am I missing another required setting?

Thanks,
Fumihide Tani

Hi,

You need to create an authz extension as well (authz-company).
The configuration you provided establishes authentication only (authn), which refers to authz-company, but you did not add it.

The terms are:
1. authn - who the user is.
2. authz - what the user is permitted.
3. profile - combination of the two.

-----------------------------
# vi /etc/ovirt-engine/extensions.d/authz-company.properties
ovirt.engine.extension.name = authz-company
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
--------------------------------------------------

Regards,
Alon

----- Original Message -----
From: "Alon Bar-Lev" <alonbl@redhat.com>
To: "Fumihide Tani" <RXC05271@nifty.com>
Cc: users@ovirt.org
Sent: Sunday, September 21, 2014 10:19:11 AM
Subject: Re: [ovirt-users] Can not configure with simple LDAP.

> Hi,
>
> You need to create an authz extension as well (authz-company).
> The configuration you provided establishes authentication only (authn), which refers to authz-company, but you did not add it.
>
> The terms are:
> 1. authn - who the user is.
> 2. authz - what the user is permitted.
> 3. profile - combination of the two.
>
> -----------------------------
> # vi /etc/ovirt-engine/extensions.d/authz-company.properties
> ovirt.engine.extension.name = authz-company
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension

Sorry:
org.ovirt.engineextensions.aaa.ldap.AuthzExtension

> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
> --------------------------------------------------
>
> Regards,
> Alon
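The two mistakes in this exchange (an authn file naming an authz plugin that has no file, and an authz file that names AuthnExtension as its class) can both be caught offline before the engine is restarted. The following checker is an added example, not code from the thread or from the ovirt-engine-extension-aaa-ldap project: it reads every *.properties file in an extensions.d directory, confirms that the authz plugin an authn extension names exists and provides the Authz interface, and confirms that the jbossmodule class matches the interface the file provides. The property keys, interface names and class names are the ones posted above; the sample files, the check_files helper and the scenarios are constructed for the example.

```python
"""Consistency check for oVirt AAA extension property files (added example)."""
import os
import tempfile

AUTHN_IFACE = "org.ovirt.engine.api.extensions.aaa.Authn"
AUTHZ_IFACE = "org.ovirt.engine.api.extensions.aaa.Authz"

# Interface an extension provides -> class expected to implement it (from the thread).
EXPECTED_CLASS = {
    AUTHN_IFACE: "org.ovirt.engineextensions.aaa.ldap.AuthnExtension",
    AUTHZ_IFACE: "org.ovirt.engineextensions.aaa.ldap.AuthzExtension",
}


def parse_properties(text):
    """Minimal Java .properties reader: 'key = value' lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")   # split on the first '=' only
        props[key.strip()] = value.strip()
    return props


def load_extensions(directory):
    """Map extension name -> properties for every *.properties file in directory."""
    exts = {}
    for fname in sorted(os.listdir(directory)):
        if fname.endswith(".properties"):
            with open(os.path.join(directory, fname)) as fh:
                props = parse_properties(fh.read())
            exts[props.get("ovirt.engine.extension.name", fname)] = props
    return exts


def check_extensions(exts):
    """Return a list of problems; an empty list means the set is consistent."""
    problems = []
    for name, p in exts.items():
        provides = p.get("ovirt.engine.extension.provides")
        klass = p.get("ovirt.engine.extension.binding.jbossmodule.class")
        expected = EXPECTED_CLASS.get(provides)
        if expected and klass != expected:
            problems.append(f"{name}: provides {provides} but class is "
                            f"{klass}, expected {expected}")
        if provides == AUTHN_IFACE:
            authz = p.get("ovirt.engine.aaa.authn.authz.plugin")
            if not authz:
                problems.append(f"{name}: authn extension names no authz plugin")
            elif authz not in exts:
                problems.append(f"{name}: authz plugin '{authz}' has no "
                                f"extension file in extensions.d")
            elif exts[authz].get("ovirt.engine.extension.provides") != AUTHZ_IFACE:
                problems.append(f"{name}: '{authz}' does not provide Authz")
    return problems


def check_files(files):
    """Write {filename: content} into a scratch extensions.d and check it (helper for the example)."""
    with tempfile.TemporaryDirectory() as tmp:
        for fname, content in files.items():
            with open(os.path.join(tmp, fname), "w") as fh:
                fh.write(content)
        return check_extensions(load_extensions(tmp))


# Constructed sample: the authn file from the first message of the thread.
AUTHN_COMPANY = """\
ovirt.engine.extension.name = authn-company
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = rxc05271.com
ovirt.engine.aaa.authn.authz.plugin = authz-company
config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
"""

# Constructed sample: the authz file as first posted (wrong class) and as corrected.
AUTHZ_COMPANY_WRONG_CLASS = """\
ovirt.engine.extension.name = authz-company
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
"""
AUTHZ_COMPANY = AUTHZ_COMPANY_WRONG_CLASS.replace("AuthnExtension", "AuthzExtension")

if __name__ == "__main__":
    scenarios = [
        ("authn only", {"authn-company.properties": AUTHN_COMPANY}),
        ("authz with AuthnExtension", {"authn-company.properties": AUTHN_COMPANY,
                                       "authz-company.properties": AUTHZ_COMPANY_WRONG_CLASS}),
        ("corrected", {"authn-company.properties": AUTHN_COMPANY,
                       "authz-company.properties": AUTHZ_COMPANY}),
    ]
    for label, files in scenarios:
        print(label, "->", check_files(files) or ["OK"])
```

Run against a real /etc/ovirt-engine/extensions.d by calling check_extensions(load_extensions("/etc/ovirt-engine/extensions.d")); an empty list means every authn has its authz and every class matches its interface, which is exactly the state the engine.log "enabled extensions list" should then reflect.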

Hi, Alon

Many thanks for your help.
My problem was solved and the AAA is working now.
I could add an LDAP user. :)

Fumihide Tani

----- Original Message -----
From: "Fumihide Tani" <RXC05271@nifty.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: users@ovirt.org
Sent: Sunday, September 21, 2014 11:11:11 AM
Subject: Re: [ovirt-users] Can not configure with simple LDAP.

> Hi, Alon
>
> Many thanks for your help.
> My problem was solved and the AAA is working now.
> I could add an LDAP user. :)

Great.
Can you please send me a patch or modified README to make it better?

Alon

> Fumihide Tani

Hi, Alon,

Following Alon's advice, I added the authz-company.properties file to the configuration directory.
Then OpenLDAP users can be searched from the oVirt Web Admin, and I could add its users to the portal successfully.

But I have another problem.
These OpenLDAP users that I added cannot log in to the oVirt web User Portal.

User Name: Fumihide (This is shown on the Web Admin Portal "Users" tab as "First Name")
Password: (I specified it as OpenLDAP's userPassword for "Fumihide")
Domain: rxc05271.com (I selected it instead of "internal")

?

Please advise me; I would be very thankful.

Fumihide Tani

----- Original Message -----
From: "Fumihide Tani" <RXC05271@nifty.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: users@ovirt.org
Sent: Sunday, September 21, 2014 6:00:48 PM
Subject: Re: [ovirt-users] Can not configure with simple LDAP.

> Hi, Alon,
>
> Following Alon's advice, I added the authz-company.properties file to the configuration directory.
> Then OpenLDAP users can be searched from the oVirt Web Admin, and I could add its users to the portal successfully.
>
> But I have another problem.
> These OpenLDAP users that I added cannot log in to the oVirt web User Portal.
>
> User Name: Fumihide (This is shown on the Web Admin Portal "Users" tab as "First Name")
> Password: (I specified it as OpenLDAP's userPassword for "Fumihide")
> Domain: rxc05271.com (I selected it instead of "internal")
>
> ?

1. What error do you get at the UI?

2. Please look at engine.log while attempting to log in, to see if there is something helpful.

3. Please make sure that the following is a success:
$ ldapsearch -h <HOST> -x -W -D <LOGIN_USER_DN> -b <BASE_DN> uid=<LOGIN_NAME>

4. If working, please modify /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in
---
<file-handler name="ENGINE" autoflush="true">
- <level name="INFO"/>
- <level name="FINEST"/>
<snip>
+ <logger category="org.ovirt.engineextensions.aaa.ldap">
+ <level name="FINEST"/>
+ </logger>
<logger category="org.ovirt.engine.core.bll">
---
Restart engine, attempt login, send me the output.
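Review bot: in the file-handler part of the sketch both `<level>` lines carry a `-` marker (`- <level name="INFO"/>` and `- <level name="FINEST"/>`), so read literally it removes the ENGINE handler's level and adds nothing back; if the intent is to lower the handler threshold so that FINEST records from the new `org.ovirt.engineextensions.aaa.ldap` logger actually reach the file, the second line should read `+ <level name="FINEST"/>`. Spelling that out matters here because both the handler level and the logger level must admit FINEST for the extra output to appear, and the sketch gives no `@@` context to show which of the two blocks the reader is editing.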
> Please advise me; I would be very thankful.
>
> Fumihide Tani

(2014/09/22 0:16), Alon Bar-Lev wrote:
>
> ----- Original Message -----
>> From: "Fumihide Tani" <RXC05271@nifty.com>
>> To: "Alon Bar-Lev" <alonbl@redhat.com>
>> Cc: users@ovirt.org
>> Sent: Sunday, September 21, 2014 6:00:48 PM
>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>>
>> Hi, Alon,
>>
>> Following Alon's advice, I added the authz-company.properties file to the configuration directory.
>> Then OpenLDAP users can be searched from the oVirt Web Admin, and I could add its users to the portal successfully.
>>
>> But I have another problem.
>> These OpenLDAP users that I added cannot log in to the oVirt web User Portal.
>>
>> User Name: Fumihide (This is shown on the Web Admin Portal "Users" tab as "First Name")
>> Password: (I specified it as OpenLDAP's userPassword for "Fumihide")
>> Domain: rxc05271.com (I selected it instead of "internal")
>>
>> ?

> 1. What error do you get at the UI?

"The user name or password is incorrect."

> 2. Please look at engine.log while attempting to log in, to see if there is something helpful.

2014-09-22 09:53:27,669 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-2) Cant login user "Fumihide" with authentication profile "rxc05271.com" because the authentication failed.
2014-09-22 09:53:27,685 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide cannot login, please verify the username and password.
2014-09-22 09:53:27,693 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide failed to log in.
2014-09-22 09:53:27,693 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-2) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD

> 3. Please make sure that the following is a success:
> $ ldapsearch -h <HOST> -x -W -D <LOGIN_USER_DN> -b <BASE_DN> uid=<LOGIN_NAME>

[root@ovirt ~]# ldapsearch -H ldapi:/// -x -W -D "uid=tani,ou=Users,dc=rxc05271,dc=com" -b 'dc=rxc05271,dc=com' -x '(uid=tani)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=rxc05271,dc=com> with scope subtree
# filter: (uid=tani)
# requesting: ALL
#

# tani, Users, rxc05271.com
dn: uid=tani,ou=Users,dc=rxc05271,dc=com
objectClass: inetOrgPerson
objectClass: uidObject
uid: tani
cn: Fumihide Tani
givenName: Fumihide
mail: tani@rxc05271.com
sn: Tani
userPassword:: a3VtaXRhbg==

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@ovirt ~]#

> 4. If working, please modify /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in
> ---
> <file-handler name="ENGINE" autoflush="true">
> - <level name="INFO"/>
> - <level name="FINEST"/>
> <snip>
> + <logger category="org.ovirt.engineextensions.aaa.ldap">
> + <level name="FINEST"/>
> + </logger>
> <logger category="org.ovirt.engine.core.bll">
> ---
> Restart engine, attempt login, send me the output.

2014-09-22 10:03:57,517 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-7) Cant login user "Fumihide" with authentication profile "rxc05271.com" because the authentication failed.
2014-09-22 10:03:57,534 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-7) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide cannot login, please verify the username and password.
2014-09-22 10:03:57,545 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-7) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide failed to log in.
2014-09-22 10:03:57,545 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-7) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD

(Has the logger level not changed to FINEST? The output is the same as above.)

Thanks,
Fumihide Tani
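Step 3 looks the login name up as uid=<LOGIN_NAME> after binding as the user, while the name typed into the portal here ("Fumihide") is the value the Web Admin shows as "First Name". The following diagnostic is an added example, not code from the thread or from oVirt: it pulls the login name and profile out of the LoginBaseCommand line that engine.log prints on a failed login, parses the LDIF that the step-3 ldapsearch returned, and reports which attribute of the entry the typed name actually equals, so that a name matching givenName or cn rather than uid stands out before any bind or password is suspected. The log lines and LDIF are constructed copies of the output in this message with the userPassword value replaced by a placeholder; the function names are the example's own.

```python
"""Offline check of a failed portal login against the LDAP entry (added example)."""
import base64
import re

# Constructed copy of two engine.log lines from this message.
ENGINE_LOG = """\
2014-09-22 09:53:27,669 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-2) Cant login user "Fumihide" with authentication profile "rxc05271.com" because the authentication failed.
2014-09-22 09:53:27,693 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-2) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
"""

# Constructed copy of the step-3 ldapsearch output; the userPassword value
# is a placeholder ("PLACEHOLDER" in base64), not the value from the thread.
LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=rxc05271,dc=com> with scope subtree
# filter: (uid=tani)
# requesting: ALL
#

# tani, Users, rxc05271.com
dn: uid=tani,ou=Users,dc=rxc05271,dc=com
objectClass: inetOrgPerson
objectClass: uidObject
uid: tani
cn: Fumihide Tani
givenName: Fumihide
mail: tani@rxc05271.com
sn: Tani
userPassword:: UExBQ0VIT0xERVI=

# search result
search: 2
result: 0 Success
"""

LOGIN_FAIL_RE = re.compile(r'Cant login user "(?P<user>[^"]*)" with '
                           r'authentication profile "(?P<profile>[^"]*)"')


def failed_logins(log_text):
    """(login name, profile) for every LoginBaseCommand failure line."""
    found = []
    for line in log_text.splitlines():
        m = LOGIN_FAIL_RE.search(line)
        if m:
            found.append((m.group("user"), m.group("profile")))
    return found


def parse_ldif(text):
    """Parse ldapsearch LDIF output into a list of {attr: [values]} entries.

    Skips '#' comments, joins folded lines (leading space), decodes base64
    values ('attr:: ...') and keeps only records that carry a dn.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of the previous line
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:              # trailing "" flushes the last record
        if line == "":
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):             # 'attr:: base64'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return entries


def matching_attributes(entry, login_name):
    """Attributes (other than userPassword) whose value equals login_name.

    Directory matching rules for these attributes ignore case, so this does too.
    """
    wanted = login_name.lower()
    return sorted(attr for attr, values in entry.items()
                  if attr != "userPassword"
                  and any(v.lower() == wanted for v in values))


def diagnose(log_text, ldif_text):
    """{(login name, profile): {dn: [matching attrs]}} for each failed login."""
    entries = parse_ldif(ldif_text)
    return {(user, profile): {e["dn"][0]: matching_attributes(e, user) for e in entries}
            for user, profile in failed_logins(log_text)}


if __name__ == "__main__":
    for (user, profile), hits in diagnose(ENGINE_LOG, LDIF).items():
        for dn, attrs in hits.items():
            print(f'login "{user}" (profile {profile}) matches {attrs or "nothing"} in {dn}')
```

On this message's data the report says that "Fumihide" matches only givenName of uid=tani, while "tani" matches uid (and, case-insensitively, sn); that is the comparison step 3 is asking for, done against the saved output instead of the live directory.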

----- Original Message -----
> From: "Fumihide Tani" <RXC05271@nifty.com>
> To: "Alon Bar-Lev" <alonbl@redhat.com>
> Cc: users@ovirt.org
> Sent: Monday, September 22, 2014 4:16:17 AM
> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>
> [...]
>
> > 4. If working please modify
> > /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in
> > ---
> > <file-handler name="ENGINE" autoflush="true">
> > - <level name="INFO"/>
> > - <level name="FINEST"/>
> > <snip>
> > + <logger category="org.ovirt.engineextensions.aaa.ldap">
> > + <level name="FINEST"/>
> > + </logger>
> > <logger category="org.ovirt.engine.core.bll">
> > ---
> > Restart engine, attempt login, send me the output.
>
> [...]
>
> (Is the logger level not changed to FINEST? The output is the same as above.)
>
I made a mistake above... the file-handler level should be set to finest.

<file-handler name="ENGINE" autoflush="true">
    <level name="FINEST"/>

can you confirm?
or best send me the engine.xml.in file and I can see what's wrong.

thanks!

(2014/09/22 15:00), Alon Bar-Lev wrote:
>
> ----- Original Message -----
>> From: "Fumihide Tani" <RXC05271@nifty.com>
>> To: "Alon Bar-Lev" <alonbl@redhat.com>
>> Cc: users@ovirt.org
>> Sent: Monday, September 22, 2014 4:16:17 AM
>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>>
>> [...]
>>
>> (Is the logger level not changed to FINEST? The output is the same as above.)
>>
> I made a mistake above... the file-handler level should be set to finest.
>
> <file-handler name="ENGINE" autoflush="true">
>     <level name="FINEST"/>
>
> can you confirm?
> or best send me the engine.xml.in file and I can see what's wrong.
>
> thanks!

I set the file-handler's level name to "FINEST", but the outputs are the same as before.
I attached the ovirt-engine.xml.in

Regards,

You need to add the following:

+ <logger category="org.ovirt.engineextensions.aaa.ldap">
+ <level name="FINEST"/>
+ </logger>
<logger category="org.ovirt.engine.core.bll">

Look at the + lines, please add these (without the +) just before: <logger category="org.ovirt.engine.core.bll">

Thanks!

----- Original Message -----
> From: "Fumihide Tani" <RXC05271@nifty.com>
> To: "Alon Bar-Lev" <alonbl@redhat.com>
> Cc: users@ovirt.org
> Sent: Monday, September 22, 2014 1:10:57 PM
> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>
> [...]
>
> I set the file-handler's level name to "FINEST", but the outputs are the same as before.
> I attached the ovirt-engine.xml.in
>
> Regards,
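Alon's two logging edits, as an added example that is neither part of this thread nor ovirt-engine code: a Python check that a given ovirt-engine.xml.in has the ENGINE file-handler at FINEST and a FINEST logger for the aaa.ldap category, and that flags CRLF line endings. The JBoss logging subsystem is namespaced, so tags are matched on local name; the XML fragments inside are constructed and much shorter than the real file.

```python
"""Added example, not ovirt-engine code: verifies the two logging edits asked
for in /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in and
flags CRLF line endings.  The XML below is a constructed fragment in the shape
of the JBoss logging subsystem; the real file is much larger."""
import sys
import xml.etree.ElementTree as ET

ENGINE_HANDLER = "ENGINE"
AAA_LDAP_CATEGORY = "org.ovirt.engineextensions.aaa.ldap"


def _local(tag):
    """'{urn:jboss:domain:logging:1.1}logger' -> 'logger'."""
    return tag.rsplit("}", 1)[-1]


def _level(elem):
    """Return the name of the <level/> child of a handler or logger, or None."""
    for child in elem:
        if _local(child.tag) == "level":
            return child.get("name")
    return None


def check_logging_config(data):
    """data: raw bytes of ovirt-engine.xml.in.  Returns a list of findings;
    an empty list means both edits are in place and the file is LF-only."""
    findings = []
    # A Windows editor or a mail client can silently add CRLF; the attached
    # file later in this thread had exactly that.
    if b"\r\n" in data:
        findings.append("CRLF line endings present; run dos2unix on the file")
    root = ET.fromstring(data)
    handler_seen = False
    handler_level = None
    ldap_level = None
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag == "file-handler" and elem.get("name") == ENGINE_HANDLER:
            handler_seen = True
            handler_level = _level(elem)
        elif tag == "logger" and elem.get("category") == AAA_LDAP_CATEGORY:
            ldap_level = _level(elem)
    # The handler level is a second filter after the logger level: records a
    # FINEST logger emits are still dropped by an INFO handler, so engine.log
    # looks unchanged, which is what happened in this thread.
    if not handler_seen:
        findings.append(f'no <file-handler name="{ENGINE_HANDLER}"> found')
    elif handler_level != "FINEST":
        findings.append(f"file-handler {ENGINE_HANDLER} level is {handler_level}, expected FINEST")
    if ldap_level is None:
        findings.append(f'no <logger category="{AAA_LDAP_CATEGORY}"> with a <level/>; add one at FINEST')
    elif ldap_level != "FINEST":
        findings.append(f"logger {AAA_LDAP_CATEGORY} level is {ldap_level}, expected FINEST")
    return findings


# Constructed fragment in the shape of the stock file before the edits.
BEFORE = b"""<?xml version="1.0" encoding="UTF-8"?>
<server xmlns="urn:jboss:domain:1.1">
  <profile>
    <subsystem xmlns="urn:jboss:domain:logging:1.1">
      <file-handler name="ENGINE" autoflush="true">
        <level name="INFO"/>
        <file relative-to="jboss.server.log.dir" path="engine.log"/>
      </file-handler>
      <logger category="org.ovirt.engine.core.bll">
        <level name="INFO"/>
      </logger>
      <root-logger>
        <level name="INFO"/>
        <handlers><handler name="ENGINE"/></handlers>
      </root-logger>
    </subsystem>
  </profile>
</server>
"""
# The same fragment with both edits applied (handler at FINEST, logger added).
AFTER = BEFORE.replace(
    b'<file-handler name="ENGINE" autoflush="true">\n        <level name="INFO"/>',
    b'<file-handler name="ENGINE" autoflush="true">\n        <level name="FINEST"/>',
).replace(
    b'      <logger category="org.ovirt.engine.core.bll">',
    b'      <logger category="org.ovirt.engineextensions.aaa.ldap">\n'
    b'        <level name="FINEST"/>\n'
    b'      </logger>\n'
    b'      <logger category="org.ovirt.engine.core.bll">',
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = BEFORE  # demonstrate on the constructed stock-like fragment
    for line in check_logging_config(data) or ["OK: both logging edits are in place"]:
        print(line)
```

Run it as `python3 check_logging.py /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in` to check a real file.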

Hi, Alon,

I modified ovirt-engine.xml.in and restarted ovirt-engine.
Attached is the modified ovirt-engine.xml.in.
The engine.log outputs are the following:
(Unfortunately it became the same result.)
-----
2014-09-22 19:48:11,245 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-2) Cant login user "Fumihide" with authentication profile "rxc05271.com" because the authentication failed.
2014-09-22 19:48:11,257 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide cannot login, please verify the username and password.
2014-09-22 19:48:11,265 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide failed to log in.
2014-09-22 19:48:11,266 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-2) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
-----

As the cause of the OpenLDAP user login failure, I suspect that my OpenLDAP password encryption method setting does not match oVirt's. Is there any method to verify?

Thanks,

(2014/09/22 19:15), Alon Bar-Lev wrote:
> You need to add the following:
>
> + <logger category="org.ovirt.engineextensions.aaa.ldap">
> + <level name="FINEST"/>
> + </logger>
> <logger category="org.ovirt.engine.core.bll">
>
> Look at the + lines, please add these (without the +) just before: <logger category="org.ovirt.engine.core.bll">
>
> Thanks!
>
> [...]

Not sure what adds crlf to your file... please use a *NIX editor, please use dos2unix to remove these.

Per our previous discussion, you should modify:

    <file-handler name="ENGINE" autoflush="true">
        <level name="INFO"/>

Into:

    <file-handler name="ENGINE" autoflush="true">
        <level name="FINEST"/>

You should see a difference.

Thanks!

----- Original Message -----
From: "Fumihide Tani" <RXC05271@nifty.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: users@ovirt.org
Sent: Monday, September 22, 2014 2:36:05 PM
Subject: Re: [ovirt-users] Can not configure with simple LDAP.
Hi, Alon,
I modified ovirt-engine.xml.in and restarted ovirt-engine. Attached is the modified ovirt-engine.xml.in. The engine.log output is the following (unfortunately the result is the same):
-----
2014-09-22 19:48:11,245 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-2) Cant login user "Fumihide" with authentication profile "rxc05271.com" because the authentication failed.
2014-09-22 19:48:11,257 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide cannot login, please verify the username and password.
2014-09-22 19:48:11,265 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide failed to log in.
2014-09-22 19:48:11,266 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-2) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
-----
As a cause of the OpenLDAP user login failure, I suspect that my openldap password encryption method setting does not meet what ovirt expects. Is there any method to verify this?
Thanks,
(2014/09/22 19:15), Alon Bar-Lev wrote:
You need to add the following:
+ <logger category="org.ovirt.engineextensions.aaa.ldap">
+ <level name="FINEST"/>
+ </logger>
<logger category="org.ovirt.engine.core.bll">

Look at the + lines, please add these (without the +) just before:

    <logger category="org.ovirt.engine.core.bll">
Thanks!
----- Original Message -----
From: "Fumihide Tani" <RXC05271@nifty.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: users@ovirt.org
Sent: Monday, September 22, 2014 1:10:57 PM
Subject: Re: [ovirt-users] Can not configure with simple LDAP.
(2014/09/22 15:00), Alon Bar-Lev wrote:
----- Original Message -----
From: "Fumihide Tani" <RXC05271@nifty.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: users@ovirt.org
Sent: Monday, September 22, 2014 4:16:17 AM
Subject: Re: [ovirt-users] Can not configure with simple LDAP.
(2014/09/22 0:16), Alon Bar-Lev wrote:
----- Original Message -----
> From: "Fumihide Tani" <RXC05271@nifty.com>
> To: "Alon Bar-Lev" <alonbl@redhat.com>
> Cc: users@ovirt.org
> Sent: Sunday, September 21, 2014 6:00:48 PM
> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>
> Hi, Alon,
>
> Following Alon's advice, I added the authz-company.properties file to the
> configuration directory.
> Then OpenLDAP users can be searched from oVirt Web admin, and I could add
> its users to the portal successfully.
>
> But I have another problem.
> These OpenLDAP users that I added cannot log in to the ovirt web user
> portal.
>
> User Name: Fumihide (This is shown on Web Admin Portal "Users" tab as
> "First Name")
> Password: (I specified it as OpenLDAP's userPassword for "Fumihide")
> Domain: rxc05271.com (I selected it instead of "internal")
>
> ?

1. What error do you get at ui?

"The user name or password is incorrect."
2. Please look at engine.log while attempting to login, if you see something helpful.

2014-09-22 09:53:27,669 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-2) Cant login user "Fumihide" with authentication profile "rxc05271.com" because the authentication failed.
2014-09-22 09:53:27,685 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide cannot login, please verify the username and password.
2014-09-22 09:53:27,693 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide failed to log in.
2014-09-22 09:53:27,693 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-2) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
3. Please make sure that the following is a success:

$ ldapsearch -h <HOST> -x -W -D <LOGIN_USER_DN> -b <BASE_DN> uid=<LOGIN_NAME>

[root@ovirt ~]# ldapsearch -H ldapi:/// -x -W -D "uid=tani,ou=Users,dc=rxc05271,dc=com" -b 'dc=rxc05271,dc=com' -x '(uid=tani)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=rxc05271,dc=com> with scope subtree
# filter: (uid=tani)
# requesting: ALL
#

# tani, Users, rxc05271.com
dn: uid=tani,ou=Users,dc=rxc05271,dc=com
objectClass: inetOrgPerson
objectClass: uidObject
uid: tani
cn: Fumihide Tani
givenName: Fumihide
mail: tani@rxc05271.com
sn: Tani
userPassword:: a3VtaXRhbg==

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@ovirt ~]#
4. If working please modify /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in

---
<file-handler name="ENGINE" autoflush="true">
- <level name="INFO"/>
- <level name="FINEST"/>
<snip>
+ <logger category="org.ovirt.engineextensions.aaa.ldap">
+ <level name="FINEST"/>
+ </logger>
<logger category="org.ovirt.engine.core.bll">
---

Restart engine, attempt login, send me the output.

2014-09-22 10:03:57,517 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-7) Cant login user "Fumihide" with authentication profile "rxc05271.com" because the authentication failed.
2014-09-22 10:03:57,534 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-7) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide cannot login, please verify the username and password.
2014-09-22 10:03:57,545 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-7) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide failed to log in.
2014-09-22 10:03:57,545 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-7) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
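Review bot: in the file-handler fragment both `<level>` lines carry a `-` marker, so as written it removes `<level name="INFO"/>` and `<level name="FINEST"/>` and adds nothing back; the second line should be `+ <level name="FINEST"/>`, which is also what the correction later in this thread says. The logger fragment is consistent: the three `+` lines go immediately before `<logger category="org.ovirt.engine.core.bll">`.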
(Is the logger level not changed to FINEST? The output is the same as above.)
I had a mistake above... the file-handler level should be set to finest.
    <file-handler name="ENGINE" autoflush="true">
        <level name="FINEST"/>
Can you confirm? Or better, send me the engine.xml.in file and I can see what's wrong.
Thanks!

I set the file-handler's level name to "FINEST", but the output is the same as before. I attached the ovirt-engine.xml.in.
Regards,
Thanks, Fumihide Tani

Sorry, I misunderstood. This is the output after the LDAP user logged in.

2014-09-22 21:01:32,619 DEBUG [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (ajp--127.0.0.1-8702-4) doAuthenticateCredentials Entry user='Fumihide'
2014-09-22 21:01:32,620 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) runSequence entry name='authn'
2014-09-22 21:01:32,621 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) Running sequence authn/010/call resolve user
2014-09-22 21:01:32,621 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) VARS-BEGIN
2014-09-22 21:01:32,621 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) _simple_baseDN = dc=rxc05271,dc=com
2014-09-22 21:01:32,622 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) authn_enable = 1
2014-09-22 21:01:32,622 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) capability_credentialsChange = false
2014-09-22 21:01:32,622 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) capability_resucrsiveGroupResolution = false
2014-09-22 21:01:32,623 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) maxFilterSize = 50
2014-09-22 21:01:32,623 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) password = ***
2014-09-22 21:01:32,623 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) search_attr__dn =
2014-09-22 21:01:32,623 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) sensitiveKeys = , password, passwordNew
2014-09-22 21:01:32,624 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsBaseDN = namingContexts
2014-09-22 21:01:32,624 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsGroupRecord = entryUUID, cn, description, memberOf
2014-09-22 21:01:32,624 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsPrincipalRecord = entryUUID, uid, displayName, memberOf, department, givenName, sn, title, mail
2014-09-22 21:01:32,625 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsUserName = uid
2014-09-22 21:01:32,625 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_bindFormat = dn
2014-09-22 21:01:32,626 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_filterGroupObject = (objectClass=groupOfNames)
2014-09-22 21:01:32,626 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_filterUserObject = (objectClass=uidObject)(uid=*)
2014-09-22 21:01:32,626 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) stop = false
2014-09-22 21:01:32,627 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) user = Fumihide
2014-09-22 21:01:32,627 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) VARS-END
2014-09-22 21:01:32,627 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) runSequence entry name='simple-resolve-user'
2014-09-22 21:01:32,627 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) Running sequence simple-resolve-user/010/fetch-record resolve user
2014-09-22 21:01:32,628 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) VARS-BEGIN
2014-09-22 21:01:32,628 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) _simple_baseDN = dc=rxc05271,dc=com
2014-09-22 21:01:32,628 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) authn_enable = 1
2014-09-22 21:01:32,628 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) capability_credentialsChange = false
2014-09-22 21:01:32,629 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) capability_resucrsiveGroupResolution = false
2014-09-22 21:01:32,629 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) maxFilterSize = 50
2014-09-22 21:01:32,629 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) password = ***
2014-09-22 21:01:32,629 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) search_attr__dn =
2014-09-22 21:01:32,630 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) sensitiveKeys = , password, passwordNew
2014-09-22 21:01:32,630 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsBaseDN = namingContexts
2014-09-22 21:01:32,630 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsGroupRecord = entryUUID, cn, description, memberOf
2014-09-22 21:01:32,631 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsPrincipalRecord = entryUUID, uid, displayName, memberOf, department, givenName, sn, title, mail
2014-09-22 21:01:32,631 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsUserName = uid
2014-09-22 21:01:32,631 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_bindFormat = dn
2014-09-22 21:01:32,631 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_filterGroupObject = (objectClass=groupOfNames)
2014-09-22 21:01:32,632 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_filterUserObject = (objectClass=uidObject)(uid=*)
2014-09-22 21:01:32,632 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) stop = false
2014-09-22 21:01:32,632 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) user = Fumihide
2014-09-22 21:01:32,632 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) VARS-END
2014-09-22 21:01:32,633 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) searchOpen Entry name='simple-user-mapping', pageSize=0, limit=5
2014-09-22 21:01:32,633 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) Creating SearchRequest
2014-09-22 21:01:32,634 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) SearchRequest: SearchRequest(baseDN='dc=rxc05271,dc=com', scope=SUB, deref=NEVER, sizeLimit=0, timeLimit=0, filter='&(objectClass=uidObject)(uid=*)(uid=Fumihide)', attrs={entryUUID, uid, displayName, memberOf, department, givenName, sn, title, mail})
2014-09-22 21:01:32,635 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) Entry name='authz'
2014-09-22 21:01:32,635 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) Entry name='map-principal-record'
2014-09-22 21:01:32,635 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) AttrMapInfo Return [AttrMapInfo(PrincipalRecord_DEPARTMENT, STRING, '%s', department), AttrMapInfo(PrincipalRecord_DISPLAY_NAME, STRING, '%s', displayName), AttrMapInfo(PrincipalRecord_DN, STRING, '%s', _dn), AttrMapInfo(PrincipalRecord_EMAIL, STRING, '%s', mail), AttrMapInfo(PrincipalRecord_FIRST_NAME, STRING, '%s', givenName), AttrMapInfo(PrincipalRecord_GROUPS_RAW, STRING, '%s', memberOf), AttrMapInfo(PrincipalRecord_ID, STRING, '%s', entryUUID), AttrMapInfo(PrincipalRecord_LAST_NAME, STRING, '%s', sn), AttrMapInfo(PrincipalRecord_NAME, STRING, '%s', uid), AttrMapInfo(PrincipalRecord_PRINCIPAL, STRING, '%s', uid), AttrMapInfo(PrincipalRecord_TITLE, STRING, '%s', title)]
2014-09-22 21:01:32,637 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) SearchOpen Return SearchInstance(searchRequest='SearchRequest(baseDN='dc=rxc05271,dc=com', scope=SUB, deref=NEVER, sizeLimit=0, timeLimit=0, filter='&(objectClass=uidObject)(uid=*)(uid=Fumihide)', attrs={entryUUID, uid, displayName, memberOf, department, givenName, sn, title, mail})', doPaging=true, resumeCookie='null', pageSize=100, limitLeft=5, done=false)
2014-09-22 21:01:32,638 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) Enter
2014-09-22 21:01:32,638 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) SearchRequest: SearchRequest(baseDN='dc=rxc05271,dc=com', scope=SUB, deref=NEVER, sizeLimit=0, timeLimit=0, filter='&(objectClass=uidObject)(uid=*)(uid=Fumihide)', attrs={entryUUID, uid, displayName, memberOf, department, givenName, sn, title, mail}, controls={SimplePagedResultsControl(pageSize=100, isCritical=false)})
2014-09-22 21:01:32,640 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) SearchResult: SearchResult(resultCode=0 (success), messageID=3, entriesReturned=0, referencesReturned=0, responseControls={SimplePagedResultsControl(pageSize=0, isCritical=false)})
2014-09-22 21:01:32,641 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) SearchReferences: []
2014-09-22 21:01:32,641 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) SearchReferences: []
2014-09-22 21:01:32,641 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) Return: null
2014-09-22 21:01:32,642 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) End sequence simple-resolve-user resolve user
2014-09-22 21:01:32,642 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) VARS-BEGIN
2014-09-22 21:01:32,642 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) _simple_baseDN = dc=rxc05271,dc=com
2014-09-22 21:01:32,643 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) authn_enable = 1
2014-09-22 21:01:32,643 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) capability_credentialsChange = false
2014-09-22 21:01:32,643 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) capability_resucrsiveGroupResolution = false
2014-09-22 21:01:32,643 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) maxFilterSize = 50
2014-09-22 21:01:32,644 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) password = ***
2014-09-22 21:01:32,644 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) sensitiveKeys = , password, passwordNew
2014-09-22 21:01:32,644 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsBaseDN = namingContexts
2014-09-22 21:01:32,644 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsGroupRecord = entryUUID, cn, description, memberOf
2014-09-22 21:01:32,645 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsPrincipalRecord = entryUUID, uid, displayName, memberOf, department, givenName, sn, title, mail
2014-09-22 21:01:32,645 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsUserName = uid
2014-09-22 21:01:32,645 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_bindFormat = dn
2014-09-22 21:01:32,646 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_filterGroupObject = (objectClass=groupOfNames)
2014-09-22 21:01:32,646 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_filterUserObject = (objectClass=uidObject)(uid=*)
2014-09-22 21:01:32,646 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) stop = false
2014-09-22 21:01:32,646 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) user = Fumihide
2014-09-22 21:01:32,647 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) VARS-END
2014-09-22 21:01:32,647 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) Running sequence simple-resolve-user/020/call no user?
2014-09-22 21:01:32,647 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) VARS-BEGIN
2014-09-22 21:01:32,648 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) _simple_baseDN = dc=rxc05271,dc=com
2014-09-22 21:01:32,648 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) authn_enable = 1
2014-09-22 21:01:32,648 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) capability_credentialsChange = false
2014-09-22 21:01:32,648 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) capability_resucrsiveGroupResolution = false
2014-09-22 21:01:32,649 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) maxFilterSize = 50
2014-09-22 21:01:32,649 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) password = ***
2014-09-22 21:01:32,649 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) sensitiveKeys = , password, passwordNew
2014-09-22 21:01:32,649 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsBaseDN = namingContexts
2014-09-22 21:01:32,650 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsGroupRecord = entryUUID, cn, description, memberOf
2014-09-22 21:01:32,650 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsPrincipalRecord = entryUUID, uid, displayName, memberOf, department, givenName, sn, title, mail
2014-09-22 21:01:32,650 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsUserName = uid
2014-09-22 21:01:32,651 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_bindFormat = dn
2014-09-22 21:01:32,651 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_filterGroupObject = (objectClass=groupOfNames)
2014-09-22 21:01:32,651 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_filterUserObject = (objectClass=uidObject)(uid=*)
2014-09-22 21:01:32,652 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) stop = false
2014-09-22 21:01:32,652 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) user = Fumihide
2014-09-22 21:01:32,652 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) VARS-END
2014-09-22 21:01:32,652 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) runSequence entry name='simple-resolve-user-error'
2014-09-22 21:01:32,653 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) Running sequence simple-resolve-user-error/010/var-set error
2014-09-22 21:01:32,653 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) VARS-BEGIN
2014-09-22 21:01:32,653 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) _simple_baseDN = dc=rxc05271,dc=com
2014-09-22 21:01:32,653 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) authn_enable = 1
2014-09-22 21:01:32,654 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) capability_credentialsChange = false
2014-09-22 21:01:32,654 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) capability_resucrsiveGroupResolution = false
2014-09-22 21:01:32,654 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) maxFilterSize = 50
2014-09-22 21:01:32,654 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) password = ***
2014-09-22 21:01:32,655 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) sensitiveKeys = , password, passwordNew
2014-09-22 21:01:32,655 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsBaseDN = namingContexts
2014-09-22 21:01:32,655 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsGroupRecord = entryUUID, cn, description, memberOf
2014-09-22 21:01:32,656 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsPrincipalRecord = entryUUID, uid, displayName, memberOf, department, givenName, sn, title, mail
2014-09-22 21:01:32,656 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsUserName = uid
2014-09-22 21:01:32,656 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_bindFormat = dn
2014-09-22 21:01:32,656 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_filterGroupObject = (objectClass=groupOfNames)
2014-09-22 21:01:32,657 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_filterUserObject = (objectClass=uidObject)(uid=*)
2014-09-22 21:01:32,657 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) stop = false
2014-09-22 21:01:32,657 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) user = Fumihide
2014-09-22 21:01:32,658 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) VARS-END
2014-09-22 21:01:32,658 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) End sequence simple-resolve-user-error error
2014-09-22 21:01:32,658 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) VARS-BEGIN
2014-09-22 21:01:32,658 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) _simple_baseDN = dc=rxc05271,dc=com
2014-09-22 21:01:32,659 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) authn_enable = 1
2014-09-22 21:01:32,659 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) capability_credentialsChange = false
2014-09-22 21:01:32,659 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) capability_resucrsiveGroupResolution = false
2014-09-22 21:01:32,659 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) maxFilterSize = 50
2014-09-22 21:01:32,660 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) password = ***
2014-09-22 21:01:32,660 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) resultCode = INVALID_CREDENTIALS
2014-09-22 21:01:32,660 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) sensitiveKeys = , password, passwordNew
2014-09-22 21:01:32,660 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsBaseDN = namingContexts
2014-09-22 21:01:32,661 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsGroupRecord = entryUUID, cn, description, memberOf
2014-09-22 21:01:32,661 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsPrincipalRecord = entryUUID, uid, displayName, memberOf, department, givenName, sn, title, mail
2014-09-22 21:01:32,661 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsUserName = uid
2014-09-22 21:01:32,662 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_bindFormat = dn
2014-09-22 21:01:32,662 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_filterGroupObject = (objectClass=groupOfNames)
2014-09-22 21:01:32,662 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_filterUserObject = (objectClass=uidObject)(uid=*)
2014-09-22 21:01:32,663 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) stop = false
2014-09-22 21:01:32,663 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) user = Fumihide
2014-09-22 21:01:32,663 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) VARS-END
2014-09-22 21:01:32,663 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) Running sequence simple-resolve-user-error/020/var-set error
2014-09-22 21:01:32,664 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) VARS-BEGIN
2014-09-22 21:01:32,664 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) _simple_baseDN = dc=rxc05271,dc=com
2014-09-22 21:01:32,664 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) authn_enable = 1
2014-09-22 21:01:32,664 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) capability_credentialsChange = false
2014-09-22 21:01:32,665 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) capability_resucrsiveGroupResolution = false
2014-09-22 21:01:32,665 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) maxFilterSize = 50
2014-09-22 21:01:32,665 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) password = ***
2014-09-22 21:01:32,665 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) resultCode = INVALID_CREDENTIALS
2014-09-22 21:01:32,666 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) sensitiveKeys = , password, passwordNew
2014-09-22 21:01:32,666 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsBaseDN = namingContexts
2014-09-22 21:01:32,666 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsGroupRecord = entryUUID, cn, description, memberOf
2014-09-22 21:01:32,667 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsPrincipalRecord = entryUUID, uid, displayName, memberOf, department, givenName, sn, title, mail
2014-09-22 21:01:32,667 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsUserName = uid
2014-09-22 21:01:32,667 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_bindFormat = dn
2014-09-22 21:01:32,668 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_filterGroupObject = (objectClass=groupOfNames)
2014-09-22 21:01:32,668 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_filterUserObject = (objectClass=uidObject)(uid=*)
2014-09-22 21:01:32,668 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) stop = false
2014-09-22 21:01:32,668 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) user = Fumihide
2014-09-22 21:01:32,669 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) VARS-END
2014-09-22 21:01:32,669 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) End sequence simple-resolve-user-error error
2014-09-22 21:01:32,669 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) VARS-BEGIN
2014-09-22 21:01:32,670 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) _simple_baseDN = dc=rxc05271,dc=com
2014-09-22 21:01:32,670 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) authTranslatedMessage = CREDENTIALS_INVALID
2014-09-22 21:01:32,670 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) authn_enable = 1
2014-09-22 21:01:32,671 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) capability_credentialsChange = false
2014-09-22 21:01:32,671 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) capability_resucrsiveGroupResolution = false
2014-09-22 21:01:32,672 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) maxFilterSize = 50
2014-09-22 21:01:32,672 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) password = ***
2014-09-22 21:01:32,673 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) resultCode = INVALID_CREDENTIALS
2014-09-22 21:01:32,673 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) sensitiveKeys = , password, passwordNew
2014-09-22 21:01:32,674 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsBaseDN = namingContexts
2014-09-22 21:01:32,674 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsGroupRecord = entryUUID, cn, description, memberOf
2014-09-22 21:01:32,675 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsPrincipalRecord = entryUUID, uid, displayName, memberOf, department, givenName, sn, title, mail
2014-09-22 21:01:32,675 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsUserName = uid
2014-09-22 21:01:32,676 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_bindFormat = dn
2014-09-22 21:01:32,676 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_filterGroupObject = (objectClass=groupOfNames)
2014-09-22 21:01:32,677 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_filterUserObject = (objectClass=uidObject)(uid=*)
2014-09-22 21:01:32,677 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) stop = false
2014-09-22 21:01:32,677 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) user = Fumihide
2014-09-22 21:01:32,677 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) VARS-END
2014-09-22 21:01:32,678 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) Running sequence simple-resolve-user-error/030/stop stop
2014-09-22 21:01:32,678 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) VARS-BEGIN
2014-09-22 21:01:32,678 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) _simple_baseDN = dc=rxc05271,dc=com
2014-09-22 21:01:32,679 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) authTranslatedMessage = CREDENTIALS_INVALID
2014-09-22 21:01:32,679 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) authn_enable = 1
2014-09-22 21:01:32,679 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) capability_credentialsChange = false
2014-09-22 21:01:32,679 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) capability_resucrsiveGroupResolution = false
2014-09-22 21:01:32,680 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) maxFilterSize = 50
2014-09-22 21:01:32,680 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) password = ***
2014-09-22 21:01:32,680 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) resultCode = INVALID_CREDENTIALS
2014-09-22 21:01:32,680 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) sensitiveKeys = , password, passwordNew
2014-09-22 21:01:32,681 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsBaseDN = namingContexts
2014-09-22 21:01:32,681 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsGroupRecord = entryUUID, cn, description, memberOf
2014-09-22 21:01:32,681 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsPrincipalRecord = entryUUID, uid, displayName, memberOf, department, givenName, sn, title, mail
2014-09-22 21:01:32,682 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsUserName = uid
2014-09-22 21:01:32,682 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_bindFormat = dn 2014-09-22 21:01:32,682 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_filterGroupObject = (objectClass=groupOfNames) 2014-09-22 21:01:32,683 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_filterUserObject = (objectClass=uidObject)(uid=*) 2014-09-22 21:01:32,683 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) stop = false 2014-09-22 21:01:32,683 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) user = Fumihide 2014-09-22 21:01:32,683 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) VARS-END 2014-09-22 21:01:32,684 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) End sequence simple-resolve-user-error stop 2014-09-22 21:01:32,684 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) VARS-BEGIN 2014-09-22 21:01:32,684 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) _simple_baseDN = dc=rxc05271,dc=com 2014-09-22 21:01:32,684 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) authTranslatedMessage = CREDENTIALS_INVALID 2014-09-22 21:01:32,685 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) authn_enable = 1 2014-09-22 21:01:32,685 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) capability_credentialsChange = false 2014-09-22 21:01:32,685 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) capability_resucrsiveGroupResolution = false 2014-09-22 21:01:32,685 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) maxFilterSize = 50 2014-09-22 21:01:32,686 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) password = *** 2014-09-22 21:01:32,686 TRACE 
[org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) resultCode = INVALID_CREDENTIALS 2014-09-22 21:01:32,686 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) sensitiveKeys = , password, passwordNew 2014-09-22 21:01:32,686 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsBaseDN = namingContexts 2014-09-22 21:01:32,687 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsGroupRecord = entryUUID, cn, description, memberOf 2014-09-22 21:01:32,687 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsPrincipalRecord = entryUUID, uid, displayName, memberOf, department, givenName, sn, title, mail 2014-09-22 21:01:32,687 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsUserName = uid 2014-09-22 21:01:32,688 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_bindFormat = dn 2014-09-22 21:01:32,688 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_filterGroupObject = (objectClass=groupOfNames) 2014-09-22 21:01:32,688 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_filterUserObject = (objectClass=uidObject)(uid=*) 2014-09-22 21:01:32,689 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) stop = true 2014-09-22 21:01:32,689 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) user = Fumihide 2014-09-22 21:01:32,689 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) VARS-END 2014-09-22 21:01:32,689 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) runSequence Return name='simple-resolve-user-error' 2014-09-22 21:01:32,690 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) End sequence simple-resolve-user no user? 
2014-09-22 21:01:32,690 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) VARS-BEGIN 2014-09-22 21:01:32,690 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) _simple_baseDN = dc=rxc05271,dc=com 2014-09-22 21:01:32,690 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) authTranslatedMessage = CREDENTIALS_INVALID 2014-09-22 21:01:32,691 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) authn_enable = 1 2014-09-22 21:01:32,691 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) capability_credentialsChange = false 2014-09-22 21:01:32,691 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) capability_resucrsiveGroupResolution = false 2014-09-22 21:01:32,691 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) maxFilterSize = 50 2014-09-22 21:01:32,692 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) password = *** 2014-09-22 21:01:32,692 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) resultCode = INVALID_CREDENTIALS 2014-09-22 21:01:32,692 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) sensitiveKeys = , password, passwordNew 2014-09-22 21:01:32,692 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsBaseDN = namingContexts 2014-09-22 21:01:32,693 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsGroupRecord = entryUUID, cn, description, memberOf 2014-09-22 21:01:32,693 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsPrincipalRecord = entryUUID, uid, displayName, memberOf, department, givenName, sn, title, mail 2014-09-22 21:01:32,693 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsUserName = uid 2014-09-22 21:01:32,694 TRACE 
[org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_bindFormat = dn 2014-09-22 21:01:32,694 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_filterGroupObject = (objectClass=groupOfNames) 2014-09-22 21:01:32,694 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_filterUserObject = (objectClass=uidObject)(uid=*) 2014-09-22 21:01:32,694 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) stop = true 2014-09-22 21:01:32,695 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) user = Fumihide 2014-09-22 21:01:32,695 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) VARS-END 2014-09-22 21:01:32,695 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) runSequence Return name='simple-resolve-user' 2014-09-22 21:01:32,695 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) End sequence authn resolve user 2014-09-22 21:01:32,696 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) VARS-BEGIN 2014-09-22 21:01:32,696 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) _simple_baseDN = dc=rxc05271,dc=com 2014-09-22 21:01:32,696 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) authTranslatedMessage = CREDENTIALS_INVALID 2014-09-22 21:01:32,696 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) authn_enable = 1 2014-09-22 21:01:32,697 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) capability_credentialsChange = false 2014-09-22 21:01:32,697 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) capability_resucrsiveGroupResolution = false 2014-09-22 21:01:32,697 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) maxFilterSize = 50 2014-09-22 21:01:32,697 TRACE 
[org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) password = *** 2014-09-22 21:01:32,698 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) resultCode = INVALID_CREDENTIALS 2014-09-22 21:01:32,698 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) sensitiveKeys = , password, passwordNew 2014-09-22 21:01:32,698 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsBaseDN = namingContexts 2014-09-22 21:01:32,699 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsGroupRecord = entryUUID, cn, description, memberOf 2014-09-22 21:01:32,699 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsPrincipalRecord = entryUUID, uid, displayName, memberOf, department, givenName, sn, title, mail 2014-09-22 21:01:32,699 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_attrsUserName = uid 2014-09-22 21:01:32,699 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_bindFormat = dn 2014-09-22 21:01:32,700 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_filterGroupObject = (objectClass=groupOfNames) 2014-09-22 21:01:32,700 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) simple_filterUserObject = (objectClass=uidObject)(uid=*) 2014-09-22 21:01:32,700 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) stop = true 2014-09-22 21:01:32,701 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) user = Fumihide 2014-09-22 21:01:32,701 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) VARS-END 2014-09-22 21:01:32,701 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) runSequence Return name='authn' 2014-09-22 21:01:32,702 DEBUG 
[org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (ajp--127.0.0.1-8702-4) doAuthenticateCredentials Return {Extkey[name=AAA_AUTHN_RESULT;type=class java.lang.Integer;uuid=AAA_AUTHN_RESULT[af9771dc-a0bb-417d-a700-277616aedd85];]=12} 2014-09-22 21:01:32,702 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-4) Cant login user "Fumihide" with authentication profile "rxc05271.com" because the authentication failed. 2014-09-22 21:01:32,713 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-4) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide cannot login, please verify the username and password. 2014-09-22 21:01:32,724 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-4) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide failed to log in. 2014-09-22 21:01:32,724 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-4) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD (2014/09/22 20:41), Alon Bar-Lev wrote:
Not sure what adds CRLF to your file... please use a *NIX editor, and please use dos2unix to remove these.

Per our previous discussion, you should modify:
<file-handler name="ENGINE" autoflush="true">
<level name="INFO"/>
Into:
<file-handler name="ENGINE" autoflush="true">
<level name="FINEST"/>

You should see a difference.

Thanks!
----- Original Message -----
From: "Fumihide Tani" <RXC05271@nifty.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: users@ovirt.org
Sent: Monday, September 22, 2014 2:36:05 PM
Subject: Re: [ovirt-users] Can not configure with simple LDAP.
Hi, Alon,
I modified ovirt-engine.xml.in and restarted ovirt-engine. Attached is the modified ovirt-engine.xml.in. The engine.log outputs are the following: (Unfortunately it became the same result.)

-----
2014-09-22 19:48:11,245 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-2) Cant login user "Fumihide" with authentication profile "rxc05271.com" because the authentication failed.
2014-09-22 19:48:11,257 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide cannot login, please verify the username and password.
2014-09-22 19:48:11,265 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide failed to log in.
2014-09-22 19:48:11,266 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-2) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
-----

As the cause of the OpenLDAP user login failure, I suspect that my OpenLDAP password encryption method setting does not match oVirt's. Is there any method to verify?
Thanks,
(2014/09/22 19:15), Alon Bar-Lev wrote:
You need to add the following:
+ <logger category="org.ovirt.engineextensions.aaa.ldap">
+ <level name="FINEST"/>
+ </logger>
<logger category="org.ovirt.engine.core.bll">
Look at the + lines, please add these (without the +) just before: <logger category="org.ovirt.engine.core.bll">
Thanks!
----- Original Message -----
From: "Fumihide Tani" <RXC05271@nifty.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: users@ovirt.org
Sent: Monday, September 22, 2014 1:10:57 PM
Subject: Re: [ovirt-users] Can not configure with simple LDAP.
(2014/09/22 15:00), Alon Bar-Lev wrote:
----- Original Message -----
From: "Fumihide Tani" <RXC05271@nifty.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: users@ovirt.org
Sent: Monday, September 22, 2014 4:16:17 AM
Subject: Re: [ovirt-users] Can not configure with simple LDAP.
(2014/09/22 0:16), Alon Bar-Lev wrote:
> ----- Original Message -----
>> From: "Fumihide Tani" <RXC05271@nifty.com>
>> To: "Alon Bar-Lev" <alonbl@redhat.com>
>> Cc: users@ovirt.org
>> Sent: Sunday, September 21, 2014 6:00:48 PM
>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>>
>> Hi, Alon,
>>
>> Following Alon's advice, I added the authz-company.properties file to the configuration directory.
>> Then OpenLDAP users can be searched from the oVirt Web Admin, and I could add its users to the portal successfully.
>>
>> But I have another problem.
>> These OpenLDAP users that I added can not login to the oVirt web user portal.
>>
>> User Name: Fumihide (This is shown on the Web Admin Portal "Users" tab as "First Name")
>> Password: (I specified it as OpenLDAP's userPassword for "Fumihide")
>> Domain: rxc05271.com (I selected it instead of "internal")
>>
>> ?
> 1. What error do you get at ui?

"The user name or password is incorrect."

> 2. Please look at engine.log while attempting to login, if you see
> something helpful.

2014-09-22 09:53:27,669 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-2) Cant login user "Fumihide" with authentication profile "rxc05271.com" because the authentication failed.
2014-09-22 09:53:27,685 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide cannot login, please verify the username and password.
2014-09-22 09:53:27,693 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide failed to log in.
2014-09-22 09:53:27,693 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-2) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
> 3. Please make sure that the following is a success:
> $ ldapsearch -h <HOST> -x -W -D <LOGIN_USER_DN> -b <BASE_DN>
> uid=<LOGIN_NAME>

[root@ovirt ~]# ldapsearch -H ldapi:/// -x -W -D "uid=tani,ou=Users,dc=rxc05271,dc=com" -b 'dc=rxc05271,dc=com' -x '(uid=tani)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=rxc05271,dc=com> with scope subtree
# filter: (uid=tani)
# requesting: ALL
#

# tani, Users, rxc05271.com
dn: uid=tani,ou=Users,dc=rxc05271,dc=com
objectClass: inetOrgPerson
objectClass: uidObject
uid: tani
cn: Fumihide Tani
givenName: Fumihide
mail: tani@rxc05271.com
sn: Tani
userPassword:: a3VtaXRhbg==

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@ovirt ~]#
> 4. If working please modify
> /usr/share/ovirt-enigne/services/ovirt-enigne/ovirt-enigne.xml.in
> ---
> <file-handler name="ENGINE" autoflush="true">
> - <level name="INFO"/>
> - <level name="FINEST"/>
> <snip>
> + <logger category="org.ovirt.engineextensions.aaa.ldap">
> + <level name="FINEST"/>
> + </logger>
> <logger category="org.ovirt.engine.core.bll">
> ---
> Restart engine, attempt login, send me the output.

2014-09-22 10:03:57,517 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-7) Cant login user "Fumihide" with authentication profile "rxc05271.com" because the authentication failed.
2014-09-22 10:03:57,534 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-7) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide cannot login, please verify the username and password.
2014-09-22 10:03:57,545 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-7) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide failed to log in.
2014-09-22 10:03:57,545 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-7) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
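Review bot: in the quoted file-handler edit both `<level>` lines carry a `-` marker, so applied literally it removes `<level name="INFO"/>` and never adds the FINEST level; the second line should read `+ <level name="FINEST"/>`, which is what the follow-up in this thread corrects it to. The path `/usr/share/ovirt-enigne/services/ovirt-enigne/ovirt-enigne.xml.in` also misspells "engine" three times; elsewhere in the thread the file is referred to as ovirt-engine.xml.in, so anyone copying the path as written will not find the file.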
(logger level is not changed to FINEST? The outputs are the same as above.)

I had a mistake above... the file-handler level should be set to finest.

<file-handler name="ENGINE" autoflush="true">
<level name="FINEST"/>

can you confirm? or best send me the engine.xml.in file and I can see what's wrong.

thanks!

I set the file-handler's level name to "FINEST", but the outputs are the same as before. I attached the ovirt-engine.xml.in.
Regards,
Thanks, Fumihide Tani
>> Please advise me, I would be so thankful.
>>
>> Fumihide Tani
>>
>>
>> (2014/09/21 17:13), Alon Bar-Lev wrote:
>>> ----- Original Message -----
>>>> From: "Fumihide Tani" <RXC05271@nifty.com>
>>>> To: "Alon Bar-Lev" <alonbl@redhat.com>
>>>> Cc: users@ovirt.org
>>>> Sent: Sunday, September 21, 2014 11:11:11 AM
>>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>>>>
>>>> Hi, Alon
>>>>
>>>> Very thanks for your help.
>>>> My problem was solved and the AAA is working now.
>>>> I could add LDAP user. :)
>>> Great.
>>> Can you please send me a patch or modified README to make it better?
>>>
>>> Alon
>>>
>>>> Fumihide Tani
>>>>
>>>> (2014/09/21 16:19), Alon Bar-Lev wrote:
>>>>> ----- Original Message -----
>>>>>> From: "Alon Bar-Lev" <alonbl@redhat.com>
>>>>>> To: "Fumihide Tani" <RXC05271@nifty.com>
>>>>>> Cc: users@ovirt.org
>>>>>> Sent: Sunday, September 21, 2014 10:19:11 AM
>>>>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> You need to create authz extension as well (authz-company).
>>>>>> The configuration you provided is establishing authentication only (authn)
>>>>>> which refers to authz-company but you did not add it.
>>>>>>
>>>>>> The terms are:
>>>>>> 1. authn - who the user is.
>>>>>> 2. authz - what user is permitted.
>>>>>> 3. profile - combination of the two.
>>>>>>
>>>>>> -----------------------------
>>>>>> # vi /etc/ovirt-engine/extensions.d/authz-company.properties
>>>>>> ovirt.engine.extension.name = authz-company
>>>>>> ovirt.engine.extension.bindings.method = jbossmodule
>>>>>> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>>>>>> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
>>>>> Sorry:
>>>>> org.ovirt.engineextensions.aaa.ldap.AuthzExtension
>>>>>> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
>>>>>> config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
>>>>>> --------------------------------------------------
>>>>>>
>>>>>> Regards,
>>>>>> Alon

----- Original Message -----
From: "Fumihide Tani" <RXC05271@nifty.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: users@ovirt.org
Sent: Monday, September 22, 2014 3:06:39 PM
Subject: Re: [ovirt-users] Can not configure with simple LDAP.
Sorry, I misunderstood.
This is the output after the LDAP user logged in.
Please attach log as files, not inline, easier to handle.

2014-09-22 21:01:32,638 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) SearchRequest: SearchRequest(baseDN='dc=rxc05271,dc=com', scope=SUB, deref=NEVER, sizeLimit=0, timeLimit=0, filter='&(objectClass=uidObject)(uid=*)(uid=Fumihide)', attrs={entryUUID, uid, displayName, memberOf, department, givenName, sn, title, mail}, controls={SimplePagedResultsControl(pageSize=100, isCritical=false)})
2014-09-22 21:01:32,640 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) SearchResult: SearchResult(resultCode=0 (success), messageID=3, entriesReturned=0, referencesReturned=0, responseControls={SimplePagedResultsControl(pageSize=0, isCritical=false)})
From the above I see that a search was issued: &(objectClass=uidObject)(uid=*)(uid=Fumihide) And no result returned.
Per previous output:
---
# tani, Users, rxc05271.com
dn: uid=tani,ou=Users,dc=rxc05271,dc=com
objectClass: inetOrgPerson
objectClass: uidObject
uid: tani
cn: Fumihide Tani
givenName: Fumihide
mail: tani@rxc05271.com
sn: Tani
userPassword:: a3VtaXRhbg==
---
Your user name is tani and not Fumihide.

Alon
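As an added example, not code from this thread or from oVirt/ovirt-engine-extension-aaa-ldap, the Python below replays the diagnosis above offline. It takes constructed, abridged copies of the two engine.log lines, plus the user entry from the earlier ldapsearch output (without userPassword), pulls the filter and entriesReturned out of the log, and evaluates that filter against the entry with a small RFC 4515 evaluator (and, or, not, equality, presence). The third term `(uid=Fumihide)` fails because the entry's uid is `tani`; the same filter with `(uid=tani)` matches. Function names and the case-insensitive comparison are my choices; the real matching is done by slapd, not by the engine.

```python
# Added example (not oVirt or aaa-ldap code): replay the engine's user lookup
# offline to see why the logged SearchResult carried entriesReturned=0.
import re

# Constructed, abridged copies of the two engine.log lines quoted in the thread.
ENGINE_LOG = (
    "2014-09-22 21:01:32,638 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) "
    "SearchRequest: SearchRequest(baseDN='dc=rxc05271,dc=com', scope=SUB, "
    "filter='&(objectClass=uidObject)(uid=*)(uid=Fumihide)', attrs={entryUUID, uid, memberOf})\n"
    "2014-09-22 21:01:32,640 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) "
    "SearchResult: SearchResult(resultCode=0 (success), messageID=3, entriesReturned=0, referencesReturned=0)\n"
)

# The user entry as ldapsearch printed it earlier in the thread, userPassword left out.
USER_LDIF = """\
dn: uid=tani,ou=Users,dc=rxc05271,dc=com
objectClass: inetOrgPerson
objectClass: uidObject
uid: tani
cn: Fumihide Tani
givenName: Fumihide
mail: tani@rxc05271.com
sn: Tani
"""

SEARCH_RE = re.compile(r"SearchRequest\(.*?filter='(?P<filter>[^']*)'")
RESULT_RE = re.compile(r"SearchResult\(.*?entriesReturned=(?P<n>\d+)")


def parse_ldif(text):
    """Read one LDIF entry into {attribute (lower-cased): [values]}; base64 ('::') values are skipped."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#") or "::" in line:
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def parse_search_log(log):
    """Pull the filter the engine sent and how many entries came back."""
    out = {}
    for line in log.splitlines():
        m = SEARCH_RE.search(line)
        if m:
            out["filter"] = m.group("filter")
        m = RESULT_RE.search(line)
        if m:
            out["entries_returned"] = int(m.group("n"))
    return out


def _parse(s, i):
    """Parse the filter item starting at s[i] == '('; return (node, next index)."""
    assert s[i] == "(", "filter item must start with '('"
    i += 1
    if s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        assert s[i] == ")", "unterminated compound filter"
        return (op, children), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.strip().lower(), value), j + 1


def _eval(node, entry):
    op = node[0]
    if op == "&":
        return all(_eval(c, entry) for c in node[1])
    if op == "|":
        return any(_eval(c, entry) for c in node[1])
    if op == "!":
        return not _eval(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":  # presence filter
        return bool(values)
    # uid and objectClass use caseIgnoreMatch in the standard schema; assumed here for every attribute.
    return any(v.lower() == value.lower() for v in values)


def evaluate_filter(flt, entry):
    """True if the RFC 4515 filter (&, |, !, equality, presence) matches the entry.
    The engine logs compound filters without the outer parentheses, so add them back."""
    flt = flt.strip()
    if flt and flt[0] in "&|!":
        flt = "(" + flt + ")"
    node, end = _parse(flt, 0)
    assert end == len(flt), "trailing text after filter"
    return _eval(node, entry)


def diagnose(log, ldif):
    """Explain an empty SearchResult by replaying the logged filter locally."""
    search = parse_search_log(log)
    entry = parse_ldif(ldif)
    flt = search["filter"]
    login = re.search(r"\(uid=([^*)]+)\)", flt)
    return {
        "filter": flt,
        "entries_returned": search["entries_returned"],
        "login_name": login.group(1) if login else None,
        "uid_values": entry.get("uid", []),
        "filter_matches_entry": evaluate_filter(flt, entry),
    }
```

Calling `diagnose(ENGINE_LOG, USER_LDIF)` returns the login name the engine put into the filter (`Fumihide`), the entry's uid values (`['tani']`) and `filter_matches_entry` as `False`, which is exactly the empty result the log shows. Since the TRACE output earlier in this message lists `simple_attrsUserName = uid`, the name typed into the portal has to be the uid value, not the givenName shown in the Admin Portal's "First Name" column.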

Hi, Alon,

Your requested engine.log attached.

Also, I tried to login to web user portal by "tani"

User Name: tani
Password: (OpenLDAP userPassword)
Domain: rxc05271.com

cause: "General command validation failure."

Attached log includes login by "Fumihide" first, "tani" second.

Very thanks,

(2014/09/22 21:24), Alon Bar-Lev wrote:
----- Original Message -----
From: "Fumihide Tani" <RXC05271@nifty.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: users@ovirt.org
Sent: Monday, September 22, 2014 3:06:39 PM
Subject: Re: [ovirt-users] Can not configure with simple LDAP.
Sorry, I misunderstood.
This is the output after the LDAP user logged in.

Please attach log as files, not inline, easier to handle.
2014-09-22 21:01:32,638 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) SearchRequest: SearchRequest(baseDN='dc=rxc05271,dc=com', scope=SUB, deref=NEVER, sizeLimit=0, timeLimit=0, filter='&(objectClass=uidObject)(uid=*)(uid=Fumihide)', attrs={entryUUID, uid, displayName, memberOf, department, givenName, sn, title, mail}, controls={SimplePagedResultsControl(pageSize=100, isCritical=false)})
2014-09-22 21:01:32,640 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) SearchResult: SearchResult(resultCode=0 (success), messageID=3, entriesReturned=0, referencesReturned=0, responseControls={SimplePagedResultsControl(pageSize=0, isCritical=false)})
From the above I see that a search was issued: &(objectClass=uidObject)(uid=*)(uid=Fumihide) And no result returned.
Per previous output:
---
# tani, Users, rxc05271.com
dn: uid=tani,ou=Users,dc=rxc05271,dc=com
objectClass: inetOrgPerson
objectClass: uidObject
uid: tani
cn: Fumihide Tani
givenName: Fumihide
mail: tani@rxc05271.com
sn: Tani
userPassword:: a3VtaXRhbg==
---
Your user name is tani and not Fumihide.
Alon

The version of engine you are using is probably out of date and unsynced with the latest ldap package (20140821064931). Please make sure you take the latest from [1].

Thanks!

[1] http://resources.ovirt.org/pub/ovirt-3.5-snapshot/

----- Original Message -----
From: "Fumihide Tani" <RXC05271@nifty.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: users@ovirt.org
Sent: Monday, September 22, 2014 3:42:52 PM
Subject: Re: [ovirt-users] Can not configure with simple LDAP.
Hi, Alon,
Your requested engine.log attached.
Also, I tried to login to web user portal by "tani"
User Name: tani Password: (OpenLDAP userPassword) Domain: rxc05271.com
cause: "General command validation failure."
Attached log includes login by "Fumihide" first, "tani" second.
Very thanks,

Hi, Alon,

Thanks a lot. I'll try the newest ovirt 3.5 release.

(2014/09/22 22:20), Alon Bar-Lev wrote:
The version of engine you are using is probably out of date and unsynced with the latest ldap package (20140821064931). Please make sure you take the latest from [1]. Thanks!
[1] http://resources.ovirt.org/pub/ovirt-3.5-snapshot/
----- Original Message -----
From: "Fumihide Tani" <RXC05271@nifty.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: users@ovirt.org Sent: Monday, September 22, 2014 3:42:52 PM Subject: Re: [ovirt-users] Can not configure with simple LDAP.
Hi, Alon,
Your requested engine.log attached.
Also, I tried to login to web user portal by "tani"
User Name: tani Password: (OpenLDAP userPassword) Domain: rxc05271.com
cause: "General command validation failure."
Attated log includes login by "Fumihide" first, "tani" second.
Very thanks,
(2014/09/22 21:24), Alon Bar-Lev wrote:
----- Original Message -----
From: "Fumihide Tani" <RXC05271@nifty.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: users@ovirt.org Sent: Monday, September 22, 2014 3:06:39 PM Subject: Re: [ovirt-users] Can not configure with simple LDAP.
Sorry, I misunderstood.
This is outputs after LDAP user logged in. Please attach log as files, not inline, easier to handle.
2014-09-22 21:01:32,638 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) SearchRequest: SearchRequest(baseDN='dc=rxc05271,dc=com', scope=SUB, deref=NEVER, sizeLimit=0, timeLimit=0, filter='&(objectClass=uidObject)(uid=*)(uid=Fumihide)', attrs={entryUUID, uid, displayName, memberOf, department, givenName, sn, title, mail}, controls={SimplePagedResultsControl(pageSize=100, isCritical=false)}) 2014-09-22 21:01:32,640 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) SearchResult: SearchResult(resultCode=0 (success), messageID=3, entriesReturned=0, referencesReturned=0, responseControls={SimplePagedResultsControl(pageSize=0, isCritical=false)})
From the above I see that a search was issued: &(objectClass=uidObject)(uid=*)(uid=Fumihide) And no result returned.
Per previous output:
---
# tani, Users, rxc05271.com
dn: uid=tani,ou=Users,dc=rxc05271,dc=com
objectClass: inetOrgPerson
objectClass: uidObject
uid: tani
cn: Fumihide Tani
givenName: Fumihide
mail: tani@rxc05271.com
sn: Tani
userPassword:: a3VtaXRhbg==
---
Your user name is tani and not Fumihide.
Alon

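The diagnosis above (the engine searched for uid=Fumihide, got entriesReturned=0, and the directory's actual uid is tani) is the kind of mismatch that can be spotted mechanically. The script below is an added example for this thread; it is not code from the ovirt-users list or from ovirt-engine-extension-aaa-ldap. It pairs the SearchRequest/SearchResult DEBUG lines that org.ovirt.engineextensions.aaa.ldap.Framework writes to engine.log, pulls the uid out of the filter, and, when a lookup returned nothing, compares the typed name with an LDIF export of the directory. The sample log lines and the LDIF entry are constructed from the values quoted in the thread (userPassword left out); the function names and the regular expressions are my own assumptions about the log format shown here.

```python
"""Diagnose a zero-result oVirt LDAP user lookup from engine.log DEBUG lines.

Added example for this thread, not code from the ovirt-users list or from
ovirt-engine-extension-aaa-ldap. Pairs the SearchRequest/SearchResult lines
logged by org.ovirt.engineextensions.aaa.ldap.Framework, extracts the uid the
engine searched for and, when nothing came back, compares it with an LDIF
export. Log lines and LDIF are constructed from the values quoted in the thread.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: the two DEBUG lines quoted in the thread, one per line.
SAMPLE_LOG = """\
2014-09-22 21:01:32,638 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) SearchRequest: SearchRequest(baseDN='dc=rxc05271,dc=com', scope=SUB, deref=NEVER, sizeLimit=0, timeLimit=0, filter='&(objectClass=uidObject)(uid=*)(uid=Fumihide)', attrs={entryUUID, uid, displayName, memberOf, department, givenName, sn, title, mail}, controls={SimplePagedResultsControl(pageSize=100, isCritical=false)})
2014-09-22 21:01:32,640 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (ajp--127.0.0.1-8702-4) SearchResult: SearchResult(resultCode=0 (success), messageID=3, entriesReturned=0, referencesReturned=0, responseControls={SimplePagedResultsControl(pageSize=0, isCritical=false)})
"""

# Constructed sample directory export (the entry shown in the thread, minus userPassword).
SAMPLE_LDIF = """\
dn: uid=tani,ou=Users,dc=rxc05271,dc=com
objectClass: inetOrgPerson
objectClass: uidObject
uid: tani
cn: Fumihide Tani
givenName: Fumihide
mail: tani@rxc05271.com
sn: Tani
"""

# Assumed log layout: "<date> <time> DEBUG [logger] (<thread>) SearchRequest: ... filter='...'"
REQUEST_RE = re.compile(r"^(?P<ts>\S+ \S+) DEBUG .*\((?P<thread>[^()]+)\) SearchRequest: .*filter='(?P<filter>[^']*)'")
RESULT_RE = re.compile(r"^(?P<ts>\S+ \S+) DEBUG .*\((?P<thread>[^()]+)\) SearchResult: .*entriesReturned=(?P<n>\d+)")
UID_RE = re.compile(r"\(uid=([^()*]+)\)")  # literal uid term; the presence term (uid=*) cannot match


def uid_from_filter(ldap_filter: str) -> Optional[str]:
    """Return the literal uid the filter asks for, or None for a pure presence filter."""
    m = UID_RE.search(ldap_filter)
    return m.group(1) if m else None


def parse_searches(log_text: str) -> List[dict]:
    """Pair every SearchRequest with the next SearchResult logged on the same thread."""
    pending: Dict[str, dict] = {}
    searches: List[dict] = []
    for line in log_text.splitlines():
        req = REQUEST_RE.match(line)
        if req:
            pending[req["thread"]] = {"ts": req["ts"], "filter": req["filter"], "uid": uid_from_filter(req["filter"])}
            continue
        res = RESULT_RE.match(line)
        if res and res["thread"] in pending:
            search = pending.pop(res["thread"])
            search["entries"] = int(res["n"])
            searches.append(search)
    return searches


def parse_ldif(ldif_text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: one dict per entry, attribute -> values. Base64 values
    ('attr:: ...', e.g. userPassword) are skipped; folded continuation lines are not handled."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in ldif_text.splitlines() + [""]:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if line.startswith("#") or value.startswith(":") or not sep:
            continue
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def diagnose(log_text: str, ldif_text: str) -> List[str]:
    """Explain each zero-result uid lookup in terms of what the directory holds."""
    by_uid = {e["uid"][0]: e for e in parse_ldif(ldif_text) if e.get("uid")}
    findings: List[str] = []
    for s in parse_searches(log_text):
        wanted = s["uid"]
        if s["entries"] > 0 or wanted is None:
            continue
        if wanted in by_uid:
            findings.append(f"{s['ts']}: uid={wanted} exists ({by_uid[wanted]['dn'][0]}) but the search "
                            f"returned 0 entries; check baseDN and the objectClass term of {s['filter']}")
            continue
        # Typed name is not a uid: is it some other attribute (cn, givenName, ...) of an entry?
        hits = [(attr, uid) for uid, e in by_uid.items() for attr, vals in e.items()
                if attr != "uid" and wanted in vals]
        if hits:
            findings.append(f"{s['ts']}: no entry has uid={wanted}; '{wanted}' is the {hits[0][0]} of "
                            f"uid={hits[0][1]}, so the portal login name must be {hits[0][1]}")
        else:
            findings.append(f"{s['ts']}: no entry has uid={wanted} and no attribute holds that value")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, SAMPLE_LDIF):
        print(finding)
```

Run against a real engine.log and an `ldapsearch -LLL` dump of the user subtree, the same three outcomes separate the common causes of "General command validation failure" at login: the user typed a display name instead of the uid (the case in this thread), the uid exists but the search base or the objectClass term in the filter does not cover it, or the account is simply not in the directory.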
Hi, Alon,
I have updated the oVirt 3.5 RC2 to the newest RC3 today.
On my CentOS 6.5 based oVirt Engine server and the oVirt Host server:
# yum clean all
# yum update
Then I rebooted these servers.
But my LDAP problem continues, with the same result as before.
When I log in to the oVirt User Portal,
User Name: tani
Password: (OpenLDAP's userPassword)
Domain: rxc05271.com
the UI displays "General command validation failure."
Please advise.
Thanks,
Fumihide Tani
(2014/09/22 22:20), Alon Bar-Lev wrote:
The version of engine you are using is probably out of date and unsynced with the latest ldap package (20140821064931). Please make sure you take the latest from [1]. Thanks!
[1] http://resources.ovirt.org/pub/ovirt-3.5-snapshot/

----- Original Message -----
From: "Fumihide Tani" <RXC05271@nifty.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: users@ovirt.org
Sent: Wednesday, September 24, 2014 3:24:23 PM
Subject: Re: [ovirt-users] Can not configure with simple LDAP.
Hi, Alon,
I have updated the oVirt 3.5 RC2 to the newest RC3 today.
On my CentOS 6.5 based oVirt Engine server and the oVirt Host server:
# yum clean all
# yum update
Then I rebooted these servers.
But my LDAP problem continues, with the same result as before.
When I log in to the oVirt User Portal,
User Name: tani
Password: (OpenLDAP's userPassword)
Domain: rxc05271.com
the UI displays "General command validation failure."
Please advise.
Hopefully I can, if you provide the log... :)
Thanks,
Fumihide Tani
participants (2)
- Alon Bar-Lev
- Fumihide Tani