2:47 p.m.
--_000_SN1PR10MB071807A20FF1DCCB62983C19D5C70SN1PR10MB0718namp_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
I'm using the latest ovirt on CentOS7 with the aaa-ldap extension. I can su=
ccessfully authenticate as an LDAP user. I can also login as admin@internal=
and search for, find, and select LDAP users but I cannot add permissions f=
or them. Each time I get the error "User admin@internal-authz failed to gra=
nt permission for Role UserRole on System to User/Group <UNKNOWN>."
I have no control over the LDAP server, which uses custom objectClasses and=
uses groupOfNames instead of PosixGroups. I assume I need to set sequence =
variables to accommodate our group configuration but I'm at a loss as to wh=
ere to begin. the The config I have is as follows:
include =3D <rfc2307-generic.properties>
vars.server =3D labauth.lan.lab.org
pool.authz.auth.type =3D none
pool.default.serverset.type =3D single
pool.default.serverset.single.server =3D ${global:vars.server}
pool.default.ssl.startTLS =3D true
pool.default.ssl.insecure =3D true
pool.default.connection-options.connectTimeoutMillis =3D 10000
pool.default.connection-options.responseTimeoutMillis =3D 90000
sequence-init.init.100-my-basedn-init-vars =3D my-basedn-init-vars
sequence.my-basedn-init-vars.010.description =3D set baseDN
sequence.my-basedn-init-vars.010.type =3D var-set
sequence.my-basedn-init-vars.010.var-set.variable =3D simple_baseDN
sequence.my-basedn-init-vars.010.var-set.value =3D o=3DLANLAB
sequence-init.init.101-my-objectclass-init-vars =3D my-objectclass-init-var=
s
sequence.my-objectclass-init-vars.020.description =3D set objectClass
sequence.my-objectclass-init-vars.020.type =3D var-set
sequence.my-objectclass-init-vars.020.var-set.variable =3D simple_filterUse=
rObject
sequence.my-objectclass-init-vars.020.var-set.value =3D (objectClass=3DlabP=
erson)(uid=3D*)
search.default.search-request.derefPolicy =3D NEVER
sequence-init.init.900-local-init-vars =3D local-init-vars
sequence.local-init-vars.010.description =3D override name space
sequence.local-init-vars.010.type =3D var-set
sequence.local-init-vars.010.var-set.variable =3D simple_namespaceDefault
sequence.local-init-vars.010.var-set.value =3D *
sequence.local-init-vars.020.description =3D apply filter to users
sequence.local-init-vars.020.type =3D var-set
sequence.local-init-vars.020.var-set.variable =3D simple_filterUserObject
sequence.local-init-vars.020.var-set.value =3D ${seq:simple_filterUserObjec=
t}(employeeStatus=3D3)
sequence.local-init-vars.030.description =3D apply filter to groups
sequence.local-init-vars.030.type =3D var-set
sequence.local-init-vars.030.var-set.variable =3D simple_filterGroupObject
sequence.local-init-vars.030.var-set.value =3D (objectClass=3DgroupOfUnique=
Names)
--_000_SN1PR10MB071807A20FF1DCCB62983C19D5C70SN1PR10MB0718namp_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<html>
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html;
charset=3Diso-8859-=
1">
<style type=3D"text/css" style=3D"display:none;"><!-- P
{margin-top:0;margi=
n-bottom:0;} --></style>
</head>
<body dir=3D"ltr">
<div id=3D"divtagdefaultwrapper"
style=3D"font-size:12pt;color:#000000;font=
-family:Calibri,Arial,Helvetica,sans-serif;">
<p>I'm using the latest ovirt on CentOS7 with the aaa-ldap extension. I can=
successfully authenticate as an LDAP user. I can also login as admin@inter=
nal and search for, find, and select LDAP users but I cannot add permission=
s for them. Each time I get the
error "<span>User admin@internal-authz failed to grant permission for=
Role UserRole on System to User/Group
<UNKNOWN>.</span>"</p>
<p><br>
</p>
<p>I have no control over the LDAP server, which uses custom objectClasses =
and uses groupOfNames instead of PosixGroups. I assume I need to set sequen=
ce variables to accommodate our group configuration but I'm at a loss as to=
where to begin. the The config
I have is as follows:</p>
<p><br>
</p>
<p></p>
<div>include =3D <rfc2307-generic.properties><br>
<br>
vars.server =3D labauth.lan.lab.org<br>
<br>
pool.authz.auth.type =3D none<br>
pool.default.serverset.type =3D single<br>
pool.default.serverset.single.server =3D ${global:vars.server}<br>
pool.default.ssl.startTLS =3D true<br>
pool.default.ssl.insecure =3D true<br>
<br>
pool.default.connection-options.connectTimeoutMillis =3D 10000<br>
pool.default.connection-options.responseTimeoutMillis =3D 90000<br>
sequence-init.init.100-my-basedn-init-vars =3D my-basedn-init-vars<br>
sequence.my-basedn-init-vars.010.description =3D set baseDN<br>
sequence.my-basedn-init-vars.010.type =3D var-set<br>
sequence.my-basedn-init-vars.010.var-set.variable =3D simple_baseDN<br>
sequence.my-basedn-init-vars.010.var-set.value =3D o=3DLANLAB<br>
<br>
sequence-init.init.101-my-objectclass-init-vars =3D my-objectclass-init-var=
s<br>
sequence.my-objectclass-init-vars.020.description =3D set objectClass<br>
sequence.my-objectclass-init-vars.020.type =3D var-set<br>
sequence.my-objectclass-init-vars.020.var-set.variable =3D simple_filterUse=
rObject<br>
sequence.my-objectclass-init-vars.020.var-set.value =3D (objectClass=3DlabP=
erson)(uid=3D*)<br>
<br>
search.default.search-request.derefPolicy =3D NEVER<br>
<br>
sequence-init.init.900-local-init-vars =3D local-init-vars<br>
sequence.local-init-vars.010.description =3D override name space<br>
sequence.local-init-vars.010.type =3D var-set<br>
sequence.local-init-vars.010.var-set.variable =3D simple_namespaceDefault<b=
r>
sequence.local-init-vars.010.var-set.value =3D *<br>
<br>
sequence.local-init-vars.020.description =3D apply filter to users<br>
sequence.local-init-vars.020.type =3D var-set<br>
sequence.local-init-vars.020.var-set.variable =3D simple_filterUserObject<b=
r>
sequence.local-init-vars.020.var-set.value =3D ${seq:simple_filterUserObjec=
t}(employeeStatus=3D3)<br>
<br>
sequence.local-init-vars.030.description =3D apply filter to groups<br>
sequence.local-init-vars.030.type =3D var-set<br>
sequence.local-init-vars.030.var-set.variable =3D simple_filterGroupObject<=
br>
sequence.local-init-vars.030.var-set.value =3D (objectClass=3DgroupOfUnique=
Names)<br>
<br>
<br>
</div>
<p></p>
</div>
</body>
</html>
--_000_SN1PR10MB071807A20FF1DCCB62983C19D5C70SN1PR10MB0718namp_--
5:36 p.m.
On 10/06/2016 01:47 PM, Michael Burch wrote:
I'm using the latest ovirt on CentOS7 with the aaa-ldap
extension. I can
successfully authenticate as an LDAP user. I can also login as
admin@internal and search for, find, and select LDAP users but I cannot
add permissions for them. Each time I get the error "User
admin@internal-authz failed to grant permission for Role UserRole on
System to User/Group <UNKNOWN>."
This error usually means bad unique attribute used.
I have no control over the LDAP server, which uses custom objectClasses
and uses groupOfNames instead of PosixGroups. I assume I need to set
sequence variables to accommodate our group configuration but I'm at a
loss as to where to begin. the The config I have is as follows:
include = <rfc2307-generic.properties>
vars.server = labauth.lan.lab.org
pool.authz.auth.type = none
pool.default.serverset.type = single
pool.default.serverset.single.server = ${global:vars.server}
pool.default.ssl.startTLS = true
pool.default.ssl.insecure = true
pool.default.connection-options.connectTimeoutMillis = 10000
pool.default.connection-options.responseTimeoutMillis = 90000
sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
sequence.my-basedn-init-vars.010.description = set baseDN
sequence.my-basedn-init-vars.010.type = var-set
sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
sequence.my-basedn-init-vars.010.var-set.value = o=LANLAB
sequence-init.init.101-my-objectclass-init-vars = my-objectclass-init-vars
sequence.my-objectclass-init-vars.020.description = set objectClass
sequence.my-objectclass-init-vars.020.type = var-set
sequence.my-objectclass-init-vars.020.var-set.variable =
simple_filterUserObject
sequence.my-objectclass-init-vars.020.var-set.value =
(objectClass=labPerson)(uid=*)
search.default.search-request.derefPolicy = NEVER
sequence-init.init.900-local-init-vars = local-init-vars
sequence.local-init-vars.010.description = override name space
sequence.local-init-vars.010.type = var-set
sequence.local-init-vars.010.var-set.variable = simple_namespaceDefault
sequence.local-init-vars.010.var-set.value = *
What's this^ for? I think it's unusable.
sequence.local-init-vars.020.description = apply filter to users
sequence.local-init-vars.020.type = var-set
sequence.local-init-vars.020.var-set.variable = simple_filterUserObject
sequence.local-init-vars.020.var-set.value =
${seq:simple_filterUserObject}(employeeStatus=3)
sequence.local-init-vars.030.description = apply filter to groups
sequence.local-init-vars.030.type = var-set
sequence.local-init-vars.030.var-set.variable = simple_filterGroupObject
sequence.local-init-vars.030.var-set.value =
(objectClass=groupOfUniqueNames)
This looks as hard to maintain file. I would suggest you to insert into
this file just following:
include = <rfc2307-mycustom.properties>
vars.server = labauth.lan.lab.org
pool.authz.auth.type = none
pool.default.serverset.type = single
pool.default.serverset.single.server = ${global:vars.server}
pool.default.ssl.startTLS = true
pool.default.ssl.insecure = true
pool.default.connection-options.connectTimeoutMillis = 10000
pool.default.connection-options.responseTimeoutMillis = 90000
# Set custom base DN
sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
sequence.my-basedn-init-vars.010.description = set baseDN
sequence.my-basedn-init-vars.010.type = var-set
sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
sequence.my-basedn-init-vars.010.var-set.value = o=LANLAB
And then create in directory
'/usr/share/ovirt-engine-extension-aaa-ldap/profiles/' file
'rfc2307-mycustom.properties' with content:
include = <rfc2307.properties>
sequence-init.init.100-rfc2307-mycustom-init-vars =
rfc2307-mycustom-init-vars
sequence.rfc2307-mycustom-init-vars.010.description = set unique attr
sequence.rfc2307-mycustom-init-vars.010.type = var-set
sequence.rfc2307-mycustom-init-vars.010.var-set.variable =
rfc2307_attrsUniqueId
sequence.rfc2307-mycustom-init-vars.010.var-set.value = FIND_THIS_ONE
sequence.rfc2307-mycustom-init-vars.020.type = var-set
sequence.rfc2307-mycustom-init-vars.020.var-set.variable =
simple_filterUserObject
sequence.rfc2307-mycustom-init-vars.020.var-set.value =
(objectClass=labPerson)(employeeStatus=3)(${seq:simple_attrsUserName}=*)
The FIND_*THIS_ONE* replace with the unique attribute of labPerson(I
guess). It can be extended attribute(+,++).
$ LDAPTLS_REQCERT=never ldapsearch -ZZ -x -b 'o=LANLAB' -H
ldap://labauth.lan.lab.org 'objectClass=labPerson'
maybe (or even with two +):
$ LDAPTLS_REQCERT=never ldapsearch -ZZ -x -b 'o=LANLAB' -H
ldap://labauth.lan.lab.org 'objectClass=labPerson' +
The question is if even your implementation has unique attribute, does
it?
Also may you share what's your LDAP provider? And maybe if you share
content of some user it would help as well.
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
4:22 p.m.
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--qKUkRRsJKPkPGLV9qaud4bBRD5cEbiBoQ
Content-Type: multipart/mixed; boundary="QeOaACIuVvOH7wmPKPM0PSkjJqc0I1b8T";
protected-headers="v1"
From: Richard Neuboeck <hawk(a)tbi.univie.ac.at>
To: Ondra Machacek <omachace(a)redhat.com>, users <users(a)ovirt.org>
Message-ID: <fc8ab02e-6353-43f9-5133-decb2d39495f(a)tbi.univie.ac.at>
Subject: Re: [ovirt-users] Unable to add permissions for LDAP users
References:
<SN1PR10MB071807A20FF1DCCB62983C19D5C70(a)SN1PR10MB0718.namprd10.prod.outlook.com>
<32d6b45e-b3b2-eeae-1b7b-87af2d9c3bbd(a)redhat.com>
In-Reply-To: <32d6b45e-b3b2-eeae-1b7b-87af2d9c3bbd(a)redhat.com>
--QeOaACIuVvOH7wmPKPM0PSkjJqc0I1b8T
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable
Hi,
I seem to experience the same problem right now and am at a bit of a
loss as to where to dig for some more troubleshooting information. I
would highly appreciate some help.
Here is what I have and what I did:
ovirt-engine-4.1.0.4-1.el7.centos.noarch
ovirt-engine-extension-aaa-ldap-1.3.0-1.el7.noarch
I executed ovirt-engine-extension-aaa-ldap-setup. My LDAP provider
is 389ds (FreeIPA). I can successfully run a search and also login
from the setup script.
After running the setup I rebootet the Engine VM to make sure
everything is restarted.
In the web UI configuration for 'System Permissions' I'm able to
find users from LDAP but when I try to 'Add' a selected user the UI
shows me this error: 'User admin@internal-authz failed to grant
permission for Role SuperUser on System to User/Group <UNKNOWN>.'.
In then engine.log the following lines are generated:
2017-03-09 14:02:49,308+01 INFO
[org.ovirt.engine.core.bll.AddSystemPermissionCommand]
(org.ovirt.thread.pool-6-thread-4)
[1ebae5e0-e5f6-49ba-ac80-95266c582893] Running command:
AddSystemPermissionCommand internal: false. Entities affected : ID:
aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group
MANIPULATE_PERMISSIONS with role type USER, ID:
aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group
ADD_USERS_AND_GROUPS_FROM_DIRECTORY with role type USER
2017-03-09 14:02:49,319+01 ERROR
[org.ovirt.engine.core.bll.AddSystemPermissionCommand]
(org.ovirt.thread.pool-6-thread-4)
[1ebae5e0-e5f6-49ba-ac80-95266c582893] Transaction rolled-back for
command 'org.ovirt.engine.core.bll.AddSystemPermissionCommand'.
2017-03-09 14:02:49,328+01 ERROR
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(org.ovirt.thread.pool-6-thread-4)
[1ebae5e0-e5f6-49ba-ac80-95266c582893] EVENT_ID:
USER_ADD_SYSTEM_PERMISSION_FAILED(867), Correlation ID:
1ebae5e0-e5f6-49ba-ac80-95266c582893, Call Stack: null, Custom Event
ID: -1, Message: User admin@internal-authz failed to grant
permission for Role SuperUser on System to User/Group <UNKNOWN>.
So far I've re-run the ldap-setup routine. I made sure all newly
generated files in /etc/ovirt-engine/[aaa|extensions.d] are owned by
ovirt:ovirt (instead of root) and have 0600 as permission (instead
of 0644). That didn't change anything.
I've also found an older bug report but for oVirt 3.5
https://bugzilla.redhat.com/show_bug.cgi?id=3D1121954
That didn't reveal any new either.
Any ideas what I could try next?
Thanks!
Cheers
Richard
On 10/06/2016 04:36 PM, Ondra Machacek wrote:
On 10/06/2016 01:47 PM, Michael Burch wrote:
> I'm using the latest ovirt on CentOS7 with the aaa-ldap extension.
> I can
> successfully authenticate as an LDAP user. I can also login as
> admin@internal and search for, find, and select LDAP users but I
> cannot
> add permissions for them. Each time I get the error "User
> admin@internal-authz failed to grant permission for Role UserRole on
> System to User/Group <UNKNOWN>."
=20
This error usually means bad unique attribute used.
=20
>
>
> I have no control over the LDAP server, which uses custom
> objectClasses
> and uses groupOfNames instead of PosixGroups. I assume I need to set
> sequence variables to accommodate our group configuration but I'm
> at a
> loss as to where to begin. the The config I have is as follows:
>
>
> include =3D <rfc2307-generic.properties>
>
> vars.server =3D labauth.lan.lab.org
>
> pool.authz.auth.type =3D none
> pool.default.serverset.type =3D single
> pool.default.serverset.single.server =3D ${global:vars.server}
> pool.default.ssl.startTLS =3D true
> pool.default.ssl.insecure =3D true
>
> pool.default.connection-options.connectTimeoutMillis =3D 10000
> pool.default.connection-options.responseTimeoutMillis =3D 90000
> sequence-init.init.100-my-basedn-init-vars =3D my-basedn-init-vars
> sequence.my-basedn-init-vars.010.description =3D set baseDN
> sequence.my-basedn-init-vars.010.type =3D var-set
> sequence.my-basedn-init-vars.010.var-set.variable =3D simple_baseDN
> sequence.my-basedn-init-vars.010.var-set.value =3D o=3DLANLAB
>
> sequence-init.init.101-my-objectclass-init-vars =3D
> my-objectclass-init-vars
> sequence.my-objectclass-init-vars.020.description =3D set objectClass
> sequence.my-objectclass-init-vars.020.type =3D var-set
> sequence.my-objectclass-init-vars.020.var-set.variable =3D
> simple_filterUserObject
> sequence.my-objectclass-init-vars.020.var-set.value =3D
> (objectClass=3DlabPerson)(uid=3D*)
>
> search.default.search-request.derefPolicy =3D NEVER
>
> sequence-init.init.900-local-init-vars =3D local-init-vars
> sequence.local-init-vars.010.description =3D override name space
> sequence.local-init-vars.010.type =3D var-set
> sequence.local-init-vars.010.var-set.variable =3D
> simple_namespaceDefault
> sequence.local-init-vars.010.var-set.value =3D *
=20
What's this^ for? I think it's unusable.
=20
>
> sequence.local-init-vars.020.description =3D apply filter to users
> sequence.local-init-vars.020.type =3D var-set
> sequence.local-init-vars.020.var-set.variable =3D
> simple_filterUserObject
> sequence.local-init-vars.020.var-set.value =3D
> ${seq:simple_filterUserObject}(employeeStatus=3D3)
>
> sequence.local-init-vars.030.description =3D apply filter to groups
> sequence.local-init-vars.030.type =3D var-set
> sequence.local-init-vars.030.var-set.variable =3D
> simple_filterGroupObject
> sequence.local-init-vars.030.var-set.value =3D
> (objectClass=3DgroupOfUniqueNames)
=20
This looks as hard to maintain file. I would suggest you to insert
into this file just following:
=20
include =3D <rfc2307-mycustom.properties>
=20
vars.server =3D labauth.lan.lab.org
=20
pool.authz.auth.type =3D none
pool.default.serverset.type =3D single
pool.default.serverset.single.server =3D ${global:vars.server}
pool.default.ssl.startTLS =3D true
pool.default.ssl.insecure =3D true
=20
pool.default.connection-options.connectTimeoutMillis =3D 10000
pool.default.connection-options.responseTimeoutMillis =3D 90000
=20
# Set custom base DN
sequence-init.init.100-my-basedn-init-vars =3D my-basedn-init-vars
sequence.my-basedn-init-vars.010.description =3D set baseDN
sequence.my-basedn-init-vars.010.type =3D var-set
sequence.my-basedn-init-vars.010.var-set.variable =3D simple_baseDN
sequence.my-basedn-init-vars.010.var-set.value =3D o=3DLANLAB
=20
And then create in directory
'/usr/share/ovirt-engine-extension-aaa-ldap/profiles/' file
'rfc2307-mycustom.properties' with content:
=20
include =3D <rfc2307.properties>
=20
sequence-init.init.100-rfc2307-mycustom-init-vars =3D
rfc2307-mycustom-init-vars
sequence.rfc2307-mycustom-init-vars.010.description =3D set unique attr=
sequence.rfc2307-mycustom-init-vars.010.type =3D var-set
sequence.rfc2307-mycustom-init-vars.010.var-set.variable =3D
rfc2307_attrsUniqueId
sequence.rfc2307-mycustom-init-vars.010.var-set.value =3D FIND_THIS_ONE=
=20
sequence.rfc2307-mycustom-init-vars.020.type =3D var-set
sequence.rfc2307-mycustom-init-vars.020.var-set.variable =3D
simple_filterUserObject
sequence.rfc2307-mycustom-init-vars.020.var-set.value =3D
(objectClass=3DlabPerson)(employeeStatus=3D3)(${seq:simple_attrsUserNam=
e}=3D*)
=20
=20
=20
The FIND_*THIS_ONE* replace with the unique attribute of labPerson(I
guess). It can be extended attribute(+,++).
=20
$ LDAPTLS_REQCERT=3Dnever ldapsearch -ZZ -x -b 'o=3DLANLAB' -H
ldap://labauth.lan.lab.org 'objectClass=3DlabPerson'
=20
maybe (or even with two +):
$ LDAPTLS_REQCERT=3Dnever ldapsearch -ZZ -x -b 'o=3DLANLAB' -H
ldap://labauth.lan.lab.org 'objectClass=3DlabPerson' +
=20
The question is if even your implementation has unique attribute, does
it?
=20
Also may you share what's your LDAP provider? And maybe if you share
content of some user it would help as well.
=20
>
>
>
>
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
--=20
/dev/null
--QeOaACIuVvOH7wmPKPM0PSkjJqc0I1b8T--
--qKUkRRsJKPkPGLV9qaud4bBRD5cEbiBoQ
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCgAGBQJYwVcPAAoJEA7XCanqEVqIPl8QAIQFBRHbiGNiFao6ajVRmsxv
GaEOdE/1etNOcKEy8c39SmF0bQD6KYUNqUBnJ01Pgmfn65+QfzgjnloUcWrckB6x
2xooYVj8H7IO1HJbRXFjpP++XiJNxxkptJcDNGdnhojjcslNAd1Y970J+OrU5XCI
lIvbSSLnwl5HM9Eu7lOdcB3KYPmmBh4g+N0WWVVEv06IGRm3uMgdeoXvG7wx7Sv/
EqL+oDuDXNy0127btyi8I4LCGYzNpnh3XOwTvcDgbWBK51CAgPsNvHg1opLPaWPI
q2rPQpdKFui99KG5i7sWh33BVNWn1jX5qZPGYj3cLq9y6NkIEHX9k0cTiktcWkn5
sWYlFvsA3tTMj4WUjqefJiIakmQ8Y4EeTncY1QLcnEZHx3ltlU0bEtPkafh891G2
l3vgcnL5gc1Q5cPpZhfSngVg5GBYNrUwiqtsQJYNp5UWnWgRu5l8U3dMkKw87krf
4YtlGu9iMLvaOVGI1S8NrldpKBQ+nmAzfV3GOeKBztTizpmuyxgue9j6gkQL331d
dRBHfZfDWX2Lq6GqbDlkALTn7pbC1DzB5us8BPuEk6J8HSVwhPb9lz2vIBhq+ors
08/YrWSyjY4/a85tHoPEjurbmXZcDobaidkBSg1HpBCthCsX217/ujKCaFiPpvDg
vzJlHQWA92qIejXYi58d
=tlBm
-----END PGP SIGNATURE-----
--qKUkRRsJKPkPGLV9qaud4bBRD5cEbiBoQ--
11:46 a.m.
On Thu, Mar 9, 2017 at 2:22 PM, Richard Neuboeck <hawk(a)tbi.univie.ac.at>
wrote:
Hi,
I seem to experience the same problem right now and am at a bit of a
loss as to where to dig for some more troubleshooting information. I
would highly appreciate some help.
Here is what I have and what I did:
ovirt-engine-4.1.0.4-1.el7.centos.noarch
ovirt-engine-extension-aaa-ldap-1.3.0-1.el7.noarch
I executed ovirt-engine-extension-aaa-ldap-setup. My LDAP provider
is 389ds (FreeIPA).
So what's your provider 389ds or FreeIPA?
Note that both use differrent unique ID. IPA is using 'ipaUniqueID',
and 389ds is using 'nsuniqueid'. DId you tried both?
I can successfully run a search and also login
from the setup script.
After running the setup I rebootet the Engine VM to make sure
everything is restarted.
In the web UI configuration for 'System Permissions' I'm able to
find users from LDAP but when I try to 'Add' a selected user the UI
shows me this error: 'User admin@internal-authz failed to grant
permission for Role SuperUser on System to User/Group <UNKNOWN>.'.
In then engine.log the following lines are generated:
2017-03-09 14:02:49,308+01 INFO
[org.ovirt.engine.core.bll.AddSystemPermissionCommand]
(org.ovirt.thread.pool-6-thread-4)
[1ebae5e0-e5f6-49ba-ac80-95266c582893] Running command:
AddSystemPermissionCommand internal: false. Entities affected : ID:
aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group
MANIPULATE_PERMISSIONS with role type USER, ID:
aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group
ADD_USERS_AND_GROUPS_FROM_DIRECTORY with role type USER
2017-03-09 14:02:49,319+01 ERROR
[org.ovirt.engine.core.bll.AddSystemPermissionCommand]
(org.ovirt.thread.pool-6-thread-4)
[1ebae5e0-e5f6-49ba-ac80-95266c582893] Transaction rolled-back for
command 'org.ovirt.engine.core.bll.AddSystemPermissionCommand'.
2017-03-09 14:02:49,328+01 ERROR
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(org.ovirt.thread.pool-6-thread-4)
[1ebae5e0-e5f6-49ba-ac80-95266c582893] EVENT_ID:
USER_ADD_SYSTEM_PERMISSION_FAILED(867), Correlation ID:
1ebae5e0-e5f6-49ba-ac80-95266c582893, Call Stack: null, Custom Event
ID: -1, Message: User admin@internal-authz failed to grant
permission for Role SuperUser on System to User/Group <UNKNOWN>.
So far I've re-run the ldap-setup routine. I made sure all newly
generated files in /etc/ovirt-engine/[aaa|extensions.d] are owned by
ovirt:ovirt (instead of root) and have 0600 as permission (instead
of 0644). That didn't change anything.
I've also found an older bug report but for oVirt 3.5
https://bugzilla.redhat.com/show_bug.cgi?id=1121954
That didn't reveal any new either.
Any ideas what I could try next?
Thanks!
Cheers
Richard
On 10/06/2016 04:36 PM, Ondra Machacek wrote:
> On 10/06/2016 01:47 PM, Michael Burch wrote:
>> I'm using the latest ovirt on CentOS7 with the aaa-ldap extension.
>> I can
>> successfully authenticate as an LDAP user. I can also login as
>> admin@internal and search for, find, and select LDAP users but I
>> cannot
>> add permissions for them. Each time I get the error "User
>> admin@internal-authz failed to grant permission for Role UserRole on
>> System to User/Group <UNKNOWN>."
>
> This error usually means bad unique attribute used.
>
>>
>>
>> I have no control over the LDAP server, which uses custom
>> objectClasses
>> and uses groupOfNames instead of PosixGroups. I assume I need to set
>> sequence variables to accommodate our group configuration but I'm
>> at a
>> loss as to where to begin. the The config I have is as follows:
>>
>>
>> include = <rfc2307-generic.properties>
>>
>> vars.server = labauth.lan.lab.org
>>
>> pool.authz.auth.type = none
>> pool.default.serverset.type = single
>> pool.default.serverset.single.server = ${global:vars.server}
>> pool.default.ssl.startTLS = true
>> pool.default.ssl.insecure = true
>>
>> pool.default.connection-options.connectTimeoutMillis = 10000
>> pool.default.connection-options.responseTimeoutMillis = 90000
>> sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
>> sequence.my-basedn-init-vars.010.description = set baseDN
>> sequence.my-basedn-init-vars.010.type = var-set
>> sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
>> sequence.my-basedn-init-vars.010.var-set.value = o=LANLAB
>>
>> sequence-init.init.101-my-objectclass-init-vars =
>> my-objectclass-init-vars
>> sequence.my-objectclass-init-vars.020.description = set objectClass
>> sequence.my-objectclass-init-vars.020.type = var-set
>> sequence.my-objectclass-init-vars.020.var-set.variable =
>> simple_filterUserObject
>> sequence.my-objectclass-init-vars.020.var-set.value =
>> (objectClass=labPerson)(uid=*)
>>
>> search.default.search-request.derefPolicy = NEVER
>>
>> sequence-init.init.900-local-init-vars = local-init-vars
>> sequence.local-init-vars.010.description = override name space
>> sequence.local-init-vars.010.type = var-set
>> sequence.local-init-vars.010.var-set.variable =
>> simple_namespaceDefault
>> sequence.local-init-vars.010.var-set.value = *
>
> What's this^ for? I think it's unusable.
>
>>
>> sequence.local-init-vars.020.description = apply filter to users
>> sequence.local-init-vars.020.type = var-set
>> sequence.local-init-vars.020.var-set.variable =
>> simple_filterUserObject
>> sequence.local-init-vars.020.var-set.value =
>> ${seq:simple_filterUserObject}(employeeStatus=3)
>>
>> sequence.local-init-vars.030.description = apply filter to groups
>> sequence.local-init-vars.030.type = var-set
>> sequence.local-init-vars.030.var-set.variable =
>> simple_filterGroupObject
>> sequence.local-init-vars.030.var-set.value =
>> (objectClass=groupOfUniqueNames)
>
> This looks as hard to maintain file. I would suggest you to insert
> into this file just following:
>
> include = <rfc2307-mycustom.properties>
>
> vars.server = labauth.lan.lab.org
>
> pool.authz.auth.type = none
> pool.default.serverset.type = single
> pool.default.serverset.single.server = ${global:vars.server}
> pool.default.ssl.startTLS = true
> pool.default.ssl.insecure = true
>
> pool.default.connection-options.connectTimeoutMillis = 10000
> pool.default.connection-options.responseTimeoutMillis = 90000
>
> # Set custom base DN
> sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
> sequence.my-basedn-init-vars.010.description = set baseDN
> sequence.my-basedn-init-vars.010.type = var-set
> sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
> sequence.my-basedn-init-vars.010.var-set.value = o=LANLAB
>
> And then create in directory
> '/usr/share/ovirt-engine-extension-aaa-ldap/profiles/' file
> 'rfc2307-mycustom.properties' with content:
>
> include = <rfc2307.properties>
>
> sequence-init.init.100-rfc2307-mycustom-init-vars =
> rfc2307-mycustom-init-vars
> sequence.rfc2307-mycustom-init-vars.010.description = set unique attr
> sequence.rfc2307-mycustom-init-vars.010.type = var-set
> sequence.rfc2307-mycustom-init-vars.010.var-set.variable =
> rfc2307_attrsUniqueId
> sequence.rfc2307-mycustom-init-vars.010.var-set.value = FIND_THIS_ONE
>
> sequence.rfc2307-mycustom-init-vars.020.type = var-set
> sequence.rfc2307-mycustom-init-vars.020.var-set.variable =
> simple_filterUserObject
> sequence.rfc2307-mycustom-init-vars.020.var-set.value =
> (objectClass=labPerson)(employeeStatus=3)(${seq:simple_attrsUserName}=*)
>
>
>
> The FIND_*THIS_ONE* replace with the unique attribute of labPerson(I
> guess). It can be extended attribute(+,++).
>
> $ LDAPTLS_REQCERT=never ldapsearch -ZZ -x -b 'o=LANLAB' -H
> ldap://labauth.lan.lab.org 'objectClass=labPerson'
>
> maybe (or even with two +):
> $ LDAPTLS_REQCERT=never ldapsearch -ZZ -x -b 'o=LANLAB' -H
> ldap://labauth.lan.lab.org 'objectClass=labPerson' +
>
> The question is if even your implementation has unique attribute, does
> it?
>
> Also may you share what's your LDAP provider? And maybe if you share
> content of some user it would help as well.
>
>>
>>
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users(a)ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>>
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
--
/dev/null
2813
days inactive
2968
days old
3 comments
3 participants
participants (3)
-
Michael Burch -
Ondra Machacek -
Richard Neuboeck