
HI All,

Can someone help me in configuring LDAP authentication for Ovirt?

Thanks,
Nagaraju

----- Original Message -----
From: "Budur Nagaraju" <nbudoor@gmail.com>
To: users@ovirt.org
Sent: Tuesday, September 22, 2015 4:34:46 PM
Subject: [ovirt-users] LDAP Authentication
HI All,
Can someone help me in configuring LDAP authentication for Ovirt?
Please review:
http://www.ovirt.org/Features/AAA
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob...

HI Alon,

Below is the configuration which I have done, but unable to search the users in UI. Can you pls help me?

[root@cstlb2 aaa]# cat ldap1.properties
#
# Select one
#
include = <openldap.properties>
#include = <389ds.properties>
#include = <rhds.properties>
#include = <ipa.properties>
#include = <iplanet.properties>
#include = <rfc2307.properties>
#include = <rfc2307-openldap.properties>

#
# Server
#
vars.server = my.abc.net

#
# Search user and its password.
#
vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=abc,dc=net
vars.password = company1

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
#pool.default.ssl.truststore.password = changeit
[root@cstlb2 aaa]#

----- Original Message -----
From: "Budur Nagaraju" <nbudoor@gmail.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: users@ovirt.org
Sent: Tuesday, September 22, 2015 5:24:36 PM
Subject: Re: [ovirt-users] LDAP Authentication
HI Alon,
Below is the configuration which I have done, but unable to search the users in UI. Can you pls help me?
you need three files, see the /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple

It's too complicated, you have any script or video?

----- Original Message -----
From: "Budur Nagaraju" <nbudoor@gmail.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: users@ovirt.org
Sent: Tuesday, September 22, 2015 5:35:16 PM
Subject: Re: [ovirt-users] LDAP Authentication
It's too complicated, you have any script or video?
in 3.6 we have a setup script. for now:

cp -r /usr/share/ovirt-engine/examples/simple/. /etc/ovirt-engine/

this is written in the README.
then customize files at /etc/ovirt-engine/extensions.d/* /etc/ovirt-engine/aaa/* to match your setup

below are the three files which I have modified.

[root@cstlb2 extensions.d]# cat profile1-authn.properties
ovirt.engine.extension.name = cloudspin-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = cloudspin
ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth
config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
[root@cstlb2 extensions.d]# ls
profile1-authn.properties  profile1-authz.properties
[root@cstlb2 extensions.d]# cat profile1-authz.properties
ovirt.engine.extension.name = cloudspin-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
[root@cstlb2 extensions.d]#

[root@cstlb2 aaa]# pwd
/etc/ovirt-engine/aaa
[root@cstlb2 aaa]# ls
ldap1.properties
[root@cstlb2 aaa]# cat ldap1.properties
#
# Select one
#
include = <openldap.properties>
#include = <389ds.properties>
#include = <rhds.properties>
#include = <ipa.properties>
#include = <iplanet.properties>
#include = <rfc2307.properties>
#include = <rfc2307-openldap.properties>

#
# Server
#
vars.server = my.abc.net

#
# Search user and its password.
#
vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=nbudoor,dc=net
vars.password = company

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
#pool.default.ssl.truststore.password = changeit
[root@cstlb2 aaa]#
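The three files posted in this thread (the authn and authz extension descriptors in extensions.d and the LDAP profile they share) have to agree with each other before the engine can pair them, and a mismatch produces no UI error, only an empty user search. The script below is an added example written for this page, not oVirt project code: it parses the `key = value` syntax the files use, checks that the authn file's `ovirt.engine.aaa.authn.authz.plugin` equals the authz file's `ovirt.engine.extension.name`, that both descriptors load the same `config.profile.file.1`, that one `include` line is active, that every `${global:vars.X}` resolves, and that a simple bind is not left running without `pool.default.ssl.startTLS = true` (the only TLS switch shown in the thread; an LDAPS deployment would need that check extended). The sample inputs reproduce the posted files, trimmed to the keys the checks read and with the search account password replaced by a placeholder.

```python
"""Cross-check the three oVirt aaa-ldap files (authn, authz, LDAP profile).

Added example for this thread, not oVirt project code. The properties
syntax and key names come from the files posted in the thread; the sample
inputs below reproduce those files minus the jbossmodule binding keys, with
the search account password replaced by a placeholder.
"""
import re

# ${global:vars.x} references inside the LDAP profile (syntax used in the thread)
GLOBAL_REF = re.compile(r"\$\{global:([A-Za-z0-9_.]+)\}")


def parse_properties(text):
    """Parse 'key = value' lines; '#' comments and blank lines are ignored.

    Only the first '=' separates key and value, so a bind DN such as
    'uid=search,cn=...' survives intact. A commented-out line is *not* a
    setting, which is exactly what the checks below rely on.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_profile(authn_text, authz_text, ldap_text):
    """Return a list of human-readable findings; an empty list means the files agree."""
    authn = parse_properties(authn_text)
    authz = parse_properties(authz_text)
    ldap = parse_properties(ldap_text)
    findings = []

    # The authn extension names its authz partner; the value must equal the
    # authz file's ovirt.engine.extension.name or the engine cannot pair them.
    wanted = authn.get("ovirt.engine.aaa.authn.authz.plugin")
    actual = authz.get("ovirt.engine.extension.name")
    if wanted != actual:
        findings.append(
            f"authn names authz plugin '{wanted}' but the authz extension is '{actual}'"
        )

    # Both extensions must read the same LDAP profile file.
    if authn.get("config.profile.file.1") != authz.get("config.profile.file.1"):
        findings.append("authn and authz point at different config.profile.file.1")

    # Exactly one server-type 'include = <...>' must be active (uncommented).
    if "include" not in ldap:
        findings.append("no active 'include = <...>' line in the LDAP profile")

    # Every ${global:vars.X} must resolve to a vars.X defined in the same file.
    for key, value in ldap.items():
        for ref in GLOBAL_REF.findall(value):
            if ref not in ldap:
                findings.append(f"{key} references undefined variable {ref}")

    # A simple bind sends the search account's password to the directory.
    # With pool.default.ssl.startTLS left commented out (the only TLS switch
    # shown in the thread) that password crosses the network in clear.
    if ("pool.default.auth.simple.bindDN" in ldap
            and ldap.get("pool.default.ssl.startTLS", "").lower() != "true"):
        findings.append("simple bind configured without pool.default.ssl.startTLS = true")

    return findings


# Sample inputs reproducing the thread's files (password replaced by a placeholder).
AUTHN = """\
ovirt.engine.extension.name = cloudspin-authn
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = cloudspin
ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth
config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
"""

AUTHZ = """\
ovirt.engine.extension.name = cloudspin-authz
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
"""

LDAP = """\
include = <openldap.properties>
#include = <389ds.properties>
vars.server = my.abc.net
vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=nbudoor,dc=net
vars.password = PASSWORD-PLACEHOLDER
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
"""

if __name__ == "__main__":
    for finding in check_profile(AUTHN, AUTHZ, LDAP) or ["no findings"]:
        print(finding)
```

Run against the posted files it reports two findings: the authn descriptor names `cloudspin-auth` while the authz extension is `cloudspin-authz`, and the simple bind runs without StartTLS. Pointing the three string constants at the real files under /etc/ovirt-engine/extensions.d and /etc/ovirt-engine/aaa makes it a quick pre-restart check.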

looks ok, now restart engine and see if you have any error at /var/log/ovirt-engine/engine.log

----- Original Message -----
From: "Budur Nagaraju" <nbudoor@gmail.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: users@ovirt.org
Sent: Tuesday, September 22, 2015 5:45:42 PM
Subject: Re: [ovirt-users] LDAP Authentication
below are the three files which I have modified.

Below is the log I have got,

[root@cstlb2 ~]# tail -f /var/log/ovirt-engine/engine.log
2015-09-22 20:01:07,766 INFO [org.ovirt.engine.core.vdsbroker.VdsUpdateRunTimeInfo] (DefaultQuartzScheduler_Worker-90) Received a spice Device without an address when processing VM 94151df6-28a1-46d7-b92b-53c474b466d4 devices, skipping device: {device=spice, specParams={displayNetwork=ovirtmgmt, spiceSecureChannels=smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard, keyMap=en-us, displayIp=10.204.206.7, copyPasteEnable=true}, deviceType=graphics, type=graphics, tlsPort=5901}
2015-09-22 20:01:14,264 INFO [org.ovirt.engine.core.bll.SetVmTicketCommand] (ajp--127.0.0.1-8702-1) [55ba816d] Running command: SetVmTicketCommand internal: false. Entities affected : ID: 6eafd9fb-b4eb-4e38-b445-5bef0e7bf06f Type: VMAction group CONNECT_TO_VM with role type USER
2015-09-22 20:01:14,269 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (ajp--127.0.0.1-8702-1) [55ba816d] START, SetVmTicketVDSCommand(HostName = host1, HostId = b8804829-6107-4486-8c98-5ee4c0f4e797, vmId=6eafd9fb-b4eb-4e38-b445-5bef0e7bf06f, ticket=kInOP/00qRys, validTime=120,m userName=admin, userId=fdfc627c-d875-11e0-90f0-83df133b58cc), log id: 47b9cbd
2015-09-22 20:01:14,290 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (ajp--127.0.0.1-8702-1) [55ba816d] FINISH, SetVmTicketVDSCommand, log id: 47b9cbd
2015-09-22 20:01:14,296 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-1) [55ba816d] Correlation ID: 55ba816d, Call Stack: null, Custom Event ID: -1, Message: user admin@internal initiated console session for VM SA-8-2-1
2015-09-22 20:02:08,149 INFO [org.ovirt.engine.core.vdsbroker.VdsUpdateRunTimeInfo] (DefaultQuartzScheduler_Worker-21) [4926b491] VM win7-1 94151df6-28a1-46d7-b92b-53c474b466d4 moved from PoweringUp --> Up
2015-09-22 20:02:08,153 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (DefaultQuartzScheduler_Worker-21) [4926b491] Correlation ID: 526e6d97, Job ID: bc4100d7-da56-4aea-b81c-4e326955bb24, Call Stack: null, Custom Event ID: -1, Message: VM win7-1 started on Host host1
2015-09-22 20:02:29,283 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.FullListVdsCommand] (DefaultQuartzScheduler_Worker-68) START, FullListVdsCommand(HostName = host1, HostId = b8804829-6107-4486-8c98-5ee4c0f4e797, vds=Host[host1,b8804829-6107-4486-8c98-5ee4c0f4e797], vmIds=[94151df6-28a1-46d7-b92b-53c474b466d4]), log id: 6e3f2b6f
2015-09-22 20:02:29,289 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.FullListVdsCommand] (DefaultQuartzScheduler_Worker-68) FINISH, FullListVdsCommand, return: [{acpiEnable=true, emulatedMachine=rhel6.5.0, vmId=94151df6-28a1-46d7-b92b-53c474b466d4, memGuaranteedSize=1024, transparentHugePages=true, displaySecurePort=5901, spiceSslCipherSuite=DEFAULT, cpuType=Penryn, smp=1, pauseCode=NOERR, smartcardEnable=false, hypervEnable=true, custom={device_c9ec3957-cc59-4589-9d34-ead7d4618c2adevice_218a2381-4d4f-47b5-82c0-2f0cd0c77260=VmDevice {vmId=94151df6-28a1-46d7-b92b-53c474b466d4, deviceId=218a2381-4d4f-47b5-82c0-2f0cd0c77260, device=unix, type=CHANNEL, bootOrder=0, specParams={}, address={bus=0, controller=0, type=virtio-serial, port=1}, managed=false, plugged=true, readOnly=false, deviceAlias=channel0, customProperties={}, snapshotId=null, logicalName=null}, device_c9ec3957-cc59-4589-9d34-ead7d4618c2adevice_218a2381-4d4f-47b5-82c0-2f0cd0c77260device_74f4d62c-f609-407c-b17b-e0e662eb430fdevice_f0404977-be50-4690-8218-93e0534c0ef3=VmDevice {vmId=94151df6-28a1-46d7-b92b-53c474b466d4, deviceId=f0404977-be50-4690-8218-93e0534c0ef3, device=spicevmc, type=CHANNEL, bootOrder=0, specParams={}, address={bus=0, controller=0, type=virtio-serial, port=3}, managed=false, plugged=true, readOnly=false, deviceAlias=channel2, customProperties={}, snapshotId=null, logicalName=null}, device_c9ec3957-cc59-4589-9d34-ead7d4618c2adevice_218a2381-4d4f-47b5-82c0-2f0cd0c77260device_74f4d62c-f609-407c-b17b-e0e662eb430f=VmDevice {vmId=94151df6-28a1-46d7-b92b-53c474b466d4, deviceId=74f4d62c-f609-407c-b17b-e0e662eb430f, device=unix, type=CHANNEL, bootOrder=0, specParams={}, address={bus=0, controller=0, type=virtio-serial, port=2}, managed=false, plugged=true, readOnly=false, deviceAlias=channel1, customProperties={}, snapshotId=null, logicalName=null}, device_c9ec3957-cc59-4589-9d34-ead7d4618c2a=VmDevice {vmId=94151df6-28a1-46d7-b92b-53c474b466d4, deviceId=c9ec3957-cc59-4589-9d34-ead7d4618c2a, device=ide, type=CONTROLLER, bootOrder=0, specParams={}, address={slot=0x01, bus=0x00, domain=0x0000, type=pci, function=0x1}, managed=false, plugged=true, readOnly=false, deviceAlias=ide0, customProperties={}, snapshotId=null, logicalName=null}}, vmType=kvm, memSize=1024, smpCoresPerSocket=1, vmName=win7-1, nice=0, status=Up, bootMenuEnable=false, pid=109741, copyPasteEnable=true, displayIp=10.204.206.7, displayPort=-1, guestDiskMapping={}, clientIp=, fileTransferEnable=true, nicModel=rtl8139,pv, keyboardLayout=en-us, kvmEnable=true, displayNetwork=ovirtmgmt, devices=[Ljava.lang.Object;@753cbcf4, timeOffset=19800, maxVCpus=16, spiceSecureChannels=smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard, display=qxl}], log id: 6e3f2b6f
2015-09-22 20:02:29,297 INFO [org.ovirt.engine.core.vdsbroker.VdsUpdateRunTimeInfo] (DefaultQuartzScheduler_Worker-68) Received a spice Device without an address when processing VM 94151df6-28a1-46d7-b92b-53c474b466d4 devices, skipping device: {device=spice, specParams={displayNetwork=ovirtmgmt, spiceSecureChannels=smain,sinputs,scursor,splayback,srecord,sdisplay,susbredir,ssmartcard, keyMap=en-us, displayIp=10.204.206.7, copyPasteEnable=true}, deviceType=graphics, type=graphics, tlsPort=5901}
2015-09-22 20:21:47,432 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Loaded file "/usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.conf".
2015-09-22 20:21:47,432 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) The file "/etc/ovirt-engine/engine.conf" doesn't exist or isn't readable. Will return an empty set of properties.
2015-09-22 20:21:47,434 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Loaded file "/etc/ovirt-engine/engine.conf.d/10-setup-database.conf".
2015-09-22 20:21:47,440 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Loaded file "/etc/ovirt-engine/engine.conf.d/10-setup-java.conf".
2015-09-22 20:21:47,442 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Loaded file "/etc/ovirt-engine/engine.conf.d/10-setup-jboss.conf".
2015-09-22 20:21:47,443 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Loaded file "/etc/ovirt-engine/engine.conf.d/10-setup-pki.conf".
2015-09-22 20:21:47,445 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Loaded file "/etc/ovirt-engine/engine.conf.d/10-setup-protocols.conf".
2015-09-22 20:21:47,446 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Loaded file "/etc/ovirt-engine/engine.conf.d/50-ovirt-engine-extension-aaa-ldap.conf".
2015-09-22 20:21:47,448 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_AJP_ENABLED" is "true".
2015-09-22 20:21:47,450 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_AJP_PORT" is "8702".
2015-09-22 20:21:47,452 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_APPS" is "engine.ear restapi.war legacy_restapi.war".
2015-09-22 20:21:47,454 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_CACHE" is "/var/cache/ovirt-engine".
2015-09-22 20:21:47,456 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_DB_CHECK_INTERVAL" is "1000".
2015-09-22 20:21:47,457 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_DB_CONNECTION_TIMEOUT" is "300000".
2015-09-22 20:21:47,458 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_DB_DATABASE" is "engine".
2015-09-22 20:21:47,459 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_DB_DRIVER" is "org.postgresql.Driver".
2015-09-22 20:21:47,466 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_DB_HOST" is "localhost".
2015-09-22 20:21:47,467 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_DB_MAX_CONNECTIONS" is "100".
2015-09-22 20:21:47,468 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_DB_MIN_CONNECTIONS" is "1".
2015-09-22 20:21:47,469 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_DB_PASSWORD" is "***".
2015-09-22 20:21:47,470 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_DB_PORT" is "5432".
2015-09-22 20:21:47,472 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_DB_SECURED" is "False".
2015-09-22 20:21:47,473 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_DB_SECURED_VALIDATION" is "False".
2015-09-22 20:21:47,474 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_DB_URL" is "jdbc:postgresql://localhost:5432/engine?sslfactory=org.postgresql.ssl.NonValidatingFactory".
2015-09-22 20:21:47,476 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_DB_USER" is "engine".
2015-09-22 20:21:47,477 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_DEBUG_ADDRESS" is "".
2015-09-22 20:21:47,478 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_DOC" is "/usr/share/doc/ovirt-engine".
2015-09-22 20:21:47,479 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_ETC" is "/etc/ovirt-engine".
2015-09-22 20:21:47,480 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_EXTENSION_PATH" is "/usr/share/ovirt-engine/extensions.d:/etc/ovirt-engine/extensions.d".
2015-09-22 20:21:47,482 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_EXTERNAL_PROVIDERS_TRUST_STORE" is "/var/lib/ovirt-engine/external_truststore".
2015-09-22 20:21:47,484 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_EXTERNAL_PROVIDERS_TRUST_STORE_PASSWORD" is "***".
2015-09-22 20:21:47,485 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_EXTERNAL_PROVIDERS_TRUST_STORE_TYPE" is "JKS".
2015-09-22 20:21:47,486 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_FQDN" is "cstlb2.bnglab.psecure.net".
2015-09-22 20:21:47,488 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_GROUP" is "ovirt".
2015-09-22 20:21:47,489 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_HEAP_MAX" is "1024M".
2015-09-22 20:21:47,490 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_HEAP_MIN" is "1024M".
2015-09-22 20:21:47,491 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_HTTPS_ENABLED" is "false".
2015-09-22 20:21:47,492 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_HTTPS_PORT" is "None".
2015-09-22 20:21:47,493 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_HTTPS_PROTOCOLS" is "SSLv3,TLSv1,TLSv1.1,TLSv1.2".
2015-09-22 20:21:47,495 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_HTTP_ENABLED" is "false".
2015-09-22 20:21:47,496 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_HTTP_PORT" is "None".
2015-09-22 20:21:47,497 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_JAVA_MODULEPATH" is "/usr/share/ovirt-engine/modules:/usr/share/ovirt-engine-extension-aaa-ldap/modules".
2015-09-22 20:21:47,499 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_JVM_ARGS" is " -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath="/var/log/ovirt-engine/dump"".
2015-09-22 20:21:47,500 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_LOG" is "/var/log/ovirt-engine".
2015-09-22 20:21:47,502 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_LOG_TO_CONSOLE" is "false".
2015-09-22 20:21:47,503 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_MANUAL" is "/usr/share/ovirt-engine/manual".
2015-09-22 20:21:47,504 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_PERM_MAX" is "256m".
2015-09-22 20:21:47,506 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_PERM_MIN" is "256m".
2015-09-22 20:21:47,512 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_PKI" is "/etc/pki/ovirt-engine".
2015-09-22 20:21:47,514 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_PKI_CA" is "/etc/pki/ovirt-engine/ca.pem".
2015-09-22 20:21:47,515 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_PKI_ENGINE_CERT" is "/etc/pki/ovirt-engine/certs/engine.cer".
2015-09-22 20:21:47,516 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_PKI_ENGINE_STORE" is "/etc/pki/ovirt-engine/keys/engine.p12".
2015-09-22 20:21:47,518 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_PKI_ENGINE_STORE_ALIAS" is "1".
2015-09-22 20:21:47,519 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_PKI_ENGINE_STORE_PASSWORD" is "***".
2015-09-22 20:21:47,520 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_PKI_TRUST_STORE" is "/etc/pki/ovirt-engine/.truststore".
2015-09-22 20:21:47,522 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_PKI_TRUST_STORE_PASSWORD" is "***".
2015-09-22 20:21:47,526 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_PROPERTIES" is " java.awt.headless=true sun.rmi.dgc.client.gcInterval=3600000 sun.rmi.dgc.server.gcInterval=3600000 jsse.enableSNIExtension=false "java.security.krb5.conf=/etc/ovirt-engine/krb5.conf"".
2015-09-22 20:21:47,528 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_PROXY_ENABLED" is "true".
2015-09-22 20:21:47,530 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_PROXY_HTTPS_PORT" is "443".
2015-09-22 20:21:47,531 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_PROXY_HTTP_PORT" is "80".
2015-09-22 20:21:47,533 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_REPORTS_BASE_URL" is "".
2015-09-22 20:21:47,534 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_REPORTS_DASHBOARD_URL" is "/flow.html?viewAsDashboardFrame=true".
2015-09-22 20:21:47,535 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_REPORTS_NOT_INSTALLED_URL" is "/ovirt-engine/ReportsNotInstalled.html".
2015-09-22 20:21:47,537 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_REPORTS_PROXY_URL" is "/ovirt/reports-interface".
2015-09-22 20:21:47,538 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_REPORTS_READ_TIMEOUT" is "".
2015-09-22 20:21:47,539 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_REPORTS_RIGHTCLICK_URL" is "".
2015-09-22 20:21:47,540 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_REPORTS_VERIFY_CHAIN" is "true".
2015-09-22 20:21:47,541 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_REPORTS_VERIFY_HOST" is "true".
2015-09-22 20:21:47,543 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_STOP_INTERVAL" is "1".
2015-09-22 20:21:47,544 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_STOP_TIME" is "10".
2015-09-22 20:21:47,545 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_TMP" is "/var/tmp/ovirt-engine".
2015-09-22 20:21:47,546 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_UP_MARK" is "/var/lib/ovirt-engine/engine.up".
2015-09-22 20:21:47,548 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_URI" is "/ovirt-engine".
2015-09-22 20:21:47,549 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_USER" is "ovirt".
2015-09-22 20:21:47,551 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_USR" is "/usr/share/ovirt-engine".
2015-09-22 20:21:47,552 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_VAR" is "/var/lib/ovirt-engine".
2015-09-22 20:21:47,554 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "ENGINE_VERBOSE_GC" is "false".
2015-09-22 20:21:47,555 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "JBOSS_HOME" is "/usr/share/ovirt-engine-jboss-as".
2015-09-22 20:21:47,556 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "JBOSS_RUNTIME" is "/var/lib/ovirt-engine/jboss_runtime".
2015-09-22 20:21:47,558 INFO [org.ovirt.engine.core.uutils.config.ShellLikeConfd] (MSC service thread 1-5) Value of property "SENSITIVE_KEYS" is ",ENGINE_DB_PASSWORD,ENGINE_PKI_TRUST_STORE_PASSWORD,ENGINE_PKI_ENGINE_STORE_PASSWORD,ENGINE_EXTERNAL_PROVIDERS_TRUST_STORE_PASSWORD".
2015-09-22 20:21:47,754 INFO [org.ovirt.engine.core.bll.Backend] (MSC service thread 1-8) Start initializing Backend
2015-09-22 20:21:47,948 INFO [org.ovirt.engine.core.utils.osinfo.OsInfoPreferencesLoader] (MSC service thread 1-8) Loading file /etc/ovirt-engine/osinfo.conf.d/00-defaults.properties
2015-09-22 20:21:48,016 INFO [org.ovirt.engine.core.bll.Backend] (MSC service thread 1-8) Running ovirt-engine 3.5.4.2-1.el6
2015-09-22 20:21:48,016 INFO [org.ovirt.engine.core.bll.CpuFlagsManagerHandler] (MSC service thread 1-8) Start initializing dictionaries
2015-09-22 20:21:48,018 INFO [org.ovirt.engine.core.bll.CpuFlagsManagerHandler] (MSC service thread 1-8) Finished initializing dictionaries
2015-09-22 20:21:48,019 INFO [org.ovirt.engine.core.bll.AuditLogCleanupManager] (MSC service thread 1-8) Start initializing AuditLogCleanupManager
2015-09-22 20:21:48,021 INFO [org.ovirt.engine.core.bll.AuditLogCleanupManager] (MSC service thread 1-8) Setting audit cleanup manager to run at: 35 35 3 * * ?
2015-09-22 20:21:48,033 INFO [org.ovirt.engine.core.bll.AuditLogCleanupManager] (MSC service thread 1-8) Finished initializing AuditLogCleanupManager
2015-09-22 20:21:48,034 INFO [org.ovirt.engine.core.bll.AuditLogCleanupManager] (MSC service thread 1-8) Start initializing CommandEntityCleanupManager
2015-09-22 20:21:48,034 INFO [org.ovirt.engine.core.bll.AuditLogCleanupManager] (MSC service thread 1-8) Setting command entity cleanup manager to run at: 35 35 3 * * ?
2015-09-22 20:21:48,036 INFO [org.ovirt.engine.core.bll.AuditLogCleanupManager] (MSC service thread 1-8) Finished initializing CommandEntityCleanupManager
2015-09-22 20:21:48,037 INFO [org.ovirt.engine.core.bll.TagsDirector] (MSC service thread 1-8) Start initializing TagsDirector
2015-09-22 20:21:48,043 INFO [org.ovirt.engine.core.bll.TagsDirector] (MSC service thread 1-8) Tag root added to tree
2015-09-22 20:21:48,049 INFO [org.ovirt.engine.core.bll.TagsDirector] (MSC service thread 1-8) Finished initializing TagsDirector
2015-09-22 20:21:48,049 INFO [org.ovirt.engine.core.bll.IsoDomainListSyncronizer] (MSC service thread 1-8) Start initializing IsoDomainListSyncronizer
2015-09-22 20:21:48,054 INFO [org.ovirt.engine.core.bll.IsoDomainListSyncronizer] (MSC service thread 1-8) Finished initializing IsoDomainListSyncronizer
2015-09-22 20:21:48,098 INFO [org.ovirt.engine.core.bll.Backend] (MSC service thread 1-8) Completed initializing handlers
2015-09-22 20:21:48,122 INFO [org.ovirt.engine.core.utils.ErrorTranslatorImpl] (MSC service thread 1-8) Start initializing ErrorTranslatorImpl
2015-09-22 20:21:48,130 WARN [org.ovirt.engine.core.utils.ErrorTranslatorImpl] (MSC service thread 1-8) Code MAC_ADDRESS_IS_IN_USE appears more than once in string table.
2015-09-22 20:21:48,131 INFO [org.ovirt.engine.core.utils.ErrorTranslatorImpl] (MSC service thread 1-8) Finished initializing ErrorTranslatorImpl
2015-09-22 20:21:48,131 INFO [org.ovirt.engine.core.utils.ErrorTranslatorImpl] (MSC service thread 1-8) Start initializing ErrorTranslatorImpl
2015-09-22 20:21:48,132 INFO [org.ovirt.engine.core.utils.ErrorTranslatorImpl] (MSC service thread 1-8) Finished initializing ErrorTranslatorImpl
2015-09-22 20:21:48,133 INFO [org.ovirt.engine.core.bll.Backend] (MSC service thread 1-8) Mark incomplete jobs as UNKNOWN
2015-09-22 20:21:48,152 INFO [org.ovirt.engine.core.bll.job.JobRepositoryCleanupManager] (MSC service thread 1-8) Start initializing JobRepositoryCleanupManager
2015-09-22 20:21:48,153 INFO [org.ovirt.engine.core.bll.job.JobRepositoryCleanupManager] (MSC service thread 1-8) Finished initializing JobRepositoryCleanupManager
2015-09-22 20:21:48,153 INFO [org.ovirt.engine.core.bll.AutoRecoveryManager] (MSC service thread 1-8) Start initializing AutoRecoveryManager
2015-09-22 20:21:48,154 INFO [org.ovirt.engine.core.bll.AutoRecoveryManager] (MSC service thread 1-8) Finished initializing AutoRecoveryManager
2015-09-22 20:21:48,156 INFO [org.ovirt.engine.core.dal.job.ExecutionMessageDirector] (MSC service thread 1-8) Start initializing ExecutionMessageDirector
2015-09-22 20:21:48,157 INFO [org.ovirt.engine.core.dal.job.ExecutionMessageDirector] (MSC service thread 1-8) Finished initializing ExecutionMessageDirector
2015-09-22 20:21:48,184 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-8) Loading extension 'builtin-authn-internal'
2015-09-22 20:21:48,186 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-8) Extension 'builtin-authn-internal' loaded
2015-09-22 20:21:48,187 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-8) Loading extension 'internal'
2015-09-22 20:21:48,189 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-8) Extension 'internal' loaded
2015-09-22 20:21:48,193 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-8) Loading extension 'cloudspin-authn'
2015-09-22 20:21:48,232 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-8) Extension 'cloudspin-authn' loaded
2015-09-22 20:21:48,235 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-8) Loading extension 'cloudspin-authz'
2015-09-22 20:21:48,241 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-8) Extension 'cloudspin-authz' loaded
2015-09-22 20:21:48,242 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-8) Initializing extension 'cloudspin-authn'
2015-09-22 20:21:48,243 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-8) [ovirt-engine-extension-aaa-ldap.authn::cloudspin-authn] Creating LDAP pool 'authz'
2015-09-22 20:21:51,533 WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-8) [ovirt-engine-extension-aaa-ldap.authn::cloudspin-authn] Cannot initialize LDAP framework, deferring initialization.
Error: An error occurred while attempting to resolve address 'psbngdc01.psecure.net ': java.net.UnknownHostException: psbngdc01.psecure.net : Name or service not known
2015-09-22 20:21:51,534 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-8) Extension 'cloudspin-authn' initialized
2015-09-22 20:21:51,535 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-8) Initializing extension 'builtin-authn-internal'
2015-09-22 20:21:51,536 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-8) Extension 'builtin-authn-internal' initialized
2015-09-22 20:21:51,536 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-8) Initializing extension 'cloudspin-authz'
2015-09-22 20:21:51,537 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-8) [ovirt-engine-extension-aaa-ldap.authz::cloudspin-authz] Creating LDAP pool 'authz'
2015-09-22 20:21:51,538 WARN [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread 1-8) [ovirt-engine-extension-aaa-ldap.authz::cloudspin-authz] Cannot initialize LDAP framework, deferring initialization.
Error: An error occurred while attempting to resolve address 'psbngdc01.psecure.net ': java.net.UnknownHostException: psbngdc01.psecure.net
2015-09-22 20:21:51,539 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-8) Extension 'cloudspin-authz' initialized
2015-09-22 20:21:51,539 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-8) Initializing extension 'internal'
2015-09-22 20:21:51,540 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-8) Extension 'internal' initialized
2015-09-22 20:21:51,540 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-8) Start of enabled extensions list
2015-09-22 20:21:51,541 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-8) Instance name: 'cloudspin-authn', Extension name: 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.0.2', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.0.2-1.el6', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/profile1-authn.properties', Initialized: 'true'
2015-09-22 20:21:51,542 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-8) Instance name: 'builtin-authn-internal', Extension name: 'Internal Authn (Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: 'N/A', Initialized: 'true'
2015-09-22 20:21:51,543 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-8) Instance name: 'cloudspin-authz', Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.0.2', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.0.2-1.el6', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/profile1-authz.properties', Initialized: 'true'
2015-09-22 20:21:51,544 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-8) Instance name: 'internal', Extension name: 'Internal Authz (Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: 'N/A', Initialized: 'true'
2015-09-22 20:21:51,545 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-8) End of enabled extensions list
2015-09-22 20:21:51,606 INFO [org.ovirt.engine.core.bll.tasks.AsyncTaskManager] (MSC service thread 1-8) Initialization of AsyncTaskManager completed successfully.
2015-09-22 20:21:51,607 INFO [org.ovirt.engine.core.vdsbroker.ResourceManager] (MSC service thread 1-8) Start initializing ResourceManager
2015-09-22 20:21:51,647 INFO [org.ovirt.engine.core.vdsbroker.VdsManager] (MSC service thread 1-8) Entered VdsManager constructor
2015-09-22 20:21:51,666 INFO [org.ovirt.engine.core.vdsbroker.VdsManager] (MSC service thread 1-8) Initialize vdsBroker (10.204.206.7,54,321)
2015-09-22 20:21:51,746 INFO [org.ovirt.engine.core.bll.aaa.LogoutUserCommand] (ajp--127.0.0.1-8702-3) [2a118704] Running command: LogoutUserCommand internal: false.
2015-09-22 20:21:51,755 ERROR [org.ovirt.engine.core.bll.aaa.LogoutUserCommand] (ajp--127.0.0.1-8702-3) [2a118704] Transaction rolled-back for command: org.ovirt.engine.core.bll.aaa.LogoutUserCommand.
2015-09-22 20:21:51,756 INFO [org.ovirt.engine.core.vdsbroker.ResourceManager] (MSC service thread 1-8) VDS b8804829-6107-4486-8c98-5ee4c0f4e797 was added to the Resource Manager
2015-09-22 20:21:51,776 INFO [org.ovirt.engine.core.vdsbroker.ResourceManager] (MSC service thread 1-8) Finished initializing ResourceManager
2015-09-22 20:21:51,777 INFO [org.ovirt.engine.core.bll.OvfDataUpdater] (MSC service thread 1-8) Initialization of OvfDataUpdater completed successfully.
On Tue, Sep 22, 2015 at 8:20 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
Looks OK, now restart the engine and see if you have any error at /var/log/ovirt-engine/engine.log
----- Original Message -----
From: "Budur Nagaraju" <nbudoor@gmail.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: users@ovirt.org Sent: Tuesday, September 22, 2015 5:45:42 PM Subject: Re: [ovirt-users] LDAP Authentication
Below are the three files which I have modified.
[root@cstlb2 extensions.d]# cat profile1-authn.properties
ovirt.engine.extension.name = cloudspin-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = cloudspin
ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth
config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
[root@cstlb2 extensions.d]# ls
profile1-authn.properties  profile1-authz.properties
[root@cstlb2 extensions.d]# cat profile1-authz.properties
ovirt.engine.extension.name = cloudspin-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
[root@cstlb2 extensions.d]#
[root@cstlb2 aaa]# pwd
/etc/ovirt-engine/aaa
[root@cstlb2 aaa]# ls
ldap1.properties
[root@cstlb2 aaa]# cat ldap1.properties
#
# Select one
#
include = <openldap.properties>
#include = <389ds.properties>
#include = <rhds.properties>
#include = <ipa.properties>
#include = <iplanet.properties>
#include = <rfc2307.properties>
#include = <rfc2307-openldap.properties>

#
# Server
#
vars.server = my.abc.net

#
# Search user and its password.
#
vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=nbudoor,dc=net
vars.password = company

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
#pool.default.ssl.truststore.password = changeit
[root@cstlb2 aaa]#
On Tue, Sep 22, 2015 at 8:07 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:

> ----- Original Message -----
> > From: "Budur Nagaraju" <nbudoor@gmail.com>
> > To: "Alon Bar-Lev" <alonbl@redhat.com>
> > Cc: users@ovirt.org
> > Sent: Tuesday, September 22, 2015 5:35:16 PM
> > Subject: Re: [ovirt-users] LDAP Authentication
> >
> > It's too complicated, do you have any script or video?
>
> in 3.6 we have a setup script.
> for now:
>
> cp -r /usr/share/ovirt-engine/examples/simple/. /etc/ovirt-engine/
>
> this is written in the README.
>
> then customize files at /etc/ovirt-engine/extensions.d/* /etc/ovirt-engine/aaa/* to match your setup
>
> > On Tue, Sep 22, 2015 at 8:00 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
> >
> > > ----- Original Message -----
> > > > From: "Budur Nagaraju" <nbudoor@gmail.com>
> > > > To: "Alon Bar-Lev" <alonbl@redhat.com>
> > > > Cc: users@ovirt.org
> > > > Sent: Tuesday, September 22, 2015 5:24:36 PM
> > > > Subject: Re: [ovirt-users] LDAP Authentication
> > > >
> > > > HI Alon,
> > > >
> > > > Below is the configuration which I have done, but I am unable to search the users in the UI. Can you pls help me?
> > >
> > > you need three files, see the /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple
> > >
> > > > [root@cstlb2 aaa]# cat ldap1.properties
> > > > #
> > > > # Select one
> > > > #
> > > > include = <openldap.properties>
> > > > #include = <389ds.properties>
> > > > #include = <rhds.properties>
> > > > #include = <ipa.properties>
> > > > #include = <iplanet.properties>
> > > > #include = <rfc2307.properties>
> > > > #include = <rfc2307-openldap.properties>
> > > >
> > > > #
> > > > # Server
> > > > #
> > > > vars.server = my.abc.net
> > > >
> > > > #
> > > > # Search user and its password.
> > > > #
> > > > vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=abc,dc=net
> > > > vars.password = company1
> > > >
> > > > pool.default.serverset.single.server = ${global:vars.server}
> > > > pool.default.auth.simple.bindDN = ${global:vars.user}
> > > > pool.default.auth.simple.password = ${global:vars.password}
> > > >
> > > > # Create keystore, import certificate chain and uncomment
> > > > # if using ssl/tls.
> > > > #pool.default.ssl.startTLS = true
> > > > #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
> > > > #pool.default.ssl.truststore.password = changeit
> > > > [root@cstlb2 aaa]#
> > > >
> > > > On Tue, Sep 22, 2015 at 7:25 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
> > > >
> > > > > ----- Original Message -----
> > > > > > From: "Budur Nagaraju" <nbudoor@gmail.com>
> > > > > > To: users@ovirt.org
> > > > > > Sent: Tuesday, September 22, 2015 4:34:46 PM
> > > > > > Subject: [ovirt-users] LDAP Authentication
> > > > > >
> > > > > > HI All,
> > > > > >
> > > > > > Can someone help me in configuring LDAP authentication for Ovirt ?
> > > > >
> > > > > Please review:
> > > > > http://www.ovirt.org/Features/AAA
> > > > > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob...

please do not paste logs inline, either attach or pastebin.

please try to read errors and warnings before sending out; you have a trailing space in the configuration, I guess.

2015-09-22 20:21:51,533 WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-8) [ovirt-engine-extension-aaa-ldap.authn::cloudspin-authn] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to resolve address 'psbngdc01.psecure.net ': java.net.UnknownHostException: psbngdc01.psecure.net : Name or service not known

----- Original Message -----
From: "Budur Nagaraju" <nbudoor@gmail.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: users@ovirt.org
Sent: Tuesday, September 22, 2015 5:53:10 PM
Subject: Re: [ovirt-users] LDAP Authentication

Below is the log I have got,

Hello Budur,

I've done this recently. Alon, no offense, but the docs are not quite straightforward...

Requirements:
- LDAP server (obviously) - called here ldap.mydomain.com
- LDAP bind account - called here ldap@mydomain.com, password 'Passw@rd'
- At least one existing account in ldap, called user@mydomain.com

Please note, the most common issue will be DNS.

I'll describe in short what steps need to be taken. All this needs to be done on your engine host. In the end this was quite easy :)

1. Install the packages: ovirt-engine-extension-aaa-ldap and openldap-clients (these are only for testing your setup)

2. Test if ldap is working in general. (The extension uses the global catalog at least for AD, this was news to me):

   # ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H ldap://ldap.mydomain.com:3268/ -x \
       -D 'ldap@mydomain.com' -w Passw@rd -b '' '(userPrincipalName=user@mydomain.com)' cn userPrincipalName

   If this command does not return details of the user, do debug your ldap and continue once this works. Example:

   # extended LDIF
   #
   # LDAPv3
   # base <> with scope subtree
   # filter: (userPrincipalName=user@mydomain.com)
   # requesting: cn userPrincipalName
   # with pagedResults control: size=1024
   #

   # Some Name, some-ou, mydomain.com
   dn: CN=Some Name,OU=some-ou,DC=mydomain,DC=com
   cn: Some Name
   userPrincipalName: user@mydomain.com

   # search result
   search: 2
   result: 0 Success
   control: 1.2.840.113556.1.4.319 false MIQXGSGSGSgEABAA=
   pagedresults: cookie=

   # numResponses: 2
   # numEntries: 1

3. Copy the examples as mentioned from the readme.

4. You only need to modify /etc/ovirt-engine/aaa/int.m-box.de.properties; leave the rest as is.

5. There, set:

   vars.domain = ldap.mydomain.com
   vars.user = ldap@${global:vars.domain}
   vars.password = Passw@rd

6. Restart ovirt engine service

7. Log in as admin@internal and add user rights and roles from the new provider

Hope this helps.

On 22.09.2015 16:46, Budur Nagaraju wrote:
> [...]
--
Daniel Helgenberger
m box bewegtbild GmbH

P: +49/30/2408781-22
F: +49/30/2408781-10

ACKERSTR. 19
D-10115 BERLIN
www.m-box.de
www.monkeymen.tv

Managing directors: Martin Retschitzegger / Michaela Göllner
Commercial register: Amtsgericht Charlottenburg / HRB 112767

HI Alon,

Tried all the options but no luck. I have copied the logs to pastebin; below is the link. The warning message is that it is unable to resolve the DNS. Let me know whether I could get any help.

http://pastebin.com/7qN9QnHK

Thanks,
Nagaraju

On Tue, Sep 22, 2015 at 8:44 PM, Daniel Helgenberger <daniel.helgenberger@m-box.de> wrote:
> [...]

Below is the result I got when I ran the command ldapsearch:

[root@cstlb2 ~]# ldapsearch -E pr=1024/noprompt -H ldap://172.21.0.15:389 -x -D 'nbudoor@abc.net' -w company1
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
# with pagedResults control: size=1024
#

# search result
search: 2
result: 32 No such object
text: 0000208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT), data 0, best match of: ''

# numResponses: 1
[root@cstlb2 ~]#

On Wed, Sep 23, 2015 at 9:05 AM, Budur Nagaraju <nbudoor@gmail.com> wrote:
> [...]
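Daniel's step 2 and Nagaraju's run differ in one visible way: Daniel queried the global catalog on port 3268 with -b '' and got one entry back, Nagaraju queried port 389 with no base and got "result: 32 No such object". The following is an added example (not from this thread, not part of oVirt or openldap-clients) that parses ldapsearch LDIF output and turns the result code, the search base from the header comment and the number of entries into a verdict, so the "does the bind account see the test user?" check can be scripted rather than eyeballed. Both inputs are constructed from the outputs posted above, with line folding removed; they are not captured from a live directory, and the hint text for result 32 is the comparison of the two commands in the thread, not an oVirt message.

```python
"""Parse ldapsearch LDIF output and decide whether the test user was found.
Added example for this thread; not part of oVirt or openldap-clients."""
import re

# Constructed from Daniel's posted output (successful search on port 3268).
DANIEL_OK = """\
# base <> with scope subtree
# filter: (userPrincipalName=user@mydomain.com)
# requesting: cn userPrincipalName

# Some Name, some-ou, mydomain.com
dn: CN=Some Name,OU=some-ou,DC=mydomain,DC=com
cn: Some Name
userPrincipalName: user@mydomain.com

# search result
search: 2
result: 0 Success
control: 1.2.840.113556.1.4.319 false MIQXGSGSGSgEABAA=
pagedresults: cookie=

# numResponses: 2
# numEntries: 1
"""

# Constructed from Nagaraju's posted output (port 389, no -b); the 'text:'
# line is folded onto a continuation line the way ldapsearch prints it.
NAGARAJU_NO_OBJECT = """\
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL

# search result
search: 2
result: 32 No such object
text: 0000208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT), data 0, best match of:
 ''

# numResponses: 1
"""


def parse_ldif(text):
    """Return (header, entries, result): 'base'/'filter' from the comment
    header, one {attr: [values]} dict per dn: block, and the result block."""
    unfolded = re.sub(r"\n ", "", text)        # LDIF folds long lines with a leading space
    header, entries, current = {}, [], None
    result = {"code": None, "message": "", "text": ""}
    for line in unfolded.splitlines():
        if not line.strip():                   # blank line terminates an entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            m = re.match(r"#\s*base\s+<(.*?)>", line)
            if m:
                header["base"] = m.group(1)
            m = re.match(r"#\s*filter:\s*(.*)", line)
            if m:
                header["filter"] = m.group(1).strip()
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "dn":
            if current is not None:
                entries.append(current)
            current = {"dn": [value]}
        elif key == "result":                  # e.g. "result: 32 No such object"
            code, _, message = value.partition(" ")
            result["code"], result["message"] = int(code), message
        elif key == "text":
            result["text"] = value
        elif key in ("search", "control", "pagedresults"):
            continue
        elif current is not None:
            current.setdefault(key, []).append(value)
    if current is not None:
        entries.append(current)
    return header, entries, result


def check_user_search(text):
    """Summarise a run as {'code', 'entries', 'ok', 'hint'}."""
    header, entries, result = parse_ldif(text)
    verdict = {"code": result["code"], "entries": len(entries), "ok": False, "hint": ""}
    if result["code"] == 0 and entries:
        verdict["ok"] = True
        verdict["hint"] = "user found: " + entries[0]["dn"][0]
    elif result["code"] == 0:
        verdict["hint"] = "bind worked but filter %s matched nothing" % header.get("filter")
    elif result["code"] == 32 and header.get("base", "") == "":
        # Exactly the difference between the two commands in the thread:
        # -b '' is answered by the AD global catalog (3268), not a DC on 389.
        verdict["hint"] = ("subtree search from the empty base: answered by an AD global "
                           "catalog on port 3268, not by a domain controller on port 389; "
                           "pass -b with the domain base DN or use port 3268")
    else:
        verdict["hint"] = "LDAP result %s %s: %s" % (result["code"], result["message"], result["text"])
    return verdict
```

Pipe the real ldapsearch output into check_user_search() (for example via sys.stdin.read()) after the bind works; a verdict with ok set is the point at which it makes sense to move on to the oVirt properties files.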

Hi,

as Alon already said, you have a trailing space in your configuration:

  'my.abc.net ' <-- space at the end

Please remove this space and try again.

Ondra

On 09/23/2015 05:35 AM, Budur Nagaraju wrote:
> [...]
> > > > # > > > > vars.user = > > > > > > > uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=abc,dc=net > > > > vars.password = company1 > > > > > > > > pool.default.serverset.single.server = ${global:vars.server} > > > > pool.default.auth.simple.bindDN = ${global:vars.user} > > > > pool.default.auth.simple.password = ${global:vars.password} > > > > > > > > # Create keystore, import certificate chain and uncomment > > > > # if using ssl/tls. > > > > #pool.default.ssl.startTLS = true > > > > #pool.default.ssl.truststore.file = > > > > ${local:_basedir}/${global:vars.server}.jks > > > > #pool.default.ssl.truststore.password = changeit > > > > [root@cstlb2 aaa]# > > > > > > > > > > > > > > > > On Tue, Sep 22, 2015 at 7:25 PM, Alon Bar-Lev <alonbl@redhat.com <mailto:alonbl@redhat.com> <mailto:alonbl@redhat.com <mailto:alonbl@redhat.com>>> wrote: > > > > > > > > > > > > > > > > > > > ----- Original Message ----- > > > > > > From: "Budur Nagaraju" <nbudoor@gmail.com <mailto:nbudoor@gmail.com> <mailto:nbudoor@gmail.com <mailto:nbudoor@gmail.com>>> > > > > > > To:users@ovirt.org <mailto:To%3Ausers@ovirt.org> <mailto:users@ovirt.org <mailto:users@ovirt.org>> > > > > > > Sent: Tuesday, September 22, 2015 4:34:46 PM > > > > > > Subject: [ovirt-users] LDAP Authentication > > > > > > > > > > > > HI All, > > > > > > > > > > > > Can someone help me in configuring LDAP authentication for Ovirt ? > > > > > > > > > > Please review: > > > > >http://www.ovirt.org/Features/AAA > > > > > > > > > > > > >https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob... > > > > > > > > > > > > > > > >
-- Daniel Helgenberger m box bewegtbild GmbH
P: +49/30/2408781-22 F: +49/30/2408781-10
ACKERSTR. 19 D-10115 BERLIN
www.m-box.de www.monkeymen.tv
Managing directors: Martin Retschitzegger / Michaela Göllner Commercial register: Amtsgericht Charlottenburg / HRB 112767
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
Hi,

as Alon already said, you have trailing space in your configuration

'my.abc.net ' <-- space at the end

Please remove this space and try again.

Ondra

On 09/23/2015 05:35 AM, Budur Nagaraju wrote:
> HI Alon,
>
> Tried all the options but no luck,
>
> I have copied the logs in the pastebin, below is the link, warning message is that unable to resolve the DNS, let me know any help would I get.
>
> http://pastebin.com/7qN9QnHK
>
> Thanks,
> Nagaraju

HI All,

After rectifying this I am able to search the domain in the users in the UI, but unable to login, getting the below error:

2015-09-23 12:41:47,482 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for user nbudoor@abc.net. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION

Thanks,
Nagaraju

On Wed, Sep 23, 2015 at 12:13 PM, Ondra Machacek <omachace@redhat.com> wrote:
Hi,
as Alon already said, you have trailing space in your configuration
'my.abc.net ' <-- space at the end
Please remove this space and try again.
Ondra
On 09/23/2015 05:35 AM, Budur Nagaraju wrote:
HI Alon,
Tried all the options but no luck,
I have copied the logs in the pastebin, below is the link, warning message is that unable to resolve the DNS, let me know any help would I get.
Thanks, Nagaraju
On Tue, Sep 22, 2015 at 8:44 PM, Daniel Helgenberger <daniel.helgenberger@m-box.de> wrote:
Hello Budur,
I've done this recently. Alon, no offense, but the docs are not quite straightforward...
Requirements:
- LDAP server (obviously) - called here ldap.mydomain.com
- LDAP bind account - called here ldap@mydomain.com, password 'Passw@rd'
- At least one existing account in ldap, called user@mydomain.com
Please note, the most common issue will be DNS.
I'll describe in short what steps need to be taken. All this needs to be done on your engine host. In the end this was quite easy :)
1. Install the packages: ovirt-engine-extension-aaa-ldap and openldap-clients (these are only for testing your setup)
2. Test if ldap is working in general. (The extension uses the global catalog at least for AD, this was news to me):
# ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H ldap://ldap.mydomain.com:3268/ -x \
  -D 'ldap@mydomain.com' -w Passw@rd -b '' '(userPrincipalName=user@mydomain.com)' cn userPrincipalName
If this command does not return details of the user, do debug your ldap and continue once this works. Example:
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (userPrincipalName=user@mydomain.com)
# requesting: cn userPrincipalName
# with pagedResults control: size=1024
#

# Some Name, some-ou, mydomain.com
dn: CN=Some Name,OU=some-ou,DC=mydomain,DC=com
cn: Some Name
userPrincipalName: user@mydomain.com

# search result
search: 2
result: 0 Success
control: 1.2.840.113556.1.4.319 false MIQXGSGSGSgEABAA=
pagedresults: cookie=

# numResponses: 2
# numEntries: 1
3. Copy the examples as mentioned from the readme.
4. You only need to modify /etc/ovirt-engine/aaa/int.m-box.de.properties; leave the rest as is.
5. There, set:

vars.domain = ldap.mydomain.com
vars.user = ldap@${global:vars.domain}
vars.password = Passw@rd

6. Restart ovirt engine service
7. Log in as admin@internal and add user rights and roles from the new provider
Hope this helps.
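Daniel's step 5 and Ondra's trailing-space diagnosis above both come down to what ends up in the aaa properties file. The following is an added example, not oVirt project code: a small Python checker for such a profile that flags trailing whitespace in values, unresolved `${global:...}` references, and a simple bind configured without startTLS and a truststore. It assumes only the `key = value`, `include = <...>` and `${global:...}` syntax shown in the thread; the two sample profiles and the truststore password are constructed placeholders.

```python
"""Lint an ovirt-engine-extension-aaa-ldap profile (e.g. /etc/ovirt-engine/aaa/ldap1.properties).

Added example for this thread, not oVirt project code. It understands only the subset
of the syntax seen in the thread: '#' comments, 'key = value', 'include = <name>' and
'${global:key}' references to other keys in the same file.
"""
import re

GLOBAL_REF = re.compile(r"\$\{global:([^}]+)\}")


def parse_properties(text):
    """Return (dict key -> value, list of include names).
    Values keep trailing whitespace on purpose: the thread's bug was
    'vars.server = my.abc.net ' (note the space), which then broke DNS."""
    props, includes = {}, []
    for raw in text.splitlines():
        line = raw.lstrip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")   # first '=' only: DNs contain '='
        if not sep:
            continue
        key, value = key.strip(), value.lstrip()
        if key == "include":
            includes.append(value.strip().strip("<>"))
        else:
            props[key] = value
    return props, includes


def resolve(props, key, depth=0):
    """Expand ${global:...} references in props[key]; unknown refs stay literal."""
    value = props.get(key)
    if value is None or depth > 10:
        return value

    def expand(match):
        inner = resolve(props, match.group(1), depth + 1)
        return match.group(0) if inner is None else inner

    return GLOBAL_REF.sub(expand, value)


def lint(text):
    """Return a list of findings for one profile; an empty list means clean."""
    props, includes = parse_properties(text)
    findings = []
    if len(includes) != 1:
        findings.append(f"expected exactly one active 'include', found {len(includes)}")
    for key, value in props.items():
        if value != value.rstrip():
            findings.append(f"{key}: trailing whitespace in value {value!r}")
    server = resolve(props, "pool.default.serverset.single.server")
    if server is None:
        findings.append("no pool.default.serverset.single.server configured")
    elif "${" in server:
        findings.append(f"server has an unresolved reference: {server!r}")
    if "pool.default.auth.simple.bindDN" in props:
        starttls = props.get("pool.default.ssl.startTLS", "").strip().lower()
        if starttls != "true":
            findings.append("simple bind without pool.default.ssl.startTLS = true: "
                            "bind DN and password would cross the wire in clear")
        elif "pool.default.ssl.truststore.file" not in props:
            findings.append("startTLS enabled but no pool.default.ssl.truststore.file, "
                            "so the server certificate cannot be validated")
        if props.get("pool.default.ssl.truststore.password", "").strip() == "changeit":
            findings.append("truststore still uses the default password 'changeit'")
    return findings


# Constructed sample modelled on the thread's ldap1.properties: the trailing space
# Ondra pointed out is added explicitly, and the TLS lines are still commented out.
BROKEN = "\n".join([
    "include = <openldap.properties>",
    "#include = <389ds.properties>",
    "vars.server = my.abc.net" + " ",
    "vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,"
    "cn=Bangalore,cn=users,dc=abc,dc=net",
    "vars.password = company1",
    "pool.default.serverset.single.server = ${global:vars.server}",
    "pool.default.auth.simple.bindDN = ${global:vars.user}",
    "pool.default.auth.simple.password = ${global:vars.password}",
    "#pool.default.ssl.startTLS = true",
    "#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks",
    "#pool.default.ssl.truststore.password = changeit",
]) + "\n"

# Same profile with the space removed and the TLS lines enabled; the truststore
# password is a placeholder, not a real value.
FIXED = (BROKEN.replace("my.abc.net \n", "my.abc.net\n")
         .replace("\n#pool.default.ssl.", "\npool.default.ssl.")
         .replace("= changeit", "= <placeholder-truststore-password>"))

if __name__ == "__main__":
    for name, profile in (("broken", BROKEN), ("fixed", FIXED)):
        print(f"{name}: {lint(profile) or ['ok']}")
```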

Hi,

your user nbudoor@abc.net doesn't have appropriate permissions to login. First you need to login as 'admin@internal' and assign him some permissions, then you will be able to login.

Ondra

On 09/23/2015 09:15 AM, Budur Nagaraju wrote:
HI All,
After rectifying this I am able to search the domain in the users in the UI, but unable to login, getting the below error:
2015-09-23 12:41:47,482 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for user nbudoor@abc.net. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
Thanks, Nagaraju
On Wed, Sep 23, 2015 at 12:13 PM, Ondra Machacek <omachace@redhat.com> wrote:
Hi,
as Alon already said, you have trailing space in your configuration
'my.abc.net ' <-- space at the end
Please remove this space and try again.
Ondra
On 09/23/2015 05:35 AM, Budur Nagaraju wrote:
HI Alon,
Tried all the options but no luck,
I have copied the logs in the pastebin, below is the link, warning message is that unable to resolve the DNS, let me know any help would I get.
Thanks, Nagaraju
On Tue, Sep 22, 2015 at 8:44 PM, Daniel Helgenberger <daniel.helgenberger@m-box.de> wrote:
Hello Budur,
I've done this recently. Alon, no offense, but the docs are not quite straightforward...

Requirements:
- LDAP server (obviously) - called here ldap.mydomain.com
- LDAP bind account - called here ldap@mydomain.com, password 'Passw@rd'
- At least one existing account in LDAP, called user@mydomain.com
Please note, the most common issue will be DNS.
I'll describe in short what steps need to be taken. All this needs to be done on your engine host. In the end this was quite easy :)
1. Install the packages: ovirt-engine-extension-aaa-ldap and openldap-clients (these are only for testing your setup)
2. Test if ldap is working in general. (The extension uses the global catalog at least for AD, this was news to me):

   # ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H ldap://ldap.mydomain.com:3268/ -x \
       -D 'ldap@mydomain.com' -w Passw@rd -b '' '(userPrincipalName=user@mydomain.com)' cn userPrincipalName

If this command does not return details of the user, do debug your ldap and continue once this works. Example:

   # extended LDIF
   #
   # LDAPv3
   # base <> with scope subtree
   # filter: (userPrincipalName=user@mydomain.com)
   # requesting: cn userPrincipalName
   # with pagedResults control: size=1024
   #

   # Some Name, some-ou, mydomain.com
   dn: CN=Some Name,OU=some-ou,DC=mydomain,DC=com
   cn: Some Name
   userPrincipalName: user@mydomain.com

   # search result
   search: 2
   result: 0 Success
   control: 1.2.840.113556.1.4.319 false MIQXGSGSGSgEABAA=
   pagedresults: cookie=

   # numResponses: 2
   # numEntries: 1

3. Copy the examples as mentioned from the readme.
4. You only need to modify /etc/ovirt-engine/aaa/int.m-box.de.properties; leave the rest as is.
5. There, set:

   vars.domain = ldap.mydomain.com
   vars.user = ldap@${global:vars.domain}
   vars.password = Passw@rd

6. Restart ovirt engine service
7. Log in as admin@internal and add user rights and roles from the new provider
Hope this helps.
On 22.09.2015 16:46, Budur Nagaraju wrote:
>
> below are the three files which I have modified.
>
> [root@cstlb2 extensions.d]# cat profile1-authn.properties
> ovirt.engine.extension.name = cloudspin-authn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> ovirt.engine.aaa.authn.profile.name = cloudspin
> ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth
> config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
>
> [root@cstlb2 extensions.d]# ls
> profile1-authn.properties profile1-authz.properties
> [root@cstlb2 extensions.d]# cat profile1-authz.properties
> ovirt.engine.extension.name = cloudspin-authz
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
> [root@cstlb2 extensions.d]#
>
> [root@cstlb2 aaa]# pwd
> /etc/ovirt-engine/aaa
> [root@cstlb2 aaa]# ls
> ldap1.properties
> [root@cstlb2 aaa]# cat ldap1.properties
> #
> # Select one
> #
> include = <openldap.properties>
> #include = <389ds.properties>
> #include = <rhds.properties>
> #include = <ipa.properties>
> #include = <iplanet.properties>
> #include = <rfc2307.properties>
> #include = <rfc2307-openldap.properties>
>
> #
> # Server
> #
> vars.server = my.abc.net
>
> #
> # Search user and its password.
> #
> vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=nbudoor,dc=net
> vars.password = company
>
> pool.default.serverset.single.server = ${global:vars.server}
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
>
> # Create keystore, import certificate chain and uncomment
> # if using ssl/tls.
> #pool.default.ssl.startTLS = true
> #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
> #pool.default.ssl.truststore.password = changeit
> [root@cstlb2 aaa]#
>
> On Tue, Sep 22, 2015 at 8:07 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
>
> ----- Original Message -----
> > From: "Budur Nagaraju" <nbudoor@gmail.com>
> > To: "Alon Bar-Lev" <alonbl@redhat.com>
> > Cc: users@ovirt.org
> > Sent: Tuesday, September 22, 2015 5:35:16 PM
> > Subject: Re: [ovirt-users] LDAP Authentication
> >
> > its too complicated ,you have any script or video ?
>
> in 3.6 we have a setup script.
> for now:
>
> cp -r /usr/share/ovirt-engine/examples/simple/. /etc/ovirt-engine/
>
> this is written in the README.
>
> then customize files at /etc/ovirt-engine/extensions.d/* /etc/ovirt-engine/aaa/* to match your setup
>
> > On Tue, Sep 22, 2015 at 8:00 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
> > >
> > > ----- Original Message -----
> > > > From: "Budur Nagaraju" <nbudoor@gmail.com>
> > > > To: "Alon Bar-Lev" <alonbl@redhat.com>
> > > > Cc: users@ovirt.org
> > > > Sent: Tuesday, September 22, 2015 5:24:36 PM
> > > > Subject: Re: [ovirt-users] LDAP Authentication
> > > >
> > > > HI Alon,
> > > >
> > > > Below is the configuration which I have done ,but unable to search the users in UI
> > > > can you pls help me ?
> > >
> > > you need three files, see the
> > > /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple
> > >
> > > > [root@cstlb2 aaa]# cat ldap1.properties
> > > > #
> > > > # Select one
> > > > #
> > > > include = <openldap.properties>
> > > > #include = <389ds.properties>
> > > > #include = <rhds.properties>
> > > > #include = <ipa.properties>
> > > > #include = <iplanet.properties>
> > > > #include = <rfc2307.properties>
> > > > #include = <rfc2307-openldap.properties>
> > > >
> > > > #
> > > > # Server
> > > > #
> > > > vars.server =my.abc.net
> > > >
> > > > #
> > > > # Search user and its password.
> > > > #
> > > > vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=abc,dc=net
> > > > vars.password = company1
> > > >
> > > > pool.default.serverset.single.server = ${global:vars.server}
> > > > pool.default.auth.simple.bindDN = ${global:vars.user}
> > > > pool.default.auth.simple.password = ${global:vars.password}
> > > >
> > > > # Create keystore, import certificate chain and uncomment
> > > > # if using ssl/tls.
> > > > #pool.default.ssl.startTLS = true
> > > > #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
> > > > #pool.default.ssl.truststore.password = changeit
> > > > [root@cstlb2 aaa]#
> > > >
> > > > On Tue, Sep 22, 2015 at 7:25 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
> > > > >
> > > > > ----- Original Message -----
> > > > > > From: "Budur Nagaraju" <nbudoor@gmail.com>
> > > > > > To: users@ovirt.org
> > > > > > Sent: Tuesday, September 22, 2015 4:34:46 PM
> > > > > > Subject: [ovirt-users] LDAP Authentication
> > > > > >
> > > > > > HI All,
> > > > > >
> > > > > > Can someone help me in configuring LDAP authentication for Ovirt ?
> > > > >
> > > > > Please review:
> > > > > http://www.ovirt.org/Features/AAA
> > > > > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob...
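Two things in this thread are easy to catch before restarting the engine: the trailing space that Ondra spotted in `vars.server` (a Java-style property reader keeps trailing whitespace, so the hostname sent to the resolver is literally 'my.abc.net '), and the fact that the authn file must refer to the authz extension by the name that file declares in ovirt.engine.extension.name (the quoted profile1-authn.properties says cloudspin-auth while profile1-authz.properties is named cloudspin-authz). The following pre-flight lint is an added example written for this page; it is not code from the thread or from the ovirt-engine-extension-aaa-ldap project. It parses the three files Alon refers to, expands ${global:KEY} references against the same file (an assumption that is sufficient for the vars.* keys used here, not the extension's real scoping), and reports both mistakes. The required-key list is an assumption, and the file contents are constructed to mirror the quoted configuration with the password replaced by a placeholder.

```python
"""Pre-flight lint for oVirt aaa-ldap property files (added example, not from
the thread or from ovirt-engine-extension-aaa-ldap)."""
import re

GLOBAL_REF = re.compile(r"\$\{global:([^}]+)\}")

# Keys a profile must provide after reference resolution. Assumption: this is
# the minimum set used by the thread's ldap1.properties, not the extension's
# full list.
REQUIRED_PROFILE_KEYS = (
    "pool.default.serverset.single.server",
    "pool.default.auth.simple.bindDN",
    "pool.default.auth.simple.password",
)


def parse_properties(text):
    """Parse 'key = value' lines. Keys are stripped; values keep trailing
    whitespace on purpose so check_profile can report it. Blank lines,
    '#' comments and lines without '=' are skipped."""
    props = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.lstrip()
    return props


def resolve_globals(props):
    """Expand ${global:KEY} against the same file (assumption: the profile only
    refers to its own vars.* keys); unknown keys stay unexpanded."""
    def expand(match):
        return props.get(match.group(1), match.group(0))
    return {k: GLOBAL_REF.sub(expand, v) for k, v in props.items()}


def check_profile(text):
    """Return human-readable findings for one aaa profile file."""
    props = parse_properties(text)
    findings = []
    for key, value in props.items():
        if value != value.rstrip():
            findings.append("%s: value %r has trailing whitespace" % (key, value))
    resolved = resolve_globals(props)
    for key in REQUIRED_PROFILE_KEYS:
        if not resolved.get(key, "").strip():
            findings.append("%s: missing or empty" % key)
    for key, value in resolved.items():
        if GLOBAL_REF.search(value):
            findings.append("%s: unresolved reference in %r" % (key, value))
    return findings


def check_extension_pair(authn_text, authz_text):
    """The authn file must name the authz extension, and both must point at
    the same profile file."""
    authn = parse_properties(authn_text)
    authz = parse_properties(authz_text)
    findings = []
    wanted = authn.get("ovirt.engine.aaa.authn.authz.plugin", "").strip()
    actual = authz.get("ovirt.engine.extension.name", "").strip()
    if wanted != actual:
        findings.append("authn refers to authz plugin %r but the authz "
                        "extension is named %r" % (wanted, actual))
    authn_profile = authn.get("config.profile.file.1", "").strip()
    authz_profile = authz.get("config.profile.file.1", "").strip()
    if not authn_profile or not authz_profile:
        findings.append("config.profile.file.1 must be set in both files")
    elif authn_profile != authz_profile:
        findings.append("authn and authz point at different profile files")
    return findings


# Constructed samples mirroring the files quoted in the thread.
SAMPLE_PROFILE_BAD = "\n".join([
    "include = <openldap.properties>",
    "# Server",
    "vars.server = my.abc.net" + " ",   # deliberate trailing space, the bug Ondra found
    "# Search user and its password.",
    "vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=abc,dc=net",
    "vars.password = <placeholder>",
    "pool.default.serverset.single.server = ${global:vars.server}",
    "pool.default.auth.simple.bindDN = ${global:vars.user}",
    "pool.default.auth.simple.password = ${global:vars.password}",
]) + "\n"
SAMPLE_PROFILE_FIXED = SAMPLE_PROFILE_BAD.replace("my.abc.net \n", "my.abc.net\n")

SAMPLE_AUTHN = "\n".join([
    "ovirt.engine.extension.name = cloudspin-authn",
    "ovirt.engine.extension.bindings.method = jbossmodule",
    "ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn",
    "ovirt.engine.aaa.authn.profile.name = cloudspin",
    "ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth",   # does not match the authz name
    "config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties",
]) + "\n"
SAMPLE_AUTHZ = "\n".join([
    "ovirt.engine.extension.name = cloudspin-authz",
    "ovirt.engine.extension.bindings.method = jbossmodule",
    "ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz",
    "config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties",
]) + "\n"

if __name__ == "__main__":
    for label, found in (
        ("ldap1.properties (as posted)", check_profile(SAMPLE_PROFILE_BAD)),
        ("ldap1.properties (space removed)", check_profile(SAMPLE_PROFILE_FIXED)),
        ("authn/authz pair", check_extension_pair(SAMPLE_AUTHN, SAMPLE_AUTHZ)),
    ):
        print(label, "->", found or "OK")
```

To run it against a real engine host, read the three files under /etc/ovirt-engine/extensions.d and /etc/ovirt-engine/aaa and pass their contents to check_profile and check_extension_pair; the same whitespace check also applies to the bind DN and password, since a trailing space there silently changes the credential.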

Provided the "user role" permissions, still the same issue.

On Wed, Sep 23, 2015 at 12:48 PM, Ondra Machacek <omachace@redhat.com> wrote:
Hi,
your user nbudoor@abc.net doesn't have appropriate permissions to log in. First you need to log in as 'admin@internal' and assign him some permissions, then you will be able to log in.
Ondra
On 09/23/2015 09:15 AM, Budur Nagaraju wrote:
HI All,
After rectifying this able to search the domain in the users in UI, but unable to login getting the below error ,
2015-09-23 12:41:47,482 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for user nbudoor@abc.net. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
Thanks, Nagaraju
On Wed, Sep 23, 2015 at 12:13 PM, Ondra Machacek <omachace@redhat.com> wrote:
Hi,
as Alon already said, you have trailing space in your configuration
'my.abc.net ' <-- space at the end
Please remove this space and try again.
Ondra
On 09/23/2015 05:35 AM, Budur Nagaraju wrote:
HI Alon,
Tried all the options but no luck ,
I have copied the logs in the pastebin below is the link , warning message is that unable to resolve the DNS ,let me know any help would I get .
Thanks, Nagaraju
On Tue, Sep 22, 2015 at 8:44 PM, Daniel Helgenberger < <daniel.helgenberger@m-box.de>daniel.helgenberger@m-box.de> wrote:
Hello Budur,
I've done this recently. Alon, no offense, but the docs are not quite strait forward...
Requirements: - LDAP server (obviously) - called here ldap.mydomain.com - LDAP bind account - called here <ldap@mydomain.com>ldap@mydomain.com, password 'Passw@rd' - At least one existing account in ladp, called user@mydomain.com
Please note, the most common issue will be DNS.
I'll describe in short what steps need to be taken. All this needs to be done on your engine host. In the end this was quite easy :)
1. Install the packages: ovirt-engine-extension-aaa-ldap and openldap-clients (these are only for testing your setup) 2. Test if ldap is working in general. (The extension uses the global catalog at least for AD, this was news to me): # ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H ldap:// ldap.mydomain.com:3268/ -x \ -D 'ldap@mydomain.com' -w Passw@rd -b '' '(userPrincipalName= <user@mydomian.com>user@mydomian.com)' cn userPrincipalName
If this command does not return details of the user, do debug your ldap and continue once this works. Example:
# extended LDIF # # LDAPv3 # base <> with scope subtree # filter: (userPrincipalName= <user@mydomain.com>user@mydomain.com) # requesting: cn userPrincipalName # with pagedResults control: size=1024 #
# Some Name, some-ou, mydomain.com dn: CN=Some Name,OU=some-ou,DC=mydomain,DC=com cn: Some Name userPrincipalName: user@mydomain.com
# search result search: 2 result: 0 Success control: 1.2.840.113556.1.4.319 false MIQXGSGSGSgEABAA= pagedresults: cookie=
# numResponses: 2 # numEntries: 1
3. Copy the examples as mentioned from the readme. 4. You only need to modify /etc/ovirt-engine/aaa/int.m-box.de.properties; leave the rest as is. 5. There, set:
vars.domain = ldap.mydomain.com vars.user = ldap@${global:vars.domain} vars.password = Passw@rd
6. Restart ovirt engine service 7. Log in as admin@einternal and add user rights and roles from the new provider
Hope this helps.
On 22.09.2015 16:46, Budur Nagaraju wrote:
below are the three files which I have modified.

[root@cstlb2 extensions.d]# cat profile1-authn.properties
ovirt.engine.extension.name = cloudspin-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = cloudspin
ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth
config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties

[root@cstlb2 extensions.d]# ls
profile1-authn.properties profile1-authz.properties
[root@cstlb2 extensions.d]# cat profile1-authz.properties
ovirt.engine.extension.name = cloudspin-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
[root@cstlb2 extensions.d]#

[root@cstlb2 aaa]# pwd
/etc/ovirt-engine/aaa
[root@cstlb2 aaa]# ls
ldap1.properties
[root@cstlb2 aaa]# cat ldap1.properties
#
# Select one
#
include = <openldap.properties>
#include = <389ds.properties>
#include = <rhds.properties>
#include = <ipa.properties>
#include = <iplanet.properties>
#include = <rfc2307.properties>
#include = <rfc2307-openldap.properties>

#
# Server
#
vars.server = my.abc.net

#
# Search user and its password.
#
vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=nbudoor,dc=net
vars.password = company

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
#pool.default.ssl.truststore.password = changeit
[root@cstlb2 aaa]#
On Tue, Sep 22, 2015 at 8:07 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
----- Original Message -----
> From: "Budur Nagaraju" <nbudoor@gmail.com>
> To: "Alon Bar-Lev" <alonbl@redhat.com>
> Cc: users@ovirt.org
> Sent: Tuesday, September 22, 2015 5:35:16 PM
> Subject: Re: [ovirt-users] LDAP Authentication
>
> its too complicated, you have any script or video ?
in 3.6 we have a setup script. for now:
cp -r /usr/share/ovirt-engine/examples/simple/. /etc/ovirt-engine/
this is written in the README.
then customize files at /etc/ovirt-engine/extensions.d/* /etc/ovirt-engine/aaa/* to match your setup
-- Daniel Helgenberger m box bewegtbild GmbH
P: +49/30/2408781-22 F: +49/30/2408781-10
ACKERSTR. 19 D-10115 BERLIN
www.m-box.de www.monkeymen.tv
Managing directors: Martin Retschitzegger / Michaela Göllner
Commercial register: Amtsgericht Charlottenburg / HRB 112767
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

With UserRole you can only login to UserPortal, not webadmin. Do you have this issue when you try to login to UserPortal?
On 09/23/2015 09:22 AM, Budur Nagaraju wrote:
Provided the "user role" permissions still same issue
On Wed, Sep 23, 2015 at 12:48 PM, Ondra Machacek <omachace@redhat.com> wrote:
Hi,
your user nbudoor@abc.net doesn't have appropriate permissions to login. First you need to login as 'admin@internal' and assign him some permissions, then you will be able to login.
Ondra
On 09/23/2015 09:15 AM, Budur Nagaraju wrote:
HI All,
After rectifying this I am able to search the domain in the users UI, but unable to login, getting the below error:
2015-09-23 12:41:47,482 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for user nbudoor@abc.net. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
Thanks, Nagaraju
On Wed, Sep 23, 2015 at 12:13 PM, Ondra Machacek <omachace@redhat.com> wrote:
Hi,
as Alon already said, you have trailing space in your configuration
'my.abc.net ' <-- space at the end
Please remove this space and try again.
Ondra
On 09/23/2015 05:35 AM, Budur Nagaraju wrote:
HI Alon,
Tried all the options but no luck.
I have copied the logs to the pastebin; below is the link. The warning message is that it is unable to resolve the DNS. Let me know, any help would be appreciated.
http://pastebin.com/7qN9QnHK
Thanks, Nagaraju
On Tue, Sep 22, 2015 at 8:44 PM, Daniel Helgenberger <daniel.helgenberger@m-box.de> wrote:
Hello Budur,
I've done this recently. Alon, no offense, but the docs are not quite straightforward...
Requirements:
- LDAP server (obviously) - called here ldap.mydomain.com
- LDAP bind account - called here ldap@mydomain.com, password 'Passw@rd'
- At least one existing account in ldap, called user@mydomain.com
Please note, the most common issue will be DNS.
I'll describe in short what steps need to be taken. All this needs to be done on your engine host. In the end this was quite easy :)
1. Install the packages: ovirt-engine-extension-aaa-ldap and openldap-clients (these are only for testing your setup)
2. Test if ldap is working in general. (The extension uses the global catalog at least for AD, this was news to me):
# ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H ldap://ldap.mydomain.com:3268/ -x \
  -D 'ldap@mydomain.com' -w Passw@rd -b '' '(userPrincipalName=user@mydomain.com)' cn userPrincipalName
If this command does not return details of the user, do debug your ldap and continue once this works. Example:
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (userPrincipalName=user@mydomain.com)
# requesting: cn userPrincipalName
# with pagedResults control: size=1024
#

# Some Name, some-ou, mydomain.com
dn: CN=Some Name,OU=some-ou,DC=mydomain,DC=com
cn: Some Name
userPrincipalName: user@mydomain.com

# search result
search: 2
result: 0 Success
control: 1.2.840.113556.1.4.319 false MIQXGSGSGSgEABAA=
pagedresults: cookie=

# numResponses: 2
# numEntries: 1

3. Copy the examples as mentioned from the readme.
4. You only need to modify /etc/ovirt-engine/aaa/int.m-box.de.properties; leave the rest as is.
5. There, set:

vars.domain = ldap.mydomain.com
vars.user = ldap@${global:vars.domain}
vars.password = Passw@rd

6. Restart ovirt engine service
7. Log in as admin@internal and add user rights and roles from the new provider
Hope this helps.
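Ondra's diagnosis above (the trailing space in vars.server), Daniel's profile edits and the three files Budur posted all come down to getting a few properties files right, so here is a small linter for them as an added example; it is not code from the thread or from the oVirt project. It parses the profile format shown in the thread, resolves ${global:...} references, reports trailing whitespace in resolved values, reports a simple-bind password with pool.default.ssl.startTLS still commented out (it looks only at that key, the one the posted file carries), and cross-checks that the authn file's ovirt.engine.aaa.authn.authz.plugin names the authz extension; the sample inputs are constructed from the configs in the thread.

```python
import re

# Constructed sample modelled on the ldap1.properties Budur posted, including
# the trailing space after the server name that Alon and Ondra spotted.
LDAP_PROFILE = (
    "include = <openldap.properties>\n"
    "vars.server = my.abc.net \n"                       # <-- trailing space
    "vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,"
    "cn=Bangalore,cn=users,dc=nbudoor,dc=net\n"
    "vars.password = company\n"
    "pool.default.serverset.single.server = ${global:vars.server}\n"
    "pool.default.auth.simple.bindDN = ${global:vars.user}\n"
    "pool.default.auth.simple.password = ${global:vars.password}\n"
    "# Create keystore, import certificate chain and uncomment if using ssl/tls.\n"
    "#pool.default.ssl.startTLS = true\n"
)
# Constructed from the two extensions.d files in the thread (only the keys the
# cross-check needs); authz.plugin says cloudspin-auth, the authz file says cloudspin-authz.
AUTHN_EXTENSION = (
    "ovirt.engine.extension.name = cloudspin-authn\n"
    "ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn\n"
    "ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth\n"
)
AUTHZ_EXTENSION = (
    "ovirt.engine.extension.name = cloudspin-authz\n"
    "ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz\n"
)

REQUIRED_KEYS = ("include", "pool.default.serverset.single.server",
                 "pool.default.auth.simple.bindDN", "pool.default.auth.simple.password")
GLOBAL_REF = re.compile(r"\$\{global:([^}]+)\}")


def parse_properties(text):
    """Return {key: value}. Whitespace around the key and before the value is
    dropped, but trailing whitespace in the value is kept so the checks can
    see it: that is exactly what the engine saw in vars.server."""
    props = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or "=" not in line:
            continue  # blank line, comment (a commented-out key is unset) or junk
        key, value = line.split("=", 1)
        props[key.strip()] = value.lstrip()
    return props


def resolve(props, value, depth=0):
    """Expand ${global:key} references recursively; unknown keys and
    ${local:...} references are left as written."""
    if depth > 10:
        raise ValueError("reference loop while resolving %r" % value)

    def expand(match):
        key = match.group(1)
        return resolve(props, props[key], depth + 1) if key in props else match.group(0)
    return GLOBAL_REF.sub(expand, value)


def check_ldap_profile(text):
    """Lint one aaa/*.properties profile; an empty list means it passed."""
    props = parse_properties(text)
    findings = ["missing required key %s" % k for k in REQUIRED_KEYS if k not in props]
    for key, raw in props.items():
        for ref in GLOBAL_REF.findall(raw):
            if ref not in props:
                findings.append("%s references undefined ${global:%s}" % (key, ref))
        value = resolve(props, raw)
        if value != value.rstrip():
            # "my.abc.net " goes to the resolver with the space, hence the
            # "unable to resolve" warnings in the engine log.
            findings.append("trailing whitespace in %s (resolves to %r)" % (key, value))
    password = resolve(props, props.get("pool.default.auth.simple.password", ""))
    if password and props.get("pool.default.ssl.startTLS", "").strip().lower() != "true":
        findings.append("simple bind password is set but pool.default.ssl.startTLS is "
                        "not enabled, so the bind is not protected by STARTTLS")
    return findings


def check_extension_pair(authn_text, authz_text):
    """The authn extension's authz.plugin must be the authz extension's name."""
    authn, authz = parse_properties(authn_text), parse_properties(authz_text)
    wanted = authn.get("ovirt.engine.aaa.authn.authz.plugin", "").strip()
    actual = authz.get("ovirt.engine.extension.name", "").strip()
    if wanted != actual:
        return ["authn points at authz plugin %r but the authz extension is named %r"
                % (wanted, actual)]
    return []


def strip_trailing_whitespace(text):
    """Ondra's fix, applied to every line: drop the trailing space."""
    return "".join(line.rstrip() + "\n" for line in text.splitlines())


if __name__ == "__main__":
    for f in check_ldap_profile(LDAP_PROFILE) + check_extension_pair(AUTHN_EXTENSION, AUTHZ_EXTENSION):
        print("FINDING:", f)
    print("after fix:", check_ldap_profile(strip_trailing_whitespace(LDAP_PROFILE)))
```

Run it against /etc/ovirt-engine/aaa/*.properties and the matching extensions.d files before restarting the engine; the startTLS finding goes away once the keystore step in the file's own comment has been done and the line uncommented.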

yeah facing issues while logging to the user portal.

On Wed, Sep 23, 2015 at 12:54 PM, Ondra Machacek <omachace@redhat.com> wrote:
With UserRole you can only login to UserPortal, not webadmin. Do you have this issue when you try to login to UserPortal?
On 09/23/2015 09:22 AM, Budur Nagaraju wrote:
Provided the "user role" permissions, still the same issue.
On Wed, Sep 23, 2015 at 12:48 PM, Ondra Machacek <omachace@redhat.com> wrote:
Hi,
your user nbudoor@abc.net doesn't have appropriate permissions to login. First you need to login as 'admin@internal' and assign him some permissions, then you will be able to login.
Ondra
On 09/23/2015 09:15 AM, Budur Nagaraju wrote:
HI All,
After rectifying this I am able to search the domain users in the UI, but unable to login; I get the below error:

2015-09-23 12:41:47,482 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for user nbudoor@abc.net. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
Thanks, Nagaraju
On Wed, Sep 23, 2015 at 12:13 PM, Ondra Machacek <omachace@redhat.com> wrote:
Hi,
as Alon already said, you have trailing space in your configuration
'my.abc.net ' <-- space at the end
Please remove this space and try again.
Ondra
On 09/23/2015 05:35 AM, Budur Nagaraju wrote:
HI Alon,
Tried all the options but no luck.
I have copied the logs to pastebin, below is the link; the warning message is that it is unable to resolve the DNS. Let me know, any help would be welcome.

http://pastebin.com/7qN9QnHK
Thanks, Nagaraju
On Tue, Sep 22, 2015 at 8:44 PM, Daniel Helgenberger <daniel.helgenberger@m-box.de> wrote:
Hello Budur,
I've done this recently. Alon, no offense, but the docs are not quite straightforward...

Requirements:
- LDAP server (obviously) - called here ldap.mydomain.com
- LDAP bind account - called here ldap@mydomain.com, password 'Passw@rd'
- At least one existing account in LDAP, called user@mydomain.com

Please note, the most common issue will be DNS.

I'll describe in short what steps need to be taken. All this needs to be done on your engine host. In the end this was quite easy :)

1. Install the packages: ovirt-engine-extension-aaa-ldap and openldap-clients (these are only for testing your setup)
2. Test if ldap is working in general. (The extension uses the global catalog at least for AD, this was news to me):

# ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H ldap://ldap.mydomain.com:3268/ -x \
  -D 'ldap@mydomain.com' -w Passw@rd -b '' '(userPrincipalName=user@mydomain.com)' cn userPrincipalName

If this command does not return details of the user, do debug your ldap and continue once this works. Example:

# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (userPrincipalName=user@mydomain.com)
# requesting: cn userPrincipalName
# with pagedResults control: size=1024
#

# Some Name, some-ou, mydomain.com
dn: CN=Some Name,OU=some-ou,DC=mydomain,DC=com
cn: Some Name
userPrincipalName: user@mydomain.com

# search result
search: 2
result: 0 Success
control: 1.2.840.113556.1.4.319 false MIQXGSGSGSgEABAA=
pagedresults: cookie=

# numResponses: 2
# numEntries: 1

3. Copy the examples as mentioned from the readme.
4. You only need to modify /etc/ovirt-engine/aaa/int.m-box.de.properties; leave the rest as is.
5. There, set:

vars.domain = ldap.mydomain.com
vars.user = ldap@${global:vars.domain}
vars.password = Passw@rd

6. Restart ovirt engine service
7. Log in as admin@internal and add user rights and roles from the new provider
Hope this helps.
On 22.09.2015 16:46, Budur Nagaraju wrote:
below are the three files which I have modified.
[root@cstlb2 extensions.d]# cat profile1-authn.properties
ovirt.engine.extension.name = cloudspin-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = cloudspin
ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth
config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties

[root@cstlb2 extensions.d]# ls
profile1-authn.properties  profile1-authz.properties
[root@cstlb2 extensions.d]# cat profile1-authz.properties
ovirt.engine.extension.name = cloudspin-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
[root@cstlb2 extensions.d]#

[root@cstlb2 aaa]# pwd
/etc/ovirt-engine/aaa
[root@cstlb2 aaa]# ls
ldap1.properties
[root@cstlb2 aaa]# cat ldap1.properties
#
# Select one
#
include = <openldap.properties>
#include = <389ds.properties>
#include = <rhds.properties>
#include = <ipa.properties>
#include = <iplanet.properties>
#include = <rfc2307.properties>
#include = <rfc2307-openldap.properties>

#
# Server
#
vars.server = my.abc.net 

#
# Search user and its password.
#
vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=nbudoor,dc=net
vars.password = company

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
#pool.default.ssl.truststore.password = changeit
[root@cstlb2 aaa]#
On Tue, Sep 22, 2015 at 8:07 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
----- Original Message -----
> From: "Budur Nagaraju" <nbudoor@gmail.com>
> To: "Alon Bar-Lev" <alonbl@redhat.com>
> Cc: users@ovirt.org
> Sent: Tuesday, September 22, 2015 5:35:16 PM
> Subject: Re: [ovirt-users] LDAP Authentication
>
> It's too complicated, do you have any script or video?
in 3.6 we have a setup script. for now:
cp -r /usr/share/ovirt-engine/examples/simple/. /etc/ovirt-engine/
this is written in the README.
then customize files at /etc/ovirt-engine/extensions.d/* /etc/ovirt-engine/aaa/* to match your setup
--
Daniel Helgenberger
m box bewegtbild GmbH

P: +49/30/2408781-22
F: +49/30/2408781-10

ACKERSTR. 19
D-10115 BERLIN

www.m-box.de www.monkeymen.tv

Managing directors: Martin Retschitzegger / Michaela Göllner
Commercial register: Amtsgericht Charlottenburg / HRB 112767
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
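Two of the mistakes in this thread are easy to miss in a flattened mail: the trailing space after my.abc.net that Alon and Ondra point out, and profile1-authn.properties naming its authz plugin cloudspin-auth while the authz extension is called cloudspin-authz. The Python linter below is an added example, not code from the thread or from the oVirt project: it parses the key = value files the way java.util.Properties does (trailing whitespace in a value is kept), expands ${global:...} references, and reports both mistakes plus a simple-bind password left without startTLS. The sample files are constructed from the thread with the password replaced by a placeholder and the bind DN shortened.

```python
"""Lint ovirt-engine-extension-aaa-ldap config files (added example, not oVirt code)."""
import re
from typing import Dict, List

GLOBAL_REF = re.compile(r"\$\{global:([A-Za-z0-9_.-]+)\}")   # ${global:vars.x}
HOSTNAME = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"   # DNS labels
                      r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$")


def parse_properties(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines, skipping comments and blanks.
    Modelled on java.util.Properties: whitespace around the key and before the
    value is dropped, whitespace at the END of the value is kept, which is how
    'vars.server = my.abc.net ' in the thread became an unresolvable host name."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.lstrip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.lstrip(" \t")
    return props


def resolve(props: Dict[str, str], key: str, depth: int = 0) -> str:
    """Expand ${global:...} recursively; ${local:...} is left alone, unknown keys give ''."""
    if depth > 8:
        raise ValueError(f"reference loop while resolving {key}")
    return GLOBAL_REF.sub(lambda m: resolve(props, m.group(1), depth + 1),
                          props.get(key, ""))


def lint_profile(props: Dict[str, str]) -> List[str]:
    """Findings for an aaa/*.properties profile; an empty list means clean."""
    findings: List[str] = []
    # 1. Trailing whitespace in any vars.* value (the thread's actual bug).
    for key, value in props.items():
        if key.startswith("vars.") and value != value.rstrip():
            findings.append(f"{key}: value {value!r} has trailing whitespace")
    # 2. The host the pool will really connect to, after expansion.
    server = resolve(props, "pool.default.serverset.single.server")
    if server and not HOSTNAME.match(server):
        findings.append("pool.default.serverset.single.server expands to "
                        f"{server!r}, which is not a valid host name")
    # 3. Simple-bind password with startTLS still commented out: the search
    #    account's credentials cross the network in clear text. Only the
    #    startTLS key shown in the thread is checked; ldaps needs its own check.
    if resolve(props, "pool.default.auth.simple.password") and \
            props.get("pool.default.ssl.startTLS", "").strip().lower() != "true":
        findings.append("pool.default.auth.simple.password is set but "
                        "pool.default.ssl.startTLS is not enabled")
    return findings


def lint_extension_pair(authn: Dict[str, str], authz: Dict[str, str]) -> List[str]:
    """authn's authz.plugin must equal the authz file's ovirt.engine.extension.name."""
    want = authn.get("ovirt.engine.aaa.authn.authz.plugin", "").strip()
    have = authz.get("ovirt.engine.extension.name", "").strip()
    if want != have:
        return [f"authn names authz plugin {want!r} but the authz extension "
                f"is called {have!r}; the engine cannot pair them"]
    return []


# Constructed samples modelled on the thread's files (password is a placeholder).
# Built from lists so the trailing space survives editors that strip it.
LDAP1_AS_POSTED = "\n".join([
    "include = <openldap.properties>",
    "# Server",
    "vars.server = my.abc.net ",  # trailing space, exactly as in the thread
    "vars.user = uid=search,cn=users,dc=abc,dc=net",
    "vars.password = PASSWORD-PLACEHOLDER",
    "pool.default.serverset.single.server = ${global:vars.server}",
    "pool.default.auth.simple.bindDN = ${global:vars.user}",
    "pool.default.auth.simple.password = ${global:vars.password}",
    "#pool.default.ssl.startTLS = true",
    "#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks",
])
LDAP1_FIXED = (LDAP1_AS_POSTED.replace("my.abc.net ", "my.abc.net")
               .replace("#pool.default.ssl.startTLS", "pool.default.ssl.startTLS"))
AUTHN_AS_POSTED = "\n".join([
    "ovirt.engine.extension.name = cloudspin-authn",
    "ovirt.engine.aaa.authn.profile.name = cloudspin",
    "ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth",   # typo vs -authz
    "config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties",
])
AUTHZ_AS_POSTED = "\n".join([
    "ovirt.engine.extension.name = cloudspin-authz",
    "config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties",
])

if __name__ == "__main__":
    for label, text in (("as posted", LDAP1_AS_POSTED), ("fixed", LDAP1_FIXED)):
        print(label, lint_profile(parse_properties(text)) or ["clean"])
    print("extensions.d", lint_extension_pair(parse_properties(AUTHN_AS_POSTED),
                                              parse_properties(AUTHZ_AS_POSTED)))
```

Run it against the real files on the engine host (read them with open() in place of the constructed strings) before restarting ovirt-engine; a clean result from the linter still says nothing about DNS itself, which is what the ldapsearch test in step 2 above is for.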

Should work well, strange.
The 'warn' message you sent was an unsuccessful login to webadmin, as I can see 'LoginAdminUserCommand'; in UserPortal it's 'LoginUserCommand'.
Please try to assign UserRole to some vm to another user in the domain and see if it will work properly; if not please open a bz.

On 09/23/2015 09:29 AM, Budur Nagaraju wrote:
yeah facing issues while logging to the user portal.
<<a moz-do-not-send="true" href="http://ovirt.engine.extension.name" target="_blank"><a class="moz-txt-link-freetext" href="http://ovirt.engine.extension.name">http://ovirt.engine.extension.name</a></a>> = cloudspin-authz<br> <div> <div>> ovirt.engine.extension.bindings.method = jbossmodule<br> > ovirt.engine.extension.binding.jbossmodule.module =<br> > org.ovirt.engine-extensions.aaa.ldap<br> > ovirt.engine.extension.binding.jbossmodule.class =<br> > org.ovirt.engineextensions.aaa.ldap.AuthzExtension<br> > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz<br> > config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties<br> > [root@cstlb2 extensions.d]#<br> ><br> ><br> ><br> > [root@cstlb2 aaa]# pwd<br> > /etc/ovirt-engine/aaa<br> > [root@cstlb2 aaa]# ls<br> > ldap1.properties<br> > [root@cstlb2 aaa]# cat ldap1.properties<br> > #<br> > # Select one<br> > #<br> > include = <openldap.properties><br> > #include = <389ds.properties><br> > #include = <rhds.properties><br> > #include = <ipa.properties><br> > #include = <iplanet.properties><br> > #include = <rfc2307.properties><br> > #include = <rfc2307-openldap.properties><br> ><br> > #<br> > # Server<br> > #<br> </div> </div> > vars.server = <a moz-do-not-send="true" href="http://my.abc.net" rel="noreferrer" target="_blank">my.abc.net</a> <<a moz-do-not-send="true" href="http://my.abc.net" target="_blank"><a class="moz-txt-link-freetext" href="http://my.abc.net">http://my.abc.net</a></a>><br> <span>><br> > #<br> > # Search user and its password.<br> > #<br> > vars.user =<br> > uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=nbudoor,dc=net<br> > vars.password = company<br> ><br> > pool.default.serverset.single.server = ${global:vars.server}<br> > pool.default.auth.simple.bindDN = ${global:vars.user}<br> > pool.default.auth.simple.password = ${global:vars.password}<br> ><br> > # Create keystore, import certificate chain and uncomment<br> > # if using ssl/tls.<br> > 
#pool.default.ssl.startTLS = true<br> > #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks<br> > #pool.default.ssl.truststore.password = changeit<br> > [root@cstlb2 aaa]#<br> ><br> ><br> ><br> ><br> ><br> ><br> > On Tue, Sep 22, 2015 at 8:07 PM, Alon Bar-Lev <<a moz-do-not-send="true" href="mailto:alonbl@redhat.com" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:alonbl@redhat.com">alonbl@redhat.com</a></a><br> </span><span>> <mailto:<a moz-do-not-send="true" href="mailto:alonbl@redhat.com" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:alonbl@redhat.com">alonbl@redhat.com</a></a>>> wrote:<br> ><br> ><br> ><br> > ----- Original Message -----<br> </span><span>> > From: "Budur Nagaraju" <<a moz-do-not-send="true" href="mailto:nbudoor@gmail.com" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:nbudoor@gmail.com">nbudoor@gmail.com</a></a> <mailto:<a moz-do-not-send="true" href="mailto:nbudoor@gmail.com" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:nbudoor@gmail.com">nbudoor@gmail.com</a></a>>><br> > > To: "Alon Bar-Lev" <<a moz-do-not-send="true" href="mailto:alonbl@redhat.com" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:alonbl@redhat.com">alonbl@redhat.com</a></a> <mailto:<a moz-do-not-send="true" href="mailto:alonbl@redhat.com" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:alonbl@redhat.com">alonbl@redhat.com</a></a>>><br> > > <a moz-do-not-send="true" href="mailto:Cc:users@ovirt.org" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:Cc:users@ovirt.org">Cc:users@ovirt.org</a></a> <mailto:<a moz-do-not-send="true" href="mailto:users@ovirt.org" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:users@ovirt.org">users@ovirt.org</a></a>><br> > > Sent: Tuesday, September 22, 2015 5:35:16 PM<br> > > Subject: Re: [ovirt-users] LDAP Authentication<br> > ><br> > > its too complicated ,you have any script or 
video ?<br> ><br> > in 3.6 we have a setup script.<br> > for now:<br> ><br> > cp -r /usr/share/ovirt-engine/examples/simple/. /etc/ovirt-engine/<br> ><br> > this is written in the README.<br> ><br> > then customize files at /etc/ovirt-engine/extnesions.d/*<br> > /etc/ovirt-engine/aaa/* to match your setup<br> ><br> > ><br> > ><br> </span><span>> > On Tue, Sep 22, 2015 at 8:00 PM, Alon Bar-Lev <<a moz-do-not-send="true" href="mailto:alonbl@redhat.com" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:alonbl@redhat.com">alonbl@redhat.com</a></a> <mailto:<a moz-do-not-send="true" href="mailto:alonbl@redhat.com" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:alonbl@redhat.com">alonbl@redhat.com</a></a>>> wrote:<br> > ><br> > > ><br> > > ><br> > > > ----- Original Message -----<br> </span> <div> <div>> > > > From: "Budur Nagaraju" <<a moz-do-not-send="true" href="mailto:nbudoor@gmail.com" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:nbudoor@gmail.com">nbudoor@gmail.com</a></a> <mailto:<a moz-do-not-send="true" href="mailto:nbudoor@gmail.com" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:nbudoor@gmail.com">nbudoor@gmail.com</a></a>>><br> > > > > To: "Alon Bar-Lev" <<a moz-do-not-send="true" href="mailto:alonbl@redhat.com" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:alonbl@redhat.com">alonbl@redhat.com</a></a> <mailto:<a moz-do-not-send="true" href="mailto:alonbl@redhat.com" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:alonbl@redhat.com">alonbl@redhat.com</a></a>>><br> > > > > <a moz-do-not-send="true" href="mailto:Cc:users@ovirt.org" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:Cc:users@ovirt.org">Cc:users@ovirt.org</a></a> <mailto:<a moz-do-not-send="true" href="mailto:users@ovirt.org" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:users@ovirt.org">users@ovirt.org</a></a>><br> > > > > Sent: Tuesday, September 22, 2015 
5:24:36 PM<br> > > > > Subject: Re: [ovirt-users] LDAP Authentication<br> > > > ><br> > > > > HI Alon,<br> > > > ><br> > > > > Below is the configuration which I have done ,but unable to search the<br> > > > > users in UI<br> > > > > can you pls help me ?<br> > > ><br> > > > you need three files, see the<br> > > > /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple<br> > > ><br> > > > ><br> > > > ><br> > > > > [root@cstlb2 aaa]# cat ldap1.properties<br> > > > > #<br> > > > > # Select one<br> > > > > #<br> > > > > include = <openldap.properties><br> > > > > #include = <389ds.properties><br> > > > > #include = <rhds.properties><br> > > > > #include = <ipa.properties><br> > > > > #include = <iplanet.properties><br> > > > > #include = <rfc2307.properties><br> > > > > #include = <rfc2307-openldap.properties><br> > > > ><br> > > > > #<br> > > > > # Server<br> > > > > #<br> </div> </div> > > > > vars.server =<a moz-do-not-send="true" href="http://my.abc.net" rel="noreferrer" target="_blank">my.abc.net</a> <<a moz-do-not-send="true" href="http://my.abc.net" target="_blank"><a class="moz-txt-link-freetext" href="http://my.abc.net">http://my.abc.net</a></a>><br> <span>> > > ><br> > > > > #<br> > > > > # Search user and its password.<br> > > > > #<br> > > > > vars.user =<br> > > > ><br> > > > uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=abc,dc=net<br> > > > > vars.password = company1<br> > > > ><br> > > > > pool.default.serverset.single.server = ${global:vars.server}<br> > > > > pool.default.auth.simple.bindDN = ${global:vars.user}<br> > > > > pool.default.auth.simple.password = ${global:vars.password}<br> > > > ><br> > > > > # Create keystore, import certificate chain and uncomment<br> > > > > # if using ssl/tls.<br> > > > > #pool.default.ssl.startTLS = true<br> > > > > #pool.default.ssl.truststore.file =<br> > > > > ${local:_basedir}/${global:vars.server}.jks<br> > > > > #pool.default.ssl.truststore.password = changeit<br> > > > > 
[root@cstlb2 aaa]#<br> > > > ><br> > > > ><br> > > > ><br> </span><span>> > > > On Tue, Sep 22, 2015 at 7:25 PM, Alon Bar-Lev <<a moz-do-not-send="true" href="mailto:alonbl@redhat.com" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:alonbl@redhat.com">alonbl@redhat.com</a></a> <mailto:<a moz-do-not-send="true" href="mailto:alonbl@redhat.com" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:alonbl@redhat.com">alonbl@redhat.com</a></a>>> wrote:<br> > > > ><br> > > > > ><br> > > > > ><br> > > > > > ----- Original Message -----<br> </span><span>> > > > > > From: "Budur Nagaraju" <<a moz-do-not-send="true" href="mailto:nbudoor@gmail.com" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:nbudoor@gmail.com">nbudoor@gmail.com</a></a> <mailto:<a moz-do-not-send="true" href="mailto:nbudoor@gmail.com" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:nbudoor@gmail.com">nbudoor@gmail.com</a></a>>><br> > > > > > > <a moz-do-not-send="true" href="mailto:To:users@ovirt.org" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:To:users@ovirt.org">To:users@ovirt.org</a></a> <mailto:<a moz-do-not-send="true" href="mailto:users@ovirt.org" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:users@ovirt.org">users@ovirt.org</a></a>><br> > > > > > > Sent: Tuesday, September 22, 2015 4:34:46 PM<br> > > > > > > Subject: [ovirt-users] LDAP Authentication<br> > > > > > ><br> > > > > > > HI All,<br> > > > > > ><br> > > > > > > Can someone help me in configuring LDAP authentication for Ovirt ?<br> > > > > ><br> > > > > > Please review:<br> > > > > ><a moz-do-not-send="true" href="http://www.ovirt.org/Features/AAA" target="_blank"><a class="moz-txt-link-freetext" href="http://www.ovirt.org/Features/AAA">http://www.ovirt.org/Features/AAA</a></a><br> > > > > ><br> > > > > ><br> > > ><a moz-do-not-send="true" href="https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob..." 
target="_blank"><a class="moz-txt-link-freetext" href="https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0">https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0</a></a><br> > > > > ><br> > > > ><br> > > ><br> > ><br> ><br> ><br> <br> </span>--<br> Daniel Helgenberger<br> m box bewegtbild GmbH<br> <br> P: +49/30/2408781-22<br> F: +49/30/2408781-10<br> <br> ACKERSTR. 19<br> D-10115 BERLIN<br> <br> <br> <a moz-do-not-send="true" href="http://www.m-box.de" rel="noreferrer" target="_blank"><a class="moz-txt-link-abbreviated" href="http://www.m-box.de">www.m-box.de</a></a> <a moz-do-not-send="true" href="http://www.monkeymen.tv" target="_blank"><a class="moz-txt-link-abbreviated" href="http://www.monkeymen.tv">www.monkeymen.tv</a></a><br> <br> Geschäftsführer: Martin Retschitzegger / Michaela Göllner<br> Handeslregister: Amtsgericht Charlottenburg / HRB 112767<br> </blockquote> </div> <br> </div> <br> <fieldset></fieldset> <br> </div> </div> <pre>_______________________________________________ Users mailing list <a moz-do-not-send="true" href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a> <a moz-do-not-send="true" href="http://lists.ovirt.org/mailman/listinfo/users" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a> </pre> </blockquote> <br> </div> </blockquote> </div> <br> </div> </blockquote> <br> </div> </div> </div> </blockquote> </div> <br> </div> </blockquote> <br> </div> </div> </div> </blockquote> </div> <br> </div> </blockquote> <br> </body> </html> --------------030403060902070607030005--

When I give "superuser" permission, I am able to log in, but it is taking too long to log in. Please suggest anything that needs to be done.

On Wed, Sep 23, 2015 at 1:07 PM, Ondra Machacek <omachace@redhat.com> wrote:
Should work well, strange. The 'warn' message you sent was an unsuccessful login to webadmin, as I can see 'LoginAdminUserCommand'; in UserPortal it's 'LoginUserCommand'. Please try to assign UserRole on some VM to another user in the domain and see if it works properly; if not, please open a BZ.
On 09/23/2015 09:29 AM, Budur Nagaraju wrote:
Yeah, facing issues while logging in to the user portal.
On Wed, Sep 23, 2015 at 12:54 PM, Ondra Machacek <omachace@redhat.com> wrote:
With UserRole you can only log in to UserPortal, not webadmin. Do you have this issue when you try to log in to UserPortal?
On 09/23/2015 09:22 AM, Budur Nagaraju wrote:
Provided the "user role" permissions, still the same issue.
On Wed, Sep 23, 2015 at 12:48 PM, Ondra Machacek <omachace@redhat.com> wrote:
Hi,
your user nbudoor@abc.net doesn't have appropriate permissions to log in. First you need to log in as 'admin@internal' and assign him some permissions, then you will be able to log in.
Ondra
On 09/23/2015 09:15 AM, Budur Nagaraju wrote:
HI All,
After rectifying this I am able to search the domain in the users in the UI, but unable to log in, getting the below error:
2015-09-23 12:41:47,482 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for user nbudoor@abc.net. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
Thanks, Nagaraju
On Wed, Sep 23, 2015 at 12:13 PM, Ondra Machacek <omachace@redhat.com> wrote:
Hi,
as Alon already said, you have trailing space in your configuration
'my.abc.net ' <-- space at the end
Please remove this space and try again.
Ondra
On 09/23/2015 05:35 AM, Budur Nagaraju wrote:
HI Alon,
Tried all the options but no luck ,
I have copied the logs to pastebin, below is the link. The warning message is that it is unable to resolve the DNS. Let me know of any help I could get.
http://pastebin.com/7qN9QnHK
Thanks, Nagaraju
On Tue, Sep 22, 2015 at 8:44 PM, Daniel Helgenberger <daniel.helgenberger@m-box.de> wrote:
Hello Budur,
I've done this recently. Alon, no offense, but the docs are not quite straightforward...

Requirements:
- LDAP server (obviously) - called here ldap.mydomain.com
- LDAP bind account - called here ldap@mydomain.com, password 'Passw@rd'
- At least one existing account in LDAP, called user@mydomain.com

Please note, the most common issue will be DNS.

I'll describe in short what steps need to be taken. All this needs to be done on your engine host. In the end this was quite easy :)

1. Install the packages: ovirt-engine-extension-aaa-ldap and openldap-clients (these are only for testing your setup)
2. Test if LDAP is working in general. (The extension uses the global catalog at least for AD, this was news to me):
# ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H ldap://ldap.mydomain.com:3268/ -x \
    -D 'ldap@mydomain.com' -w Passw@rd -b '' '(userPrincipalName=user@mydomain.com)' cn userPrincipalName

If this command does not return details of the user, do debug your LDAP and continue once this works. Example:

# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (userPrincipalName=user@mydomain.com)
# requesting: cn userPrincipalName
# with pagedResults control: size=1024
#

# Some Name, some-ou, mydomain.com
dn: CN=Some Name,OU=some-ou,DC=mydomain,DC=com
cn: Some Name
userPrincipalName: user@mydomain.com

# search result
search: 2
result: 0 Success
control: 1.2.840.113556.1.4.319 false MIQXGSGSGSgEABAA=
pagedresults: cookie=

# numResponses: 2
# numEntries: 1

3. Copy the examples as mentioned from the readme.
4. You only need to modify /etc/ovirt-engine/aaa/int.m-box.de.properties; leave the rest as is.
5. There, set:

vars.domain = ldap.mydomain.com
vars.user = ldap@${global:vars.domain}
vars.password = Passw@rd

6. Restart the ovirt-engine service.
7. Log in as admin@internal and add user rights and roles from the new provider.
Hope this helps.
On 22.09.2015 16:46, Budur Nagaraju wrote:
below are the three files which I have modified.
[root@cstlb2 extensions.d]# cat profile1-authn.properties
ovirt.engine.extension.name = cloudspin-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = cloudspin
ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth
config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties

[root@cstlb2 extensions.d]# ls
profile1-authn.properties  profile1-authz.properties
[root@cstlb2 extensions.d]# cat profile1-authz.properties
ovirt.engine.extension.name = cloudspin-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
[root@cstlb2 extensions.d]#

[root@cstlb2 aaa]# pwd
/etc/ovirt-engine/aaa
[root@cstlb2 aaa]# ls
ldap1.properties
[root@cstlb2 aaa]# cat ldap1.properties
#
# Select one
#
include = <openldap.properties>
#include = <389ds.properties>
#include = <rhds.properties>
#include = <ipa.properties>
#include = <iplanet.properties>
#include = <rfc2307.properties>
#include = <rfc2307-openldap.properties>

#
# Server
#
vars.server = my.abc.net

#
# Search user and its password.
#
vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=nbudoor,dc=net
vars.password = company

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
#pool.default.ssl.truststore.password = changeit
[root@cstlb2 aaa]#
On Tue, Sep 22, 2015 at 8:07 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:

----- Original Message -----
> From: "Budur Nagaraju" <nbudoor@gmail.com>
> To: "Alon Bar-Lev" <alonbl@redhat.com>
> Cc: users@ovirt.org
> Sent: Tuesday, September 22, 2015 5:35:16 PM
> Subject: Re: [ovirt-users] LDAP Authentication
>
> it's too complicated, do you have any script or video?
in 3.6 we have a setup script.
for now:

cp -r /usr/share/ovirt-engine/examples/simple/. /etc/ovirt-engine/

this is written in the README.

then customize files at /etc/ovirt-engine/extensions.d/* and /etc/ovirt-engine/aaa/* to match your setup
> On Tue, Sep 22, 2015 at 8:00 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
>
> > ----- Original Message -----
> > > From: "Budur Nagaraju" <nbudoor@gmail.com>
> > > To: "Alon Bar-Lev" <alonbl@redhat.com>
> > > Cc: users@ovirt.org
> > > Sent: Tuesday, September 22, 2015 5:24:36 PM
> > > Subject: Re: [ovirt-users] LDAP Authentication
> > >
> > > HI Alon,
> > >
> > > Below is the configuration which I have done, but unable to search the
> > > users in UI
> > > can you pls help me ?
> >
> > you need three files, see the
> > /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple
> >
> > > [root@cstlb2 aaa]# cat ldap1.properties
> > > #
> > > # Select one
> > > #
> > > include = <openldap.properties>
> > > #include = <389ds.properties>
> > > #include = <rhds.properties>
> > > #include = <ipa.properties>
> > > #include = <iplanet.properties>
> > > #include = <rfc2307.properties>
> > > #include = <rfc2307-openldap.properties>
> > >
> > > #
> > > # Server
> > > #
> > > vars.server = my.abc.net
> > >
> > > #
> > > # Search user and its password.
> > > #
> > > vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=abc,dc=net
> > > vars.password = company1
> > >
> > > pool.default.serverset.single.server = ${global:vars.server}
> > > pool.default.auth.simple.bindDN = ${global:vars.user}
> > > pool.default.auth.simple.password = ${global:vars.password}
> > >
> > > # Create keystore, import certificate chain and uncomment
> > > # if using ssl/tls.
> > > #pool.default.ssl.startTLS = true
> > > #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
> > > #pool.default.ssl.truststore.password = changeit
> > > [root@cstlb2 aaa]#
> > >
> > > On Tue, Sep 22, 2015 at 7:25 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
> > >
> > > > ----- Original Message -----
> > > > > From: "Budur Nagaraju" <nbudoor@gmail.com>
> > > > > To: users@ovirt.org
> > > > > Sent: Tuesday, September 22, 2015 4:34:46 PM
> > > > > Subject: [ovirt-users] LDAP Authentication
> > > > >
> > > > > HI All,
> > > > >
> > > > > Can someone help me in configuring LDAP authentication for Ovirt ?
> > > >
> > > > Please review:
> > > > http://www.ovirt.org/Features/AAA
> > > >
> > > > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0
--
Daniel Helgenberger
m box bewegtbild GmbH

P: +49/30/2408781-22
F: +49/30/2408781-10

ACKERSTR. 19
D-10115 BERLIN

www.m-box.de www.monkeymen.tv

Geschäftsführer: Martin Retschitzegger / Michaela Göllner
Handelsregister: Amtsgericht Charlottenburg / HRB 112767

_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
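Daniel's checklist above (step 2 in particular) and the root cause Alon and Ondra identified, a trailing space in vars.server, as an added example that is not part of the original thread and not code from the oVirt project: a POSIX sh pre-flight script for an aaa-ldap profile, run on the engine host before restarting ovirt-engine. It lints the profile offline (values that end in a blank, ${global:vars.*} indirection, whether startTLS or LDAPS is switched on), then resolves the server and performs an authenticated base search, which is what Daniel's step 2 does by hand. Assumptions: the "key = value" profile format shown in the thread; the script name is mine; the pool.default.ssl.enable key comes from the extension's README rather than from this thread, so verify it against your version. Two caveats the thread does not spell out: with every ssl.* line commented out, as in the quoted profile, the search account's password is sent to the directory in clear text on every bind; and passing it with -w, as in Daniel's command, shows it in the process list for the duration of the search, which -y avoids.

```shell
#!/bin/sh
# Added example: a pre-flight check for an ovirt-engine-extension-aaa-ldap
# profile (e.g. /etc/ovirt-engine/aaa/ldap1.properties), to run on the engine
# host before restarting ovirt-engine.  Not code from the thread or from the
# oVirt project.  Assumed file format, as in the quoted profiles: one
# "key = value" per line, "#" starts a comment, values may reference other
# keys as ${global:vars.NAME}.

# prop_value FILE KEY: print the raw value of KEY ("" if absent).  Trailing
# blanks are kept on purpose: that is exactly what the engine sees.
prop_value() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# resolved_prop FILE KEY: like prop_value, but follows one level of
# ${global:vars.NAME} indirection (vars.server, vars.user, vars.password).
resolved_prop() {
    v=$(prop_value "$1" "$2")
    case "$v" in
        '${global:'*)
            ref=$(printf '%s' "$v" | sed 's/^\${global:\(.*\)}$/\1/')
            prop_value "$1" "$ref" ;;
        *)
            printf '%s\n' "$v" ;;
    esac
}

# check_trailing_space FILE: print every uncommented "key = value" line whose
# value ends in a blank and return 1; return 0 if there are none.  This is the
# fault Alon and Ondra spotted: 'vars.server = my.abc.net ' makes the engine
# resolve a name that does not exist.
check_trailing_space() {
    ! grep -n '^[[:space:]]*[^#[:space:]].*=.*[[:space:]]$' "$1"
}

# check_tls FILE: return 0 if the simple-bind password is protected in
# transit, i.e. pool.default.ssl.startTLS = true (the line left commented out
# in the thread's profile) or pool.default.ssl.enable = true (LDAPS; key name
# taken from the extension's README, not from the thread - verify it for your
# version).  Return 1 if the bind would go over plain LDAP.
check_tls() {
    [ "$(prop_value "$1" pool.default.ssl.startTLS)" = true ] && return 0
    [ "$(prop_value "$1" pool.default.ssl.enable)" = true ] && return 0
    return 1
}

# preflight FILE: offline checks first, then the two network checks behind
# Daniel's step 2: name resolution of the server, then an authenticated bind
# and a base-level search.  Stops at the first failure.
preflight() {
    f=$1
    server=$(resolved_prop "$f" pool.default.serverset.single.server)
    binddn=$(resolved_prop "$f" pool.default.auth.simple.bindDN)
    bindpw=$(resolved_prop "$f" pool.default.auth.simple.password)

    check_trailing_space "$f" || { echo "FAIL: value with trailing blank (listed above)"; return 1; }
    [ -n "$server" ] || { echo "FAIL: pool.default.serverset.single.server is empty"; return 1; }
    check_tls "$f" || echo "WARN: no startTLS/LDAPS - the password of $binddn crosses the network in clear text"
    getent hosts "$server" >/dev/null || { echo "FAIL: cannot resolve '$server'"; return 1; }

    # Pass the password through a file (-y) rather than -w, so it does not
    # show up in the process list while ldapsearch runs.
    pwfile=$(mktemp) || return 1
    printf '%s' "$bindpw" >"$pwfile"
    ldapsearch -x -H "ldap://$server/" -D "$binddn" -y "$pwfile" \
        -b '' -s base '(objectClass=*)' namingContexts
    rc=$?
    rm -f "$pwfile"
    return $rc
}

# Usage: sh aaa-ldap-preflight.sh /etc/ovirt-engine/aaa/ldap1.properties
if [ $# -gt 0 ]; then
    preflight "$1"
fi
```

Run it after every edit of the profile and before `service ovirt-engine restart`: a non-zero exit with a FAIL line means the engine would have logged the same "unable to resolve" warning Nagaraju pasted, and the WARN line is the reminder to create the truststore and uncomment the ssl.* lines before the profile goes into production.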

SuperUser is required for a user to log in to webadmin. Not sure what "too long time" is... without any logs nobody can help you.

----- Original Message -----
From: "Budur Nagaraju" <nbudoor@gmail.com>
To: "Ondra Machacek" <omachace@redhat.com>
Cc: users@ovirt.org
Sent: Wednesday, September 23, 2015 10:39:50 AM
Subject: Re: [ovirt-users] LDAP Authentication

When I give "superuser" permission, I am able to log in, but it is taking too long to log in. Please suggest anything that needs to be done.
On Wed, Sep 23, 2015 at 1:07 PM, Ondra Machacek < omachace@redhat.com > wrote:
Should work well, strange. The 'warn' message you sent was unsuccessfull login to webadmin as I can see 'LoginAdminUserCommand', in UserPortal it's 'LoginUserCommand'. Please try to assign UserRole to some vm to another user in domain if it will work properly, if not please open bz.
On 09/23/2015 09:29 AM, Budur Nagaraju wrote:
yeah facing issues while logging to the user portal.
On Wed, Sep 23, 2015 at 12:54 PM, Ondra Machacek < omachace@redhat.com > wrote:
With UserRole you can only login to UserPortal, not webadmin. Do you have this issue when you try to login to UserPortal?
On 09/23/2015 09:22 AM, Budur Nagaraju wrote:
Provided the "user role" permissions still same issue
On Wed, Sep 23, 2015 at 12:48 PM, Ondra Machacek < omachace@redhat.com > wrote:
Hi,
your user nbudoor@abc.net doesn't have appropriate permissions to login. First you need to login as 'admin@internal' and assign him some permissions, then you will be able to login.
Ondra
On 09/23/2015 09:15 AM, Budur Nagaraju wrote:
HI All,
After rectifying this able to search the domain in the users in UI, but unable to login getting the below error ,
2015-09-23 12:41:47,482 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for user nbudoor@abc.net . Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
Thanks, Nagaraju
On Wed, Sep 23, 2015 at 12:13 PM, Ondra Machacek < omachace@redhat.com > wrote:
Hi,
as Alon already said, you have trailing space in your configuration
' my.abc.net ' <-- space at the end
Please remove this space and try again.
Ondra
On 09/23/2015 05:35 AM, Budur Nagaraju wrote:
HI Alon,
Tried all the options but no luck ,
I have copied the logs in the pastebin below is the link , warning message is that unable to resolve the DNS ,let me know any help would I get .
Thanks, Nagaraju
On Tue, Sep 22, 2015 at 8:44 PM, Daniel Helgenberger < daniel.helgenberger@m-box.de > wrote:
Hello Budur,
I've done this recently. Alon, no offense, but the docs are not quite strait forward...
Requirements: - LDAP server (obviously) - called here ldap.mydomain.com - LDAP bind account - called here ldap@mydomain.com , password 'Passw@rd' - At least one existing account in ladp, called user@mydomain.com
Please note, the most common issue will be DNS.
I'll describe in short what steps need to be taken. All this needs to be done on your engine host. In the end this was quite easy :)
1. Install the packages: ovirt-engine-extension-aaa-ldap and openldap-clients (these are only for testing your setup) 2. Test if ldap is working in general. (The extension uses the global catalog at least for AD, this was news to me): # ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H ldap:// ldap.mydomain.com:3268/ -x \ -D ' ldap@mydomain.com ' -w Passw@rd -b '' '(userPrincipalName= user@mydomian.com )' cn userPrincipalName
If this command does not return details of the user, do debug your ldap and continue once this works. Example:
# extended LDIF # # LDAPv3 # base <> with scope subtree # filter: (userPrincipalName= user@mydomain.com ) # requesting: cn userPrincipalName # with pagedResults control: size=1024 #
# Some Name, some-ou, mydomain.com dn: CN=Some Name,OU=some-ou,DC=mydomain,DC=com cn: Some Name userPrincipalName: user@mydomain.com
# search result search: 2 result: 0 Success control: 1.2.840.113556.1.4.319 false MIQXGSGSGSgEABAA= pagedresults: cookie=
# numResponses: 2 # numEntries: 1
3. Copy the examples as mentioned from the readme. 4. You only need to modify /etc/ovirt-engine/aaa/int.m-box.de.properties; leave the rest as is. 5. There, set:
vars.domain = ldap.mydomain.com vars.user = ldap@${global:vars.domain} vars.password = Passw@rd
6. Restart ovirt engine service 7. Log in as admin@einternal and add user rights and roles from the new provider
Hope this helps.
On 22.09.2015 16 :46, Budur Nagaraju wrote:
below are the three files which I have modified.
[root@cstlb2 extensions.d]# cat profile1-authn.properties ovirt.engine.extension.name < http://ovirt.engine.extension.name > = cloudspin-authn ovirt.engine.extension.bindings.method = jbossmodule ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn ovirt.engine.aaa.authn.profile.name < http://ovirt.engine.aaa.authn.profile.name > = cloudspin ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
[root@cstlb2 extensions.d]# ls profile1-authn.properties profile1-authz.properties [root@cstlb2 extensions.d]# cat profile1-authz.properties ovirt.engine.extension.name < http://ovirt.engine.extension.name > = cloudspin-authz ovirt.engine.extension.bindings.method = jbossmodule ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties [root@cstlb2 extensions.d]#
[root@cstlb2 aaa]# pwd
/etc/ovirt-engine/aaa
[root@cstlb2 aaa]# ls
ldap1.properties
[root@cstlb2 aaa]# cat ldap1.properties
#
# Select one
#
include = <openldap.properties>
#include = <389ds.properties>
#include = <rhds.properties>
#include = <ipa.properties>
#include = <iplanet.properties>
#include = <rfc2307.properties>
#include = <rfc2307-openldap.properties>

#
# Server
#
vars.server = my.abc.net

#
# Search user and its password.
#
vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=nbudoor,dc=net
vars.password = company

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
#pool.default.ssl.truststore.password = changeit
[root@cstlb2 aaa]#
On Tue, Sep 22, 2015 at 8:07 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
----- Original Message -----
From: "Budur Nagaraju" <nbudoor@gmail.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: users@ovirt.org
Sent: Tuesday, September 22, 2015 5:35:16 PM
Subject: Re: [ovirt-users] LDAP Authentication
It's too complicated, do you have any script or video?
In 3.6 we have a setup script. For now:
cp -r /usr/share/ovirt-engine/examples/simple/. /etc/ovirt-engine/
This is written in the README.
Then customize the files at /etc/ovirt-engine/extensions.d/* and /etc/ovirt-engine/aaa/* to match your setup.
On Tue, Sep 22, 2015 at 8:00 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
----- Original Message -----
From: "Budur Nagaraju" <nbudoor@gmail.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: users@ovirt.org
Sent: Tuesday, September 22, 2015 5:24:36 PM
Subject: Re: [ovirt-users] LDAP Authentication
HI Alon,
Below is the configuration which I have done, but I am unable to search the users in the UI. Can you please help me?
You need three files; see /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple
[root@cstlb2 aaa]# cat ldap1.properties
#
# Select one
#
include = <openldap.properties>
#include = <389ds.properties>
#include = <rhds.properties>
#include = <ipa.properties>
#include = <iplanet.properties>
#include = <rfc2307.properties>
#include = <rfc2307-openldap.properties>

#
# Server
#
vars.server = my.abc.net

#
# Search user and its password.
#
vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=abc,dc=net
vars.password = company1

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
#pool.default.ssl.truststore.password = changeit
[root@cstlb2 aaa]#
On Tue, Sep 22, 2015 at 7:25 PM, Alon Bar-Lev <alonbl@redhat.com> wrote:
----- Original Message -----
> From: "Budur Nagaraju" <nbudoor@gmail.com>
> To: users@ovirt.org
> Sent: Tuesday, September 22, 2015 4:34:46 PM
> Subject: [ovirt-users] LDAP Authentication
>
> HI All,
>
> Can someone help me in configuring LDAP authentication for Ovirt ?
Please review: http://www.ovirt.org/Features/AAA
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob...
--
Daniel Helgenberger
m box bewegtbild GmbH
P: +49/30/2408781-22
F: +49/30/2408781-10
ACKERSTR. 19
D-10115 BERLIN
www.m-box.de
www.monkeymen.tv
Managing directors: Martin Retschitzegger / Michaela Göllner
Commercial register: Amtsgericht Charlottenburg / HRB 112767
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
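A way to check such a set of files before restarting the engine, covering both the three files Budur posted (profile1-authn.properties, profile1-authz.properties, ldap1.properties) and the vars.* settings Daniel describes: the Python below is an added example, not code from oVirt or from anyone in this thread. It parses the flat key = value files, expands ${global:...} references the way the profile file uses them, and cross-checks that the authn file's ovirt.engine.aaa.authn.authz.plugin names the authz extension that actually exists and that both extensions point at a readable profile with a server type selected. The file contents are embedded as constructed sample input copied from the thread, in place of reading /etc/ovirt-engine; the function names and problem messages are this example's own.

```python
import re

# Constructed sample input: the three files posted in the thread with the
# e-mail line wrapping undone. Note that the authn file names the authz
# plugin "cloudspin-auth" while the authz extension is called "cloudspin-authz".
AUTHN = """\
ovirt.engine.extension.name = cloudspin-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = cloudspin
ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth
config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
"""

AUTHZ = """\
ovirt.engine.extension.name = cloudspin-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
"""

PROFILE = """\
# Select one
include = <openldap.properties>
vars.server = my.abc.net
vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=abc,dc=net
vars.password = company1
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
"""

AUTHN_IFACE = "org.ovirt.engine.api.extensions.aaa.Authn"
AUTHZ_IFACE = "org.ovirt.engine.api.extensions.aaa.Authz"
_REF = re.compile(r"\$\{global:([^}]+)\}")


def parse_properties(text):
    """Parse 'key = value' lines into a dict; blank lines and '#' comments are skipped.
    Splitting on the first '=' keeps DNs such as uid=search,cn=... intact."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        props[key.strip()] = value.strip()
    return props


def resolve(props):
    """Expand ${global:key} references against keys defined in the same file."""
    def lookup(match):
        ref = match.group(1)
        if ref not in props:
            raise KeyError(f"reference to undefined key {ref}")
        return props[ref]
    return {key: _REF.sub(lookup, value) for key, value in props.items()}


def check_extension_set(authn_text, authz_text, profiles):
    """Cross-check authn, authz and the profile file they point at.
    `profiles` maps a path named in config.profile.file.1 to that file's text
    (standing in for reading /etc/ovirt-engine/aaa). Returns a list of
    problems; an empty list means the set is consistent."""
    problems = []
    authn = parse_properties(authn_text)
    authz = parse_properties(authz_text)

    # The authn extension names its authz partner by extension name.
    wanted = authn.get("ovirt.engine.aaa.authn.authz.plugin")
    actual = authz.get("ovirt.engine.extension.name")
    if wanted != actual:
        problems.append(f"authn points at authz plugin {wanted!r}, but the authz extension is named {actual!r}")
    if authn.get("ovirt.engine.extension.provides") != AUTHN_IFACE:
        problems.append("authn file does not provide " + AUTHN_IFACE)
    if authz.get("ovirt.engine.extension.provides") != AUTHZ_IFACE:
        problems.append("authz file does not provide " + AUTHZ_IFACE)

    for label, ext in (("authn", authn), ("authz", authz)):
        path = ext.get("config.profile.file.1")
        if path not in profiles:
            problems.append(f"{label}: profile file {path!r} not found")
            continue
        prof = parse_properties(profiles[path])
        if "include" not in prof:
            problems.append(f"{label}: profile {path} selects no server type via include")
        try:
            resolved = resolve(prof)
        except KeyError as exc:
            problems.append(f"{label}: {exc.args[0]}")
            continue
        for key in ("pool.default.serverset.single.server",
                    "pool.default.auth.simple.bindDN",
                    "pool.default.auth.simple.password"):
            if not resolved.get(key):
                problems.append(f"{label}: {key} is missing or empty after expansion")
    return problems


if __name__ == "__main__":
    for problem in check_extension_set(AUTHN, AUTHZ, {"/etc/ovirt-engine/aaa/ldap1.properties": PROFILE}):
        print("problem:", problem)
```

Run against the files as posted, the check reports that the authn file names the authz plugin cloudspin-auth while the authz extension is called cloudspin-authz; the engine cannot pair the two until those values match. The check only validates what is in the files, not whether the directory accepts the bind DN and password; an ldapsearch with the same credentials, as shown earlier in the thread, covers that part.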

----- Original Message -----
From: "Daniel Helgenberger" <daniel.helgenberger@m-box.de> To: "Budur Nagaraju" <nbudoor@gmail.com>, "Alon Bar-Lev" <alonbl@redhat.com> Cc: users@ovirt.org Sent: Tuesday, September 22, 2015 6:14:50 PM Subject: Re: [ovirt-users] LDAP Authentication
Hello Budur,
I've done this recently. Alon, no offense, but the docs are not quite straightforward...
Patches to documentation will be most welcome. However, these should not assume a specific environment nor mode. Thanks!