ovirt with 389 server inactive groups

I have ovirt engine running and connected to a 389 server with the memberof plugin enabled and working properly.

I can add users and assign them to roles without any issues.

When I look at a user I can see all the LDAP groups they are a member of.

When I run engine-manage-domains -action=validate it tells me the domain is valid.

Here is my problem: when I try to assign a role to an LDAP group it looks like it works, but in the general tab under the group it tells me the status is Inactive.

Does anyone know how to enable the group?

On 08/07/2014 07:06 PM, Paul Robert Marino wrote:
> Here is my problem: when I try to assign a role to an LDAP group it looks like it works, but in the general tab under the group it tells me the status is Inactive.
> Does anyone know how to enable the group?
> _______________________________________________
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
3.4 or new 3.5 Generic LDAP provider?

----- Original Message -----
From: "Itamar Heim" <iheim@redhat.com> To: "Paul Robert Marino" <prmarino1@gmail.com>, users@ovirt.org Sent: Friday, August 8, 2014 10:37:11 PM Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> 3.4 or new 3.5 Generic LDAP provider?
In case this is 3.5, it is a known issue: all groups will be seen as inactive. This field will probably be removed from the UI, as groups are no longer fetched periodically. This field is totally ignored.

Alon

Does this still require the use of kerberos? Will 389-ds work on its own?

----- Original Message -----
From: "Alon Bar-Lev" <alonbl@redhat.com> To: "Itamar Heim" <iheim@redhat.com> Cc: users@ovirt.org Sent: Friday, August 8, 2014 3:45:07 PM Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> In case this is 3.5, it is a known issue: all groups will be seen as inactive. This field will probably be removed from the UI, as groups are no longer fetched periodically. This field is totally ignored.
> Alon

----- Original Message -----
From: "Maurice James" <mjames@media-node.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "Itamar Heim" <iheim@redhat.com>, users@ovirt.org Sent: Saturday, August 9, 2014 3:47:04 AM Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> Does this still require the use of kerberos? Will 389-ds work on its own?
In 3.5 we introduced pure ldap support[1], obsoleting the kerberos/ldap mix.
It will be great to receive feedback[2].
389ds is not supported directly, I think it is similar to IPA as it uses 389. Maybe I should rename the profile of ipa to 389 if it works properly.

Regards,
Alon

[1] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;...
[2] http://lists.ovirt.org/pipermail/devel/2014-August/008367.html

Sorry for my delayed response to this.

I am using ovirt 3.3. I am using Kerberos 5, and all of the DNS requirements are in place. Finally, 389 server is the upstream project for RHDS and one of the upstream projects for IPA, so I chose to set it as RHDS because it's an identical match.

User authentication works just fine; my problem is adding roles to groups. I can assign a role to a group but the group always shows an inactive status; however, if I assign a role directly to a user it works fine. In addition, if I drill down into a user it knows what groups in the 389 server the user is a member of.

Finally, I can't see any error in the logs when adding a role to a group.

On Sat, Aug 9, 2014 at 2:33 AM, Alon Bar-Lev <alonbl@redhat.com> wrote:
> In 3.5 we introduced pure ldap support[1], obsoleting the kerberos/ldap mix.
> It will be great to receive feedback[2].
> 389ds is not supported directly, I think it is similar to IPA as it uses 389. Maybe I should rename the profile of ipa to 389 if it works properly.
> Regards, Alon
> [1] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;...
> [2] http://lists.ovirt.org/pipermail/devel/2014-August/008367.html

----- Original Message -----
From: "Paul Robert Marino" <prmarino1@gmail.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "Maurice James" <mjames@media-node.com>, users@ovirt.org Sent: Sunday, August 10, 2014 10:43:14 PM Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> Sorry for my delayed response to this.
> I am using ovirt 3.3. I am using Kerberos 5, and all of the DNS requirements are in place. Finally, 389 server is the upstream project for RHDS and one of the upstream projects for IPA, so I chose to set it as RHDS because it's an identical match.
> User authentication works just fine; my problem is adding roles to groups. I can assign a role to a group but the group always shows an inactive status; however, if I assign a role directly to a user it works fine. In addition, if I drill down into a user it knows what groups in the 389 server the user is a member of.
> Finally, I can't see any error in the logs when adding a role to a group.
Please open a bug. I am unsure that it will be addressed before 3.5, as we have done a major rework of the authentication and authorization to make it much more versatile. Even if there will be a fix, it will be provided to 3.4.z.
It would be best if you could test this scenario in the 3.5 release candidate with the new ldap provider, so we can address the issue before the 3.5 release if it exists.

On 08/10/2014 10:50 PM, Alon Bar-Lev wrote:
> Please open a bug. I am unsure that it will be addressed before 3.5, as we have done a major rework of the authentication and authorization to make it much more versatile. Even if there will be a fix, it will be provided to 3.4.z.
> It would be best if you could test this scenario in the 3.5 release candidate with the new ldap provider, so we can address the issue before the 3.5 release if it exists.
Could also be one of these, fixed in 3.4:
3.4.0 - Bug 1065615 - When adding a user that belongs to a group, it does not inherit the group permissions
3.4.1 - Bug 1069562 - When assigning permissions to a user that belongs to a group indirectly, it does not inherit the group permissions

I have checked the codebase of 3.3 - the "active" field is used for presentation purposes only.
Alon has addressed our plans for this in his previous comments. I hope this clarifies more.

Yair

----- Original Message -----
From: "Itamar Heim" <iheim@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com>, "Paul Robert Marino" <prmarino1@gmail.com> Cc: users@ovirt.org Sent: Sunday, August 10, 2014 11:54:05 PM Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> Could also be one of these, fixed in 3.4:
> 3.4.0 - Bug 1065615 - When adding a user that belongs to a group, it does not inherit the group permissions
> 3.4.1 - Bug 1069562 - When assigning permissions to a user that belongs to a group indirectly, it does not inherit the group permissions

----- Original Message -----
From: "Yair Zaslavsky" <yzaslavs@redhat.com> To: "Itamar Heim" <iheim@redhat.com> Cc: users@ovirt.org Sent: Monday, August 11, 2014 8:13:53 PM Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> I have checked the codebase of 3.3 - the "active" field is used for presentation purposes only.

Presentation-wise only means that it is not used for our permissions calculation, for example.

> Alon has addressed our plans for this in his previous comments. I hope this clarifies more.
> Yair

Ok, so before I open a bug ticket I want to confirm I'm not doing anything wrong here.

I upgraded to 3.4; now it says "Active: false" on LDAP groups.

Again I tried to add the sysadmin group from the directory server and set the power user and super user roles on the group; it shows up as "<domain name>/Groups/sysadmin". I added the permissions by clicking on the configure link at the top of the screen and set them in the "System Permissions" tab.

I added a user (pmarino) to the system. The "Directory Group" tab shows "sysadmin groups <domain name>" among others; however, the Permissions tab only shows the permissions inherited by "Everyone". It does not show any permissions inherited by the sysadmin group.

Just to prove it didn't work, I logged out and attempted to log back in as the user (pmarino); it wouldn't let me log in. I logged back in as the internal admin user, then added the SuperUser permissions directly to the pmarino account and logged back out again. Now when I logged in as pmarino it gave me the access I expected.

Here is the relevant portion of the engine log:

"
2014-08-13 16:00:38,801 INFO [org.ovirt.engine.core.bll.AddGroupCommand] (ajp-/127.0.0.1:8702-5) [1e7fa420] Running command: AddGroupCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System
2014-08-13 16:00:38,813 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-5) [1e7fa420] Correlation ID: 1e7fa420, Call Stack: null, Custom Event ID: -1, Message: User '<domain name>/Groups/sysadmin' was added successfully to the system.
2014-08-13 16:09:01,352 INFO [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-4-thread-24) [75cab17c] Running command: AddSystemPermissionCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System, ID: aaa00000-0000-0000-0000-123456789aaa Type: System
2014-08-13 16:09:01,371 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-4-thread-24) [75cab17c] Correlation ID: 75cab17c, Call Stack: null, Custom Event ID: -1, Message: User/Group <domain name>/Groups/sysadmin was granted permission for Role SuperUser on System by admin.
2014-08-13 16:10:40,963 INFO [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-4-thread-26) [b42abcb] Running command: AddSystemPermissionCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System, ID: aaa00000-0000-0000-0000-123456789aaa Type: System
2014-08-13 16:10:40,979 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-4-thread-26) [b42abcb] Correlation ID: b42abcb, Call Stack: null, Custom Event ID: -1, Message: User/Group <domain name>/Groups/sysadmin was granted permission for Role PowerUserRole on System by admin.
2014-08-13 16:20:53,891 INFO [org.ovirt.engine.core.bll.AddUserCommand] (ajp-/127.0.0.1:8702-4) [58e00be1] Running command: AddUserCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System
2014-08-13 16:20:53,919 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-4) [58e00be1] Correlation ID: 58e00be1, Call Stack: null, Custom Event ID: -1, Message: User 'pmarino' was added successfully to the system.
2014-08-13 16:35:52,202 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-10) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User pmarino failed to log in.
2014-08-13 16:35:52,202 WARN [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8702-10) CanDoAction of action LoginAdminUser failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2014-08-13 16:39:48,048 INFO [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-4-thread-31) [5ba3c874] Running command: AddSystemPermissionCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System
2014-08-13 16:39:48,069 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-4-thread-31) [5ba3c874] Correlation ID: 5ba3c874, Call Stack: null, Custom Event ID: -1, Message: User/Group pmarino was granted permission for Role SuperUser on System by admin.
2014-08-13 16:40:43,357 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-1) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User pmarino logged in.
"

On Mon, Aug 11, 2014 at 1:41 PM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
----- Original Message -----
From: "Yair Zaslavsky" <yzaslavs@redhat.com> To: "Itamar Heim" <iheim@redhat.com> Cc: users@ovirt.org Sent: Monday, August 11, 2014 8:13:53 PM Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
I have checked the codebase of 3.3 - the "active" field is used for presentation purposes only.
Presentation-wise only means that it is not used for our permissions calculation, for example.
Alon has addressed our plans for this in his previous comments. I hope this clarifies more.
Yair
----- Original Message -----
From: "Itamar Heim" <iheim@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com>, "Paul Robert Marino" <prmarino1@gmail.com> Cc: users@ovirt.org Sent: Sunday, August 10, 2014 11:54:05 PM Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
On 08/10/2014 10:50 PM, Alon Bar-Lev wrote:
----- Original Message -----
From: "Paul Robert Marino" <prmarino1@gmail.com> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: "Maurice James" <mjames@media-node.com>, users@ovirt.org Sent: Sunday, August 10, 2014 10:43:14 PM Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
Sorry for my delayed response to this
I am using ovirt 3.3. I am using Kerberos 5, and all of the DNS requirements are in place. Finally, 389 server is the upstream project for RHDS and one of the upstream projects for IPA. So I chose to set it as RHDS because it's an identical match.
User authentication works just fine; my problem is adding roles to groups. I can assign a role to a group but the group always shows an inactive status; however, if I assign a role directly to a user it works fine. In addition, if I drill down into a user it knows what groups in the 389 server the user is a member of.
Finally, I can't see any error in the logs when adding a role to a group.
Please open a bug, I am unsure that it will be addressed before 3.5, as we have done major rework for the authentication and authorization to make it much more versatile. Even if there will be a fix it will be provided to 3.4.z.
It will be best if you test this scenario in the 3.5 release candidate with the new ldap provider, so we can address the issue, if it exists, before the 3.5 release.
could also be one of these fixed in 3.4:
3.4.0 - Bug 1065615 - When adding a user that belongs to a group, it does not inherit the group permissions
3.4.1 - Bug 1069562 - When assigning permissions to user that belongs to a group indirectly, it does not inherit the group permissions
On Sat, Aug 9, 2014 at 2:33 AM, Alon Bar-Lev <alonbl@redhat.com> wrote:
> ----- Original Message -----
> From: "Maurice James" <mjames@media-node.com>
> To: "Alon Bar-Lev" <alonbl@redhat.com>
> Cc: "Itamar Heim" <iheim@redhat.com>, users@ovirt.org
> Sent: Saturday, August 9, 2014 3:47:04 AM
> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
>
> Does this still require the use of kerberos? Will 389-ds work on its own?
In 3.5 we introduced pure ldap support[1], obsoleting the kerberos/ldap mix.
It will be great to receive feedback[2].
389ds is not supported directly, I think it is similar to IPA as it uses 389. Maybe I should rename the profile of ipa to 389 if it works properly.
Regards, Alon
[1] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;...
[2] http://lists.ovirt.org/pipermail/devel/2014-August/008367.html
> ----- Original Message -----
> From: "Alon Bar-Lev" <alonbl@redhat.com>
> To: "Itamar Heim" <iheim@redhat.com>
> Cc: users@ovirt.org
> Sent: Friday, August 8, 2014 3:45:07 PM
> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
>
>> ----- Original Message -----
>> From: "Itamar Heim" <iheim@redhat.com>
>> To: "Paul Robert Marino" <prmarino1@gmail.com>, users@ovirt.org
>> Sent: Friday, August 8, 2014 10:37:11 PM
>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
>>
>> On 08/07/2014 07:06 PM, Paul Robert Marino wrote:
>>
>> 3.4 or new 3.5 Generic LDAP provider?
>
> In case this is 3.5 it is a known issue: all groups will be seen as inactive. This field will probably be removed from the UI, as groups are no longer fetched periodically. This field is totally ignored.
>
> Alon
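The timeline Paul describes (group grants first, a failed login, then a direct grant and a successful login) can be read straight out of the audit entries. The script below is an added illustration and is not code from any participant in this thread or from oVirt; it parses a constructed subset of the engine.log lines posted above (the `<domain name>` placeholder is Paul's own redaction) and, for every login attempt by a user, lists which roles had been granted before that moment, directly to the user and to any of the user's groups. It only reads the audit trail; how the engine itself resolves group membership is not something the script assumes.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set

# Constructed subset of the engine.log lines posted in this thread.
SAMPLE_LOG = """\
2014-08-13 16:00:38,813 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-5) [1e7fa420] Correlation ID: 1e7fa420, Call Stack: null, Custom Event ID: -1, Message: User '<domain name>/Groups/sysadmin' was added successfully to the system.
2014-08-13 16:09:01,371 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-4-thread-24) [75cab17c] Correlation ID: 75cab17c, Call Stack: null, Custom Event ID: -1, Message: User/Group <domain name>/Groups/sysadmin was granted permission for Role SuperUser on System by admin.
2014-08-13 16:10:40,979 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-4-thread-26) [b42abcb] Correlation ID: b42abcb, Call Stack: null, Custom Event ID: -1, Message: User/Group <domain name>/Groups/sysadmin was granted permission for Role PowerUserRole on System by admin.
2014-08-13 16:20:53,919 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-4) [58e00be1] Correlation ID: 58e00be1, Call Stack: null, Custom Event ID: -1, Message: User 'pmarino' was added successfully to the system.
2014-08-13 16:35:52,202 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-10) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User pmarino failed to log in.
2014-08-13 16:35:52,202 WARN [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8702-10) CanDoAction of action LoginAdminUser failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2014-08-13 16:39:48,069 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-4-thread-31) [5ba3c874] Correlation ID: 5ba3c874, Call Stack: null, Custom Event ID: -1, Message: User/Group pmarino was granted permission for Role SuperUser on System by admin.
2014-08-13 16:40:43,357 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-1) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User pmarino logged in.
"""

# Generic shape of an engine.log line: timestamp, level, logger, thread, optional correlation id, text.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>[A-Z]+) +"
    r"\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\)(?: \[(?P<corr>[^\]]+)\])? (?P<rest>.*)$"
)
# Audit messages we care about. The principal of a grant may contain spaces (e.g. a redacted domain).
GRANT_RE = re.compile(
    r"Message: User/Group (?P<principal>.+?) was granted permission for Role (?P<role>\S+) on (?P<obj>\S+) by (?P<by>\S+)\.$"
)
LOGIN_RE = re.compile(r"Message: User (?P<user>\S+) (?P<outcome>logged in|failed to log in)\.$")


@dataclass
class Event:
    ts: datetime
    kind: str             # "grant", "login_ok" or "login_failed"
    principal: str        # user or group the event is about
    role: Optional[str] = None


def parse_events(text: str) -> List[Event]:
    """Extract permission grants and login outcomes from engine.log text; other lines are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
        rest = m.group("rest")
        g = GRANT_RE.search(rest)
        if g:
            events.append(Event(ts, "grant", g.group("principal"), g.group("role")))
            continue
        lg = LOGIN_RE.search(rest)
        if lg:
            kind = "login_ok" if lg.group("outcome") == "logged in" else "login_failed"
            events.append(Event(ts, kind, lg.group("user")))
    return events


def explain_logins(events: List[Event], user: str, groups: Set[str]) -> List[dict]:
    """For every login attempt by `user`, list the roles granted before that moment,
    split into grants made directly to the user and grants made to any of `groups`."""
    grants = sorted((e for e in events if e.kind == "grant"), key=lambda e: e.ts)
    out = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind not in ("login_ok", "login_failed") or ev.principal != user:
            continue
        before = [g for g in grants if g.ts < ev.ts]
        out.append({
            "ts": ev.ts.strftime("%Y-%m-%d %H:%M:%S"),
            "outcome": ev.kind,
            "direct_roles": [g.role for g in before if g.principal == user],
            "group_roles": [g.role for g in before if g.principal in groups],
        })
    return out


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for row in explain_logins(evs, "pmarino", {"<domain name>/Groups/sysadmin"}):
        print(row)
```

Run against the sample, the failed attempt at 16:35:52 shows an empty direct list and SuperUser plus PowerUserRole via the group, and the successful attempt at 16:40:43 shows SuperUser granted directly: the group grants were recorded but did not take effect for the user.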

----- Original Message -----
From: "Paul Robert Marino" <prmarino1@gmail.com> To: "Yair Zaslavsky" <yzaslavs@redhat.com> Cc: "Itamar Heim" <iheim@redhat.com>, users@ovirt.org Sent: Wednesday, August 13, 2014 11:47:40 PM Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
> Ok so before I open a bug ticket I want to confirm I'm not doing anything wrong here. I upgraded to 3.4; now it says "Active: false" on LDAP groups.
> Again I tried to add the sysadmin group from the directory server and set the power user and super user roles on the group. It shows up as "<domain name>/Groups/sysadmin". I added the permissions by clicking on the configure link on the top of the screen and set them in the "System Permissions" tab.
Sounds good so far. I assume also you see the permissions in the permissions sub tab when you click the group.
> I added a user (pmarino) to the system. The "Directory Group" tab shows "sysadmin groups <domain name>" among others; however, the Permissions tab only shows the permissions inherited by "Everyone". It does not show any permissions inherited by the sysadmin group.
This is not good - I mean, it should have worked.
> Just to prove it didn't work I logged out and attempted to log back in as the user (pmarino); it wouldn't let me log in.
> I logged back in as the internal admin user, then I added the SuperUser permissions directly to the pmarino account and logged back out again. Now when I logged in as pmarino it gave me the access I expected.
Can I please ask you to provide some database info?
It will be awesome if you can provide the results of the following SQL queries:
select group_ids, groups from users where username ilike '%pmarino%';
In addition, please perform:
select id, name from ad_groups;
Thanks for your help.
P.S. - As far as I understand, the two bugs mentioned by Itamar (I mean, the solution to the bugs) should have fixed your issue as well.

here are the results of the queries you asked for

engine=# select group_ids, groups from users where username ilike '%pmarino%';
 group_ids | groups
-----------+--------
 00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000 | core.ux.media.cbs.net/groups/sysadmin,<domain here>/groups/pmarino,<domain here>/groups/pd managers,<domain here>/groups/qa managers,<domain here>/groups/accounting managers,<domain here>/directory administrators
(1 row)

engine=# select id, name from ad_groups;
                  id                  |             name
--------------------------------------+-------------------------------
 eee00000-0000-0000-0000-123456789eee | Everyone
 2a8a8401-fc9e-11e3-8742-861538ea406a | <domain here>/Groups/sysadmin
(2 rows)

On Wed, Aug 13, 2014 at 10:49 PM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
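The two query results Paul posted can be cross-checked mechanically. The script below is an added consistency check, not oVirt's code and not posted by anyone in this thread. It assumes, as Yair's request for exactly these two queries suggests, that a group's permissions can only reach a user when the id stored at the matching position of users.group_ids points at that group's row in ad_groups; whether the engine evaluates inheritance exactly that way is an assumption of the script. The data is constructed from Paul's output; the one unredacted domain in his sysadmin entry is normalized to `<domain here>` so that names can be compared.

```python
from typing import Dict, List, Tuple

NULL_GUID = "00000000-0000-0000-0000-000000000000"

# users.group_ids and users.groups for pmarino, constructed from the query output in
# this thread. The first group name was unredacted in the original and is normalized
# here to "<domain here>" (assumption: it is the same domain as the other entries).
USER_GROUP_IDS = ",".join([NULL_GUID] * 6)
USER_GROUPS = (
    "<domain here>/groups/sysadmin,"
    "<domain here>/groups/pmarino,"
    "<domain here>/groups/pd managers,"
    "<domain here>/groups/qa managers,"
    "<domain here>/groups/accounting managers,"
    "<domain here>/directory administrators"
)

# ad_groups rows (id -> name), also taken from the thread.
AD_GROUPS: Dict[str, str] = {
    "eee00000-0000-0000-0000-123456789eee": "Everyone",
    "2a8a8401-fc9e-11e3-8742-861538ea406a": "<domain here>/Groups/sysadmin",
}


def parse_user_groups(group_ids: str, groups: str) -> List[Tuple[str, str]]:
    """Pair each entry of users.group_ids with the group name at the same position."""
    ids = [g.strip() for g in group_ids.split(",") if g.strip()]
    names = [n.strip() for n in groups.split(",") if n.strip()]
    if len(ids) != len(names):
        raise ValueError(f"group_ids has {len(ids)} entries but groups has {len(names)}")
    return list(zip(ids, names))


def check_group_resolution(group_ids: str, groups: str, ad_groups: Dict[str, str]) -> List[dict]:
    """Classify each of the user's groups by whether its stored id resolves to an ad_groups row.

    status:  ok            - id exists in ad_groups and the names agree (case-insensitive)
             null_id       - the stored id is the all-zero GUID, so it cannot point at any row
             unknown_id    - the id is not in ad_groups at all
             name_mismatch - the id exists but names a different group
    expected_id: the ad_groups id found by name (case-insensitive), or None when the group
    was never added to the engine (then no permissions could have been attached to it).
    """
    by_name = {name.lower(): gid for gid, name in ad_groups.items()}
    report = []
    for gid, name in parse_user_groups(group_ids, groups):
        expected = by_name.get(name.lower())
        if gid == NULL_GUID:
            status = "null_id"
        elif gid not in ad_groups:
            status = "unknown_id"
        elif ad_groups[gid].lower() != name.lower():
            status = "name_mismatch"
        else:
            status = "ok"
        report.append({"group": name, "stored_id": gid, "status": status, "expected_id": expected})
    return report


def groups_with_broken_inheritance(report: List[dict]) -> List[str]:
    """Groups that do have an ad_groups row (so permissions can be granted to them) but whose
    row the user's stored id does not point at; under this script's assumption, permissions
    granted to these groups will not reach the user."""
    return [r["group"] for r in report if r["expected_id"] and r["stored_id"] != r["expected_id"]]


if __name__ == "__main__":
    rep = check_group_resolution(USER_GROUP_IDS, USER_GROUPS, AD_GROUPS)
    for r in rep:
        print(f'{r["status"]:13} {r["group"]}  stored={r["stored_id"]}  expected={r["expected_id"]}')
    print("broken inheritance:", groups_with_broken_inheritance(rep))
```

On Paul's data every stored id is the all-zero GUID; only the sysadmin group has an ad_groups row to resolve to, and its stored id does not point at it, which is the one group whose permissions he expected the user to inherit. The other five groups have no ad_groups row at all, so nothing could have been granted to them in the first place.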

Just for the sake of testing, even though someone said previously to ignore it, I set active = t on the sysadmin group in ad_groups. It had no effect other than changing "Active:" to true in the interface.

And in answer to this: "I assume also you see the permissions in the permissions sub tab when you click the group." Yes.

On Sun, Aug 17, 2014 at 9:33 AM, Paul Robert Marino <prmarino1@gmail.com> wrote:
here are the results of the queries you asked for

engine=# select group_ids, groups from users where username ilike '%pmarino%';
 group_ids | groups
-----------+--------
 00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000 | <domain here>/groups/sysadmin,<domain here>/groups/pmarino,<domain here>/groups/pd managers,<domain here>/groups/qa managers,<domain here>/groups/accounting managers,<domain here>/directory administrators
(1 row)

engine=# select id, name from ad_groups;
                  id                  |             name
--------------------------------------+-------------------------------
 eee00000-0000-0000-0000-123456789eee | Everyone
 2a8a8401-fc9e-11e3-8742-861538ea406a | <domain here>/Groups/sysadmin
(2 rows)
On Wed, Aug 13, 2014 at 10:49 PM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
----- Original Message -----
From: "Paul Robert Marino" <prmarino1@gmail.com> To: "Yair Zaslavsky" <yzaslavs@redhat.com> Cc: "Itamar Heim" <iheim@redhat.com>, users@ovirt.org Sent: Wednesday, August 13, 2014 11:47:40 PM Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
Ok, so before I open a bug ticket I want to confirm I'm not doing anything wrong here. I upgraded to 3.4; now it says "Active: false" on LDAP groups.
Again I tried to add the sysadmin group from the directory server and set the power user and super user roles on the group. It shows up as "<domain name>/Groups/sysadmin". I added the permissions by clicking on the configure link on the top of the screen and set them in the "System Permissions" tab.
Sounds good so far. I assume also you see the permissions in the permissions sub tab when you click the group.
I added a user (pmarino) to the system, which in the "Directory Group" tab shows "sysadmin groups <domain name>" among others; however it only shows in the Permissions tab the permissions inherited by "Everyone". It does not show any permissions inherited by the sysadmin group.
This is not good - I mean, it should have worked.
Just to prove it didn't work I logged out and attempted to log back in as the user (pmarino). It wouldn't let me log in.
I logged back in as the internal admin user, then I added the SuperUser permissions directly to the pmarino account and logged back out again. Now when I logged in as pmarino it gave me the access I expected.
Can I please ask you to provide some database info?
It will be awesome if you can provide the following SQL query results:
select group_ids, groups from users where username ilike '%pmarino%';
In addition, please perform: select id, name from ad_groups;
Thanks for your help.
P.S. - As far as I understand, the two bugs mentioned by Itamar (I mean, the solution to the bugs) should have fixed your issue as well.
Here is the relevant portion of the engine log
"
2014-08-13 16:00:38,801 INFO [org.ovirt.engine.core.bll.AddGroupCommand] (ajp-/127.0.0.1:8702-5) [1e7fa420] Running command: AddGroupCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System
2014-08-13 16:00:38,813 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-5) [1e7fa420] Correlation ID: 1e7fa420, Call Stack: null, Custom Event ID: -1, Message: User '<domain name>/Groups/sysadmin' was added successfully to the system.
2014-08-13 16:09:01,352 INFO [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-4-thread-24) [75cab17c] Running command: AddSystemPermissionCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System, ID: aaa00000-0000-0000-0000-123456789aaa Type: System
2014-08-13 16:09:01,371 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-4-thread-24) [75cab17c] Correlation ID: 75cab17c, Call Stack: null, Custom Event ID: -1, Message: User/Group <domain name>/Groups/sysadmin was granted permission for Role SuperUser on System by admin.
2014-08-13 16:10:40,963 INFO [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-4-thread-26) [b42abcb] Running command: AddSystemPermissionCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System, ID: aaa00000-0000-0000-0000-123456789aaa Type: System
2014-08-13 16:10:40,979 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-4-thread-26) [b42abcb] Correlation ID: b42abcb, Call Stack: null, Custom Event ID: -1, Message: User/Group <domain name>/Groups/sysadmin was granted permission for Role PowerUserRole on System by admin.
2014-08-13 16:20:53,891 INFO [org.ovirt.engine.core.bll.AddUserCommand] (ajp-/127.0.0.1:8702-4) [58e00be1] Running command: AddUserCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System
2014-08-13 16:20:53,919 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-4) [58e00be1] Correlation ID: 58e00be1, Call Stack: null, Custom Event ID: -1, Message: User 'pmarino' was added successfully to the system.
2014-08-13 16:35:52,202 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-10) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User pmarino failed to log in.
2014-08-13 16:35:52,202 WARN [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8702-10) CanDoAction of action LoginAdminUser failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2014-08-13 16:39:48,048 INFO [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-4-thread-31) [5ba3c874] Running command: AddSystemPermissionCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System
2014-08-13 16:39:48,069 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-4-thread-31) [5ba3c874] Correlation ID: 5ba3c874, Call Stack: null, Custom Event ID: -1, Message: User/Group pmarino was granted permission for Role SuperUser on System by admin.
2014-08-13 16:40:43,357 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-1) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User pmarino logged in.
"
On Mon, Aug 11, 2014 at 1:41 PM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
----- Original Message -----
From: "Yair Zaslavsky" <yzaslavs@redhat.com> To: "Itamar Heim" <iheim@redhat.com> Cc: users@ovirt.org Sent: Monday, August 11, 2014 8:13:53 PM Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
I have checked the codebase of 3.3 - the "active" field is used for presentation purposes only.
Presentation-wise only means that it is not used for our permissions calculation, for example.
Alon has addressed our plans for this in his previous comments. I hope this clarifies more.
Yair
----- Original Message -----
From: "Itamar Heim" <iheim@redhat.com> To: "Alon Bar-Lev" <alonbl@redhat.com>, "Paul Robert Marino" <prmarino1@gmail.com> Cc: users@ovirt.org Sent: Sunday, August 10, 2014 11:54:05 PM Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
On 08/10/2014 10:50 PM, Alon Bar-Lev wrote:
>
> ----- Original Message -----
>> From: "Paul Robert Marino" <prmarino1@gmail.com>
>> To: "Alon Bar-Lev" <alonbl@redhat.com>
>> Cc: "Maurice James" <mjames@media-node.com>, users@ovirt.org
>> Sent: Sunday, August 10, 2014 10:43:14 PM
>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
>>
>> Sorry for my delayed response to this
>>
>> I am using ovirt 3.3.
>> I am using Kerberos 5, and all of the DNS requirements are in place.
>> Finally 389 server is the upstream project for RHDS and one of the upstream projects for IPA.
>> So I chose to set it as RHDS because it's an identical match.
>>
>> User authentication works just fine; my problem is adding roles to groups.
>> I can assign a role to a group but the group always shows an inactive status; however if I assign a role directly to a user it works fine.
>> In addition if I drill down into a user it knows what groups in the 389 server the user is a member of.
>>
>> finally I can't see any error in the logs when adding a role to a group
>>
>
> Please open a bug, I am unsure that it will be addressed before 3.5, as we have done major rework for the authentication and authorization to make it much more versatile. Even if there will be a fix it will be provided to 3.4.z.
>
> It will be best if you want to test this scenario in 3.5 release candidate and the new ldap provider, so we can address the issue before 3.5 release if exists.
>
could also be one of these fixed in 3.4:
3.4.0 - Bug 1065615 - When adding a user that belongs to a group, it does not inherit the group permissions
3.4.1 - Bug 1069562 - When assigning permissions to user that belongs to a group indirectly, it does not inherit the group permissions
>>
>> On Sat, Aug 9, 2014 at 2:33 AM, Alon Bar-Lev <alonbl@redhat.com> wrote:
>>>
>>> ----- Original Message -----
>>>> From: "Maurice James" <mjames@media-node.com>
>>>> To: "Alon Bar-Lev" <alonbl@redhat.com>
>>>> Cc: "Itamar Heim" <iheim@redhat.com>, users@ovirt.org
>>>> Sent: Saturday, August 9, 2014 3:47:04 AM
>>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
>>>>
>>>> Does this still require the use of kerberos? Will 389-ds work on its own?
>>>
>>> In 3.5 we introduced pure ldap support[1], obsoleting the kerberos/ldap mix.
>>>
>>> It will be great to receive feedback[2].
>>>
>>> 389ds is not supported directly, I think it is similar to IPA as it uses 389. Maybe I should rename the profile of ipa to 389 if it works properly.
>>>
>>> Regards,
>>> Alon
>>>
>>> [1] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;...
>>> [2] http://lists.ovirt.org/pipermail/devel/2014-August/008367.html
>>>
>>>>
>>>> ----- Original Message -----
>>>> From: "Alon Bar-Lev" <alonbl@redhat.com>
>>>> To: "Itamar Heim" <iheim@redhat.com>
>>>> Cc: users@ovirt.org
>>>> Sent: Friday, August 8, 2014 3:45:07 PM
>>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
>>>>
>>>> ----- Original Message -----
>>>>> From: "Itamar Heim" <iheim@redhat.com>
>>>>> To: "Paul Robert Marino" <prmarino1@gmail.com>, users@ovirt.org
>>>>> Sent: Friday, August 8, 2014 10:37:11 PM
>>>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
>>>>>
>>>>> On 08/07/2014 07:06 PM, Paul Robert Marino wrote:
>>>>>> I have ovirt engine running and connected to a 389 server with the memberof plugin enabled and working properly.
>>>>>>
>>>>>> I can add users and assign them to roles without any issues.
>>>>>>
>>>>>> when I look at a user I can see all the LDAP groups they are a member of.
>>>>>>
>>>>>> when I run engine-manage-domains -action=validate it tells me the domain is valid.
>>>>>>
>>>>>> here is my problem when I try to assign a role to an LDAP group it looks like it works but in the general tab when under the group it tells me the status is Inactive.
>>>>>>
>>>>>> does any one know how to enable the group?
>>>>>
>>>>> 3.4 or new 3.5 Generic LDAP provider?
>>>>
>>>> In case this is 3.5 it is a known issue, all groups will be seen as inactive, this field will probably be removed from UI, as groups are no longer fetched periodically.
>>>> This field is totally ignored.
>>>>
>>>> Alon

----- Original Message -----
From: "Paul Robert Marino" <prmarino1@gmail.com> To: "Yair Zaslavsky" <yzaslavs@redhat.com> Cc: "Itamar Heim" <iheim@redhat.com>, users@ovirt.org Sent: Sunday, August 17, 2014 4:33:30 PM Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
here are the results of the queries you asked for

engine=# select group_ids, groups from users where username ilike '%pmarino%';
 group_ids | groups
-----------+--------
 00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000 | <domain here>/groups/sysadmin,<domain here>/groups/pmarino,<domain here>/groups/pd managers,<domain here>/groups/qa managers,<domain here>/groups/accounting managers,<domain here>/directory administrators
(1 row)

engine=# select id, name from ad_groups;
                  id                  |             name
--------------------------------------+-------------------------------
 eee00000-0000-0000-0000-123456789eee | Everyone
 2a8a8401-fc9e-11e3-8742-861538ea406a | <domain here>/Groups/sysadmin
(2 rows)
It does look like there is something wrong in the association of users to their group IDs. Just to make sure I'm not missing anything - did you first add the group, and then add users (that belong to the group), either by adding users or by adding a permission?
Yair

Confirmed, that does seem to be the cause. I updated the group_ids field of a user to the appropriate IDs from ad_groups and it fixed that user.

In answer to your question "Did you first add the group, and then added users (that belong to a group) either by adding users, or by adding a permission?": I've tried it every different way I can think of; the results are always the same.

On Sun, Aug 17, 2014 at 9:46 AM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
----- Original Message -----
From: "Paul Robert Marino" <prmarino1@gmail.com> To: "Yair Zaslavsky" <yzaslavs@redhat.com> Cc: "Itamar Heim" <iheim@redhat.com>, users@ovirt.org Sent: Sunday, August 17, 2014 4:33:30 PM Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
here are the results of the queries you asked for
group_ids
|
groups
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------- --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---- 00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000 | <domain here>/groups/sysadmin,<domain here>/groups/pmarino,<domain here>/groups/pd managers,<domain here>/groups/qa managers,<domain here>/groups/accounting managers,<domain here>/directory administrat ors (1 row)
engine=# select id, name from ad_groups; id | name --------------------------------------+--------------------------------------- eee00000-0000-0000-0000-123456789eee | Everyone 2a8a8401-fc9e-11e3-8742-861538ea406a | <domain here>/Groups/sysadmin (2 rows)
It does look that there is something wrong in the association of users to their group IDS. Just to make sure I'm not missing anything - Did you first add the goup, and then added users (that belong to a group) either by adding users, or by adding a permission?
Yair
On Wed, Aug 13, 2014 at 10:49 PM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
----- Original Message -----
From: "Paul Robert Marino" <prmarino1@gmail.com> To: "Yair Zaslavsky" <yzaslavs@redhat.com> Cc: "Itamar Heim" <iheim@redhat.com>, users@ovirt.org Sent: Wednesday, August 13, 2014 11:47:40 PM Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
Ok so before I open a bug ticket I want to confirm I'm not doing any thing wrong here. I upgraded to 3.4 now it says "Active: false " on LDAP groups.
Again I tried to add the sysadmin group from the directory server and set the power user and super user roles on the group it shows up as "<domain name>/Groups/sysadmin" I adder the permisions by clicking on the configure link on the top of the screen and set them in the "System Permissions" tab
Sounds good so far. I assume also you see the permissiosn in the permissions sub tab when you click the group.
I added a user (pmarino) to the system which shows in the "Directory Group" tab shows "sysadmin groups <domian name>" among others however it only shows in the Permissions tab the permissions inherited by "Everyone" it does not show any permissions inherited by the sysadmin group.
This is not good - I mean, should have worked.
just to prove it didnt work I logged out and attempted to log back in as the user (pmarino) it wouldn't let me log in
I logged back in as the internal admin user then I added the SuperUser permissions directly to the pmarino account and logged back out again. Now when I logged in as pmarino it gave me the access I expected.
Can I please ask you to provide some database info ?
It will be awesome if you can provide the following SQL queries results -
select group_ids, groups from users where username ilike '%pmarino%';
In addition, please perform - select id, name from ad_groups;
Thanks for your help.
P.S - As far as I understand the two bugs mentioend by Itamar (I mean, the solution to the bugs) should have fixed your issue as well.
Here is the relevant portion of the engine log:

2014-08-13 16:00:38,801 INFO [org.ovirt.engine.core.bll.AddGroupCommand] (ajp-/127.0.0.1:8702-5) [1e7fa420] Running command: AddGroupCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System
2014-08-13 16:00:38,813 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-5) [1e7fa420] Correlation ID: 1e7fa420, Call Stack: null, Custom Event ID: -1, Message: User '<domain name>/Groups/sysadmin' was added successfully to the system.
2014-08-13 16:09:01,352 INFO [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-4-thread-24) [75cab17c] Running command: AddSystemPermissionCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System, ID: aaa00000-0000-0000-0000-123456789aaa Type: System
2014-08-13 16:09:01,371 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-4-thread-24) [75cab17c] Correlation ID: 75cab17c, Call Stack: null, Custom Event ID: -1, Message: User/Group <domain name>/Groups/sysadmin was granted permission for Role SuperUser on System by admin.
2014-08-13 16:10:40,963 INFO [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-4-thread-26) [b42abcb] Running command: AddSystemPermissionCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System, ID: aaa00000-0000-0000-0000-123456789aaa Type: System
2014-08-13 16:10:40,979 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-4-thread-26) [b42abcb] Correlation ID: b42abcb, Call Stack: null, Custom Event ID: -1, Message: User/Group <domain name>/Groups/sysadmin was granted permission for Role PowerUserRole on System by admin.
2014-08-13 16:20:53,891 INFO [org.ovirt.engine.core.bll.AddUserCommand] (ajp-/127.0.0.1:8702-4) [58e00be1] Running command: AddUserCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System
2014-08-13 16:20:53,919 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-4) [58e00be1] Correlation ID: 58e00be1, Call Stack: null, Custom Event ID: -1, Message: User 'pmarino' was added successfully to the system.
2014-08-13 16:35:52,202 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-10) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User pmarino failed to log in.
2014-08-13 16:35:52,202 WARN [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8702-10) CanDoAction of action LoginAdminUser failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
2014-08-13 16:39:48,048 INFO [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-4-thread-31) [5ba3c874] Running command: AddSystemPermissionCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System
2014-08-13 16:39:48,069 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-4-thread-31) [5ba3c874] Correlation ID: 5ba3c874, Call Stack: null, Custom Event ID: -1, Message: User/Group pmarino was granted permission for Role SuperUser on System by admin.
2014-08-13 16:40:43,357 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-1) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User pmarino logged in.
On Mon, Aug 11, 2014 at 1:41 PM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
----- Original Message -----
From: "Yair Zaslavsky" <yzaslavs@redhat.com> To: "Itamar Heim" <iheim@redhat.com> Cc: users@ovirt.org Sent: Monday, August 11, 2014 8:13:53 PM Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
I have checked the codebase of 3.3 - the "active" field is used for presentation purpose only.
Presentation-wise only means that it is not used for our permissions calculation, for example.
Alon has addressed our plans for this in his previous comments. I hope this clarifies more..
Yair

I found why the group_ids field is wrong. If you look at the ad_groups table, the name for the group is "<domain here>/Groups/sysadmin"; however, if you look at the groups field in the users table it says "<domain here>/groups/sysadmin". I tried updating the name field in the ad_groups table to match "<domain here>/groups/sysadmin", then removed and added a user, and now the id for that group in the group_ids field is being set correctly.
This is at least a usable workaround for now. Now we need to find the root cause.
On Sun, Aug 17, 2014 at 10:39 AM, Paul Robert Marino <prmarino1@gmail.com> wrote:
Confirmed, that does seem to be the cause. I updated the group_ids field of a user to the appropriate IDs from ad_groups and it fixed that user. In answer to your question "Did you first add the group, and then added users (that belong to a group) either by adding users, or by adding a permission?": I've tried it every different way I can think of; the results are always the same.
On Sun, Aug 17, 2014 at 9:46 AM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
----- Original Message -----
From: "Paul Robert Marino" <prmarino1@gmail.com> To: "Yair Zaslavsky" <yzaslavs@redhat.com> Cc: "Itamar Heim" <iheim@redhat.com>, users@ovirt.org Sent: Sunday, August 17, 2014 4:33:30 PM Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
here are the results of the queries you asked for
group_ids | groups
----------+-------
00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000 | <domain here>/groups/sysadmin,<domain here>/groups/pmarino,<domain here>/groups/pd managers,<domain here>/groups/qa managers,<domain here>/groups/accounting managers,<domain here>/directory administrators
(1 row)

engine=# select id, name from ad_groups;
id | name
--------------------------------------+-------------------------------
eee00000-0000-0000-0000-123456789eee | Everyone
2a8a8401-fc9e-11e3-8742-861538ea406a | <domain here>/Groups/sysadmin
(2 rows)
It does look like there is something wrong in the association of users to their group IDs. Just to make sure I'm not missing anything - did you first add the group, and then added users (that belong to a group) either by adding users, or by adding a permission?
Yair
On Wed, Aug 13, 2014 at 10:49 PM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
----- Original Message -----
From: "Paul Robert Marino" <prmarino1@gmail.com> To: "Yair Zaslavsky" <yzaslavs@redhat.com> Cc: "Itamar Heim" <iheim@redhat.com>, users@ovirt.org Sent: Wednesday, August 13, 2014 11:47:40 PM Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
Ok, so before I open a bug ticket I want to confirm I'm not doing anything wrong here. I upgraded to 3.4; now it says "Active: false" on LDAP groups.
Again I tried to add the sysadmin group from the directory server and set the power user and super user roles on the group. It shows up as "<domain name>/Groups/sysadmin". I added the permissions by clicking on the configure link at the top of the screen and set them in the "System Permissions" tab.
Sounds good so far. I assume you also see the permissions in the permissions sub tab when you click the group.
I added a user (pmarino) to the system, which in the "Directory Group" tab shows "sysadmin groups <domain name>" among others; however, in the Permissions tab it only shows the permissions inherited from "Everyone". It does not show any permissions inherited from the sysadmin group.
This is not good - I mean, should have worked.
Just to prove it didn't work, I logged out and attempted to log back in as the user (pmarino); it wouldn't let me log in.
I logged back in as the internal admin user then I added the SuperUser permissions directly to the pmarino account and logged back out again. Now when I logged in as pmarino it gave me the access I expected.
Can I please ask you to provide some database info?
It will be awesome if you can provide the following SQL queries results -
select group_ids, groups from users where username ilike '%pmarino%';
In addition, please perform - select id, name from ad_groups;
Thanks for your help.
P.S - As far as I understand, the two bugs mentioned by Itamar (I mean, the solution to the bugs) should have fixed your issue as well.

Ok, I dug in a little further. It looks like the memberof plugin in 389 server is making them lowercase, which from an LDAP and/or POSIX perspective is not a problem, but this seems to be the root cause of the issue. While this behavior is strange it is not invalid, because DNs are case insensitive. The easiest way to fix this is to change the query of the group from the ad_groups table to an ilike. The potential problem here is that it conflicts with SAM in Windows, where group names are case sensitive. This is definitely a conflict in design between AD and LDAP's core design. Interestingly, I can add roles to the group and there is no problem, it sets it correctly, so somewhere else in the code an ilike is being used to query the groups table.
On Sun, Aug 17, 2014 at 11:05 AM, Paul Robert Marino <prmarino1@gmail.com> wrote:
>> > >>>>>> _______________________________________________ >> > >>>>>> Users mailing list >> > >>>>>> Users@ovirt.org >> > >>>>>> http://lists.ovirt.org/mailman/listinfo/users >> > >>>>>> >> > >>>>> >> > >>>>> 3.4 or new 3.5 Generic LDAP provider? >> > >>>> >> > >>>> >> > >>>> On case this is 3.5 it is known issue, all groups will be seen >> > >>>> as >> > >>>> inactive, >> > >>>> this field will probably be removed from UI, as groups are no >> > >>>> longer >> > >>>> fetched >> > >>>> periodically. >> > >>>> This field is totally ignored. >> > >>>> >> > >>>> Alon >> > >>>> _______________________________________________ >> > >>>> Users mailing list >> > >>>> Users@ovirt.org >> > >>>> http://lists.ovirt.org/mailman/listinfo/users >> > >>>> >> > >>> _______________________________________________ >> > >>> Users mailing list >> > >>> Users@ovirt.org >> > >>> http://lists.ovirt.org/mailman/listinfo/users >> > >> >> > > _______________________________________________ >> > > Users mailing list >> > > Users@ovirt.org >> > > http://lists.ovirt.org/mailman/listinfo/users >> > > >> > >> > _______________________________________________ >> > Users mailing list >> > Users@ovirt.org >> > http://lists.ovirt.org/mailman/listinfo/users >> > >> _______________________________________________ >> Users mailing list >> Users@ovirt.org >> http://lists.ovirt.org/mailman/listinfo/users >> > _______________________________________________ > Users mailing list > Users@ovirt.org > http://lists.ovirt.org/mailman/listinfo/users

I think we now have enough for a proper ticket. I will create one later today. Also, since I have RHEV support for my production instances, I will also create a matching case with Red Hat.

On Sun, Aug 17, 2014 at 11:27 AM, Paul Robert Marino <prmarino1@gmail.com> wrote:
OK, I dug in a little further. It looks like the memberof plugin in 389 server is making them lowercase, which from an LDAP and/or POSIX perspective is not a problem, but this seems to be the root cause of the difference. While this behavior is strange it is not invalid, because DNs are case insensitive.
The easiest way to fix this is to change the query of the group from the ad_groups table to an ilike. The potential problem here is that it conflicts with SAM in Windows, where group names are case sensitive. This is definitely a conflict in design between AD and LDAP's core design. Interestingly, I can add roles to the group and there is no problem, it sets it correctly, so somewhere else in the code an ilike is being used to query the groups table.
On Sun, Aug 17, 2014 at 11:05 AM, Paul Robert Marino <prmarino1@gmail.com> wrote:
I found why the group_ids field is wrong.
If you look at the ad_groups table, the name for the group is "<domain here>/Groups/sysadmin"; however, if you look at the groups field in the users table it says "<domain here>/groups/sysadmin". I tried updating the name field in the ad_groups table to match "<domain here>/groups/sysadmin", then removed and added a user; now the id for that group in the group_ids field is being set correctly.
This is at least a usable workaround for now. Now we need to find the root cause.
On Sun, Aug 17, 2014 at 10:39 AM, Paul Robert Marino <prmarino1@gmail.com> wrote:
Confirmed, that does seem to be the cause. I updated the group_ids field of a user to the appropriate IDs from ad_groups and it fixed that user. In answer to your question "Did you first add the group, and then added users (that belong to a group) either by adding users, or by adding a permission?": I've tried it every different way I can think of; the results are always the same.
On Sun, Aug 17, 2014 at 9:46 AM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
----- Original Message -----
From: "Paul Robert Marino" <prmarino1@gmail.com> To: "Yair Zaslavsky" <yzaslavs@redhat.com> Cc: "Itamar Heim" <iheim@redhat.com>, users@ovirt.org Sent: Sunday, August 17, 2014 4:33:30 PM Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
Here are the results of the queries you asked for:

 group_ids | groups
-----------+--------
 00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000 | <domain here>/groups/sysadmin,<domain here>/groups/pmarino,<domain here>/groups/pd managers,<domain here>/groups/qa managers,<domain here>/groups/accounting managers,<domain here>/directory administrators
(1 row)

engine=# select id, name from ad_groups;
                  id                  |             name
--------------------------------------+-------------------------------
 eee00000-0000-0000-0000-123456789eee | Everyone
 2a8a8401-fc9e-11e3-8742-861538ea406a | <domain here>/Groups/sysadmin
(2 rows)
It does look like there is something wrong in the association of users to their group IDs. Just to make sure I'm not missing anything: did you first add the group, and then added users (that belong to a group) either by adding users, or by adding a permission?
Yair
On Wed, Aug 13, 2014 at 10:49 PM, Yair Zaslavsky <yzaslavs@redhat.com> wrote:
----- Original Message -----
> From: "Paul Robert Marino" <prmarino1@gmail.com>
> To: "Yair Zaslavsky" <yzaslavs@redhat.com>
> Cc: "Itamar Heim" <iheim@redhat.com>, users@ovirt.org
> Sent: Wednesday, August 13, 2014 11:47:40 PM
> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
>
> OK, so before I open a bug ticket I want to confirm I'm not doing anything wrong here.
> I upgraded to 3.4.
> Now it says "Active: false" on LDAP groups.
>
> Again I tried to add the sysadmin group from the directory server and set the power user and super user roles on the group.
> It shows up as "<domain name>/Groups/sysadmin".
> I added the permissions by clicking on the configure link on the top of the screen and set them in the "System Permissions" tab.
Sounds good so far. I assume you also see the permissions in the permissions sub tab when you click the group.
> I added a user (pmarino) to the system, which in the "Directory Group" tab shows "sysadmin groups <domain name>" among others; however, in the Permissions tab it only shows the permissions inherited by "Everyone". It does not show any permissions inherited by the sysadmin group.
This is not good - I mean, should have worked.
> Just to prove it didn't work, I logged out and attempted to log back in as the user (pmarino); it wouldn't let me log in.
>
> I logged back in as the internal admin user, then I added the SuperUser permissions directly to the pmarino account and logged back out again. Now when I logged in as pmarino it gave me the access I expected.
Can I please ask you to provide some database info?
It will be awesome if you can provide the results of the following SQL queries:
select group_ids, groups from users where username ilike '%pmarino%';
In addition, please perform: select id, name from ad_groups;
Thanks for your help.
P.S. As far as I understand, the two bugs mentioned by Itamar (I mean, the solution to the bugs) should have fixed your issue as well.
> Here is the relevant portion of the engine log
> "
> 2014-08-13 16:00:38,801 INFO [org.ovirt.engine.core.bll.AddGroupCommand] (ajp-/127.0.0.1:8702-5) [1e7fa420] Running command: AddGroupCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System
> 2014-08-13 16:00:38,813 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-5) [1e7fa420] Correlation ID: 1e7fa420, Call Stack: null, Custom Event ID: -1, Message: User '<domain name>/Groups/sysadmin' was added successfully to the system.
> 2014-08-13 16:09:01,352 INFO [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-4-thread-24) [75cab17c] Running command: AddSystemPermissionCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System, ID: aaa00000-0000-0000-0000-123456789aaa Type: System
> 2014-08-13 16:09:01,371 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-4-thread-24) [75cab17c] Correlation ID: 75cab17c, Call Stack: null, Custom Event ID: -1, Message: User/Group <domain name>/Groups/sysadmin was granted permission for Role SuperUser on System by admin.
> 2014-08-13 16:10:40,963 INFO [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-4-thread-26) [b42abcb] Running command: AddSystemPermissionCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System, ID: aaa00000-0000-0000-0000-123456789aaa Type: System
> 2014-08-13 16:10:40,979 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-4-thread-26) [b42abcb] Correlation ID: b42abcb, Call Stack: null, Custom Event ID: -1, Message: User/Group <domain name>/Groups/sysadmin was granted permission for Role PowerUserRole on System by admin.
> 2014-08-13 16:20:53,891 INFO [org.ovirt.engine.core.bll.AddUserCommand] (ajp-/127.0.0.1:8702-4) [58e00be1] Running command: AddUserCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System
> 2014-08-13 16:20:53,919 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-4) [58e00be1] Correlation ID: 58e00be1, Call Stack: null, Custom Event ID: -1, Message: User 'pmarino' was added successfully to the system.
> 2014-08-13 16:35:52,202 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-10) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User pmarino failed to log in.
> 2014-08-13 16:35:52,202 WARN [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8702-10) CanDoAction of action LoginAdminUser failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
> 2014-08-13 16:39:48,048 INFO [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-4-thread-31) [5ba3c874] Running command: AddSystemPermissionCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System
> 2014-08-13 16:39:48,069 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-4-thread-31) [5ba3c874] Correlation ID: 5ba3c874, Call Stack: null, Custom Event ID: -1, Message: User/Group pmarino was granted permission for Role SuperUser on System by admin.
> 2014-08-13 16:40:43,357 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-1) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User pmarino logged in.
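The case mismatch Paul describes above (ad_groups.name stored as ".../Groups/sysadmin", users.groups delivered as ".../groups/sysadmin", and every group_ids entry left as the all-zero GUID in the output of Yair's query) can be reproduced and audited with the following script. This is an added example, not oVirt code: the two ad_groups rows and the users.groups string are constructed from the psql output in the thread, resolve_exact and resolve_ilike are hypothetical stand-ins for the engine's lookup under a case-sensitive and an ILIKE-style comparison, and case_collisions is the pre-check for the AD/SAM concern (two stored names differing only by case) that would have to come back empty before such a query were relaxed.

```python
"""
Group-name resolution audit for the engine tables discussed in the thread.

Added example, not oVirt code. The rows below are constructed from the psql
output quoted in the thread; only the two matching rules under discussion
(exact vs. ILIKE-style) are modelled, not the engine's real lookup code.
"""
from collections import defaultdict

# The all-zero id that appeared in users.group_ids for every group in the thread.
NULL_GUID = "00000000-0000-0000-0000-000000000000"

# Constructed from the `select id, name from ad_groups;` output in the thread.
AD_GROUPS = [
    {"id": "eee00000-0000-0000-0000-123456789eee", "name": "Everyone"},
    {"id": "2a8a8401-fc9e-11e3-8742-861538ea406a", "name": "<domain here>/Groups/sysadmin"},
]

# Constructed: a users.groups value as delivered via the memberof plugin,
# with the lowercased "groups" path component the thread describes.
USER_GROUPS = "<domain here>/groups/sysadmin,<domain here>/groups/pmarino"


def resolve_exact(name, ad_groups):
    """Case-sensitive lookup (SQL `name = $1`); falls through to the null GUID."""
    for row in ad_groups:
        if row["name"] == name:
            return row["id"]
    return NULL_GUID


def resolve_ilike(name, ad_groups):
    """Case-insensitive lookup (SQL `name ILIKE $1` / lower() comparison).

    Refuses to pick silently when stored names differ only by case, which is
    the conflict with case-sensitive SAM names raised in the thread.
    """
    hits = [row for row in ad_groups if row["name"].casefold() == name.casefold()]
    if len(hits) > 1:
        raise LookupError(f"ambiguous group name (case-only variants): {name!r}")
    return hits[0]["id"] if hits else NULL_GUID


def build_group_ids(groups_field, ad_groups, resolver):
    """Rebuild a users.group_ids value from users.groups with the given rule."""
    names = [n for n in groups_field.split(",") if n]
    return ",".join(resolver(n, ad_groups) for n in names)


def unresolved_groups(group_ids_field, groups_field):
    """Audit: names whose stored id is the null GUID, i.e. memberships that grant
    nothing. Feed it the two columns of `select group_ids, groups from users`."""
    ids = group_ids_field.split(",")
    names = groups_field.split(",")
    return [n for n, i in zip(names, ids) if i == NULL_GUID]


def case_collisions(ad_groups):
    """Pre-check before relaxing a lookup to ILIKE: stored names that collide
    once case is folded. Returns {folded_name: [original names, ...]}."""
    seen = defaultdict(list)
    for row in ad_groups:
        seen[row["name"].casefold()].append(row["name"])
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    exact = build_group_ids(USER_GROUPS, AD_GROUPS, resolve_exact)
    print("exact match :", exact)
    print("unresolved  :", unresolved_groups(exact, USER_GROUPS))
    print("ilike match :", build_group_ids(USER_GROUPS, AD_GROUPS, resolve_ilike))
    print("collisions  :", case_collisions(AD_GROUPS))
```

With exact matching every membership resolves to the null GUID, which is the signature in Yair's query output; with the ILIKE-style rule the sysadmin group resolves to its ad_groups id, while a group that is simply absent from ad_groups (pmarino here) still resolves to the null GUID. Running unresolved_groups over real query output is therefore the quick way to list users whose directory memberships currently grant nothing, and case_collisions is the check to run on ad_groups before changing the comparison, since an ambiguous match would silently attach one group's permissions to another's members.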

----- Original Message -----
From: "Paul Robert Marino" <prmarino1@gmail.com> To: "Yair Zaslavsky" <yzaslavs@redhat.com> Cc: users@ovirt.org Sent: Sunday, August 17, 2014 6:32:15 PM Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
I think we now have enough for a proper ticket. I will create one later today. Also, since I have RHEV support for my production instances, I will also create a matching case with Red Hat.
Thank you very much for your help here! Please add a link to this mailing list thread when you open the ticket.
Many thanks,
Yair
>> >> > >> >> >> > >> finally I can't see any error in the logs when adding a role >> >> > >> to a >> >> > >> group >> >> > >> >> >> > > >> >> > > Please open a bug, I am unsure that it will be addressed >> >> > > before >> >> > > 3.5, >> >> > > as >> >> > > we >> >> > > have done major rework for the authentication and >> >> > > authorization to >> >> > > make >> >> > > it >> >> > > much more versatile. Even if there will be a fix it will be >> >> > > provided >> >> > > to >> >> > > 3.4.z. >> >> > > >> >> > > It will be best if you want to test this scenario in 3.5 >> >> > > release >> >> > > candidate >> >> > > and the new ldap provider, so we can address the issue before >> >> > > 3.5 >> >> > > release >> >> > > if exists. >> >> > > >> >> > >> >> > could also be one of these fixed in 3.4: >> >> > 3.4.0 - Bug 1065615 - When adding a user that belongs to a >> >> > group, it >> >> > does not inherit the group permissions >> >> > 3.4.1 - Bug 1069562 - When assigning permissions to user that >> >> > belongs >> >> > to >> >> > a group indirectly, it does not inherit the group permissions >> >> > >> >> > >> >> >> > >> >> >> > >> On Sat, Aug 9, 2014 at 2:33 AM, Alon Bar-Lev >> >> > >> <alonbl@redhat.com> >> >> > >> wrote: >> >> > >>> >> >> > >>> >> >> > >>> ----- Original Message ----- >> >> > >>>> From: "Maurice James" <mjames@media-node.com> >> >> > >>>> To: "Alon Bar-Lev" <alonbl@redhat.com> >> >> > >>>> Cc: "Itamar Heim" <iheim@redhat.com>, users@ovirt.org >> >> > >>>> Sent: Saturday, August 9, 2014 3:47:04 AM >> >> > >>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive >> >> > >>>> groups >> >> > >>>> >> >> > >>>> Does this still require the use of kerberos? Will 389-ds >> >> > >>>> work on >> >> > >>>> its >> >> > >>>> own? >> >> > >>> >> >> > >>> In 3.5 we introduced pure ldap support[1], obsoleting the >> >> > >>> kerberos/ldap >> >> > >>> mix. >> >> > >>> >> >> > >>> It will be great to receive feedback[2]. 
>> >> > >>> >> >> > >>> 389ds is not supported directly, I think it is similar to >> >> > >>> IPA as >> >> > >>> it >> >> > >>> uses >> >> > >>> 389. Maybe I should rename the profile of ipa to 389 if it >> >> > >>> works >> >> > >>> properly. >> >> > >>> >> >> > >>> Regards, >> >> > >>> Alon >> >> > >>> >> >> > >>> [1] >> >> > >>> http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;... >> >> > >>> [2] >> >> > >>> http://lists.ovirt.org/pipermail/devel/2014-August/008367.html >> >> > >>> >> >> > >>>> >> >> > >>>> ----- Original Message ----- >> >> > >>>> From: "Alon Bar-Lev" <alonbl@redhat.com> >> >> > >>>> To: "Itamar Heim" <iheim@redhat.com> >> >> > >>>> Cc: users@ovirt.org >> >> > >>>> Sent: Friday, August 8, 2014 3:45:07 PM >> >> > >>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive >> >> > >>>> groups >> >> > >>>> >> >> > >>>> >> >> > >>>> >> >> > >>>> ----- Original Message ----- >> >> > >>>>> From: "Itamar Heim" <iheim@redhat.com> >> >> > >>>>> To: "Paul Robert Marino" <prmarino1@gmail.com>, >> >> > >>>>> users@ovirt.org >> >> > >>>>> Sent: Friday, August 8, 2014 10:37:11 PM >> >> > >>>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive >> >> > >>>>> groups >> >> > >>>>> >> >> > >>>>> On 08/07/2014 07:06 PM, Paul Robert Marino wrote: >> >> > >>>>>> I have ovirt engine running and connected to a 389 >> >> > >>>>>> server with >> >> > >>>>>> the >> >> > >>>>>> memberof plugin enabled and working properly. >> >> > >>>>>> >> >> > >>>>>> I can add users and assign them to roles without any >> >> > >>>>>> issues. >> >> > >>>>>> >> >> > >>>>>> when I look at a user I can see all the LDAP groups they >> >> > >>>>>> are a >> >> > >>>>>> member >> >> > >>>>>> of. >> >> > >>>>>> >> >> > >>>>>> when I run engine-manage-domains -action=validate it >> >> > >>>>>> tells me >> >> > >>>>>> the >> >> > >>>>>> domain is valid. 
>> >> > >>>>>> >> >> > >>>>>> here is my problem when I try to assign a role to an >> >> > >>>>>> LDAP >> >> > >>>>>> group >> >> > >>>>>> it >> >> > >>>>>> looks like it works but in the general tab when under >> >> > >>>>>> the >> >> > >>>>>> group >> >> > >>>>>> it >> >> > >>>>>> tells me the status is Inactive. >> >> > >>>>>> >> >> > >>>>>> dose any one know how to enable the group? >> >> > >>>>>> _______________________________________________ >> >> > >>>>>> Users mailing list >> >> > >>>>>> Users@ovirt.org >> >> > >>>>>> http://lists.ovirt.org/mailman/listinfo/users >> >> > >>>>>> >> >> > >>>>> >> >> > >>>>> 3.4 or new 3.5 Generic LDAP provider? >> >> > >>>> >> >> > >>>> >> >> > >>>> On case this is 3.5 it is known issue, all groups will be >> >> > >>>> seen >> >> > >>>> as >> >> > >>>> inactive, >> >> > >>>> this field will probably be removed from UI, as groups are >> >> > >>>> no >> >> > >>>> longer >> >> > >>>> fetched >> >> > >>>> periodically. >> >> > >>>> This field is totally ignored. 
>> >> > >>>> >> >> > >>>> Alon >> >> > >>>> _______________________________________________ >> >> > >>>> Users mailing list >> >> > >>>> Users@ovirt.org >> >> > >>>> http://lists.ovirt.org/mailman/listinfo/users >> >> > >>>> >> >> > >>> _______________________________________________ >> >> > >>> Users mailing list >> >> > >>> Users@ovirt.org >> >> > >>> http://lists.ovirt.org/mailman/listinfo/users >> >> > >> >> >> > > _______________________________________________ >> >> > > Users mailing list >> >> > > Users@ovirt.org >> >> > > http://lists.ovirt.org/mailman/listinfo/users >> >> > > >> >> > >> >> > _______________________________________________ >> >> > Users mailing list >> >> > Users@ovirt.org >> >> > http://lists.ovirt.org/mailman/listinfo/users >> >> > >> >> _______________________________________________ >> >> Users mailing list >> >> Users@ovirt.org >> >> http://lists.ovirt.org/mailman/listinfo/users >> >> >> > _______________________________________________ >> > Users mailing list >> > Users@ovirt.org >> > http://lists.ovirt.org/mailman/listinfo/users >>

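The two queries Yair asks for above (users.group_ids/groups for the user, and id/name from ad_groups) are easiest to compare with a small script. The following is an added example for this thread, not oVirt project code: it takes the two query results and reports groups the user carries that the engine has no ad_groups row for, or whose stored name disagrees. It assumes, as I understand the 3.3 schema (verify against your own DB), that group_ids and groups are comma-separated strings in the same order; the sample rows are constructed, not taken from the thread.

```python
"""Cross-check a user's group references against the engine's ad_groups rows.

Added example, not oVirt code. Assumption: users.group_ids and users.groups
are comma-separated strings of group ids and names in matching order.
"""
from typing import Dict, List, Sequence, Tuple

# Constructed result of:
#   select group_ids, groups from users where username ilike '%pmarino%';
USER_ROW: Tuple[str, str] = (
    "11111111-1111-1111-1111-111111111111,22222222-2222-2222-2222-222222222222",
    "sysadmin,vmusers",
)
# Constructed result of:  select id, name from ad_groups;
AD_GROUPS: List[Tuple[str, str]] = [
    ("11111111-1111-1111-1111-111111111111", "sysadmin"),
    ("33333333-3333-3333-3333-333333333333", "operators"),
]


def split_list(value: str) -> List[str]:
    """Split a comma-separated column value, dropping blanks and whitespace."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def check_user_groups(user_row: Tuple[str, str],
                      ad_groups: Sequence[Tuple[str, str]]) -> List[str]:
    """Return human-readable findings; an empty list means every group the
    user carries is known to the engine under the same id and name."""
    ids, names = split_list(user_row[0]), split_list(user_row[1])
    known: Dict[str, str] = {gid: name for gid, name in ad_groups}
    findings: List[str] = []
    if len(ids) != len(names):
        findings.append(f"group_ids has {len(ids)} entries but groups has {len(names)}")
    # zip() pairs ids with names positionally; unpaired trailing entries are
    # already reported by the count check above.
    for gid, name in zip(ids, names):
        if gid not in known:
            findings.append(f"group '{name}' ({gid}) has no ad_groups row; "
                            "a role granted to that group cannot match this user")
        elif known[gid] != name:
            findings.append(f"group id {gid} is '{known[gid]}' in ad_groups "
                            f"but '{name}' on the user")
    return findings


if __name__ == "__main__":
    for line in check_user_groups(USER_ROW, AD_GROUPS) or ["no mismatches found"]:
        print(line)
```

Feed it the real rows from psql and an empty result means the user/group mapping in the engine DB is consistent, so the Inactive flag (presentation only, per Yair) can be ruled out as the cause.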
----- Original Message -----
From: "Alon Bar-Lev" <alonbl@redhat.com>
To: "Maurice James" <mjames@media-node.com>
Cc: users@ovirt.org
Sent: Saturday, August 9, 2014 9:33:16 AM
Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
----- Original Message -----
From: "Maurice James" <mjames@media-node.com>
To: "Alon Bar-Lev" <alonbl@redhat.com>
Cc: "Itamar Heim" <iheim@redhat.com>, users@ovirt.org
Sent: Saturday, August 9, 2014 3:47:04 AM
Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
Does this still require the use of kerberos? Will 389-ds work on its own?
In 3.5 we introduced pure ldap support[1], obsoleting the kerberos/ldap mix.
It will be great to receive feedback[2].
389ds is not supported directly, I think it is similar to IPA as it uses 389. Maybe I should rename the profile of ipa to 389 if it works properly.
Sorry for the very late response, I was on PTO - Prior to 3.5, 389ds was supported via the RHDS provider AFAIK; 389ds is the "upstream" version of RHDS...
Regards, Alon
[1] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;... [2] http://lists.ovirt.org/pipermail/devel/2014-August/008367.html
----- Original Message -----
From: "Alon Bar-Lev" <alonbl@redhat.com>
To: "Itamar Heim" <iheim@redhat.com>
Cc: users@ovirt.org
Sent: Friday, August 8, 2014 3:45:07 PM
Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
----- Original Message -----
From: "Itamar Heim" <iheim@redhat.com>
To: "Paul Robert Marino" <prmarino1@gmail.com>, users@ovirt.org
Sent: Friday, August 8, 2014 10:37:11 PM
Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
On 08/07/2014 07:06 PM, Paul Robert Marino wrote:
I have ovirt engine running and connected to a 389 server with the memberof plugin enabled and working properly.
I can add users and assign them to roles without any issues.
when I look at a user I can see all the LDAP groups they are a member of.
when I run engine-manage-domains -action=validate it tells me the domain is valid.
here is my problem: when I try to assign a role to an LDAP group it looks like it works but in the general tab when under the group it tells me the status is Inactive.
does anyone know how to enable the group?
3.4 or new 3.5 Generic LDAP provider?
In case this is 3.5 it is a known issue, all groups will be seen as inactive; this field will probably be removed from the UI, as groups are no longer fetched periodically. This field is totally ignored.
Alon
participants (5)
- Alon Bar-Lev
- Itamar Heim
- Maurice James
- Paul Robert Marino
- Yair Zaslavsky