----- Original Message -----
From: "Juan Jose" <jj197005(a)gmail.com>
To: "Alon Bar-Lev" <alonbl(a)redhat.com>, "Yair Zaslavsky" <yzaslavs(a)redhat.com>
Sent: Wednesday, December 10, 2014 12:30:34 PM
Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
Hello Alon and Yair,
Many thanks for your help, finally it works properly. My problem, after
Alon's last indications, was that my user "Juanjo" was defined with the SuperUser
role in the previous domain configuration. I have logged in with the admin user
from internal, I have removed the old configuration and I have configured my
user "Juanjo" with all administrator roles in the folder "Permission", and I
can log in to the administration portal without problems and it works properly.
The final configuration I have is an emulated *AD based on Samba 4* and the
final configuration files are:
Good!
So Samba is not emulating Active Directory entirely :)
But good to know it is working.
Please also check group membership.
ovirt-engine-extension-aaa-ldap.noarch
1.0.1-0.0.master.20141209141731.git0437701.el6
This fix for Samba AD will be released in 1.0.1.
*/etc/ovirt-engine/extensions.d/siee-local-authn.properties*:
ovirt.engine.extension.name = siee-local-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = siee
ovirt.engine.aaa.authn.authz.plugin = siee-local-authz
config.profile.file.1 = /etc/ovirt-engine/aaa/siee.properties
*/etc/ovirt-engine/extensions.d/siee-local-authz.properties*:
ovirt.engine.extension.name = siee-local-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/siee.properties
*/etc/ovirt-engine/aaa/siee.properties*:
include = <ad.properties>
#
# Active directory domain name.
#
vars.domain = siee.local
#
# Search user and its password.
#
vars.user = searcher@${global:vars.domain}
vars.password = xxxx
#
# Optional DNS servers, if enterprise
# DNS server cannot resolve the domain srvrecord.
#
#vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
# Uncomment if using custom DNS
#pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
#pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
#pool.default.ssl.truststore.password = changeit
You should enable SSL for production use... as you do not want passwords to be transmitted
in the clear.
Not sure how you install SSL on the Samba LDAP... but once you do, follow the README
instructions[1].
[1]
http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=bl...
*/etc/krb5.conf*:
You are not using Kerberos, so there is no reason to configure it for the setup to work.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = SIEE.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = no
default_tkt_enctypes = arcfour-hmac-md5
udp_preference_limit = 1
#[realms]
#[domain_realm]
# .siee.local = SIEE.LOCAL
# siee.local = SIEE.LOCAL
Many thanks again to everybody,
Juanjo.
On Tue, Dec 9, 2014 at 5:31 PM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
>
>
> ----- Original Message -----
> > From: "Juan Jose" <jj197005(a)gmail.com>
> > To: "Alon Bar-Lev" <alonbl(a)redhat.com>, "Yair Zaslavsky" <yzaslavs(a)redhat.com>
> > Sent: Tuesday, December 9, 2014 5:42:56 PM
> > Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
> >
> > Hello Alon,
> >
> > In my first e-mails I had already said that I have an emulation of AD
> > based on Samba 4. I have tested the last version of the
> > ovirt-engine-extension-aaa-ldap package and I think the problem is the same,
> > although the error is "User is not authorized to perform this action".
> >
> > I attach the engine.log.
>
> USER_NOT_AUTHORIZED_TO_PERFORM_ACTION means the user is not a superuser or cannot
> manage objects, as far as I know.
>
> I see siee0(a)siee.local is trying to log in, which is CN=siee0 siee0,CN=Users,DC=siee,DC=local
>
> Login succeeds.
>
> I do not see any groups it belongs to.
>
> Are you sure you added this user role within the webadmin or that user
> belongs to groups that were added to engine with such roles?
>
> >
> > In case the new oVirt version 3.5 doesn't work with an AD emulation
> > based on Samba 4, is it possible to do user authentication with an OpenLDAP
> > directly with this 3.5 version? If so, could you give me the link to
> > the documentation to configure OpenLDAP authentication?
>
> Sure, just copy /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple
> recursively into /etc/ovirt-engine, then modify /etc/ovirt-engine/aaa/ldap1.properties
> and set vars.server, vars.user, vars.password.
>
> Until 3.5.1 you should also edit
> /etc/ovirt-engine/extensions.d/domain1*.properties and replace ../aaa with
> /etc/ovirt-engine/aaa
>
>
> > Many thanks in advance,
> >
> > Juanjo.
> >
> > On Tue, Dec 9, 2014 at 3:16 PM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
> >
> > >
> > >
> > > ----- Original Message -----
> > > > From: "Alon Bar-Lev" <alonbl(a)redhat.com>
> > > > To: "Juan Jose" <jj197005(a)gmail.com>
> > > > Cc: "users" <users(a)ovirt.org>
> > > > Sent: Tuesday, December 9, 2014 3:59:33 PM
> > > > Subject: Re: [ovirt-users] Adding domain to oVirt to 3.5 issue
> > > >
> > > > We start over...
> > > >
> > > > This is not active directory... it is samba.
> > > >
> > > > Attribute(name=vendorName, values={'Samba Team (http://samba.org)'})
> > > >
> > > > Only now I realized this, maybe you mentioned it earlier not sure.
> > > >
> > > > Of course this was never tested, so probably not working.
> > > >
> > > > I see that Samba does not return a list of extended operations, I will
> > > > work around this and we can see what else differs from Active Directory.
> > >
> > > Can you please checkout the following rpm[1]?
> > >
> > > [1]
> > >
>
http://jenkins.ovirt.org/job/ovirt-engine-extension-aaa-ldap_master_creat...
> > >
> >
>
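An added example, not code from this thread or from the oVirt project, scripting the two admin steps discussed above: Alon's recipe for installing the aaa-ldap "simple" example profile (copy it, set vars.server/vars.user/vars.password, and on 3.5.0 rewrite the relative ../aaa path to the absolute aaa directory), and his advice to enable SSL so the simple-bind password does not cross the wire in the clear, applied to a profile shaped like the siee.properties posted above. The profile tree written by write_sample_tree is a constructed stand-in for the package's examples/simple directory; the hostnames, the truststore path and alias, and the Samba CA path /var/lib/samba/private/tls/ca.pem (Samba's default for a provisioned DC) are assumptions. The keytool and ldapsearch invocations use only documented options; build_truststore and verify_bind need a reachable DC and are not exercised by the offline part.

```shell
#!/bin/sh
# Added example (not from the thread or the oVirt project). Assumed names:
# ldap.siee.local, the .jks path, alias "ldapca", Samba's default ca.pem path.

# Constructed sample mirroring the examples/simple layout and the siee.properties
# posted in the thread; values are placeholders, not real credentials.
write_sample_tree() {
    root="$1"
    mkdir -p "$root/extensions.d" "$root/aaa"
    cat > "$root/extensions.d/domain1-authn.properties" <<'EOF'
ovirt.engine.extension.name = domain1-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = domain1
ovirt.engine.aaa.authn.authz.plugin = domain1-authz
config.profile.file.1 = ../aaa/ldap1.properties
EOF
    cat > "$root/aaa/ldap1.properties" <<'EOF'
vars.domain = siee.local
vars.server = ldap1.example.com
vars.user = searcher@${global:vars.domain}
vars.password = xxxx
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
#pool.default.ssl.truststore.password = changeit
EOF
}

# Step 1 (Alon's recipe): copy the example tree, set server / search user /
# password, and replace "../aaa" with the absolute aaa directory so the
# extension finds the profile regardless of the engine's working directory.
install_simple_profile() {
    src="$1"; dst="$2"; server="$3"; binddn="$4"; password="$5"
    mkdir -p "$dst"
    cp -R "$src/." "$dst/"
    f="$dst/aaa/ldap1.properties"
    sed -e "s|^vars\.server *=.*|vars.server = $server|" \
        -e "s|^vars\.user *=.*|vars.user = $binddn|" \
        -e "s|^vars\.password *=.*|vars.password = $password|" \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    for e in "$dst"/extensions.d/domain1-*.properties; do
        sed -e "s|= *\.\./aaa/|= $dst/aaa/|" "$e" > "$e.tmp" && mv "$e.tmp" "$e"
    done
}

# Step 2a: import the directory's CA certificate into a JKS truststore for the
# engine (same keytool form as the extension README). Needs the CA PEM; the
# Samba default path is an assumption. Not run by the offline demo.
build_truststore() {
    capem="${1:-/var/lib/samba/private/tls/ca.pem}"; jks="$2"; storepass="${3:-changeit}"
    keytool -importcert -noprompt -trustcacerts -alias ldapca \
        -file "$capem" -keystore "$jks" -storepass "$storepass"
}

# Step 2b: replace the commented ssl placeholders with a live StartTLS setting
# and truststore so the simple bind is never sent over cleartext LDAP.
enable_starttls() {
    profile="$1"; jks="$2"; storepass="$3"
    sed -e 's|^#*pool\.default\.ssl\.startTLS *=.*|pool.default.ssl.startTLS = true|' \
        -e "s|^#*pool\.default\.ssl\.truststore\.file *=.*|pool.default.ssl.truststore.file = $jks|" \
        -e "s|^#*pool\.default\.ssl\.truststore\.password *=.*|pool.default.ssl.truststore.password = $storepass|" \
        "$profile" > "$profile.tmp" && mv "$profile.tmp" "$profile"
}

# Returns 0 only if the profile requires StartTLS and names a truststore,
# i.e. the bind password will not leave the engine in the clear.
check_profile() {
    profile="$1"
    grep -Eq '^pool\.default\.ssl\.startTLS *= *true *$' "$profile" || return 1
    grep -Eq '^pool\.default\.ssl\.truststore\.file *= *[^ ]' "$profile" || return 1
    grep -Eq '^pool\.default\.ssl\.truststore\.password *= *[^ ]' "$profile" || return 1
    return 0
}

# Step 3: outside the engine, confirm the DC accepts StartTLS with this CA (-ZZ
# fails hard if TLS cannot be established) and that the search user can read a
# user's memberOf, which covers Alon's "check group membership" point. Needs
# the DC; not run by the offline demo.
verify_bind() {
    dc="$1"; capem="$2"; binddn="$3"; base="$4"; account="$5"
    LDAPTLS_CACERT="$capem" ldapsearch -ZZ -H "ldap://$dc" -D "$binddn" -W \
        -b "$base" "(sAMAccountName=$account)" memberOf
}

# Offline demo on constructed files (no engine, no DC needed).
demo_src=$(mktemp -d); demo_dst=$(mktemp -d)
write_sample_tree "$demo_src"
install_simple_profile "$demo_src" "$demo_dst" ldap.siee.local 'searcher@siee.local' 'S3cret'
check_profile "$demo_dst/aaa/ldap1.properties" && echo "before: TLS" || echo "before: cleartext bind"
enable_starttls "$demo_dst/aaa/ldap1.properties" "$demo_dst/aaa/siee.local.jks" changeit
check_profile "$demo_dst/aaa/ldap1.properties" && echo "after: TLS" || echo "after: cleartext bind"
rm -rf "$demo_src" "$demo_dst"
```

Against a real engine, run install_simple_profile with src=/usr/share/ovirt-engine-extension-aaa-ldap/examples/simple and dst=/etc/ovirt-engine, build the truststore, call enable_starttls on the installed profile, then run verify_bind against the DC before restarting ovirt-engine; if ldapsearch -ZZ fails, the engine will fail the same way, and the profile should not be left with startTLS disabled as a workaround.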