Unable to add permissions for LDAP users

I'm using the latest ovirt on CentOS7 with the aaa-ldap extension. I can successfully authenticate as an LDAP user. I can also login as admin@internal and search for, find, and select LDAP users but I cannot add permissions for them. Each time I get the error "User admin@internal-authz failed to grant permission for Role UserRole on System to User/Group <UNKNOWN>."

I have no control over the LDAP server, which uses custom objectClasses and uses groupOfNames instead of PosixGroups. I assume I need to set sequence variables to accommodate our group configuration but I'm at a loss as to where to begin. The config I have is as follows:

include = <rfc2307-generic.properties>

vars.server = labauth.lan.lab.org

pool.authz.auth.type = none
pool.default.serverset.type = single
pool.default.serverset.single.server = ${global:vars.server}
pool.default.ssl.startTLS = true
pool.default.ssl.insecure = true

pool.default.connection-options.connectTimeoutMillis = 10000
pool.default.connection-options.responseTimeoutMillis = 90000
sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
sequence.my-basedn-init-vars.010.description = set baseDN
sequence.my-basedn-init-vars.010.type = var-set
sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
sequence.my-basedn-init-vars.010.var-set.value = o=LANLAB

sequence-init.init.101-my-objectclass-init-vars = my-objectclass-init-vars
sequence.my-objectclass-init-vars.020.description = set objectClass
sequence.my-objectclass-init-vars.020.type = var-set
sequence.my-objectclass-init-vars.020.var-set.variable = simple_filterUserObject
sequence.my-objectclass-init-vars.020.var-set.value = (objectClass=labPerson)(uid=*)

search.default.search-request.derefPolicy = NEVER

sequence-init.init.900-local-init-vars = local-init-vars
sequence.local-init-vars.010.description = override name space
sequence.local-init-vars.010.type = var-set
sequence.local-init-vars.010.var-set.variable = simple_namespaceDefault
sequence.local-init-vars.010.var-set.value = *

sequence.local-init-vars.020.description = apply filter to users
sequence.local-init-vars.020.type = var-set
sequence.local-init-vars.020.var-set.variable = simple_filterUserObject
sequence.local-init-vars.020.var-set.value = ${seq:simple_filterUserObject}(employeeStatus=3)

sequence.local-init-vars.030.description = apply filter to groups
sequence.local-init-vars.030.type = var-set
sequence.local-init-vars.030.var-set.variable = simple_filterGroupObject
sequence.local-init-vars.030.var-set.value = (objectClass=groupOfUniqueNames)

On 10/06/2016 01:47 PM, Michael Burch wrote:
> I'm using the latest ovirt on CentOS7 with the aaa-ldap extension. I can successfully authenticate as an LDAP user. I can also login as admin@internal and search for, find, and select LDAP users but I cannot add permissions for them. Each time I get the error "User admin@internal-authz failed to grant permission for Role UserRole on System to User/Group <UNKNOWN>."
This error usually means a bad unique attribute was used.
> I have no control over the LDAP server, which uses custom objectClasses and uses groupOfNames instead of PosixGroups. I assume I need to set sequence variables to accommodate our group configuration but I'm at a loss as to where to begin. The config I have is as follows:
>
> include = <rfc2307-generic.properties>
>
> vars.server = labauth.lan.lab.org
>
> pool.authz.auth.type = none
> pool.default.serverset.type = single
> pool.default.serverset.single.server = ${global:vars.server}
> pool.default.ssl.startTLS = true
> pool.default.ssl.insecure = true
>
> pool.default.connection-options.connectTimeoutMillis = 10000
> pool.default.connection-options.responseTimeoutMillis = 90000
> sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
> sequence.my-basedn-init-vars.010.description = set baseDN
> sequence.my-basedn-init-vars.010.type = var-set
> sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
> sequence.my-basedn-init-vars.010.var-set.value = o=LANLAB
>
> sequence-init.init.101-my-objectclass-init-vars = my-objectclass-init-vars
> sequence.my-objectclass-init-vars.020.description = set objectClass
> sequence.my-objectclass-init-vars.020.type = var-set
> sequence.my-objectclass-init-vars.020.var-set.variable = simple_filterUserObject
> sequence.my-objectclass-init-vars.020.var-set.value = (objectClass=labPerson)(uid=*)
>
> search.default.search-request.derefPolicy = NEVER
>
> sequence-init.init.900-local-init-vars = local-init-vars
> sequence.local-init-vars.010.description = override name space
> sequence.local-init-vars.010.type = var-set
> sequence.local-init-vars.010.var-set.variable = simple_namespaceDefault
> sequence.local-init-vars.010.var-set.value = *
What's this^ for? I think it's unusable.
> sequence.local-init-vars.020.description = apply filter to users
> sequence.local-init-vars.020.type = var-set
> sequence.local-init-vars.020.var-set.variable = simple_filterUserObject
> sequence.local-init-vars.020.var-set.value = ${seq:simple_filterUserObject}(employeeStatus=3)
>
> sequence.local-init-vars.030.description = apply filter to groups
> sequence.local-init-vars.030.type = var-set
> sequence.local-init-vars.030.var-set.variable = simple_filterGroupObject
> sequence.local-init-vars.030.var-set.value = (objectClass=groupOfUniqueNames)
This looks like a hard-to-maintain file. I would suggest you insert into this file just the following:

include = <rfc2307-mycustom.properties>

vars.server = labauth.lan.lab.org

pool.authz.auth.type = none
pool.default.serverset.type = single
pool.default.serverset.single.server = ${global:vars.server}
pool.default.ssl.startTLS = true
pool.default.ssl.insecure = true

pool.default.connection-options.connectTimeoutMillis = 10000
pool.default.connection-options.responseTimeoutMillis = 90000

# Set custom base DN
sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
sequence.my-basedn-init-vars.010.description = set baseDN
sequence.my-basedn-init-vars.010.type = var-set
sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
sequence.my-basedn-init-vars.010.var-set.value = o=LANLAB

And then create in directory '/usr/share/ovirt-engine-extension-aaa-ldap/profiles/' the file 'rfc2307-mycustom.properties' with this content:

include = <rfc2307.properties>

sequence-init.init.100-rfc2307-mycustom-init-vars = rfc2307-mycustom-init-vars
sequence.rfc2307-mycustom-init-vars.010.description = set unique attr
sequence.rfc2307-mycustom-init-vars.010.type = var-set
sequence.rfc2307-mycustom-init-vars.010.var-set.variable = rfc2307_attrsUniqueId
sequence.rfc2307-mycustom-init-vars.010.var-set.value = FIND_THIS_ONE
sequence.rfc2307-mycustom-init-vars.020.type = var-set
sequence.rfc2307-mycustom-init-vars.020.var-set.variable = simple_filterUserObject
sequence.rfc2307-mycustom-init-vars.020.var-set.value = (objectClass=labPerson)(employeeStatus=3)(${seq:simple_attrsUserName}=*)

Replace FIND_THIS_ONE with the unique attribute of labPerson (I guess). It can be an extended attribute (+, ++).

$ LDAPTLS_REQCERT=never ldapsearch -ZZ -x -b 'o=LANLAB' -H ldap://labauth.lan.lab.org 'objectClass=labPerson'

maybe (or even with two +):

$ LDAPTLS_REQCERT=never ldapsearch -ZZ -x -b 'o=LANLAB' -H ldap://labauth.lan.lab.org 'objectClass=labPerson' +

The question is whether your implementation even has a unique attribute. Does it?

Also, could you share what your LDAP provider is? And if you could share the content of some user, that would help as well.
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

From: Richard Neuboeck <hawk@tbi.univie.ac.at>
To: Ondra Machacek <omachace@redhat.com>, users <users@ovirt.org>
Subject: Re: [ovirt-users] Unable to add permissions for LDAP users

Hi,

I seem to experience the same problem right now and am at a bit of a loss as to where to dig for some more troubleshooting information. I would highly appreciate some help.

Here is what I have and what I did:

ovirt-engine-4.1.0.4-1.el7.centos.noarch
ovirt-engine-extension-aaa-ldap-1.3.0-1.el7.noarch

I executed ovirt-engine-extension-aaa-ldap-setup. My LDAP provider is 389ds (FreeIPA). I can successfully run a search and also login from the setup script.

After running the setup I rebooted the Engine VM to make sure everything is restarted.

In the web UI configuration for 'System Permissions' I'm able to find users from LDAP but when I try to 'Add' a selected user the UI shows me this error: 'User admin@internal-authz failed to grant permission for Role SuperUser on System to User/Group <UNKNOWN>.'

In the engine.log the following lines are generated:

2017-03-09 14:02:49,308+01 INFO [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-6-thread-4) [1ebae5e0-e5f6-49ba-ac80-95266c582893] Running command: AddSystemPermissionCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group MANIPULATE_PERMISSIONS with role type USER, ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group ADD_USERS_AND_GROUPS_FROM_DIRECTORY with role type USER
2017-03-09 14:02:49,319+01 ERROR [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-6-thread-4) [1ebae5e0-e5f6-49ba-ac80-95266c582893] Transaction rolled-back for command 'org.ovirt.engine.core.bll.AddSystemPermissionCommand'.
2017-03-09 14:02:49,328+01 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-6-thread-4) [1ebae5e0-e5f6-49ba-ac80-95266c582893] EVENT_ID: USER_ADD_SYSTEM_PERMISSION_FAILED(867), Correlation ID: 1ebae5e0-e5f6-49ba-ac80-95266c582893, Call Stack: null, Custom Event ID: -1, Message: User admin@internal-authz failed to grant permission for Role SuperUser on System to User/Group <UNKNOWN>.

So far I've re-run the ldap-setup routine. I made sure all newly generated files in /etc/ovirt-engine/[aaa|extensions.d] are owned by ovirt:ovirt (instead of root) and have 0600 as permission (instead of 0644). That didn't change anything.

I've also found an older bug report, but for oVirt 3.5: https://bugzilla.redhat.com/show_bug.cgi?id=1121954 That didn't reveal anything new either.

Any ideas what I could try next?

Thanks!
Cheers
Richard

On 10/06/2016 04:36 PM, Ondra Machacek wrote:
--
/dev/null

On Thu, Mar 9, 2017 at 2:22 PM, Richard Neuboeck <hawk@tbi.univie.ac.at> wrote:
> Hi,
>
> I seem to experience the same problem right now and am at a bit of a loss as to where to dig for some more troubleshooting information. I would highly appreciate some help.
>
> Here is what I have and what I did:
>
> ovirt-engine-4.1.0.4-1.el7.centos.noarch
> ovirt-engine-extension-aaa-ldap-1.3.0-1.el7.noarch
>
> I executed ovirt-engine-extension-aaa-ldap-setup. My LDAP provider is 389ds (FreeIPA).
So what's your provider, 389ds or FreeIPA? Note that both use a different unique ID. IPA is using 'ipaUniqueID', and 389ds is using 'nsuniqueid'. Did you try both?
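Ondra's advice in both replies comes down to one check: find the attribute that every user entry carries exactly once with a value that is unique across the directory (ipaUniqueID on FreeIPA, nsuniqueid on 389ds) and put it into rfc2307_attrsUniqueId; if the configured attribute is missing or not unique, the engine cannot identify the user and reports User/Group <UNKNOWN>. The script below is an added example, not code from the thread or from oVirt: it parses the LDIF that an ldapsearch with '+' returns (a constructed sample is embedded), picks the first usable candidate, and renders the rfc2307-mycustom.properties snippet with FIND_THIS_ONE replaced. The candidate list, including entryUUID as a fallback, is my assumption.

```python
"""Added example (not from the thread or from oVirt): pick the unique-ID
attribute for an rfc2307 aaa-ldap profile from an ldapsearch LDIF dump taken
with '+', then render rfc2307-mycustom.properties with FIND_THIS_ONE filled in."""
import base64

# Candidates in preference order: ipaUniqueID (FreeIPA) and nsuniqueid (389ds)
# are named in the thread; entryUUID (RFC 4530) is an assumed extra fallback.
CANDIDATES = ("ipaUniqueID", "nsuniqueid", "entryUUID")

# Constructed sample of what a 389ds-style server returns for two labPerson
# entries when operational attributes are requested with '+'.
SAMPLE_LDIF = """\
# requesting: +
dn: uid=alice,ou=people,o=LANLAB
objectClass: labPerson
uid: alice
employeeStatus: 3
cn:: QWxpY2UgRXhhbXBsZQ==
nsuniqueid: 6b1d2a80-1dd211b2-8000a3ee-c0a80001
entryUUID: 0f2c7c2e-1a2b-4c3d-9e8f-000000000001

dn: uid=bob,ou=people,o=LANLAB
objectClass: labPerson
uid: bob
employeeStatus: 3
cn: Bob Example
description: lab account used to check the oVirt
  aaa-ldap unique attribute
nsuniqueid: 6b1d2a80-1dd211b2-8000a3ee-c0a80002
entryUUID: 0f2c7c2e-1a2b-4c3d-9e8f-000000000002

search: 2
result: 0 Success
"""


def parse_ldif(text):
    """One {attr: [values]} dict per entry: unfolds continuation lines, decodes
    'attr::' base64 values, skips comments and dn-less blocks; names lower-cased."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]              # folded continuation line
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):                # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return [e for e in entries if "dn" in e]    # drops the search/result trailer


def choose_unique_attr(entries, candidates=CANDIDATES):
    """First candidate every entry carries exactly once with a value that is
    unique across entries; None if nothing qualifies (the <UNKNOWN> case)."""
    for cand in candidates:
        per_entry = [e.get(cand.lower(), []) for e in entries]
        if not entries or any(len(v) != 1 for v in per_entry):
            continue                            # missing or multi-valued somewhere
        values = [v[0] for v in per_entry]
        if len(set(values)) == len(values):
            return cand
    return None


def render_profile(unique_attr, user_filter="(objectClass=labPerson)(employeeStatus=3)"):
    """The rfc2307-mycustom.properties content suggested in the thread."""
    p = "sequence.rfc2307-mycustom-init-vars"
    return "\n".join([
        "include = <rfc2307.properties>",
        "sequence-init.init.100-rfc2307-mycustom-init-vars = rfc2307-mycustom-init-vars",
        f"{p}.010.description = set unique attr",
        f"{p}.010.type = var-set",
        f"{p}.010.var-set.variable = rfc2307_attrsUniqueId",
        f"{p}.010.var-set.value = {unique_attr}",
        f"{p}.020.type = var-set",
        f"{p}.020.var-set.variable = simple_filterUserObject",
        f"{p}.020.var-set.value = {user_filter}(${{seq:simple_attrsUserName}}=*)",
    ]) + "\n"
```

Against the sample, choose_unique_attr picks nsuniqueid (no entry has ipaUniqueID); feed it real ldapsearch output and it falls through to None when no candidate is both present everywhere and unique, which is the situation that produces the <UNKNOWN> error.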
participants (3): Michael Burch, Ondra Machacek, Richard Neuboeck