[Users] webadmin login issues with AD

Yair Zaslavsky yzaslavs at redhat.com
Sun Mar 3 06:45:25 UTC 2013



----- Original Message -----
> From: "Keith Mitchell" <kamitch at cisco.com>
> To: "Itamar Heim" <iheim at redhat.com>
> Cc: users at ovirt.org, "Juan Antonio Hernandez Fernandez" <jhernand at redhat.com>, "Yair Zaslavsky" <yzaslavs at redhat.com>
> Sent: Sunday, March 3, 2013 7:15:16 AM
> Subject: Re: [Users] webadmin login issues with AD
> 
> On 3/2/13 11:57 PM, Itamar Heim wrote:
> > On 03/03/2013 06:41, Keith Mitchell wrote:
> >> On 3/2/13 2:51 PM, Itamar Heim wrote:
> >>> On 01/03/2013 18:54, Keith Mitchell wrote:
> >>>>
> >>>> I'm trying to get rhevm 3.1 (which seems to be pretty much ovirt 3.1
> >>>> from what I can tell) authenticating against our active directory
> >>>> infrastructure but am having some difficulty that I don't quite
> >>>> understand and was hoping someone may know what is happening.
> >>>>
> >>>> The server where rhevm/ovirt is running is a RHEL6 based server
> >>>> that has
> >>>> NIS configured (with user home directories mounted via
> >>>> nfs/automounter).  The userids in nis match the userids in our
> >>>> ActiveDirectory server (in fact the passwords should match too
> >>>> since
> >>>> there is a sync between the two).
> >>>>
> >>>> I added the Activedirectory server into ovirt (through
> >>>> rhevm-manage-domains) and it is added/validated successfully. As the
> >>>> local admin user I can go in and search against the active
> >>>> directory, add permissions, etc.
> >>>>
> >>>> But... If I try to log into the webadmin/user portals with one of the
> >>>> active directory accounts it seems to hang... and I noticed that it
> >>>> seems to be trying to mount the home directory of a bunch of users via
> >>>> the automounter (perhaps it's trying to mount everyone's home
> >>>> directory... can't tell).  This takes a super long time since the home
> >>>> directories are all across the world and nfs access to some of these
> >>>> filesystems is really slow... I'm not sure it will ever complete...
> >>>> certainly not before the user gives up.

Hi,
Currently, both search of users in a specific domain + login perform authentication + authorization check + running ldap queries (authorization is a part of the login).
It seems really odd to me that login takes you quite some time, and search of users/groups does not.
What other info can you provide about the user you are trying to log in as? Did you give permissions to many entities?

> >>>>
> >>>> Anyone know what would cause this?  I wouldn't think this should
> >>>> happen.  I was thinking it should just authenticate the password and
> >>>> then look at the permissions granted inside ovirt/rhevm.
> >>>
> >>> there is no need for the engine (rhev) machine to be part of the
> >>> AD
> >>> domain for AD authentication to work, and i don't see why this
> >>> should
> >>> happen.
> >>> yair/juan - thoughts?
> >>>
> >> Turns out the home directory mounting thing had nothing to do with
> >> my
> >> login issues or ovirt... The home directory issue was due to an
> >> issue
> >> with mod_dnssd (part of apache) in RHEL6.
> >>
> >> But even after fixing that, I still have login issues.  Whenever I
> >> try
> >> to authenticate against active directory the webadmin/user gui
> >> seems to
> >> hang.  I've looked at the network trace and it looks like the
> >> active
> >> directory authentication succeeded without issue, but the login
> >> screen
> >> just hangs.
> >>
> >> I can log in with the local admin user fine and I don't see
> >> anything in
> >> the engine.log files.  Perhaps there may be some debug I can turn
> >> on to
> >> help identify what it is doing?
> >>
> >>
> >>
> >
> > does the rest api work for an AD user?
> > (user at domain is the user name format. url is http://xxx/api)
> That seems to hang too.
> 
> 


