[ovirt-users] Can not configure with simple LDAP.

Alon Bar-Lev alonbl at redhat.com
Mon Sep 22 06:15:04 EDT 2014

You need to add the following:

+       <logger category="org.ovirt.engineextensions.aaa.ldap">
+        <level name="FINEST"/>
+       </logger>
        <logger category="org.ovirt.engine.core.bll">
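Review bot: adding the logger alone is not enough when the ENGINE file-handler is still at INFO, because the handler filters out the FINEST records before they reach engine.log; the instructions should say to raise the file-handler to `<level name="FINEST"/>` as well (this is the correction made later in the thread). Also worth stating that FINEST on org.ovirt.engineextensions.aaa.ldap is a temporary diagnostic setting to revert once the output has been collected, since it makes the LDAP extension's bind and search activity far more verbose than the INFO lines shown in the thread, in a log that is then mailed around.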

Look at the + lines; please add these (without the +) just before: <logger category="org.ovirt.engine.core.bll">


----- Original Message -----
> From: "Fumihide Tani" <RXC05271 at nifty.com>
> To: "Alon Bar-Lev" <alonbl at redhat.com>
> Cc: users at ovirt.org
> Sent: Monday, September 22, 2014 1:10:57 PM
> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
> (2014/09/22 15:00), Alon Bar-Lev wrote:
> >
> > ----- Original Message -----
> >> From: "Fumihide Tani" <RXC05271 at nifty.com>
> >> To: "Alon Bar-Lev" <alonbl at redhat.com>
> >> Cc: users at ovirt.org
> >> Sent: Monday, September 22, 2014 4:16:17 AM
> >> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
> >>
> >> (2014/09/22 0:16), Alon Bar-Lev wrote:
> >>> ----- Original Message -----
> >>>> From: "Fumihide Tani" <RXC05271 at nifty.com>
> >>>> To: "Alon Bar-Lev" <alonbl at redhat.com>
> >>>> Cc: users at ovirt.org
> >>>> Sent: Sunday, September 21, 2014 6:00:48 PM
> >>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
> >>>>
> >>>> Hi, Alon,
> >>>>
> >>>> Following Alon's advice, I added the authz-company.properties file to the
> >>>> configuration directory.
> >>>> Then OpenLDAP users can be searched from the oVirt Web Admin, and I could
> >>>> add its users to the portal successfully.
> >>>>
> >>>> But I have another problem.
> >>>> These OpenLDAP users that I added cannot log in to the oVirt web user
> >>>> portal.
> >>>>
> >>>> User Name: Fumihide (This is shown on Web Admin Portal "Users" tab as
> >>>> "First
> >>>> Name")
> >>>> Password: (I specified it as OpenLDAP's userPassword for "Fumihide")
> >>>> Domain: rxc05271.com (I selected instead of "internal")
> >>>>
> >>>> ?
> >>> 1. What error do you get at ui?
> >> "The user name or password is incorrect."
> >>
> >>> 2. Please look at engine.log while attempting to login, if you see
> >>> something helpful.
> >> 2014-09-22 09:53:27,669 INFO
> >> [org.ovirt.engine.core.bll.aaa.LoginBaseCommand]
> >> (ajp-- Cant login user "Fumihide" with authentication
> >> profile "rxc05271.com" because the authentication failed.
> >> 2014-09-22 09:53:27,685 ERROR
> >> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> >> (ajp-- Correlation ID: null, Call Stack: null, Custom
> >> Event
> >> ID: -1, Message: User Fumihide cannot login, please verify the username
> >> and
> >> password.
> >> 2014-09-22 09:53:27,693 ERROR
> >> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> >> (ajp-- Correlation ID: null, Call Stack: null, Custom
> >> Event
> >> ID: -1, Message: User Fumihide failed to log in.
> >> 2014-09-22 09:53:27,693 WARN
> >> [org.ovirt.engine.core.bll.aaa.LoginUserCommand]
> >> (ajp-- CanDoAction of action LoginUser failed.
> >>
> >>> 3. Please make sure that the following is a success:
> >>> $ ldapsearch -h <HOST> -x -W -D <LOGIN_USER_DN> -b <BASE_DN>
> >>> uid=<LOGIN_NAME>
> >> [root at ovirt ~]# ldapsearch -H ldapi:/// -x -W -D
> >> "uid=tani,ou=Users,dc=rxc05271,dc=com" -b 'dc=rxc05271,dc=com' -x
> >> '(uid=tani)'
> >> Enter LDAP Password:
> >> # extended LDIF
> >> #
> >> # LDAPv3
> >> # base <dc=rxc05271,dc=com> with scope subtree
> >> # filter: (uid=tani)
> >> # requesting: ALL
> >> #
> >>
> >> # tani, Users, rxc05271.com
> >> dn: uid=tani,ou=Users,dc=rxc05271,dc=com
> >> objectClass: inetOrgPerson
> >> objectClass: uidObject
> >> uid: tani
> >> cn: Fumihide Tani
> >> givenName: Fumihide
> >> mail: tani at rxc05271.com
> >> sn: Tani
> >> userPassword:: a3VtaXRhbg==
> >>
> >> # search result
> >> search: 2
> >> result: 0 Success
> >>
> >> # numResponses: 2
> >> # numEntries: 1
> >> [root at ovirt ~]#
> >>
> >>> 4. If working please modify
> >>> /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in
> >>> ---
> >>>          <file-handler name="ENGINE" autoflush="true">
> >>> -        <level name="INFO"/>
> >>> -        <level name="FINEST"/>
> >>> <snip>
> >>> +       <logger category="org.ovirt.engineextensions.aaa.ldap">
> >>> +        <level name="FINEST"/>
> >>> +       </logger>
> >>>           <logger category="org.ovirt.engine.core.bll">
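Review bot: the file-handler part of this hunk marks both `<level name="INFO"/>` and `<level name="FINEST"/>` with `-` and has no `+` line, so it does not say what the handler level should become; the reply "logger level is not changed to FINEST? outputs is same as above" shows the reader applied only the logger change. It should read `-        <level name="INFO"/>` followed by `+        <level name="FINEST"/>` under `<file-handler name="ENGINE" autoflush="true">`, as the follow-up message corrects.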
> >>> ---
> >>> Restart engine, attempt login, send me the output.
> >> 2014-09-22 10:03:57,517 INFO
> >> [org.ovirt.engine.core.bll.aaa.LoginBaseCommand]
> >> (ajp-- Cant login user "Fumihide" with authentication
> >> profile "rxc05271.com" because the authentication failed.
> >> 2014-09-22 10:03:57,534 ERROR
> >> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> >> (ajp-- Correlation ID: null, Call Stack: null, Custom
> >> Event
> >> ID: -1, Message: User Fumihide cannot login, please verify the username
> >> and
> >> password.
> >> 2014-09-22 10:03:57,545 ERROR
> >> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> >> (ajp-- Correlation ID: null, Call Stack: null, Custom
> >> Event
> >> ID: -1, Message: User Fumihide failed to log in.
> >> 2014-09-22 10:03:57,545 WARN
> >> [org.ovirt.engine.core.bll.aaa.LoginUserCommand]
> >> (ajp-- CanDoAction of action LoginUser failed.
> >>
> >> (logger level is not changed to FINEST? output is the same as above.)
> >>
> > I had a mistake above... the file-handler level should be set to finest.
> >
> > <file-handler name="ENGINE" autoflush="true">
> >      <level name="FINEST"/>
> >
> > can you confirm?
> > or best send me the engine.xml.in file and I can see what's wrong.
> >
> > thanks!
> I set file-handler's level name to "FINEST", but the output is the same as before.
> I attached the ovirt-engine.xml.in
> Regards,
> >
> >
> >> Thanks,
> >> Fumihide Tani
> >>
> >>
> >>>> Please advise me; I would be very thankful.
> >>>>
> >>>> Fumihide Tani
> >>>>
> >>>>
> >>>> (2014/09/21 17:13), Alon Bar-Lev wrote:
> >>>>> ----- Original Message -----
> >>>>>> From: "Fumihide Tani" <RXC05271 at nifty.com>
> >>>>>> To: "Alon Bar-Lev" <alonbl at redhat.com>
> >>>>>> Cc: users at ovirt.org
> >>>>>> Sent: Sunday, September 21, 2014 11:11:11 AM
> >>>>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
> >>>>>>
> >>>>>> Hi, Alon
> >>>>>>
> >>>>>> Many thanks for your help.
> >>>>>> My problem was solved and the AAA is working now.
> >>>>>> I could add LDAP user. :)
> >>>>> Great.
> >>>>> Can you please send me a patch or modified README to make it better?
> >>>>>
> >>>>> Alon
> >>>>>
> >>>>>> Fumihide Tani
> >>>>>>
> >>>>>> (2014/09/21 16:19), Alon Bar-Lev wrote:
> >>>>>>> ----- Original Message -----
> >>>>>>>> From: "Alon Bar-Lev" <alonbl at redhat.com>
> >>>>>>>> To: "Fumihide Tani" <RXC05271 at nifty.com>
> >>>>>>>> Cc: users at ovirt.org
> >>>>>>>> Sent: Sunday, September 21, 2014 10:19:11 AM
> >>>>>>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
> >>>>>>>>
> >>>>>>>> Hi,
> >>>>>>>>
> >>>>>>>> You need to create authz extension as well (authz-company).
> >>>>>>>> The configuration you provided establishes authentication only
> >>>>>>>> (authn), which refers to authz-company, but you did not add it.
> >>>>>>>>
> >>>>>>>> The terms are:
> >>>>>>>> 1. authn - who the user is.
> >>>>>>>> 2. authz - what the user is permitted to do.
> >>>>>>>> 3. profile - combination of the two.
> >>>>>>>>
> >>>>>>>> -----------------------------
> >>>>>>>> # vi /etc/ovirt-engine/extensions.d/authz-company.properties
> >>>>>>>> ovirt.engine.extension.name = authz-company
> >>>>>>>> ovirt.engine.extension.bindings.method = jbossmodule
> >>>>>>>> ovirt.engine.extension.binding.jbossmodule.module =
> >>>>>>>> org.ovirt.engine-extensions.aaa.ldap
> >>>>>>>> ovirt.engine.extension.binding.jbossmodule.class =
> >>>>>>>> org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> >>>>>>> Sorry:
> >>>>>>> org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> >>>>>>>> ovirt.engine.extension.provides =
> >>>>>>>> org.ovirt.engine.api.extensions.aaa.Authz
> >>>>>>>> config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
> >>>>>>>> --------------------------------------------------
> >>>>>>>>
> >>>>>>>> Regards,
> >>>>>>>> Alon
> >>>>
> >>
> >>
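A small check for the two wiring mistakes this thread works through: an authn extension that refers to an authz extension which does not exist, and an authz file bound to the Authn class instead of AuthzExtension. This is an added example, not oVirt's or Alon's code; the `ovirt.engine.aaa.authn.authz.plugin` key is taken from the aaa-ldap extension's documented format rather than from the thread and is an assumption, and the sample files are constructed.

```python
# Added example (not oVirt code): check authn/authz extension wiring in
# /etc/ovirt-engine/extensions.d; interface/class names are those in the thread.
EXPECTED_CLASS = {
    "org.ovirt.engine.api.extensions.aaa.Authn":
        "org.ovirt.engineextensions.aaa.ldap.AuthnExtension",
    "org.ovirt.engine.api.extensions.aaa.Authz":
        "org.ovirt.engineextensions.aaa.ldap.AuthzExtension",
}
# Key by which an authn extension names its authz partner: taken from the
# aaa-ldap extension's documented format, not from the thread (assumption).
AUTHZ_REF_KEY = "ovirt.engine.aaa.authn.authz.plugin"

def parse_properties(text):
    """Minimal Java-style .properties parser: 'key = value', '#' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_extensions(texts):
    """texts: contents of each extensions.d file. Returns wiring problems."""
    exts = {}
    for p in map(parse_properties, texts):
        exts[p.get("ovirt.engine.extension.name", "?")] = p
    problems = []
    for name, p in exts.items():
        provides = p.get("ovirt.engine.extension.provides", "")
        cls = p.get("ovirt.engine.extension.binding.jbossmodule.class", "")
        want = EXPECTED_CLASS.get(provides)
        if want and cls != want:  # e.g. an Authz extension bound to AuthnExtension
            problems.append(f"{name}: provides {provides} but binds {cls}")
        authz = p.get(AUTHZ_REF_KEY)
        if provides.endswith(".Authn") and authz not in exts:
            problems.append(f"{name}: authz '{authz}' is not defined")
    return problems

# Constructed samples: the authz file has the class slip corrected in the thread.
AUTHN = """ovirt.engine.extension.name = authn-company
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.aaa.authn.authz.plugin = authz-company
"""
AUTHZ_BAD = """ovirt.engine.extension.name = authz-company
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
"""
AUTHZ_OK = AUTHZ_BAD.replace("AuthnExtension", "AuthzExtension")
```

Running `check_extensions` over the real directory contents before `service ovirt-engine restart` surfaces both mistakes without a login attempt or a FINEST log.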

