[ovirt-users] Can not configure with simple LDAP.

Fumihide Tani RXC05271 at nifty.com
Sun Sep 21 06:55:28 UTC 2014


Hello,

I'm running oVirt Engine, OpenLDAP and BIND on the same machine, and the oVirt
host (hypervisor) on another machine.
I tried to configure OpenLDAP using ovirt-engine-extension-aaa-ldap, but no
LDAP users can be searched for or added from the Web Admin Portal.

CentOS release 6.5 (Final)
ovirt-engine.noarch 3.5.0-0.0.master.20140821064931.gitb794d66.el6
ovirt-engine-extension-aaa-ldap.noarch
0.0.0-0.0.master.20140904095149.gitc7bd415.el6
openldap-clients.x86_64 2.4.23-34.el6_5.1
openldap-servers.x86_64 2.4.23-34.el6_5.1
cyrus-sasl-gssapi.x86_64 2.1.23-13.el6_3.1
bind.x86_64 32:9.8.2-0.23.rc1.el6_5.1

My setup procedures:
-------------------------------------------------------------------------------
# yum -y install openldap-servers openldap-clients
# yum -y install cyrus-sasl-gssapi
-------------------------------------------------------------------------------
# rm -rf /etc/openldap/slapd.d
# rm -rf /var/lib/ldap/*
-------------------------------------------------------------------------------
(Copy slapd.conf template)
# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
-------------------------------------------------------------------------------
# vi /etc/openldap/slapd.conf
....(snip)....
# uncomment the next line
moduleload memberof.la
....(snip)....
# modify value
by dn.exact="cn=Manager,dc=rxc05271,dc=com" read
....(snip)....
# add the next two lines right under "database definitions"
authz-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
"cn=Manager,dc=rxc05271,dc=com"
....(snip)....
# modify value
suffix "dc=rxc05271,dc=com"
....(snip)....
# modify value
rootdn "cn=Manager,dc=rxc05271,dc=com"
....(snip)....
# uncomment the next line
rootpw secret
....(snip)....
# add the following lines to the end of the file
overlay memberof
loglevel 4
-------------------------------------------------------------------------------
(Enabling SSL/TLS)
# vi /etc/sysconfig/ldap
SLAPD_LDAPS=yes
-------------------------------------------------------------------------------
(Enabling OpenLDAP log output)
# echo "local4.* /var/log/ldap.log" > /etc/rsyslog.d/ldaplog.conf
# service rsyslog restart
-------------------------------------------------------------------------------
# service slapd start
# chkconfig slapd on
-------------------------------------------------------------------------------
# vi ldapconfig.ldif
dn: dc=rxc05271,dc=com
objectClass: dcObject
objectClass: organization
dc: rxc05271
o: RXC05271

dn: ou=Groups,dc=rxc05271,dc=com
objectclass: organizationalUnit
ou: Groups

dn: ou=Users,dc=rxc05271,dc=com
objectclass: organizationalUnit
ou: Users

dn: uid=tani,ou=Users,dc=rxc05271,dc=com
objectclass: inetOrgPerson
objectclass: uidObject
uid: tani
cn: Tani
givenName: Fumihide
mail: tani@rxc05271.com
sn: 0

dn: cn=Power-Users,ou=Groups,dc=rxc05271,dc=com
objectclass: groupOfNames
cn: Power-Users
member: uid=tani,ou=Users,dc=rxc05271,dc=com
-------------------------------------------------------------------------------
# ldapadd -x -D "cn=Manager,dc=rxc05271,dc=com" -w secret -f ldapconfig.ldif
-------------------------------------------------------------------------------
# vi setsasl.ldif
# a modify LDIF needs the target entry and changetype; olcSaslSecProps lives on cn=config
dn: cn=config
changetype: modify
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,noplain,minssf=1
-
-------------------------------------------------------------------------------
# ldapmodify -x -D "cn=Manager,dc=rxc05271,dc=com" -w secret -f setsasl.ldif
-------------------------------------------------------------------------------
# ldapsearch -LL -Y EXTERNAL -H ldapi:/// "(uid=tani)" -b dc=rxc05271,dc=com memberOf
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
version: 1

dn: uid=tani,ou=Users,dc=rxc05271,dc=com
memberOf: cn=Power-Users,ou=Groups,dc=rxc05271,dc=com
-------------------------------------------------------------------------------
# yum install ovirt-engine-extension-aaa-ldap
-------------------------------------------------------------------------------
# vi /etc/ovirt-engine/extensions.d/authn-company.properties
ovirt.engine.extension.name = authn-company
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = rxc05271.com
ovirt.engine.aaa.authn.authz.plugin = authz-company
config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
-------------------------------------------------------------------------------
# vi /etc/ovirt-engine/aaa/rxc05271.properties
include = <openldap.properties>

vars.user = cn=Manager,dc=rxc05271,dc=com
vars.password = 12345678
vars.server = ldap.rxc05271.com

pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = /etc/openldap/certs/ldap.jks
pool.default.ssl.truststore.password = 12345678

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
-------------------------------------------------------------------------------
(Add DNS records)
# vi /var/named/rxc05271.com.db
(snip)
ldap IN A 192.168.0.5
_ldap._tcp.rxc05271.com. IN SRV 10 0 389 ovirt.rxc05271.com.
# vi /var/named/0.168.192.in-addr.arpa.db
(snip)
5 IN PTR ldap.rxc05271.com.
# service named restart
-------------------------------------------------------------------------------
# service ovirt-engine restart
-------------------------------------------------------------------------------
(ldap.log outputs after ovirt-engine restart)
[root@ovirt ~]# cat /var/log/ldap.log
Sep 21 14:33:20 ovirt slapd[19276]: connection_get(15)
Sep 21 14:33:20 ovirt slapd[19276]: connection_get(18)
Sep 21 14:33:20 ovirt slapd[19276]: connection_get(17)
Sep 21 14:33:20 ovirt slapd[19276]: connection_get(19)
Sep 21 14:33:20 ovirt slapd[19276]: connection_get(20)
Sep 21 14:33:20 ovirt slapd[19276]: connection_get(21)
Sep 21 14:33:20 ovirt slapd[19276]: connection_get(23)
Sep 21 14:33:20 ovirt slapd[19276]: connection_get(22)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(15)
Sep 21 14:33:25 ovirt slapd[19276]: do_extended: oid=1.3.6.1.4.1.1466.20037
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(15)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(15)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(15)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(15)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(15)
Sep 21 14:33:25 ovirt slapd[19276]: ==> bdb_bind: dn: cn=Manager,dc=rxc05271,dc=com
Sep 21 14:33:25 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(17)
Sep 21 14:33:25 ovirt slapd[19276]: do_extended: oid=1.3.6.1.4.1.1466.20037
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(17)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(17)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(17)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(17)
Sep 21 14:33:25 ovirt slapd[19276]: ==> bdb_bind: dn: cn=Manager,dc=rxc05271,dc=com
Sep 21 14:33:25 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(18)
Sep 21 14:33:25 ovirt slapd[19276]: do_extended: oid=1.3.6.1.4.1.1466.20037
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(18)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(18)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(18)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(18)
Sep 21 14:33:25 ovirt slapd[19276]: ==> bdb_bind: dn: cn=Manager,dc=rxc05271,dc=com
Sep 21 14:33:25 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(19)
Sep 21 14:33:25 ovirt slapd[19276]: do_extended: oid=1.3.6.1.4.1.1466.20037
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(19)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(19)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(19)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(19)
Sep 21 14:33:25 ovirt slapd[19276]: ==> bdb_bind: dn: cn=Manager,dc=rxc05271,dc=com
Sep 21 14:33:25 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(15)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(15)
Sep 21 14:33:25 ovirt slapd[19276]: SRCH "" 0 0
Sep 21 14:33:25 ovirt slapd[19276]: 1 0 0
Sep 21 14:33:25 ovirt slapd[19276]: filter: (objectClass=*)
Sep 21 14:33:25 ovirt slapd[19276]: attrs:
Sep 21 14:33:25 ovirt slapd[19276]: *
Sep 21 14:33:25 ovirt slapd[19276]: +
Sep 21 14:33:25 ovirt slapd[19276]: altServer
Sep 21 14:33:25 ovirt slapd[19276]: changelog
Sep 21 14:33:25 ovirt slapd[19276]: firstChangeNumber
Sep 21 14:33:25 ovirt slapd[19276]: lastChangeNumber
Sep 21 14:33:25 ovirt slapd[19276]: lastPurgedChangeNumber
Sep 21 14:33:25 ovirt slapd[19276]: namingContexts
Sep 21 14:33:25 ovirt slapd[19276]: subschemaSubentry
Sep 21 14:33:25 ovirt slapd[19276]: supportedAuthPasswordSchemes
Sep 21 14:33:25 ovirt slapd[19276]: supportedControl
Sep 21 14:33:25 ovirt slapd[19276]: supportedExtension
Sep 21 14:33:25 ovirt slapd[19276]: supportedFeatures
Sep 21 14:33:25 ovirt slapd[19276]: supportedLDAPVersion
Sep 21 14:33:25 ovirt slapd[19276]: supportedSASLMechanisms
Sep 21 14:33:25 ovirt slapd[19276]: vendorName
Sep 21 14:33:25 ovirt slapd[19276]: vendorVersion
Sep 21 14:33:25 ovirt slapd[19276]:
Sep 21 14:33:25 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(20)
Sep 21 14:33:25 ovirt slapd[19276]: do_extended: oid=1.3.6.1.4.1.1466.20037
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(20)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(20)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(20)
Sep 21 14:33:26 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(21)
Sep 21 14:33:26 ovirt slapd[19276]: do_extended: oid=1.3.6.1.4.1.1466.20037
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(21)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(21)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(21)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(21)
Sep 21 14:33:26 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(22)
Sep 21 14:33:26 ovirt slapd[19276]: do_extended: oid=1.3.6.1.4.1.1466.20037
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(22)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(22)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(22)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(22)
Sep 21 14:33:26 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(23)
Sep 21 14:33:26 ovirt slapd[19276]: do_extended: oid=1.3.6.1.4.1.1466.20037
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(23)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(23)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(23)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(23)
Sep 21 14:33:26 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(20)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(20)
Sep 21 14:33:26 ovirt slapd[19276]: SRCH "" 0 0
Sep 21 14:33:26 ovirt slapd[19276]: 1 0 0
Sep 21 14:33:26 ovirt slapd[19276]: filter: (objectClass=*)
Sep 21 14:33:26 ovirt slapd[19276]: attrs:
Sep 21 14:33:26 ovirt slapd[19276]: *
Sep 21 14:33:26 ovirt slapd[19276]: +
Sep 21 14:33:26 ovirt slapd[19276]: altServer
Sep 21 14:33:26 ovirt slapd[19276]: changelog
Sep 21 14:33:26 ovirt slapd[19276]: firstChangeNumber
Sep 21 14:33:26 ovirt slapd[19276]: lastChangeNumber
Sep 21 14:33:26 ovirt slapd[19276]: lastPurgedChangeNumber
Sep 21 14:33:26 ovirt slapd[19276]: namingContexts
Sep 21 14:33:26 ovirt slapd[19276]: subschemaSubentry
Sep 21 14:33:26 ovirt slapd[19276]: supportedAuthPasswordSchemes
Sep 21 14:33:26 ovirt slapd[19276]: supportedControl
Sep 21 14:33:26 ovirt slapd[19276]: supportedExtension
Sep 21 14:33:26 ovirt slapd[19276]: supportedFeatures
Sep 21 14:33:26 ovirt slapd[19276]: supportedLDAPVersion
Sep 21 14:33:26 ovirt slapd[19276]: supportedSASLMechanisms
Sep 21 14:33:26 ovirt slapd[19276]: vendorName
Sep 21 14:33:26 ovirt slapd[19276]: vendorVersion
Sep 21 14:33:26 ovirt slapd[19276]:
Sep 21 14:33:26 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(17)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(17)
Sep 21 14:33:26 ovirt slapd[19276]: SRCH "" 0 0
Sep 21 14:33:26 ovirt slapd[19276]: 0 0 0
Sep 21 14:33:26 ovirt slapd[19276]: filter: (&(objectClass=*))
Sep 21 14:33:26 ovirt slapd[19276]: attrs:
Sep 21 14:33:26 ovirt slapd[19276]: namingContexts
Sep 21 14:33:26 ovirt slapd[19276]:
Sep 21 14:33:26 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
-------------------------------------------------------------------------------
(engine.log outputs after ovirt-engine restart)
# cat /var/log/ovirt-engine/engine.log | grep extensions
2014-09-21 14:33:25,591 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-15) Creating LDAP pool 'authz' for 'authn-company'
2014-09-21 14:33:25,962 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-15) Creating LDAP pool 'authn' for 'authn-company'
2014-09-21 14:33:26,195 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-15) Start of enabled extensions list
2014-09-21 14:33:26,196 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-15) Instance name: 'builtin-authn-internal', Extension name: 'Internal Authn (Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: 'N/A', Initialized: 'true'
2014-09-21 14:33:26,196 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-15) Instance name: 'authn-company', Extension name: 'aaa.ldap.authn', Version: '0.0.0_master', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-0.0.0-0.0.master.20140904095149.gitc7bd415.el6', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/authn-company.properties', Initialized: 'true'
2014-09-21 14:33:26,197 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-15) Instance name: 'internal', Extension name: 'Internal Authz (Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: 'N/A', Initialized: 'true'
2014-09-21 14:33:26,197 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-15) End of enabled extensions list
-------------------------------------------------------------------------------

I could not find any errors in engine.log or in ldap.log.
And I cannot search for or add LDAP users from the Web Admin Portal.
Click the "Users" tab, then click "Add".
I can only select "internal (internal)" in the "Search" field of [Add Users and
Groups].
I do not know where the cause is. Am I missing another required setting?

Thanks,
Fumihide Tani
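A point worth checking against the output in this post: the engine.log extension list names three enabled extensions, the built-in authn, `authn-company`, and the built-in `internal` authz. `authn-company.properties` sets `ovirt.engine.aaa.authn.authz.plugin = authz-company`, but no extension called `authz-company` appears in that list, and the "Search" dropdown in "Add Users and Groups" is populated from authz extensions. The script below is an added example; it is not part of the original post or of the oVirt project. `check_authz_refs` scans an extensions.d-style directory for authn definitions whose authz plugin has no matching extension providing `org.ovirt.engine.api.extensions.aaa.Authz`, and `write_authz_extension` writes an authz definition that mirrors the post's authn file. The `AuthzExtension` class name and the `...aaa.Authz` provides value are assumptions taken from the extension's README for this version, not from the post; verify them against the installed module. The authn file written in `demo` is a constructed copy of the one in the post, placed in a scratch directory rather than in `/etc/ovirt-engine/extensions.d`.

```shell
#!/bin/sh
# Added example, not from the post or the oVirt project.
# Checks an oVirt 3.5 extensions.d directory: every authn extension that names
# an authz plugin via ovirt.engine.aaa.authn.authz.plugin must have a matching
# extension whose ovirt.engine.extension.name equals that value and which
# provides the Authz interface. Without it the Admin Portal's "Add Users and
# Groups" search only offers the built-in "internal" authz.

AUTHZ_IFACE='org.ovirt.engine.api.extensions.aaa.Authz'

# prop FILE KEY -> trimmed value of KEY (KEY given as a sed BRE, dots escaped)
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# check_authz_refs DIR -> prints one line per dangling reference;
# returns 0 if every authz reference resolves, 1 otherwise
check_authz_refs() {
    dir=$1
    rc=0
    for f in "$dir"/*.properties; do
        [ -f "$f" ] || continue
        authz=$(prop "$f" 'ovirt\.engine\.aaa\.authn\.authz\.plugin')
        [ -n "$authz" ] || continue          # not an authn definition
        found=0
        for g in "$dir"/*.properties; do
            if [ "$(prop "$g" 'ovirt\.engine\.extension\.name')" = "$authz" ] &&
               [ "$(prop "$g" 'ovirt\.engine\.extension\.provides')" = "$AUTHZ_IFACE" ]; then
                found=1
                break
            fi
        done
        if [ "$found" -eq 0 ]; then
            echo "$(basename "$f"): authz plugin '$authz' has no extension providing $AUTHZ_IFACE"
            rc=1
        fi
    done
    return "$rc"
}

# write_authz_extension DIR NAME PROFILE -> writes DIR/NAME.properties.
# Class and provides values are ASSUMED from the extension README of this
# version (the Authz counterparts of the post's AuthnExtension); verify them.
write_authz_extension() {
    cat > "$1/$2.properties" <<EOF
ovirt.engine.extension.name = $2
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = $AUTHZ_IFACE
config.profile.file.1 = $3
EOF
}

# demo: scratch directory holding a constructed copy of the post's authn file
# (the real directory is /etc/ovirt-engine/extensions.d)
demo() {
    d=$(mktemp -d)
    cat > "$d/authn-company.properties" <<'EOF'
ovirt.engine.extension.name = authn-company
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = rxc05271.com
ovirt.engine.aaa.authn.authz.plugin = authz-company
config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
EOF
    if check_authz_refs "$d"; then
        echo "unexpected: no dangling reference found"
    fi
    write_authz_extension "$d" authz-company /etc/ovirt-engine/aaa/rxc05271.properties
    if check_authz_refs "$d"; then
        echo "ok: authz-company now resolves; restart ovirt-engine once the real file is in place"
    fi
    rm -rf "$d"
}

demo
```

Both extension files point `config.profile.file.1` at the same profile, so the authz side reuses the bind DN, password and truststore already configured for authn. After adding the real file, `service ovirt-engine restart` and look for a second "Creating LDAP pool" pair and an `authz-company` entry in the extensions list in engine.log.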