[ovirt-users] Can not configure with simple LDAP.
Alon Bar-Lev
alonbl at redhat.com
Mon Sep 22 11:41:20 UTC 2014
Not sure what adds CRLF to your file... please use a *NIX editor; please use dos2unix to remove these.
Per our previous discussion, you should modify:
<file-handler name="ENGINE" autoflush="true">
<level name="INFO"/>
Into:
<file-handler name="ENGINE" autoflush="true">
<level name="FINEST"/>
You should see a difference.
Thanks!
----- Original Message -----
> From: "Fumihide Tani" <RXC05271 at nifty.com>
> To: "Alon Bar-Lev" <alonbl at redhat.com>
> Cc: users at ovirt.org
> Sent: Monday, September 22, 2014 2:36:05 PM
> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>
> Hi, Alon,
>
> I modified ovirt-engine.xml.in and restarted ovirt-engine.
> Attached is the modified ovirt-engine.xml.in.
> The engine.log outputs are the following: (Unfortunately it became the same
> result.)
>
> -----
> 2014-09-22 19:48:11,245 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand]
> (ajp--127.0.0.1-8702-2) Cant login user "Fumihide" with authentication
> profile "rxc05271.com" because the authentication failed.
> 2014-09-22 19:48:11,257 ERROR
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event
> ID: -1, Message: User Fumihide cannot login, please verify the username and
> password.
> 2014-09-22 19:48:11,265 ERROR
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event
> ID: -1, Message: User Fumihide failed to log in.
> 2014-09-22 19:48:11,266 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand]
> (ajp--127.0.0.1-8702-2) CanDoAction of action LoginUser failed.
> Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
> -----
>
> As a cause of the OpenLDAP user login failure,
> I suspect that my openldap password encryption method setting does not
> match oVirt's.
> Is there any method to verify?
>
> Thanks,
>
> (2014/09/22 19:15), Alon Bar-Lev wrote:
> > You need to add the following:
> >
> > + <logger category="org.ovirt.engineextensions.aaa.ldap">
> > + <level name="FINEST"/>
> > + </logger>
> > <logger category="org.ovirt.engine.core.bll">
> >
> > Look at the + lines, please add these (without the +) just before: <logger
> > category="org.ovirt.engine.core.bll">
> >
> > Thanks!
> >
> > ----- Original Message -----
> >> From: "Fumihide Tani" <RXC05271 at nifty.com>
> >> To: "Alon Bar-Lev" <alonbl at redhat.com>
> >> Cc: users at ovirt.org
> >> Sent: Monday, September 22, 2014 1:10:57 PM
> >> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
> >>
> >> (2014/09/22 15:00), Alon Bar-Lev wrote:
> >>> ----- Original Message -----
> >>>> From: "Fumihide Tani" <RXC05271 at nifty.com>
> >>>> To: "Alon Bar-Lev" <alonbl at redhat.com>
> >>>> Cc: users at ovirt.org
> >>>> Sent: Monday, September 22, 2014 4:16:17 AM
> >>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
> >>>>
> >>>> (2014/09/22 0:16), Alon Bar-Lev wrote:
> >>>>> ----- Original Message -----
> >>>>>> From: "Fumihide Tani" <RXC05271 at nifty.com>
> >>>>>> To: "Alon Bar-Lev" <alonbl at redhat.com>
> >>>>>> Cc: users at ovirt.org
> >>>>>> Sent: Sunday, September 21, 2014 6:00:48 PM
> >>>>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
> >>>>>>
> >>>>>> Hi, Alon,
> >>>>>>
> >>>>>> Following Alon's advice, I added authz-company.properties file to the
> >>>>>> configuration directory.
> >>>>>> Then OpenLDAP users can be searched from oVirt Web Admin, and I could add
> >>>>>> its users to the portal successfully.
> >>>>>>
> >>>>>> But I have another problem.
> >>>>>> These OpenLDAP users that I added can not login to ovirt web user
> >>>>>> portal.
> >>>>>>
> >>>>>> User Name: Fumihide (This is shown on Web Admin Portal "Users" tab as
> >>>>>> "First
> >>>>>> Name")
> >>>>>> Password: (I specified it as OpenLDAP's userPassword for "Fumihide")
> >>>>>> Domain: rxc05271.com (I selected instead of "internal")
> >>>>>>
> >>>>>> ?
> >>>>> 1. What error do you get at the UI?
> >>>> "The user name or password is incorrect."
> >>>>
> >>>>> 2. Please look at engine.log while attempting to login, if you see
> >>>>> something helpful.
> >>>> 2014-09-22 09:53:27,669 INFO
> >>>> [org.ovirt.engine.core.bll.aaa.LoginBaseCommand]
> >>>> (ajp--127.0.0.1-8702-2) Cant login user "Fumihide" with authentication
> >>>> profile "rxc05271.com" because the authentication failed.
> >>>> 2014-09-22 09:53:27,685 ERROR
> >>>> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> >>>> (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom
> >>>> Event
> >>>> ID: -1, Message: User Fumihide cannot login, please verify the username
> >>>> and
> >>>> password.
> >>>> 2014-09-22 09:53:27,693 ERROR
> >>>> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> >>>> (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom
> >>>> Event
> >>>> ID: -1, Message: User Fumihide failed to log in.
> >>>> 2014-09-22 09:53:27,693 WARN
> >>>> [org.ovirt.engine.core.bll.aaa.LoginUserCommand]
> >>>> (ajp--127.0.0.1-8702-2) CanDoAction of action LoginUser failed.
> >>>> Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
> >>>>
> >>>>> 3. Please make sure that the following is a success:
> >>>>> $ ldapsearch -h <HOST> -x -W -D <LOGIN_USER_DN> -b <BASE_DN>
> >>>>> uid=<LOGIN_NAME>
> >>>> [root at ovirt ~]# ldapsearch -H ldapi:/// -x -W -D
> >>>> "uid=tani,ou=Users,dc=rxc05271,dc=com" -b 'dc=rxc05271,dc=com' -x
> >>>> '(uid=tani)'
> >>>> Enter LDAP Password:
> >>>> # extended LDIF
> >>>> #
> >>>> # LDAPv3
> >>>> # base <dc=rxc05271,dc=com> with scope subtree
> >>>> # filter: (uid=tani)
> >>>> # requesting: ALL
> >>>> #
> >>>>
> >>>> # tani, Users, rxc05271.com
> >>>> dn: uid=tani,ou=Users,dc=rxc05271,dc=com
> >>>> objectClass: inetOrgPerson
> >>>> objectClass: uidObject
> >>>> uid: tani
> >>>> cn: Fumihide Tani
> >>>> givenName: Fumihide
> >>>> mail: tani at rxc05271.com
> >>>> sn: Tani
> >>>> userPassword:: a3VtaXRhbg==
> >>>>
> >>>> # search result
> >>>> search: 2
> >>>> result: 0 Success
> >>>>
> >>>> # numResponses: 2
> >>>> # numEntries: 1
> >>>> [root at ovirt ~]#
> >>>>
> >>>>> 4. If working please modify
> >>>>> /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in
> >>>>> ---
> >>>>> <file-handler name="ENGINE" autoflush="true">
> >>>>> - <level name="INFO"/>
> >>>>> - <level name="FINEST"/>
> >>>>> <snip>
> >>>>> + <logger category="org.ovirt.engineextensions.aaa.ldap">
> >>>>> + <level name="FINEST"/>
> >>>>> + </logger>
> >>>>> <logger category="org.ovirt.engine.core.bll">
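Review bot: in the file-handler part of this hunk both `<level>` lines are marked `-`, so as written it only removes `<level name="INFO"/>` and never adds the FINEST level; the second line should read `+ <level name="FINEST"/>`, as the follow-up later in this thread confirms.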
> >>>>> ---
> >>>>> Restart engine, attempt login, send me the output.
> >>>> 2014-09-22 10:03:57,517 INFO
> >>>> [org.ovirt.engine.core.bll.aaa.LoginBaseCommand]
> >>>> (ajp--127.0.0.1-8702-7) Cant login user "Fumihide" with authentication
> >>>> profile "rxc05271.com" because the authentication failed.
> >>>> 2014-09-22 10:03:57,534 ERROR
> >>>> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> >>>> (ajp--127.0.0.1-8702-7) Correlation ID: null, Call Stack: null, Custom
> >>>> Event
> >>>> ID: -1, Message: User Fumihide cannot login, please verify the username
> >>>> and
> >>>> password.
> >>>> 2014-09-22 10:03:57,545 ERROR
> >>>> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> >>>> (ajp--127.0.0.1-8702-7) Correlation ID: null, Call Stack: null, Custom
> >>>> Event
> >>>> ID: -1, Message: User Fumihide failed to log in.
> >>>> 2014-09-22 10:03:57,545 WARN
> >>>> [org.ovirt.engine.core.bll.aaa.LoginUserCommand]
> >>>> (ajp--127.0.0.1-8702-7) CanDoAction of action LoginUser failed.
> >>>> Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
> >>>>
> >>>> (logger level is not changed to FINEST? output is the same as above.)
> >>>>
> >>> I had a mistake above... the file-handler level should be set to finest.
> >>>
> >>> <file-handler name="ENGINE" autoflush="true">
> >>> <level name="FINEST"/>
> >>>
> >>> can you confirm?
> >>> or best send me the engine.xml.in file and I can see what's wrong.
> >>>
> >>> thanks!
> >> I set the file-handler's level name to "FINEST", but the output is the same as
> >> before.
> >> I attached the ovirt-engine.xml.in
> >>
> >> Regards,
> >>
> >>>
> >>>> Thanks,
> >>>> Fumihide Tani
> >>>>
> >>>>
> >>>>>> Please advise me; I would be so thankful.
> >>>>>>
> >>>>>> Fumihide Tani
> >>>>>>
> >>>>>>
> >>>>>> (2014/09/21 17:13), Alon Bar-Lev wrote:
> >>>>>>> ----- Original Message -----
> >>>>>>>> From: "Fumihide Tani" <RXC05271 at nifty.com>
> >>>>>>>> To: "Alon Bar-Lev" <alonbl at redhat.com>
> >>>>>>>> Cc: users at ovirt.org
> >>>>>>>> Sent: Sunday, September 21, 2014 11:11:11 AM
> >>>>>>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
> >>>>>>>>
> >>>>>>>> Hi, Alon
> >>>>>>>>
> >>>>>>>> Many thanks for your help.
> >>>>>>>> My problem was solved and the AAA is working now.
> >>>>>>>> I could add LDAP user. :)
> >>>>>>> Great.
> >>>>>>> Can you please send me a patch or modified README to make it better?
> >>>>>>>
> >>>>>>> Alon
> >>>>>>>
> >>>>>>>> Fumihide Tani
> >>>>>>>>
> >>>>>>>> (2014/09/21 16:19), Alon Bar-Lev wrote:
> >>>>>>>>> ----- Original Message -----
> >>>>>>>>>> From: "Alon Bar-Lev" <alonbl at redhat.com>
> >>>>>>>>>> To: "Fumihide Tani" <RXC05271 at nifty.com>
> >>>>>>>>>> Cc: users at ovirt.org
> >>>>>>>>>> Sent: Sunday, September 21, 2014 10:19:11 AM
> >>>>>>>>>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
> >>>>>>>>>>
> >>>>>>>>>> Hi,
> >>>>>>>>>>
> >>>>>>>>>> You need to create authz extension as well (authz-company).
> >>>>>>>>>> The configuration you provided is establishing authentication only
> >>>>>>>>>> (authn),
> >>>>>>>>>> which refers to authz-company, but you did not add it.
> >>>>>>>>>>
> >>>>>>>>>> The terms are:
> >>>>>>>>>> 1. authn - who the user is.
> >>>>>>>>>> 2. authz - what the user is permitted to do.
> >>>>>>>>>> 3. profile - combination of the two.
> >>>>>>>>>>
> >>>>>>>>>> -----------------------------
> >>>>>>>>>> # vi /etc/ovirt-engine/extensions.d/authz-company.properties
> >>>>>>>>>> ovirt.engine.extension.name = authz-company
> >>>>>>>>>> ovirt.engine.extension.bindings.method = jbossmodule
> >>>>>>>>>> ovirt.engine.extension.binding.jbossmodule.module =
> >>>>>>>>>> org.ovirt.engine-extensions.aaa.ldap
> >>>>>>>>>> ovirt.engine.extension.binding.jbossmodule.class =
> >>>>>>>>>> org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> >>>>>>>>> Sorry:
> >>>>>>>>> org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> >>>>>>>>>> ovirt.engine.extension.provides =
> >>>>>>>>>> org.ovirt.engine.api.extensions.aaa.Authz
> >>>>>>>>>> config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
> >>>>>>>>>> --------------------------------------------------
> >>>>>>>>>>
> >>>>>>>>>> Regards,
> >>>>>>>>>> Alon
> >>>>
> >>
> >
>
>
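The authn/authz pairing explained in the quoted message (an authn extension that names an authz extension which must exist, with the authz class corrected from AuthnExtension to AuthzExtension) can be checked mechanically before restarting the engine. This is an added example, not code from the thread or from oVirt; the property key `ovirt.engine.aaa.authn.authz.plugin` is an assumption about the extension's configuration, and the sample files are constructed.

```python
"""Added example: consistency check for oVirt AAA extension .properties files."""

EXPECTED_CLASS = {  # extension class each 'provides' interface should bind to
    "org.ovirt.engine.api.extensions.aaa.Authn": "org.ovirt.engineextensions.aaa.ldap.AuthnExtension",
    "org.ovirt.engine.api.extensions.aaa.Authz": "org.ovirt.engineextensions.aaa.ldap.AuthzExtension",
}

# Constructed samples modelled on the thread; the authz file repeats the class
# mix-up corrected there. The key 'ovirt.engine.aaa.authn.authz.plugin' is an
# assumption about the extension's configuration, not shown in the thread.
SAMPLE_FILES = {
    "authn-company.properties": """
ovirt.engine.extension.name = authn-company
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.authz.plugin = authz-company
""",
    "authz-company.properties": """
ovirt.engine.extension.name = authz-company
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
""",
}

def parse_properties(text):
    # Minimal 'key = value' parser; skips blank lines and # comments.
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_extensions(files):
    """Return a list of problems found across a set of extension files."""
    exts = {name: parse_properties(text) for name, text in files.items()}
    known = {p.get("ovirt.engine.extension.name") for p in exts.values()}
    problems = []
    for fname, p in exts.items():
        provides = p.get("ovirt.engine.extension.provides")
        cls = p.get("ovirt.engine.extension.binding.jbossmodule.class")
        want = EXPECTED_CLASS.get(provides)
        if want and cls != want:  # e.g. an Authz file bound to AuthnExtension
            problems.append(f"{fname}: provides {provides} but class is {cls}; expected {want}")
        authz = p.get("ovirt.engine.aaa.authn.authz.plugin")
        if authz and authz not in known:  # authn points at a missing authz extension
            problems.append(f"{fname}: refers to authz extension '{authz}' with no properties file")
    return problems
```

Running `check_extensions` over the real files in /etc/ovirt-engine/extensions.d/ (read from disk instead of the constructed samples) reports the same two mistakes this thread walked through: a missing authz-company file and an authz file bound to the authn class.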