[ovirt-users] Extension aaa: No search for principal
Daniel Helgenberger
daniel.helgenberger@m-box.de
Fri Sep 11 10:28:10 UTC 2015
Hello,
I am stuck in configuring ovirt-engine-extension-aaa-ldap with AD for
ovirt 3.5.4. I am following the [readme.md] and so far it was quite
straightforward:
> include = <ad.properties>
>
> #
> # Active directory domain name.
> #
> vars.domain = int.corp.de
>
> #
> # Search user and its password.
> #
> vars.user = bind@${global:vars.domain}
> vars.password = [redacted]
>
> #
> # Optional DNS servers, if enterprise
> # DNS server cannot resolve the domain srvrecord.
> #
> #vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}
>
> pool.default.serverset.type = srvrecord
> pool.default.serverset.srvrecord.domain = ${global:vars.domain}
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
>
> # Uncomment if using custom DNS
> #pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
> #pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
>
> # Create keystore, import certificate chain and uncomment
> # if using ssl/tls.
> #pool.default.ssl.startTLS = true
> #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
> #pool.default.ssl.truststore.password = changeit
The config seems to work; at least the domain and binddn part. I can
browse and add users to ovirt as suggested in step (3). All quotes are
from engine.log:
> 2015-09-11 11:54:50,261 INFO [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-8-thread-24) [73bff0e9] Running command: AddSystemPermissionCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group MANIPULATE_PERMISSIONS with role type USER, ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group ADD_USERS_AND_GROUPS_FROM_DIRECTORY with role type USER
> 2015-09-11 11:54:50,268 INFO [org.ovirt.engine.core.bll.aaa.AddUserCommand] (org.ovirt.thread.pool-8-thread-24) [21867e72] Running command: AddUserCommand internal: true. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group MANIPULATE_USERS with role type ADMIN
> 2015-09-11 11:54:50,301 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-8-thread-24) [21867e72] Correlation ID: 21867e72, Call Stack: null, Custom Event ID: -1, Message: User 'Administrator' was added successfully to the system.
> 2015-09-11 11:54:50,379 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-8-thread-24) [21867e72] Correlation ID: 73bff0e9, Call Stack: null, Custom Event ID: -1, Message: User/Group Administrator was granted permission for Role SuperUser on System by admin@internal.
Yet, when logging in as user administrator I get:
> {Extkey[name=EXTENSION_INVOKE_RESULT;type=class java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2, Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=No search for principal 'administrator@int.corp.com'}
Followed by a java stack trace.
I did not find any configurable search path.
The config seems to load:
> 2015-09-11 12:01:34,897 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Loading extension 'builtin-authn-internal'
> 2015-09-11 12:01:34,903 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Extension 'builtin-authn-internal' loaded
> 2015-09-11 12:01:34,905 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Loading extension 'internal'
> 2015-09-11 12:01:34,907 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Extension 'internal' loaded
> 2015-09-11 12:01:34,919 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Loading extension 'corp-authn'
> 2015-09-11 12:01:34,967 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Extension 'corp-authn' loaded
> 2015-09-11 12:01:34,971 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Loading extension 'corp-authz'
> 2015-09-11 12:01:34,981 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Extension 'corp-authz' loaded
> 2015-09-11 12:01:34,982 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Initializing extension 'corp-authn'
> 2015-09-11 12:01:34,983 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-2) [ovirt-engine-extension-aaa-ldap.authn::corp-authn] Creating LDAP pool 'authz'
> 2015-09-11 12:01:35,120 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-2) [ovirt-engine-extension-aaa-ldap.authn::corp-authn] Creating LDAP pool 'authn'
> 2015-09-11 12:01:35,159 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Extension 'corp-authn' initialized
> 2015-09-11 12:01:35,160 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Initializing extension 'builtin-authn-internal'
> 2015-09-11 12:01:35,161 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Extension 'builtin-authn-internal' initialized
> 2015-09-11 12:01:35,162 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Initializing extension 'corp-authz'
> 2015-09-11 12:01:35,162 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-2) [ovirt-engine-extension-aaa-ldap.authz::corp-authz] Creating LDAP pool 'authz'
> 2015-09-11 12:01:35,185 INFO [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-2) [ovirt-engine-extension-aaa-ldap.authz::corp-authz] Creating LDAP pool 'gc'
> 2015-09-11 12:01:35,222 INFO [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread 1-2) [ovirt-engine-extension-aaa-ldap.authz::corp-authz] Available Namespaces: [DC=int,DC=corp,DC=de]
> 2015-09-11 12:01:35,223 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Extension 'corp-authz' initialized
> 2015-09-11 12:01:35,224 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Initializing extension 'internal'
> 2015-09-11 12:01:35,224 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Extension 'internal' initialized
> 2015-09-11 12:01:35,225 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Start of enabled extensions list
> 2015-09-11 12:01:35,225 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Instance name: 'corp-authn', Extension name: 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.0.2', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.0.2-1.el7', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/corp-authn.properties', Initialized: 'true'
> 2015-09-11 12:01:35,227 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Instance name: 'builtin-authn-internal', Extension name: 'Internal Authn (Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: 'N/A', Initialized: 'true'
> 2015-09-11 12:01:35,228 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Instance name: 'corp-authz', Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.0.2', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.0.2-1.el7', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/corp-authz.properties', Initialized: 'true'
> 2015-09-11 12:01:35,230 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Instance name: 'internal', Extension name: 'Internal Authz (Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: 'N/A', Initialized: 'true'
> 2015-09-11 12:01:35,231 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) End of enabled extensions list
Versions:
ovirt engine 3.5.4
AD: Windows Server 2012r2
Please let me know if you need further logs.
Thanks,
[readme.md]
https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/blob/master/README
--
Daniel Helgenberger
m box bewegtbild GmbH
P: +49/30/2408781-22
F: +49/30/2408781-10
ACKERSTR. 19
D-10115 BERLIN
www.m-box.de www.monkeymen.tv
Geschäftsführer: Martin Retschitzegger / Michaela Göllner
Handelsregister: Amtsgericht Charlottenburg / HRB 112767
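A small pre-flight check for a profile like the one quoted in this message, added here as an example and not code from the oVirt project or from the poster. It embeds the quoted profile as constructed sample input, expands the `${global:...}` and `${local:_basedir}` references (an approximation of the extension's own substitution, written only for this check), derives the SRV record name that `serverset.type = srvrecord` makes the extension look up, and reports the things a practitioner would verify before logging in: unresolved references, a simple bind still running without `ssl.startTLS` or `ssl.enable` (the bind password then crosses the wire in cleartext), TLS keys left commented out, and a login suffix that differs from `vars.domain`. The `userPrincipalName` filter and the `/etc/ovirt-engine/aaa` base directory are assumptions, not taken from the post.

```python
import re

# Constructed sample input: the profile quoted in the post, password
# placeholder kept, and the keys the post leaves commented kept commented.
SAMPLE_PROFILE = """\
include = <ad.properties>
vars.domain = int.corp.de
vars.user = bind@${global:vars.domain}
vars.password = [redacted]
#vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
#pool.default.ssl.truststore.password = changeit
"""

# ${global:key} refers to another key of the same profile; ${local:_basedir}
# is the directory the profile lives in. Approximation for this check only.
_REF = re.compile(r"\$\{(global|local):([^}]+)\}")


def parse_profile(text):
    """Split a properties profile into active and commented-out key/value pairs."""
    active, commented = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        target = active
        if line.startswith("#"):
            line = line.lstrip("#").strip()
            if "=" not in line:
                continue
            target = commented
        key, _, value = line.partition("=")
        target[key.strip()] = value.strip()
    return active, commented


def resolve(value, props, local, _depth=0):
    """Expand ${global:...}/${local:...} references recursively; KeyError on unknown names."""
    if _depth > 16:
        raise ValueError("reference loop while resolving %r" % value)

    def expand(match):
        scope, name = match.groups()
        table = props if scope == "global" else local
        if name not in table:
            raise KeyError("%s:%s" % (scope, name))
        return resolve(table[name], props, local, _depth + 1)

    return _REF.sub(expand, value)


def audit_profile(text, login_principal, basedir="/etc/ovirt-engine/aaa"):
    """Return the resolved settings plus a list of findings to verify by hand."""
    active, commented = parse_profile(text)
    local = {"_basedir": basedir}  # assumed profile directory
    resolved, findings = {}, []
    for key, value in active.items():
        try:
            resolved[key] = resolve(value, active, local)
        except KeyError as exc:
            findings.append("unresolved reference ${%s} in %s" % (exc.args[0], key))

    domain = resolved.get("vars.domain", "")
    if resolved.get("pool.default.serverset.type") == "srvrecord":
        # SRV discovery resolves _ldap._tcp.<domain>; check it with dig before anything else.
        resolved["srv.record"] = "_ldap._tcp." + resolved.get(
            "pool.default.serverset.srvrecord.domain", domain)

    tls_on = any(resolved.get(k, "").lower() == "true"
                 for k in ("pool.default.ssl.startTLS", "pool.default.ssl.enable"))
    if "pool.default.auth.simple.password" in resolved and not tls_on:
        findings.append("simple bind with neither ssl.startTLS nor ssl.enable: "
                        "the bind password is sent in cleartext on port 389")
    for key in ("pool.default.ssl.startTLS", "pool.default.ssl.truststore.file"):
        if key in commented:
            findings.append("%s is still commented out" % key)

    # Assumed: the AD profile matches the login name against userPrincipalName.
    resolved["principal.filter"] = "(userPrincipalName=%s)" % login_principal
    suffix = login_principal.rpartition("@")[2]
    if suffix and domain and suffix.lower() != domain.lower():
        findings.append("login suffix %r differs from vars.domain %r; confirm it is a "
                        "UPN suffix of that forest" % (suffix, domain))
    return resolved, findings


if __name__ == "__main__":
    settings, notes = audit_profile(SAMPLE_PROFILE, "administrator@int.corp.com")
    for key in ("pool.default.auth.simple.bindDN", "srv.record", "principal.filter"):
        print("%-36s %s" % (key, settings[key]))
    for note in notes:
        print("finding:", note)
```

The resolved `bindDN` and `srv.record` are the two values to feed into `dig SRV` and `ldapsearch` against a domain controller; the `principal.filter` is what to search for with the bind account to confirm the login name resolves to exactly one object before the extension is asked to do the same.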