[ovirt-users] Extension aaa: No search for principal

Daniel Helgenberger daniel.helgenberger at m-box.de
Fri Sep 11 12:45:55 UTC 2015



On 11.09.2015 12:48, Alon Bar-Lev wrote:
> Hi!
>
> Thank you for the information, for some reason the administrator user cannot be resolved to userPrincipalName during login, is it specific for Administrator or any user?

Thanks for getting back to me Alon.

>
> Can you please attach the extension configuration for both authn/authz as well?

Here you go, but I did nothing apart from changing the profile naming.
Please note I performed anonymization and replaced my domain with 'corp'
(as you might have guessed). If this had any side effects I can mail you
the original logs as well.

# cat /etc/ovirt-engine/extensions.d/corp-authn.properties
> ovirt.engine.extension.name = corp-authn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> ovirt.engine.aaa.authn.profile.name = corp
> ovirt.engine.aaa.authn.authz.plugin = corp-authz
> config.profile.file.1 = ../aaa/corp.properties

# cat /etc/ovirt-engine/extensions.d/corp-authz.properties
> ovirt.engine.extension.name = corp-authz
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> config.profile.file.1 = ../aaa/corp.properties

>
> I will also need debug log with ALL level, see [1] for instructions.
Please find the engine log with debugging on attached. I did a number of
logins in the logged timeframe as well as engine restarts, and hope it
is sufficient.

Thanks!

>
> Thanks!
> Alon
>
> [1] https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0#l377
>
> ----- Original Message -----
>> From: "Daniel Helgenberger" <daniel.helgenberger at m-box.de>
>> To: Users at ovirt.org
>> Sent: Friday, September 11, 2015 1:28:10 PM
>> Subject: [ovirt-users] Extension aaa: No search for principal
>>
>> Hello,
>>
>> I am stuck in configuring ovirt-engine-extension-aaa-ldap with AD for
>> ovirt 3.5.4. I am following the [readme.md] and so far it was quite
>> straightforward:
>>> include = <ad.properties>
>>>
>>> #
>>> # Active directory domain name.
>>> #
>>> vars.domain = int.corp.de
>>>
>>> #
>>> # Search user and its password.
>>> #
>>> vars.user = bind@${global:vars.domain}
>>> vars.password = [redacted]
>>>
>>> #
>>> # Optional DNS servers, if enterprise
>>> # DNS server cannot resolve the domain srvrecord.
>>> #
>>> #vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}
>>>
>>> pool.default.serverset.type = srvrecord
>>> pool.default.serverset.srvrecord.domain = ${global:vars.domain}
>>> pool.default.auth.simple.bindDN = ${global:vars.user}
>>> pool.default.auth.simple.password = ${global:vars.password}
>>>
>>> # Uncomment if using custom DNS
>>> #pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
>>> #pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
>>>
>>> # Create keystore, import certificate chain and uncomment
>>> # if using ssl/tls.
>>> #pool.default.ssl.startTLS = true
>>> #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
>>> #pool.default.ssl.truststore.password = changeit
>>
>>
>>
>> The config seems to work; at least the domain and binddn part. I can
>> browse and add users to ovirt as suggested in step (3). All quotes are
>> from engine.log:
>>
>>> 2015-09-11 11:54:50,261 INFO
>>> [org.ovirt.engine.core.bll.AddSystemPermissionCommand]
>>> (org.ovirt.thread.pool-8-thread-24) [73bff0e9] Running command:
>>> AddSystemPermissionCommand internal: false. Entities affected :  ID:
>>> aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group
>>> MANIPULATE_PERMISSIONS with role type USER,  ID:
>>> aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group
>>> ADD_USERS_AND_GROUPS_FROM_DIRECTORY with role type USER
>>> 2015-09-11 11:54:50,268 INFO
>>> [org.ovirt.engine.core.bll.aaa.AddUserCommand]
>>> (org.ovirt.thread.pool-8-thread-24) [21867e72] Running command:
>>> AddUserCommand internal: true. Entities affected :  ID:
>>> aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group
>>> MANIPULATE_USERS with role type ADMIN
>>> 2015-09-11 11:54:50,301 INFO
>>> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>>> (org.ovirt.thread.pool-8-thread-24) [21867e72] Correlation ID: 21867e72,
>>> Call Stack: null, Custom Event ID: -1, Message: User 'Administrator' was
>>> added successfully to the system.
>>> 2015-09-11 11:54:50,379 INFO
>>> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>>> (org.ovirt.thread.pool-8-thread-24) [21867e72] Correlation ID: 73bff0e9,
>>> Call Stack: null, Custom Event ID: -1, Message: User/Group Administrator
>>> was granted permission for Role SuperUser on System by admin at internal.
>>
>> Yet, when logging in as user administrator I get:
>>
>>> {Extkey[name=EXTENSION_INVOKE_RESULT;type=class
>>> java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2,
>>> Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class
>>> java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=No
>>> search for principal 'administrator at int.corp.com'}
>>
>> Followed by a java stack trace.
>> I did not find any configurable search path.
>>
>> The config seems to load:
>>> 2015-09-11 12:01:34,897 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Loading extension 'builtin-authn-internal'
>>> 2015-09-11 12:01:34,903 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Extension 'builtin-authn-internal' loaded
>>> 2015-09-11 12:01:34,905 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Loading extension 'internal'
>>> 2015-09-11 12:01:34,907 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Extension 'internal' loaded
>>> 2015-09-11 12:01:34,919 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Loading extension 'corp-authn'
>>> 2015-09-11 12:01:34,967 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Extension 'corp-authn' loaded
>>> 2015-09-11 12:01:34,971 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Loading extension 'corp-authz'
>>> 2015-09-11 12:01:34,981 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Extension 'corp-authz' loaded
>>> 2015-09-11 12:01:34,982 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Initializing extension 'corp-authn'
>>> 2015-09-11 12:01:34,983 INFO
>>> [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-2)
>>> [ovirt-engine-extension-aaa-ldap.authn::corp-authn] Creating LDAP pool
>>> 'authz'
>>> 2015-09-11 12:01:35,120 INFO
>>> [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-2)
>>> [ovirt-engine-extension-aaa-ldap.authn::corp-authn] Creating LDAP pool
>>> 'authn'
>>> 2015-09-11 12:01:35,159 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Extension 'corp-authn' initialized
>>> 2015-09-11 12:01:35,160 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Initializing extension 'builtin-authn-internal'
>>> 2015-09-11 12:01:35,161 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Extension 'builtin-authn-internal' initialized
>>> 2015-09-11 12:01:35,162 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Initializing extension 'corp-authz'
>>> 2015-09-11 12:01:35,162 INFO
>>> [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-2)
>>> [ovirt-engine-extension-aaa-ldap.authz::corp-authz] Creating LDAP pool
>>> 'authz'
>>> 2015-09-11 12:01:35,185 INFO
>>> [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-2)
>>> [ovirt-engine-extension-aaa-ldap.authz::corp-authz] Creating LDAP pool
>>> 'gc'
>>> 2015-09-11 12:01:35,222 INFO
>>> [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread
>>> 1-2) [ovirt-engine-extension-aaa-ldap.authz::corp-authz] Available
>>> Namespaces: [DC=int,DC=corp,DC=de]
>>> 2015-09-11 12:01:35,223 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Extension 'corp-authz' initialized
>>> 2015-09-11 12:01:35,224 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Initializing extension 'internal'
>>> 2015-09-11 12:01:35,224 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Extension 'internal' initialized
>>> 2015-09-11 12:01:35,225 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Start of enabled extensions list
>>> 2015-09-11 12:01:35,225 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Instance name: 'corp-authn', Extension name:
>>> 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.0.2', Notes: 'Display
>>> name: ovirt-engine-extension-aaa-ldap-1.0.2-1.el7', License: 'ASL 2.0',
>>> Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface
>>> Version: '0',  File:
>>> '/etc/ovirt-engine/extensions.d/corp-authn.properties', Initialized:
>>> 'true'
>>> 2015-09-11 12:01:35,227 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Instance name: 'builtin-authn-internal', Extension name:
>>> 'Internal Authn (Built-in)', Version: 'N/A', Notes: '', License: 'ASL
>>> 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build
>>> interface Version: '0',  File: 'N/A', Initialized: 'true'
>>> 2015-09-11 12:01:35,228 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Instance name: 'corp-authz', Extension name:
>>> 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.0.2', Notes: 'Display
>>> name: ovirt-engine-extension-aaa-ldap-1.0.2-1.el7', License: 'ASL 2.0',
>>> Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface
>>> Version: '0',  File:
>>> '/etc/ovirt-engine/extensions.d/corp-authz.properties', Initialized:
>>> 'true'
>>> 2015-09-11 12:01:35,230 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Instance name: 'internal', Extension name: 'Internal Authz
>>> (Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home:
>>> 'http://www.ovirt.org', Author 'The oVirt Project', Build interface
>>> Version: '0',  File: 'N/A', Initialized: 'true'
>>> 2015-09-11 12:01:35,231 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) End of enabled extensions list
>>
>> Versions:
>> ovirt engine 3.5.4
>> AD: Windows Server 2012r2
>>
>> Please let me know if you need further logs.
>>
>> Thanks,
>>
>> [readme.md]
>> https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/blob/master/README
>> --
>>
>> Daniel Helgenberger
>> m box bewegtbild GmbH
>>
>> P: +49/30/2408781-22
>> F: +49/30/2408781-10
>>
>> ACKERSTR. 19
>> D-10115 BERLIN
>>
>>
>> www.m-box.de www.monkeymen.tv
>>
>> Geschäftsführer: Martin Retschitzegger / Michaela Göllner
>> Handelsregister: Amtsgericht Charlottenburg / HRB 112767
>> _______________________________________________
>> Users mailing list
>> Users at ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>>
>

-- 
Daniel Helgenberger
m box bewegtbild GmbH

P: +49/30/2408781-22
F: +49/30/2408781-10

ACKERSTR. 19
D-10115 BERLIN


www.m-box.de  www.monkeymen.tv

Geschäftsführer: Martin Retschitzegger / Michaela Göllner
Handelsregister: Amtsgericht Charlottenburg / HRB 112767
-------------- next part --------------
A non-text attachment was scrubbed...
Name: aaa-ldap-egnine.log.xz
Type: application/x-xz
Size: 29048 bytes
Desc: aaa-ldap-egnine.log.xz
URL: <http://lists.ovirt.org/pipermail/users/attachments/20150911/6e7fbdaf/attachment-0001.xz>
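The thread above wires an Authn extension to an Authz extension through `ovirt.engine.aaa.authn.authz.plugin` and a shared profile file, and the failing login reports the principal the extension could not search for. The script below is an added example, not oVirt project code and not the extension's own parser: it reads extension `.properties` files with a minimal key/value parser, checks that the authn/authz pair is consistent (class matches `provides`, the authz plugin name refers to a loaded extension that provides Authz, both sides use the same profile file), and extracts the principal from a "No search for principal" log message to compare its realm against the profile's `vars.domain`. The sample files and the log fragment are constructed from what is quoted in the thread; mailman renders `@` as ` at `, which the regex tolerates. A realm mismatch is reported as something for the operator to confirm, not as a diagnosis: in the anonymised excerpt the principal shows `int.corp.com` against `vars.domain = int.corp.de`.

```python
import re

# Constructed sample: the two extension files quoted in the thread, keyed by filename.
EXTENSION_FILES = {
    "corp-authn.properties": """
ovirt.engine.extension.name = corp-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = corp
ovirt.engine.aaa.authn.authz.plugin = corp-authz
config.profile.file.1 = ../aaa/corp.properties
""",
    "corp-authz.properties": """
ovirt.engine.extension.name = corp-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = ../aaa/corp.properties
""",
}

# Constructed excerpt of the profile (../aaa/corp.properties) shown in the thread.
PROFILE_TEXT = """
include = <ad.properties>
vars.domain = int.corp.de
vars.user = bind@${global:vars.domain}
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
"""

# Constructed engine.log fragment; the list archive renders '@' as ' at '.
LOG_LINE = "EXTENSION_INVOKE_MESSAGE=No search for principal 'administrator at int.corp.com'"

GLOBAL_REF = re.compile(r"\$\{global:([^}]+)\}")
PRINCIPAL_RE = re.compile(r"No search for principal '([^'@\s]+)(?:@| at )([^'\s]+)'")


def parse_properties(text):
    """Minimal Java-style properties parser: 'key = value', '#' comments, blank lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def resolve_globals(props):
    """Expand ${global:key} references the way the profile files use them (bounded depth)."""
    resolved = {}
    for key, value in props.items():
        for _ in range(5):  # bounded so a self-reference cannot loop forever
            new = GLOBAL_REF.sub(lambda m: props.get(m.group(1), m.group(0)), value)
            if new == value:
                break
            value = new
        resolved[key] = value
    return resolved


def check_extensions(files):
    """Return a list of findings about the authn/authz extension pairing (empty = consistent)."""
    exts, findings = {}, []
    for fname, text in files.items():
        p = parse_properties(text)
        name = p.get("ovirt.engine.extension.name")
        if not name:
            findings.append(f"{fname}: missing ovirt.engine.extension.name")
            continue
        exts[name] = p
    for name, p in exts.items():
        provides = p.get("ovirt.engine.extension.provides", "")
        cls = p.get("ovirt.engine.extension.binding.jbossmodule.class", "")
        kind = provides.rsplit(".", 1)[-1]  # "Authn" or "Authz"
        if kind not in ("Authn", "Authz"):
            findings.append(f"{name}: unexpected provides '{provides}'")
            continue
        if not cls.endswith(kind + "Extension"):
            findings.append(f"{name}: class '{cls}' does not match provides '{kind}'")
        if kind == "Authn":
            if "ovirt.engine.aaa.authn.profile.name" not in p:
                findings.append(f"{name}: no ovirt.engine.aaa.authn.profile.name (login profile)")
            authz = p.get("ovirt.engine.aaa.authn.authz.plugin")
            target = exts.get(authz)
            if target is None:
                findings.append(f"{name}: authz plugin '{authz}' is not a loaded extension name")
            else:
                if not target.get("ovirt.engine.extension.provides", "").endswith(".Authz"):
                    findings.append(f"{name}: authz plugin '{authz}' does not provide Authz")
                if p.get("config.profile.file.1") != target.get("config.profile.file.1"):
                    findings.append(f"{name}/{authz}: authn and authz use different profile files")
    return findings


def principal_from_log(line):
    """Extract (user, realm) from a 'No search for principal' message, or None."""
    m = PRINCIPAL_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


def check_principal(line, profile_text):
    """Flag a principal whose realm differs from the profile's vars.domain (case-insensitive)."""
    prof = resolve_globals(parse_properties(profile_text))
    hit = principal_from_log(line)
    if hit is None:
        return []
    user, realm = hit
    domain = prof.get("vars.domain", "")
    if realm.lower() != domain.lower():
        return [f"principal realm '{realm}' for '{user}' differs from vars.domain '{domain}'"]
    return []


if __name__ == "__main__":
    for f in check_extensions(EXTENSION_FILES) + check_principal(LOG_LINE, PROFILE_TEXT):
        print("FINDING:", f)
```

Run against the constructed input, the extension pairing passes and the only finding is the realm mismatch between the logged principal and `vars.domain`; pointing `EXTENSION_FILES` and `PROFILE_TEXT` at the real files under `/etc/ovirt-engine/extensions.d/` and `/etc/ovirt-engine/aaa/` turns it into a quick pre-restart check.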