[ovirt-users] Extension aaa: No search for principal
Daniel Helgenberger
daniel.helgenberger at m-box.de
Fri Sep 11 14:33:21 UTC 2015
sorry, forgot one:
On 11.09.2015 12:48, Alon Bar-Lev wrote:
> Hi!
>
> Thank you for the information, for some reason the administrator user cannot be resolved to userPrincipalName during login, is it specific for Administrator or any user?
This is the default domain administrator account which exists in any
forest. But just in case I created a new domain user just for the
purpose; same outcome.
>
> Can you please attach the extension configuration for both authn/authz as well?
>
> I will also need debug log with ALL level, see [1] for instructions.
>
> Thanks!
> Alon
>
> [1] https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0#l377
>
> ----- Original Message -----
>> From: "Daniel Helgenberger" <daniel.helgenberger at m-box.de>
>> To: Users at ovirt.org
>> Sent: Friday, September 11, 2015 1:28:10 PM
>> Subject: [ovirt-users] Extension aaa: No search for principal
>>
>> Hello,
>>
>> I am stuck in configuring ovirt-engine-extension-aaa-ldap with AD for
>> ovirt 3.5.4. I am following the [readme.md] and so far it was quite
>> straightforward:
>>> include = <ad.properties>
>>>
>>> #
>>> # Active directory domain name.
>>> #
>>> vars.domain = int.corp.de
>>>
>>> #
>>> # Search user and its password.
>>> #
>>> vars.user = bind@${global:vars.domain}
>>> vars.password = [redacted]
>>>
>>> #
>>> # Optional DNS servers, if enterprise
>>> # DNS server cannot resolve the domain srvrecord.
>>> #
>>> #vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}
>>>
>>> pool.default.serverset.type = srvrecord
>>> pool.default.serverset.srvrecord.domain = ${global:vars.domain}
>>> pool.default.auth.simple.bindDN = ${global:vars.user}
>>> pool.default.auth.simple.password = ${global:vars.password}
>>>
>>> # Uncomment if using custom DNS
>>> #pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
>>> #pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
>>>
>>> # Create keystore, import certificate chain and uncomment
>>> # if using ssl/tls.
>>> #pool.default.ssl.startTLS = true
>>> #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.domain}.jks
>>> #pool.default.ssl.truststore.password = changeit
>>
>>
>>
>> The config seems to work; at least the domain and binddn part. I can
>> browse and add users to ovirt as suggested in step (3). All quotes are
>> from engine.log:
>>
>>> 2015-09-11 11:54:50,261 INFO
>>> [org.ovirt.engine.core.bll.AddSystemPermissionCommand]
>>> (org.ovirt.thread.pool-8-thread-24) [73bff0e9] Running command:
>>> AddSystemPermissionCommand internal: false. Entities affected : ID:
>>> aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group
>>> MANIPULATE_PERMISSIONS with role type USER, ID:
>>> aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group
>>> ADD_USERS_AND_GROUPS_FROM_DIRECTORY with role type USER
>>> 2015-09-11 11:54:50,268 INFO
>>> [org.ovirt.engine.core.bll.aaa.AddUserCommand]
>>> (org.ovirt.thread.pool-8-thread-24) [21867e72] Running command:
>>> AddUserCommand internal: true. Entities affected : ID:
>>> aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group
>>> MANIPULATE_USERS with role type ADMIN
>>> 2015-09-11 11:54:50,301 INFO
>>> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>>> (org.ovirt.thread.pool-8-thread-24) [21867e72] Correlation ID: 21867e72,
>>> Call Stack: null, Custom Event ID: -1, Message: User 'Administrator' was
>>> added successfully to the system.
>>> 2015-09-11 11:54:50,379 INFO
>>> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>>> (org.ovirt.thread.pool-8-thread-24) [21867e72] Correlation ID: 73bff0e9,
>>> Call Stack: null, Custom Event ID: -1, Message: User/Group Administrator
>>> was granted permission for Role SuperUser on System by admin at internal.
>>
>> Yet, when logging in as a user administrator I get:
>>
>>> {Extkey[name=EXTENSION_INVOKE_RESULT;type=class
>>> java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2,
>>> Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class
>>> java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=No
>>> search for principal 'administrator at int.corp.com'}
>>
>> Followed by a java stack trace.
>> I did not find any configurable search path.
>>
>> The config seems to load:
>>> 2015-09-11 12:01:34,897 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Loading extension 'builtin-authn-internal'
>>> 2015-09-11 12:01:34,903 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Extension 'builtin-authn-internal' loaded
>>> 2015-09-11 12:01:34,905 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Loading extension 'internal'
>>> 2015-09-11 12:01:34,907 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Extension 'internal' loaded
>>> 2015-09-11 12:01:34,919 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Loading extension 'corp-authn'
>>> 2015-09-11 12:01:34,967 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Extension 'corp-authn' loaded
>>> 2015-09-11 12:01:34,971 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Loading extension 'corp-authz'
>>> 2015-09-11 12:01:34,981 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Extension 'corp-authz' loaded
>>> 2015-09-11 12:01:34,982 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Initializing extension 'corp-authn'
>>> 2015-09-11 12:01:34,983 INFO
>>> [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-2)
>>> [ovirt-engine-extension-aaa-ldap.authn::corp-authn] Creating LDAP pool
>>> 'authz'
>>> 2015-09-11 12:01:35,120 INFO
>>> [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-2)
>>> [ovirt-engine-extension-aaa-ldap.authn::corp-authn] Creating LDAP pool
>>> 'authn'
>>> 2015-09-11 12:01:35,159 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Extension 'corp-authn' initialized
>>> 2015-09-11 12:01:35,160 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Initializing extension 'builtin-authn-internal'
>>> 2015-09-11 12:01:35,161 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Extension 'builtin-authn-internal' initialized
>>> 2015-09-11 12:01:35,162 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Initializing extension 'corp-authz'
>>> 2015-09-11 12:01:35,162 INFO
>>> [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-2)
>>> [ovirt-engine-extension-aaa-ldap.authz::corp-authz] Creating LDAP pool
>>> 'authz'
>>> 2015-09-11 12:01:35,185 INFO
>>> [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-2)
>>> [ovirt-engine-extension-aaa-ldap.authz::corp-authz] Creating LDAP pool
>>> 'gc'
>>> 2015-09-11 12:01:35,222 INFO
>>> [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread
>>> 1-2) [ovirt-engine-extension-aaa-ldap.authz::corp-authz] Available
>>> Namespaces: [DC=int,DC=corp,DC=de]
>>> 2015-09-11 12:01:35,223 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Extension 'corp-authz' initialized
>>> 2015-09-11 12:01:35,224 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Initializing extension 'internal'
>>> 2015-09-11 12:01:35,224 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Extension 'internal' initialized
>>> 2015-09-11 12:01:35,225 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Start of enabled extensions list
>>> 2015-09-11 12:01:35,225 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Instance name: 'corp-authn', Extension name:
>>> 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.0.2', Notes: 'Display
>>> name: ovirt-engine-extension-aaa-ldap-1.0.2-1.el7', License: 'ASL 2.0',
>>> Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface
>>> Version: '0', File:
>>> '/etc/ovirt-engine/extensions.d/corp-authn.properties', Initialized:
>>> 'true'
>>> 2015-09-11 12:01:35,227 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Instance name: 'builtin-authn-internal', Extension name:
>>> 'Internal Authn (Built-in)', Version: 'N/A', Notes: '', License: 'ASL
>>> 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build
>>> interface Version: '0', File: 'N/A', Initialized: 'true'
>>> 2015-09-11 12:01:35,228 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Instance name: 'corp-authz', Extension name:
>>> 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.0.2', Notes: 'Display
>>> name: ovirt-engine-extension-aaa-ldap-1.0.2-1.el7', License: 'ASL 2.0',
>>> Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface
>>> Version: '0', File:
>>> '/etc/ovirt-engine/extensions.d/corp-authz.properties', Initialized:
>>> 'true'
>>> 2015-09-11 12:01:35,230 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) Instance name: 'internal', Extension name: 'Internal Authz
>>> (Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home:
>>> 'http://www.ovirt.org', Author 'The oVirt Project', Build interface
>>> Version: '0', File: 'N/A', Initialized: 'true'
>>> 2015-09-11 12:01:35,231 INFO
>>> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
>>> thread 1-2) End of enabled extensions list
>>
>> Versions:
>> ovirt engine 3.5.4
>> AD: Windows Server 2012r2
>>
>> Please let me know if you need further logs.
>>
>> Thanks,
>>
>> [readme.md]
>> https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/blob/master/README
--
Daniel Helgenberger
m box bewegtbild GmbH
P: +49/30/2408781-22
F: +49/30/2408781-10
ACKERSTR. 19
D-10115 BERLIN
www.m-box.de www.monkeymen.tv
Managing directors: Martin Retschitzegger / Michaela Göllner
Commercial register: Amtsgericht Charlottenburg / HRB 112767
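Added example, not part of the thread and not code from the oVirt project: a small Python check that parses the properties file quoted above, expands the `${global:...}` references, and compares the UPN suffix of the principal named in the "No search for principal" message with `vars.domain` and with the namespaces the authz extension logged. The sample properties and log lines are constructed from the ones in the message (the archive printed the principal's `@` as " at "; the sample restores it). The expansion rule, the namespace-to-domain mapping and the `", "` separator between namespaces are my simplifying assumptions, not the extension's actual parser. The point of the check: before touching search settings, confirm that the suffix users log in with is one the extension can actually map to a configured namespace.

```python
import re

# Constructed sample: the authn properties quoted in the thread, reduced to
# the keys that matter for bind and server discovery.
SAMPLE_PROPERTIES = """\
include = <ad.properties>
#
# Active directory domain name.
#
vars.domain = int.corp.de
vars.user = bind@${global:vars.domain}
vars.password = [redacted]
#vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
"""

# Constructed sample engine.log excerpt modelled on the thread's lines
# (the list archive rewrote '@' as ' at '; a real log carries '@').
SAMPLE_LOG = """\
2015-09-11 12:01:35,222 INFO [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread 1-2) [ovirt-engine-extension-aaa-ldap.authz::corp-authz] Available Namespaces: [DC=int,DC=corp,DC=de]
{Extkey[name=EXTENSION_INVOKE_RESULT;type=class java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2, Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=No search for principal 'administrator@int.corp.com'}
"""

# Assumed reference syntax: only the ${global:NAME} scope is expanded here.
_REF = re.compile(r"\$\{global:([^}]+)\}")


def parse_properties(text):
    """Parse 'key = value' lines; '#' comments and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def resolve(props, key, _depth=0):
    """Return the value of key with ${global:NAME} references expanded
    recursively; references to unknown keys are left untouched."""
    if _depth > 10:  # guard against a value that refers back to itself
        raise ValueError("reference loop while resolving %r" % key)

    def expand(match):
        name = match.group(1)
        return resolve(props, name, _depth + 1) if name in props else match.group(0)

    return _REF.sub(expand, props[key])


def namespace_to_domain(namespace):
    """'DC=int,DC=corp,DC=de' -> 'int.corp.de' (non-DC components ignored)."""
    parts = [p.split("=", 1)[1].strip() for p in namespace.split(",")
             if p.strip().upper().startswith("DC=")]
    return ".".join(parts).lower()


def extract_namespaces(log):
    """Pull the 'Available Namespaces' list out of an engine.log excerpt."""
    m = re.search(r"Available Namespaces: \[([^\]]*)\]", log)
    if not m or not m.group(1).strip():
        return []
    return [ns.strip() for ns in m.group(1).split(", ")]


def extract_failed_principal(log):
    """Return the principal named in a 'No search for principal' message."""
    m = re.search(r"No search for principal '([^']+)'", log)
    return m.group(1) if m else None


def check_principal(principal, props, namespaces):
    """Compare the UPN suffix of a login principal with vars.domain and with
    the namespaces authz reported; returns the findings as a dict."""
    user, sep, suffix = principal.partition("@")
    suffix = suffix.lower()
    configured = resolve(props, "vars.domain").lower()
    by_domain = {namespace_to_domain(ns): ns for ns in namespaces}
    return {
        "user": user,
        "suffix": suffix if sep else None,
        "configured_domain": configured,
        "matches_configured_domain": bool(sep) and suffix == configured,
        "matching_namespace": by_domain.get(suffix) if sep else None,
    }


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print("bindDN resolves to:", resolve(props, "pool.default.auth.simple.bindDN"))
    result = check_principal(extract_failed_principal(SAMPLE_LOG), props,
                             extract_namespaces(SAMPLE_LOG))
    for key, value in result.items():
        print("%-27s %s" % (key + ":", value))
```

Run against the constructed sample, the bind DN expands to `bind@int.corp.de` while the failing principal carries the suffix `int.corp.com`, which matches neither `vars.domain` nor the single reported namespace `DC=int,DC=corp,DC=de`; a real engine.log and the live properties file can be fed in the same way.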