[ovirt-users] LDAP Authentication

Ondra Machacek omachace at redhat.com
Wed Sep 23 07:18:16 UTC 2015


Hi,

your user nbudoor at abc.net doesn't have appropriate permissions to log in.
First you need to log in as 'admin at internal' and assign him some
permissions, then you will be able to log in.

Ondra

On 09/23/2015 09:15 AM, Budur Nagaraju wrote:
> HI All,
>
> After rectifying this, I am able to search the domain users in the UI,
> but unable to log in; I get the error below:
>
>
> 2015-09-23 12:41:47,482 WARN
> [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
> (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed
> for user nbudoor at abc.net. Reasons:
> USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
>
> Thanks,
> Nagaraju
>
>
>
>
>
> On Wed, Sep 23, 2015 at 12:13 PM, Ondra Machacek <omachace at redhat.com> wrote:
>
>     Hi,
>
>     as Alon already said, you have a trailing space in your configuration:
>
>     'my.abc.net ' <-- space at the end
>
>     Please remove this space and try again.
>
>     Ondra
>
>
>     On 09/23/2015 05:35 AM, Budur Nagaraju wrote:
>>     HI Alon,
>>
>>     Tried all the options but no luck.
>>
>>     I have copied the logs to pastebin; below is the link.
>>     The warning message is that it is unable to resolve the DNS. Let me know,
>>     any help I can get is welcome.
>>
>>     http://pastebin.com/7qN9QnHK
>>
>>     Thanks,
>>     Nagaraju
>>
>>
>>     On Tue, Sep 22, 2015 at 8:44 PM, Daniel Helgenberger
>>     <daniel.helgenberger at m-box.de> wrote:
>>
>>         Hello Budur,
>>
>>         I've done this recently. Alon, no offense, but the docs are
>>         not quite straightforward...
>>
>>         Requirements:
>>          - LDAP server (obviously) - called here ldap.mydomain.com
>>          - LDAP bind account - called here ldap at mydomain.com, password 'Passw at rd'
>>          - At least one existing account in LDAP, called user at mydomain.com
>>
>>         Please note, the most common issue will be DNS.
>>
>>         I'll describe in short what steps need to be taken. All this
>>         needs to be done on your engine host. In the end this was
>>         quite easy :)
>>
>>         1. Install the packages: ovirt-engine-extension-aaa-ldap and
>>         openldap-clients (these are only for testing your setup)
>>         2. Test if ldap is working in general. (The extension uses
>>         the global catalog at least for AD, this was news to me):
>>           # ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H ldap://ldap.mydomain.com:3268/ -x \
>>               -D 'ldap@mydomain.com' -w 'Passw@rd' -b '' '(userPrincipalName=user@mydomain.com)' cn userPrincipalName
>>
>>           If this command does not return details of the user, do
>>         debug your ldap and continue once this works. Example:
>>
>>         # extended LDIF
>>         #
>>         # LDAPv3
>>         # base <> with scope subtree
>>         # filter: (userPrincipalName=user@mydomain.com)
>>         # requesting: cn userPrincipalName
>>         # with pagedResults control: size=1024
>>         #
>>
>>         # Some Name, some-ou, mydomain.com
>>         dn: CN=Some Name,OU=some-ou,DC=mydomain,DC=com
>>         cn: Some Name
>>         userPrincipalName: user@mydomain.com
>>
>>         # search result
>>         search: 2
>>         result: 0 Success
>>         control: 1.2.840.113556.1.4.319 false MIQXGSGSGSgEABAA=
>>         pagedresults: cookie=
>>
>>         # numResponses: 2
>>         # numEntries: 1
>>
>>
>>         3. Copy the examples as mentioned from the readme.
>>         4. You only need to modify
>>         /etc/ovirt-engine/aaa/int.m-box.de.properties; leave the rest
>>         as is.
>>         5. There, set:
>>
>>           vars.domain = ldap.mydomain.com
>>           vars.user = ldap@${global:vars.domain}
>>           vars.password = Passw@rd
>>
>>         6. Restart ovirt engine service
>>         7. Log in as admin at internal and add user rights and roles
>>         from the new provider
>>
>>         Hope this helps.
>>
>>         On 22.09.2015 16:46, Budur Nagaraju wrote:
>>         >
>>         > below are the three files which I have modified.
>>         >
>>         >
>>         > [root at cstlb2 extensions.d]# cat profile1-authn.properties
>>         > ovirt.engine.extension.name = cloudspin-authn
>>         > ovirt.engine.extension.bindings.method = jbossmodule
>>         > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>>         > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
>>         > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
>>         > ovirt.engine.aaa.authn.profile.name = cloudspin
>>         > ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth
>>         > config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
>>         >
>>         >
>>         > [root at cstlb2 extensions.d]# ls
>>         > profile1-authn.properties profile1-authz.properties
>>         > [root at cstlb2 extensions.d]# cat profile1-authz.properties
>>         > ovirt.engine.extension.name = cloudspin-authz
>>         > ovirt.engine.extension.bindings.method = jbossmodule
>>         > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>>         > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
>>         > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
>>         > config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
>>         > [root at cstlb2 extensions.d]#
>>         >
>>         >
>>         >
>>         > [root at cstlb2 aaa]# pwd
>>         > /etc/ovirt-engine/aaa
>>         > [root at cstlb2 aaa]# ls
>>         > ldap1.properties
>>         > [root at cstlb2 aaa]# cat ldap1.properties
>>         > #
>>         > # Select one
>>         > #
>>         > include = <openldap.properties>
>>         > #include = <389ds.properties>
>>         > #include = <rhds.properties>
>>         > #include = <ipa.properties>
>>         > #include = <iplanet.properties>
>>         > #include = <rfc2307.properties>
>>         > #include = <rfc2307-openldap.properties>
>>         >
>>         > #
>>         > # Server
>>         > #
>>         > vars.server = my.abc.net 
>>         >
>>         > #
>>         > # Search user and its password.
>>         > #
>>         > vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=nbudoor,dc=net
>>         > vars.password = company
>>         >
>>         > pool.default.serverset.single.server = ${global:vars.server}
>>         > pool.default.auth.simple.bindDN = ${global:vars.user}
>>         > pool.default.auth.simple.password = ${global:vars.password}
>>         >
>>         > # Create keystore, import certificate chain and uncomment
>>         > # if using ssl/tls.
>>         > #pool.default.ssl.startTLS = true
>>         > #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
>>         > #pool.default.ssl.truststore.password = changeit
>>         > [root at cstlb2 aaa]#
>>         >
>>         >
>>         >
>>         >
>>         >
>>         >
>>         > On Tue, Sep 22, 2015 at 8:07 PM, Alon Bar-Lev <alonbl at redhat.com> wrote:
>>         >
>>         >
>>         >
>>         >     ----- Original Message -----
>>         >     > From: "Budur Nagaraju" <nbudoor at gmail.com>
>>         >     > To: "Alon Bar-Lev" <alonbl at redhat.com>
>>         >     > Cc: users at ovirt.org
>>         >     > Sent: Tuesday, September 22, 2015 5:35:16 PM
>>         >     > Subject: Re: [ovirt-users] LDAP Authentication
>>         >     >
>>         >     > It's too complicated. Do you have any script or video?
>>         >
>>         >     in 3.6 we have a setup script.
>>         >     for now:
>>         >
>>         >     cp -r /usr/share/ovirt-engine/examples/simple/. /etc/ovirt-engine/
>>         >
>>         >     this is written in the README.
>>         >
>>         >     then customize files at /etc/ovirt-engine/extensions.d/*
>>         >     /etc/ovirt-engine/aaa/* to match your setup
>>         >
>>         >     >
>>         >     >
>>         >     > On Tue, Sep 22, 2015 at 8:00 PM, Alon Bar-Lev <alonbl at redhat.com> wrote:
>>         >     >
>>         >     > >
>>         >     > >
>>         >     > > ----- Original Message -----
>>         >     > > > From: "Budur Nagaraju" <nbudoor at gmail.com>
>>         >     > > > To: "Alon Bar-Lev" <alonbl at redhat.com>
>>         >     > > > Cc: users at ovirt.org
>>         >     > > > Sent: Tuesday, September 22, 2015 5:24:36 PM
>>         >     > > > Subject: Re: [ovirt-users] LDAP Authentication
>>         >     > > >
>>         >     > > > HI Alon,
>>         >     > > >
>>         >     > > > Below is the configuration which I have done, but I am
>>         >     > > > unable to search the users in the UI.
>>         >     > > > Can you please help me?
>>         >     > >
>>         >     > > you need three files, see the
>>         >     > > /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple
>>         >     > >
>>         >     > > >
>>         >     > > >
>>         >     > > > [root at cstlb2 aaa]# cat ldap1.properties
>>         >     > > > #
>>         >     > > > # Select one
>>         >     > > > #
>>         >     > > > include = <openldap.properties>
>>         >     > > > #include = <389ds.properties>
>>         >     > > > #include = <rhds.properties>
>>         >     > > > #include = <ipa.properties>
>>         >     > > > #include = <iplanet.properties>
>>         >     > > > #include = <rfc2307.properties>
>>         >     > > > #include = <rfc2307-openldap.properties>
>>         >     > > >
>>         >     > > > #
>>         >     > > > # Server
>>         >     > > > #
>>         >     > > > vars.server =my.abc.net
>>         >     > > >
>>         >     > > > #
>>         >     > > > # Search user and its password.
>>         >     > > > #
>>         >     > > > vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=abc,dc=net
>>         >     > > > vars.password = company1
>>         >     > > >
>>         >     > > > pool.default.serverset.single.server = ${global:vars.server}
>>         >     > > > pool.default.auth.simple.bindDN = ${global:vars.user}
>>         >     > > > pool.default.auth.simple.password = ${global:vars.password}
>>         >     > > >
>>         >     > > > # Create keystore, import certificate chain and uncomment
>>         >     > > > # if using ssl/tls.
>>         >     > > > #pool.default.ssl.startTLS = true
>>         >     > > > #pool.default.ssl.truststore.file =
>>         >     > > > ${local:_basedir}/${global:vars.server}.jks
>>         >     > > > #pool.default.ssl.truststore.password = changeit
>>         >     > > > [root at cstlb2 aaa]#
>>         >     > > >
>>         >     > > >
>>         >     > > >
>>         >     > > > On Tue, Sep 22, 2015 at 7:25 PM, Alon Bar-Lev <alonbl at redhat.com> wrote:
>>         >     > > >
>>         >     > > > >
>>         >     > > > >
>>         >     > > > > ----- Original Message -----
>>         >     > > > > > From: "Budur Nagaraju" <nbudoor at gmail.com>
>>         >     > > > > > To: users at ovirt.org
>>         >     > > > > > Sent: Tuesday, September 22, 2015 4:34:46 PM
>>         >     > > > > > Subject: [ovirt-users] LDAP Authentication
>>         >     > > > > >
>>         >     > > > > > HI All,
>>         >     > > > > >
>>         >     > > > > > Can someone help me in configuring LDAP authentication for oVirt?
>>         >     > > > >
>>         >     > > > > Please review:
>>         >     > > > > http://www.ovirt.org/Features/AAA
>>         >     > > > > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0
>>         >     > > > >
>>         >     > > >
>>         >     > >
>>         >     >
>>         >
>>         >
>>
>>         --
>>         Daniel Helgenberger
>>         m box bewegtbild GmbH
>>
>>         P: +49/30/2408781-22
>>         F: +49/30/2408781-10
>>
>>         ACKERSTR. 19
>>         D-10115 BERLIN
>>
>>
>>         www.m-box.de www.monkeymen.tv
>>
>>         Managing directors: Martin Retschitzegger / Michaela Göllner
>>         Commercial register: Amtsgericht Charlottenburg / HRB 112767
>>
>>
>>
>>
>>     _______________________________________________
>>     Users mailing list
>>     Users at ovirt.org
>>     http://lists.ovirt.org/mailman/listinfo/users
>
>
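Two things went wrong in this thread that a quick check of the profile file would have caught before restarting the engine: the trailing space in vars.server (which java.util.Properties keeps verbatim, so the engine tried to resolve the host "my.abc.net ") and a search-account password configured while the StartTLS lines were still commented out, so the simple bind goes over the wire in clear text. The linter below is an added example written for this page, not code from the oVirt project or from anyone in the thread. It assumes that a ${global:key} reference can be resolved against the keys of the same profile file (good enough for a single-file check), that pool.default.ssl.enable is the LDAPS switch that sits beside the pool.default.ssl.startTLS key shown above (from the extension's README as I remember it, not from this page), and it works on a sample profile constructed here from the ldap1.properties posted in the thread, including the deliberate trailing space.

```python
"""Lint an ovirt-engine-extension-aaa-ldap profile (/etc/ovirt-engine/aaa/*.properties)
for the mistakes discussed in the thread: trailing whitespace in values, a missing or
duplicated `include`, unresolved ${global:...} references, and a bind password
configured while neither StartTLS nor LDAPS is enabled."""
import re
from typing import Dict, List, Tuple

REF = re.compile(r"\$\{global:([^}]+)\}")

# Constructed sample modelled on the thread's ldap1.properties (not the page's file verbatim).
SAMPLE = "\n".join([
    "#",
    "# Select one",
    "#",
    "include = <openldap.properties>",
    "#include = <389ds.properties>",
    "",
    "#",
    "# Server",
    "#",
    "vars.server = my.abc.net" + " ",   # the trailing space that broke DNS in the thread
    "",
    "#",
    "# Search user and its password.",
    "#",
    "vars.user = uid=search,cn=nbudoor,cn=users,dc=abc,dc=net",
    "vars.password = company1",
    "",
    "pool.default.serverset.single.server = ${global:vars.server}",
    "pool.default.auth.simple.bindDN = ${global:vars.user}",
    "pool.default.auth.simple.password = ${global:vars.password}",
    "",
    "# Create keystore, import certificate chain and uncomment",
    "# if using ssl/tls.",
    "#pool.default.ssl.startTLS = true",
    "#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks",
    "#pool.default.ssl.truststore.password = changeit",
]) + "\n"


def parse_properties(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse `key = value` lines the way java.util.Properties does for what matters
    here: '#' and '!' lines are comments, whitespace around '=' and before the value
    is dropped, but whitespace at the END of a value is kept.  Returns the last value
    seen per key plus the list of active `include` targets."""
    props: Dict[str, str] = {}
    includes: List[str] = []
    for raw in text.splitlines():
        line = raw.lstrip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = line.split("=", 1)   # DNs contain '=', so split only once
        key = key.strip()
        value = value.lstrip()            # trailing whitespace deliberately preserved
        if key == "include":
            includes.append(value.strip())
        else:
            props[key] = value
    return props, includes


def resolve(value: str, props: Dict[str, str]) -> str:
    """Expand ${global:key} references.  Assumption: for a single-file lint the
    file's own keys stand in for the global namespace.  Unknown references are
    left in place so the caller can report them; ${local:...} is never touched."""
    for _ in range(5):   # bounded loop so chained references expand but cycles terminate
        new = REF.sub(lambda m: props.get(m.group(1), m.group(0)), value)
        if new == value:
            break
        value = new
    return value


def lint(text: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means the profile is clean."""
    props, includes = parse_properties(text)
    findings: List[str] = []
    if len(includes) != 1:
        findings.append(f"include: expected exactly one active include, found {len(includes)}")
    for key, value in props.items():
        if value != value.rstrip():
            findings.append(f"{key}: value {value!r} has trailing whitespace; the engine keeps it verbatim")
    server = resolve(props.get("pool.default.serverset.single.server", ""), props)
    if not server:
        findings.append("pool.default.serverset.single.server: not set")
    elif REF.search(server):
        findings.append(f"pool.default.serverset.single.server: unresolved reference in {server!r}")
    elif server != server.strip():
        findings.append(f"pool.default.serverset.single.server resolves to {server!r}; DNS lookup of that name will fail")
    password = resolve(props.get("pool.default.auth.simple.password", ""), props)
    starttls = props.get("pool.default.ssl.startTLS", "").strip().lower() == "true"
    ldaps = props.get("pool.default.ssl.enable", "").strip().lower() == "true"
    if password and not (starttls or ldaps):
        findings.append("pool.default.auth.simple.password: bind password is sent in clear text "
                        "(enable pool.default.ssl.startTLS or pool.default.ssl.enable and configure the truststore)")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Run it against the real file with lint(open("/etc/ovirt-engine/aaa/ldap1.properties").read()) on the engine host. Two related caveats from the ldapsearch step above: passing the bind password with -w puts it in the process list and shell history (use -W to be prompted instead), and the same password, once it is in vars.password, is only as safe as the file's permissions, so keep the profile readable by the ovirt user only.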
