[ovirt-users] LDAP Authentication

Ondra Machacek omachace at redhat.com
Wed Sep 23 07:24:10 UTC 2015


With UserRole you can only log in to UserPortal, not webadmin. Do you 
have this issue when you try to log in to UserPortal?

On 09/23/2015 09:22 AM, Budur Nagaraju wrote:
> Provided the "user role" permissions; still the same issue.
>
> On Wed, Sep 23, 2015 at 12:48 PM, Ondra Machacek <omachace at redhat.com> wrote:
>
>     Hi,
>
>     your user nbudoor at abc.net doesn't have appropriate permissions to log in.
>     First you need to log in as 'admin at internal' and assign him some
>     permissions, then you will be able to log in.
>
>     Ondra
>
>
>     On 09/23/2015 09:15 AM, Budur Nagaraju wrote:
>>     HI All,
>>
>>     After rectifying this, I am able to search the domain in the users in the UI,
>>     but I am unable to log in and get the error below:
>>
>>
>>     2015-09-23 12:41:47,482 WARN
>>     [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
>>     (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser
>>     failed for user nbudoor at abc.net.
>>     Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
>>
>>     Thanks,
>>     Nagaraju
>>
>>
>>
>>
>>
>>     On Wed, Sep 23, 2015 at 12:13 PM, Ondra Machacek
>>     <omachace at redhat.com> wrote:
>>
>>         Hi,
>>
>>         as Alon already said, you have a trailing space in your
>>         configuration:
>>
>>         'my.abc.net ' <-- space at the end
>>
>>         Please remove this space and try again.
>>
>>         Ondra
>>
>>
>>         On 09/23/2015 05:35 AM, Budur Nagaraju wrote:
>>>         HI Alon,
>>>
>>>         Tried all the options but no luck.
>>>
>>>         I have copied the logs to pastebin; below is the link. The
>>>         warning message is that it is unable to resolve the DNS. Let me
>>>         know of any help I could get.
>>>
>>>         http://pastebin.com/7qN9QnHK
>>>
>>>         Thanks,
>>>         Nagaraju
>>>
>>>
>>>         On Tue, Sep 22, 2015 at 8:44 PM, Daniel Helgenberger
>>>         <daniel.helgenberger at m-box.de> wrote:
>>>
>>>             Hello Budur,
>>>
>>>             I've done this recently. Alon, no offense, but the docs
>>>             are not quite straightforward...
>>>
>>>             Requirements:
>>>              - LDAP server (obviously) - called here ldap.mydomain.com
>>>              - LDAP bind account - called here ldap at mydomain.com,
>>>                password 'Passw at rd'
>>>              - At least one existing account in LDAP, called
>>>                user at mydomain.com
>>>
>>>             Please note, the most common issue will be DNS.
>>>
>>>             I'll describe in short what steps need to be taken. All
>>>             this needs to be done on your engine host. In the end
>>>             this was quite easy :)
>>>
>>>             1. Install the packages: ovirt-engine-extension-aaa-ldap
>>>             and openldap-clients (these are only for testing your setup)
>>>             2. Test if LDAP is working in general. (The extension
>>>             uses the global catalog, at least for AD; this was news
>>>             to me):
>>>               # ldapsearch -E pr=1024/noprompt -o ldif-wrap=no \
>>>                   -H ldap://ldap.mydomain.com:3268/ -x \
>>>                   -D 'ldap at mydomain.com' -w Passw at rd -b '' \
>>>                   '(userPrincipalName=user at mydomain.com)' cn userPrincipalName
>>>
>>>               If this command does not return details of the user,
>>>             debug your LDAP and continue once this works. Example:
>>>
>>>             # extended LDIF
>>>             #
>>>             # LDAPv3
>>>             # base <> with scope subtree
>>>             # filter: (userPrincipalName=user at mydomain.com)
>>>             # requesting: cn userPrincipalName
>>>             # with pagedResults control: size=1024
>>>             #
>>>
>>>             # Some Name, some-ou, mydomain.com
>>>             dn: CN=Some Name,OU=some-ou,DC=mydomain,DC=com
>>>             cn: Some Name
>>>             userPrincipalName: user at mydomain.com
>>>
>>>             # search result
>>>             search: 2
>>>             result: 0 Success
>>>             control: 1.2.840.113556.1.4.319 false MIQXGSGSGSgEABAA=
>>>             pagedresults: cookie=
>>>
>>>             # numResponses: 2
>>>             # numEntries: 1
>>>
>>>
>>>             3. Copy the examples as mentioned from the readme.
>>>             4. You only need to modify
>>>             /etc/ovirt-engine/aaa/int.m-box.de.properties; leave the
>>>             rest as is.
>>>             5. There, set:
>>>
>>>               vars.domain = ldap.mydomain.com
>>>               vars.user = ldap@${global:vars.domain}
>>>               vars.password = Passw at rd
>>>
>>>             6. Restart ovirt engine service
>>>             7. Log in as admin at internal and add user rights and
>>>             roles from the new provider.
>>>
>>>             Hope this helps.
>>>
>>>             On 22.09.2015 16:46, Budur Nagaraju wrote:
>>>             >
>>>             > below are the three files which I have modified.
>>>             >
>>>             >
>>>             > [root at cstlb2 extensions.d]# cat profile1-authn.properties
>>>             > ovirt.engine.extension.name = cloudspin-authn
>>>             > ovirt.engine.extension.bindings.method = jbossmodule
>>>             > ovirt.engine.extension.binding.jbossmodule.module =
>>>             > org.ovirt.engine-extensions.aaa.ldap
>>>             > ovirt.engine.extension.binding.jbossmodule.class =
>>>             > org.ovirt.engineextensions.aaa.ldap.AuthnExtension
>>>             > ovirt.engine.extension.provides =
>>>             org.ovirt.engine.api.extensions.aaa.Authn
>>>             > ovirt.engine.aaa.authn.profile.name = cloudspin
>>>             > ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth
>>>             > config.profile.file.1 =
>>>             /etc/ovirt-engine/aaa/ldap1.properties
>>>             >
>>>             >
>>>             > [root at cstlb2 extensions.d]# ls
>>>             > profile1-authn.properties profile1-authz.properties
>>>             > [root at cstlb2 extensions.d]# cat profile1-authz.properties
>>>             > ovirt.engine.extension.name = cloudspin-authz
>>>             > ovirt.engine.extension.bindings.method = jbossmodule
>>>             > ovirt.engine.extension.binding.jbossmodule.module =
>>>             > org.ovirt.engine-extensions.aaa.ldap
>>>             > ovirt.engine.extension.binding.jbossmodule.class =
>>>             > org.ovirt.engineextensions.aaa.ldap.AuthzExtension
>>>             > ovirt.engine.extension.provides =
>>>             org.ovirt.engine.api.extensions.aaa.Authz
>>>             > config.profile.file.1 =
>>>             /etc/ovirt-engine/aaa/ldap1.properties
>>>             > [root at cstlb2 extensions.d]#
>>>             >
>>>             >
>>>             >
>>>             > [root at cstlb2 aaa]# pwd
>>>             > /etc/ovirt-engine/aaa
>>>             > [root at cstlb2 aaa]# ls
>>>             > ldap1.properties
>>>             > [root at cstlb2 aaa]# cat ldap1.properties
>>>             > #
>>>             > # Select one
>>>             > #
>>>             > include = <openldap.properties>
>>>             > #include = <389ds.properties>
>>>             > #include = <rhds.properties>
>>>             > #include = <ipa.properties>
>>>             > #include = <iplanet.properties>
>>>             > #include = <rfc2307.properties>
>>>             > #include = <rfc2307-openldap.properties>
>>>             >
>>>             > #
>>>             > # Server
>>>             > #
>>>             > vars.server = my.abc.net 
>>>             >
>>>             > #
>>>             > # Search user and its password.
>>>             > #
>>>             > vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=nbudoor,dc=net
>>>             > vars.password = company
>>>             >
>>>             > pool.default.serverset.single.server = ${global:vars.server}
>>>             > pool.default.auth.simple.bindDN = ${global:vars.user}
>>>             > pool.default.auth.simple.password = ${global:vars.password}
>>>             >
>>>             > # Create keystore, import certificate chain and uncomment
>>>             > # if using ssl/tls.
>>>             > #pool.default.ssl.startTLS = true
>>>             > #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
>>>             > #pool.default.ssl.truststore.password = changeit
>>>             > [root at cstlb2 aaa]#
>>>             >
>>>             >
>>>             >
>>>             >
>>>             >
>>>             >
>>>             > On Tue, Sep 22, 2015 at 8:07 PM, Alon Bar-Lev <alonbl at redhat.com> wrote:
>>>             >
>>>             >
>>>             >
>>>             >     ----- Original Message -----
>>>             >     > From: "Budur Nagaraju" <nbudoor at gmail.com>
>>>             >     > To: "Alon Bar-Lev" <alonbl at redhat.com>
>>>             >     > Cc: users at ovirt.org
>>>             >     > Sent: Tuesday, September 22, 2015 5:35:16 PM
>>>             >     > Subject: Re: [ovirt-users] LDAP Authentication
>>>             >     >
>>>             >     > its too complicated ,you have any script or video ?
>>>             >
>>>             >     in 3.6 we have a setup script.
>>>             >     for now:
>>>             >
>>>             >     cp -r /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple/. /etc/ovirt-engine/
>>>             >
>>>             >     this is written in the README.
>>>             >
>>>             >     then customize files at /etc/ovirt-engine/extensions.d/*
>>>             >     and /etc/ovirt-engine/aaa/* to match your setup
>>>             >
>>>             >     >
>>>             >     >
>>>             >     > On Tue, Sep 22, 2015 at 8:00 PM, Alon Bar-Lev <alonbl at redhat.com> wrote:
>>>             >     >
>>>             >     > >
>>>             >     > >
>>>             >     > > ----- Original Message -----
>>>             >     > > > From: "Budur Nagaraju" <nbudoor at gmail.com>
>>>             >     > > > To: "Alon Bar-Lev" <alonbl at redhat.com>
>>>             >     > > > Cc: users at ovirt.org
>>>             >     > > > Sent: Tuesday, September 22, 2015 5:24:36 PM
>>>             >     > > > Subject: Re: [ovirt-users] LDAP Authentication
>>>             >     > > >
>>>             >     > > > HI Alon,
>>>             >     > > >
>>>             >     > > > Below is the configuration which I have done,
>>>             >     > > > but I am unable to search the users in the UI.
>>>             >     > > > Can you please help me?
>>>             >     > >
>>>             >     > > you need three files, see
>>>             >     > > /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple
>>>             >     > >
>>>             >     > > >
>>>             >     > > >
>>>             >     > > > [root at cstlb2 aaa]# cat ldap1.properties
>>>             >     > > > #
>>>             >     > > > # Select one
>>>             >     > > > #
>>>             >     > > > include = <openldap.properties>
>>>             >     > > > #include = <389ds.properties>
>>>             >     > > > #include = <rhds.properties>
>>>             >     > > > #include = <ipa.properties>
>>>             >     > > > #include = <iplanet.properties>
>>>             >     > > > #include = <rfc2307.properties>
>>>             >     > > > #include = <rfc2307-openldap.properties>
>>>             >     > > >
>>>             >     > > > #
>>>             >     > > > # Server
>>>             >     > > > #
>>>             >     > > > vars.server =my.abc.net
>>>             >     > > >
>>>             >     > > > #
>>>             >     > > > # Search user and its password.
>>>             >     > > > #
>>>             >     > > > vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=abc,dc=net
>>>             >     > > > vars.password = company1
>>>             >     > > >
>>>             >     > > > pool.default.serverset.single.server = ${global:vars.server}
>>>             >     > > > pool.default.auth.simple.bindDN = ${global:vars.user}
>>>             >     > > > pool.default.auth.simple.password = ${global:vars.password}
>>>             >     > > >
>>>             >     > > > # Create keystore, import certificate chain and uncomment
>>>             >     > > > # if using ssl/tls.
>>>             >     > > > #pool.default.ssl.startTLS = true
>>>             >     > > > #pool.default.ssl.truststore.file =
>>>             >     > > > ${local:_basedir}/${global:vars.server}.jks
>>>             >     > > > #pool.default.ssl.truststore.password = changeit
>>>             >     > > > [root at cstlb2 aaa]#
>>>             >     > > >
>>>             >     > > >
>>>             >     > > >
>>>             >     > > > On Tue, Sep 22, 2015 at 7:25 PM, Alon Bar-Lev <alonbl at redhat.com> wrote:
>>>             >     > > >
>>>             >     > > > >
>>>             >     > > > >
>>>             >     > > > > ----- Original Message -----
>>>             >     > > > > > From: "Budur Nagaraju" <nbudoor at gmail.com>
>>>             >     > > > > > To: users at ovirt.org
>>>             >     > > > > > Sent: Tuesday, September 22, 2015 4:34:46 PM
>>>             >     > > > > > Subject: [ovirt-users] LDAP Authentication
>>>             >     > > > > >
>>>             >     > > > > > HI All,
>>>             >     > > > > >
>>>             >     > > > > > Can someone help me in configuring LDAP
>>>             >     > > > > > authentication for oVirt?
>>>             >     > > > >
>>>             >     > > > > Please review:
>>>             >     > > > > http://www.ovirt.org/Features/AAA
>>>             >     > > > > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0
>>>             >     > > > >
>>>             >     > > >
>>>             >     > >
>>>             >     >
>>>             >
>>>             >
>>>
>>>             --
>>>             Daniel Helgenberger
>>>             m box bewegtbild GmbH
>>>
>>>             P: +49/30/2408781-22
>>>             F: +49/30/2408781-10
>>>
>>>             ACKERSTR. 19
>>>             D-10115 BERLIN
>>>
>>>
>>>             www.m-box.de www.monkeymen.tv
>>>
>>>             Geschäftsführer: Martin Retschitzegger / Michaela Göllner
>>>             Handelsregister: Amtsgericht Charlottenburg / HRB 112767
>>>
>>>
>>>
>>>
>>>         _______________________________________________
>>>         Users mailing list
>>>         Users at ovirt.org
>>>         http://lists.ovirt.org/mailman/listinfo/users
>>
>>
>
>
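
The two configuration faults this thread turns on, a trailing space in a profile value and an authn file whose authz.plugin name does not match the authz extension, plus the commented-out StartTLS block that leaves the search-user password and every login in clear text, can all be caught before the engine is restarted. The script below is an added example written for this page; it is not part of the thread and not code from ovirt-engine-extension-aaa-ldap. It parses profile files in the key = value form the thread's files use, expands ${global:...} references the same way, and reports the problems above. The sample PROFILE, AUTHN and AUTHZ strings are constructed after the files Budur posted (trailing space and name mismatch kept on purpose); the key pool.default.ssl.enable is assumed from the extension's LDAPS examples and does not appear in this thread.

```python
"""Lint ovirt-engine-extension-aaa-ldap profile files before restarting
the engine.  Added example; not code from the thread or the extension."""
import re
from typing import Dict, List, Tuple

# Constructed profile: trailing space after the server name and the
# commented-out StartTLS kept exactly as in the posted ldap1.properties.
PROFILE = (
    "include = <openldap.properties>\n"
    "vars.server = my.abc.net \n"
    "vars.user = uid=search,cn=users,dc=abc,dc=net\n"
    "vars.password = company\n"
    "pool.default.serverset.single.server = ${global:vars.server}\n"
    "pool.default.auth.simple.bindDN = ${global:vars.user}\n"
    "pool.default.auth.simple.password = ${global:vars.password}\n"
    "#pool.default.ssl.startTLS = true\n"
    "#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks\n"
)
# Constructed authn/authz pair with the posted files' name mismatch
# ('cloudspin-auth' in authn vs 'cloudspin-authz' in authz).
AUTHN = (
    "ovirt.engine.extension.name = cloudspin-authn\n"
    "ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth\n"
    "config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties\n"
)
AUTHZ = (
    "ovirt.engine.extension.name = cloudspin-authz\n"
    "config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties\n"
)
_REF = re.compile(r"\$\{global:([^}]+)\}")


def parse_properties(text: str) -> Tuple[Dict[str, str], List[str]]:
    """'key = value' lines -> dict.  Whitespace before a value is dropped but
    whitespace after it is kept (how 'my.abc.net ' became the hostname), and
    every value with trailing whitespace is reported as a finding."""
    props: Dict[str, str] = {}
    findings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.lstrip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.lstrip()
        if value != value.rstrip():
            findings.append(f"line {lineno}: trailing whitespace in value of {key!r}")
        props[key] = value
    return props, findings


def resolve(props: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Expand ${global:key} references; ${local:_basedir} is left alone."""
    findings: List[str] = []

    def expand(value: str, depth: int = 0) -> str:
        if depth > 8:  # guard against a = ${global:a} loops
            findings.append("reference chain deeper than 8 levels")
            return value

        def sub(match):
            ref = match.group(1)
            if ref not in props:
                findings.append(f"reference to undefined key {ref!r}")
                return match.group(0)
            return expand(props[ref], depth + 1)
        return _REF.sub(sub, value)

    return {k: expand(v) for k, v in props.items()}, findings


def lint_profile(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return the effective (expanded) properties and a list of findings."""
    props, findings = parse_properties(text)
    resolved, more = resolve(props)
    findings += more

    def enabled(key: str) -> bool:
        return resolved.get(key, "").strip().lower() == "true"

    # pool.default.ssl.enable (LDAPS) is assumed from the extension's LDAPS
    # examples; only startTLS appears in this thread.
    tls = enabled("pool.default.ssl.startTLS") or enabled("pool.default.ssl.enable")
    if resolved.get("pool.default.auth.simple.password", "").strip() and not tls:
        findings.append("simple bind with a password but neither startTLS nor "
                        "ssl.enable is true: the search-user password and every "
                        "user login cross the network in clear text")
    if tls and not resolved.get("pool.default.ssl.truststore.file", "").strip():
        findings.append("TLS enabled but pool.default.ssl.truststore.file is "
                        "unset; import the server certificate chain into one")
    return resolved, findings


def check_authn_authz(authn_text: str, authz_text: str) -> List[str]:
    """authn's authz.plugin must name the authz extension exactly."""
    authn, findings = parse_properties(authn_text)
    authz, more = parse_properties(authz_text)
    wanted = authn.get("ovirt.engine.aaa.authn.authz.plugin", "").strip()
    actual = authz.get("ovirt.engine.extension.name", "").strip()
    if wanted != actual:
        findings.append(f"authn names authz plugin {wanted!r} but the authz "
                        f"extension is called {actual!r}")
    return findings + more
```

Run lint_profile() over /etc/ovirt-engine/aaa/*.properties and check_authn_authz() over each authn/authz pair in /etc/ovirt-engine/extensions.d/ after copying the examples and before restarting ovirt-engine; the effective value of pool.default.serverset.single.server shows exactly what hostname the engine will try to resolve, quotes included, so a trailing space is visible instead of hiding behind an "unable to resolve" warning in engine.log.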
