[ovirt-users] LDAP Authentication

Ondra Machacek omachace at redhat.com
Wed Sep 23 07:37:40 UTC 2015


Should work well, strange.
The 'warn' message you sent was an unsuccessful login to webadmin, as I can
see 'LoginAdminUserCommand'; in UserPortal it's 'LoginUserCommand'.
Please try assigning UserRole on some VM to another user in the domain and
check whether it works properly; if not, please open a BZ.

On 09/23/2015 09:29 AM, Budur Nagaraju wrote:
> Yeah, facing issues while logging in to the user portal.
>
> On Wed, Sep 23, 2015 at 12:54 PM, Ondra Machacek <omachace at redhat.com> wrote:
>
>     With UserRole you can only log in to UserPortal, not webadmin. Do
>     you have this issue when you try to log in to UserPortal?
>
>
>     On 09/23/2015 09:22 AM, Budur Nagaraju wrote:
>>     Provided the "user role" permissions; still the same issue.
>>
>>     On Wed, Sep 23, 2015 at 12:48 PM, Ondra Machacek <omachace at redhat.com> wrote:
>>
>>         Hi,
>>
>>         your user nbudoor at abc.net doesn't have appropriate
>>         permissions to log in.
>>         First you need to log in as 'admin@internal' and assign him
>>         some permissions, then you will be able to log in.
>>
>>         Ondra
>>
>>
>>         On 09/23/2015 09:15 AM, Budur Nagaraju wrote:
>>>         HI All,
>>>
>>>         After rectifying this, able to search the domain in Users in
>>>         the UI, but unable to log in; getting the below error:
>>>
>>>
>>>         2015-09-23 12:41:47,482 WARN
>>>         [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
>>>         (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser
>>>         failed for user nbudoor@abc.net.
>>>         Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
>>>
>>>         Thanks,
>>>         Nagaraju
>>>
>>>
>>>
>>>
>>>
>>>         On Wed, Sep 23, 2015 at 12:13 PM, Ondra Machacek <omachace at redhat.com> wrote:
>>>
>>>             Hi,
>>>
>>>             as Alon already said, you have a trailing space in your
>>>             configuration:
>>>
>>>             'my.abc.net ' <-- space at the end
>>>
>>>             Please remove this space and try again.
>>>
>>>             Ondra
>>>
>>>
>>>             On 09/23/2015 05:35 AM, Budur Nagaraju wrote:
>>>>             Hi Alon,
>>>>
>>>>             Tried all the options but no luck.
>>>>
>>>>             I have copied the logs to pastebin; below is the link.
>>>>             The warning message is that it is unable to resolve the
>>>>             DNS. Let me know what help I could get.
>>>>
>>>>             http://pastebin.com/7qN9QnHK
>>>>
>>>>             Thanks,
>>>>             Nagaraju
>>>>
>>>>
>>>>             On Tue, Sep 22, 2015 at 8:44 PM, Daniel Helgenberger
>>>>             <daniel.helgenberger at m-box.de> wrote:
>>>>
>>>>                 Hello Budur,
>>>>
>>>>                 I've done this recently. Alon, no offense, but the
>>>>                 docs are not quite straightforward...
>>>>
>>>>                 Requirements:
>>>>                  - LDAP server (obviously) - called here
>>>>                 ldap.mydomain.com
>>>>                  - LDAP bind account - called here
>>>>                 ldap@mydomain.com, password 'Passw@rd'
>>>>                  - At least one existing account in LDAP, called
>>>>                 user@mydomain.com
>>>>
>>>>                 Please note, the most common issue will be DNS.
>>>>
>>>>                 I'll describe in short what steps need to be taken.
>>>>                 All this needs to be done on your engine host. In
>>>>                 the end this was quite easy :)
>>>>
>>>>                 1. Install the packages:
>>>>                 ovirt-engine-extension-aaa-ldap and
>>>>                 openldap-clients (these are only for testing your
>>>>                 setup)
>>>>                 2. Test if ldap is working in general. (The
>>>>                 extension uses the global catalog at least for AD,
>>>>                 this was news to me):
>>>>                   # ldapsearch -E pr=1024/noprompt -o ldif-wrap=no \
>>>>                       -H ldap://ldap.mydomain.com:3268/ -x \
>>>>                       -D 'ldap@mydomain.com' -w Passw@rd -b '' \
>>>>                       '(userPrincipalName=user@mydomain.com)' cn userPrincipalName
>>>>
>>>>                   If this command does not return details of the
>>>>                 user, debug your LDAP and continue once this
>>>>                 works. Example:
>>>>
>>>>                 # extended LDIF
>>>>                 #
>>>>                 # LDAPv3
>>>>                 # base <> with scope subtree
>>>>                 # filter: (userPrincipalName=user@mydomain.com)
>>>>                 # requesting: cn userPrincipalName
>>>>                 # with pagedResults control: size=1024
>>>>                 #
>>>>
>>>>                 # Some Name, some-ou, mydomain.com
>>>>                 dn: CN=Some Name,OU=some-ou,DC=mydomain,DC=com
>>>>                 cn: Some Name
>>>>                 userPrincipalName: user@mydomain.com
>>>>
>>>>                 # search result
>>>>                 search: 2
>>>>                 result: 0 Success
>>>>                 control: 1.2.840.113556.1.4.319 false MIQXGSGSGSgEABAA=
>>>>                 pagedresults: cookie=
>>>>
>>>>                 # numResponses: 2
>>>>                 # numEntries: 1
>>>>
>>>>
>>>>                 3. Copy the examples as mentioned from the readme.
>>>>                 4. You only need to modify
>>>>                 /etc/ovirt-engine/aaa/int.m-box.de.properties;
>>>>                 leave the rest as is.
>>>>                 5. There, set:
>>>>
>>>>                   vars.domain = ldap.mydomain.com
>>>>                   vars.user = ldap@${global:vars.domain}
>>>>                   vars.password = Passw@rd
>>>>
>>>>                 6. Restart the ovirt-engine service.
>>>>                 7. Log in as admin@internal and add user rights
>>>>                 and roles from the new provider.
>>>>
>>>>                 Hope this helps.
>>>>
>>>>                 On 22.09.2015 16:46, Budur Nagaraju wrote:
>>>>                 >
>>>>                 > below are the three files which I have modified.
>>>>                 >
>>>>                 >
>>>>                 > [root@cstlb2 extensions.d]# cat profile1-authn.properties
>>>>                 > ovirt.engine.extension.name = cloudspin-authn
>>>>                 > ovirt.engine.extension.bindings.method = jbossmodule
>>>>                 > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>>>>                 > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
>>>>                 > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
>>>>                 > ovirt.engine.aaa.authn.profile.name = cloudspin
>>>>                 > ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth
>>>>                 > config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
>>>>                 >
>>>>                 >
>>>>                 > [root@cstlb2 extensions.d]# ls
>>>>                 > profile1-authn.properties profile1-authz.properties
>>>>                 > [root@cstlb2 extensions.d]# cat profile1-authz.properties
>>>>                 > ovirt.engine.extension.name = cloudspin-authz
>>>>                 > ovirt.engine.extension.bindings.method = jbossmodule
>>>>                 > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>>>>                 > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
>>>>                 > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
>>>>                 > config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
>>>>                 > [root@cstlb2 extensions.d]#
>>>>                 >
>>>>                 >
>>>>                 >
>>>>                 > [root@cstlb2 aaa]# pwd
>>>>                 > /etc/ovirt-engine/aaa
>>>>                 > [root@cstlb2 aaa]# ls
>>>>                 > ldap1.properties
>>>>                 > [root@cstlb2 aaa]# cat ldap1.properties
>>>>                 > #
>>>>                 > # Select one
>>>>                 > #
>>>>                 > include = <openldap.properties>
>>>>                 > #include = <389ds.properties>
>>>>                 > #include = <rhds.properties>
>>>>                 > #include = <ipa.properties>
>>>>                 > #include = <iplanet.properties>
>>>>                 > #include = <rfc2307.properties>
>>>>                 > #include = <rfc2307-openldap.properties>
>>>>                 >
>>>>                 > #
>>>>                 > # Server
>>>>                 > #
>>>>                 > vars.server = my.abc.net
>>>>                 >
>>>>                 > #
>>>>                 > # Search user and its password.
>>>>                 > #
>>>>                 > vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=nbudoor,dc=net
>>>>                 > vars.password = company
>>>>                 >
>>>>                 > pool.default.serverset.single.server = ${global:vars.server}
>>>>                 > pool.default.auth.simple.bindDN = ${global:vars.user}
>>>>                 > pool.default.auth.simple.password = ${global:vars.password}
>>>>                 >
>>>>                 > # Create keystore, import certificate chain and uncomment
>>>>                 > # if using ssl/tls.
>>>>                 > #pool.default.ssl.startTLS = true
>>>>                 > #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
>>>>                 > #pool.default.ssl.truststore.password = changeit
>>>>                 > [root@cstlb2 aaa]#
>>>>                 >
>>>>                 >
>>>>                 >
>>>>                 >
>>>>                 >
>>>>                 >
>>>>                 > On Tue, Sep 22, 2015 at 8:07 PM, Alon Bar-Lev
>>>>                 > <alonbl at redhat.com> wrote:
>>>>                 >
>>>>                 >
>>>>                 >
>>>>                 >     ----- Original Message -----
>>>>                 >     > From: "Budur Nagaraju" <nbudoor at gmail.com>
>>>>                 >     > To: "Alon Bar-Lev" <alonbl at redhat.com>
>>>>                 >     > Cc: users at ovirt.org
>>>>                 >     > Sent: Tuesday, September 22, 2015 5:35:16 PM
>>>>                 >     > Subject: Re: [ovirt-users] LDAP Authentication
>>>>                 >     >
>>>>                 >     > It's too complicated; do you have any script or
>>>>                 >     > video?
>>>>                 >
>>>>                 >     in 3.6 we have a setup script.
>>>>                 >     for now:
>>>>                 >
>>>>                 >     cp -r /usr/share/ovirt-engine/examples/simple/. /etc/ovirt-engine/
>>>>                 >
>>>>                 >     this is written in the README.
>>>>                 >
>>>>                 >     then customize files at /etc/ovirt-engine/extensions.d/*
>>>>                 >     /etc/ovirt-engine/aaa/* to match your setup
>>>>                 >
>>>>                 >     >
>>>>                 >     >
>>>>                 >     > On Tue, Sep 22, 2015 at 8:00 PM, Alon Bar-Lev
>>>>                 >     > <alonbl at redhat.com> wrote:
>>>>                 >     >
>>>>                 >     > >
>>>>                 >     > >
>>>>                 >     > > ----- Original Message -----
>>>>                 >     > > > From: "Budur Nagaraju" <nbudoor at gmail.com>
>>>>                 >     > > > To: "Alon Bar-Lev" <alonbl at redhat.com>
>>>>                 >     > > > Cc: users at ovirt.org
>>>>                 >     > > > Sent: Tuesday, September 22, 2015 5:24:36 PM
>>>>                 >     > > > Subject: Re: [ovirt-users] LDAP Authentication
>>>>                 >     > > >
>>>>                 >     > > > Hi Alon,
>>>>                 >     > > >
>>>>                 >     > > > Below is the configuration which I have
>>>>                 >     > > > done, but I am unable to search the
>>>>                 >     > > > users in the UI.
>>>>                 >     > > > Can you please help me?
>>>>                 >     > >
>>>>                 >     > > you need three files, see the
>>>>                 >     > >
>>>>                 /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple
>>>>                 >     > >
>>>>                 >     > > >
>>>>                 >     > > >
>>>>                 >     > > > [root@cstlb2 aaa]# cat ldap1.properties
>>>>                 >     > > > #
>>>>                 >     > > > # Select one
>>>>                 >     > > > #
>>>>                 >     > > > include = <openldap.properties>
>>>>                 >     > > > #include = <389ds.properties>
>>>>                 >     > > > #include = <rhds.properties>
>>>>                 >     > > > #include = <ipa.properties>
>>>>                 >     > > > #include = <iplanet.properties>
>>>>                 >     > > > #include = <rfc2307.properties>
>>>>                 >     > > > #include = <rfc2307-openldap.properties>
>>>>                 >     > > >
>>>>                 >     > > > #
>>>>                 >     > > > # Server
>>>>                 >     > > > #
>>>>                 >     > > > vars.server =my.abc.net
>>>>                 >     > > >
>>>>                 >     > > > #
>>>>                 >     > > > # Search user and its password.
>>>>                 >     > > > #
>>>>                 >     > > > vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=abc,dc=net
>>>>                 >     > > > vars.password = company1
>>>>                 >     > > >
>>>>                 >     > > > pool.default.serverset.single.server = ${global:vars.server}
>>>>                 >     > > > pool.default.auth.simple.bindDN = ${global:vars.user}
>>>>                 >     > > > pool.default.auth.simple.password = ${global:vars.password}
>>>>                 >     > > >
>>>>                 >     > > > # Create keystore, import certificate chain and uncomment
>>>>                 >     > > > # if using ssl/tls.
>>>>                 >     > > > #pool.default.ssl.startTLS = true
>>>>                 >     > > > #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
>>>>                 >     > > > #pool.default.ssl.truststore.password = changeit
>>>>                 >     > > > [root@cstlb2 aaa]#
>>>>                 >     > > >
>>>>                 >     > > >
>>>>                 >     > > >
>>>>                 >     > > > On Tue, Sep 22, 2015 at 7:25 PM, Alon
>>>>                 >     > > > Bar-Lev <alonbl at redhat.com> wrote:
>>>>                 >     > > >
>>>>                 >     > > > >
>>>>                 >     > > > >
>>>>                 >     > > > > ----- Original Message -----
>>>>                 >     > > > > > From: "Budur Nagaraju" <nbudoor at gmail.com>
>>>>                 >     > > > > > To: users at ovirt.org
>>>>                 >     > > > > > Sent: Tuesday, September 22, 2015 4:34:46 PM
>>>>                 >     > > > > > Subject: [ovirt-users] LDAP Authentication
>>>>                 >     > > > > >
>>>>                 >     > > > > > Hi All,
>>>>                 >     > > > > >
>>>>                 >     > > > > > Can someone help me in configuring
>>>>                 >     > > > > > LDAP authentication for oVirt?
>>>>                 >     > > > >
>>>>                 >     > > > > Please review:
>>>>                 >     > > > > http://www.ovirt.org/Features/AAA
>>>>                 >     > > > >
>>>>                 >     > > > > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0
>>>>                 >     > > > >
>>>>                 >     > > >
>>>>                 >     > >
>>>>                 >     >
>>>>                 >
>>>>                 >
>>>>
>>>>                 --
>>>>                 Daniel Helgenberger
>>>>                 m box bewegtbild GmbH
>>>>
>>>>                 P: +49/30/2408781-22
>>>>                 F: +49/30/2408781-10
>>>>
>>>>                 ACKERSTR. 19
>>>>                 D-10115 BERLIN
>>>>
>>>>
>>>>                 www.m-box.de www.monkeymen.tv
>>>>
>>>>                 Managing directors: Martin Retschitzegger / Michaela
>>>>                 Göllner
>>>>                 Commercial register: Amtsgericht Charlottenburg / HRB
>>>>                 112767
>>>>
>>>>
>>>>
>>>>
>>>>             _______________________________________________
>>>>             Users mailing list
>>>>             Users at ovirt.org
>>>>             http://lists.ovirt.org/mailman/listinfo/users
>>>
>>>
>>
>>
>
>
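
The procedure Daniel describes (test the bind with ldapsearch, copy the examples, edit the aaa profile, restart the engine, assign roles) and the trailing-space bug Alon and Ondra found can both be caught before the restart. The script below is an added example, not oVirt code and not from anyone in this thread. It assumes the profile is plain "key = value" lines with '#' comments and that the extension uses values verbatim, so "vars.server = my.abc.net " hands a hostname with a trailing space to DNS. The sample files are constructed here to mirror what was posted. It also checks one thing visible in the posted files: profile1-authn.properties points ovirt.engine.aaa.authn.authz.plugin at cloudspin-auth while profile1-authz.properties names itself cloudspin-authz; whether that is a copy error in the mail or the real file, the two names must match. The function names (aaa_get, aaa_lint_profile, aaa_check_authz_link, aaa_fix_profile, aaa_ldapsearch_cmd) are my own.

```shell
#!/bin/sh
# Added example (not oVirt code): sanity-check the aaa files before
# restarting ovirt-engine. Assumptions: "key = value" lines with '#'
# comments, and values are used verbatim, so a trailing space in
# vars.server becomes part of the hostname handed to the resolver.

# Constructed sample profile mirroring the thread's ldap1.properties,
# including the trailing space after the server name.
SAMPLE_PROFILE="$(mktemp)"
printf '%s\n' \
  '# Select one' \
  'include = <openldap.properties>' \
  'vars.server = my.abc.net ' \
  'vars.user = uid=search,cn=users,dc=abc,dc=net' \
  'vars.password = company' \
  'pool.default.serverset.single.server = ${global:vars.server}' \
  'pool.default.auth.simple.bindDN = ${global:vars.user}' \
  'pool.default.auth.simple.password = ${global:vars.password}' \
  > "$SAMPLE_PROFILE"

# Constructed authn/authz pair mirroring the names quoted in the thread.
SAMPLE_AUTHN="$(mktemp)"; SAMPLE_AUTHZ="$(mktemp)"
printf '%s\n' 'ovirt.engine.extension.name = cloudspin-authn' \
  'ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth' > "$SAMPLE_AUTHN"
printf '%s\n' 'ovirt.engine.extension.name = cloudspin-authz' > "$SAMPLE_AUTHZ"

# aaa_get FILE KEY: value of KEY (first match) with leading whitespace
# dropped but trailing whitespace kept, i.e. what the extension sees.
aaa_get() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key_re}[[:space:]]*=//p" "$1" | head -n 1 |
        sed 's/^[[:space:]]*//'
}

# aaa_lint_profile FILE: print one line per problem; exit 0 only if none.
aaa_lint_profile() {
    problems=0
    # The bind settings the simple example relies on must be present.
    for key in vars.server vars.user vars.password; do
        if [ -z "$(aaa_get "$1" "$key")" ]; then
            echo "missing or empty: $key"
            problems=$((problems + 1))
        fi
    done
    # Any non-comment "key = value" line whose value ends in whitespace.
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        value="${line#*=}"
        if [ "$value" != "$(printf '%s' "$value" | sed 's/[[:space:]]*$//')" ]; then
            echo "trailing whitespace in value of: $(printf '%s' "${line%%=*}" | sed 's/[[:space:]]*$//')"
            problems=$((problems + 1))
        fi
    done < "$1"
    [ "$problems" -eq 0 ]
}

# aaa_check_authz_link AUTHN_FILE AUTHZ_FILE: the authn profile's
# ovirt.engine.aaa.authn.authz.plugin must name the authz extension exactly.
aaa_check_authz_link() {
    [ "$(aaa_get "$1" ovirt.engine.aaa.authn.authz.plugin)" = \
      "$(aaa_get "$2" ovirt.engine.extension.name)" ]
}

# aaa_fix_profile FILE: write a copy with trailing whitespace stripped and
# print its path; diff it against the original before installing it.
aaa_fix_profile() {
    out="$(mktemp)"
    sed 's/[[:space:]]*$//' "$1" > "$out"
    printf '%s\n' "$out"
}

# aaa_ldapsearch_cmd FILE: the bind test from step 2 above, built from the
# profile. -W prompts for the password instead of putting it in argv.
aaa_ldapsearch_cmd() {
    printf "ldapsearch -x -H 'ldap://%s/' -D '%s' -W -b '' -s base '(objectClass=*)'\n" \
        "$(aaa_get "$1" vars.server)" "$(aaa_get "$1" vars.user)"
}

# Stand-alone run: report on the constructed samples.
aaa_lint_profile "$SAMPLE_PROFILE" || echo "fix $SAMPLE_PROFILE before restarting ovirt-engine"
aaa_check_authz_link "$SAMPLE_AUTHN" "$SAMPLE_AUTHZ" || echo "authn/authz plugin name mismatch"
aaa_ldapsearch_cmd "$(aaa_fix_profile "$SAMPLE_PROFILE")"
```

Run it on the engine host against /etc/ovirt-engine/aaa/*.properties and the pair in /etc/ovirt-engine/extensions.d/. The printed ldapsearch line uses -W so the bind password never lands in argv or shell history. ldap:// is cleartext, so for anything beyond a lab, enable the startTLS and truststore lines the example profile leaves commented out and point -H at ldaps:// or add -ZZ.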
