[ovirt-users] LDAP Authentication
Budur Nagaraju
nbudoor at gmail.com
Wed Sep 23 07:39:50 UTC 2015
When I give "superuser" permission I am able to log in, but it takes too
long to log in.
Please suggest anything that needs to be done.
On Wed, Sep 23, 2015 at 1:07 PM, Ondra Machacek <omachace at redhat.com> wrote:
> Should work well, strange.
> The 'warn' message you sent was an unsuccessful login to webadmin, as I can
> see 'LoginAdminUserCommand'; in UserPortal it's 'LoginUserCommand'.
> Please try to assign UserRole on some VM to another user in the domain and see
> if it works properly; if not, please open a bz.
>
>
> On 09/23/2015 09:29 AM, Budur Nagaraju wrote:
>
> Yeah, facing issues while logging in to the user portal.
>
> On Wed, Sep 23, 2015 at 12:54 PM, Ondra Machacek <omachace at redhat.com>
> wrote:
>
>> With UserRole you can only log in to UserPortal, not webadmin. Do you have
>> this issue when you try to log in to UserPortal?
>>
>>
>> On 09/23/2015 09:22 AM, Budur Nagaraju wrote:
>>
>> Provided the "user role" permissions, still the same issue.
>>
>> On Wed, Sep 23, 2015 at 12:48 PM, Ondra Machacek <omachace at redhat.com> wrote:
>>
>>> Hi,
>>>
>>> your user nbudoor at abc.net doesn't have the appropriate permissions to log in.
>>> First you need to log in as 'admin at internal' and assign him some
>>> permissions, then you will be able to log in.
>>>
>>> Ondra
>>>
>>>
>>> On 09/23/2015 09:15 AM, Budur Nagaraju wrote:
>>>
>>> HI All,
>>>
>>> After rectifying this I am able to search the domain in the users UI,
>>> but I am unable to log in; getting the error below:
>>>
>>>
>>> 2015-09-23 12:41:47,482 WARN
>>> [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
>>> (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for
>>> user nbudoor at abc.net. Reasons:
>>> USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
>>>
>>> Thanks,
>>> Nagaraju
>>>
>>>
>>>
>>>
>>>
>>> On Wed, Sep 23, 2015 at 12:13 PM, Ondra Machacek <omachace at redhat.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> as Alon already said, you have a trailing space in your configuration:
>>>>
>>>> 'my.abc.net ' <-- space at the end
>>>>
>>>> Please remove this space and try again.
>>>>
>>>> Ondra
>>>>
>>>>
>>>> On 09/23/2015 05:35 AM, Budur Nagaraju wrote:
>>>>
>>>> HI Alon,
>>>>
>>>> Tried all the options but no luck.
>>>>
>>>> I have copied the logs to pastebin; below is the link. The warning
>>>> message is that it is unable to resolve the DNS. Let me know if there is
>>>> any help I could get.
>>>>
>>>> http://pastebin.com/7qN9QnHK
>>>>
>>>> Thanks,
>>>> Nagaraju
>>>>
>>>>
>>>> On Tue, Sep 22, 2015 at 8:44 PM, Daniel Helgenberger <daniel.helgenberger at m-box.de> wrote:
>>>>
>>>>> Hello Budur,
>>>>>
>>>>> I've done this recently. Alon, no offense, but the docs are not quite
>>>>> straightforward...
>>>>>
>>>>> Requirements:
>>>>> - LDAP server (obviously) - called here ldap.mydomain.com
>>>>> - LDAP bind account - called here ldap at mydomain.com, password 'Passw@rd'
>>>>> - At least one existing account in LDAP, called user at mydomain.com
>>>>>
>>>>> Please note, the most common issue will be DNS.
>>>>>
>>>>> I'll describe in short what steps need to be taken. All this needs to
>>>>> be done on your engine host. In the end this was quite easy :)
>>>>>
>>>>> 1. Install the packages: ovirt-engine-extension-aaa-ldap and
>>>>> openldap-clients (these are only for testing your setup)
>>>>> 2. Test if ldap is working in general. (The extension uses the global
>>>>> catalog at least for AD, this was news to me):
>>>>>
>>>>> # ldapsearch -E pr=1024/noprompt -o ldif-wrap=no \
>>>>>     -H ldap://ldap.mydomain.com:3268/ -x \
>>>>>     -D 'ldap@mydomain.com' -w 'Passw@rd' -b '' \
>>>>>     '(userPrincipalName=user@mydomain.com)' cn userPrincipalName
>>>>>
>>>>> If this command does not return details of the user, do debug your
>>>>> ldap and continue once this works. Example:
>>>>>
>>>>> # extended LDIF
>>>>> #
>>>>> # LDAPv3
>>>>> # base <> with scope subtree
>>>>> # filter: (userPrincipalName=user@mydomain.com)
>>>>> # requesting: cn userPrincipalName
>>>>> # with pagedResults control: size=1024
>>>>> #
>>>>>
>>>>> # Some Name, some-ou, mydomain.com
>>>>> dn: CN=Some Name,OU=some-ou,DC=mydomain,DC=com
>>>>> cn: Some Name
>>>>> userPrincipalName: user@mydomain.com
>>>>>
>>>>> # search result
>>>>> search: 2
>>>>> result: 0 Success
>>>>> control: 1.2.840.113556.1.4.319 false MIQXGSGSGSgEABAA=
>>>>> pagedresults: cookie=
>>>>>
>>>>> # numResponses: 2
>>>>> # numEntries: 1
>>>>>
>>>>>
>>>>> 3. Copy the examples as mentioned in the readme.
>>>>> 4. You only need to modify
>>>>> /etc/ovirt-engine/aaa/int.m-box.de.properties; leave the rest as is.
>>>>> 5. There, set:
>>>>>
>>>>> vars.domain = ldap.mydomain.com
>>>>> vars.user = ldap@${global:vars.domain}
>>>>> vars.password = Passw@rd
>>>>>
>>>>> 6. Restart the ovirt engine service
>>>>> 7. Log in as admin at internal and add user rights and roles from the
>>>>> new provider
>>>>>
>>>>> Hope this helps.
>>>>>
>>>>> On 22.09.2015 16:46, Budur Nagaraju wrote:
>>>>> >
>>>>> > below are the three files which I have modified.
>>>>> >
>>>>> >
>>>>> > [root at cstlb2 extensions.d]# cat profile1-authn.properties
>>>>> > ovirt.engine.extension.name = cloudspin-authn
>>>>> > ovirt.engine.extension.bindings.method = jbossmodule
>>>>> > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>>>>> > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
>>>>> > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
>>>>> > ovirt.engine.aaa.authn.profile.name = cloudspin
>>>>> > ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth
>>>>> > config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
>>>>> >
>>>>> >
>>>>> > [root at cstlb2 extensions.d]# ls
>>>>> > profile1-authn.properties profile1-authz.properties
>>>>> > [root at cstlb2 extensions.d]# cat profile1-authz.properties
>>>>> > ovirt.engine.extension.name = cloudspin-authz
>>>>> > ovirt.engine.extension.bindings.method = jbossmodule
>>>>> > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>>>>> > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
>>>>> > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
>>>>> > config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
>>>>> > [root at cstlb2 extensions.d]#
>>>>> >
>>>>> >
>>>>> >
>>>>> > [root at cstlb2 aaa]# pwd
>>>>> > /etc/ovirt-engine/aaa
>>>>> > [root at cstlb2 aaa]# ls
>>>>> > ldap1.properties
>>>>> > [root at cstlb2 aaa]# cat ldap1.properties
>>>>> > #
>>>>> > # Select one
>>>>> > #
>>>>> > include = <openldap.properties>
>>>>> > #include = <389ds.properties>
>>>>> > #include = <rhds.properties>
>>>>> > #include = <ipa.properties>
>>>>> > #include = <iplanet.properties>
>>>>> > #include = <rfc2307.properties>
>>>>> > #include = <rfc2307-openldap.properties>
>>>>> >
>>>>> > #
>>>>> > # Server
>>>>> > #
>>>>> > vars.server = my.abc.net
>>>>> >
>>>>> > #
>>>>> > # Search user and its password.
>>>>> > #
>>>>> > vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=nbudoor,dc=net
>>>>> > vars.password = company
>>>>> >
>>>>> > pool.default.serverset.single.server = ${global:vars.server}
>>>>> > pool.default.auth.simple.bindDN = ${global:vars.user}
>>>>> > pool.default.auth.simple.password = ${global:vars.password}
>>>>> >
>>>>> > # Create keystore, import certificate chain and uncomment
>>>>> > # if using ssl/tls.
>>>>> > #pool.default.ssl.startTLS = true
>>>>> > #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
>>>>> > #pool.default.ssl.truststore.password = changeit
>>>>> > [root at cstlb2 aaa]#
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> > On Tue, Sep 22, 2015 at 8:07 PM, Alon Bar-Lev <alonbl at redhat.com> wrote:
>>>>> >
>>>>> >
>>>>> >
>>>>> > ----- Original Message -----
>>>>> > > From: "Budur Nagaraju" <nbudoor at gmail.com>
>>>>> > > To: "Alon Bar-Lev" <alonbl at redhat.com>
>>>>> > > Cc: users at ovirt.org
>>>>> > > Sent: Tuesday, September 22, 2015 5:35:16 PM
>>>>> > > Subject: Re: [ovirt-users] LDAP Authentication
>>>>> > >
>>>>> > > it's too complicated, do you have any script or video?
>>>>> >
>>>>> > in 3.6 we have a setup script.
>>>>> > for now:
>>>>> >
>>>>> > cp -r /usr/share/ovirt-engine/examples/simple/. /etc/ovirt-engine/
>>>>> >
>>>>> > this is written in the README.
>>>>> >
>>>>> > then customize files at /etc/ovirt-engine/extensions.d/*
>>>>> > /etc/ovirt-engine/aaa/* to match your setup
>>>>> >
>>>>> > >
>>>>> > >
>>>>> > > On Tue, Sep 22, 2015 at 8:00 PM, Alon Bar-Lev <alonbl at redhat.com> wrote:
>>>>> > >
>>>>> > > >
>>>>> > > >
>>>>> > > > ----- Original Message -----
>>>>> > > > > From: "Budur Nagaraju" <nbudoor at gmail.com>
>>>>> > > > > To: "Alon Bar-Lev" <alonbl at redhat.com>
>>>>> > > > > Cc: users at ovirt.org
>>>>> > > > > Sent: Tuesday, September 22, 2015 5:24:36 PM
>>>>> > > > > Subject: Re: [ovirt-users] LDAP Authentication
>>>>> > > > >
>>>>> > > > > HI Alon,
>>>>> > > > >
>>>>> > > > > Below is the configuration which I have done, but I am unable
>>>>> > > > > to search the users in the UI.
>>>>> > > > > Can you please help me?
>>>>> > > >
>>>>> > > > you need three files, see the
>>>>> > > > /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple
>>>>> > > >
>>>>> > > > >
>>>>> > > > >
>>>>> > > > > [root at cstlb2 aaa]# cat ldap1.properties
>>>>> > > > > #
>>>>> > > > > # Select one
>>>>> > > > > #
>>>>> > > > > include = <openldap.properties>
>>>>> > > > > #include = <389ds.properties>
>>>>> > > > > #include = <rhds.properties>
>>>>> > > > > #include = <ipa.properties>
>>>>> > > > > #include = <iplanet.properties>
>>>>> > > > > #include = <rfc2307.properties>
>>>>> > > > > #include = <rfc2307-openldap.properties>
>>>>> > > > >
>>>>> > > > > #
>>>>> > > > > # Server
>>>>> > > > > #
>>>>> > > > > vars.server = my.abc.net
>>>>> > > > >
>>>>> > > > > #
>>>>> > > > > # Search user and its password.
>>>>> > > > > #
>>>>> > > > > vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=abc,dc=net
>>>>> > > > > vars.password = company1
>>>>> > > > >
>>>>> > > > > pool.default.serverset.single.server = ${global:vars.server}
>>>>> > > > > pool.default.auth.simple.bindDN = ${global:vars.user}
>>>>> > > > > pool.default.auth.simple.password = ${global:vars.password}
>>>>> > > > >
>>>>> > > > > # Create keystore, import certificate chain and uncomment
>>>>> > > > > # if using ssl/tls.
>>>>> > > > > #pool.default.ssl.startTLS = true
>>>>> > > > > #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
>>>>> > > > > #pool.default.ssl.truststore.password = changeit
>>>>> > > > > [root at cstlb2 aaa]#
>>>>> > > > >
>>>>> > > > >
>>>>> > > > >
>>>>> > > > > On Tue, Sep 22, 2015 at 7:25 PM, Alon Bar-Lev <alonbl at redhat.com> wrote:
>>>>> > > > >
>>>>> > > > > >
>>>>> > > > > >
>>>>> > > > > > ----- Original Message -----
>>>>> > > > > > > From: "Budur Nagaraju" <nbudoor at gmail.com>
>>>>> > > > > > > To: users at ovirt.org
>>>>> > > > > > > Sent: Tuesday, September 22, 2015 4:34:46 PM
>>>>> > > > > > > Subject: [ovirt-users] LDAP Authentication
>>>>> > > > > > >
>>>>> > > > > > > HI All,
>>>>> > > > > > >
>>>>> > > > > > > Can someone help me in configuring LDAP authentication for oVirt?
>>>>> > > > > >
>>>>> > > > > > Please review:
>>>>> > > > > > http://www.ovirt.org/Features/AAA
>>>>> > > > > >
>>>>> > > > > >
>>>>> > > > > > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0
>>>>> > > > > >
>>>>> > > > >
>>>>> > > >
>>>>> > >
>>>>> >
>>>>> >
>>>>>
>>>>> --
>>>>> Daniel Helgenberger
>>>>> m box bewegtbild GmbH
>>>>>
>>>>> P: +49/30/2408781-22
>>>>> F: +49/30/2408781-10
>>>>>
>>>>> ACKERSTR. 19
>>>>> D-10115 BERLIN
>>>>>
>>>>>
>>>>> www.m-box.de www.monkeymen.tv
>>>>>
>>>>> Managing directors: Martin Retschitzegger / Michaela Göllner
>>>>> Commercial register: Amtsgericht Charlottenburg / HRB 112767
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
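An added check, not part of this thread or of the oVirt project: the root cause found above was a single trailing space in `vars.server` ('my.abc.net '), which the engine passed to DNS unchanged. The script below parses an aaa-ldap style properties file the way the quoted files are written (one `key = value` per line, `#` comments, `${global:name}` references to other keys, `${local:_basedir}` for the file's own directory), reports values that end in whitespace, reports `${global:...}` references that point at no key, and flags a simple-bind password configured while the TLS block is still commented out, as it is in the examples. The sample file is a constructed reproduction of the quoted `ldap1.properties`; `/etc/ovirt-engine/aaa` as the base directory is taken from the thread.

```python
"""Lint an ovirt-engine-extension-aaa-ldap properties file before restarting
the engine. Added example, not oVirt code; it reproduces the failure modes
from the thread: a trailing space in a value and a dangling reference."""
import re

# ${global:name} resolves against keys in the same file; ${local:_basedir}
# is the directory holding the properties file (path from the thread).
REF_RE = re.compile(r"\$\{(global|local):([A-Za-z0-9_.]+)\}")
BASEDIR = "/etc/ovirt-engine/aaa"


def parse_properties(text):
    """Return {key: (raw_value, line_number)}.

    The value keeps its trailing whitespace on purpose, since that is what
    broke 'my.abc.net '. Blank and comment lines are skipped; only the first
    '=' splits key from value, so bind DNs containing '=' stay intact."""
    props = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#") or "=" not in stripped:
            continue
        key, _, value = raw.partition("=")
        props[key.strip()] = (value.lstrip(" \t"), lineno)
    return props


def resolve(props, value, depth=0):
    """Expand ${global:...} and ${local:_basedir} references recursively."""
    if depth > 10:
        raise ValueError("reference cycle in properties file")

    def expand(match):
        scope, name = match.group(1), match.group(2)
        if scope == "local":
            return BASEDIR if name == "_basedir" else match.group(0)
        if name in props:
            return resolve(props, props[name][0], depth + 1)
        return match.group(0)  # leave unresolved references visible

    return REF_RE.sub(expand, value)


def lint(text):
    """Return a list of (line_number, key, message) findings."""
    props = parse_properties(text)
    findings = []
    for key, (value, lineno) in props.items():
        if value != value.rstrip():
            findings.append((lineno, key, "trailing whitespace in value %r" % value))
        for scope, name in REF_RE.findall(value):
            if scope == "global" and name not in props:
                findings.append((lineno, key, "unresolved reference ${global:%s}" % name))
    # The example files ship with the TLS block commented out; a simple bind
    # without startTLS sends the search account's password in clear text.
    if "pool.default.auth.simple.password" in props:
        starttls = props.get("pool.default.ssl.startTLS", ("", 0))[0].strip().lower()
        if starttls != "true":
            lineno = props["pool.default.auth.simple.password"][1]
            findings.append((lineno, "pool.default.ssl.startTLS",
                             "simple bind password set but startTLS is not enabled"))
    return findings


# Constructed reproduction of the quoted ldap1.properties, including the
# trailing space after my.abc.net that Alon and Ondra spotted.
SAMPLE_LINES = [
    "#",
    "# Select one",
    "#",
    "include = <openldap.properties>",
    "",
    "#",
    "# Server",
    "#",
    "vars.server = my.abc.net ",  # <-- the trailing space
    "",
    "#",
    "# Search user and its password.",
    "#",
    "vars.user = uid=search,cn=users,dc=abc,dc=net",
    "vars.password = company1",
    "",
    "pool.default.serverset.single.server = ${global:vars.server}",
    "pool.default.auth.simple.bindDN = ${global:vars.user}",
    "pool.default.auth.simple.password = ${global:vars.password}",
    "",
    "# Create keystore, import certificate chain and uncomment",
    "# if using ssl/tls.",
    "#pool.default.ssl.startTLS = true",
    "#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks",
    "#pool.default.ssl.truststore.password = changeit",
]
SAMPLE = "\n".join(SAMPLE_LINES) + "\n"

if __name__ == "__main__":
    props = parse_properties(SAMPLE)
    server = resolve(props, props["pool.default.serverset.single.server"][0])
    print("server the engine would connect to: %r" % server)
    for lineno, key, msg in lint(SAMPLE):
        print("line %d: %s: %s" % (lineno, key, msg))
```

Printing the resolved server with `%r` is the point of the exercise: `'my.abc.net '` shows the space that a plain `cat` of the file hides, which is why the pastebin log reported a DNS failure for a host that resolves fine from the shell. Run the script against the real file with `parse_properties(open(path).read())` before restarting the engine, and treat the startTLS finding as a prompt to complete the commented-out keystore steps rather than leave the search account's password on the wire.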