[ovirt-users] LDAP Authentication

Alon Bar-Lev alonbl at redhat.com
Wed Sep 23 17:18:06 UTC 2015


SuperUser is required to login user to webadmin.
Not sure what is "too long time"... within any logs nobody can help you.

----- Original Message -----
> From: "Budur Nagaraju" <nbudoor at gmail.com>
> To: "Ondra Machacek" <omachace at redhat.com>
> Cc: users at ovirt.org
> Sent: Wednesday, September 23, 2015 10:39:50 AM
> Subject: Re: [ovirt-users] LDAP Authentication
> 
> When I give "superuser" permission then able to login and its taking too long
> time to login.
> Pls suggest any thing needs to be dome ?
> 
> On Wed, Sep 23, 2015 at 1:07 PM, Ondra Machacek < omachace at redhat.com >
> wrote:
> 
> 
> 
> Should work well, strange.
> The 'warn' message you sent was unsuccessfull login to webadmin as I can see
> 'LoginAdminUserCommand', in UserPortal it's 'LoginUserCommand'.
> Please try to assign UserRole to some vm to another user in domain if it will
> work properly, if not please open bz.
> 
> 
> On 09/23/2015 09:29 AM, Budur Nagaraju wrote:
> 
> 
> 
> yeah facing issues while logging to the user portal.
> 
> On Wed, Sep 23, 2015 at 12:54 PM, Ondra Machacek < omachace at redhat.com >
> wrote:
> 
> 
> 
> With UserRole you can only login to UserPortal, not webadmin. Do you have
> this issue when you try to login to UserPortal?
> 
> 
> On 09/23/2015 09:22 AM, Budur Nagaraju wrote:
> 
> 
> 
> Provided the "user role" permissions still same issue
> 
> On Wed, Sep 23, 2015 at 12:48 PM, Ondra Machacek < omachace at redhat.com >
> wrote:
> 
> 
> 
> Hi,
> 
> your user nbudoor at abc.net doesn't have appropriate permissions to login.
> First you need to login as 'admin at internal' and assign him some permissions,
> then you will be able to login.
> 
> Ondra
> 
> 
> On 09/23/2015 09:15 AM, Budur Nagaraju wrote:
> 
> 
> 
> HI All,
> 
> After rectifying this able to search the domain in the users in UI,
> but unable to login getting the below error ,
> 
> 
> 2015-09-23 12:41:47,482 WARN
> [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
> (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for user
> nbudoor at abc.net . Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
> 
> Thanks,
> Nagaraju
> 
> 
> 
> 
> 
> On Wed, Sep 23, 2015 at 12:13 PM, Ondra Machacek < omachace at redhat.com >
> wrote:
> 
> 
> 
> Hi,
> 
> as Alon already said, you have trailing space in your configuration
> 
> ' my.abc.net ' <-- space at the end
> 
> Please remove this space and try again.
> 
> Ondra
> 
> 
> On 09/23/2015 05:35 AM, Budur Nagaraju wrote:
> 
> 
> 
> HI Alon,
> 
> Tried all the options but no luck ,
> 
> I have copied the logs in the pastebin below is the link , warning message is
> that unable to resolve the DNS ,let me know any help would I get .
> 
> http://pastebin.com/7qN9QnHK
> 
> Thanks,
> Nagaraju
> 
> 
> On Tue, Sep 22, 2015 at 8:44 PM, Daniel Helgenberger <
> daniel.helgenberger at m-box.de > wrote:
> 
> 
> Hello Budur,
> 
> I've done this recently. Alon, no offense, but the docs are not quite strait
> forward...
> 
> Requirements:
> - LDAP server (obviously) - called here ldap.mydomain.com
> - LDAP bind account - called here ldap at mydomain.com , password 'Passw at rd'
> - At least one existing account in ladp, called user at mydomain.com
> 
> Please note, the most common issue will be DNS.
> 
> I'll describe in short what steps need to be taken. All this needs to be done
> on your engine host. In the end this was quite easy :)
> 
> 1. Install the packages: ovirt-engine-extension-aaa-ldap and openldap-clients
> (these are only for testing your setup)
> 2. Test if ldap is working in general. (The extension uses the global catalog
> at least for AD, this was news to me):
> # ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H ldap://
> ldap.mydomain.com:3268/ -x \
> -D ' ldap at mydomain.com ' -w Passw at rd -b '' '(userPrincipalName=
> user at mydomian.com )' cn userPrincipalName
> 
> If this command does not return details of the user, do debug your ldap and
> continue once this works. Example:
> 
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope subtree
> # filter: (userPrincipalName= user at mydomain.com )
> # requesting: cn userPrincipalName
> # with pagedResults control: size=1024
> #
> 
> # Some Name, some-ou, mydomain.com
> dn: CN=Some Name,OU=some-ou,DC=mydomain,DC=com
> cn: Some Name
> userPrincipalName: user at mydomain.com
> 
> # search result
> search: 2
> result: 0 Success
> control: 1.2.840.113556.1.4.319 false MIQXGSGSGSgEABAA=
> pagedresults: cookie=
> 
> # numResponses: 2
> # numEntries: 1
> 
> 
> 3. Copy the examples as mentioned from the readme.
> 4. You only need to modify /etc/ovirt-engine/aaa/int.m-box.de.properties;
> leave the rest as is.
> 5. There, set:
> 
> vars.domain = ldap.mydomain.com
> vars.user = ldap@${global:vars.domain}
> vars.password = Passw at rd
> 
> 6. Restart ovirt engine service
> 7. Log in as admin at einternal and add user rights and roles from the new
> provider
> 
> Hope this helps.
> 
> On 22.09.2015 16 :46, Budur Nagaraju wrote:
> > 
> > below are the three files which I have modified.
> > 
> > 
> > [root at cstlb2 extensions.d]# cat profile1-authn.properties
> > ovirt.engine.extension.name < http://ovirt.engine.extension.name > =
> > cloudspin-authn
> > ovirt.engine.extension.bindings.method = jbossmodule
> > ovirt.engine.extension.binding.jbossmodule.module =
> > org.ovirt.engine-extensions.aaa.ldap
> > ovirt.engine.extension.binding.jbossmodule.class =
> > org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> > ovirt.engine.aaa.authn.profile.name <
> > http://ovirt.engine.aaa.authn.profile.name >
> > = cloudspin
> > ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth
> > config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
> > 
> > 
> > [root at cstlb2 extensions.d]# ls
> > profile1-authn.properties profile1-authz.properties
> > [root at cstlb2 extensions.d]# cat profile1-authz.properties
> > ovirt.engine.extension.name < http://ovirt.engine.extension.name > =
> > cloudspin-authz
> > ovirt.engine.extension.bindings.method = jbossmodule
> > ovirt.engine.extension.binding.jbossmodule.module =
> > org.ovirt.engine-extensions.aaa.ldap
> > ovirt.engine.extension.binding.jbossmodule.class =
> > org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> > config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
> > [root at cstlb2 extensions.d]#
> > 
> > 
> > 
> > [root at cstlb2 aaa]# pwd
> > /etc/ovirt-engine/aaa
> > [root at cstlb2 aaa]# ls
> > ldap1.properties
> > [root at cstlb2 aaa]# cat ldap1.properties
> > #
> > # Select one
> > #
> > include = <openldap.properties>
> > #include = <389ds.properties>
> > #include = <rhds.properties>
> > #include = <ipa.properties>
> > #include = <iplanet.properties>
> > #include = <rfc2307.properties>
> > #include = <rfc2307-openldap.properties>
> > 
> > #
> > # Server
> > #
> > vars.server = my.abc.net < http://my.abc.net >
> > 
> > #
> > # Search user and its password.
> > #
> > vars.user =
> > uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=nbudoor,dc=net
> > vars.password = company
> > 
> > pool.default.serverset.single.server = ${global:vars.server}
> > pool.default.auth.simple.bindDN = ${global:vars.user}
> > pool.default.auth.simple.password = ${global:vars.password}
> > 
> > # Create keystore, import certificate chain and uncomment
> > # if using ssl/tls.
> > #pool.default.ssl.startTLS = true
> > #pool.default.ssl.truststore.file =
> > ${local:_basedir}/${global:vars.server}.jks
> > #pool.default.ssl.truststore.password = changeit
> > [root at cstlb2 aaa]#
> > 
> > 
> > 
> > 
> > 
> > 
> > On Tue, Sep 22, 2015 at 8:07 PM, Alon Bar-Lev < alonbl at redhat.com
> > <mailto: alonbl at redhat.com >> wrote:
> > 
> > 
> > 
> > ----- Original Message -----
> > > From: "Budur Nagaraju" < nbudoor at gmail.com <mailto: nbudoor at gmail.com >>
> > > To: "Alon Bar-Lev" < alonbl at redhat.com <mailto: alonbl at redhat.com >>
> > > Cc:users at ovirt.org <mailto: users at ovirt.org >
> > > Sent: Tuesday, September 22, 2015 5:35:16 PM
> > > Subject: Re: [ovirt-users] LDAP Authentication
> > > 
> > > its too complicated ,you have any script or video ?
> > 
> > in 3.6 we have a setup script.
> > for now:
> > 
> > cp -r /usr/share/ovirt-engine/examples/simple/. /etc/ovirt-engine/
> > 
> > this is written in the README.
> > 
> > then customize files at /etc/ovirt-engine/extnesions.d/*
> > /etc/ovirt-engine/aaa/* to match your setup
> > 
> > > 
> > > 
> > > On Tue, Sep 22, 2015 at 8:00 PM, Alon Bar-Lev < alonbl at redhat.com
> > > <mailto: alonbl at redhat.com >> wrote:
> > > 
> > > > 
> > > > 
> > > > ----- Original Message -----
> > > > > From: "Budur Nagaraju" < nbudoor at gmail.com <mailto: nbudoor at gmail.com
> > > > > >>
> > > > > To: "Alon Bar-Lev" < alonbl at redhat.com <mailto: alonbl at redhat.com >>
> > > > > Cc:users at ovirt.org <mailto: users at ovirt.org >
> > > > > Sent: Tuesday, September 22, 2015 5:24:36 PM
> > > > > Subject: Re: [ovirt-users] LDAP Authentication
> > > > > 
> > > > > HI Alon,
> > > > > 
> > > > > Below is the configuration which I have done ,but unable to search
> > > > > the
> > > > > users in UI
> > > > > can you pls help me ?
> > > > 
> > > > you need three files, see the
> > > > /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple
> > > > 
> > > > > 
> > > > > 
> > > > > [root at cstlb2 aaa]# cat ldap1.properties
> > > > > #
> > > > > # Select one
> > > > > #
> > > > > include = <openldap.properties>
> > > > > #include = <389ds.properties>
> > > > > #include = <rhds.properties>
> > > > > #include = <ipa.properties>
> > > > > #include = <iplanet.properties>
> > > > > #include = <rfc2307.properties>
> > > > > #include = <rfc2307-openldap.properties>
> > > > > 
> > > > > #
> > > > > # Server
> > > > > #
> > > > > vars.server = my.abc.net < http://my.abc.net >
> > > > > 
> > > > > #
> > > > > # Search user and its password.
> > > > > #
> > > > > vars.user =
> > > > > 
> > > > uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=abc,dc=net
> > > > > vars.password = company1
> > > > > 
> > > > > pool.default.serverset.single.server = ${global:vars.server}
> > > > > pool.default.auth.simple.bindDN = ${global:vars.user}
> > > > > pool.default.auth.simple.password = ${global:vars.password}
> > > > > 
> > > > > # Create keystore, import certificate chain and uncomment
> > > > > # if using ssl/tls.
> > > > > #pool.default.ssl.startTLS = true
> > > > > #pool.default.ssl.truststore.file =
> > > > > ${local:_basedir}/${global:vars.server}.jks
> > > > > #pool.default.ssl.truststore.password = changeit
> > > > > [root at cstlb2 aaa]#
> > > > > 
> > > > > 
> > > > > 
> > > > > On Tue, Sep 22, 2015 at 7:25 PM, Alon Bar-Lev < alonbl at redhat.com
> > > > > <mailto: alonbl at redhat.com >> wrote:
> > > > > 
> > > > > > 
> > > > > > 
> > > > > > ----- Original Message -----
> > > > > > > From: "Budur Nagaraju" < nbudoor at gmail.com <mailto:
> > > > > > > nbudoor at gmail.com >>
> > > > > > > To:users at ovirt.org <mailto: users at ovirt.org >
> > > > > > > Sent: Tuesday, September 22, 2015 4:34:46 PM
> > > > > > > Subject: [ovirt-users] LDAP Authentication
> > > > > > > 
> > > > > > > HI All,
> > > > > > > 
> > > > > > > Can someone help me in configuring LDAP authentication for Ovirt
> > > > > > > ?
> > > > > > 
> > > > > > Please review:
> > > > > > http://www.ovirt.org/Features/AAA
> > > > > > 
> > > > > > 
> > > > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0
> > > > > > 
> > > > > 
> > > > 
> > > 
> > 
> > 
> 
> --
> Daniel Helgenberger
> m box bewegtbild GmbH
> 
> P: +49/30/2408781-22
> F: +49/30/2408781-10
> 
> ACKERSTR. 19
> D-10115 BERLIN
> 
> 
> www.m-box.de www.monkeymen.tv
> 
> Geschäftsführer: Martin Retschitzegger / Michaela Göllner
> Handeslregister: Amtsgericht Charlottenburg / HRB 112767
> 
> 
> 
> _______________________________________________
> Users mailing list Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
> 
> 
> 
> 
> 
> 
> 
> 
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 



More information about the Users mailing list