[ovirt-users] Unable to add permissions for LDAP users

Ondra Machacek omachace at redhat.com
Thu Oct 6 14:36:52 UTC 2016


On 10/06/2016 01:47 PM, Michael Burch wrote:
> I'm using the latest ovirt on CentOS7 with the aaa-ldap extension. I can
> successfully authenticate as an LDAP user. I can also login as
> admin at internal and search for, find, and select LDAP users but I cannot
> add permissions for them. Each time I get the error "User
> admin at internal-authz failed to grant permission for Role UserRole on
> System to User/Group <UNKNOWN>."

This error usually means a bad unique attribute is used.

>
>
> I have no control over the LDAP server, which uses custom objectClasses
> and uses groupOfNames instead of PosixGroups. I assume I need to set
> sequence variables to accommodate our group configuration but I'm at a
> loss as to where to begin. The config I have is as follows:
>
>
> include = <rfc2307-generic.properties>
>
> vars.server = labauth.lan.lab.org
>
> pool.authz.auth.type = none
> pool.default.serverset.type = single
> pool.default.serverset.single.server = ${global:vars.server}
> pool.default.ssl.startTLS = true
> pool.default.ssl.insecure = true
>
> pool.default.connection-options.connectTimeoutMillis = 10000
> pool.default.connection-options.responseTimeoutMillis = 90000
> sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
> sequence.my-basedn-init-vars.010.description = set baseDN
> sequence.my-basedn-init-vars.010.type = var-set
> sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
> sequence.my-basedn-init-vars.010.var-set.value = o=LANLAB
>
> sequence-init.init.101-my-objectclass-init-vars = my-objectclass-init-vars
> sequence.my-objectclass-init-vars.020.description = set objectClass
> sequence.my-objectclass-init-vars.020.type = var-set
> sequence.my-objectclass-init-vars.020.var-set.variable = simple_filterUserObject
> sequence.my-objectclass-init-vars.020.var-set.value = (objectClass=labPerson)(uid=*)
>
> search.default.search-request.derefPolicy = NEVER
>
> sequence-init.init.900-local-init-vars = local-init-vars
> sequence.local-init-vars.010.description = override name space
> sequence.local-init-vars.010.type = var-set
> sequence.local-init-vars.010.var-set.variable = simple_namespaceDefault
> sequence.local-init-vars.010.var-set.value = *

What's this^ for? I think it's unusable.

>
> sequence.local-init-vars.020.description = apply filter to users
> sequence.local-init-vars.020.type = var-set
> sequence.local-init-vars.020.var-set.variable = simple_filterUserObject
> sequence.local-init-vars.020.var-set.value = ${seq:simple_filterUserObject}(employeeStatus=3)
>
> sequence.local-init-vars.030.description = apply filter to groups
> sequence.local-init-vars.030.type = var-set
> sequence.local-init-vars.030.var-set.variable = simple_filterGroupObject
> sequence.local-init-vars.030.var-set.value = (objectClass=groupOfUniqueNames)

This looks like a hard-to-maintain file. I would suggest you insert just 
the following into this file:

  include = <rfc2307-mycustom.properties>

  vars.server = labauth.lan.lab.org

  pool.authz.auth.type = none
  pool.default.serverset.type = single
  pool.default.serverset.single.server = ${global:vars.server}
  pool.default.ssl.startTLS = true
  pool.default.ssl.insecure = true

  pool.default.connection-options.connectTimeoutMillis = 10000
  pool.default.connection-options.responseTimeoutMillis = 90000

  # Set custom base DN
  sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
  sequence.my-basedn-init-vars.010.description = set baseDN
  sequence.my-basedn-init-vars.010.type = var-set
  sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
  sequence.my-basedn-init-vars.010.var-set.value = o=LANLAB

And then create in directory 
'/usr/share/ovirt-engine-extension-aaa-ldap/profiles/' file 
'rfc2307-mycustom.properties' with content:

include = <rfc2307.properties>

sequence-init.init.100-rfc2307-mycustom-init-vars = rfc2307-mycustom-init-vars
sequence.rfc2307-mycustom-init-vars.010.description = set unique attr
sequence.rfc2307-mycustom-init-vars.010.type = var-set
sequence.rfc2307-mycustom-init-vars.010.var-set.variable = rfc2307_attrsUniqueId
sequence.rfc2307-mycustom-init-vars.010.var-set.value = FIND_THIS_ONE

sequence.rfc2307-mycustom-init-vars.020.type = var-set
sequence.rfc2307-mycustom-init-vars.020.var-set.variable = simple_filterUserObject
sequence.rfc2307-mycustom-init-vars.020.var-set.value = (objectClass=labPerson)(employeeStatus=3)(${seq:simple_attrsUserName}=*)


Replace FIND_THIS_ONE with the unique attribute of labPerson (I 
guess). It can be an extended attribute (+, ++).

  $ LDAPTLS_REQCERT=never ldapsearch -ZZ -x -b 'o=LANLAB' -H ldap://labauth.lan.lab.org 'objectClass=labPerson'

maybe (or even with two +):

  $ LDAPTLS_REQCERT=never ldapsearch -ZZ -x -b 'o=LANLAB' -H ldap://labauth.lan.lab.org 'objectClass=labPerson' +

The question is if your implementation even has a unique attribute, does
it?

Also, may you share what your LDAP provider is? And if you share the
content of some user, it would help as well.

>
>
>
>
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
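To answer the "does your implementation have a unique attribute?" question from the ldapsearch output in the reply above, here is an added checker (example code, not part of the original thread): feed it the LDIF that ldapsearch prints and it reports, per attribute, where the value is missing, multi-valued or duplicated, which is exactly what rfc2307_attrsUniqueId must not be. The SAMPLE_LDIF entries, DNs and values are constructed for the example.

```python
# Constructed ldapsearch -LLL output for '(objectClass=labPerson)'; all DNs and values are made up.
SAMPLE_LDIF = """\
dn: uid=alice,o=LANLAB
uid: alice
employeeStatus: 3
entryUUID: 6b0c4b1e-0001-4a5c-9e1b-000000000001
mail: alice@lan.lab.org

dn: uid=bob,o=LANLAB
uid: bob
employeeStatus: 3
entryUUID: 6b0c4b1e-0002-4a5c-9e1b-000000000002
mail: bob@lan.lab.org

dn: uid=carol,o=LANLAB
uid: carol
employeeStatus: 1
entryUUID: 6b0c4b1e-0003-4a5c-9e1b-000000000003
"""

def parse_ldif(text):
    """One {attr: [values]} dict per entry that has a dn; folded lines are joined,
    comment lines are dropped, base64 ('::') values are kept encoded."""
    entries, record = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and record:        # folded continuation line
            record[-1] += raw[1:]
        elif raw == "":                           # blank line ends the entry
            entry = {}
            for line in record:
                name, _, value = line.partition(":")
                entry.setdefault(name, []).append(value.lstrip(": ").rstrip())
            if "dn" in entry:                     # skips the 'result: 0 Success' trailer
                entries.append(entry)
            record = []
        elif not raw.startswith("#"):
            record.append(raw)
    return entries

def check_attribute(entries, attr):
    """Why `attr` can or cannot serve as rfc2307_attrsUniqueId for these entries."""
    missing = [e["dn"][0] for e in entries if attr not in e]
    multi = [e["dn"][0] for e in entries if len(e.get(attr, [])) > 1]
    values = [e[attr][0] for e in entries if len(e.get(attr, [])) == 1]
    dupes = sorted({v for v in values if values.count(v) > 1})
    return {"missing_on": missing, "multi_valued_on": multi,
            "duplicate_values": dupes, "usable": not (missing or multi or dupes)}

def unique_id_candidates(entries):
    names = {a for e in entries for a in e} - {"dn"}  # every attribute seen, dn excluded
    return sorted(a for a in names if check_attribute(entries, a)["usable"])
```

On real output, run `unique_id_candidates(parse_ldif(open("users.ldif").read()))` against the `+` query; an empty list means the server offers no attribute that is present on every user and distinct, which is the case Ondra asks about.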