[ovirt-users] Unable to add permissions for LDAP users

Richard Neuboeck hawk at tbi.univie.ac.at
Thu Mar 9 13:22:22 UTC 2017


Hi,

I seem to experience the same problem right now and am at a bit of a
loss as to where to dig for some more troubleshooting information. I
would highly appreciate some help.

Here is what I have and what I did:

ovirt-engine-4.1.0.4-1.el7.centos.noarch
ovirt-engine-extension-aaa-ldap-1.3.0-1.el7.noarch

I executed ovirt-engine-extension-aaa-ldap-setup. My LDAP provider
is 389ds (FreeIPA). I can successfully run a search and also login
from the setup script.

After running the setup I rebooted the Engine VM to make sure
everything is restarted.

In the web UI configuration for 'System Permissions' I'm able to
find users from LDAP but when I try to 'Add' a selected user the UI
shows me this error: 'User admin at internal-authz failed to grant
permission for Role SuperUser on System to User/Group <UNKNOWN>.'.

In the engine.log the following lines are generated:
2017-03-09 14:02:49,308+01 INFO
[org.ovirt.engine.core.bll.AddSystemPermissionCommand]
(org.ovirt.thread.pool-6-thread-4)
[1ebae5e0-e5f6-49ba-ac80-95266c582893] Running command:
AddSystemPermissionCommand internal: false. Entities affected :  ID:
aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group
MANIPULATE_PERMISSIONS with role type USER,  ID:
aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group
ADD_USERS_AND_GROUPS_FROM_DIRECTORY with role type USER
2017-03-09 14:02:49,319+01 ERROR
[org.ovirt.engine.core.bll.AddSystemPermissionCommand]
(org.ovirt.thread.pool-6-thread-4)
[1ebae5e0-e5f6-49ba-ac80-95266c582893] Transaction rolled-back for
command 'org.ovirt.engine.core.bll.AddSystemPermissionCommand'.
2017-03-09 14:02:49,328+01 ERROR
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(org.ovirt.thread.pool-6-thread-4)
[1ebae5e0-e5f6-49ba-ac80-95266c582893] EVENT_ID:
USER_ADD_SYSTEM_PERMISSION_FAILED(867), Correlation ID:
1ebae5e0-e5f6-49ba-ac80-95266c582893, Call Stack: null, Custom Event
ID: -1, Message: User admin at internal-authz failed to grant
permission for Role SuperUser on System to User/Group <UNKNOWN>.


So far I've re-run the ldap-setup routine. I made sure all newly
generated files in /etc/ovirt-engine/[aaa|extensions.d] are owned by
ovirt:ovirt (instead of root) and have 0600 as permission (instead
of 0644). That didn't change anything.

I've also found an older bug report but for oVirt 3.5
https://bugzilla.redhat.com/show_bug.cgi?id=1121954
That didn't reveal anything new either.

Any ideas what I could try next?

Thanks!
Cheers
Richard
On 10/06/2016 04:36 PM, Ondra Machacek wrote:
> On 10/06/2016 01:47 PM, Michael Burch wrote:
>> I'm using the latest ovirt on CentOS7 with the aaa-ldap extension.
>> I can
>> successfully authenticate as an LDAP user. I can also login as
>> admin at internal and search for, find, and select LDAP users but I
>> cannot
>> add permissions for them. Each time I get the error "User
>> admin at internal-authz failed to grant permission for Role UserRole on
>> System to User/Group <UNKNOWN>."
> 
> This error usually means bad unique attribute used.
> 
>>
>>
>> I have no control over the LDAP server, which uses custom
>> objectClasses
>> and uses groupOfNames instead of PosixGroups. I assume I need to set
>> sequence variables to accommodate our group configuration but I'm
>> at a
>> loss as to where to begin. The config I have is as follows:
>>
>>
>> include = <rfc2307-generic.properties>
>>
>> vars.server = labauth.lan.lab.org
>>
>> pool.authz.auth.type = none
>> pool.default.serverset.type = single
>> pool.default.serverset.single.server = ${global:vars.server}
>> pool.default.ssl.startTLS = true
>> pool.default.ssl.insecure = true
>>
>> pool.default.connection-options.connectTimeoutMillis = 10000
>> pool.default.connection-options.responseTimeoutMillis = 90000
>> sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
>> sequence.my-basedn-init-vars.010.description = set baseDN
>> sequence.my-basedn-init-vars.010.type = var-set
>> sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
>> sequence.my-basedn-init-vars.010.var-set.value = o=LANLAB
>>
>> sequence-init.init.101-my-objectclass-init-vars =
>> my-objectclass-init-vars
>> sequence.my-objectclass-init-vars.020.description = set objectClass
>> sequence.my-objectclass-init-vars.020.type = var-set
>> sequence.my-objectclass-init-vars.020.var-set.variable =
>> simple_filterUserObject
>> sequence.my-objectclass-init-vars.020.var-set.value =
>> (objectClass=labPerson)(uid=*)
>>
>> search.default.search-request.derefPolicy = NEVER
>>
>> sequence-init.init.900-local-init-vars = local-init-vars
>> sequence.local-init-vars.010.description = override name space
>> sequence.local-init-vars.010.type = var-set
>> sequence.local-init-vars.010.var-set.variable =
>> simple_namespaceDefault
>> sequence.local-init-vars.010.var-set.value = *
> 
> What's this^ for? I think it's unusable.
> 
>>
>> sequence.local-init-vars.020.description = apply filter to users
>> sequence.local-init-vars.020.type = var-set
>> sequence.local-init-vars.020.var-set.variable =
>> simple_filterUserObject
>> sequence.local-init-vars.020.var-set.value =
>> ${seq:simple_filterUserObject}(employeeStatus=3)
>>
>> sequence.local-init-vars.030.description = apply filter to groups
>> sequence.local-init-vars.030.type = var-set
>> sequence.local-init-vars.030.var-set.variable =
>> simple_filterGroupObject
>> sequence.local-init-vars.030.var-set.value =
>> (objectClass=groupOfUniqueNames)
> 
> This looks like a hard-to-maintain file. I would suggest you insert
> just the following into this file:
> 
>  include = <rfc2307-mycustom.properties>
> 
>  vars.server = labauth.lan.lab.org
> 
>  pool.authz.auth.type = none
>  pool.default.serverset.type = single
>  pool.default.serverset.single.server = ${global:vars.server}
>  pool.default.ssl.startTLS = true
>  pool.default.ssl.insecure = true
> 
>  pool.default.connection-options.connectTimeoutMillis = 10000
>  pool.default.connection-options.responseTimeoutMillis = 90000
> 
>  # Set custom base DN
>  sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
>  sequence.my-basedn-init-vars.010.description = set baseDN
>  sequence.my-basedn-init-vars.010.type = var-set
>  sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
>  sequence.my-basedn-init-vars.010.var-set.value = o=LANLAB
> 
> And then create in directory
> '/usr/share/ovirt-engine-extension-aaa-ldap/profiles/' file
> 'rfc2307-mycustom.properties' with content:
> 
> include = <rfc2307.properties>
> 
> sequence-init.init.100-rfc2307-mycustom-init-vars =
> rfc2307-mycustom-init-vars
> sequence.rfc2307-mycustom-init-vars.010.description = set unique attr
> sequence.rfc2307-mycustom-init-vars.010.type = var-set
> sequence.rfc2307-mycustom-init-vars.010.var-set.variable =
> rfc2307_attrsUniqueId
> sequence.rfc2307-mycustom-init-vars.010.var-set.value = FIND_THIS_ONE
> 
> sequence.rfc2307-mycustom-init-vars.020.type = var-set
> sequence.rfc2307-mycustom-init-vars.020.var-set.variable =
> simple_filterUserObject
> sequence.rfc2307-mycustom-init-vars.020.var-set.value =
> (objectClass=labPerson)(employeeStatus=3)(${seq:simple_attrsUserName}=*)
> 
> 
> 
> Replace FIND_THIS_ONE with the unique attribute of labPerson (I
> guess). It can be an extended attribute (+, ++).
> 
>  $ LDAPTLS_REQCERT=never ldapsearch -ZZ -x -b 'o=LANLAB' -H
> ldap://labauth.lan.lab.org 'objectClass=labPerson'
> 
>  maybe (or even with two +):
> $ LDAPTLS_REQCERT=never ldapsearch -ZZ -x -b 'o=LANLAB' -H
> ldap://labauth.lan.lab.org 'objectClass=labPerson' +
> 
> The question is whether your implementation even has a unique
> attribute, does it?
> 
> Also, could you share what your LDAP provider is? And if you share
> the content of some user, it would help as well.
> 
>> _______________________________________________
>> Users mailing list
>> Users at ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users


-- 
/dev/null
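As an added example (not from this thread and not oVirt project code): a small Python helper that parses one entry from an `ldapsearch ... +` run, picks a single-valued unique-id attribute, and emits the `rfc2307_attrsUniqueId` override in the shape of Ondra's `rfc2307-mycustom.properties` fragment. The sample entry is constructed, and the candidate list is an assumption about what a directory exposes (ipaUniqueID is what FreeIPA entries carry, nsUniqueId is the 389-ds operational attribute); a multi-valued or missing attribute is rejected because it cannot identify a user and is the kind of misconfiguration behind the `User/Group <UNKNOWN>` error.

```python
import base64
import re

# Candidates, most preferred first: ipaUniqueID (FreeIPA), nsUniqueId (389-ds).
CANDIDATES = ("ipaUniqueID", "nsUniqueId", "entryUUID", "objectGUID", "uidNumber")

def parse_ldif_entry(ldif):
    """Parse one LDIF entry into {attr_lowercase: [values]} (folded lines, base64)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        m = re.match(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$", line)
        if not m:
            continue
        attr, sep, val = m.groups()
        if sep == "::":                     # base64-encoded value
            val = base64.b64decode(val).decode("utf-8", "replace")
        entry.setdefault(attr.lower(), []).append(val)
    return entry

def pick_unique_attr(entry):
    """First candidate present with exactly one non-empty value, else None."""
    for cand in CANDIDATES:
        vals = entry.get(cand.lower())
        if vals and len(vals) == 1 and vals[0]:
            return cand
    return None

def render_override(attr):
    """Properties fragment in the shape of the rfc2307-mycustom example above."""
    p = "sequence.rfc2307-mycustom-init-vars.010"
    return "\n".join([
        "include = <rfc2307.properties>",
        "sequence-init.init.100-rfc2307-mycustom-init-vars = rfc2307-mycustom-init-vars",
        f"{p}.description = set unique attr",
        f"{p}.type = var-set",
        f"{p}.var-set.variable = rfc2307_attrsUniqueId",
        f"{p}.var-set.value = {attr}",
    ])

# Constructed sample entry (cn is base64-encoded, memberOf is folded over two lines).
SAMPLE_LDIF = """\
dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=test
objectClass: labPerson
cn:: Sm9obiBEb2U=
ipaUniqueID: 7c1b2e9a-0000-4000-8000-00000000c0de
memberOf: cn=admins,cn=groups,
 cn=accounts,dc=example,dc=test
"""
```

Run `render_override(pick_unique_attr(parse_ldif_entry(SAMPLE_LDIF)))` to get the fragment; if `pick_unique_attr` returns None, the entry has no usable unique attribute and the profile needs a different one.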
