[ovirt-users] Unable to add permissions for LDAP users

Richard Neuboeck hawk at tbi.univie.ac.at
Fri Mar 10 09:53:35 UTC 2017


On 03/10/2017 09:46 AM, Ondra Machacek wrote:

> So what's your provider 389ds or FreeIPA?
> 
> Note that both use different unique IDs. IPA is using 'ipaUniqueID',
> and 389ds is using 'nsuniqueid'. Did you try both?

Thanks for pointing that out! It works perfectly if I use IPA.
I didn't know they have different identifiers (though it might have
been obvious to me since there is a separate IPA option...). I clung
to the thought that FreeIPA uses 389ds internally.

Thanks a lot!
Richard

> 
>     I can successfully run a search and also login
>     from the setup script.
> 
>     After running the setup I rebooted the Engine VM to make sure
>     everything is restarted.
> 
>     In the web UI configuration for 'System Permissions' I'm able to
>     find users from LDAP but when I try to 'Add' a selected user the UI
>     shows me this error: 'User admin at internal-authz failed to grant
>     permission for Role SuperUser on System to User/Group <UNKNOWN>.'.
> 
>     In the engine.log the following lines are generated:
>     2017-03-09 14:02:49,308+01 INFO
>     [org.ovirt.engine.core.bll.AddSystemPermissionCommand]
>     (org.ovirt.thread.pool-6-thread-4)
>     [1ebae5e0-e5f6-49ba-ac80-95266c582893] Running command:
>     AddSystemPermissionCommand internal: false. Entities affected :  ID:
>     aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group
>     MANIPULATE_PERMISSIONS with role type USER,  ID:
>     aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group
>     ADD_USERS_AND_GROUPS_FROM_DIRECTORY with role type USER
>     2017-03-09 14:02:49,319+01 ERROR
>     [org.ovirt.engine.core.bll.AddSystemPermissionCommand]
>     (org.ovirt.thread.pool-6-thread-4)
>     [1ebae5e0-e5f6-49ba-ac80-95266c582893] Transaction rolled-back for
>     command 'org.ovirt.engine.core.bll.AddSystemPermissionCommand'.
>     2017-03-09 14:02:49,328+01 ERROR
>     [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
>     (org.ovirt.thread.pool-6-thread-4)
>     [1ebae5e0-e5f6-49ba-ac80-95266c582893] EVENT_ID:
>     USER_ADD_SYSTEM_PERMISSION_FAILED(867), Correlation ID:
>     1ebae5e0-e5f6-49ba-ac80-95266c582893, Call Stack: null, Custom Event
>     ID: -1, Message: User admin at internal-authz failed to grant
>     permission for Role SuperUser on System to User/Group <UNKNOWN>.
> 
> 
>     So far I've re-run the ldap-setup routine. I made sure all newly
>     generated files in /etc/ovirt-engine/[aaa|extensions.d] are owned by
>     ovirt:ovirt (instead of root) and have 0600 as permission (instead
>     of 0644). That didn't change anything.
> 
>     I've also found an older bug report but for oVirt 3.5
>     https://bugzilla.redhat.com/show_bug.cgi?id=1121954
>     <https://bugzilla.redhat.com/show_bug.cgi?id=1121954>
>     That didn't reveal anything new either.
> 
>     Any ideas what I could try next?
> 
>     Thanks!
>     Cheers
>     Richard
> 
> 
> 
> 
>     On 10/06/2016 04:36 PM, Ondra Machacek wrote:
>     > On 10/06/2016 01:47 PM, Michael Burch wrote:
>     >> I'm using the latest ovirt on CentOS7 with the aaa-ldap
>     extension.
>     >> I can
>     >> successfully authenticate as an LDAP user. I can also login as
>     >> admin at internal and search for, find, and select LDAP users but I
>     >> cannot
>     >> add permissions for them. Each time I get the error "User
>     >> admin at internal-authz failed to grant permission for Role
>     UserRole on
>     >> System to User/Group <UNKNOWN>."
>     >
>     > This error usually means bad unique attribute used.
>     >
>     >>
>     >>
>     >> I have no control over the LDAP server, which uses custom
>     >> objectClasses
>     >> and uses groupOfNames instead of PosixGroups. I assume I need
>     to set
>     >> sequence variables to accommodate our group configuration but I'm
>     >> at a
>     >> loss as to where to begin. The config I have is as follows:
>     >>
>     >>
>     >> include = <rfc2307-generic.properties>
>     >>
>     >> vars.server = labauth.lan.lab.org
>     >>
>     >> pool.authz.auth.type = none
>     >> pool.default.serverset.type = single
>     >> pool.default.serverset.single.server = ${global:vars.server}
>     >> pool.default.ssl.startTLS = true
>     >> pool.default.ssl.insecure = true
>     >>
>     >> pool.default.connection-options.connectTimeoutMillis = 10000
>     >> pool.default.connection-options.responseTimeoutMillis = 90000
>     >> sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
>     >> sequence.my-basedn-init-vars.010.description = set baseDN
>     >> sequence.my-basedn-init-vars.010.type = var-set
>     >> sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
>     >> sequence.my-basedn-init-vars.010.var-set.value = o=LANLAB
>     >>
>     >> sequence-init.init.101-my-objectclass-init-vars =
>     >> my-objectclass-init-vars
>     >> sequence.my-objectclass-init-vars.020.description = set
>     objectClass
>     >> sequence.my-objectclass-init-vars.020.type = var-set
>     >> sequence.my-objectclass-init-vars.020.var-set.variable =
>     >> simple_filterUserObject
>     >> sequence.my-objectclass-init-vars.020.var-set.value =
>     >> (objectClass=labPerson)(uid=*)
>     >>
>     >> search.default.search-request.derefPolicy = NEVER
>     >>
>     >> sequence-init.init.900-local-init-vars = local-init-vars
>     >> sequence.local-init-vars.010.description = override name space
>     >> sequence.local-init-vars.010.type = var-set
>     >> sequence.local-init-vars.010.var-set.variable =
>     >> simple_namespaceDefault
>     >> sequence.local-init-vars.010.var-set.value = *
>     >
>     > What's this^ for? I think it's unusable.
>     >
>     >>
>     >> sequence.local-init-vars.020.description = apply filter to users
>     >> sequence.local-init-vars.020.type = var-set
>     >> sequence.local-init-vars.020.var-set.variable =
>     >> simple_filterUserObject
>     >> sequence.local-init-vars.020.var-set.value =
>     >> ${seq:simple_filterUserObject}(employeeStatus=3)
>     >>
>     >> sequence.local-init-vars.030.description = apply filter to groups
>     >> sequence.local-init-vars.030.type = var-set
>     >> sequence.local-init-vars.030.var-set.variable =
>     >> simple_filterGroupObject
>     >> sequence.local-init-vars.030.var-set.value =
>     >> (objectClass=groupOfUniqueNames)
>     >
>     > This looks like a hard-to-maintain file. I would suggest you insert
>     > into this file just the following:
>     >
>     >  include = <rfc2307-mycustom.properties>
>     >
>     >  vars.server = labauth.lan.lab.org
>     >
>     >  pool.authz.auth.type = none
>     >  pool.default.serverset.type = single
>     >  pool.default.serverset.single.server = ${global:vars.server}
>     >  pool.default.ssl.startTLS = true
>     >  pool.default.ssl.insecure = true
>     >
>     >  pool.default.connection-options.connectTimeoutMillis = 10000
>     >  pool.default.connection-options.responseTimeoutMillis = 90000
>     >
>     >  # Set custom base DN
>     >  sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
>     >  sequence.my-basedn-init-vars.010.description = set baseDN
>     >  sequence.my-basedn-init-vars.010.type = var-set
>     >  sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
>     >  sequence.my-basedn-init-vars.010.var-set.value = o=LANLAB
>     >
>     > And then create in directory
>     > '/usr/share/ovirt-engine-extension-aaa-ldap/profiles/' file
>     > 'rfc2307-mycustom.properties' with content:
>     >
>     > include = <rfc2307.properties>
>     >
>     > sequence-init.init.100-rfc2307-mycustom-init-vars =
>     > rfc2307-mycustom-init-vars
>     > sequence.rfc2307-mycustom-init-vars.010.description = set
>     unique attr
>     > sequence.rfc2307-mycustom-init-vars.010.type = var-set
>     > sequence.rfc2307-mycustom-init-vars.010.var-set.variable =
>     > rfc2307_attrsUniqueId
>     > sequence.rfc2307-mycustom-init-vars.010.var-set.value =
>     FIND_THIS_ONE
>     >
>     > sequence.rfc2307-mycustom-init-vars.020.type = var-set
>     > sequence.rfc2307-mycustom-init-vars.020.var-set.variable =
>     > simple_filterUserObject
>     > sequence.rfc2307-mycustom-init-vars.020.var-set.value =
>     >
>     (objectClass=labPerson)(employeeStatus=3)(${seq:simple_attrsUserName}=*)
>     >
>     >
>     >
>     > Replace FIND_THIS_ONE with the unique attribute of labPerson (I
>     > guess). It can be an extended attribute (+, ++).
>     >
>     >  $ LDAPTLS_REQCERT=never ldapsearch -ZZ -x -b 'o=LANLAB' -H ldap://labauth.lan.lab.org 'objectClass=labPerson'
>     >
>     >  maybe (or even with two +):
>     >  $ LDAPTLS_REQCERT=never ldapsearch -ZZ -x -b 'o=LANLAB' -H ldap://labauth.lan.lab.org 'objectClass=labPerson' +
>     >
>     > The question is whether your implementation even has a unique
>     > attribute, does it?
>     >
>     > Also, could you share what your LDAP provider is? And if you
>     > share the content of some user it would help as well.
>     >
>     >>
>     >>
>     >>
>     >>
> 
> 
>     --
>     /dev/null
> 
> 


-- 
/dev/null
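The thread turns on one detail: oVirt's aaa-ldap extension identifies a user by a unique-ID attribute, and the "User/Group <UNKNOWN>" failure appears when the configured attribute (rfc2307_attrsUniqueId) does not exist on the entries the directory actually returns. Ondra's suggestion is to run ldapsearch with the `+` operational-attribute selector and look for one. The script below is an added example, not code from the oVirt project or from either poster: it parses LDIF as ldapsearch prints it (folded lines, `::` base64 values), checks which candidate unique-ID attribute is present once on every entry and distinct across entries, and renders the rfc2307-mycustom.properties override from the thread with that attribute filled in. The LDIF is constructed sample data shaped like a 389ds entry; 'entryUUID' (OpenLDAP) and 'objectGUID' (Active Directory) are added as candidates by assumption for directories other than the two named in the thread, and the filter text is taken from the thread as a default.

```python
"""Discover a unique-ID attribute in ldapsearch LDIF output and render the
oVirt aaa-ldap profile override for it.

Added example (not oVirt project code). Usage:
    ldapsearch -ZZ -x -b 'o=LANLAB' -H ldap://server 'objectClass=labPerson' + > users.ldif
    python3 find_unique_attr.py users.ldif
With no argument it runs on the constructed SAMPLE_LDIF below.
"""
import base64
import re
import sys

# Ordered by preference. The first two are the attributes named in the
# thread (FreeIPA, 389ds); the last two are assumptions for other servers.
UNIQUE_ID_CANDIDATES = ("ipaUniqueID", "nsuniqueid", "entryUUID", "objectGUID")

SAMPLE_LDIF = """\
# constructed sample: two 389ds-style entries with operational attributes
dn: uid=jdoe,ou=people,o=LANLAB
objectClass: labPerson
objectClass: top
uid: jdoe
cn:: Sm9obiBEb2U=
employeeStatus: 3
nsuniqueid: 6a5b2c3d-1234abcd-56ef7890-0a1b2c3d
modifyTimestamp: 20170309120000Z

dn: uid=asmith,ou=people,o=LANLAB
objectClass: labPerson
uid: asmith
employeeStatus: 3
nsuniqueid: 7b6c3d4e-2345bcde-67f08901-1b2c3d4e
"""

_ATTR_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Return a list of entries, each a dict {attribute: [values]}.

    Handles '#' comments, folded continuation lines (leading space) and
    base64 values written as 'attr:: <b64>'. Attribute case is preserved;
    callers compare case-insensitively because LDAP attribute names are.
    """
    entries, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines():   # unfold first
        if line.startswith("#"):
            continue
        if not line.strip():                               # blank = entry end
            if current:
                entries.append(current)
                current = {}
            continue
        m = _ATTR_LINE.match(line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def find_unique_attr(entries):
    """First candidate that is single-valued on every entry and has no
    duplicate values across entries; None if nothing qualifies."""
    lowered = [{k.lower(): v for k, v in e.items()} for e in entries]
    for cand in UNIQUE_ID_CANDIDATES:
        key = cand.lower()
        if not entries or not all(len(e.get(key, [])) == 1 for e in lowered):
            continue
        values = [e[key][0] for e in lowered]
        if len(set(values)) == len(values):
            return cand
    return None


def render_profile(unique_attr,
                   user_filter="(objectClass=labPerson)(employeeStatus=3)"):
    """Render the rfc2307-mycustom.properties override from the thread."""
    p = "sequence.rfc2307-mycustom-init-vars"
    lines = [
        "include = <rfc2307.properties>",
        "",
        "sequence-init.init.100-rfc2307-mycustom-init-vars = rfc2307-mycustom-init-vars",
        f"{p}.010.description = set unique attr",
        f"{p}.010.type = var-set",
        f"{p}.010.var-set.variable = rfc2307_attrsUniqueId",
        f"{p}.010.var-set.value = {unique_attr}",
        "",
        f"{p}.020.type = var-set",
        f"{p}.020.var-set.variable = simple_filterUserObject",
        f"{p}.020.var-set.value = {user_filter}(${{seq:simple_attrsUserName}}=*)",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    found = find_unique_attr(parse_ldif(text))
    if found is None:
        sys.exit("no candidate unique-ID attribute on every entry; re-run ldapsearch with '+'")
    sys.stdout.write(render_profile(found))
```

Write the rendered output to /usr/share/ovirt-engine-extension-aaa-ldap/profiles/rfc2307-mycustom.properties as the thread describes and point the main profile at it with `include = <rfc2307-mycustom.properties>`. One caveat on the main profile posted in the thread: `pool.default.ssl.insecure = true` (like `LDAPTLS_REQCERT=never` in the ldapsearch commands) turns off certificate verification for the StartTLS session, which is acceptable while diagnosing, but for production the engine should be given the directory's CA so that setting can be dropped.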


