[ovirt-users] Unable to add permissions for LDAP users
Richard Neuboeck
hawk at tbi.univie.ac.at
Fri Mar 10 09:53:35 UTC 2017
On 03/10/2017 09:46 AM, Ondra Machacek wrote:
> So what's your provider 389ds or FreeIPA?
>
> Note that both use differrent unique ID. IPA is using 'ipaUniqueID',
> and 389ds is using 'nsuniqueid'. DId you tried both?
Thanks for pointing that out! It works perfectly if I use IPA.
I didn't know they have different identifiers (though it might have
been obvious to me since there is a separate IPA option...). I clung
to the thought that FreeIPA uses 389ds internally.
Thanks a lot!
Richard
>
> I can successfully run a search and also login
> from the setup script.
>
> After running the setup I rebootet the Engine VM to make sure
> everything is restarted.
>
> In the web UI configuration for 'System Permissions' I'm able to
> find users from LDAP but when I try to 'Add' a selected user the UI
> shows me this error: 'User admin at internal-authz failed to grant
> permission for Role SuperUser on System to User/Group <UNKNOWN>.'.
>
> In then engine.log the following lines are generated:
> 2017-03-09 14:02:49,308+01 INFO
> [org.ovirt.engine.core.bll.AddSystemPermissionCommand]
> (org.ovirt.thread.pool-6-thread-4)
> [1ebae5e0-e5f6-49ba-ac80-95266c582893] Running command:
> AddSystemPermissionCommand internal: false. Entities affected : ID:
> aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group
> MANIPULATE_PERMISSIONS with role type USER, ID:
> aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group
> ADD_USERS_AND_GROUPS_FROM_DIRECTORY with role type USER
> 2017-03-09 14:02:49,319+01 ERROR
> [org.ovirt.engine.core.bll.AddSystemPermissionCommand]
> (org.ovirt.thread.pool-6-thread-4)
> [1ebae5e0-e5f6-49ba-ac80-95266c582893] Transaction rolled-back for
> command 'org.ovirt.engine.core.bll.AddSystemPermissionCommand'.
> 2017-03-09 14:02:49,328+01 ERROR
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (org.ovirt.thread.pool-6-thread-4)
> [1ebae5e0-e5f6-49ba-ac80-95266c582893] EVENT_ID:
> USER_ADD_SYSTEM_PERMISSION_FAILED(867), Correlation ID:
> 1ebae5e0-e5f6-49ba-ac80-95266c582893, Call Stack: null, Custom Event
> ID: -1, Message: User admin at internal-authz failed to grant
> permission for Role SuperUser on System to User/Group <UNKNOWN>.
>
>
> So far I've re-run the ldap-setup routine. I made sure all newly
> generated files in /etc/ovirt-engine/[aaa|extensions.d] are owned by
> ovirt:ovirt (instead of root) and have 0600 as permission (instead
> of 0644). That didn't change anything.
>
> I've also found an older bug report but for oVirt 3.5
> https://bugzilla.redhat.com/show_bug.cgi?id=1121954
> <https://bugzilla.redhat.com/show_bug.cgi?id=1121954>
> That didn't reveal any new either.
>
> Any ideas what I could try next?
>
> Thanks!
> Cheers
> Richard
>
>
>
>
> On 10/06/2016 04:36 PM, Ondra Machacek wrote:
> > On 10/06/2016 01:47 PM, Michael Burch wrote:
> >> I'm using the latest ovirt on CentOS7 with the aaa-ldap
> extension.
> >> I can
> >> successfully authenticate as an LDAP user. I can also login as
> >> admin at internal and search for, find, and select LDAP users but I
> >> cannot
> >> add permissions for them. Each time I get the error "User
> >> admin at internal-authz failed to grant permission for Role
> UserRole on
> >> System to User/Group <UNKNOWN>."
> >
> > This error usually means bad unique attribute used.
> >
> >>
> >>
> >> I have no control over the LDAP server, which uses custom
> >> objectClasses
> >> and uses groupOfNames instead of PosixGroups. I assume I need
> to set
> >> sequence variables to accommodate our group configuration but I'm
> >> at a
> >> loss as to where to begin. the The config I have is as follows:
> >>
> >>
> >> include = <rfc2307-generic.properties>
> >>
> >> vars.server = labauth.lan.lab.org <http://labauth.lan.lab.org>
> >>
> >> pool.authz.auth.type = none
> >> pool.default.serverset.type = single
> >> pool.default.serverset.single.server = ${global:vars.server}
> >> pool.default.ssl.startTLS = true
> >> pool.default.ssl.insecure = true
> >>
> >> pool.default.connection-options.connectTimeoutMillis = 10000
> >> pool.default.connection-options.responseTimeoutMillis = 90000
> >> sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
> >> sequence.my-basedn-init-vars.010.description = set baseDN
> >> sequence.my-basedn-init-vars.010.type = var-set
> >> sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
> >> sequence.my-basedn-init-vars.010.var-set.value = o=LANLAB
> >>
> >> sequence-init.init.101-my-objectclass-init-vars =
> >> my-objectclass-init-vars
> >> sequence.my-objectclass-init-vars.020.description = set
> objectClass
> >> sequence.my-objectclass-init-vars.020.type = var-set
> >> sequence.my-objectclass-init-vars.020.var-set.variable =
> >> simple_filterUserObject
> >> sequence.my-objectclass-init-vars.020.var-set.value =
> >> (objectClass=labPerson)(uid=*)
> >>
> >> search.default.search-request.derefPolicy = NEVER
> >>
> >> sequence-init.init.900-local-init-vars = local-init-vars
> >> sequence.local-init-vars.010.description = override name space
> >> sequence.local-init-vars.010.type = var-set
> >> sequence.local-init-vars.010.var-set.variable =
> >> simple_namespaceDefault
> >> sequence.local-init-vars.010.var-set.value = *
> >
> > What's this^ for? I think it's unusable.
> >
> >>
> >> sequence.local-init-vars.020.description = apply filter to users
> >> sequence.local-init-vars.020.type = var-set
> >> sequence.local-init-vars.020.var-set.variable =
> >> simple_filterUserObject
> >> sequence.local-init-vars.020.var-set.value =
> >> ${seq:simple_filterUserObject}(employeeStatus=3)
> >>
> >> sequence.local-init-vars.030.description = apply filter to groups
> >> sequence.local-init-vars.030.type = var-set
> >> sequence.local-init-vars.030.var-set.variable =
> >> simple_filterGroupObject
> >> sequence.local-init-vars.030.var-set.value =
> >> (objectClass=groupOfUniqueNames)
> >
> > This looks as hard to maintain file. I would suggest you to insert
> > into this file just following:
> >
> > include = <rfc2307-mycustom.properties>
> >
> > vars.server = labauth.lan.lab.org <http://labauth.lan.lab.org>
> >
> > pool.authz.auth.type = none
> > pool.default.serverset.type = single
> > pool.default.serverset.single.server = ${global:vars.server}
> > pool.default.ssl.startTLS = true
> > pool.default.ssl.insecure = true
> >
> > pool.default.connection-options.connectTimeoutMillis = 10000
> > pool.default.connection-options.responseTimeoutMillis = 90000
> >
> > # Set custom base DN
> > sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
> > sequence.my-basedn-init-vars.010.description = set baseDN
> > sequence.my-basedn-init-vars.010.type = var-set
> > sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
> > sequence.my-basedn-init-vars.010.var-set.value = o=LANLAB
> >
> > And then create in directory
> > '/usr/share/ovirt-engine-extension-aaa-ldap/profiles/' file
> > 'rfc2307-mycustom.properties' with content:
> >
> > include = <rfc2307.properties>
> >
> > sequence-init.init.100-rfc2307-mycustom-init-vars =
> > rfc2307-mycustom-init-vars
> > sequence.rfc2307-mycustom-init-vars.010.description = set
> unique attr
> > sequence.rfc2307-mycustom-init-vars.010.type = var-set
> > sequence.rfc2307-mycustom-init-vars.010.var-set.variable =
> > rfc2307_attrsUniqueId
> > sequence.rfc2307-mycustom-init-vars.010.var-set.value =
> FIND_THIS_ONE
> >
> > sequence.rfc2307-mycustom-init-vars.020.type = var-set
> > sequence.rfc2307-mycustom-init-vars.020.var-set.variable =
> > simple_filterUserObject
> > sequence.rfc2307-mycustom-init-vars.020.var-set.value =
> >
> (objectClass=labPerson)(employeeStatus=3)(${seq:simple_attrsUserName}=*)
> >
> >
> >
> > The FIND_*THIS_ONE* replace with the unique attribute of
> labPerson(I
> > guess). It can be extended attribute(+,++).
> >
> > $ LDAPTLS_REQCERT=never ldapsearch -ZZ -x -b 'o=LANLAB' -H
> > ldap://labauth.lan.lab.org <http://labauth.lan.lab.org>
> 'objectClass=labPerson'
> >
> > maybe (or even with two +):
> > $ LDAPTLS_REQCERT=never ldapsearch -ZZ -x -b 'o=LANLAB' -H
> > ldap://labauth.lan.lab.org <http://labauth.lan.lab.org>
> 'objectClass=labPerson' +
> >
> > The question is if even your implementation has unique
> attribute, does
> > it?
> >
> > Also may you share what's your LDAP provider? And maybe if you
> share
> > content of some user it would help as well.
> >
> >>
> >>
> >>
> >>
> >> _______________________________________________
> >> Users mailing list
> >> Users at ovirt.org <mailto:Users at ovirt.org>
> >> http://lists.ovirt.org/mailman/listinfo/users
> <http://lists.ovirt.org/mailman/listinfo/users>
> >>
> > _______________________________________________
> > Users mailing list
> > Users at ovirt.org <mailto:Users at ovirt.org>
> > http://lists.ovirt.org/mailman/listinfo/users
> <http://lists.ovirt.org/mailman/listinfo/users>
>
>
> --
> /dev/null
>
>
--
/dev/null
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.ovirt.org/pipermail/users/attachments/20170310/7a60b518/attachment.sig>
More information about the Users
mailing list