Re: [ovirt-users] FreeIPA authentication broken

2018-04-24 Thread Ondra Machacek

Right, you are missing the file /etc/ovirt-engine/aaa/IPA.properties

It's not a subdirectory of /etc/ovirt-engine/extensions.d; it's in
/etc/ovirt-engine/, in the 'aaa' subdirectory. Can you check what's there?
Please also check the permissions of that file; it should be
'600' and owned by the ovirt user.

On 04/23/2018 10:25 PM, Kristian Petersen wrote:
> Looks like it can't find the IPA.properties file.  I tried following the
> path it is complaining about but there are only files in
> /etc/ovirt-engine/extensions.d on the engine VM.  No subdirectories.
> However, that directory appears to contain the files it is looking for.
> Both IPA-authn.properties and IPA.properties are there as are the
> internal properties files.  Is there a config file we can edit to tell
> it to look in the right place?



___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
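
The check described in the reply above (the referenced file must exist under /etc/ovirt-engine/aaa, with mode 600 and owned by the ovirt user), written as a script. This is an added example, not part of the thread or of oVirt. It assumes `stat -c` (GNU or busybox), that `config.profile.file.N` (aaa-ldap extension files) and `config.datasource.file` (seen in the posted log) name the second file, and that relative paths resolve against the directory holding the extension file; the sample tree is constructed.

```shell
#!/bin/sh
# Added example: audit the files that oVirt AAA extension configs point at.

# Print the paths an extension .properties file refers to.
# Keys handled: config.profile.file.N and config.datasource.file.
referenced_files() {
    sed -n -E 's/^[[:space:]]*config\.(profile\.file\.[0-9]+|datasource\.file)[[:space:]]*=[[:space:]]*(.*[^[:space:]])[[:space:]]*$/\2/p' "$1"
}

# check_aaa_files EXT_DIR [OWNER]
# Prints "<status> <extension-file> -> <target>" per reference, where status
# is OK, MISSING, BADMODE:<mode> or BADOWNER:<owner>. Returns 1 on any finding.
check_aaa_files() {
    ext_dir=$1
    want_owner=${2:-ovirt}
    report=$(
        for ext in "$ext_dir"/*.properties; do
            [ -f "$ext" ] || continue
            referenced_files "$ext" | while IFS= read -r target; do
                # Assumption: relative paths are relative to the directory
                # that holds the extension file.
                case $target in
                    /*) path=$target ;;
                    *)  path=$ext_dir/$target ;;
                esac
                if [ ! -f "$path" ]; then
                    status=MISSING
                else
                    mode=$(stat -c '%a' "$path")
                    who=$(stat -c '%U' "$path")
                    if [ "$mode" != 600 ]; then
                        status=BADMODE:$mode
                    elif [ "$who" != "$want_owner" ]; then
                        status=BADOWNER:$who
                    else
                        status=OK
                    fi
                fi
                printf '%s %s -> %s\n' "$status" "${ext##*/}" "$target"
            done
        done
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    # Any line that does not start with "OK " is a finding.
    if printf '%s\n' "$report" | grep -qv '^OK '; then
        return 1
    fi
    return 0
}

# Constructed sample that mirrors the layout reported in the thread:
# IPA.properties sits in extensions.d instead of the sibling aaa directory.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/extensions.d" "$root/aaa"
    printf 'config.datasource.file = %s/aaa/internal.properties\n' "$root" \
        > "$root/extensions.d/internal-authz.properties"
    printf 'config.profile.file.1 = ../aaa/IPA.properties\n' \
        > "$root/extensions.d/IPA-authn.properties"
    : > "$root/extensions.d/IPA.properties"   # misplaced profile file
    : > "$root/aaa/internal.properties"
    chmod 600 "$root/aaa/internal.properties"
    printf '%s\n' "$root"
}

# Demo on the constructed tree. On an engine host the call would be:
#   check_aaa_files /etc/ovirt-engine/extensions.d ovirt
sample=$(make_sample_tree)
check_aaa_files "$sample/extensions.d" "$(id -un)" || echo "findings above need fixing"
rm -rf "$sample"
```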


Re: [ovirt-users] FreeIPA authentication broken

2018-04-23 Thread Kristian Petersen
Looks like it can't find the IPA.properties file.  I tried following the
path it is complaining about but there are only files in
/etc/ovirt-engine/extensions.d
on the engine VM.  No subdirectories.  However, that directory appears to
contain the files it is looking for.  Both IPA-authn.properties and
IPA.properties are there as are the internal properties files.  Is there a
config file we can edit to tell it to look in the right place?


Re: [ovirt-users] FreeIPA authentication broken

2018-04-23 Thread Kristian Petersen
After running ovirt-engine-extensions-tool --log-level=FINEST
--log-file=/tmp/aaa.log aaa login-user --user-name nesretep --profile IPA...

*Contents of /tmp/aaa.log:*
2018-04-23 14:10:58,771-06 FINE    Version: ovirt-engine-4.2.1.7 ()
2018-04-23 14:10:58,856-06 INFO
2018-04-23 14:10:58,856-06 INFO    Initialization
2018-04-23 14:10:58,857-06 INFO
2018-04-23 14:10:58,858-06 FINE    Loading extension file 'internal-authz.properties'
2018-04-23 14:10:58,882-06 INFO    Loading extension 'internal-authz'
2018-04-23 14:10:58,884-06 FINEST  Invoke Input BEGIN
2018-04-23 14:10:58,887-06 FINEST  Invoke Input END
2018-04-23 14:10:58,891-06 FINEST  Invoke Output BEGIN
2018-04-23 14:10:58,892-06 FINEST  {Extkey[name=AAA_AUTHZ_STATUS;type=class java.lang.Integer;uuid=AAA_AUTHZ_STATUS[566f0ba5-8329-4de1-952a-7a81e4bedd3e];]=0, Extkey[name=EXTENSION_INVOKE_RESULT;type=class java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=0}
2018-04-23 14:10:58,892-06 FINEST  Invoke Output END
2018-04-23 14:10:58,893-06 INFO    Extension 'internal-authz' loaded
2018-04-23 14:10:58,894-06 FINE    Config BEGIN
2018-04-23 14:10:58,894-06 FINE    ovirt.engine.extension.provides: org.ovirt.engine.api.extensions.aaa.Authz
2018-04-23 14:10:58,895-06 FINE    ovirt.engine.extension.binding.jbossmodule.class: org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthzExtension
2018-04-23 14:10:58,896-06 FINE    ovirt.engine.extension.bindings.method: jbossmodule
2018-04-23 14:10:58,897-06 FINE    config.datasource.file: /etc/ovirt-engine/aaa/internal.properties
2018-04-23 14:10:58,897-06 FINE    ovirt.engine.extension.name: internal-authz
2018-04-23 14:10:58,898-06 FINE    ovirt.engine.extension.binding.jbossmodule.module: org.ovirt.engine.extension.aaa.jdbc
2018-04-23 14:10:58,898-06 FINE    Config END
2018-04-23 14:10:58,899-06 FINE    Loading extension file 'internal-authn.properties'
2018-04-23 14:10:58,900-06 INFO    Loading extension 'internal-authn'
2018-04-23 14:10:58,900-06 FINEST  Invoke Input BEGIN

Re: [ovirt-users] FreeIPA authentication broken

2018-04-23 Thread Ondra Machacek

On 04/23/2018 04:30 PM, Kristian Petersen wrote:

> Hey everyone,
>
> I had FreeIPA authentication set up on my oVirt instance and it was
> working great.  Then something happened that disconnected my NFS storage
> and caused a problem with my hosted-engine.  Once I got it back up and
> running again, my FreeIPA authentication was still a choice for
> authentication, but it always rejects my password even though it is
> correct.  I have tried running the setup again to no avail.  Nothing
> shows up in the httpd error log when the login fails.  The engine.log
> from ovirt-engine in /var/log shows the following upon attempting to
> authenticate with a user from freeIPA:
>
> 2018-04-23 08:08:24,384-06 WARN  [org.ovirt.engineextensions.aaa.ldap.Framework] (default task-34) [] Ignoring records from pool: 'authz'
> 2018-04-23 08:08:24,384-06 ERROR [org.ovirt.engine.core.sso.servlets.InteractiveAuthServlet] (default task-34) [] Cannot authenticate user 'nesretep@IPA' connecting from 'UNKNOWN': The username or password is incorrect.

Can you try to run this command:

 $ ovirt-engine-extensions-tool --log-level=FINEST --log-file=/tmp/aaa.log aaa login-user --user-name nesretep --profile IPA

and share /tmp/aaa.log?

> I'm not sure why 'authz' is being ignored but it is certainly why IPA
> authentication isn't working as 'username@authz' is how IPA logins show
> up in oVirt when they do work.  Any ideas where to look next?
>
> --
> Kristian Petersen
> System Administrator
> BYU Dept. of Chemistry and Biochemistry




[ovirt-users] FreeIPA authentication broken

2018-04-23 Thread Kristian Petersen
Hey everyone,

I had FreeIPA authentication set up on my oVirt instance and it was working
great.  Then something happened that disconnected my NFS storage and caused
a problem with my hosted-engine.  Once I got it back up and running again,
my FreeIPA authentication was still a choice for authentication, but it
always rejects my password even though it is correct.  I have tried running
the setup again to no avail.  Nothing shows up in the httpd error log when
the login fails.  The engine.log from ovirt-engine in /var/log shows the
following upon attempting to authenticate with a user from freeIPA:

2018-04-23 08:08:24,384-06 WARN  [org.ovirt.engineextensions.aaa.ldap.Framework] (default task-34) [] Ignoring records from pool: 'authz'
2018-04-23 08:08:24,384-06 ERROR [org.ovirt.engine.core.sso.servlets.InteractiveAuthServlet] (default task-34) [] Cannot authenticate user 'nesretep@IPA' connecting from 'UNKNOWN': The username or password is incorrect.

I'm not sure why 'authz' is being ignored but it is certainly why IPA
authentication isn't working as 'username@authz' is how IPA logins show up
in oVirt when they do work.  Any ideas where to look next?
-- 
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry


Re: [ovirt-users] FreeIPA with ovirt 4.1

2017-02-15 Thread Ondra Machacek
Looking at the error message again, it says 'Unsupported command'.
Can you please share your properties files? I think that you have
misconfigured it, I guess you use for example AuthzExtension instead
of AuthnExtension or vice versa, maybe misconfigured mapping.


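A lint for the mix-up suggested in the reply above (an extension file that declares one AAA interface but binds the class of another). This is an added example, not part of the thread or of oVirt. The two key names are the ones visible in the aaa.log posted on this page; the rule "interface `Authn` pairs with a class named `AuthnExtension`" is a naming-convention assumption, and the sample files are constructed, reusing file names from the thread.

```shell
#!/bin/sh
# Added example: cross-check 'provides' against the bound class in
# oVirt extension .properties files.

# prop FILE KEY: print the trimmed value of KEY (first match) from FILE.
prop() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n -E "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*(.*[^[:space:]])[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# lint_extension FILE
# Returns 0 (OK), 1 (MISMATCH) or 2 (INCOMPLETE: one or both keys absent,
# e.g. a profile file that was placed in extensions.d).
lint_extension() {
    file=$1
    provides=$(prop "$file" ovirt.engine.extension.provides)
    class=$(prop "$file" ovirt.engine.extension.binding.jbossmodule.class)
    if [ -z "$provides" ] || [ -z "$class" ]; then
        printf 'INCOMPLETE %s\n' "${file##*/}"
        return 2
    fi
    kind=${provides##*.}    # Authn, Authz, Mapping, ...
    impl=${class##*.}       # AuthnExtension, AuthzExtension, ...
    # Assumption: the class simple name is "<interface>Extension".
    if [ "$impl" = "${kind}Extension" ]; then
        printf 'OK %s provides=%s class=%s\n' "${file##*/}" "$kind" "$impl"
        return 0
    fi
    printf 'MISMATCH %s provides=%s class=%s\n' "${file##*/}" "$kind" "$impl"
    return 1
}

# lint_extensions_dir DIR: lint every *.properties file, return 1 on any finding.
lint_extensions_dir() {
    bad=0
    for f in "$1"/*.properties; do
        [ -f "$f" ] || continue
        lint_extension "$f" || bad=1
    done
    return $bad
}

# Constructed sample files. internal-authz uses the values shown in the
# posted log; the authn file has the Authz class swapped in on purpose.
make_sample_extensions() {
    dir=$(mktemp -d)
    cat > "$dir/internal-authz.properties" <<'EOF'
ovirt.engine.extension.name = internal-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine.extension.aaa.jdbc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
EOF
    cat > "$dir/mydomain.lan-authn.properties" <<'EOF'
ovirt.engine.extension.name = mydomain.lan-authn
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
EOF
    : > "$dir/mydomain.lan.properties"   # no extension keys at all
    printf '%s\n' "$dir"
}

# Demo on the constructed files. On an engine host the call would be:
#   lint_extensions_dir /etc/ovirt-engine/extensions.d
sample=$(make_sample_extensions)
lint_extensions_dir "$sample" || echo "review the files flagged above"
rm -rf "$sample"
```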

Re: [ovirt-users] FreeIPA with ovirt 4.1

2017-02-10 Thread Slava Bendersky
Hello Ondra, 
I tried to increase logging and the command failed:

"outcome" => "failed", 
"failure-description" => "WFLYCTL0216: Management resource '[ 
(\"subsystem\" => \"logging\"), 
(\"logger\" => \"org.ovirt.engine.core.sso\") 
]' not found", 
"rolled-back" => true 
} 


Slava, 




Re: [ovirt-users] FreeIPA with ovirt 4.1

2017-02-09 Thread Ondra Machacek
Can you please enable DEBUG log of the SSO package and try login and
then share the logs, please?

You can enable the debug log as follows (use admin@internal password):

 $ /usr/share/ovirt-engine-wildfly/bin/jboss-cli.sh \
     --controller=127.0.0.1:8706 --connect --user=admin@internal \
     "/subsystem=logging/logger=org.ovirt.engine.core.sso:add" && \
   /usr/share/ovirt-engine-wildfly/bin/jboss-cli.sh \
     --controller=127.0.0.1:8706 --connect --user=admin@internal \
     "/subsystem=logging/logger=org.ovirt.engine.core.sso:write-attribute(name=level,value=DEBUG)"

After tests you can disable it later as follows:

 $ /usr/share/ovirt-engine-wildfly/bin/jboss-cli.sh \
     --controller=127.0.0.1:8706 --connect --user=admin@internal \
     "/subsystem=logging/logger=org.ovirt.engine.core.sso:remove"



Re: [ovirt-users] FreeIPA with ovirt 4.1

2017-02-09 Thread Slava Bendersky
Hello Everyone, 
Anything else possible to check?

Slava. 




Re: [ovirt-users] FreeIPA with ovirt 4.1

2017-02-04 Thread Slava Bendersky
Hello Ondra, 
Log is empty 

[root@vhe00 ~]# ls -la /var/log/httpd/ssl_error_log 
-rw-r--r--. 1 root root 0 Feb 2 04:45 /var/log/httpd/ssl_error_log 

Slava. 




Re: [ovirt-users] FreeIPA with ovirt 4.1

2017-02-04 Thread Ondra Machacek
On Feb 4, 2017 1:21 AM, "Slava Bendersky"  wrote:

Hello Everyone,
Having trouble implement  FreeIPA authentication with GSSAPI SSO  and ovirt
4.1. I ran setup and it finished OK then it wrote the files below. Next I
log to web admin with internal user and added FreeIPA user as SuperUser
role. Also I added under System FreeIPA group authorized to login on any
attempt to login with FreeIPA credentials getting message


2017-02-04 00:03:08,464Z ERROR
[org.ovirt.engine.core.sso.servlets.InteractiveAuthServlet]
(default task-6) [] Internal Server Error: Unsupported command
2017-02-04 00:03:08,464Z ERROR [org.ovirt.engine.core.sso.utils.SsoUtils]
(default task-6) [] Unsupported command
2017-02-04 00:03:08,659Z ERROR
[org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet]
(default task-3) [] server_error: Unsupported command


Ravi, do you know what this can cause?



Also when in extensions.d directory contain the following files. If I
remove mydomain.lan-authn.properties then in web ui FreeIPA domain not
showing up in drop down list. Any http don't have influence on this.


That is correct behavior, we don't show profiles, which uses http for authn.


[root@vhe00 extensions.d]# pwd
/etc/ovirt-engine/extensions.d

[root@vhe00 extensions.d]# ls
mydomain.lan-authn.properties mydomain.lan-http-authn.properties
mydomain.lan.properties  internal-authz.properties
mydomain.lan-authz.properties mydomain.lan-http-mapping.properties
 internal-authn.properties
[root@vhe00 extensions.d]#


If possible clarify how it should be and what is possible issue.


Can you please take a look to /var/log/httpd/ssl_error_log if any errors
there?




Slava.



[ovirt-users] FreeIPA with ovirt 4.1

2017-02-03 Thread Slava Bendersky
Hello Everyone, 
Having trouble implement FreeIPA authentication with GSSAPI SSO and ovirt 4.1. 
I ran setup and it finished OK then it wrote the files below. Next I log to
web admin with internal user and added FreeIPA user as SuperUser role. Also I
added under System FreeIPA group authorized to login on any attempt to login 
with FreeIPA credentials getting message 


2017-02-04 00:03:08,464Z ERROR 
[org.ovirt.engine.core.sso.servlets.InteractiveAuthServlet] (default task-6) [] 
Internal Server Error: Unsupported command 
2017-02-04 00:03:08,464Z ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] 
(default task-6) [] Unsupported command 
2017-02-04 00:03:08,659Z ERROR 
[org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-3) [] 
server_error: Unsupported command 


Also when in extensions.d directory contain the following files. If I remove 
mydomain.lan-authn.properties then in web ui FreeIPA domain not showing up in 
drop down list. Any http don't have influence on this. 

[root@vhe00 extensions.d]# pwd 
/etc/ovirt-engine/extensions.d 

[root@vhe00 extensions.d]# ls 
mydomain.lan-authn.properties mydomain.lan-http-authn.properties
mydomain.lan.properties  internal-authz.properties
mydomain.lan-authz.properties mydomain.lan-http-mapping.properties
 internal-authn.properties
[root@vhe00 extensions.d]# 


If possible clarify how it should be and what is possible issue. 



Slava. 


Re: [ovirt-users] FreeIPA

2015-09-23 Thread Ondra Machacek
-0238
2015-09-23 09:38:09,180 INFO 
[org.ovirt.engine.core.vdsbroker.vdsbroker.HSMGetAllTasksInfoVDSCommand] 
(org.ovirt.thread.pool-8-thread-16) [205b10f8] START, 
HSMGetAllTasksInfoVDSCommand(HostName = node3.acloud.pt, HostId = 
0ffde0bc-c610-43ee-8ded-e8d2beb7e0f6), log id: 2c5dc746
2015-09-23 09:38:09,216 INFO 
[org.ovirt.engine.core.vdsbroker.vdsbroker.HSMGetAllTasksInfoVDSCommand] 
(org.ovirt.thread.pool-8-thread-16) [205b10f8] FINISH, 
HSMGetAllTasksInfoVDSCommand, return: [], log id: 2c5dc746
2015-09-23 09:38:09,216 INFO 
[org.ovirt.engine.core.vdsbroker.irsbroker.SPMGetAllTasksInfoVDSCommand] 
(org.ovirt.thread.pool-8-thread-16) [205b10f8] FINISH, 
SPMGetAllTasksInfoVDSCommand, return: [], log id: 6735b7ad
2015-09-23 09:38:09,217 INFO 
[org.ovirt.engine.core.bll.tasks.AsyncTaskManager] 
(org.ovirt.thread.pool-8-thread-16) [205b10f8] Discovered no tasks on 
Storage Pool Default
2015-09-23 09:38:13,937 INFO 
[org.ovirt.engine.core.vdsbroker.gluster.GlusterVolumesListVDSCommand] 
(DefaultQuartzScheduler_Worker-30) START, 
GlusterVolumesListVDSCommand(HostName = node3.acloud.pt, HostId = 
0ffde0bc-c610-43ee-8ded-e8d2beb7e0f6), log id: 663177d4
2015-09-23 09:38:13,964 INFO 
[org.ovirt.engine.core.vdsbroker.gluster.GlusterVolumesListVDSCommand] 
(DefaultQuartzScheduler_Worker-30) FINISH, 
GlusterVolumesListVDSCommand, return: {}, log id: 663177d4
2015-09-23 09:38:19,184 INFO 
[org.ovirt.engine.core.vdsbroker.gluster.GlusterVolumesListVDSCommand] 
(DefaultQuartzScheduler_Worker-40) START, 
GlusterVolumesListVDSCommand(HostName = node3.acloud.pt, HostId = 
0ffde0bc-c610-43ee-8ded-e8d2beb7e0f6), log id: 4db78ebd
2015-09-23 09:38:19,232 INFO 
[org.ovirt.engine.core.vdsbroker.gluster.GlusterVolumesListVDSCommand] 
(DefaultQuartzScheduler_Worker-40) FINISH, 
GlusterVolumesListVDSCommand, return: {}, log id: 4db78ebd
2015-09-23 09:38:24,382 INFO 
[org.ovirt.engine.core.vdsbroker.gluster.GlusterVolumesListVDSCommand] 
(DefaultQuartzScheduler_Worker-50) START, 
GlusterVolumesListVDSCommand(HostName = node3.acloud.pt, HostId = 
0ffde0bc-c610-43ee-8ded-e8d2beb7e0f6), log id: 3beec320
2015-09-23 09:38:24,410 INFO 
[org.ovirt.engine.core.vdsbroker.gluster.GlusterVolumesListVDSCommand] 
(DefaultQuartzScheduler_Worker-50) FINISH, 
GlusterVolumesListVDSCommand, return: {}, log id: 3beec320



Thanks


*From: *"Ondra Machacek" <omach...@redhat.com>
*To: *supo...@logicworks.pt, users@ovirt.org
*Sent: *Wednesday, 23 September 2015 7:40:12
*Subject: *Re: [ovirt-users] FreeIPA

Just for clarification - ovirt-engine-extension-aaa-ldap-setup is 
available from oVirt 3.6


Can you send engine.log, hard to say what's wrong from configuration, 
it looks good.


On 09/22/2015 09:55 PM, Ravi Nori wrote:

Once you have installed ovirt-engine-extension-aaa-ldap and
ovirt-engine-extension-aaa-ldap-setup

You can run ovirt-engine-extension-aaa-ldap-setup and follow the
steps to set up ldap.

Once that is done you can login to webadmin and add users/groups
from ipa

On 09/22/2015 11:57 AM, supo...@logicworks.pt wrote:

Here is what I'm trying to do:

Ovirt engine : engine.domain.tld
Freeipa 4.1.0 : ipa.domain.tld

I have installed on the engine:

/ovirt-engine-extension-aaa-ldap/

/openldap-clients/

/etc/ovirt-engine/aaa/profile1.properties:
#
# Select one
#
#include = 
#include = <389ds.properties>
#include = 
include = 
#include = 
#include = 
#include = 

#
# Server
#
vars.server = ipa.domain.tld

#
# Search user and its password.
#
vars.user = uid=search,cn=users,cn=accounts,dc=domain,dc=tld
vars.password =/ipa_admin_password/

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
#pool.default.ssl.truststore.password = changeit


On the engine cannot find any users configured on the ipa server.

Any help?

Thanks

Jose




*From: *"Alon Bar-Lev" <alo...@redhat.com>
*To: *supo...@logicworks.pt
*Cc: *"users" <users@ovirt.org>
*Sent: *Friday, 18 September 2015 15:48:22
*Subject: *Re: [ovirt-users] FreeIPA



- Original Message -
> From: supo...@logicworks.pt
> To: "users" &

Re: [ovirt-users] FreeIPA

2015-09-23 Thread Ondra Machacek

Try this[1] easier approach.

[1] 
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=aed09b5793e0352dc20812b4746dbd2d7898f292#l389


On 09/23/2015 03:58 PM, supo...@logicworks.pt wrote:

well, when I run
# /usr/share/ovirt-engine-jboss-as/bin/jboss-cli.sh --connect 
--timeout=3 --controller=localhost:8706 --user=admin@internal 
--commands="if (outcome != success) of 
/subsystem=logging/logger=org.ovirt.engineextensions.aaa.ldap:read-attribute(name=level),/subsystem=logging/logger=org.ovirt.engineextensions.aaa.ldap:add,end-if,/subsystem=logging/logger=org.ovirt.engineextensions.aaa.ldap:write-attribute(name=level,value=ALL)"


get this error: Duplicate argument '--command'/'--commands'.

can't see why


*From: *"Ondra Machacek" <omach...@redhat.com>
*To: *supo...@logicworks.pt
*Cc: *users@ovirt.org
*Sent: *Wednesday, 23 September 2015 12:50:46
*Subject: *Re: [ovirt-users] FreeIPA

You don't have to do anything on IPA side, just create users/groups.

OK, nothing in the log at INFO level, initialization succeeded, so can
you please send the debug log? See here[1] how to enable.


Thank you.

[1] 
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l389


On 09/23/2015 10:48 AM, supo...@logicworks.pt wrote:


Is there anything to do on the IPA side? Or is just add users?
On the oVirt Engine, Users Tab, when click on add I can see
profile1 (profile1-authz) but the GO button is still in gray.
I think something is wrong with the authentication on the IPA server.

Here is the engine log :

2015-09-23 09:37:57,927 INFO
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC
service thread 1-2) Extension 'builtin-authn-internal' initialized
2015-09-23 09:37:57,927 INFO
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC
service thread 1-2) Initializing extension 'internal'
2015-09-23 09:37:57,928 INFO
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC
service thread 1-2) Extension 'internal' initialized
2015-09-23 09:37:57,928 INFO
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC
service thread 1-2) Start of enabled extensions list
2015-09-23 09:37:57,928 INFO
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC
service thread 1-2) Instance name: 'profile1-authn', Extension
name: 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.0.2',
Notes: 'Display name:
ovirt-engine-extension-aaa-ldap-1.0.2-1.el7', License: 'ASL 2.0',
Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build
interface Version: '0',  File:
'/etc/ovirt-engine/extensions.d/profile1-authn.properties',
Initialized: 'true'
2015-09-23 09:37:57,929 INFO
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC
service thread 1-2) Instance name: 'profile1-authz', Extension
name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.0.2',
Notes: 'Display name:
ovirt-engine-extension-aaa-ldap-1.0.2-1.el7', License: 'ASL 2.0',
Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build
interface Version: '0',  File:
'/etc/ovirt-engine/extensions.d/profile1-authz.properties',
Initialized: 'true'
2015-09-23 09:37:57,929 INFO
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC
service thread 1-2) Instance name: 'builtin-authn-internal',
Extension name: 'Internal Authn (Built-in)', Version: 'N/A',
Notes: '', License: 'ASL 2.0', Home: 'http://www.ovirt.org',
Author 'The oVirt Project', Build interface Version: '0',  File:
'N/A', Initialized: 'true'
2015-09-23 09:37:57,930 INFO
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC
service thread 1-2) Instance name: 'internal', Extension name:
'Internal Authz (Built-in)', Version: 'N/A', Notes: '', License:
'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt
Project', Build interface Version: '0',  File: 'N/A', Initialized:
'true'
2015-09-23 09:37:57,930 INFO
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC
service thread 1-2) End of enabled extensions list
2015-09-23 09:37:58,103 INFO
[org.ovirt.engine.core.bll.tasks.AsyncTaskManager] (MSC service
thread 1-1) Initialization of AsyncTaskManager completed successfully.
2015-09-23 09:37:58,105 INFO
[org.ovirt.engine.core.vdsbroker.ResourceManager] (MSC service
thread 1-1) Start initializing ResourceManager
2015-09-23 09:37:58,217 INFO
[org.ovirt.engine.core.vdsbroker.VdsManager] (MSC service thread
1-1) Entered VdsManager constructor
2015-09-23 09:37:58,268 INFO
[org.ovirt.engine.core.vdsbroker.VdsManager] (MSC service thread
1-1) Initialize vdsBroker (192.168.6.201,54,321)
20

Re: [ovirt-users] FreeIPA

2015-09-23 Thread Ondra Machacek
1-1) Instance name: 'profile1-authn', Extension name: 
'ovirt-engine-extension-aaa-ldap.authn', Version: '1.0.2', Notes: 
'Display name: ovirt-engine-extension-aaa-ldap-1.0.2-1.el7', License: 
'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', 
Build interface Version: '0',  File: 
'/etc/ovirt-engine/extensions.d/profile1-authn.properties', 
Initialized: 'true'
2015-09-23 16:24:50,542 INFO 
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service 
thread 1-1) Instance name: 'profile1-authz', Extension name: 
'ovirt-engine-extension-aaa-ldap.authz', Version: '1.0.2', Notes: 
'Display name: ovirt-engine-extension-aaa-ldap-1.0.2-1.el7', License: 
'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', 
Build interface Version: '0',  File: 
'/etc/ovirt-engine/extensions.d/profile1-authz.properties', 
Initialized: 'true'




*From: *"Ondra Machacek" <omach...@redhat.com>
*To: *supo...@logicworks.pt
*Cc: *users@ovirt.org
*Sent: *Wednesday, 23 September 2015 15:02:54
*Subject: *Re: [ovirt-users] FreeIPA

Try this[1] easier approach.

[1] 
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=aed09b5793e0352dc20812b4746dbd2d7898f292#l389


On 09/23/2015 03:58 PM, supo...@logicworks.pt wrote:

well, when I run
# /usr/share/ovirt-engine-jboss-as/bin/jboss-cli.sh --connect
--timeout=3 --controller=localhost:8706 --user=admin@internal
--commands="if (outcome != success) of

/subsystem=logging/logger=org.ovirt.engineextensions.aaa.ldap:read-attribute(name=level),/subsystem=logging/logger=org.ovirt.engineextensions.aaa.ldap:add,end-if,/subsystem=logging/logger=org.ovirt.engineextensions.aaa.ldap:write-attribute(name=level,value=ALL)"

get this error: Duplicate argument '--command'/'--commands'.

can't see why


*From: *"Ondra Machacek" <omach...@redhat.com>
*To: *supo...@logicworks.pt
*Cc: *users@ovirt.org
*Sent: *Wednesday, 23 September 2015 12:50:46
*Subject: *Re: [ovirt-users] FreeIPA

You don't have to do anything on IPA side, just create users/groups.

OK, nothing in the log at INFO level, initialization succeeded, so
can you please send the debug log? See here[1] how to enable.

Thank you.

[1]

https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l389

On 09/23/2015 10:48 AM, supo...@logicworks.pt wrote:


Is there anything to do on the IPA side? Or is just add users?
On the oVirt Engine, Users Tab, when click on add I can see
profile1 (profile1-authz) but the GO button is still in gray.
I think something is wrong with the authentication on the IPA
server.

Here is the engine log :

2015-09-23 09:37:57,927 INFO
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC
service thread 1-2) Extension 'builtin-authn-internal' initialized
2015-09-23 09:37:57,927 INFO
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC
service thread 1-2) Initializing extension 'internal'
2015-09-23 09:37:57,928 INFO
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC
service thread 1-2) Extension 'internal' initialized
2015-09-23 09:37:57,928 INFO
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC
service thread 1-2) Start of enabled extensions list
2015-09-23 09:37:57,928 INFO
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC
service thread 1-2) Instance name: 'profile1-authn', Extension
name: 'ovirt-engine-extension-aaa-ldap.authn', Version:
'1.0.2', Notes: 'Display name:
ovirt-engine-extension-aaa-ldap-1.0.2-1.el7', License: 'ASL
2.0', Home: 'http://www.ovirt.org', Author 'The oVirt
Project', Build interface Version: '0',  File:
'/etc/ovirt-engine/extensions.d/profile1-authn.properties',
Initialized: 'true'
2015-09-23 09:37:57,929 INFO
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC
service thread 1-2) Instance name: 'profile1-authz', Extension
name: 'ovirt-engine-extension-aaa-ldap.authz', Version:
'1.0.2', Notes: 'Display name:
ovirt-engine-extension-aaa-ldap-1.0.2-1.el7', License: 'ASL
2.0', Home: 'http://www.ovirt.org', Author 'The oVirt
Project', Build interface Version: '0',  File:
'/etc/ovirt-engine/extensions.d/profile1-authz.properties',
Initialized: 'true'
2015-09-23 09:37:57,929 INFO
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC
service thread 1-2) Instance name: 'builtin-authn-internal',
Extension name: 'Internal Aut

Re: [ovirt-users] FreeIPA

2015-09-23 Thread suporte
well, when I run 
# /usr/share/ovirt-engine-jboss-as/bin/jboss-cli.sh --connect --timeout=3 
--controller=localhost:8706 --user=admin@internal --commands="if (outcome != 
success) of 
/subsystem=logging/logger=org.ovirt.engineextensions.aaa.ldap:read-attribute(name=level),/subsystem=logging/logger=org.ovirt.engineextensions.aaa.ldap:add,end-if,/subsystem=logging/logger=org.ovirt.engineextensions.aaa.ldap:write-attribute(name=level,value=ALL)"
 

get this error: Duplicate argument '--command'/'--commands'. 

can't see why 

- Original Message -

From: "Ondra Machacek" <omach...@redhat.com>
To: supo...@logicworks.pt
Cc: users@ovirt.org
Sent: Wednesday, 23 September 2015 12:50:46
Subject: Re: [ovirt-users] FreeIPA

You don't have to do anything on IPA side, just create users/groups. 

OK, nothing in the log at INFO level, initialization succeeded, so can you please
send the debug log? See here[1] how to enable.

Thank you. 

[1] 
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l389
 

On 09/23/2015 10:48 AM, supo...@logicworks.pt wrote: 




Is there anything to do on the IPA side? Or is just add users? 
On the oVirt Engine, Users Tab, when click on add I can see profile1 
(profile1-authz) but the GO button is still in gray.
I think something is wrong with the authentication on the IPA server.

Here is the engine log : 

2015-09-23 09:37:57,927 INFO 
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 
1-2) Extension 'builtin-authn-internal' initialized 
2015-09-23 09:37:57,927 INFO 
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 
1-2) Initializing extension 'internal' 
2015-09-23 09:37:57,928 INFO 
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 
1-2) Extension 'internal' initialized 
2015-09-23 09:37:57,928 INFO 
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 
1-2) Start of enabled extensions list 
2015-09-23 09:37:57,928 INFO 
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 
1-2) Instance name: 'profile1-authn', Extension name: 
'ovirt-engine-extension-aaa-ldap.authn', Version: '1.0.2', Notes: 'Display 
name: ovirt-engine-extension-aaa-ldap-1.0.2-1.el7', License: 'ASL 2.0', Home: ' 
http://www.ovirt.org ', Author 'The oVirt Project', Build interface Version: 
'0', File: '/etc/ovirt-engine/extensions.d/profile1-authn.properties', 
Initialized: 'true' 
2015-09-23 09:37:57,929 INFO 
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 
1-2) Instance name: 'profile1-authz', Extension name: 
'ovirt-engine-extension-aaa-ldap.authz', Version: '1.0.2', Notes: 'Display 
name: ovirt-engine-extension-aaa-ldap-1.0.2-1.el7', License: 'ASL 2.0', Home: ' 
http://www.ovirt.org ', Author 'The oVirt Project', Build interface Version: 
'0', File: '/etc/ovirt-engine/extensions.d/profile1-authz.properties', 
Initialized: 'true' 
2015-09-23 09:37:57,929 INFO 
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 
1-2) Instance name: 'builtin-authn-internal', Extension name: 'Internal Authn 
(Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home: ' 
http://www.ovirt.org ', Author 'The oVirt Project', Build interface Version: 
'0', File: 'N/A', Initialized: 'true' 
2015-09-23 09:37:57,930 INFO 
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 
1-2) Instance name: 'internal', Extension name: 'Internal Authz (Built-in)', 
Version: 'N/A', Notes: '', License: 'ASL 2.0', Home: ' http://www.ovirt.org ', 
Author 'The oVirt Project', Build interface Version: '0', File: 'N/A', 
Initialized: 'true' 
2015-09-23 09:37:57,930 INFO 
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 
1-2) End of enabled extensions list 
2015-09-23 09:37:58,103 INFO [org.ovirt.engine.core.bll.tasks.AsyncTaskManager] 
(MSC service thread 1-1) Initialization of AsyncTaskManager completed 
successfully. 
2015-09-23 09:37:58,105 INFO [org.ovirt.engine.core.vdsbroker.ResourceManager] 
(MSC service thread 1-1) Start initializing ResourceManager 
2015-09-23 09:37:58,217 INFO [org.ovirt.engine.core.vdsbroker.VdsManager] (MSC 
service thread 1-1) Entered VdsManager constructor 
2015-09-23 09:37:58,268 INFO [org.ovirt.engine.core.vdsbroker.VdsManager] (MSC 
service thread 1-1) Initialize vdsBroker (192.168.6.201,54,321) 
2015-09-23 09:37:58,402 INFO [org.ovirt.engine.core.vdsbroker.ResourceManager] 
(MSC service thread 1-1) VDS 0ffde0bc-c610-43ee-8ded-e8d2beb7e0f6 was added to 
the Resource Manager 
2015-09-23 09:37:58,429 INFO [org.ovirt.engine.core.vdsbroker.ResourceManager] 
(MSC service thread 1-1) Finished initializing ResourceManager 
2015-09-23 09:37:58,430 INFO [org.ovirt.engine.core.bll.OvfDataUpdater] (MSC 
service thread 1-1) Initialization of OvfDataUpdater completed successfully. 
20

Re: [ovirt-users] FreeIPA

2015-09-23 Thread Ondra Machacek

great!
It depends on what guest you are using, for fedora you can install from 
epel package ovirt-guest-agent.
There are also for ubuntu[1], suse[2] and maybe other which I am not 
aware of.


For windows there is guest tools[3] since oVirt 3.5 I think.

[1] http://www.ovirt.org/Feature/GuestAgentUbuntu
[2] http://www.ovirt.org/Feature/GuestAgentOpenSUSE
[3] http://www.ovirt.org/Features/oVirt_Windows_Guest_Tools

On 09/23/2015 06:26 PM, supo...@logicworks.pt wrote:

Fantastic Ondra, nice Hawk Eye

It's working.
When I enter with a user name and click on console I get:
Could not connect to the agent on the guest, it may be unresponsive or 
not installed.

As a result, some features may not work.


What kind of agent should I install on the guests?

Thanks a lot


*From: *"Ondra Machacek" <omach...@redhat.com>
*To: *supo...@logicworks.pt
*Cc: *users@ovirt.org
*Sent: *Wednesday, 23 September 2015 16:39:05
*Subject: *Re: [ovirt-users] FreeIPA

As you can see in exception you have trailing space at the end of your 
fqdn of IPA, please remove the trailing space in properties file.


it's:

'ipa.acloud.pt ' <- trailing space

and should be:

'ipa.acloud.pt'

On 09/23/2015 05:30 PM, supo...@logicworks.pt wrote:

I can ping ipa server from engine, the log:

2015-09-23 16:24:50,504 WARN
[org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service
thread 1-1)
[ovirt-engine-extension-aaa-ldap.authn::profile1-authn] Cannot
initialize LDAP framework, deferring initialization. Error: An
error occurred while attempting to resolve address 'ipa.acloud.pt
': java.net.UnknownHostException: ipa.acloud.pt : Name or service
not known
2015-09-23 16:24:50,504 DEBUG
[org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service
thread 1-1) Ignoring Exception: LDAPException(resultCode=91
(connect error), errorMessage='An error occurred while attempting
to resolve address 'ipa.acloud.pt ':
java.net.UnknownHostException: ipa.acloud.pt : Name or service not
known')
    at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:754) [unboundid-ldapsdk.jar:2.3.7]
    at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:709) [unboundid-ldapsdk.jar:2.3.7]
    at com.unboundid.ldap.sdk.LDAPConnection.<init>(LDAPConnection.java:533) [unboundid-ldapsdk.jar:2.3.7]
    at com.unboundid.ldap.sdk.SingleServerSet.getConnection(SingleServerSet.java:229) [unboundid-ldapsdk.jar:2.3.7]
    at com.unboundid.ldap.sdk.ServerSet.getConnection(ServerSet.java:98) [unboundid-ldapsdk.jar:2.3.7]
    at com.unboundid.ldap.sdk.LDAPConnectionPool.createConnection(LDAPConnectionPool.java:1088) [unboundid-ldapsdk.jar:2.3.7]
    at com.unboundid.ldap.sdk.LDAPConnectionPool.<init>(LDAPConnectionPool.java:1026) [unboundid-ldapsdk.jar:2.3.7]
    at com.unboundid.ldap.sdk.LDAPConnectionPool.<init>(LDAPConnectionPool.java:913) [unboundid-ldapsdk.jar:2.3.7]
    at org.ovirt.engineextensions.aaa.ldap.Framework.createConnectionPool(Framework.java:595) [ovirt-engine-extension-aaa-ldap.jar:]
    at org.ovirt.engineextensions.aaa.ldap.Framework.createPool(Framework.java:632) [ovirt-engine-extension-aaa-ldap.jar:]
    at org.ovirt.engineextensions.aaa.ldap.Framework.runSequence(Framework.java:1362) [ovirt-engine-extension-aaa-ldap.jar:]
    at org.ovirt.engineextensions.aaa.ldap.Framework.open(Framework.java:667) [ovirt-engine-extension-aaa-ldap.jar:]
    at org.ovirt.engineextensions.aaa.ldap.AuthnExtension.ensureFramework(AuthnExtension.java:49) [ovirt-engine-extension-aaa-ldap.jar:]
    at org.ovirt.engineextensions.aaa.ldap.AuthnExtension.doInit(AuthnExtension.java:130) [ovirt-engine-extension-aaa-ldap.jar:]
    at org.ovirt.engineextensions.aaa.ldap.AuthnExtension.invoke(AuthnExtension.java:66) [ovirt-engine-extension-aaa-ldap.jar:]
    at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:749) [unboundid-ldapsdk.jar:2.3.7]
2015-09-23 16:24:50,514 DEBUG
[org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service
thread 1-1) open Entry
2015-09-23 16:24:50,514 DEBUG
[org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service
thread 1-1) runSequence Entry name='simple-open-pools'
2015-09-23 16:24:50,514 DEBUG
[org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service
thread 1-1) Running sequence simple-open-pools/010/pool-create
create authz pool
2015-09-23 16:24:50,515 TRACE
[org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service
thread 1-1) VARS-BEGIN
2015-09-23 16:24:50,515 TRACE
[org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service
threa
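
The fault diagnosed in the message above (a trailing space after the host name in vars.server) and the permission advice given elsewhere in this thread (mode 600) can both be checked mechanically before restarting the engine. The following is an added example, not part of the original posts and not oVirt's own tooling; the function names, the sample profile and the placeholder password are constructed for illustration, and the optional owner check assumes the 'ovirt' account named in the thread.

```python
import os
import pwd
import re
import stat
import tempfile

# Host name syntax: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

# Constructed sample, modelled on the profile1.properties quoted in the thread.
# The first and third values end in spaces on purpose.
SAMPLE_PROFILE = (
    "vars.server = ipa.domain.tld \n"
    "vars.user = uid=search,cn=users,cn=accounts,dc=domain,dc=tld\n"
    "vars.password = EXAMPLE-PLACEHOLDER  \n"
    "pool.default.serverset.single.server = ${global:vars.server}\n"
)


def parse_properties(text):
    """Yield (line_no, key, value); trailing whitespace in the value is kept,
    because that is exactly what reached the resolver in the log above."""
    for line_no, line in enumerate(text.splitlines(), 1):
        body = line.lstrip()
        if not body or body[0] in "#!":  # blank line or comment
            continue
        key, sep, value = body.partition("=")
        if sep:
            yield line_no, key.strip(), value.lstrip()


def shown(key, value):
    """Never echo secrets into lint output."""
    return "<redacted>" if "password" in key.lower() else repr(value)


def lint_profile(path, expected_mode=0o600, expected_owner=None):
    """Return a list of findings for one aaa profile file."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode != expected_mode:
        findings.append(f"mode is {mode:04o}, expected {expected_mode:04o}")
    if expected_owner is not None:
        try:
            owner = pwd.getpwuid(st.st_uid).pw_name
        except KeyError:
            owner = str(st.st_uid)  # uid without a passwd entry
        if owner != expected_owner:
            findings.append(f"owner is {owner}, expected {expected_owner}")
    with open(path, encoding="utf-8") as handle:
        for line_no, key, value in parse_properties(handle.read()):
            if value != value.rstrip():
                findings.append(
                    f"line {line_no}: {key} has trailing whitespace: {shown(key, value)}"
                )
            if key == "vars.server" and not HOSTNAME_RE.match(value):
                findings.append(
                    f"line {line_no}: vars.server {value!r} is not a valid host name"
                )
    return findings


def write_profile(text, mode):
    """Write a throwaway profile with the given permission bits."""
    fd, path = tempfile.mkstemp(suffix=".properties")
    with os.fdopen(fd, "w", encoding="utf-8") as handle:
        handle.write(text)
    os.chmod(path, mode)
    return path


def demo():
    """Lint the broken sample, then the same profile after the fix."""
    fixed = "\n".join(line.rstrip() for line in SAMPLE_PROFILE.splitlines()) + "\n"
    bad_path = write_profile(SAMPLE_PROFILE, 0o644)
    good_path = write_profile(fixed, 0o600)
    try:
        return lint_profile(bad_path), lint_profile(good_path)
    finally:
        os.unlink(bad_path)
        os.unlink(good_path)


if __name__ == "__main__":
    before, after = demo()
    for finding in before:
        print("before:", finding)
    print("after fix:", after)
```

On an engine host the call would be lint_profile("/etc/ovirt-engine/aaa/profile1.properties", expected_owner="ovirt"), run as a user allowed to read the file.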

Re: [ovirt-users] FreeIPA

2015-09-23 Thread suporte
Fantastic Ondra, nice Hawk Eye 

It's working. 
When I enter with a user name and click on console I get: 
Could not connect to the agent on the guest, it may be unresponsive or not 
installed. 
As a result, some features may not work. 


What kind of agent should I install on the guests?

Thanks a lot

- Original Message -

From: "Ondra Machacek" <omach...@redhat.com>
To: supo...@logicworks.pt
Cc: users@ovirt.org
Sent: Wednesday, 23 September 2015 16:39:05
Subject: Re: [ovirt-users] FreeIPA

As you can see in exception you have trailing space at the end of your fqdn of 
IPA, please remove the trailing space in properties file. 

it's: 

'ipa.acloud.pt ' <- trailing space 

and should be: 

'ipa.acloud.pt' 

On 09/23/2015 05:30 PM, supo...@logicworks.pt wrote: 



I can ping ipa server from engine, the log: 

2015-09-23 16:24:50,504 WARN 
[org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-1) 
[ovirt-engine-extension-aaa-ldap.authn::profile1-authn] Cannot initialize LDAP 
framework, deferring initialization. Error: An error occurred while attempting 
to resolve address 'ipa.acloud.pt ': java.net.UnknownHostException: 
ipa.acloud.pt : Name or service not known 
2015-09-23 16:24:50,504 DEBUG 
[org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-1) 
Ignoring Exception: LDAPException(resultCode=91 (connect error), 
errorMessage='An error occurred while attempting to resolve address 
'ipa.acloud.pt ': java.net.UnknownHostException: ipa.acloud.pt : Name or 
service not known') 
    at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:754) [unboundid-ldapsdk.jar:2.3.7]
    at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:709) [unboundid-ldapsdk.jar:2.3.7]
    at com.unboundid.ldap.sdk.LDAPConnection.<init>(LDAPConnection.java:533) [unboundid-ldapsdk.jar:2.3.7]
    at com.unboundid.ldap.sdk.SingleServerSet.getConnection(SingleServerSet.java:229) [unboundid-ldapsdk.jar:2.3.7]
    at com.unboundid.ldap.sdk.ServerSet.getConnection(ServerSet.java:98) [unboundid-ldapsdk.jar:2.3.7]
    at com.unboundid.ldap.sdk.LDAPConnectionPool.createConnection(LDAPConnectionPool.java:1088) [unboundid-ldapsdk.jar:2.3.7]
    at com.unboundid.ldap.sdk.LDAPConnectionPool.<init>(LDAPConnectionPool.java:1026) [unboundid-ldapsdk.jar:2.3.7]
    at com.unboundid.ldap.sdk.LDAPConnectionPool.<init>(LDAPConnectionPool.java:913) [unboundid-ldapsdk.jar:2.3.7]
    at org.ovirt.engineextensions.aaa.ldap.Framework.createConnectionPool(Framework.java:595) [ovirt-engine-extension-aaa-ldap.jar:]
    at org.ovirt.engineextensions.aaa.ldap.Framework.createPool(Framework.java:632) [ovirt-engine-extension-aaa-ldap.jar:]
    at org.ovirt.engineextensions.aaa.ldap.Framework.runSequence(Framework.java:1362) [ovirt-engine-extension-aaa-ldap.jar:]
    at org.ovirt.engineextensions.aaa.ldap.Framework.open(Framework.java:667) [ovirt-engine-extension-aaa-ldap.jar:]
    at org.ovirt.engineextensions.aaa.ldap.AuthnExtension.ensureFramework(AuthnExtension.java:49) [ovirt-engine-extension-aaa-ldap.jar:]
    at org.ovirt.engineextensions.aaa.ldap.AuthnExtension.doInit(AuthnExtension.java:130) [ovirt-engine-extension-aaa-ldap.jar:]
    at org.ovirt.engineextensions.aaa.ldap.AuthnExtension.invoke(AuthnExtension.java:66) [ovirt-engine-extension-aaa-ldap.jar:]
    at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:749) [unboundid-ldapsdk.jar:2.3.7]
2015-09-23 16:24:50,514 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] 
(MSC service thread 1-1) open Entry 
2015-09-23 16:24:50,514 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] 
(MSC service thread 1-1) runSequence Entry name='simple-open-pools' 
2015-09-23 16:24:50,514 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] 
(MSC service thread 1-1) Running sequence simple-open-pools/010/pool-create 
create authz pool 
2015-09-23 16:24:50,515 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] 
(MSC service thread 1-1) VARS-BEGIN 
2015-09-23 16:24:50,515 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] 
(MSC service thread 1-1) authz_enable = 1 
2015-09-23 16:24:50,515 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] 
(MSC service thread 1-1) capability_credentialsChange = false 
2015-09-23 16:24:50,515 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] 
(MSC service thread 1-1) capability_resucrsiveGroupResolution = false 
2015-09-23 16:24:50,515 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] 
(MSC service thread 1-1) maxFilterSize = 50 
2015-09-23 16:24:50,515 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] 
(MSC service thread 1-1) sensitiveKeys = , password, passwordNew 
2015-09-23 16:24:50,515 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] 
(MSC service thread 1-1) simple_attrGroupMemberDN = member 
2015-09-23 16:24:50,516 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] 
(MSC service thread 1-1) simple_attrMemberOf = memberOf 
2015-09-23

Re: [ovirt-users] FreeIPA

2015-09-23 Thread Ondra Machacek
Just for clarification - ovirt-engine-extension-aaa-ldap-setup is 
available from oVirt 3.6


Can you send engine.log, hard to say what's wrong from configuration, it 
looks good.


On 09/22/2015 09:55 PM, Ravi Nori wrote:
Once you have installed ovirt-engine-extension-aaa-ldap and 
ovirt-engine-extension-aaa-ldap-setup


You can run ovirt-engine-extension-aaa-ldap-setup and follow the steps 
to set up ldap.


Once that is done you can login to webadmin and add users/groups from ipa

On 09/22/2015 11:57 AM, supo...@logicworks.pt wrote:

Here is what I'm trying to do:

Ovirt engine : engine.domain.tld
Freeipa 4.1.0 : ipa.domain.tld

I have installed on the engine:
ovirt-engine-extension-aaa-ldap
openldap-clients

/etc/ovirt-engine/aaa/profile1.properties:
#
# Select one
#
#include = 
#include = <389ds.properties>
#include = 
include = 
#include = 
#include = 
#include = 

#
# Server
#
vars.server = ipa.domain.tld

#
# Search user and its password.
#
vars.user = uid=search,cn=users,cn=accounts,dc=domain,dc=tld
vars.password = ipa_admin_password

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
#pool.default.ssl.truststore.password = changeit


On the engine cannot find any users configured on the ipa server.

Any help?

Thanks

Jose



*From: *"Alon Bar-Lev" <alo...@redhat.com>
*To: *supo...@logicworks.pt
*Cc: *"users" <users@ovirt.org>
*Sent: *Friday, 18 September 2015 15:48:22
*Subject: *Re: [ovirt-users] FreeIPA



- Original Message -
> From: supo...@logicworks.pt
> To: "users" <users@ovirt.org>
> Sent: Friday, September 18, 2015 5:45:18 PM
> Subject: [ovirt-users] FreeIPA
>
> Hi,
>
> Is there any documentation about FreeIPA integration with oVirt 3.5 and how
> to configure it?
>

Hi,

Please find documentation at [1][2].

Regards,
Alon Bar-Lev.

[1] http://www.ovirt.org/Features/AAA
[2] 
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0






Re: [ovirt-users] FreeIPA

2015-09-23 Thread suporte
 INFO 
[org.ovirt.engine.core.vdsbroker.vdsbroker.HSMGetAllTasksInfoVDSCommand] 
(org.ovirt.thread.pool-8-thread-16) [205b10f8] FINISH, 
HSMGetAllTasksInfoVDSCommand, return: [], log id: 2c5dc746 
2015-09-23 09:38:09,216 INFO 
[org.ovirt.engine.core.vdsbroker.irsbroker.SPMGetAllTasksInfoVDSCommand] 
(org.ovirt.thread.pool-8-thread-16) [205b10f8] FINISH, 
SPMGetAllTasksInfoVDSCommand, return: [], log id: 6735b7ad 
2015-09-23 09:38:09,217 INFO [org.ovirt.engine.core.bll.tasks.AsyncTaskManager] 
(org.ovirt.thread.pool-8-thread-16) [205b10f8] Discovered no tasks on Storage 
Pool Default 
2015-09-23 09:38:13,937 INFO 
[org.ovirt.engine.core.vdsbroker.gluster.GlusterVolumesListVDSCommand] 
(DefaultQuartzScheduler_Worker-30) START, GlusterVolumesListVDSCommand(HostName 
= node3.acloud.pt, HostId = 0ffde0bc-c610-43ee-8ded-e8d2beb7e0f6), log id: 
663177d4 
2015-09-23 09:38:13,964 INFO 
[org.ovirt.engine.core.vdsbroker.gluster.GlusterVolumesListVDSCommand] 
(DefaultQuartzScheduler_Worker-30) FINISH, GlusterVolumesListVDSCommand, 
return: {}, log id: 663177d4 
2015-09-23 09:38:19,184 INFO 
[org.ovirt.engine.core.vdsbroker.gluster.GlusterVolumesListVDSCommand] 
(DefaultQuartzScheduler_Worker-40) START, GlusterVolumesListVDSCommand(HostName 
= node3.acloud.pt, HostId = 0ffde0bc-c610-43ee-8ded-e8d2beb7e0f6), log id: 
4db78ebd 
2015-09-23 09:38:19,232 INFO 
[org.ovirt.engine.core.vdsbroker.gluster.GlusterVolumesListVDSCommand] 
(DefaultQuartzScheduler_Worker-40) FINISH, GlusterVolumesListVDSCommand, 
return: {}, log id: 4db78ebd 
2015-09-23 09:38:24,382 INFO 
[org.ovirt.engine.core.vdsbroker.gluster.GlusterVolumesListVDSCommand] 
(DefaultQuartzScheduler_Worker-50) START, GlusterVolumesListVDSCommand(HostName 
= node3.acloud.pt, HostId = 0ffde0bc-c610-43ee-8ded-e8d2beb7e0f6), log id: 
3beec320 
2015-09-23 09:38:24,410 INFO 
[org.ovirt.engine.core.vdsbroker.gluster.GlusterVolumesListVDSCommand] 
(DefaultQuartzScheduler_Worker-50) FINISH, GlusterVolumesListVDSCommand, 
return: {}, log id: 3beec320 


Thanks 

- Original Message -

From: "Ondra Machacek" <omach...@redhat.com> 
To: supo...@logicworks.pt, users@ovirt.org 
Sent: Wednesday, 23 September 2015 7:40:12 
Subject: Re: [ovirt-users] FreeIPA 

Just for clarification - ovirt-engine-extension-aaa-ldap-setup is available 
from oVirt 3.6 

Can you send engine.log, hard to say what's wrong from configuration, it looks 
good. 

On 09/22/2015 09:55 PM, Ravi Nori wrote: 



Once you have installed ovirt-engine-extension-aaa-ldap and 
ovirt-engine-extension-aaa-ldap-setup 

You can run ovirt-engine-extension-aaa-ldap-setup and follow the steps to set 
up ldap. 

Once that is done you can login to webadmin and add users/groups from ipa 

On 09/22/2015 11:57 AM, supo...@logicworks.pt wrote: 



Here is what I'm trying to do: 

Ovirt engine : engine.domain.tld 
Freeipa 4.1.0 : ipa.domain.tld 

I have installed on the engine: 
ovirt-engine-extension-aaa-ldap 
openldap-clients 

/etc/ovirt-engine/aaa/profile1.properties:
#
# Select one
#
#include = 
#include = <389ds.properties>
#include = 
include = 
#include = 
#include = 
#include = 

#
# Server
#
vars.server = ipa.domain.tld

#
# Search user and its password.
#
vars.user = uid=search,cn=users,cn=accounts,dc=domain,dc=tld
vars.password = ipa_admin_password

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
#pool.default.ssl.truststore.password = changeit


On the engine cannot find any users configured on the ipa server.

Any help?

Thanks

Jose 


- Original Message -

From: "Alon Bar-Lev" <alo...@redhat.com> 
To: supo...@logicworks.pt 
Cc: "users" <users@ovirt.org> 
Sent: Friday, 18 September 2015 15:48:22 
Subject: Re: [ovirt-users] FreeIPA 



- Original Message - 
> From: supo...@logicworks.pt 
> To: "users" <users@ovirt.org> 
> Sent: Friday, September 18, 2015 5:45:18 PM 
> Subject: [ovirt-users] FreeIPA 
> 
> Hi, 
> 
> Is there any documentation about FreeIPA integration with oVirt 3.5 and how 
> to configure it? 
> 

Hi, 

Please find documentation at [1][2]. 

Regards, 
Alon Bar-Lev. 

[1] http://www.ovirt.org/Features/AAA 
[2] 
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0
 





Re: [ovirt-users] FreeIPA

2015-09-22 Thread Ravi Nori
Once you have installed ovirt-engine-extension-aaa-ldap and 
ovirt-engine-extension-aaa-ldap-setup


You can run ovirt-engine-extension-aaa-ldap-setup and follow the steps 
to set up ldap.


Once that is done you can login to webadmin and add users/groups from ipa

On 09/22/2015 11:57 AM, supo...@logicworks.pt wrote:

Here is what I'm trying to do:

Ovirt engine : engine.domain.tld
Freeipa 4.1.0 : ipa.domain.tld

I have installed on the engine:
ovirt-engine-extension-aaa-ldap
openldap-clients

/etc/ovirt-engine/aaa/profile1.properties:
#
# Select one
#
#include = 
#include = <389ds.properties>
#include = 
include = 
#include = 
#include = 
#include = 

#
# Server
#
vars.server = ipa.domain.tld

#
# Search user and its password.
#
vars.user = uid=search,cn=users,cn=accounts,dc=domain,dc=tld
vars.password = ipa_admin_password

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
#pool.default.ssl.truststore.password = changeit


On the engine cannot find any users configured on the ipa server.

Any help?

Thanks

Jose



*From: *"Alon Bar-Lev" <alo...@redhat.com>
*To: *supo...@logicworks.pt
*Cc: *"users" <users@ovirt.org>
*Sent: *Friday, 18 September 2015 15:48:22
*Subject: *Re: [ovirt-users] FreeIPA



- Original Message -
> From: supo...@logicworks.pt
> To: "users" <users@ovirt.org>
> Sent: Friday, September 18, 2015 5:45:18 PM
> Subject: [ovirt-users] FreeIPA
>
> Hi,
>
> Is there any documentation about FreeIPA integration with oVirt 3.5 and how
> to configure it?
>

Hi,

Please find documentation at [1][2].

Regards,
Alon Bar-Lev.

[1] http://www.ovirt.org/Features/AAA
[2] 
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0






Re: [ovirt-users] FreeIPA

2015-09-22 Thread suporte
Here is what I'm trying to do: 

Ovirt engine : engine.domain.tld 
Freeipa 4.1.0 : ipa.domain.tld 

I have installed on the engine: 
ovirt-engine-extension-aaa-ldap 
openldap-clients 

/etc/ovirt-engine/aaa/profile1.properties: 
# 
# Select one 
# 
#include =  
#include = <389ds.properties> 
#include =  
include =  
#include =  
#include =  
#include =  

# 
# Server 
# 
vars.server = ipa.domain.tld 

# 
# Search user and its password. 
# 
vars.user = uid=search,cn=users,cn=accounts,dc=domain,dc=tld 
vars.password = ipa_admin_password 

pool.default.serverset.single.server = ${global:vars.server} 
pool.default.auth.simple.bindDN = ${global:vars.user} 
pool.default.auth.simple.password = ${global:vars.password} 

# Create keystore, import certificate chain and uncomment 
# if using ssl/tls. 
#pool.default.ssl.startTLS = true 
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks 
#pool.default.ssl.truststore.password = changeit 


On the engine cannot find any users configured on the ipa server. 

Any help? 

Thanks 

Jose 


- Original Message -

From: "Alon Bar-Lev" <alo...@redhat.com> 
To: supo...@logicworks.pt 
Cc: "users" <users@ovirt.org> 
Sent: Friday, 18 September 2015 15:48:22 
Subject: Re: [ovirt-users] FreeIPA 



- Original Message - 
> From: supo...@logicworks.pt 
> To: "users" <users@ovirt.org> 
> Sent: Friday, September 18, 2015 5:45:18 PM 
> Subject: [ovirt-users] FreeIPA 
> 
> Hi, 
> 
> Is there any documentation about FreeIPA integration with oVirt 3.5 and how 
> to configure it? 
> 

Hi, 

Please find documentation at [1][2]. 

Regards, 
Alon Bar-Lev. 

[1] http://www.ovirt.org/Features/AAA 
[2] 
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0
 

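An added example (not part of the thread and not oVirt project code): a small Python audit for an aaa-ldap profile shaped like the profile1.properties posted above. It flags a profile that carries a simple-bind password while the `pool.default.ssl.startTLS` line is still commented out, and a file mode wider than the 600 recommended elsewhere on this page. The function names and sample values are hypothetical, and settings pulled in through `include` or other transport options are not evaluated.

```python
import os
import re
import stat

# Constructed sample modelled on the profile1.properties posted in the thread;
# the password is a placeholder and the include line is left out.
SAMPLE = """\
vars.server = ipa.domain.tld
vars.user = uid=search,cn=users,cn=accounts,dc=domain,dc=tld
vars.password = EXAMPLE-ONLY
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.password = changeit
"""

def parse_properties(text):
    """Return active key/value pairs; lines starting with '#' are comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def resolve(props, value, depth=0):
    """Expand ${global:key} references, with a depth limit against loops."""
    if depth > 5:
        return ""
    return re.sub(r"\$\{global:([^}]+)\}",
                  lambda m: resolve(props, props.get(m.group(1), ""), depth + 1),
                  value)

def audit_profile(path):
    """Return findings for one profile file (hypothetical helper)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:04o}: bind password readable beyond the owner, expected 0600")
    with open(path) as fh:
        props = parse_properties(fh.read())
    bind_pw = resolve(props, props.get("pool.default.auth.simple.password", ""))
    start_tls = props.get("pool.default.ssl.startTLS", "").lower() == "true"
    if bind_pw and not start_tls:
        findings.append("simple bind password set but pool.default.ssl.startTLS is not true in this file")
    if props.get("pool.default.ssl.truststore.password") == "changeit":
        findings.append("truststore password is still the sample value 'changeit'")
    return findings
```

Run `audit_profile()` against each file under /etc/ovirt-engine/aaa/ on the engine host; an empty list means none of the three checks fired.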