Re: [ovirt-users] FreeIPA authentication broken
Right, you are missing file /etc/ovirt-engine/aaa/IPA.properties

It's not subdirectory of /etc/ovirt-engine/extensions.d, but it's in /etc/ovirt-engine/ in 'aaa' subdirectory, can you check what's there? Please check also the correct permissions of that file, it should be '600' and owned by ovirt user.

On 04/23/2018 10:25 PM, Kristian Petersen wrote:
> Looks like it can't find the IPA.properties file. I tried following the path it is complaining about but there are only files in /etc/ovirt-engine/extensions.d on the engine VM. No subdirectories. However, that directory appears to contain the files it is looking for. Both IPA-authn.properties and IPA.properties are there as are the internal properties files. Is there a config file we can edit to tell it to look in the right place?

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
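The check described in the reply above, as an added example that is not part of the original thread: a POSIX shell audit that reads every extension file in extensions.d, resolves the files it references, and reports whether each one exists with mode 600 and the expected owner. The key name config.profile.file.1, the rule that relative values resolve against the extension file's directory, and the use of GNU stat are assumptions; the sample tree is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: a Linux engine host with
# GNU stat; any key shaped like config.<...>file<...> names a file (the log
# shows config.datasource.file; config.profile.file.1 is assumed here for the
# LDAP profile); relative values resolve against the extension file's directory.

# audit_aaa_refs EXT_DIR [OWNER]
# Prints one line per referenced file:  STATUS PATH (from FILE: KEY)
# The body is a subshell, so its variables do not leak into the caller.
audit_aaa_refs() (
    ext_dir=$1
    want_owner=${2:-ovirt}   # the reply expects mode 600 and the ovirt user
    for f in "$ext_dir"/*.properties; do
        [ -f "$f" ] || continue
        # Emit "key|value" for each matching key; commented lines do not match.
        sed -n 's/^[[:space:]]*\(config\.[A-Za-z0-9_.]*file[A-Za-z0-9_.]*\)[[:space:]]*[=:][[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1|\2/p' "$f" |
        while IFS='|' read -r key val; do
            case $val in
                /*) path=$val ;;
                *)  path=$ext_dir/$val ;;
            esac
            if [ ! -f "$path" ]; then
                status=MISSING
            else
                mode=$(stat -c '%a' "$path")
                owner=$(stat -c '%U' "$path")
                if [ "$mode" != 600 ]; then
                    status="BAD_MODE($mode)"
                elif [ "$owner" != "$want_owner" ]; then
                    status="BAD_OWNER($owner)"
                else
                    status=OK
                fi
            fi
            printf '%s %s (from %s: %s)\n' "$status" "$path" "${f##*/}" "$key"
        done
    done
)

# aaa_refs_ok EXT_DIR [OWNER]: print the report, succeed only if every line is OK.
aaa_refs_ok() {
    report=$(audit_aaa_refs "$@")
    [ -n "$report" ] || return 0
    printf '%s\n' "$report"
    if printf '%s\n' "$report" | grep -qv '^OK '; then return 1; fi
    return 0
}

# Constructed sample reproducing the thread's layout: IPA.properties sits in
# extensions.d, while the extension config points at ../aaa/IPA.properties.
make_demo_tree() {
    mkdir -p "$1/extensions.d" "$1/aaa"
    printf '%s\n' 'ovirt.engine.extension.name = IPA-authn' \
        'config.profile.file.1 = ../aaa/IPA.properties' \
        > "$1/extensions.d/IPA-authn.properties"
    printf '%s\n' 'ovirt.engine.extension.name = internal-authz' \
        "config.datasource.file = $1/aaa/internal.properties" \
        > "$1/extensions.d/internal-authz.properties"
    : > "$1/extensions.d/IPA.properties"     # misplaced copy
    : > "$1/aaa/internal.properties"
    chmod 600 "$1/aaa/internal.properties"
}

demo=$(mktemp -d)
make_demo_tree "$demo"
me=$(stat -c '%U' "$demo")   # stand-in for "ovirt" so the demo runs unprivileged
aaa_refs_ok "$demo/extensions.d" "$me" || echo "fix the entries not marked OK"
rm -rf "$demo"
```

On a real engine host the call would be aaa_refs_ok /etc/ovirt-engine/extensions.d, which uses the default owner ovirt.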
Re: [ovirt-users] FreeIPA authentication broken
Looks like it can't find the IPA.properties file. I tried following the path it is complaining about but there are only files in /etc/ovirt-engine/extensions.d on the engine VM. No subdirectories. However, that directory appears to contain the files it is looking for. Both IPA-authn.properties and IPA.properties are there as are the internal properties files. Is there a config file we can edit to tell it to look in the right place?

On Mon, Apr 23, 2018 at 2:13 PM, Kristian Petersen wrote:
> After running ovirt-engine-extensions-tool --log-level=FINEST --log-file=/tmp/aaa.log aaa login-user --user-name nesretep --profile IPA...
>
> *Contents of /tmp/aaa.log:*
Re: [ovirt-users] FreeIPA authentication broken
After running ovirt-engine-extensions-tool --log-level=FINEST --log-file=/tmp/aaa.log aaa login-user --user-name nesretep --profile IPA...

*Contents of /tmp/aaa.log:*

2018-04-23 14:10:58,771-06 FINE Version: ovirt-engine-4.2.1.7 ()
2018-04-23 14:10:58,856-06 INFO
2018-04-23 14:10:58,856-06 INFO Initialization
2018-04-23 14:10:58,857-06 INFO
2018-04-23 14:10:58,858-06 FINE Loading extension file 'internal-authz.properties'
2018-04-23 14:10:58,882-06 INFO Loading extension 'internal-authz'
2018-04-23 14:10:58,884-06 FINEST Invoke Input BEGIN
2018-04-23 14:10:58,886-06 FINEST {Extkey[name=EXTENSION_INVOKE_COMMAND;type=class org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a-b823-77b262a2f28d];]=EXTENSION_LOAD[b0f2460e-7971-4a9c-b4e1-c1db1362a47a], Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*, Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface org.slf4j.Logger;uuid=EXTENSION_MANAGER_TRACE_LOG[863db666-3ea7-4751-9695-918a3197ad83];]=org.slf4j.impl.JDK14LoggerAdapter(org.ovirt.engine.core.extensions.mgr.ExtensionsManager.trace), Extkey[name=EXTENSION_CONFIGURATION_SENSITIVE_KEYS;type=interface java.util.Collection;uuid=EXTENSION_CONFIGURATION_SENSITIVE_KEYS[a456efa1-73ff-4204-9f9b-ebff01e35263];]=[], Extkey[name=EXTENSION_PROVIDES;type=interface java.util.Collection;uuid=EXTENSION_PROVIDES[8cf373a6-65b5-4594-b828-0e275087de91];]=[org.ovirt.engine.api.extensions.aaa.Authz], Extkey[name=EXTENSION_LOCALE;type=class java.lang.String;uuid=EXTENSION_LOCALE[0780b112-0ce0-404a-b85e-8765d778bb29];]=en_US, Extkey[name=EXTENSION_CONFIGURATION_FILE;type=class java.lang.String;uuid=EXTENSION_CONFIGURATION_FILE[4fb0ffd3-983c-4f3f-98ff-9660bd67af6a];]=/etc/ovirt-engine/extensions.d/internal-authz.properties, Extkey[name=EXTENSION_CONFIGURATION;type=class java.util.Properties;uuid=EXTENSION_CONFIGURATION[2d48ab72-f0a1-4312-b4ae-5068a226b0fc];]=***, Extkey[name=EXTENSION_INTERFACE_VERSION_MAX;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MAX[f4cff49f-2717-4901-8ee9-df362446e3e7];]=0, Extkey[name=EXTENSION_INTERFACE_VERSION_MIN;type=class java.lang.Integer;uuid=EXTENSION_INTERFACE_VERSION_MIN[2b84fc91-305b-497b-a1d7-d961b9d2ce0b];]=0, Extkey[name=EXTENSION_INSTANCE_NAME;type=class java.lang.String;uuid=EXTENSION_INSTANCE_NAME[65c67ff6-aeca-4bd5-a245-8674327f011b];]=internal-authz}}
2018-04-23 14:10:58,887-06 FINEST Invoke Input END
2018-04-23 14:10:58,891-06 FINEST Invoke Output BEGIN
2018-04-23 14:10:58,892-06 FINEST {Extkey[name=AAA_AUTHZ_STATUS;type=class java.lang.Integer;uuid=AAA_AUTHZ_STATUS[566f0ba5-8329-4de1-952a-7a81e4bedd3e];]=0, Extkey[name=EXTENSION_INVOKE_RESULT;type=class java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=0}
2018-04-23 14:10:58,892-06 FINEST Invoke Output END
2018-04-23 14:10:58,893-06 INFO Extension 'internal-authz' loaded
2018-04-23 14:10:58,894-06 FINE Config BEGIN
2018-04-23 14:10:58,894-06 FINE ovirt.engine.extension.provides: org.ovirt.engine.api.extensions.aaa.Authz
2018-04-23 14:10:58,895-06 FINE ovirt.engine.extension.binding.jbossmodule.class: org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthzExtension
2018-04-23 14:10:58,896-06 FINE ovirt.engine.extension.bindings.method: jbossmodule
2018-04-23 14:10:58,897-06 FINE config.datasource.file: /etc/ovirt-engine/aaa/internal.properties
2018-04-23 14:10:58,897-06 FINE ovirt.engine.extension.name: internal-authz
2018-04-23 14:10:58,898-06 FINE ovirt.engine.extension.binding.jbossmodule.module: org.ovirt.engine.extension.aaa.jdbc
2018-04-23 14:10:58,898-06 FINE Config END
2018-04-23 14:10:58,899-06 FINE Loading extension file 'internal-authn.properties'
2018-04-23 14:10:58,900-06 INFO Loading extension 'internal-authn'
2018-04-23 14:10:58,900-06 FINEST Invoke Input BEGIN
2018-04-23 14:10:58,901-06 FINEST {Extkey[name=EXTENSION_INVOKE_COMMAND;type=class org.ovirt.engine.api.extensions.ExtUUID;uuid=EXTENSION_INVOKE_COMMAND[485778ab-bede-4f1a-b823-77b262a2f28d];]=EXTENSION_LOAD[b0f2460e-7971-4a9c-b4e1-c1db1362a47a], Extkey[name=EXTENSION_INVOKE_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_INVOKE_CONTEXT[886d2ebb-312a-49ae-9cc3-e1f849834b7d];]={Extkey[name=EXTENSION_GLOBAL_CONTEXT;type=class org.ovirt.engine.api.extensions.ExtMap;uuid=EXTENSION_GLOBAL_CONTEXT[9799e72f-7af6-4cf1-bf08-297bc8903676];]=*skip*, Extkey[name=EXTENSION_MANAGER_TRACE_LOG;type=interface
Re: [ovirt-users] FreeIPA authentication broken
On 04/23/2018 04:30 PM, Kristian Petersen wrote:
> Hey everyone,
>
> I had FreeIPA authentication set up on my oVirt instance and it was working great. Then something happened that disconnected my NFS storage and caused a problem with my hosted-engine. Once I got it back up and running again, my FreeIPA authentication was still a choice for authentication, but it always rejects my password even though it is correct. I have tried running the setup again to no avail. Nothing shows up in the httpd error log when the login fails. The engine.log from ovirt-engine in /var/log shows the following upon attempting to authenticate with a user from freeIPA:
>
> 2018-04-23 08:08:24,384-06 WARN [org.ovirt.engineextensions.aaa.ldap.Framework] (default task-34) [] Ignoring records from pool: 'authz'
> 2018-04-23 08:08:24,384-06 ERROR [org.ovirt.engine.core.sso.servlets.InteractiveAuthServlet] (default task-34) [] Cannot authenticate user 'nesretep@IPA' connecting from 'UNKNOWN': The username or password is incorrect.

Can you try to run this command:

$ ovirt-engine-extensions-tool --log-level=FINEST --log-file=/tmp/aaa.log aaa login-user --user-name nesretep --profile IPA

and share /tmp/aaa.log?

> I'm not sure why 'authz' is being ignored but it is certainly why IPA authentication isn't working as 'username@authz' is how IPA logins show up in oVirt when they do work. Any ideas where to look next?
>
> --
> Kristian Petersen
> System Administrator
> BYU Dept. of Chemistry and Biochemistry
[ovirt-users] FreeIPA authentication broken
Hey everyone,

I had FreeIPA authentication set up on my oVirt instance and it was working great. Then something happened that disconnected my NFS storage and caused a problem with my hosted-engine. Once I got it back up and running again, my FreeIPA authentication was still a choice for authentication, but it always rejects my password even though it is correct. I have tried running the setup again to no avail. Nothing shows up in the httpd error log when the login fails. The engine.log from ovirt-engine in /var/log shows the following upon attempting to authenticate with a user from freeIPA:

2018-04-23 08:08:24,384-06 WARN [org.ovirt.engineextensions.aaa.ldap.Framework] (default task-34) [] Ignoring records from pool: 'authz'
2018-04-23 08:08:24,384-06 ERROR [org.ovirt.engine.core.sso.servlets.InteractiveAuthServlet] (default task-34) [] Cannot authenticate user 'nesretep@IPA' connecting from 'UNKNOWN': The username or password is incorrect.

I'm not sure why 'authz' is being ignored but it is certainly why IPA authentication isn't working as 'username@authz' is how IPA logins show up in oVirt when they do work. Any ideas where to look next?

--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry
Re: [ovirt-users] FreeIPA with ovirt 4.1
Looking at the error message again it says 'Unsupported command'. Can you please share your properties files? I think that you have misconfigured it, I guess you use for example AuthzExtension instead of AuthnExtension or vice versa, maybe misconfigured mapping.

On Fri, Feb 10, 2017 at 6:28 PM, Slava Bendersky <volga...@networklab.ca> wrote:
> Hello Ondra,
> I tried increase logging and command fail
>
> "outcome" => "failed",
> "failure-description" => "WFLYCTL0216: Management resource '[
> (\"subsystem\" => \"logging\"),
> (\"logger\" => \"org.ovirt.engine.core.sso\")
> ]' not found",
> "rolled-back" => true
> }
>
> Slava,
>
> From: "Ondra Machacek" <omach...@redhat.com>
> To: "Slava Bendersky" <volga...@networklab.ca>
> Cc: "users" <users@ovirt.org>
> Sent: Thursday, February 9, 2017 2:31:16 PM
> Subject: Re: [ovirt-users] FreeIPA with ovirt 4.1
>
> Can you please enable DEBUG log of the SSO package and try login and then share the logs, please?
>
> You can enable the debug log as following (use admin@internal password):
>
> /usr/share/ovirt-engine-wildfly/bin/jboss-cli.sh --controller=127.0.0.1:8706 --connect --user=admin@internal "/subsystem=logging/logger=org.ovirt.engine.core.sso:add" &&
> /usr/share/ovirt-engine-wildfly/bin/jboss-cli.sh --controller=127.0.0.1:8706 --connect --user=admin@internal "/subsystem=logging/logger=org.ovirt.engine.core.sso:write-attribute(name=level,value=DEBUG)"
>
> After tests you can disable it later as follows:
>
> $ /usr/share/ovirt-engine-wildfly/bin/jboss-cli.sh --controller=127.0.0.1:8706 --connect --user=admin@internal "/subsystem=logging/logger=org.ovirt.engine.core.sso:remove"
>
> On Thu, Feb 9, 2017 at 3:08 PM, Slava Bendersky <volga...@networklab.ca> wrote:
>> Hello Everyone,
>> Anything else possible to check ?
>>
>> Slava.
>>
>> From: "Slava Bendersky" <volga...@networklab.ca>
>> To: "Ondra Machacek" <omach...@redhat.com>
>> Cc: "users" <users@ovirt.org>
>> Sent: Saturday, February 4, 2017 2:27:31 PM
>> Subject: Re: [ovirt-users] FreeIPA with ovirt 4.1
>>
>> Hello Ondra,
>> Log is empty
>>
>> [root@vhe00 ~]# ls -la /var/log/httpd/ssl_error_log
>> -rw-r--r--. 1 root root 0 Feb 2 04:45 /var/log/httpd/ssl_error_log
>>
>> Slava.
>>
>> From: "Ondra Machacek" <omach...@redhat.com>
>> To: "Slava Bendersky" <volga...@networklab.ca>
>> Cc: "users" <users@ovirt.org>, "Ravi" <rn...@redhat.com>
>> Sent: Saturday, February 4, 2017 10:35:31 AM
>> Subject: Re: [ovirt-users] FreeIPA with ovirt 4.1
>>
>> On Feb 4, 2017 1:21 AM, "Slava Bendersky" <volga...@networklab.ca> wrote:
>>
>> Hello Everyone,
>> Having trouble implement FreeIPA authentication with GSSAPI SSO and ovirt 4.1. I ran setup and it finished OK then it wrote the files below. Next I log to web admin with internal user and added FreeIPA user as SuperUser role. Also I added under System FreeIPA group authorized to login on any attempt to login with FreeIPA credentials getting message
>>
>> 2017-02-04 00:03:08,464Z ERROR [org.ovirt.engine.core.sso.servlets.InteractiveAuthServlet] (default task-6) [] Internal Server Error: Unsupported command
>> 2017-02-04 00:03:08,464Z ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] (default task-6) [] Unsupported command
>> 2017-02-04 00:03:08,659Z ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-3) [] server_error: Unsupported command
>>
>> Ravi, do you know what this can cause?
>>
>> Also when in extensions.d directory contain the following files. If I remove mydomain.lan-authn.properties then in web ui FreeIPA domain not showing up in drop down list. Any http don't have influence on this.
>>
>> That is correct behavior, we don't show profiles, which uses http for authn.
>>
>> [root@vhe00 extensions.d]# pwd
>> /etc/ovirt-engine/extensions.d
>>
>> [root@vhe00 extensions.d]# ls
>> mydomain.lan-authn.properties mydomain.lan-http-authn.properties
>> mydomain.lan.properties internal-authz.properties
>> mydomain.lan-authz.properties mydomain.lan-http-mapping.properties
>> internal-authn.properties
>> [root@vhe00 extensions.d]#
>>
>> If possible clarify how it should be and what is possible issue.
>>
>> Can you please take a look to /var/log/httpd/ssl_error_log if any errors there?
>>
>> Slava.
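One way to test the guess in the reply above before sharing the properties files, as an added example that is not part of the original thread: a POSIX shell lint that compares the interface each extension file declares with the class it binds, and flags an Authn interface bound to an Authz class or the reverse. The internal-authz sample mirrors the values logged elsewhere on this page; the mydomain.lan-authn file is a constructed misconfiguration, and the property-file layout is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. It flags only the swap suggested in the
# reply above (Authn interface bound to an Authz class, or the reverse).

# prop FILE KEY: value of KEY in a Java-style properties file ("k = v" or "k: v").
prop() {
    awk -v k="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, k) == 1 {
            rest = substr(line, length(k) + 1)
            if (rest ~ /^[ \t]*[=:]/) {
                sub(/^[ \t]*[=:][ \t]*/, "", rest); sub(/[ \t\r]+$/, "", rest)
                print rest; exit
            }
        }' "$1"
}

# lint_aaa_bindings EXT_DIR: one line per extension file, OK or MISMATCH.
# The body is a subshell, so its variables do not leak into the caller.
lint_aaa_bindings() (
    for f in "$1"/*.properties; do
        [ -f "$f" ] || continue
        provides=$(prop "$f" ovirt.engine.extension.provides)
        class=$(prop "$f" ovirt.engine.extension.binding.jbossmodule.class)
        [ -n "$provides" ] || continue        # a profile file, not an extension
        role=${provides##*.}                  # Authn, Authz, Mapping, ...
        impl=${class##*.}                     # AuthnExtension, AuthzExtension, ...
        case "$role:$impl" in
            Authn:AuthzExtension|Authz:AuthnExtension)
                echo "MISMATCH ${f##*/}: provides $role, binds $impl" ;;
            *)  echo "OK ${f##*/}: provides $role, binds ${impl:-<none>}" ;;
        esac
    done
)

# Constructed sample files for the demonstration.
make_sample_extensions() {
    mkdir -p "$1"
    # Same values as the internal-authz entries in the log on this page.
    printf '%s\n' \
        'ovirt.engine.extension.name = internal-authz' \
        'ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz' \
        'ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engine.extension.aaa.jdbc.binding.api.AuthzExtension' \
        > "$1/internal-authz.properties"
    # Constructed misconfiguration: an authn extension bound to the authz class.
    printf '%s\n' \
        'ovirt.engine.extension.name = mydomain.lan-authn' \
        'ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn' \
        'ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension' \
        > "$1/mydomain.lan-authn.properties"
    : > "$1/mydomain.lan.properties"          # profile file, skipped by the lint
}

sample=$(mktemp -d)
make_sample_extensions "$sample"
lint_aaa_bindings "$sample"
rm -rf "$sample"
```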
Re: [ovirt-users] FreeIPA with ovirt 4.1
Hello Ondra,
I tried increase logging and command fail

"outcome" => "failed",
"failure-description" => "WFLYCTL0216: Management resource '[
(\"subsystem\" => \"logging\"),
(\"logger\" => \"org.ovirt.engine.core.sso\")
]' not found",
"rolled-back" => true
}

Slava,

From: "Ondra Machacek" <omach...@redhat.com>
To: "Slava Bendersky" <volga...@networklab.ca>
Cc: "users" <users@ovirt.org>
Sent: Thursday, February 9, 2017 2:31:16 PM
Subject: Re: [ovirt-users] FreeIPA with ovirt 4.1

Can you please enable DEBUG log of the SSO package and try login and then share the logs, please?

You can enable the debug log as following (use admin@internal password):

/usr/share/ovirt-engine-wildfly/bin/jboss-cli.sh --controller=127.0.0.1:8706 --connect --user=admin@internal "/subsystem=logging/logger=org.ovirt.engine.core.sso:add" &&
/usr/share/ovirt-engine-wildfly/bin/jboss-cli.sh --controller=127.0.0.1:8706 --connect --user=admin@internal "/subsystem=logging/logger=org.ovirt.engine.core.sso:write-attribute(name=level,value=DEBUG)"

After tests you can disable it later as follows:

$ /usr/share/ovirt-engine-wildfly/bin/jboss-cli.sh --controller=127.0.0.1:8706 --connect --user=admin@internal "/subsystem=logging/logger=org.ovirt.engine.core.sso:remove"

On Thu, Feb 9, 2017 at 3:08 PM, Slava Bendersky <volga...@networklab.ca> wrote:
> Hello Everyone,
> Anything else possible to check ?
>
> Slava.
>
> ________
> From: "Slava Bendersky" <volga...@networklab.ca>
> To: "Ondra Machacek" <omach...@redhat.com>
> Cc: "users" <users@ovirt.org>
> Sent: Saturday, February 4, 2017 2:27:31 PM
> Subject: Re: [ovirt-users] FreeIPA with ovirt 4.1
>
> Hello Ondra,
> Log is empty
>
> [root@vhe00 ~]# ls -la /var/log/httpd/ssl_error_log
> -rw-r--r--. 1 root root 0 Feb 2 04:45 /var/log/httpd/ssl_error_log
>
> Slava.
>
> From: "Ondra Machacek" <omach...@redhat.com>
> To: "Slava Bendersky" <volga...@networklab.ca>
> Cc: "users" <users@ovirt.org>, "Ravi" <rn...@redhat.com>
> Sent: Saturday, February 4, 2017 10:35:31 AM
> Subject: Re: [ovirt-users] FreeIPA with ovirt 4.1
>
> On Feb 4, 2017 1:21 AM, "Slava Bendersky" <volga...@networklab.ca> wrote:
>
> Hello Everyone,
> Having trouble implement FreeIPA authentication with GSSAPI SSO and ovirt 4.1. I ran setup and it finished OK then it wrote the files below. Next I log to web admin with internal user and added FreeIPA user as SuperUser role. Also I added under System FreeIPA group authorized to login on any attempt to login with FreeIPA credentials getting message
>
> 2017-02-04 00:03:08,464Z ERROR [org.ovirt.engine.core.sso.servlets.InteractiveAuthServlet] (default task-6) [] Internal Server Error: Unsupported command
> 2017-02-04 00:03:08,464Z ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] (default task-6) [] Unsupported command
> 2017-02-04 00:03:08,659Z ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-3) [] server_error: Unsupported command
>
> Ravi, do you know what this can cause?
>
> Also when in extensions.d directory contain the following files. If I remove mydomain.lan-authn.properties then in web ui FreeIPA domain not showing up in drop down list. Any http don't have influence on this.
>
> That is correct behavior, we don't show profiles, which uses http for authn.
>
> [root@vhe00 extensions.d]# pwd
> /etc/ovirt-engine/extensions.d
>
> [root@vhe00 extensions.d]# ls
> mydomain.lan-authn.properties mydomain.lan-http-authn.properties
> mydomain.lan.properties internal-authz.properties
> mydomain.lan-authz.properties mydomain.lan-http-mapping.properties
> internal-authn.properties
> [root@vhe00 extensions.d]#
>
> If possible clarify how it should be and what is possible issue.
>
> Can you please take a look to /var/log/httpd/ssl_error_log if any errors there?
>
> Slava.
Re: [ovirt-users] FreeIPA with ovirt 4.1
Can you please enable DEBUG log of the SSO package and try login and then share the logs, please?

You can enable the debug log as following (use admin@internal password):

/usr/share/ovirt-engine-wildfly/bin/jboss-cli.sh --controller=127.0.0.1:8706 --connect --user=admin@internal "/subsystem=logging/logger=org.ovirt.engine.core.sso:add" &&
/usr/share/ovirt-engine-wildfly/bin/jboss-cli.sh --controller=127.0.0.1:8706 --connect --user=admin@internal "/subsystem=logging/logger=org.ovirt.engine.core.sso:write-attribute(name=level,value=DEBUG)"

After tests you can disable it later as follows:

$ /usr/share/ovirt-engine-wildfly/bin/jboss-cli.sh --controller=127.0.0.1:8706 --connect --user=admin@internal "/subsystem=logging/logger=org.ovirt.engine.core.sso:remove"

On Thu, Feb 9, 2017 at 3:08 PM, Slava Bendersky <volga...@networklab.ca> wrote:
> Hello Everyone,
> Anything else possible to check ?
>
> Slava.
>
> From: "Slava Bendersky" <volga...@networklab.ca>
> To: "Ondra Machacek" <omach...@redhat.com>
> Cc: "users" <users@ovirt.org>
> Sent: Saturday, February 4, 2017 2:27:31 PM
> Subject: Re: [ovirt-users] FreeIPA with ovirt 4.1
>
> Hello Ondra,
> Log is empty
>
> [root@vhe00 ~]# ls -la /var/log/httpd/ssl_error_log
> -rw-r--r--. 1 root root 0 Feb 2 04:45 /var/log/httpd/ssl_error_log
>
> Slava.
>
> From: "Ondra Machacek" <omach...@redhat.com>
> To: "Slava Bendersky" <volga...@networklab.ca>
> Cc: "users" <users@ovirt.org>, "Ravi" <rn...@redhat.com>
> Sent: Saturday, February 4, 2017 10:35:31 AM
> Subject: Re: [ovirt-users] FreeIPA with ovirt 4.1
>
> On Feb 4, 2017 1:21 AM, "Slava Bendersky" <volga...@networklab.ca> wrote:
>
> Hello Everyone,
> Having trouble implement FreeIPA authentication with GSSAPI SSO and ovirt 4.1. I ran setup and it finished OK then it wrote the files below. Next I log to web admin with internal user and added FreeIPA user as SuperUser role. Also I added under System FreeIPA group authorized to login on any attempt to login with FreeIPA credentials getting message
>
> 2017-02-04 00:03:08,464Z ERROR [org.ovirt.engine.core.sso.servlets.InteractiveAuthServlet] (default task-6) [] Internal Server Error: Unsupported command
> 2017-02-04 00:03:08,464Z ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] (default task-6) [] Unsupported command
> 2017-02-04 00:03:08,659Z ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-3) [] server_error: Unsupported command
>
> Ravi, do you know what this can cause?
>
> Also when in extensions.d directory contain the following files. If I remove mydomain.lan-authn.properties then in web ui FreeIPA domain not showing up in drop down list. Any http don't have influence on this.
>
> That is correct behavior, we don't show profiles, which uses http for authn.
>
> [root@vhe00 extensions.d]# pwd
> /etc/ovirt-engine/extensions.d
>
> [root@vhe00 extensions.d]# ls
> mydomain.lan-authn.properties mydomain.lan-http-authn.properties
> mydomain.lan.properties internal-authz.properties
> mydomain.lan-authz.properties mydomain.lan-http-mapping.properties
> internal-authn.properties
> [root@vhe00 extensions.d]#
>
> If possible clarify how it should be and what is possible issue.
>
> Can you please take a look to /var/log/httpd/ssl_error_log if any errors there?
>
> Slava.
Re: [ovirt-users] FreeIPA with ovirt 4.1
Hello Everyone,
Anything else possible to check ?

Slava.

From: "Slava Bendersky" <volga...@networklab.ca>
To: "Ondra Machacek" <omach...@redhat.com>
Cc: "users" <users@ovirt.org>
Sent: Saturday, February 4, 2017 2:27:31 PM
Subject: Re: [ovirt-users] FreeIPA with ovirt 4.1

Hello Ondra,
Log is empty

[root@vhe00 ~]# ls -la /var/log/httpd/ssl_error_log
-rw-r--r--. 1 root root 0 Feb 2 04:45 /var/log/httpd/ssl_error_log

Slava.

From: "Ondra Machacek" <omach...@redhat.com>
To: "Slava Bendersky" <volga...@networklab.ca>
Cc: "users" <users@ovirt.org>, "Ravi" <rn...@redhat.com>
Sent: Saturday, February 4, 2017 10:35:31 AM
Subject: Re: [ovirt-users] FreeIPA with ovirt 4.1

On Feb 4, 2017 1:21 AM, "Slava Bendersky" <volga...@networklab.ca> wrote:
> Hello Everyone,
> Having trouble implement FreeIPA authentication with GSSAPI SSO and ovirt 4.1. I ran setup and it finished OK then it wrote the files below. Next I log to web admin with internal user and added FreeIPA user as SuperUser role. Also I added under System FreeIPA group authorized to login on any attempt to login with FreeIPA credentials getting message
>
> 2017-02-04 00:03:08,464Z ERROR [org.ovirt.engine.core.sso.servlets.InteractiveAuthServlet] (default task-6) [] Internal Server Error: Unsupported command
> 2017-02-04 00:03:08,464Z ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] (default task-6) [] Unsupported command
> 2017-02-04 00:03:08,659Z ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-3) [] server_error: Unsupported command

Ravi, do you know what this can cause?

> Also when in extensions.d directory contain the following files. If I remove mydomain.lan-authn.properties then in web ui FreeIPA domain not showing up in drop down list. Any http don't have influence on this.

That is correct behavior, we don't show profiles, which uses http for authn.

> [root@vhe00 extensions.d]# pwd
> /etc/ovirt-engine/extensions.d
>
> [root@vhe00 extensions.d]# ls
> mydomain.lan-authn.properties mydomain.lan-http-authn.properties
> mydomain.lan.properties internal-authz.properties
> mydomain.lan-authz.properties mydomain.lan-http-mapping.properties
> internal-authn.properties
> [root@vhe00 extensions.d]#
>
> If possible clarify how it should be and what is possible issue.

Can you please take a look to /var/log/httpd/ssl_error_log if any errors there?

> Slava.
Re: [ovirt-users] FreeIPA with ovirt 4.1
Hello Ondra,
Log is empty

[root@vhe00 ~]# ls -la /var/log/httpd/ssl_error_log
-rw-r--r--. 1 root root 0 Feb 2 04:45 /var/log/httpd/ssl_error_log

Slava.

From: "Ondra Machacek" <omach...@redhat.com>
To: "Slava Bendersky" <volga...@networklab.ca>
Cc: "users" <users@ovirt.org>, "Ravi" <rn...@redhat.com>
Sent: Saturday, February 4, 2017 10:35:31 AM
Subject: Re: [ovirt-users] FreeIPA with ovirt 4.1

On Feb 4, 2017 1:21 AM, "Slava Bendersky" <volga...@networklab.ca> wrote:
> Hello Everyone,
> Having trouble implement FreeIPA authentication with GSSAPI SSO and ovirt 4.1. I ran setup and it finished OK then it wrote the files below. Next I log to web admin with internal user and added FreeIPA user as SuperUser role. Also I added under System FreeIPA group authorized to login on any attempt to login with FreeIPA credentials getting message
>
> 2017-02-04 00:03:08,464Z ERROR [org.ovirt.engine.core.sso.servlets.InteractiveAuthServlet] (default task-6) [] Internal Server Error: Unsupported command
> 2017-02-04 00:03:08,464Z ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] (default task-6) [] Unsupported command
> 2017-02-04 00:03:08,659Z ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-3) [] server_error: Unsupported command

Ravi, do you know what this can cause?

> Also when in extensions.d directory contain the following files. If I remove mydomain.lan-authn.properties then in web ui FreeIPA domain not showing up in drop down list. Any http don't have influence on this.

That is correct behavior, we don't show profiles, which uses http for authn.

> [root@vhe00 extensions.d]# pwd
> /etc/ovirt-engine/extensions.d
>
> [root@vhe00 extensions.d]# ls
> mydomain.lan-authn.properties mydomain.lan-http-authn.properties
> mydomain.lan.properties internal-authz.properties
> mydomain.lan-authz.properties mydomain.lan-http-mapping.properties
> internal-authn.properties
> [root@vhe00 extensions.d]#
>
> If possible clarify how it should be and what is possible issue.

Can you please take a look to /var/log/httpd/ssl_error_log if any errors there?

> Slava.
Re: [ovirt-users] FreeIPA with ovirt 4.1
On Feb 4, 2017 1:21 AM, "Slava Bendersky" wrote:
> Hello Everyone,
> Having trouble implement FreeIPA authentication with GSSAPI SSO and ovirt 4.1. I ran setup and it finished OK then it wrote the files below. Next I log to web admin with internal user and added FreeIPA user as SuperUser role. Also I added under System FreeIPA group authorized to login on any attempt to login with FreeIPA credentials getting message
>
> 2017-02-04 00:03:08,464Z ERROR [org.ovirt.engine.core.sso.servlets.InteractiveAuthServlet] (default task-6) [] Internal Server Error: Unsupported command
> 2017-02-04 00:03:08,464Z ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] (default task-6) [] Unsupported command
> 2017-02-04 00:03:08,659Z ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-3) [] server_error: Unsupported command

Ravi, do you know what this can cause?

> Also when in extensions.d directory contain the following files. If I remove mydomain.lan-authn.properties then in web ui FreeIPA domain not showing up in drop down list. Any http don't have influence on this.

That is correct behavior, we don't show profiles, which uses http for authn.

> [root@vhe00 extensions.d]# pwd
> /etc/ovirt-engine/extensions.d
>
> [root@vhe00 extensions.d]# ls
> mydomain.lan-authn.properties mydomain.lan-http-authn.properties
> mydomain.lan.properties internal-authz.properties
> mydomain.lan-authz.properties mydomain.lan-http-mapping.properties
> internal-authn.properties
> [root@vhe00 extensions.d]#
>
> If possible clarify how it should be and what is possible issue.

Can you please take a look to /var/log/httpd/ssl_error_log if any errors there?

> Slava.
[ovirt-users] FreeIPA with ovirt 4.1
Hello Everyone,

Having trouble implementing FreeIPA authentication with GSSAPI SSO and ovirt 4.1.
I ran setup and it finished OK then it wrote the files below. Next I log to web admin with internal user and added FreeIPA user as SuperUser role. Also I added under System FreeIPA group authorized to login. On any attempt to login with FreeIPA credentials getting message

2017-02-04 00:03:08,464Z ERROR [org.ovirt.engine.core.sso.servlets.InteractiveAuthServlet] (default task-6) [] Internal Server Error: Unsupported command
2017-02-04 00:03:08,464Z ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] (default task-6) [] Unsupported command
2017-02-04 00:03:08,659Z ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-3) [] server_error: Unsupported command

Also when in extensions.d directory contain the following files. If I remove mydomain.lan-authn.properties then in web ui FreeIPA domain not showing up in drop down list. Any http don't have influence on this.

[root@vhe00 extensions.d]# pwd
/etc/ovirt-engine/extensions.d
[root@vhe00 extensions.d]# ls
mydomain.lan-authn.properties mydomain.lan-http-authn.properties mydomain.lan.properties internal-authz.properties mydomain.lan-authz.properties mydomain.lan-http-mapping.properties internal-authn.properties
[root@vhe00 extensions.d]#

If possible clarify how it should be and what is possible issue.

Slava.
Re: [ovirt-users] FreeIPA
-0238
2015-09-23 09:38:09,180 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.HSMGetAllTasksInfoVDSCommand] (org.ovirt.thread.pool-8-thread-16) [205b10f8] START, HSMGetAllTasksInfoVDSCommand(HostName = node3.acloud.pt, HostId = 0ffde0bc-c610-43ee-8ded-e8d2beb7e0f6), log id: 2c5dc746
2015-09-23 09:38:09,216 INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.HSMGetAllTasksInfoVDSCommand] (org.ovirt.thread.pool-8-thread-16) [205b10f8] FINISH, HSMGetAllTasksInfoVDSCommand, return: [], log id: 2c5dc746
2015-09-23 09:38:09,216 INFO [org.ovirt.engine.core.vdsbroker.irsbroker.SPMGetAllTasksInfoVDSCommand] (org.ovirt.thread.pool-8-thread-16) [205b10f8] FINISH, SPMGetAllTasksInfoVDSCommand, return: [], log id: 6735b7ad
2015-09-23 09:38:09,217 INFO [org.ovirt.engine.core.bll.tasks.AsyncTaskManager] (org.ovirt.thread.pool-8-thread-16) [205b10f8] Discovered no tasks on Storage Pool Default
2015-09-23 09:38:13,937 INFO [org.ovirt.engine.core.vdsbroker.gluster.GlusterVolumesListVDSCommand] (DefaultQuartzScheduler_Worker-30) START, GlusterVolumesListVDSCommand(HostName = node3.acloud.pt, HostId = 0ffde0bc-c610-43ee-8ded-e8d2beb7e0f6), log id: 663177d4
2015-09-23 09:38:13,964 INFO [org.ovirt.engine.core.vdsbroker.gluster.GlusterVolumesListVDSCommand] (DefaultQuartzScheduler_Worker-30) FINISH, GlusterVolumesListVDSCommand, return: {}, log id: 663177d4
2015-09-23 09:38:19,184 INFO [org.ovirt.engine.core.vdsbroker.gluster.GlusterVolumesListVDSCommand] (DefaultQuartzScheduler_Worker-40) START, GlusterVolumesListVDSCommand(HostName = node3.acloud.pt, HostId = 0ffde0bc-c610-43ee-8ded-e8d2beb7e0f6), log id: 4db78ebd
2015-09-23 09:38:19,232 INFO [org.ovirt.engine.core.vdsbroker.gluster.GlusterVolumesListVDSCommand] (DefaultQuartzScheduler_Worker-40) FINISH, GlusterVolumesListVDSCommand, return: {}, log id: 4db78ebd
2015-09-23 09:38:24,382 INFO [org.ovirt.engine.core.vdsbroker.gluster.GlusterVolumesListVDSCommand] (DefaultQuartzScheduler_Worker-50) START, GlusterVolumesListVDSCommand(HostName = node3.acloud.pt, HostId = 0ffde0bc-c610-43ee-8ded-e8d2beb7e0f6), log id: 3beec320
2015-09-23 09:38:24,410 INFO [org.ovirt.engine.core.vdsbroker.gluster.GlusterVolumesListVDSCommand] (DefaultQuartzScheduler_Worker-50) FINISH, GlusterVolumesListVDSCommand, return: {}, log id: 3beec320

Thanks

From: "Ondra Machacek" <omach...@redhat.com>
To: supo...@logicworks.pt, users@ovirt.org
Sent: Wednesday, 23 September 2015 7:40:12
Subject: Re: [ovirt-users] FreeIPA

Just for clarification - ovirt-engine-extension-aaa-ldap-setup is available from oVirt 3.6

Can you send engine.log, hard to say what's wrong from configuration, it looks good.

On 09/22/2015 09:55 PM, Ravi Nori wrote:

Once you have installed ovirt-engine-extension-aaa-ldap and ovirt-engine-extension-aaa-ldap-setup

You can run ovirt-engine-extension-aaa-ldap-setup and follow the steps to set up ldap.

Once that is done you can login to webadmin and add users/groups from ipa

On 09/22/2015 11:57 AM, supo...@logicworks.pt wrote:

Here is what I'm trying to do:

Ovirt engine : engine.domain.tld
Freeipa 4.1.0 : ipa.domain.tld

I have installed on the engine:
/ovirt-engine-extension-aaa-ldap/
/openldap-clients/

/etc/ovirt-engine/aaa/profile1.properties:

#
# Select one
#
#include =
#include = <389ds.properties>
#include =
include =
#include =
#include =
#include =

#
# Server
#
vars.server = ipa.domain.tld

#
# Search user and its password.
#
vars.user = uid=search,cn=users,cn=accounts,dc=domain,dc=tld
vars.password =/ipa_admin_password/

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
#pool.default.ssl.truststore.password = changeit

On the engine cannot find any users configured on the ipa server.

Any help?

Thanks
Jose

From: "Alon Bar-Lev" <alo...@redhat.com>
To: supo...@logicworks.pt
Cc: "users" <users@ovirt.org>
Sent: Friday, 18 September 2015 15:48:22
Subject: Re: [ovirt-users] FreeIPA

- Original Message -
> From: supo...@logicworks.pt
> To: "users" &
Re: [ovirt-users] FreeIPA
Try this[1] easier approach.

[1] https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=aed09b5793e0352dc20812b4746dbd2d7898f292#l389

On 09/23/2015 03:58 PM, supo...@logicworks.pt wrote:

well, when I run

# /usr/share/ovirt-engine-jboss-as/bin/jboss-cli.sh --connect --timeout=3 --controller=localhost:8706 --user=admin@internal --commands="if (outcome != success) of /subsystem=logging/logger=org.ovirt.engineextensions.aaa.ldap:read-attribute(name=level),/subsystem=logging/logger=org.ovirt.engineextensions.aaa.ldap:add,end-if,/subsystem=logging/logger=org.ovirt.engineextensions.aaa.ldap:write-attribute(name=level,value=ALL)"

get this error:
Duplicate argument '--command'/'--commands'.

can't see why

From: "Ondra Machacek" <omach...@redhat.com>
To: supo...@logicworks.pt
Cc: users@ovirt.org
Sent: Wednesday, 23 September 2015 12:50:46
Subject: Re: [ovirt-users] FreeIPA

You don't have to do anything on IPA side, just create users/groups.

OK, nothing in the log at INFO level, initialization succeeded, so can you please send the debug log? See here[1] how to enable. Thank you.

[1] https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l389

On 09/23/2015 10:48 AM, supo...@logicworks.pt wrote:

Is there anything to do on the IPA side? Or is just add users?

On the oVirt Engine, Users Tab, when click on add I can see profile1 (profile1-authz) but the GO button is still in gray.
I think something is wrong with the authentication on the IPA server.

Here is the engine log :

2015-09-23 09:37:57,927 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Extension 'builtin-authn-internal' initialized
2015-09-23 09:37:57,927 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Initializing extension 'internal'
2015-09-23 09:37:57,928 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Extension 'internal' initialized
2015-09-23 09:37:57,928 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Start of enabled extensions list
2015-09-23 09:37:57,928 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Instance name: 'profile1-authn', Extension name: 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.0.2', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.0.2-1.el7', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/profile1-authn.properties', Initialized: 'true'
2015-09-23 09:37:57,929 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Instance name: 'profile1-authz', Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.0.2', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.0.2-1.el7', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/profile1-authz.properties', Initialized: 'true'
2015-09-23 09:37:57,929 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Instance name: 'builtin-authn-internal', Extension name: 'Internal Authn (Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: 'N/A', Initialized: 'true'
2015-09-23 09:37:57,930 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Instance name: 'internal', Extension name: 'Internal Authz (Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: 'N/A', Initialized: 'true'
2015-09-23 09:37:57,930 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) End of enabled extensions list
2015-09-23 09:37:58,103 INFO [org.ovirt.engine.core.bll.tasks.AsyncTaskManager] (MSC service thread 1-1) Initialization of AsyncTaskManager completed successfully.
2015-09-23 09:37:58,105 INFO [org.ovirt.engine.core.vdsbroker.ResourceManager] (MSC service thread 1-1) Start initializing ResourceManager
2015-09-23 09:37:58,217 INFO [org.ovirt.engine.core.vdsbroker.VdsManager] (MSC service thread 1-1) Entered VdsManager constructor
2015-09-23 09:37:58,268 INFO [org.ovirt.engine.core.vdsbroker.VdsManager] (MSC service thread 1-1) Initialize vdsBroker (192.168.6.201,54,321)
20
Re: [ovirt-users] FreeIPA
1-1) Instance name: 'profile1-authn', Extension name: 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.0.2', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.0.2-1.el7', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/profile1-authn.properties', Initialized: 'true'
2015-09-23 16:24:50,542 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-1) Instance name: 'profile1-authz', Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.0.2', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.0.2-1.el7', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/profile1-authz.properties', Initialized: 'true'

From: "Ondra Machacek" <omach...@redhat.com>
To: supo...@logicworks.pt
Cc: users@ovirt.org
Sent: Wednesday, 23 September 2015 15:02:54
Subject: Re: [ovirt-users] FreeIPA

Try this[1] easier approach.

[1] https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=aed09b5793e0352dc20812b4746dbd2d7898f292#l389

On 09/23/2015 03:58 PM, supo...@logicworks.pt wrote:

well, when I run

# /usr/share/ovirt-engine-jboss-as/bin/jboss-cli.sh --connect --timeout=3 --controller=localhost:8706 --user=admin@internal --commands="if (outcome != success) of /subsystem=logging/logger=org.ovirt.engineextensions.aaa.ldap:read-attribute(name=level),/subsystem=logging/logger=org.ovirt.engineextensions.aaa.ldap:add,end-if,/subsystem=logging/logger=org.ovirt.engineextensions.aaa.ldap:write-attribute(name=level,value=ALL)"

get this error:
Duplicate argument '--command'/'--commands'.

can't see why

From: "Ondra Machacek" <omach...@redhat.com>
To: supo...@logicworks.pt
Cc: users@ovirt.org
Sent: Wednesday, 23 September 2015 12:50:46
Subject: Re: [ovirt-users] FreeIPA

You don't have to do anything on IPA side, just create users/groups.

OK, nothing in the log at INFO level, initialization succeeded, so can you please send the debug log? See here[1] how to enable. Thank you.

[1] https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l389

On 09/23/2015 10:48 AM, supo...@logicworks.pt wrote:

Is there anything to do on the IPA side? Or is just add users?

On the oVirt Engine, Users Tab, when click on add I can see profile1 (profile1-authz) but the GO button is still in gray.
I think something is wrong with the authentication on the IPA server.

Here is the engine log :

2015-09-23 09:37:57,927 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Extension 'builtin-authn-internal' initialized
2015-09-23 09:37:57,927 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Initializing extension 'internal'
2015-09-23 09:37:57,928 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Extension 'internal' initialized
2015-09-23 09:37:57,928 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Start of enabled extensions list
2015-09-23 09:37:57,928 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Instance name: 'profile1-authn', Extension name: 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.0.2', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.0.2-1.el7', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/profile1-authn.properties', Initialized: 'true'
2015-09-23 09:37:57,929 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Instance name: 'profile1-authz', Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.0.2', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.0.2-1.el7', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/profile1-authz.properties', Initialized: 'true'
2015-09-23 09:37:57,929 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Instance name: 'builtin-authn-internal', Extension name: 'Internal Aut
Re: [ovirt-users] FreeIPA
well, when I run

# /usr/share/ovirt-engine-jboss-as/bin/jboss-cli.sh --connect --timeout=3 --controller=localhost:8706 --user=admin@internal --commands="if (outcome != success) of /subsystem=logging/logger=org.ovirt.engineextensions.aaa.ldap:read-attribute(name=level),/subsystem=logging/logger=org.ovirt.engineextensions.aaa.ldap:add,end-if,/subsystem=logging/logger=org.ovirt.engineextensions.aaa.ldap:write-attribute(name=level,value=ALL)"

get this error:
Duplicate argument '--command'/'--commands'.

can't see why

- Original Message -
From: "Ondra Machacek" <omach...@redhat.com>
To: supo...@logicworks.pt
Cc: users@ovirt.org
Sent: Wednesday, 23 September 2015 12:50:46
Subject: Re: [ovirt-users] FreeIPA

You don't have to do anything on IPA side, just create users/groups.

OK, nothing in the log at INFO level, initialization succeeded, so can you please send the debug log? See here[1] how to enable. Thank you.

[1] https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l389

On 09/23/2015 10:48 AM, supo...@logicworks.pt wrote:

Is there anything to do on the IPA side? Or is just add users?

On the oVirt Engine, Users Tab, when click on add I can see profile1 (profile1-authz) but the GO button is still in gray.
I think something is wrong with the authentication on the IPA server.

Here is the engine log :

2015-09-23 09:37:57,927 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Extension 'builtin-authn-internal' initialized
2015-09-23 09:37:57,927 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Initializing extension 'internal'
2015-09-23 09:37:57,928 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Extension 'internal' initialized
2015-09-23 09:37:57,928 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Start of enabled extensions list
2015-09-23 09:37:57,928 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Instance name: 'profile1-authn', Extension name: 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.0.2', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.0.2-1.el7', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/profile1-authn.properties', Initialized: 'true'
2015-09-23 09:37:57,929 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Instance name: 'profile1-authz', Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.0.2', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.0.2-1.el7', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/profile1-authz.properties', Initialized: 'true'
2015-09-23 09:37:57,929 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Instance name: 'builtin-authn-internal', Extension name: 'Internal Authn (Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: 'N/A', Initialized: 'true'
2015-09-23 09:37:57,930 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) Instance name: 'internal', Extension name: 'Internal Authz (Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: 'N/A', Initialized: 'true'
2015-09-23 09:37:57,930 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-2) End of enabled extensions list
2015-09-23 09:37:58,103 INFO [org.ovirt.engine.core.bll.tasks.AsyncTaskManager] (MSC service thread 1-1) Initialization of AsyncTaskManager completed successfully.
2015-09-23 09:37:58,105 INFO [org.ovirt.engine.core.vdsbroker.ResourceManager] (MSC service thread 1-1) Start initializing ResourceManager
2015-09-23 09:37:58,217 INFO [org.ovirt.engine.core.vdsbroker.VdsManager] (MSC service thread 1-1) Entered VdsManager constructor
2015-09-23 09:37:58,268 INFO [org.ovirt.engine.core.vdsbroker.VdsManager] (MSC service thread 1-1) Initialize vdsBroker (192.168.6.201,54,321)
2015-09-23 09:37:58,402 INFO [org.ovirt.engine.core.vdsbroker.ResourceManager] (MSC service thread 1-1) VDS 0ffde0bc-c610-43ee-8ded-e8d2beb7e0f6 was added to the Resource Manager
2015-09-23 09:37:58,429 INFO [org.ovirt.engine.core.vdsbroker.ResourceManager] (MSC service thread 1-1) Finished initializing ResourceManager
2015-09-23 09:37:58,430 INFO [org.ovirt.engine.core.bll.OvfDataUpdater] (MSC service thread 1-1) Initialization of OvfDataUpdater completed successfully.
20
Re: [ovirt-users] FreeIPA
great!

It depends on what guest you are using, for fedora you can install from epel package ovirt-guest-agent. There are also for ubuntu[1], suse[2] and maybe other which I am not aware of. For windows there is guest tools[3] since oVirt 3.5 I think.

[1] http://www.ovirt.org/Feature/GuestAgentUbuntu
[2] http://www.ovirt.org/Feature/GuestAgentOpenSUSE
[3] http://www.ovirt.org/Features/oVirt_Windows_Guest_Tools

On 09/23/2015 06:26 PM, supo...@logicworks.pt wrote:

Fantastic Ondra, nice Hawk Eye
It's working.

When I enter with a user name and click on console I get:
Could not connect to the agent on the guest, it may be unresponsive or not installed. As a result, some features may not work.

What kind of agent should I install on the guests?

Thanks a lot

From: "Ondra Machacek" <omach...@redhat.com>
To: supo...@logicworks.pt
Cc: users@ovirt.org
Sent: Wednesday, 23 September 2015 16:39:05
Subject: Re: [ovirt-users] FreeIPA

As you can see in exception you have trailing space at the end of your fqdn of IPA, please remove the trailing space in properties file.

it's:
'ipa.acloud.pt ' <- trailing space
and should be:
'ipa.acloud.pt'

On 09/23/2015 05:30 PM, supo...@logicworks.pt wrote:

I can ping ipa server from engine, the log:

2015-09-23 16:24:50,504 WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-1) [ovirt-engine-extension-aaa-ldap.authn::profile1-authn] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to resolve address 'ipa.acloud.pt ': java.net.UnknownHostException: ipa.acloud.pt : Name or service not known
2015-09-23 16:24:50,504 DEBUG [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-1) Ignoring Exception: LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to resolve address 'ipa.acloud.pt ': java.net.UnknownHostException: ipa.acloud.pt : Name or service not known')
    at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:754) [unboundid-ldapsdk.jar:2.3.7]
    at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:709) [unboundid-ldapsdk.jar:2.3.7]
    at com.unboundid.ldap.sdk.LDAPConnection.(LDAPConnection.java:533) [unboundid-ldapsdk.jar:2.3.7]
    at com.unboundid.ldap.sdk.SingleServerSet.getConnection(SingleServerSet.java:229) [unboundid-ldapsdk.jar:2.3.7]
    at com.unboundid.ldap.sdk.ServerSet.getConnection(ServerSet.java:98) [unboundid-ldapsdk.jar:2.3.7]
    at com.unboundid.ldap.sdk.LDAPConnectionPool.createConnection(LDAPConnectionPool.java:1088) [unboundid-ldapsdk.jar:2.3.7]
    at com.unboundid.ldap.sdk.LDAPConnectionPool.(LDAPConnectionPool.java:1026) [unboundid-ldapsdk.jar:2.3.7]
    at com.unboundid.ldap.sdk.LDAPConnectionPool.(LDAPConnectionPool.java:913) [unboundid-ldapsdk.jar:2.3.7]
    at org.ovirt.engineextensions.aaa.ldap.Framework.createConnectionPool(Framework.java:595) [ovirt-engine-extension-aaa-ldap.jar:]
    at org.ovirt.engineextensions.aaa.ldap.Framework.createPool(Framework.java:632) [ovirt-engine-extension-aaa-ldap.jar:]
    at org.ovirt.engineextensions.aaa.ldap.Framework.runSequence(Framework.java:1362) [ovirt-engine-extension-aaa-ldap.jar:]
    at org.ovirt.engineextensions.aaa.ldap.Framework.open(Framework.java:667) [ovirt-engine-extension-aaa-ldap.jar:]
    at org.ovirt.engineextensions.aaa.ldap.AuthnExtension.ensureFramework(AuthnExtension.java:49) [ovirt-engine-extension-aaa-ldap.jar:]
    at org.ovirt.engineextensions.aaa.ldap.AuthnExtension.doInit(AuthnExtension.java:130) [ovirt-engine-extension-aaa-ldap.jar:]
    at org.ovirt.engineextensions.aaa.ldap.AuthnExtension.invoke(AuthnExtension.java:66) [ovirt-engine-extension-aaa-ldap.jar:]
    at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:749) [unboundid-ldapsdk.jar:2.3.7]
2015-09-23 16:24:50,514 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-1) open Entry
2015-09-23 16:24:50,514 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-1) runSequence Entry name='simple-open-pools'
2015-09-23 16:24:50,514 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-1) Running sequence simple-open-pools/010/pool-create create authz pool
2015-09-23 16:24:50,515 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-1) VARS-BEGIN
2015-09-23 16:24:50,515 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service threa
Re: [ovirt-users] FreeIPA
Fantastic Ondra, nice Hawk Eye
It's working.

When I enter with a user name and click on console I get:
Could not connect to the agent on the guest, it may be unresponsive or not installed. As a result, some features may not work.

What kind of agent should I install on the guests?

Thanks a lot

- Original Message -
From: "Ondra Machacek" <omach...@redhat.com>
To: supo...@logicworks.pt
Cc: users@ovirt.org
Sent: Wednesday, 23 September 2015 16:39:05
Subject: Re: [ovirt-users] FreeIPA

As you can see in exception you have trailing space at the end of your fqdn of IPA, please remove the trailing space in properties file.

it's:
'ipa.acloud.pt ' <- trailing space
and should be:
'ipa.acloud.pt'

On 09/23/2015 05:30 PM, supo...@logicworks.pt wrote:

I can ping ipa server from engine, the log:

2015-09-23 16:24:50,504 WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-1) [ovirt-engine-extension-aaa-ldap.authn::profile1-authn] Cannot initialize LDAP framework, deferring initialization. Error: An error occurred while attempting to resolve address 'ipa.acloud.pt ': java.net.UnknownHostException: ipa.acloud.pt : Name or service not known
2015-09-23 16:24:50,504 DEBUG [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-1) Ignoring Exception: LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to resolve address 'ipa.acloud.pt ': java.net.UnknownHostException: ipa.acloud.pt : Name or service not known')
    at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:754) [unboundid-ldapsdk.jar:2.3.7]
    at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:709) [unboundid-ldapsdk.jar:2.3.7]
    at com.unboundid.ldap.sdk.LDAPConnection.(LDAPConnection.java:533) [unboundid-ldapsdk.jar:2.3.7]
    at com.unboundid.ldap.sdk.SingleServerSet.getConnection(SingleServerSet.java:229) [unboundid-ldapsdk.jar:2.3.7]
    at com.unboundid.ldap.sdk.ServerSet.getConnection(ServerSet.java:98) [unboundid-ldapsdk.jar:2.3.7]
    at com.unboundid.ldap.sdk.LDAPConnectionPool.createConnection(LDAPConnectionPool.java:1088) [unboundid-ldapsdk.jar:2.3.7]
    at com.unboundid.ldap.sdk.LDAPConnectionPool.(LDAPConnectionPool.java:1026) [unboundid-ldapsdk.jar:2.3.7]
    at com.unboundid.ldap.sdk.LDAPConnectionPool.(LDAPConnectionPool.java:913) [unboundid-ldapsdk.jar:2.3.7]
    at org.ovirt.engineextensions.aaa.ldap.Framework.createConnectionPool(Framework.java:595) [ovirt-engine-extension-aaa-ldap.jar:]
    at org.ovirt.engineextensions.aaa.ldap.Framework.createPool(Framework.java:632) [ovirt-engine-extension-aaa-ldap.jar:]
    at org.ovirt.engineextensions.aaa.ldap.Framework.runSequence(Framework.java:1362) [ovirt-engine-extension-aaa-ldap.jar:]
    at org.ovirt.engineextensions.aaa.ldap.Framework.open(Framework.java:667) [ovirt-engine-extension-aaa-ldap.jar:]
    at org.ovirt.engineextensions.aaa.ldap.AuthnExtension.ensureFramework(AuthnExtension.java:49) [ovirt-engine-extension-aaa-ldap.jar:]
    at org.ovirt.engineextensions.aaa.ldap.AuthnExtension.doInit(AuthnExtension.java:130) [ovirt-engine-extension-aaa-ldap.jar:]
    at org.ovirt.engineextensions.aaa.ldap.AuthnExtension.invoke(AuthnExtension.java:66) [ovirt-engine-extension-aaa-ldap.jar:]
    at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:749) [unboundid-ldapsdk.jar:2.3.7]
2015-09-23 16:24:50,514 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-1) open Entry
2015-09-23 16:24:50,514 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-1) runSequence Entry name='simple-open-pools'
2015-09-23 16:24:50,514 DEBUG [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-1) Running sequence simple-open-pools/010/pool-create create authz pool
2015-09-23 16:24:50,515 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-1) VARS-BEGIN
2015-09-23 16:24:50,515 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-1) authz_enable = 1
2015-09-23 16:24:50,515 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-1) capability_credentialsChange = false
2015-09-23 16:24:50,515 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-1) capability_resucrsiveGroupResolution = false
2015-09-23 16:24:50,515 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-1) maxFilterSize = 50
2015-09-23 16:24:50,515 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-1) sensitiveKeys = , password, passwordNew
2015-09-23 16:24:50,515 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-1) simple_attrGroupMemberDN = member
2015-09-23 16:24:50,516 TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-1) simple_attrMemberOf = memberOf
2015-09-23
Re: [ovirt-users] FreeIPA
Just for clarification - ovirt-engine-extension-aaa-ldap-setup is available from oVirt 3.6

Can you send engine.log, hard to say what's wrong from configuration, it looks good.

On 09/22/2015 09:55 PM, Ravi Nori wrote:

Once you have installed ovirt-engine-extension-aaa-ldap and ovirt-engine-extension-aaa-ldap-setup

You can run ovirt-engine-extension-aaa-ldap-setup and follow the steps to set up ldap.

Once that is done you can login to webadmin and add users/groups from ipa

On 09/22/2015 11:57 AM, supo...@logicworks.pt wrote:

Here is what I'm trying to do:

Ovirt engine : engine.domain.tld
Freeipa 4.1.0 : ipa.domain.tld

I have installed on the engine:
/ovirt-engine-extension-aaa-ldap/
/openldap-clients/

/etc/ovirt-engine/aaa/profile1.properties:

#
# Select one
#
#include =
#include = <389ds.properties>
#include =
include =
#include =
#include =
#include =

#
# Server
#
vars.server = ipa.domain.tld

#
# Search user and its password.
#
vars.user = uid=search,cn=users,cn=accounts,dc=domain,dc=tld
vars.password =/ipa_admin_password/

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
#pool.default.ssl.truststore.password = changeit

On the engine cannot find any users configured on the ipa server.

Any help?

Thanks
Jose

From: "Alon Bar-Lev" <alo...@redhat.com>
To: supo...@logicworks.pt
Cc: "users" <users@ovirt.org>
Sent: Friday, 18 September 2015 15:48:22
Subject: Re: [ovirt-users] FreeIPA

- Original Message -
> From: supo...@logicworks.pt
> To: "users" <users@ovirt.org>
> Sent: Friday, September 18, 2015 5:45:18 PM
> Subject: [ovirt-users] FreeIPA
>
> Hi,
>
> Is there any documentation about FreeIPA integration with oVirt 3.5 and how
> to configure it?
>

Hi,

Please find documentation at [1][2].

Regards,
Alon Bar-Lev.

[1] http://www.ovirt.org/Features/AAA
[2] https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0
Re: [ovirt-users] FreeIPA
INFO [org.ovirt.engine.core.vdsbroker.vdsbroker.HSMGetAllTasksInfoVDSCommand] (org.ovirt.thread.pool-8-thread-16) [205b10f8] FINISH, HSMGetAllTasksInfoVDSCommand, return: [], log id: 2c5dc746
2015-09-23 09:38:09,216 INFO [org.ovirt.engine.core.vdsbroker.irsbroker.SPMGetAllTasksInfoVDSCommand] (org.ovirt.thread.pool-8-thread-16) [205b10f8] FINISH, SPMGetAllTasksInfoVDSCommand, return: [], log id: 6735b7ad
2015-09-23 09:38:09,217 INFO [org.ovirt.engine.core.bll.tasks.AsyncTaskManager] (org.ovirt.thread.pool-8-thread-16) [205b10f8] Discovered no tasks on Storage Pool Default
2015-09-23 09:38:13,937 INFO [org.ovirt.engine.core.vdsbroker.gluster.GlusterVolumesListVDSCommand] (DefaultQuartzScheduler_Worker-30) START, GlusterVolumesListVDSCommand(HostName = node3.acloud.pt, HostId = 0ffde0bc-c610-43ee-8ded-e8d2beb7e0f6), log id: 663177d4
2015-09-23 09:38:13,964 INFO [org.ovirt.engine.core.vdsbroker.gluster.GlusterVolumesListVDSCommand] (DefaultQuartzScheduler_Worker-30) FINISH, GlusterVolumesListVDSCommand, return: {}, log id: 663177d4
2015-09-23 09:38:19,184 INFO [org.ovirt.engine.core.vdsbroker.gluster.GlusterVolumesListVDSCommand] (DefaultQuartzScheduler_Worker-40) START, GlusterVolumesListVDSCommand(HostName = node3.acloud.pt, HostId = 0ffde0bc-c610-43ee-8ded-e8d2beb7e0f6), log id: 4db78ebd
2015-09-23 09:38:19,232 INFO [org.ovirt.engine.core.vdsbroker.gluster.GlusterVolumesListVDSCommand] (DefaultQuartzScheduler_Worker-40) FINISH, GlusterVolumesListVDSCommand, return: {}, log id: 4db78ebd
2015-09-23 09:38:24,382 INFO [org.ovirt.engine.core.vdsbroker.gluster.GlusterVolumesListVDSCommand] (DefaultQuartzScheduler_Worker-50) START, GlusterVolumesListVDSCommand(HostName = node3.acloud.pt, HostId = 0ffde0bc-c610-43ee-8ded-e8d2beb7e0f6), log id: 3beec320
2015-09-23 09:38:24,410 INFO [org.ovirt.engine.core.vdsbroker.gluster.GlusterVolumesListVDSCommand] (DefaultQuartzScheduler_Worker-50) FINISH, GlusterVolumesListVDSCommand, return: {}, log id: 3beec320

Thanks

- Original Message -
From: "Ondra Machacek" <omach...@redhat.com>
To: supo...@logicworks.pt, users@ovirt.org
Sent: Wednesday, September 23, 2015 7:40:12
Subject: Re: [ovirt-users] FreeIPA

Just for clarification - ovirt-engine-extension-aaa-ldap-setup is available from oVirt 3.6.

Can you send engine.log? It's hard to say what's wrong from the configuration; it looks good.

On 09/22/2015 09:55 PM, Ravi Nori wrote:

Once you have installed ovirt-engine-extension-aaa-ldap and ovirt-engine-extension-aaa-ldap-setup, you can run ovirt-engine-extension-aaa-ldap-setup and follow the steps to set up LDAP.

Once that is done, you can log in to webadmin and add users/groups from IPA.

On 09/22/2015 11:57 AM, supo...@logicworks.pt wrote:

Here is what I'm trying to do:

oVirt engine: engine.domain.tld
FreeIPA 4.1.0: ipa.domain.tld

I have installed on the engine:
ovirt-engine-extension-aaa-ldap
openldap-clients

/etc/ovirt-engine/aaa/profile1.properties:

#
# Select one
#
#include = 
#include = <389ds.properties>
#include = 
include = 
#include = 
#include = 
#include = 

#
# Server
#
vars.server = ipa.domain.tld

#
# Search user and its password.
#
vars.user = uid=search,cn=users,cn=accounts,dc=domain,dc=tld
vars.password = ipa_admin_password

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
#pool.default.ssl.truststore.password = changeit

On the engine I cannot find any users configured on the IPA server.
Any help?

Thanks
Jose

- Original Message -
From: "Alon Bar-Lev" <alo...@redhat.com>
To: supo...@logicworks.pt
Cc: "users" <users@ovirt.org>
Sent: Friday, September 18, 2015 15:48:22
Subject: Re: [ovirt-users] FreeIPA

- Original Message -
> From: supo...@logicworks.pt
> To: "users" <users@ovirt.org>
> Sent: Friday, September 18, 2015 5:45:18 PM
> Subject: [ovirt-users] FreeIPA
>
> Hi,
>
> Is there any documentation about FreeIPA integration with oVirt 3.5 and how
> to configure it?
>

Hi,

Please find documentation at [1][2].

Regards,
Alon Bar-Lev.

[1] http://www.ovirt.org/Features/AAA
[2] https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] FreeIPA
Once you have installed ovirt-engine-extension-aaa-ldap and ovirt-engine-extension-aaa-ldap-setup, you can run ovirt-engine-extension-aaa-ldap-setup and follow the steps to set up LDAP.

Once that is done, you can log in to webadmin and add users/groups from IPA.

On 09/22/2015 11:57 AM, supo...@logicworks.pt wrote:

Here is what I'm trying to do:

oVirt engine: engine.domain.tld
FreeIPA 4.1.0: ipa.domain.tld

I have installed on the engine:
ovirt-engine-extension-aaa-ldap
openldap-clients

/etc/ovirt-engine/aaa/profile1.properties:

#
# Select one
#
#include = 
#include = <389ds.properties>
#include = 
include = 
#include = 
#include = 
#include = 

#
# Server
#
vars.server = ipa.domain.tld

#
# Search user and its password.
#
vars.user = uid=search,cn=users,cn=accounts,dc=domain,dc=tld
vars.password = ipa_admin_password

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
#pool.default.ssl.truststore.password = changeit

On the engine I cannot find any users configured on the IPA server.
Any help?

Thanks
Jose

From: "Alon Bar-Lev" <alo...@redhat.com>
To: supo...@logicworks.pt
Cc: "users" <users@ovirt.org>
Sent: Friday, September 18, 2015 15:48:22
Subject: Re: [ovirt-users] FreeIPA

- Original Message -
> From: supo...@logicworks.pt
> To: "users" <users@ovirt.org>
> Sent: Friday, September 18, 2015 5:45:18 PM
> Subject: [ovirt-users] FreeIPA
>
> Hi,
>
> Is there any documentation about FreeIPA integration with oVirt 3.5 and how
> to configure it?
>

Hi,

Please find documentation at [1][2].

Regards,
Alon Bar-Lev.

[1] http://www.ovirt.org/Features/AAA
[2] https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] FreeIPA
Here is what I'm trying to do:

oVirt engine: engine.domain.tld
FreeIPA 4.1.0: ipa.domain.tld

I have installed on the engine:
ovirt-engine-extension-aaa-ldap
openldap-clients

/etc/ovirt-engine/aaa/profile1.properties:

#
# Select one
#
#include = 
#include = <389ds.properties>
#include = 
include = 
#include = 
#include = 
#include = 

#
# Server
#
vars.server = ipa.domain.tld

#
# Search user and its password.
#
vars.user = uid=search,cn=users,cn=accounts,dc=domain,dc=tld
vars.password = ipa_admin_password

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
#pool.default.ssl.truststore.password = changeit

On the engine I cannot find any users configured on the IPA server.
Any help?

Thanks
Jose

- Original Message -
From: "Alon Bar-Lev" <alo...@redhat.com>
To: supo...@logicworks.pt
Cc: "users" <users@ovirt.org>
Sent: Friday, September 18, 2015 15:48:22
Subject: Re: [ovirt-users] FreeIPA

- Original Message -
> From: supo...@logicworks.pt
> To: "users" <users@ovirt.org>
> Sent: Friday, September 18, 2015 5:45:18 PM
> Subject: [ovirt-users] FreeIPA
>
> Hi,
>
> Is there any documentation about FreeIPA integration with oVirt 3.5 and how
> to configure it?
>

Hi,

Please find documentation at [1][2].

Regards,
Alon Bar-Lev.

[1] http://www.ovirt.org/Features/AAA
[2] https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
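
Added example, not part of the thread and not the project's own code: a small Python check over the profile1.properties quoted in these messages, reporting when a simple bind password is configured while the startTLS lines are still commented out. It reads only the keys shown in that file, expands `${global:...}` references in a simplified way, does not follow include files, and assumes the profile should be mode 600 because it stores the bind password; the function names are hypothetical.

```python
import re

# Constructed copy of the vars/pool lines from the posted profile (include lines left out).
SAMPLE_PROFILE = """\
vars.server = ipa.domain.tld
vars.user = uid=search,cn=users,cn=accounts,dc=domain,dc=tld
vars.password = ipa_admin_password
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
#pool.default.ssl.truststore.password = changeit
"""

GLOBAL_REF = re.compile(r"\$\{global:([^}]+)\}")

def parse_profile(text):
    """Return the active key/value pairs; '#' lines are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def resolve(props, key, depth=0):
    """Expand ${global:name} references (simplified; other scopes untouched)."""
    value = props.get(key, "")
    if depth > 8:  # stop on reference cycles
        return value
    return GLOBAL_REF.sub(
        lambda m: resolve(props, m.group(1), depth + 1)
        if m.group(1) in props else m.group(0), value)

def audit_profile(text, mode=None):
    """List findings for one profile; mode is the file's permission bits."""
    props = parse_profile(text)
    findings = []
    tls = resolve(props, "pool.default.ssl.startTLS").lower() == "true"
    if resolve(props, "pool.default.auth.simple.password") and not tls:
        findings.append("simple bind configured but startTLS is not enabled in this file")
    if tls and not resolve(props, "pool.default.ssl.truststore.file"):
        findings.append("startTLS enabled without pool.default.ssl.truststore.file")
    if mode is not None and mode & 0o077:
        findings.append("profile holds a bind password but is mode %o" % mode)
    return findings
```

On a real engine host, pass the file's contents and `stat.S_IMODE(os.stat(path).st_mode)` as `mode`.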