[ovirt-users] Re: LDAP logins do not work
Thanks. I've deleted the old roles/users and recreated them using the System Permissions tab and logins are working now.

On 06/14/2018 09:20 AM, Ondra Machacek wrote:
> This error:
>
> The user u...@example.com@example.com is not authorized to perform login
>
> means that you don't have any role assigned to your user.
>
> Please check following documentation:
>
> https://www.ovirt.org/documentation/admin-guide/chap-Users_and_Roles/#user-authorization
>
> to understand permission model of oVirt.
>
> On 06/14/2018 02:39 PM, Michael Watters wrote:
>> ldapsearch works correctly and I'm able to bind to AD without any
>> issues. ovirt-engine-extension-aaa-ldap-setup also shows searches
>> working correctly.
>>
>> One thing I've discovered is that I can login as "u...@domain.com" but
>> then receive an error as follows.
>>
>>> The user u...@example.com@example.com is not authorized to perform
>>> login
>>
>> How do I enable debug logs? The log entries from the engine.log file
>> are the same as my previous message.
>>
>>
>> On 06/14/2018 06:37 AM, Ondra Machacek wrote:
>>> Can you share the debug log, and also make sure the search user you are
>>> using is correct for example by running the ldapsearch command with it.
>>>
>>> On 06/13/2018 05:33 PM, Michael Watters wrote:
>>>> I've ran the ovirt-engine-extension-aaa-ldap-setup command to configure LDAP authentication using Active Directory however I am unable to authenticate using valid credentials. Here is the output show while testing the login flow.
>>>>
>>>> [ INFO ] Executing login sequence...
>>>> Login output:
>>>> 2018-06-13 11:27:17,931-04 INFO
>>>> 2018-06-13 11:27:17,960-04 INFO Initialization
>>>> 2018-06-13 11:27:17,960-04 INFO
>>>> 2018-06-13 11:27:17,999-04 INFO Loading extension 'example.com-authn'
>>>> 2018-06-13 11:27:18,072-04 INFO Extension 'example.com-authn' loaded
>>>> 2018-06-13 11:27:18,077-04 INFO Loading extension 'example.com-authz'
>>>> 2018-06-13 11:27:18,089-04 INFO Extension 'example.com-authz' loaded
>>>> 2018-06-13 11:27:18,090-04 INFO Initializing extension 'example.com-authn'
>>>> 2018-06-13 11:27:18,091-04 INFO [ovirt-engine-extension-aaa-ldap.authn::example.com-authn] Creating LDAP pool 'authz'
>>>> 2018-06-13 11:27:19,574-04 WARNING Exception: 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839
>>>> 2018-06-13 11:27:19,576-04 INFO [ovirt-engine-extension-aaa-ldap.authn::example.com-authn] Creating LDAP pool 'authn'
>>>> 2018-06-13 11:27:20,668-04 INFO [ovirt-engine-extension-aaa-ldap.authn::example.com-authn] LDAP pool 'authn' information: vendor='null' version='null'
>>>> 2018-06-13 11:27:20,674-04 WARNING Ignoring records from pool: 'authz'
>>>> 2018-06-13 11:27:20,676-04 WARNING Ignoring records from pool: 'authz'
>>>> 2018-06-13 11:27:20,676-04 INFO Extension 'example.com-authn' initialized
>>>> 2018-06-13 11:27:20,677-04 INFO Initializing extension 'example.com-authz'
>>>> 2018-06-13 11:27:20,679-04 INFO [ovirt-engine-extension-aaa-ldap.authz::example.com-authz] Creating LDAP pool 'authz'
>>>> 2018-06-13 11:27:21,270-04 WARNING Exception: 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839
>>>> 2018-06-13 11:27:21,273-04 INFO [ovirt-engine-extension-aaa-ldap.authz::example.com-authz] Creating LDAP pool 'gc'
>>>> 2018-06-13 11:27:22,065-04 WARNING Exception: 80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1
>>>> 2018-06-13 11:27:22,069-04 WARNING Ignoring records from pool: 'authz'
>>>> 2018-06-13 11:27:22,072-04 WARNING Ignoring records from pool: 'authz'
>>>> 2018-06-13 11:27:22,085-04 WARNING Ignoring records from pool: 'authz'
>>>> 2018-06-13 11:27:22,086-04 INFO [ovirt-engine-extension-aaa-ldap.authz::example.com-authz] Available Namespaces: []
>>>> 2018-06-13 11:27:22,087-04 INFO Extension 'example.com-authz' initialized
>>>> 2018-06-13 11:27:22,088-04 INFO Start of enabled extensions list
>>>> 2018-06-13 11:27:22,089-04 INFO Instance name: 'example.com-authz', Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.3.7', Notes: 'Display
[ovirt-users] Re: LDAP logins do not work
This error:

The user u...@example.com@example.com is not authorized to perform login

means that you don't have any role assigned to your user.

Please check following documentation:

https://www.ovirt.org/documentation/admin-guide/chap-Users_and_Roles/#user-authorization

to understand permission model of oVirt.

On 06/14/2018 02:39 PM, Michael Watters wrote:
> ldapsearch works correctly and I'm able to bind to AD without any issues. ovirt-engine-extension-aaa-ldap-setup also shows searches working correctly.
>
> One thing I've discovered is that I can login as "u...@domain.com" but then receive an error as follows.
>
>> The user u...@example.com@example.com is not authorized to perform login
>
> How do I enable debug logs? The log entries from the engine.log file are the same as my previous message.
>
> On 06/14/2018 06:37 AM, Ondra Machacek wrote:
>> Can you share the debug log, and also make sure the search user you are using is correct for example by running the ldapsearch command with it.
>>
>> On 06/13/2018 05:33 PM, Michael Watters wrote:
>>> I've ran the ovirt-engine-extension-aaa-ldap-setup command to configure LDAP authentication using Active Directory however I am unable to authenticate using valid credentials. Here is the output show while testing the login flow.
>>>
>>> [ INFO ] Executing login sequence...
>>> Login output:
>>> 2018-06-13 11:27:17,931-04 INFO
>>> 2018-06-13 11:27:17,960-04 INFO Initialization
>>> 2018-06-13 11:27:17,960-04 INFO
>>> 2018-06-13 11:27:17,999-04 INFO Loading extension 'example.com-authn'
>>> 2018-06-13 11:27:18,072-04 INFO Extension 'example.com-authn' loaded
>>> 2018-06-13 11:27:18,077-04 INFO Loading extension 'example.com-authz'
>>> 2018-06-13 11:27:18,089-04 INFO Extension 'example.com-authz' loaded
>>> 2018-06-13 11:27:18,090-04 INFO Initializing extension 'example.com-authn'
>>> 2018-06-13 11:27:18,091-04 INFO [ovirt-engine-extension-aaa-ldap.authn::example.com-authn] Creating LDAP pool 'authz'
>>> 2018-06-13 11:27:19,574-04 WARNING Exception: 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839
>>> 2018-06-13 11:27:19,576-04 INFO [ovirt-engine-extension-aaa-ldap.authn::example.com-authn] Creating LDAP pool 'authn'
>>> 2018-06-13 11:27:20,668-04 INFO [ovirt-engine-extension-aaa-ldap.authn::example.com-authn] LDAP pool 'authn' information: vendor='null' version='null'
>>> 2018-06-13 11:27:20,674-04 WARNING Ignoring records from pool: 'authz'
>>> 2018-06-13 11:27:20,676-04 WARNING Ignoring records from pool: 'authz'
>>> 2018-06-13 11:27:20,676-04 INFO Extension 'example.com-authn' initialized
>>> 2018-06-13 11:27:20,677-04 INFO Initializing extension 'example.com-authz'
>>> 2018-06-13 11:27:20,679-04 INFO [ovirt-engine-extension-aaa-ldap.authz::example.com-authz] Creating LDAP pool 'authz'
>>> 2018-06-13 11:27:21,270-04 WARNING Exception: 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839
>>> 2018-06-13 11:27:21,273-04 INFO [ovirt-engine-extension-aaa-ldap.authz::example.com-authz] Creating LDAP pool 'gc'
>>> 2018-06-13 11:27:22,065-04 WARNING Exception: 80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1
>>> 2018-06-13 11:27:22,069-04 WARNING Ignoring records from pool: 'authz'
>>> 2018-06-13 11:27:22,072-04 WARNING Ignoring records from pool: 'authz'
>>> 2018-06-13 11:27:22,085-04 WARNING Ignoring records from pool: 'authz'
>>> 2018-06-13 11:27:22,086-04 INFO [ovirt-engine-extension-aaa-ldap.authz::example.com-authz] Available Namespaces: []
>>> 2018-06-13 11:27:22,087-04 INFO Extension 'example.com-authz' initialized
>>> 2018-06-13 11:27:22,088-04 INFO Start of enabled extensions list
>>> 2018-06-13 11:27:22,089-04 INFO Instance name: 'example.com-authz', Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.3.7', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.3.7-1.el7.centos', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/tmp/tmpPQluAI/extensions.d/example.com-authz.properties', Initialized: 'true'
>>> 2018-06-13 11:27:22,089-04 INFO Instance name: 'example.com-authn', Extension name: 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.3.7', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.3.7-1.el7.centos', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/tmp/tmpPQluAI/extensions.d/example.com-authn.properties', Initialized: 'true'
[ovirt-users] Re: LDAP logins do not work
ldapsearch works correctly and I'm able to bind to AD without any issues. ovirt-engine-extension-aaa-ldap-setup also shows searches working correctly.

One thing I've discovered is that I can login as "u...@domain.com" but then receive an error as follows.

> The user u...@example.com@example.com is not authorized to perform login

How do I enable debug logs? The log entries from the engine.log file are the same as my previous message.

On 06/14/2018 06:37 AM, Ondra Machacek wrote:
> Can you share the debug log, and also make sure the search user you are
> using is correct for example by running the ldapsearch command with it.
>
> On 06/13/2018 05:33 PM, Michael Watters wrote:
>> I've ran the ovirt-engine-extension-aaa-ldap-setup command to configure
>> LDAP authentication using Active Directory however I am unable to
>> authenticate using valid credentials. Here is the output show while
>> testing the login flow.
>>
>> [ INFO ] Executing login sequence...
>> Login output:
>> 2018-06-13 11:27:17,931-04 INFO
>>
>> 2018-06-13 11:27:17,960-04 INFO
>> Initialization
>> 2018-06-13 11:27:17,960-04 INFO
>>
>> 2018-06-13 11:27:17,999-04 INFO Loading extension
>> 'example.com-authn'
>> 2018-06-13 11:27:18,072-04 INFO Extension
>> 'example.com-authn' loaded
>> 2018-06-13 11:27:18,077-04 INFO Loading extension
>> 'example.com-authz'
>> 2018-06-13 11:27:18,089-04 INFO Extension
>> 'example.com-authz' loaded
>> 2018-06-13 11:27:18,090-04 INFO Initializing extension
>> 'example.com-authn'
>> 2018-06-13 11:27:18,091-04 INFO
>> [ovirt-engine-extension-aaa-ldap.authn::example.com-authn] Creating LDAP
>> pool 'authz'
>> 2018-06-13 11:27:19,574-04 WARNING Exception: 80090308:
>> LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e,
>> v3839
>> 2018-06-13 11:27:19,576-04 INFO
>> [ovirt-engine-extension-aaa-ldap.authn::example.com-authn] Creating LDAP
>> pool 'authn'
>> 2018-06-13 11:27:20,668-04 INFO
>> [ovirt-engine-extension-aaa-ldap.authn::example.com-authn] LDAP pool
>> 'authn' information: vendor='null' version='null'
>> 2018-06-13 11:27:20,674-04 WARNING Ignoring records from
>> pool:
>> 'authz'
>> 2018-06-13 11:27:20,676-04 WARNING Ignoring records from
>> pool:
>> 'authz'
>> 2018-06-13 11:27:20,676-04 INFO Extension
>> 'example.com-authn' initialized
>> 2018-06-13 11:27:20,677-04 INFO Initializing extension
>> 'example.com-authz'
>> 2018-06-13 11:27:20,679-04 INFO
>> [ovirt-engine-extension-aaa-ldap.authz::example.com-authz] Creating LDAP
>> pool 'authz'
>> 2018-06-13 11:27:21,270-04 WARNING Exception: 80090308:
>> LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e,
>> v3839
>> 2018-06-13 11:27:21,273-04 INFO
>> [ovirt-engine-extension-aaa-ldap.authz::example.com-authz] Creating LDAP
>> pool 'gc'
>> 2018-06-13 11:27:22,065-04 WARNING Exception: 80090308:
>> LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e,
>> v1db1
>> 2018-06-13 11:27:22,069-04 WARNING Ignoring records from
>> pool:
>> 'authz'
>> 2018-06-13 11:27:22,072-04 WARNING Ignoring records from
>> pool:
>> 'authz'
>> 2018-06-13 11:27:22,085-04 WARNING Ignoring records from
>> pool:
>> 'authz'
>> 2018-06-13 11:27:22,086-04 INFO
>> [ovirt-engine-extension-aaa-ldap.authz::example.com-authz] Available
>> Namespaces: []
>> 2018-06-13 11:27:22,087-04 INFO Extension
>> 'example.com-authz' initialized
>> 2018-06-13 11:27:22,088-04 INFO Start of enabled
>> extensions
>> list
>> 2018-06-13 11:27:22,089-04 INFO Instance name:
>> 'example.com-authz', Extension name:
>> 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.3.7', Notes:
>> 'Display name: ovirt-engine-extension-aaa-ldap-1.3.7-1.el7.centos',
>> License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt
>> Project', Build interface Version: '0', File:
>> '/tmp/tmpPQluAI/extensions.d/example.com-authz.properties', Initialized:
>> 'true'
>> 2018-06-13 11:27:22,089-04 INFO Instance name:
>> 'example.com-authn', Extension name:
>> 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.3.7', Notes:
>> 'Display name: ovirt-engine-extension-aaa-ldap-1.3.7-1.el7.centos',
>> License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt
>> Project', Build interface Version: '0', File:
>> '/tmp/tmpPQluAI/extensions.d/example.com-authn.properties', Initialized:
>> 'true'
>> 2018-06-13 11:27:22,090-04 INFO End of enabled
>> extensions list
>> 2018-06-13 11:27:22,090-04 INFO
[ovirt-users] Re: LDAP logins do not work
Can you share the debug log, and also make sure the search user you are using is correct for example by running the ldapsearch command with it.

On 06/13/2018 05:33 PM, Michael Watters wrote:
> I've ran the ovirt-engine-extension-aaa-ldap-setup command to configure LDAP authentication using Active Directory however I am unable to authenticate using valid credentials. Here is the output show while testing the login flow.
>
> [ INFO ] Executing login sequence...
> Login output:
> 2018-06-13 11:27:17,931-04 INFO
> 2018-06-13 11:27:17,960-04 INFO Initialization
> 2018-06-13 11:27:17,960-04 INFO
> 2018-06-13 11:27:17,999-04 INFO Loading extension 'example.com-authn'
> 2018-06-13 11:27:18,072-04 INFO Extension 'example.com-authn' loaded
> 2018-06-13 11:27:18,077-04 INFO Loading extension 'example.com-authz'
> 2018-06-13 11:27:18,089-04 INFO Extension 'example.com-authz' loaded
> 2018-06-13 11:27:18,090-04 INFO Initializing extension 'example.com-authn'
> 2018-06-13 11:27:18,091-04 INFO [ovirt-engine-extension-aaa-ldap.authn::example.com-authn] Creating LDAP pool 'authz'
> 2018-06-13 11:27:19,574-04 WARNING Exception: 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839
> 2018-06-13 11:27:19,576-04 INFO [ovirt-engine-extension-aaa-ldap.authn::example.com-authn] Creating LDAP pool 'authn'
> 2018-06-13 11:27:20,668-04 INFO [ovirt-engine-extension-aaa-ldap.authn::example.com-authn] LDAP pool 'authn' information: vendor='null' version='null'
> 2018-06-13 11:27:20,674-04 WARNING Ignoring records from pool: 'authz'
> 2018-06-13 11:27:20,676-04 WARNING Ignoring records from pool: 'authz'
> 2018-06-13 11:27:20,676-04 INFO Extension 'example.com-authn' initialized
> 2018-06-13 11:27:20,677-04 INFO Initializing extension 'example.com-authz'
> 2018-06-13 11:27:20,679-04 INFO [ovirt-engine-extension-aaa-ldap.authz::example.com-authz] Creating LDAP pool 'authz'
> 2018-06-13 11:27:21,270-04 WARNING Exception: 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839
> 2018-06-13 11:27:21,273-04 INFO [ovirt-engine-extension-aaa-ldap.authz::example.com-authz] Creating LDAP pool 'gc'
> 2018-06-13 11:27:22,065-04 WARNING Exception: 80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1
> 2018-06-13 11:27:22,069-04 WARNING Ignoring records from pool: 'authz'
> 2018-06-13 11:27:22,072-04 WARNING Ignoring records from pool: 'authz'
> 2018-06-13 11:27:22,085-04 WARNING Ignoring records from pool: 'authz'
> 2018-06-13 11:27:22,086-04 INFO [ovirt-engine-extension-aaa-ldap.authz::example.com-authz] Available Namespaces: []
> 2018-06-13 11:27:22,087-04 INFO Extension 'example.com-authz' initialized
> 2018-06-13 11:27:22,088-04 INFO Start of enabled extensions list
> 2018-06-13 11:27:22,089-04 INFO Instance name: 'example.com-authz', Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.3.7', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.3.7-1.el7.centos', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/tmp/tmpPQluAI/extensions.d/example.com-authz.properties', Initialized: 'true'
> 2018-06-13 11:27:22,089-04 INFO Instance name: 'example.com-authn', Extension name: 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.3.7', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.3.7-1.el7.centos', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/tmp/tmpPQluAI/extensions.d/example.com-authn.properties', Initialized: 'true'
> 2018-06-13 11:27:22,090-04 INFO End of enabled extensions list
> 2018-06-13 11:27:22,090-04 INFO
> 2018-06-13 11:27:22,090-04 INFO == Execution ===
> 2018-06-13 11:27:22,091-04 INFO
> 2018-06-13 11:27:22,091-04 INFO Iteration: 0
> 2018-06-13 11:27:22,093-04 INFO Profile='example.com' authn='example.com-authn' authz='example.com-authz' mapping='null'
> 2018-06-13 11:27:22,094-04 INFO API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='example.com' user='d861703'
> 2018-06-13 11:27:22,251-04 INFO API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='example.com'
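
Added example (not part of the original thread, and not oVirt project code): a small Python triage script for the login-test output quoted above. It pairs each "Creating LDAP pool" line with the AcceptSecurityContext error that follows it and decodes the Active Directory "data" sub-code, so you can see which pool's bind was rejected and why. The function and constant names are made up for this example; the sample lines are copied from the log in this thread.

```python
import re

# Active Directory sub-codes reported in the "data NNN" field of a rejected bind.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}
POOL_RE = re.compile(r"\[[^\]]*::(?P<ext>[^\]]+)\] Creating LDAP pool '(?P<pool>[^']+)'")
ERR_RE = re.compile(r"LdapErr: DSID-[0-9A-Fa-f]+, comment: "
                    r"AcceptSecurityContext error, data (?P<data>[0-9A-Fa-f]+)")

def failed_pools(log_text):
    """Return (extension, pool, sub-code, meaning) for every pool whose bind failed."""
    findings, current = [], None
    for line in log_text.splitlines():
        pool = POOL_RE.search(line)
        if pool:
            current = (pool.group("ext"), pool.group("pool"))
            continue
        err = ERR_RE.search(line)
        if err and current:
            code = err.group("data").lower()
            meaning = AD_BIND_SUBCODES.get(code, "unknown sub-code")
            findings.append(current + (code, meaning))
            current = None  # attribute at most one error to each pool creation
    return findings

# Sample input: lines taken from the login-test output quoted in this thread.
SAMPLE = """\
2018-06-13 11:27:18,091-04 INFO [ovirt-engine-extension-aaa-ldap.authn::example.com-authn] Creating LDAP pool 'authz'
2018-06-13 11:27:19,574-04 WARNING Exception: 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839
2018-06-13 11:27:19,576-04 INFO [ovirt-engine-extension-aaa-ldap.authn::example.com-authn] Creating LDAP pool 'authn'
2018-06-13 11:27:20,668-04 INFO [ovirt-engine-extension-aaa-ldap.authn::example.com-authn] LDAP pool 'authn' information: vendor='null' version='null'
2018-06-13 11:27:20,679-04 INFO [ovirt-engine-extension-aaa-ldap.authz::example.com-authz] Creating LDAP pool 'authz'
2018-06-13 11:27:21,270-04 WARNING Exception: 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839
2018-06-13 11:27:21,273-04 INFO [ovirt-engine-extension-aaa-ldap.authz::example.com-authz] Creating LDAP pool 'gc'
2018-06-13 11:27:22,065-04 WARNING Exception: 80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1
"""

if __name__ == "__main__":
    for ext, pool, code, meaning in failed_pools(SAMPLE):
        print(f"{ext}: pool '{pool}' bind rejected, data {code} ({meaning})")
```

On the sample it reports the 'authz' and 'gc' pools as rejected with sub-code 52e, while the 'authn' pool has no error line after it.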