Re: [ovirt-users] Errors while trying to join an external LDAP provider
On Mon, May 23, 2016 at 11:31 AM, Alexis HAUSER <alexis.hau...@telecom-bretagne.eu> wrote:

> > > As I explained, my groups are not in the same dn path as my users. As it
> > > is not possible to add multiple dn path, my only solution is to use users.
> >
> > Well, that's the 1st time I've heard about LDAP setup where users and
> > groups of one domain are not under same baseDN. Usually all LDAP setups
> > have some baseDN (for example 'dc=company,dc=com') and somewhere under this
> > baseDN (not necessarily directly under it) we could find users and groups.
> > The only exception to this is ActiveDirectory with multi-domain trust
> > inside single forest (which we currently support and user of domainA can
> > be a member of a group from domainB) and multi-forest trust (which we
> > don't support).
>
> Oh thank you, it actually helped a lot: I just realize the search was
> "recursive" and now it actually works and seems to solve my problem.

Great news!

> Now I only have to check if adding permissions to group apply to users who
> belong to this group, but I guess it should.
>
> > > Those users have attributes like "member of" which still keep the
> > > information about what group they belong to. I didn't find any way using
> > > the interface to filter by attribute, for example to show all users member
> > > of group "foo".
> >
> > We don't support LDAP searches in the webadmin UI, because we don't
> > distinguish between LDAP (ovirt-engine-extension-aaa-ldap) or database
> > (ovirt-engine-extension-aaa-jdbc) providers, both of them provide users
> > and groups for oVirt using same AAA interface.
>
> And only a part of the attributes are imported to the database (it doesn't
> seem to be able to display them from the web interface)?
> That would be a nice feature to be able to filter from any attribute of
> users.
> Do you think I should open a new RFE bug about it?

We fetch only basic attributes common to all LDAPs, for users we fetch
username, first name, last name, display name, department, title, email and
for groups name and display name. But if you miss some attribute, please
create an RFE bug for that.

Thanks

Martin Perina
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] Errors while trying to join an external LDAP provider
> > As I explained, my groups are not in the same dn path as my users. As it
> > is not possible to add multiple dn path, my only solution is to use users.
>
> Well, that's the 1st time I've heard about LDAP setup where users and
> groups of one domain are not under same baseDN. Usually all LDAP setups
> have some baseDN (for example 'dc=company,dc=com') and somewhere under this
> baseDN (not necessarily directly under it) we could find users and groups.
> The only exception to this is ActiveDirectory with multi-domain trust
> inside single forest (which we currently support and user of domainA can
> be a member of a group from domainB) and multi-forest trust (which we
> don't support).

Oh thank you, it actually helped a lot: I just realize the search was
"recursive" and now it actually works and seems to solve my problem.

Now I only have to check if adding permissions to group apply to users who
belong to this group, but I guess it should.

> > Those users have attributes like "member of" which still keep the
> > information about what group they belong to. I didn't find any way using
> > the interface to filter by attribute, for example to show all users member
> > of group "foo".
>
> We don't support LDAP searches in the webadmin UI, because we don't
> distinguish between LDAP (ovirt-engine-extension-aaa-ldap) or database
> (ovirt-engine-extension-aaa-jdbc) providers, both of them provide users
> and groups for oVirt using same AAA interface.

And only a part of the attributes are imported to the database (it doesn't
seem to be able to display them from the web interface)?
That would be a nice feature to be able to filter from any attribute of
users.
Do you think I should open a new RFE bug about it?
Re: [ovirt-users] Errors while trying to join an external LDAP provider
On Wed, May 18, 2016 at 9:48 AM, Alexis HAUSER <alexis.hau...@telecom-bretagne.eu> wrote:

> > > Is there a way to search for attributes into the ovirt web interface, for
> > > example "memberof"?
> > >
> > > I can't imagine adding hundreds or thousand of users one by one... What
> > > would be the solutions?
> >
> > You can assign specific permission to the group that relevant users are
> > member of (we support also nested groups if needed)
> > and of course you can select multiple users/groups when you assign
> > permissions.
> >
> > If the above is not option for you, could you try to describe what exactly
> > are you trying to achieve?
> >
> > Thanks
> >
> > Martin Perina
>
> As I explained, my groups are not in the same dn path as my users. As it
> is not possible to add multiple dn path, my only solution is to use users.

Well, that's the 1st time I've heard about LDAP setup where users and
groups of one domain are not under same baseDN. Usually all LDAP setups
have some baseDN (for example 'dc=company,dc=com') and somewhere under this
baseDN (not necessarily directly under it) we could find users and groups.
The only exception to this is ActiveDirectory with multi-domain trust
inside single forest (which we currently support and user of domainA can
be a member of a group from domainB) and multi-forest trust (which we
don't support).

> Those users have attributes like "member of" which still keep the
> information about what group they belong to. I didn't find any way using
> the interface to filter by attribute, for example to show all users member
> of group "foo".

We don't support LDAP searches in the webadmin UI, because we don't
distinguish between LDAP (ovirt-engine-extension-aaa-ldap) or database
(ovirt-engine-extension-aaa-jdbc) providers, both of them provide users
and groups for oVirt using same AAA interface.

> I could do that with ldapsearch, but then how would I inject the result to
> ovirt configuration to add those users to specific ovirt roles ("ovirt
> permission groups")?

So the only way that comes to my mind is to use one of our SDKs (Python,
Java, Ruby). You would need to implement LDAP query by yourself and then add
wanted permission to those users using our SDKs.

Martin Perina
Re: [ovirt-users] Errors while trying to join an external LDAP provider
> > Is there a way to search for attributes into the ovirt web interface, for
> > example "memberof"?
> >
> > I can't imagine adding hundreds or thousand of users one by one... What
> > would be the solutions?
>
> You can assign specific permission to the group that relevant users are
> member of (we support also nested groups if needed)
> and of course you can select multiple users/groups when you assign
> permissions.
>
> If the above is not option for you, could you try to describe what exactly
> are you trying to achieve?
>
> Thanks
>
> Martin Perina

As I explained, my groups are not in the same dn path as my users. As it
is not possible to add multiple dn path, my only solution is to use users.

Those users have attributes like "member of" which still keep the
information about what group they belong to. I didn't find any way using
the interface to filter by attribute, for example to show all users member
of group "foo".

I could do that with ldapsearch, but then how would I inject the result to
ovirt configuration to add those users to specific ovirt roles ("ovirt
permission groups")?
Re: [ovirt-users] Errors while trying to join an external LDAP provider
On Tue, May 17, 2016 at 3:36 PM, Alexis HAUSER <alexis.hau...@telecom-bretagne.eu> wrote:

> > > Is it possible now to search for groups instead of users / manipulate
> > > groups in the web interface?
> >
> > Sure, if you type some search term into UI users/permissions dialog it
> > will also search for groups.
>
> Is there a way to search for attributes into the ovirt web interface, for
> example "memberof"?
>
> I can't imagine adding hundreds or thousand of users one by one... What
> would be the solutions?

You can assign specific permission to the group that relevant users are
member of (we support also nested groups if needed)
and of course you can select multiple users/groups when you assign
permissions.

If the above is not option for you, could you try to describe what exactly
are you trying to achieve?

Thanks

Martin Perina
Re: [ovirt-users] Errors while trying to join an external LDAP provider
> > Is it possible now to search for groups instead of users / manipulate
> > groups in the web interface?
>
> Sure, if you type some search term into UI users/permissions dialog it
> will also search for groups.

Is there a way to search for attributes into the ovirt web interface, for
example "memberof"?

I can't imagine adding hundreds or thousand of users one by one... What
would be the solutions?
Re: [ovirt-users] Errors while trying to join an external LDAP provider
> > Is it possible now to search for groups instead of users / manipulate
> > groups in the web interface?
>
> Sure, if you type some search term into UI users/permissions dialog it
> will also search for groups.

Thank you for all your answers, we can say my problem is now solved.

> Note in 4.0 we have split groups and users, and you have to select which type
> you want to search for. This is to reduce the number of queries to the LDAP
> server.

Interesting, I'll have a look at all the features.

> > In that case, the dn would be different, is it possible to specify
> > multiple dn namespaces?
>
> Unfortunately, it's not currently possible, but feel free to open an
> RFE in bugzilla for this feature, we can implement it in future version
> if needed.

I already spend my days on the bugzilla for both ovirt and RHEV, but I'll add
this to my list :)
Re: [ovirt-users] Errors while trying to join an external LDAP provider
On Tuesday, May 03, 2016 03:58:27 PM Ondra Machacek wrote:
> On 05/03/2016 03:13 PM, Alexis HAUSER wrote:
> > > Or do you use rfc2307? You can find out running this command:
> > > LDAPTLS_REQCERT=never ldapsearch -x -H ldaps://myldap -b
> > > 'ou=people,o=unix,dc=somewhere,dc=any' -D
> > > 'cn=mysearchuser,ou=admin,o=unix,dc=somewhere,dc=any' -W
> > > '(&(objectClass=posixAccount)(uid=*)(uid=myuser))'
> > >
> > > If ^this command will find your user then just change in
> > > /etc/ovirt-engine/aaa/your_profile.properties:
> > >
> > > include =
> > >
> > > to
> > >
> > > include =
> >
> > Actually you pointed exactly on the problem: this LDAP was using rfc2307
> > but I ignored it! Thanks a lot, now I can login with users, that's
> > almost perfect!
> >
> > Is it possible now to search for groups instead of users / manipulate
> > groups in the web interface?
>
> Sure, if you type some search term into UI users/permissions dialog it
> will also search for groups.

Note in 4.0 we have split groups and users, and you have to select which type
you want to search for. This is to reduce the number of queries to the LDAP
server.

> > In that case, the dn would be different, is it possible to specify
> > multiple dn namespaces?
>
> Unfortunately, it's not currently possible, but feel free to open an
> RFE in bugzilla for this feature, we can implement it in future version
> if needed.
>
> > One quick question unrelated to this topic (as I can see an @redhat in
> > your mail): I'm trying to set up in parallel a RHEV server with only the
> > free 60 days evaluation, do you have any idea where I should ask for help
> > (as support only applies if you pay, if I understand), a similar mailing
> > list or something?
>
> I am sorry, but I am really not sure about this, maybe there is some
> limited support even with the trial, but best to ask the support directly.
>
> > > Thanks,
> > > for some reason it can't find the user 'myuser'.
> >
> > Yes, I changed all information about users, domain name etc for
> > confidentiality.
> >
> > > The search command that is executed is:
> > > LDAPTLS_REQCERT=never ldapsearch -x -H ldaps://myldap -b
> > > 'ou=people,o=unix,dc=somewhere,dc=any' -D
> > > 'cn=mysearchuser,ou=admin,o=unix,dc=somewhere,dc=any' -W
> > > '(&(objectClass=uidObject)(uid=*)(uid=myuser))'
> > >
> > > Is that searchbase (-b param) ok?
> >
> > Yes
> >
> > > Does 'cn=mysearchuser' user have appropriate permissions to see users?
> >
> > Yes
Re: [ovirt-users] Errors while trying to join an external LDAP provider
On 05/03/2016 03:13 PM, Alexis HAUSER wrote:
> > Or do you use rfc2307? You can find out running this command:
> > LDAPTLS_REQCERT=never ldapsearch -x -H ldaps://myldap -b
> > 'ou=people,o=unix,dc=somewhere,dc=any' -D
> > 'cn=mysearchuser,ou=admin,o=unix,dc=somewhere,dc=any' -W
> > '(&(objectClass=posixAccount)(uid=*)(uid=myuser))'
> >
> > If ^this command will find your user then just change in
> > /etc/ovirt-engine/aaa/your_profile.properties:
> >
> > include =
> >
> > to
> >
> > include =
>
> Actually you pointed exactly on the problem: this LDAP was using rfc2307
> but I ignored it! Thanks a lot, now I can login with users, that's
> almost perfect!
>
> Is it possible now to search for groups instead of users / manipulate
> groups in the web interface?

Sure, if you type some search term into UI users/permissions dialog it
will also search for groups.

> In that case, the dn would be different, is it possible to specify
> multiple dn namespaces?

Unfortunately, it's not currently possible, but feel free to open an
RFE in bugzilla for this feature, we can implement it in future version
if needed.

> One quick question unrelated to this topic (as I can see an @redhat in
> your mail): I'm trying to set up in parallel a RHEV server with only the
> free 60 days evaluation, do you have any idea where I should ask for help
> (as support only applies if you pay, if I understand), a similar mailing
> list or something?

I am sorry, but I am really not sure about this, maybe there is some
limited support even with the trial, but best to ask the support directly.

> > Thanks,
> > for some reason it can't find the user 'myuser'.
>
> Yes, I changed all information about users, domain name etc for
> confidentiality.
>
> > The search command that is executed is:
> > LDAPTLS_REQCERT=never ldapsearch -x -H ldaps://myldap -b
> > 'ou=people,o=unix,dc=somewhere,dc=any' -D
> > 'cn=mysearchuser,ou=admin,o=unix,dc=somewhere,dc=any' -W
> > '(&(objectClass=uidObject)(uid=*)(uid=myuser))'
> >
> > Is that searchbase (-b param) ok?
>
> Yes
>
> > Does 'cn=mysearchuser' user have appropriate permissions to see users?
>
> Yes
Re: [ovirt-users] Errors while trying to join an external LDAP provider
> Or do you use rfc2307? You can find out running this command:
> LDAPTLS_REQCERT=never ldapsearch -x -H ldaps://myldap -b
> 'ou=people,o=unix,dc=somewhere,dc=any' -D
> 'cn=mysearchuser,ou=admin,o=unix,dc=somewhere,dc=any' -W
> '(&(objectClass=posixAccount)(uid=*)(uid=myuser))'
>
> If ^this command will find your user then just change in
> /etc/ovirt-engine/aaa/your_profile.properties:
>
> include =
>
> to
>
> include =

Actually you pointed exactly on the problem: this LDAP was using rfc2307
but I ignored it! Thanks a lot, now I can login with users, that's
almost perfect!

Is it possible now to search for groups instead of users / manipulate
groups in the web interface?

In that case, the dn would be different, is it possible to specify
multiple dn namespaces?

One quick question unrelated to this topic (as I can see an @redhat in
your mail): I'm trying to set up in parallel a RHEV server with only the
free 60 days evaluation, do you have any idea where I should ask for help
(as support only applies if you pay, if I understand), a similar mailing
list or something?

> Thanks,
> for some reason it can't find the user 'myuser'.

Yes, I changed all information about users, domain name etc for
confidentiality.

> The search command that is executed is:
> LDAPTLS_REQCERT=never ldapsearch -x -H ldaps://myldap -b
> 'ou=people,o=unix,dc=somewhere,dc=any' -D
> 'cn=mysearchuser,ou=admin,o=unix,dc=somewhere,dc=any' -W
> '(&(objectClass=uidObject)(uid=*)(uid=myuser))'
>
> Is that searchbase (-b param) ok?

Yes

> Does 'cn=mysearchuser' user have appropriate permissions to see users?

Yes
Re: [ovirt-users] Errors while trying to join an external LDAP provider
On 05/03/2016 11:58 AM, Alexis HAUSER wrote:
> > > Thank you, now I see the correct namespace shown, but still no way to
> > > login with any user... Any idea?
> >
> > Hard to say without logs, can you please share log output of
> > ovirt-engine-extensions-tool? Please run it with:
> >
> > ovirt-engine-extensions-tool --log-level=FINEST --log-file=output.log aaa login-user --profile=xxx --user-name=xxx
>
> I attached the log file

Thanks,
for some reason it can't find the user 'myuser'.

The search command that is executed is:
LDAPTLS_REQCERT=never ldapsearch -x -H ldaps://myldap -b
'ou=people,o=unix,dc=somewhere,dc=any' -D
'cn=mysearchuser,ou=admin,o=unix,dc=somewhere,dc=any' -W
'(&(objectClass=uidObject)(uid=*)(uid=myuser))'

Is that searchbase (-b param) ok?
Does 'cn=mysearchuser' user have appropriate permissions to see users?

Or do you use rfc2307? You can find out running this command:
LDAPTLS_REQCERT=never ldapsearch -x -H ldaps://myldap -b
'ou=people,o=unix,dc=somewhere,dc=any' -D
'cn=mysearchuser,ou=admin,o=unix,dc=somewhere,dc=any' -W
'(&(objectClass=posixAccount)(uid=*)(uid=myuser))'

If ^this command will find your user then just change in
/etc/ovirt-engine/aaa/your_profile.properties:

include =

to

include =
Re: [ovirt-users] Errors while trying to join an external LDAP provider
On 05/03/2016 11:03 AM, Alexis HAUSER wrote:
> > > However, I can't login with any user... But with ldapsearch I can find those
> > > users with uid=user
> > >
> > > I used ovirt-engine-extensions-tool aaa login-user --profile=xxx --user-name=xxx
> > > and I realize now what is the problem: the available namespaces shows the
> > > wrong dn. It should be instead one level above (or it will not possible to
> > > find the users)
> > >
> > > Any idea how I can change that in the configuration?
> >
> > You can specify custom base DN, which overrides the one which is
> > automatically resolved if you add following lines into
> > /etc/ovirt-engine/aaa/your_profile.properties:
> >
> > sequence-init.init.100-my-basedn-init-vars = my-basedn-init
> > sequence.my-basedn-init.010.description = set custom baseDN
> > sequence.my-basedn-init.010.type = var-set
> > sequence.my-basedn-init.010.var-set.variable = simple_baseDN
> > sequence.my-basedn-init.010.var-set.value = dc=your,dc=different,dc=dn
>
> Thank you, now I see the correct namespace shown, but still no way to login
> with any user... Any idea?

Hard to say without logs, can you please share log output of
ovirt-engine-extensions-tool? Please run it with:

ovirt-engine-extensions-tool --log-level=FINEST --log-file=output.log aaa login-user --profile=xxx --user-name=xxx
Re: [ovirt-users] Errors while trying to join an external LDAP provider
> > However, I can't login with any user... But with ldapsearch I can find those
> > users with uid=user
> >
> > I used ovirt-engine-extensions-tool aaa login-user --profile=xxx --user-name=xxx
> > and I realize now what is the problem: the available namespaces shows the
> > wrong dn. It should be instead one level above (or it will not possible to
> > find the users)
> >
> > Any idea how I can change that in the configuration?
>
> You can specify custom base DN, which overrides the one which is
> automatically resolved if you add following lines into
> /etc/ovirt-engine/aaa/your_profile.properties:
>
> sequence-init.init.100-my-basedn-init-vars = my-basedn-init
> sequence.my-basedn-init.010.description = set custom baseDN
> sequence.my-basedn-init.010.type = var-set
> sequence.my-basedn-init.010.var-set.variable = simple_baseDN
> sequence.my-basedn-init.010.var-set.value = dc=your,dc=different,dc=dn

Thank you, now I see the correct namespace shown, but still no way to login
with any user... Any idea?
Re: [ovirt-users] Errors while trying to join an external LDAP provider
On 05/03/2016 10:28 AM, Alexis HAUSER wrote:
> > Are you sure you've specified correct CA?
> >
> > Can you try running this command:
> > LDAPTLS_CACERT=your_ldap_ca_cert.crt ldapsearch -H ldaps://@HOST@ -x -D '@USERDN@' -w '@USERPW@' -b '@BASEDN@'
> >
> > If it fails then most probably you have incorrect CA certificate.
> > If it succeeds, please open bug in bugzilla with logs of setup tool if
> > possible.
>
> Oh I'm sorry, that was actually a certificate problem... With the right
> certificate, I can now join the LDAP provider.
>
> However, I can't login with any user... But with ldapsearch I can find those
> users with uid=user
>
> I used ovirt-engine-extensions-tool aaa login-user --profile=xxx --user-name=xxx
> and I realize now what is the problem: the available namespaces shows the
> wrong dn. It should be instead one level above (or it will not possible to
> find the users)
>
> Any idea how I can change that in the configuration?

You can specify custom base DN, which overrides the one which is
automatically resolved if you add following lines into
/etc/ovirt-engine/aaa/your_profile.properties:

sequence-init.init.100-my-basedn-init-vars = my-basedn-init
sequence.my-basedn-init.010.description = set custom baseDN
sequence.my-basedn-init.010.type = var-set
sequence.my-basedn-init.010.var-set.variable = simple_baseDN
sequence.my-basedn-init.010.var-set.value = dc=your,dc=different,dc=dn
Re: [ovirt-users] Errors while trying to join an external LDAP provider
> Are you sure you've specified correct CA?
>
> Can you try running this command:
> LDAPTLS_CACERT=your_ldap_ca_cert.crt ldapsearch -H ldaps://@HOST@ -x -D '@USERDN@' -w '@USERPW@' -b '@BASEDN@'
>
> If it fails then most probably you have incorrect CA certificate.
> If it succeeds, please open bug in bugzilla with logs of setup tool if
> possible.

Oh I'm sorry, that was actually a certificate problem... With the right
certificate, I can now join the LDAP provider.

However, I can't login with any user... But with ldapsearch I can find those
users with uid=user

I used ovirt-engine-extensions-tool aaa login-user --profile=xxx --user-name=xxx
and I realize now what is the problem: the available namespaces shows the
wrong dn. It should be instead one level above (or it will not possible to
find the users)

Any idea how I can change that in the configuration?
Re: [ovirt-users] Errors while trying to join an external LDAP provider
On 05/02/2016 03:02 PM, Alexis HAUSER wrote:
> > I am unsure I understand. What is missing in interactive setup to
> > properly setup TLS?
> > You just enter CA certificate path/url/system and Java keystore file is
> > created for you by the tool.
>
> I'll try to generate a new file with the interactive setup and tell you if
> the result is different.
>
> So, here is my problem when using the interactive setup:
>
> [ INFO ] Connecting to LDAP using 'ldaps://:636'
> [WARNING] Cannot connect using 'ldaps://:636': {'info': "TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.", 'desc': "Can't contact LDAP server"}
> [ ERROR ] Cannot connect using any of available options

Are you sure you've specified correct CA?

Can you try running this command:
LDAPTLS_CACERT=your_ldap_ca_cert.crt ldapsearch -H ldaps://@HOST@ -x -D '@USERDN@' -w '@USERPW@' -b '@BASEDN@'

If it fails then most probably you have incorrect CA certificate.
If it succeeds, please open bug in bugzilla with logs of setup tool if
possible.
Re: [ovirt-users] Errors while trying to join an external LDAP provider
> > I am unsure I understand. What is missing in interactive setup to
> > properly setup TLS?
> > You just enter CA certificate path/url/system and Java keystore file is
> > created for you by the tool.
>
> I'll try to generate a new file with the interactive setup and tell you if
> the result is different.

So, here is my problem when using the interactive setup:

[ INFO ] Connecting to LDAP using 'ldaps://:636'
[WARNING] Cannot connect using 'ldaps://:636': {'info': "TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.", 'desc': "Can't contact LDAP server"}
[ ERROR ] Cannot connect using any of available options
Re: [ovirt-users] Errors while trying to join an external LDAP provider
> > Yes this is actually the tool I used first, then I modified manually as on
> > the documentation.
> >
> > The problem in this approach is the fact you need a .profile file to be able
> > to set up a TLS connection between the LDAP and the engine. But this file
> > is generated after the interactive setup. But the interactive setup doesn't
> > allow you to setup things properly as the TLS isn't set up...
>
> I am unsure I understand. What is missing in interactive setup to
> properly setup TLS?
> You just enter CA certificate path/url/system and Java keystore file is
> created for you by the tool.

Interesting, so it's only an error in the Red Hat Documentation. If you check
on the administrative guide, the prerequisite for using the interactive tool
is to have a TLS connection set up between LDAP and the engine:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/sect-Configuring_an_External_LDAP_Provider.html

But when you follow the link to set up this TLS connection, it makes you
create the java keystore and modify the "profile1.properties" manually... Which
doesn't exist because the interactive setup hasn't been done yet... I'll
report this on their bugzilla.

I'll try to generate a new file with the interactive setup and tell you if
the result is different.

> > So I had to setup things with "insecure" mode and then edit it manually...
Re: [ovirt-users] Errors while trying to join an external LDAP provider
On 05/02/2016 09:35 AM, Alexis HAUSER wrote:
> > > Should I report this on the bugzilla?
> >
> > You can, but I believe this is not bug, but some misconfiguration, many
> > times I've tried completely similar setup and it worked.
> >
> > Btw.. did you use 'ovirt-engine-extension-aaa-ldap-setup'? If not you
> > can install it.
> >
> > $ yum install ovirt-engine-extension-aaa-ldap-setup
> >
> > Then just run:
> >
> > $ ovirt-engine-extension-aaa-ldap-setup
> >
> > And follow the steps. This tool handles for you all perms and typos
> > issues, which could be introduced by manually creating those properties
> > files.
>
> Yes this is actually the tool I used first, then I modified manually as on
> the documentation.
>
> The problem in this approach is the fact you need a .profile file to be able
> to set up a TLS connection between the LDAP and the engine. But this file
> is generated after the interactive setup. But the interactive setup doesn't
> allow you to setup things properly as the TLS isn't set up...

I am unsure I understand. What is missing in interactive setup to
properly setup TLS?
You just enter CA certificate path/url/system and Java keystore file is
created for you by the tool.

> So I had to setup things with "insecure" mode and then edit it manually...
Re: [ovirt-users] Errors while trying to join an external LDAP provider
> > Should I report this on the bugzilla?
>
> You can, but I believe this is not bug, but some misconfiguration, many
> times I've tried completely similar setup and it worked.
>
> Btw.. did you use 'ovirt-engine-extension-aaa-ldap-setup'? If not you
> can install it.
>
> $ yum install ovirt-engine-extension-aaa-ldap-setup
>
> Then just run:
>
> $ ovirt-engine-extension-aaa-ldap-setup
>
> And follow the steps. This tool handles for you all perms and typos
> issues, which could be introduced by manually creating those properties
> files.

Yes this is actually the tool I used first, then I modified manually as on
the documentation.

The problem in this approach is the fact you need a .profile file to be able
to set up a TLS connection between the LDAP and the engine. But this file
is generated after the interactive setup. But the interactive setup doesn't
allow you to setup things properly as the TLS isn't set up...

So I had to setup things with "insecure" mode and then edit it manually...
Re: [ovirt-users] Errors while trying to join an external LDAP provider
On 04/29/2016 03:03 PM, Alexis HAUSER wrote:
> > > > pool.default.ssl.truststore.file = /tmp/.jks
> > >
> > > Maybe trailing space here ^ ?
> > >
> > > > pool.default.ssl.truststore.password =
> >
> > Sadly it doesn't help
> >
> > > So please ensure also that file '/tmp/.jks' is readable by ovirt
> > > user. The configuration looks fine.
>
> All permissions are given. The problem is still the same...
>
> Should I report this on the bugzilla?

You can, but I believe this is not bug, but some misconfiguration, many
times I've tried completely similar setup and it worked.

Btw.. did you use 'ovirt-engine-extension-aaa-ldap-setup'? If not you
can install it.

$ yum install ovirt-engine-extension-aaa-ldap-setup

Then just run:

$ ovirt-engine-extension-aaa-ldap-setup

And follow the steps. This tool handles for you all perms and typos
issues, which could be introduced by manually creating those properties
files.
Re: [ovirt-users] Errors while trying to join an external LDAP provider
> > > pool.default.ssl.truststore.file = /tmp/.jks
> >
> > Maybe trailing space here ^ ?
> >
> > > pool.default.ssl.truststore.password =
>
> Sadly it doesn't help
>
> > So please ensure also that file '/tmp/.jks' is readable by ovirt
> > user. The configuration looks fine.
>
> All permissions are given. The problem is still the same...

Should I report this on the bugzilla?
Re: [ovirt-users] Errors while trying to join an external LDAP provider
On 04/29/2016 02:27 PM, Alexis HAUSER wrote:
> > > pool.default.ssl.truststore.file = /tmp/.jks
> >
> > Maybe trailing space here ^ ?
> >
> > > pool.default.ssl.truststore.password =
> >
> > > Sadly it doesn't help
> >
> > So please ensure also that file '/tmp/.jks' is readable by ovirt
> > user. The configuration looks fine.
>
> All permissions are given. The problem is still the same...

Please check also SELinux.

Can you please send 'tool.log' generated from the following command?

$ ovirt-engine-extensions-tool --log-level=FINEST --log-file=tool.log aaa search --entity-name=* --extension-name=your_openldap_authz_name
Re: [ovirt-users] Errors while trying to join an external LDAP provider
> > pool.default.ssl.truststore.file = /tmp/.jks
>
> Maybe trailing space here ^ ?
>
> > pool.default.ssl.truststore.password =
>
> > Sadly it doesn't help
>
> So please ensure also that file '/tmp/.jks' is readable by ovirt
> user. The configuration looks fine.

All permissions are given. The problem is still the same...
Re: [ovirt-users] Errors while trying to join an external LDPA provider
On 04/28/2016 06:02 PM, Alexis HAUSER wrote:
>>> pool.default.ssl.truststore.file = /tmp/.jks
>>
>> Maybe trailing space here ^ ?
>>
>>> pool.default.ssl.truststore.password =
>
> Sadly it doesn't help

So please ensure also that file '/tmp/.jks' is readable by ovirt user. The configuration looks fine.
Re: [ovirt-users] Errors while trying to join an external LDPA provider
>> pool.default.ssl.truststore.file = /tmp/.jks
>
> Maybe trailing space here ^ ?
>
>> pool.default.ssl.truststore.password =

Sadly it doesn't help
Re: [ovirt-users] Errors while trying to join an external LDPA provider
On 04/28/2016 02:59 PM, Alexis HAUSER wrote:
> Hi,
>
> I'm using 3.6.3.4-1.el7.centos and I'm having trouble joining an LDAP provider.
> When I try to log in to the new profile, I get a "general command validation failure" error.
>
> This is what I can get from ovirt-engine/engine.log :
>
> tail -n 400 /var/log/ovirt-engine/engine.log | grep -i error
>
> 2016-04-28 09:27:08,355 WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (default task-56) [] [ovirt-engine-extension-aaa-ldap.authn::public-authn] Cannot initialize LDAP framework, deferring initialization. Error: /etc/ovirt-engine/aaa/.jks (No such file or directory)
> 2016-04-28 09:27:08,356 ERROR [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-56) [] Error during CanDoActionFailure.: Class: class org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException
> 2016-04-28 09:27:13,941 WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (default task-58) [] [ovirt-engine-extension-aaa-ldap.authn::public-authn] Cannot initialize LDAP framework, deferring initialization. Error: /etc/ovirt-engine/aaa/.jks (No such file or directory)
> 2016-04-28 09:27:13,941 ERROR [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-58) [] Error during CanDoActionFailure.: Class: class org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException
>
> I checked the permissions of the file and its path and they are all right.
> Changing the path to /tmp/xxx.jks didn't help either.
>
> Here is my .profile :
>
> include = 
> vars.server = 
> vars.user = cn=,ou=,o=,dc=,dc=
> vars.password = 
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
> pool.default.serverset.type = single
> pool.default.serverset.single.server = ${global:vars.server}
> pool.default.ssl.enable = true
> pool.default.serverset.single.port = 636
> pool.default.ssl.truststore.file = /tmp/.jks

Maybe trailing space here ^ ?

> pool.default.ssl.truststore.password = 
>
> Any idea how to deal with that problem ?
[ovirt-users] Errors while trying to join an external LDPA provider
Hi,

I'm using 3.6.3.4-1.el7.centos and I'm having trouble joining an LDAP provider.
When I try to log in to the new profile, I get a "general command validation failure" error.

This is what I can get from ovirt-engine/engine.log :

tail -n 400 /var/log/ovirt-engine/engine.log | grep -i error

2016-04-28 09:27:08,355 WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (default task-56) [] [ovirt-engine-extension-aaa-ldap.authn::public-authn] Cannot initialize LDAP framework, deferring initialization. Error: /etc/ovirt-engine/aaa/.jks (No such file or directory)
2016-04-28 09:27:08,356 ERROR [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-56) [] Error during CanDoActionFailure.: Class: class org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException
2016-04-28 09:27:13,941 WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (default task-58) [] [ovirt-engine-extension-aaa-ldap.authn::public-authn] Cannot initialize LDAP framework, deferring initialization. Error: /etc/ovirt-engine/aaa/.jks (No such file or directory)
2016-04-28 09:27:13,941 ERROR [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (default task-58) [] Error during CanDoActionFailure.: Class: class org.ovirt.engine.core.extensions.mgr.ExtensionInvokeCommandFailedException

I checked the permissions of the file and its path and they are all right.
Changing the path to /tmp/xxx.jks didn't help either.

Here is my .profile :

include = 
vars.server = 
vars.user = cn=,ou=,o=,dc=,dc=
vars.password = 
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = single
pool.default.serverset.single.server = ${global:vars.server}
pool.default.ssl.enable = true
pool.default.serverset.single.port = 636
pool.default.ssl.truststore.file = /tmp/.jks
pool.default.ssl.truststore.password = 

Any idea how to deal with that problem ?