Re: [ovirt-users] ovirt-engine-extension-aaa-ldap active directory

2017-10-10 Thread Martin Perina
Hi,

most probably you are affected by [1], so could you please check the
certificates on all your AD servers?
You can verify using the following command:

  ovirt-engine-extensions-tool --log-level=FINEST aaa login-user
--user-name= --profile=


Thanks

Martin

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1465463


On Tue, Oct 10, 2017 at 6:13 PM, Luca 'remix_tj' Lorenzetto <
lorenzetto.l...@gmail.com> wrote:

> On Tue, Oct 10, 2017 at 4:41 PM, nicola gentile
>  wrote:
> > I ran the command you suggested:
> > ldapsearch -h domaincontroller.dom.it -b "dc=dom,dc=it" -D u...@dom.it
> > -W -x sAMAccountName=user_to_search userPrincipalName | grep
> > userPrincipalName
> >
> > This is the result:
> >
> > Enter LDAP Password:
> > # requesting: userPrincipalName
> >
>
> Supposing you're using all the right parameters in the ldapsearch command,
> it seems that the user you were looking up is not a valid user in that
> directory server.
>
> Please check with someone who can access AD and verify the status
> of the user with ADSI Edit.
>
> Luca
>
>
> --
> "It is absurd to employ men of excellent intelligence to do
> calculations that could be entrusted to anyone if machines were
> used"
> Gottfried Wilhelm von Leibniz, Philosopher and Mathematician (1646-1716)
>
> "The Internet is the largest library in the world.
> But the problem is that the books are all scattered on the floor"
> John Allen Paulos, Mathematician (1945-living)
>
> Luca 'remix_tj' Lorenzetto, http://www.remixtj.net , <
> lorenzetto.l...@gmail.com>
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>


Re: [ovirt-users] ovirt-engine-extension-aaa-ldap active directory

2017-10-10 Thread Luca 'remix_tj' Lorenzetto
On Tue, Oct 10, 2017 at 4:41 PM, nicola gentile
 wrote:
> I ran the command you suggested:
> ldapsearch -h domaincontroller.dom.it -b "dc=dom,dc=it" -D u...@dom.it
> -W -x sAMAccountName=user_to_search userPrincipalName | grep
> userPrincipalName
>
> This is the result:
>
> Enter LDAP Password:
> # requesting: userPrincipalName
>

Supposing you're using all the right parameters in the ldapsearch command,
it seems that the user you were looking up is not a valid user in that
directory server.

Please check with someone who can access AD and verify the status
of the user with ADSI Edit.

Luca




Re: [ovirt-users] ovirt-engine-extension-aaa-ldap active directory

2017-10-10 Thread nicola gentile
Yes, it is AD.
Nick

2017-10-10 16:41 GMT+02:00 nicola gentile :
> I ran the command you suggested:
> ldapsearch -h domaincontroller.dom.it -b "dc=dom,dc=it" -D u...@dom.it
> -W -x sAMAccountName=user_to_search userPrincipalName | grep
> userPrincipalName
>
> This is the result:
>
> Enter LDAP Password:
> # requesting: userPrincipalName
>
> Nick
>
> 2017-10-10 16:21 GMT+02:00 Luca 'remix_tj' Lorenzetto
> :
>> On Tue, Oct 10, 2017 at 4:06 PM, nicola gentile
>>  wrote:
>>> include = 
>>>
>>> vars.domain = dom.it
>>> vars.user = CN=myuser,OU=spuser,DC=dom,DC=it
>>> vars.password = x
>>>
>>> pool.default.auth.simple.bindDN = ${global:vars.user}
>>> pool.default.auth.simple.password = ${global:vars.password}
>>> pool.default.serverset.type = srvrecord
>>> pool.default.serverset.srvrecord.domain = ${global:vars.domain}
>>> pool.default.ssl.startTLS = true
>>> pool.default.ssl.truststore.file = ${local:_basedir}/polito.it.jks
>>> pool.default.ssl.truststore.password = changeit
>>
>> Is it an AD?
>>
>> Can you check if the userPrincipalName of the user you're trying to use
>> for connecting contains the login name in the format
>> u...@domain.fqdn?
>>
>> I had issues with users whose userPrincipalName was wrongly formatted.
>> You should find nicola.gent...@polito.it in that field.
>>
>> You can check in this way:
>>
>> ldapsearch -h domaincontroller.dom.it -b "dc=dom,dc=it" -D u...@dom.it
>> -W -x sAMAccountName=user_to_search userPrincipalName | grep
>> userPrincipalName
>>
>>
>> Luca
>>
>>
>>


Re: [ovirt-users] ovirt-engine-extension-aaa-ldap active directory

2017-10-10 Thread Luca 'remix_tj' Lorenzetto
On Tue, Oct 10, 2017 at 4:06 PM, nicola gentile
 wrote:
> include = 
>
> vars.domain = dom.it
> vars.user = CN=myuser,OU=spuser,DC=dom,DC=it
> vars.password = x
>
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
> pool.default.serverset.type = srvrecord
> pool.default.serverset.srvrecord.domain = ${global:vars.domain}
> pool.default.ssl.startTLS = true
> pool.default.ssl.truststore.file = ${local:_basedir}/polito.it.jks
> pool.default.ssl.truststore.password = changeit

Is it an AD?

Can you check if the userPrincipalName of the user you're trying to use
for connecting contains the login name in the format
u...@domain.fqdn?

I had issues with users whose userPrincipalName was wrongly formatted.
You should find nicola.gent...@polito.it in that field.

You can check in this way:

ldapsearch -h domaincontroller.dom.it -b "dc=dom,dc=it" -D u...@dom.it
-W -x sAMAccountName=user_to_search userPrincipalName | grep
userPrincipalName


Luca



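The ldapsearch check Luca describes above returns LDIF, and reading it by eye misses folded lines and base64-encoded values (ldapsearch base64-encodes any value with leading or trailing whitespace, which is exactly the kind of "wrongly formatted" UPN that is invisible in the output). The script below is an added example, not code from this thread or from ovirt-engine: it parses ldapsearch's LDIF, unfolding continuation lines and decoding `attr:: base64` values, and reports every entry whose userPrincipalName is not `user@domain.fqdn` with the profile's domain as suffix. The sample LDIF, the domain `dom.it` (the placeholder used in the thread) and the names `audit`, `parse_ldif` and `upn_problems` are all constructed here.

```python
"""Audit userPrincipalName values from ldapsearch LDIF output.

Constructed example; not code from the ovirt-users thread or from ovirt-engine.
"""
import base64

# Constructed ldapsearch output, not real directory data. The third entry's
# UPN is folded over two lines; the fourth carries a trailing space, which
# ldapsearch emits base64-encoded ("Z2l1bGlhQGRvbS5pdCA=" is "giulia@dom.it ").
SAMPLE_LDIF = """\
# extended LDIF
# requesting: sAMAccountName userPrincipalName
#
dn: CN=Mario Rossi,OU=Users,DC=dom,DC=it
sAMAccountName: mrossi
userPrincipalName: mrossi@dom.it

dn: CN=Anna Bianchi,OU=Users,DC=dom,DC=it
sAMAccountName: abianchi
userPrincipalName: abianchi

dn: CN=Long Name,OU=Users,DC=dom,DC=it
sAMAccountName: lname
userPrincipalName: lname@corp.ex
 ample.net

dn: CN=Giulia Verdi,OU=Users,DC=dom,DC=it
sAMAccountName: giulia
userPrincipalName:: Z2l1bGlhQGRvbS5pdCA=
"""


def unfold(text):
    """Join LDIF continuation lines (those starting with a space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries, each a dict {attribute: [values]}."""
    entries, current = [], {}
    for line in unfold(text):
        if not line.strip():                 # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):             # ldapsearch comment lines
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):            # "attr:: <base64>" form, kept byte-exact
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def upn_problems(entry, expected_domain):
    """Explain why the AD profile would not match this entry by login name; [] if fine."""
    upns = entry.get("userPrincipalName", [])
    if not upns:
        return ["userPrincipalName attribute is missing"]
    upn = upns[0]
    user, at, domain = upn.rpartition("@")
    if not at or not user or not domain:
        return ["userPrincipalName %r is not user@domain.fqdn" % upn]
    if domain.lower() != expected_domain.lower():
        return ["UPN suffix %r differs from profile domain %r" % (domain, expected_domain)]
    return []


def audit(ldif_text, expected_domain):
    """Map sAMAccountName -> list of problems for every entry in the output."""
    return {
        entry["sAMAccountName"][0]: upn_problems(entry, expected_domain)
        for entry in parse_ldif(ldif_text)
    }


if __name__ == "__main__":
    for sam, problems in audit(SAMPLE_LDIF, "dom.it").items():
        print(sam, "OK" if not problems else "; ".join(problems))
```

Feed it the output of the ldapsearch from the thread (with `sAMAccountName` added to the requested attributes) and the domain from `vars.domain`. Output that contains only the `# requesting:` comment, as in Nick's reply, parses to no entries at all, which is the "user not found" case rather than a formatting problem.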


Re: [ovirt-users] ovirt-engine-extension-aaa-ldap active directory

2017-10-10 Thread Luca 'remix_tj' Lorenzetto
Can you post the file?

Luca

On Tue, Oct 10, 2017 at 3:32 PM, nicola gentile
 wrote:
> In my /etc/ovirt-engine/aaa/polito.it.properties the DN is written correctly:
>
> vars.user = CN=myuser,OU=spuser,DC=dom,DC=it
>
> I don't have ldapsearch.
>
> 2017-10-10 15:19 GMT+02:00 Luca 'remix_tj' Lorenzetto
> :
>> Hello Nicola,
>>
>> I don't see anything strange in your setup. Can you check if the DNs in the files
>>
>>  /etc/ovirt-engine/aaa/polito.it*.properties
>>
>> are written correctly?
>>
>> Can you also check with an ldapsearch if there is something strange in
>> your LDAP entry? I found that some users were not logging in correctly
>> due to wrong fields in the LDAP object.
>>
>>
>> Luca
>>
>> On Tue, Oct 10, 2017 at 3:07 PM, nicola.gentile.to
>>  wrote:
>>> Sorry I forgot the attachment
>>>
>>> Nick
>>>
>>>
>>> On 10/10/2017 14:50, nicola.gentile.to wrote:

 Hi,
 I have a problem. Suddenly, the AD users cannot log in from the user portal
 and it displays the error:

 server_error: Unexpected comma or semicolon found at the end of the DN
 string.

 Also, from Admin Portal -> Users, when I try to add an AD user I don't see
 the sub domain.

 Also, I tried to run ovirt-engine-extension-aaa-ldap-setup but it does not work.
 I attach the log file.

 Please help me

 Thanks

 Nick
>>>
>>>
>>>
>>>
>>
>>
>>


Re: [ovirt-users] ovirt-engine-extension-aaa-ldap active directory

2017-10-10 Thread nicola gentile
In my /etc/ovirt-engine/aaa/polito.it.properties the DN is written correctly:

vars.user = CN=myuser,OU=spuser,DC=dom,DC=it

I don't have ldapsearch.

2017-10-10 15:19 GMT+02:00 Luca 'remix_tj' Lorenzetto
:
> Hello Nicola,
>
> I don't see anything strange in your setup. Can you check if the DNs in the files
>
>  /etc/ovirt-engine/aaa/polito.it*.properties
>
> are written correctly?
>
> Can you also check with an ldapsearch if there is something strange in
> your LDAP entry? I found that some users were not logging in correctly
> due to wrong fields in the LDAP object.
>
>
> Luca
>
> On Tue, Oct 10, 2017 at 3:07 PM, nicola.gentile.to
>  wrote:
>> Sorry I forgot the attachment
>>
>> Nick
>>
>>
>> On 10/10/2017 14:50, nicola.gentile.to wrote:
>>>
>>> Hi,
>>> I have a problem. Suddenly, the AD users cannot log in from the user portal
>>> and it displays the error:
>>>
>>> server_error: Unexpected comma or semicolon found at the end of the DN
>>> string.
>>>
>>> Also, from Admin Portal -> Users, when I try to add an AD user I don't see
>>> the sub domain.
>>>
>>> Also, I tried to run ovirt-engine-extension-aaa-ldap-setup but it does not work.
>>> I attach the log file.
>>>
>>> Please help me
>>>
>>> Thanks
>>>
>>> Nick
>>
>>
>>
>>
>
>
>


Re: [ovirt-users] ovirt-engine-extension-aaa-ldap active directory

2017-10-10 Thread Luca 'remix_tj' Lorenzetto
Hello Nicola,

I don't see anything strange in your setup. Can you check if the DNs in the files

 /etc/ovirt-engine/aaa/polito.it*.properties

are written correctly?

Can you also check with an ldapsearch if there is something strange in
your LDAP entry? I found that some users were not logging in correctly
due to wrong fields in the LDAP object.


Luca

On Tue, Oct 10, 2017 at 3:07 PM, nicola.gentile.to
 wrote:
> Sorry I forgot the attachment
>
> Nick
>
>
> On 10/10/2017 14:50, nicola.gentile.to wrote:
>>
>> Hi,
>> I have a problem. Suddenly, the AD users cannot log in from the user portal
>> and it displays the error:
>>
>> server_error: Unexpected comma or semicolon found at the end of the DN
>> string.
>>
>> Also, from Admin Portal -> Users, when I try to add an AD user I don't see
>> the sub domain.
>>
>> Also, I tried to run ovirt-engine-extension-aaa-ldap-setup but it does not work.
>> I attach the log file.
>>
>> Please help me
>>
>> Thanks
>>
>> Nick
>
>
>
>



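Luca's first suggestion above is to check that the DNs in the `/etc/ovirt-engine/aaa/*.properties` files are written correctly, and the reported error names the exact defect to look for: a separator with no RDN after it. The script below is an added example, not code from this thread or from ovirt-engine. It reads a profile's `key = value` lines, expands the `${global:key}` references the profile syntax uses, and validates every value whose key ends in `DN` as an RFC 4514 DN (honouring `\,` escapes and the legacy `;` separator), so a trailing comma on `vars.user` is caught even though it only surfaces through `pool.default.auth.simple.bindDN`. The sample profile, its deliberate trailing comma and the function names are constructed here.

```python
"""Check the DNs in an ovirt-engine-extension-aaa-ldap profile for the defect
behind "Unexpected comma or semicolon found at the end of the DN string".

Constructed example; not code from the ovirt-users thread or from ovirt-engine.
"""
import re

# Constructed profile modelled on the one quoted in the thread. The trailing
# comma on vars.user is the deliberate defect this check should catch.
SAMPLE_PROFILE = """\
include = <ad.properties>
vars.domain = dom.it
vars.user = CN=myuser,OU=spuser,DC=dom,DC=it,
vars.password = x
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
"""

_REF = re.compile(r"\$\{global:([^}]+)\}")
# An RDN must start with an attribute descriptor (CN, OU, DC, ...) or a dotted OID, then '='.
_ATTR = re.compile(r"^\s*(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)\s*=")


def parse_properties(text):
    """Return {key: value} from 'key = value' lines; blanks and # comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def resolve(props, value, depth=0):
    """Expand ${global:key} references; unknown keys are left literally in place."""
    if depth > 10:
        raise ValueError("reference loop while expanding %r" % value)

    def expand(match):
        key = match.group(1)
        return resolve(props, props[key], depth + 1) if key in props else match.group(0)

    return _REF.sub(expand, value)


def split_dn(dn):
    """Split on unescaped ',' or ';', keeping '\\x' escapes and legacy "quoted" values intact."""
    rdns, buf, quoted, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character, e.g. "\,"
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch in ",;" and not quoted:
            rdns.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    return rdns


def dn_problems(dn):
    """Return human-readable defects; an empty list means the DN parses cleanly."""
    text = dn.strip()
    if not text:
        return ["empty DN"]
    problems, rdns = [], split_dn(text)
    # A separator with nothing after it: the defect the engine error reports.
    if text[-1] in ",;" and not text.endswith("\\" + text[-1]):
        problems.append("trailing ',' or ';' (the separator has no RDN after it)")
        rdns = rdns[:-1]
    for idx, rdn in enumerate(rdns):
        if not rdn.strip():
            problems.append("empty RDN at position %d (doubled separator)" % idx)
        elif not _ATTR.match(rdn):
            problems.append("RDN %r is not 'type=value'" % rdn)
    return problems


def check_profile(text):
    """Validate every *DN key after variable expansion: {key: [problems]}."""
    props = parse_properties(text)
    return {key: dn_problems(resolve(props, value))
            for key, value in props.items() if key.lower().endswith("dn")}


if __name__ == "__main__":
    for key, problems in check_profile(SAMPLE_PROFILE).items():
        print(key, "OK" if not problems else "; ".join(problems))
```

Run it against each `polito.it*.properties` file in turn; the keys it validates are exactly the ones the engine hands to the LDAP library as DNs, so a clean report here rules the configuration out as the source of the error and points the investigation elsewhere (Martin's certificate check, in this thread).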


Re: [ovirt-users] ovirt-engine-extension-aaa-ldap active directory

2017-10-10 Thread nicola.gentile.to

Sorry I forgot the attachment

Nick

On 10/10/2017 14:50, nicola.gentile.to wrote:

Hi,
I have a problem. Suddenly, the AD users cannot log in from the user
portal and it displays the error:


server_error: Unexpected comma or semicolon found at the end of the DN
string.


Also, from Admin Portal -> Users, when I try to add an AD user I don't
see the sub domain.


Also, I tried to run ovirt-engine-extension-aaa-ldap-setup but it does not work.
I attach the log file.

Please help me

Thanks

Nick


ovirt-engine-extension-aaa-ldap-setup 
[ INFO  ] Stage: Initializing
[ INFO  ] Stage: Environment setup
  Configuration files: ['/etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf']
  Log file: /tmp/ovirt-engine-extension-aaa-ldap-setup-20171010144529-5gjttc.log
  Version: otopi-1.6.2 (otopi-1.6.2-1.el7.centos)
[ INFO  ] Stage: Environment packages setup
[ INFO  ] Stage: Programs detection
[ INFO  ] Stage: Environment customization
  Welcome to LDAP extension configuration program
  Available LDAP implementations:
   1 - 389ds
   2 - 389ds RFC-2307 Schema
   3 - Active Directory
   4 - IBM Security Directory Server
   5 - IBM Security Directory Server RFC-2307 Schema
   6 - IPA
   7 - Novell eDirectory RFC-2307 Schema
   8 - OpenLDAP RFC-2307 Schema
   9 - OpenLDAP Standard Schema
  10 - Oracle Unified Directory RFC-2307 Schema
  11 - RFC-2307 Schema (Generic)
  12 - RHDS
  13 - RHDS RFC-2307 Schema
  14 - iPlanet
  Please select: 3
  Please enter Active Directory Forest name: polito.it
[ INFO  ] Resolving Global Catalog SRV record for polito.it
   
  NOTE:
  It is highly recommended to use secure protocol to access the LDAP server.
  Protocol startTLS is the standard recommended method to do so.
  Only in cases in which the startTLS is not supported, fallback to non standard ldaps protocol.
  Use plain for test environments only.
   
  Please select protocol to use (startTLS, ldaps, plain) [startTLS]: 
  Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): File
  File path: /root/politoca.pem
[ INFO  ] Resolving SRV record 'polito.it'
[ INFO  ] Connecting to LDAP using 'ldap://politodc01.polito.it:389'
[ INFO  ] Executing startTLS
[ INFO  ] Connection succeeded
  Enter search user DN (for example uid=username,dc=example,dc=com or leave empty for anonymous): CN=TOOL_NICOLA,OU=Special_Users,DC=polito,DC=it   
  Enter search user password: 
[ INFO  ] Attempting to bind using 'CN=TOOL_NICOLA,OU=Special_Users,DC=polito,DC=it'
  Are you going to use Single Sign-On for Virtual Machines (Yes, No) [Yes]: No
  Please specify profile name that will be visible to users [polito.it]: 
[ INFO  ] Stage: Setup validation
  The following files are about to be overwritten:
  /etc/ovirt-engine/extensions.d/polito.it-authn.properties
  /etc/ovirt-engine/extensions.d/polito.it-authz.properties
  /etc/ovirt-engine/aaa/polito.it.properties
  /etc/ovirt-engine/aaa/polito.it.jks
  Continue and overwrite? (Yes, No) [No]: Yes
   
  NOTE:
  It is highly recommended to test drive the configuration before applying it into engine.
  Login sequence is executed automatically, but it is recommended to also execute Search sequence manually after successful Login sequence.
   
  Please provide credentials to test login flow:
  Enter user name: nicola.gent...@polito.it
  Enter user password: 
[ INFO  ] Executing login sequence...
  Login output:
  2017-10-10 14:47:35,284+02 INFO
  2017-10-10 14:47:35,297+02 INFO    Initialization
  2017-10-10 14:47:35,298+02 INFO
  2017-10-10 14:47:35,316+02 INFO    Loading extension 'polito.it-authz'
  2017-10-10 14:47:35,368+02 INFO    Extension 'polito.it-authz' loaded
  2017-10-10 14:47:35,370+02 INFO    Loading extension 'polito.it-authn'
  2017-10-10 14:47:35,377+02 INFO    Extension 'polito.it-authn' loaded
  2017-10-10 14:47:35,377+02 INFO    Initializing extension 'polito.it-authz'
  2017-10-10 14:47:35,378+02 INFO    [ovirt-engine-extension-aaa-ldap.authz::polito.it-authz] Creating LDAP pool 'authz'
  2017-10-10 14:47:36,199+02 INFO    [ovirt-engine-extension-aaa-ldap.authz::polito.it-authz] LDAP pool 'authz' information: vendor='null' version='null'
  2017-10-10 14:47:36,201+02 INFO    [ovirt-engine-extension-aaa-ldap.authz::polito.it-authz]