Re: [ovirt-users] ovirt-engine-extension-aaa-ldap active directory
Hi,

most probably you are affected by [1], so could you please check the certificates on all your AD servers?
You can verify using the following command:

ovirt-engine-extensions-tool --log-level=FINEST aaa login-user --user-name= --profile=

Thanks

Martin

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1465463

On Tue, Oct 10, 2017 at 6:13 PM, Luca 'remix_tj' Lorenzetto <lorenzetto.l...@gmail.com> wrote:
> On Tue, Oct 10, 2017 at 4:41 PM, nicola gentile wrote:
> > I ran the command you suggested
> > ldapsearch -h domaincontroller.dom.it -b "dc=dom,dc=it" -D u...@dom.it -W -x sAMAccountName=user_to_search userPrincipalName | grep userPrincipalName
> >
> > This is the result:
> >
> > Enter LDAP Password:
> > # requesting: userPrincipalName
>
> Supposing you're using all the right parameters in the ldapsearch command,
> it seems that the user you were looking up is not a valid user in that
> directory server.
>
> Please check with someone who can access AD and verify the status
> of the user with ADSI Edit.
>
> Luca
>
> --
> "It is absurd to employ men of excellent intelligence to do calculations
> that could be entrusted to anyone if machines were used"
> Gottfried Wilhelm von Leibnitz, philosopher and mathematician (1646-1716)
>
> "The Internet is the world's largest library.
> The problem is that the books are all scattered on the floor"
> John Allen Paulos, mathematician (1945-living)
>
> Luca 'remix_tj' Lorenzetto, http://www.remixtj.net, <lorenzetto.l...@gmail.com>

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] ovirt-engine-extension-aaa-ldap active directory
On Tue, Oct 10, 2017 at 4:41 PM, nicola gentile wrote:
> I ran the command you suggested
> ldapsearch -h domaincontroller.dom.it -b "dc=dom,dc=it" -D u...@dom.it -W -x sAMAccountName=user_to_search userPrincipalName | grep userPrincipalName
>
> This is the result:
>
> Enter LDAP Password:
> # requesting: userPrincipalName

Supposing you're using all the right parameters in the ldapsearch command,
it seems that the user you were looking up is not a valid user in that
directory server.

Please check with someone who can access AD and verify the status
of the user with ADSI Edit.

Luca
Re: [ovirt-users] ovirt-engine-extension-aaa-ldap active directory
Yes, it is AD.

Nick

2017-10-10 16:41 GMT+02:00 nicola gentile:
> I ran the command you suggested
> ldapsearch -h domaincontroller.dom.it -b "dc=dom,dc=it" -D u...@dom.it -W -x sAMAccountName=user_to_search userPrincipalName | grep userPrincipalName
>
> This is the result:
>
> Enter LDAP Password:
> # requesting: userPrincipalName
>
> Nick
>
> 2017-10-10 16:21 GMT+02:00 Luca 'remix_tj' Lorenzetto:
>> Is it an AD?
>>
>> Can you check if the userPrincipalName of the user you're trying to use
>> for connecting contains the login name in the format u...@domain.fqdn?
>>
>> I had issues with users that had userPrincipalName wrongly formatted.
>> You should find nicola.gent...@polito.it in that field.
>>
>> You can check in this way:
>>
>> ldapsearch -h domaincontroller.dom.it -b "dc=dom,dc=it" -D u...@dom.it -W -x sAMAccountName=user_to_search userPrincipalName | grep userPrincipalName
>>
>> Luca
Re: [ovirt-users] ovirt-engine-extension-aaa-ldap active directory
On Tue, Oct 10, 2017 at 4:06 PM, nicola gentile wrote:
> include =
>
> vars.domain = dom.it
> vars.user = CN=myuser,OU=spuser,DC=dom,DC=it
> vars.password = x
>
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
> pool.default.serverset.type = srvrecord
> pool.default.serverset.srvrecord.domain = ${global:vars.domain}
> pool.default.ssl.startTLS = true
> pool.default.ssl.truststore.file = ${local:_basedir}/polito.it.jks
> pool.default.ssl.truststore.password = changeit

Is it an AD?

Can you check if the userPrincipalName of the user you're trying to use
for connecting contains the login name in the format u...@domain.fqdn?

I had issues with users that had userPrincipalName wrongly formatted.
You should find nicola.gent...@polito.it in that field.

You can check in this way:

ldapsearch -h domaincontroller.dom.it -b "dc=dom,dc=it" -D u...@dom.it -W -x sAMAccountName=user_to_search userPrincipalName | grep userPrincipalName

Luca
Re: [ovirt-users] ovirt-engine-extension-aaa-ldap active directory
Can you post the file?

Luca

On Tue, Oct 10, 2017 at 3:32 PM, nicola gentile wrote:
> In my /etc/ovirt-engine/aaa/polito.it.properties the DN is written correctly:
>
> vars.user = CN=myuser,OU=spuser,DC=dom,DC=it
>
> I don't have ldapsearch.
Re: [ovirt-users] ovirt-engine-extension-aaa-ldap active directory
In my /etc/ovirt-engine/aaa/polito.it.properties the DN is written correctly:

vars.user = CN=myuser,OU=spuser,DC=dom,DC=it

I don't have ldapsearch.

2017-10-10 15:19 GMT+02:00 Luca 'remix_tj' Lorenzetto:
> Hello Nicola,
>
> I don't see anything strange in your setup. Can you check that the DNs in the files
>
> /etc/ovirt-engine/aaa/polito.it*.properties
>
> are written correctly?
>
> Can you also check with an ldapsearch if there is something strange in
> your LDAP entry? I found that some users were not logging in correctly
> due to wrong fields in the LDAP object.
>
> Luca
Re: [ovirt-users] ovirt-engine-extension-aaa-ldap active directory
Hello Nicola,

I don't see anything strange in your setup. Can you check that the DNs in the files

/etc/ovirt-engine/aaa/polito.it*.properties

are written correctly?

Can you also check with an ldapsearch if there is something strange in
your LDAP entry? I found that some users were not logging in correctly
due to wrong fields in the LDAP object.

Luca

On Tue, Oct 10, 2017 at 3:07 PM, nicola.gentile.to wrote:
> Sorry I forgot the attachment
>
> Nick
>
> On 10/10/2017 14:50, nicola.gentile.to wrote:
>> Hi,
>> I have a problem. Suddenly, AD users cannot log in from the user portal,
>> and it displays the error:
>>
>> server_error: Unexpected comma or semicolon found at the end of the DN string.
>>
>> Also, in Admin Portal -> Users, when I try to add an AD user I don't see
>> the sub domain.
>>
>> Also, I tried to run ovirt-engine-extension-aaa-ldap-setup but it does not work.
>> I attach the log file.
>>
>> please help me
>>
>> Thanks
>>
>> Nick
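Luca's two checks in this thread (that the bind DN in /etc/ovirt-engine/aaa/polito.it*.properties is well formed, and that each user's userPrincipalName is user@domain.fqdn) can be run offline against the profile before touching the engine. The script below is an added example written for this page; it is not code from oVirt, from the aaa-ldap extension, or from anyone in the thread. It reads the profile as 'key = value' lines, expands ${global:...} references the way the posted profile uses them, and splits the resulting DN on unescaped, unquoted ',' or ';' per RFC 4514, so that a stray trailing separator surfaces as the same "Unexpected comma or semicolon found at the end of the DN string" condition Nick reported. The sample properties text is constructed (modelled on Nick's posted file, with a deliberate trailing comma added), and the pool.default.ssl.enable key used for the ldaps case is an assumption taken from the extension's documentation rather than from this thread.

```python
import re
import sys

# Constructed sample modelled on the profile posted in the thread; the
# trailing comma on vars.user is deliberate, it is the defect to catch.
SAMPLE_PROPERTIES = """\
vars.domain = dom.it
vars.user = CN=myuser,OU=spuser,DC=dom,DC=it,
vars.password = x
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.ssl.startTLS = true
"""

_GLOBAL_VAR = re.compile(r"\$\{global:([^}]+)\}")
_ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)$")  # name or OID
# ssl.enable (the ldaps switch) is assumed from the extension's docs; startTLS is from the thread
_TLS_KEYS = ("pool.default.ssl.startTLS", "pool.default.ssl.enable")

def parse_properties(text):
    """Read 'key = value' lines; blanks and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            props[key.strip()] = value.strip()
    return props

def resolve(value, props):
    """Expand ${global:name} as the posted profile relies on; ${local:...} is
    left alone. A reference to an undefined variable raises KeyError."""
    return _GLOBAL_VAR.sub(lambda m: props[m.group(1)], value)

def split_dn(dn):
    """Split a DN on unescaped, unquoted ',' or ';' (RFC 4514 plus the legacy
    semicolon). An empty RDN, trailing separator included, is an error."""
    rdns, buf, in_quotes, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # keep escape pairs intact
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch in ",;" and not in_quotes:
            rdn = "".join(buf).strip()
            if not rdn:
                raise ValueError("empty RDN before separator")
            rdns.append(rdn)
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    tail = "".join(buf).strip()
    if tail:
        rdns.append(tail)
    elif rdns:  # the condition behind the engine error quoted in the thread
        raise ValueError("Unexpected comma or semicolon found at the end of the DN string")
    return rdns

def validate_dn(dn):
    """Return the RDN list of a well-formed DN, or raise ValueError."""
    rdns = split_dn(dn)
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not _ATTR_TYPE.match(attr.strip()) or not value.strip():
            raise ValueError(f"malformed RDN {rdn!r}")
    return rdns

def upn_matches_domain(upn, domain):
    """True when upn is <user>@<domain>, realm compared case-insensitively."""
    local, at, realm = upn.rpartition("@")
    return bool(at) and bool(local) and realm.lower() == domain.lower()

def audit(text):
    """Findings for one profile; an empty list means it looks sane."""
    props, findings = parse_properties(text), []
    raw_dn = props.get("pool.default.auth.simple.bindDN")
    if raw_dn is None:
        findings.append("no bindDN: searches would use an anonymous bind")
    else:
        try:
            validate_dn(resolve(raw_dn, props))
        except (ValueError, KeyError) as err:
            findings.append(f"bindDN: {err}")
    if not any(props.get(k, "").lower() == "true" for k in _TLS_KEYS):
        findings.append("no startTLS/ldaps: the bind password would travel in clear")
    return findings

if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROPERTIES
    for problem in audit(src):
        print("FINDING:", problem)
```

Run it with no arguments to see the constructed sample flagged, or point it at the real profile (python3 check_aaa.py /etc/ovirt-engine/aaa/polito.it.properties). It checks syntax only: a DN that parses can still name a non-existent or disabled object, which is what the ldapsearch / ADSI Edit step in the thread covers, and upn_matches_domain is there for checking the userPrincipalName values that ldapsearch returns.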
Re: [ovirt-users] ovirt-engine-extension-aaa-ldap active directory
Sorry I forgot the attachment

Nick

On 10/10/2017 14:50, nicola.gentile.to wrote:
> Hi,
> I have a problem. Suddenly, AD users cannot log in from the user portal,
> and it displays the error:
>
> server_error: Unexpected comma or semicolon found at the end of the DN string.
>
> Also, in Admin Portal -> Users, when I try to add an AD user I don't see
> the sub domain.
>
> Also, I tried to run ovirt-engine-extension-aaa-ldap-setup but it does not work.
> I attach the log file.
>
> please help me
>
> Thanks
>
> Nick

ovirt-engine-extension-aaa-ldap-setup
[ INFO ] Stage: Initializing
[ INFO ] Stage: Environment setup
         Configuration files: ['/etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf']
         Log file: /tmp/ovirt-engine-extension-aaa-ldap-setup-20171010144529-5gjttc.log
         Version: otopi-1.6.2 (otopi-1.6.2-1.el7.centos)
[ INFO ] Stage: Environment packages setup
[ INFO ] Stage: Programs detection
[ INFO ] Stage: Environment customization
         Welcome to LDAP extension configuration program
         Available LDAP implementations:
          1 - 389ds
          2 - 389ds RFC-2307 Schema
          3 - Active Directory
          4 - IBM Security Directory Server
          5 - IBM Security Directory Server RFC-2307 Schema
          6 - IPA
          7 - Novell eDirectory RFC-2307 Schema
          8 - OpenLDAP RFC-2307 Schema
          9 - OpenLDAP Standard Schema
         10 - Oracle Unified Directory RFC-2307 Schema
         11 - RFC-2307 Schema (Generic)
         12 - RHDS
         13 - RHDS RFC-2307 Schema
         14 - iPlanet
         Please select: 3
         Please enter Active Directory Forest name: polito.it
[ INFO ] Resolving Global Catalog SRV record for polito.it
         NOTE:
         It is highly recommended to use secure protocol to access the LDAP server.
         Protocol startTLS is the standard recommended method to do so.
         Only in cases in which the startTLS is not supported, fallback to non standard ldaps protocol.
         Use plain for test environments only.
         Please select protocol to use (startTLS, ldaps, plain) [startTLS]:
         Please select method to obtain PEM encoded CA certificate (File, URL, Inline, System, Insecure): File
         File path: /root/politoca.pem
[ INFO ] Resolving SRV record 'polito.it'
[ INFO ] Connecting to LDAP using 'ldap://politodc01.polito.it:389'
[ INFO ] Executing startTLS
[ INFO ] Connection succeeded
         Enter search user DN (for example uid=username,dc=example,dc=com or leave empty for anonymous): CN=TOOL_NICOLA,OU=Special_Users,DC=polito,DC=it
         Enter search user password:
[ INFO ] Attempting to bind using 'CN=TOOL_NICOLA,OU=Special_Users,DC=polito,DC=it'
         Are you going to use Single Sign-On for Virtual Machines (Yes, No) [Yes]: No
         Please specify profile name that will be visible to users [polito.it]:
[ INFO ] Stage: Setup validation
         The following files are about to be overwritten:
           /etc/ovirt-engine/extensions.d/polito.it-authn.properties
           /etc/ovirt-engine/extensions.d/polito.it-authz.properties
           /etc/ovirt-engine/aaa/polito.it.properties
           /etc/ovirt-engine/aaa/polito.it.jks
         Continue and overwrite? (Yes, No) [No]: Yes
         NOTE:
         It is highly recommended to test drive the configuration before applying it into engine.
         Login sequence is executed automatically, but it is recommended to also execute Search sequence manually after successful Login sequence.
         Please provide credentials to test login flow:
         Enter user name: nicola.gent...@polito.it
         Enter user password:
[ INFO ] Executing login sequence...
         Login output:
         2017-10-10 14:47:35,284+02 INFO
         2017-10-10 14:47:35,297+02 INFO Initialization
         2017-10-10 14:47:35,298+02 INFO
         2017-10-10 14:47:35,316+02 INFO Loading extension 'polito.it-authz'
         2017-10-10 14:47:35,368+02 INFO Extension 'polito.it-authz' loaded
         2017-10-10 14:47:35,370+02 INFO Loading extension 'polito.it-authn'
         2017-10-10 14:47:35,377+02 INFO Extension 'polito.it-authn' loaded
         2017-10-10 14:47:35,377+02 INFO Initializing extension 'polito.it-authz'
         2017-10-10 14:47:35,378+02 INFO [ovirt-engine-extension-aaa-ldap.authz::polito.it-authz] Creating LDAP pool 'authz'
         2017-10-10 14:47:36,199+02 INFO [ovirt-engine-extension-aaa-ldap.authz::polito.it-authz] LDAP pool 'authz' information: vendor='null' version='null'
         2017-10-10 14:47:36,201+02 INFO [ovirt-engine-extension-aaa-ldap.authz::polito.it-authz] Creat