Re: [Users] Testing LDAP support.

----- Original Message -----
From: Sharad Mishra snmis...@linux.vnet.ibm.com
To: Itamar Heim ih...@redhat.com
Cc: Oved Ourfalli ov...@redhat.com, users@ovirt.org
Sent: Thursday, April 12, 2012 9:37:46 PM
Subject: Re: [Users] Testing LDAP support.

> On Thu, 2012-04-12 at 02:26 +0300, Itamar Heim wrote:
> > On 04/12/2012 01:09 AM, Sharad Mishra wrote:
> > > On Wed, 2012-04-11 at 10:18 -0400, Oved Ourfalli wrote:
> > > > ----- Original Message -----
> > > > From: Sharad Mishra snmis...@linux.vnet.ibm.com
> > > > To: Itamar Heim ih...@redhat.com
> > > > Cc: Oved Ourfalli ov...@redhat.com, users@ovirt.org
> > > > Sent: Wednesday, April 11, 2012 4:53:37 PM
> > > > Subject: Re: [Users] Testing LDAP support.
> > > >
> > > > > On Tue, 2012-04-10 at 10:55 +0300, Itamar Heim wrote:
> > > > > > On 04/10/2012 04:51 AM, Sharad Mishra wrote:
> > > > > > > On Mon, 2012-04-09 at 12:38 -0700, Sharad Mishra wrote:
> > > > > > > > On Mon, 2012-04-09 at 14:10 -0400, Oved Ourfalli wrote:
> > > > > > > > > > When a call is made to construct InitialDirContext with the following settings -
> > > > > > > > > > [...]
> > > > >
> > > > > How do I configure the ovirt test setup on my workstation to use LDAP for authentication? I looked around the webadmin GUI but could not find it.
> > > > >
> > > > > -Sharad
> > > >
> > > > If you are working with an installed oVirt environment, you can use the engine-manage-domains utility in order to add/remove/edit domains. It will create the krb5.conf file, update database entries, add permissions for the user you use, etc.
> > >
> > > I was able to move around some jar files and config files to finally be able to run engine-manage-domains to add new domains.
> > >
> > > First I ran
> > >
> > > #./engine-manage-domains -action=list
> > > Manage Domains completed successfully
> > >
> > > I did not get any domain, which makes sense since I only have the default setup.
> > >
> > > then I tried
> > >
> > > #./engine-manage-domains -action=add -domain=bluepages.ibm.com -user=snmis...@us.ibm.com -passwordFile=/tmp/.pwd
> > >
> > > where /tmp/.pwd has my ldap password. I got the following error -
> > >
> > > Error: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct..
> > > Problematic domain is: bluepages.ibm.com
> > > Failure while applying Kerberos configuration. Details: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.
> > >
> > > I also tried -domain=bluepages.ibm.com:389
> >
> > this is kerberos based auth.
>
> do I need any package/setup on client machine?
>
> > usual suspects are dns issues.
>
> doesn't look like it's a dns issue, I can run ldapsearch from the command line.
>
> > anything in the manage domains log?
>
> There is nothing in engine or server logs. Where are the manage domain logs?

the log is in:
/var/log/ovirt-engine/engine-manage-domains/engine-manage-domains.log

> -Sharad
>
> > > -Sharad
> > >
> > > > If, however, you are in a development environment, then currently it is not easy to run this utility, as it requires some configuration files and jars that are there when you install the engine, but not there in a development environment.
> > > >
> > > > So, in that case you'll need to run the following (change the domain name, user name and user guid):
> > > > [...]
Re: [Users] Testing LDAP support.

On 04/12/2012 09:37 PM, Sharad Mishra wrote:
> doesn't look like it's a dns issue, I can run ldapsearch from the command line.

are you using simple or kerberos modes?
ldap search is kerberos based, manage domains iirc is kerberos as well mostly

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
Re: [Users] Testing LDAP support.

On Tue, 2012-04-10 at 10:55 +0300, Itamar Heim wrote:
> On 04/10/2012 04:51 AM, Sharad Mishra wrote:
> > On Mon, 2012-04-09 at 12:38 -0700, Sharad Mishra wrote:
> > > On Mon, 2012-04-09 at 14:10 -0400, Oved Ourfalli wrote:
> > > > > When a call is made to construct InitialDirContext with the following settings -
> > > > > [...]

How do I configure the ovirt test setup on my workstation to use LDAP for authentication? I looked around the webadmin GUI but could not find it.

-Sharad

> > > > Can you also attach the jboss log and engine log? (assuming you are testing it in the ovirt-engine environment).
> > > > They can be helpful, as it might be related to some class loading issue or something similar, and the log might shed light on that.
> >
> > I think it's my setup that is the issue here. I am unable to run the ldapsearch CLI with the DIGEST-MD5 protocol. I am not sure how to set up/use a secret key with SASL. I am running my queries against a production ldap server on which I have user access. I tried to look around on the internet but did not get a good hit.
>
> have you tried the kerberos based authentication with it?
> I see it is supposed to have it:
> http://publib.boulder.ibm.com/infocenter/lnxinfo/v3r0m0/index.jsp?topic=%2Fliaai%2Fkerberos%2Fliaaikerberos1.htm
Re: [Users] Testing LDAP support.

----- Original Message -----
From: Sharad Mishra snmis...@linux.vnet.ibm.com
To: Itamar Heim ih...@redhat.com
Cc: Oved Ourfalli ov...@redhat.com, users@ovirt.org
Sent: Wednesday, April 11, 2012 4:53:37 PM
Subject: Re: [Users] Testing LDAP support.

> On Tue, 2012-04-10 at 10:55 +0300, Itamar Heim wrote:
> > On 04/10/2012 04:51 AM, Sharad Mishra wrote:
> > > On Mon, 2012-04-09 at 12:38 -0700, Sharad Mishra wrote:
> > > > On Mon, 2012-04-09 at 14:10 -0400, Oved Ourfalli wrote:
> > > > > > When a call is made to construct InitialDirContext with the following settings -
> > > > > > [...]
>
> How do I configure the ovirt test setup on my workstation to use LDAP for authentication? I looked around the webadmin GUI but could not find it.
>
> -Sharad

If you are working with an installed oVirt environment, you can use the engine-manage-domains utility in order to add/remove/edit domains. It will create the krb5.conf file, update database entries, add permissions for the user you use, etc.

If, however, you are in a development environment, then currently it is not easy to run this utility, as it requires some configuration files and jars that are there when you install the engine, but not there in a development environment.

So, in that case you'll need to run the following (change the domain name, user name and user guid):

update vdc_options set option_value = 'your domain' where option_name = 'DomainName';
update vdc_options set option_value = 'your domain:your user@your domain' where option_name = 'AdUserName';
update vdc_options set option_value = 'your domain:user guid' where option_name = 'AdUserId';
update vdc_options set option_value = 'your domain:your password' where option_name = 'AdUserPassword';
insert into permissions (id,role_id,ad_element_id,object_id,object_type_id) values ('choose a random guid','----0001','user guid','aaa0----123456789aaa',1);

Also, you'll have to create a krb5.conf file, and place it in $JBOSS_HOME/standalone/configuration
An example for the contents of this file:

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = no
default_tkt_enctypes = arcfour-hmac-md5
udp_preference_limit = 1

[realms]
EXAMPLE.COM = {
  kdc = my_host.example.com.:88
}

[domain_realm]
example.com = EXAMPLE.COM

Note that you need to have the following records for your LDAP server, defined in the DNS:
* LDAP SRV record
* Kerberos SRV record
* PTR record

(You can use dnsmasq if you wish to create those records by yourself - if you need help with this let me know).

Oved

> > > > > Can you also attach the jboss log and engine log? (assuming you are testing it in the ovirt-engine environment).
> > > > > They can be helpful, as it might be related to some class loading issue or something similar, and the log might shed light on that.
> > >
> > > I think it's my setup that is the issue here. I am unable to run the ldapsearch CLI with the DIGEST-MD5 protocol. I am not sure how to set up/use a secret key with SASL. I am running my queries against a production ldap server on which I have user access. I tried to look around on the internet but did not get a good hit.
> >
> > have you tried the kerberos based authentication with it?
> > I see it is supposed to have it:
> > http://publib.boulder.ibm.com/infocenter/lnxinfo/v3r0m0/index.jsp?topic=%2Fliaai%2Fkerberos%2Fliaaikerberos1.htm
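An added preflight check for the three DNS records Oved lists above (LDAP SRV, Kerberos SRV, PTR), written here as an example and not part of oVirt or engine-manage-domains. It assumes the standard names _ldap._tcp.<domain> and _kerberos._tcp/_udp.<domain> for the SRV records and that the SRV targets and the PTR should both name the LDAP server; the resolver is injected, so it runs offline on a constructed zone and shells out to dig (dig_lookup) for a real domain.

```python
import subprocess
from typing import Callable, Dict, List, Tuple

Lookup = Callable[[str, str], List[str]]  # (rrtype, name) -> answer strings

def required_names(domain: str) -> List[Tuple[str, str]]:
    """SRV names assumed for the LDAP and Kerberos SRV records Oved lists."""
    d = domain.rstrip(".")
    return [("SRV", f"_ldap._tcp.{d}"),
            ("SRV", f"_kerberos._tcp.{d}"),
            ("SRV", f"_kerberos._udp.{d}")]

def parse_srv(answer: str) -> Dict[str, object]:
    """Parse one 'priority weight port target' line (dig +short SRV output)."""
    prio, weight, port, target = answer.split()
    return {"priority": int(prio), "weight": int(weight),
            "port": int(port), "target": target.rstrip(".").lower()}

def check_domain(domain: str, ldap_host: str, ldap_ip: str,
                 lookup: Lookup) -> List[str]:
    """Return the problems found; an empty list means every required record
    exists and A, SRV targets and PTR all agree on ldap_host."""
    problems = []
    host = ldap_host.rstrip(".").lower()
    for rrtype, name in required_names(domain):
        answers = lookup(rrtype, name)
        if not answers:
            problems.append(f"missing {rrtype} record {name}")
            continue
        targets = {parse_srv(a)["target"] for a in answers}
        if host not in targets:
            problems.append(f"{name} does not point at {host} "
                            f"(targets: {sorted(targets)})")
    # MIT Kerberos clients canonicalise service hostnames through reverse DNS
    # by default, so the PTR must agree with the forward name.
    ptr = [p.rstrip(".").lower() for p in lookup("PTR", ldap_ip)]
    if not ptr:
        problems.append(f"missing PTR record for {ldap_ip}")
    elif host not in ptr:
        problems.append(f"PTR for {ldap_ip} is {ptr}, expected {host}")
    a_records = lookup("A", host)
    if ldap_ip not in a_records:
        problems.append(f"A record for {host} is {a_records}, expected {ldap_ip}")
    return problems

def dig_lookup(rrtype: str, name: str) -> List[str]:
    """Resolve with dig; for PTR, name is the IP and dig -x builds the query."""
    args = (["dig", "+short", "-x", name] if rrtype == "PTR"
            else ["dig", "+short", rrtype, name])
    out = subprocess.run(args, capture_output=True, text=True, check=False).stdout
    return [line for line in out.splitlines() if line.strip()]

def fake_lookup(table: Dict[Tuple[str, str], List[str]]) -> Lookup:
    """Resolver over a constructed answer table, for offline runs and tests."""
    return lambda rrtype, name: list(table.get((rrtype, name), []))

# Constructed sample zone: LDAP SRV, A and PTR exist; Kerberos SRV records do not.
SAMPLE_ZONE = {
    ("SRV", "_ldap._tcp.example.com"): ["0 100 389 ldap.example.com."],
    ("PTR", "192.0.2.10"): ["ldap.example.com."],
    ("A", "ldap.example.com"): ["192.0.2.10"],
}

if __name__ == "__main__":
    resolver = fake_lookup(SAMPLE_ZONE)  # swap in dig_lookup for a real domain
    for p in check_domain("example.com", "ldap.example.com", "192.0.2.10", resolver):
        print("PROBLEM:", p)
```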
Re: [Users] Testing LDAP support.

On Wed, 2012-04-11 at 10:18 -0400, Oved Ourfalli wrote:
> ----- Original Message -----
> From: Sharad Mishra snmis...@linux.vnet.ibm.com
> To: Itamar Heim ih...@redhat.com
> Cc: Oved Ourfalli ov...@redhat.com, users@ovirt.org
> Sent: Wednesday, April 11, 2012 4:53:37 PM
> Subject: Re: [Users] Testing LDAP support.
>
> > On Tue, 2012-04-10 at 10:55 +0300, Itamar Heim wrote:
> > > On 04/10/2012 04:51 AM, Sharad Mishra wrote:
> > > > On Mon, 2012-04-09 at 12:38 -0700, Sharad Mishra wrote:
> > > > > On Mon, 2012-04-09 at 14:10 -0400, Oved Ourfalli wrote:
> > > > > > > When a call is made to construct InitialDirContext with the following settings -
> > > > > > > [...]
> >
> > How do I configure the ovirt test setup on my workstation to use LDAP for authentication? I looked around the webadmin GUI but could not find it.
> >
> > -Sharad
>
> If you are working with an installed oVirt environment, you can use the engine-manage-domains utility in order to add/remove/edit domains. It will create the krb5.conf file, update database entries, add permissions for the user you use, etc.

I was able to move around some jar files and config files to finally be able to run engine-manage-domains to add new domains.

First I ran

#./engine-manage-domains -action=list
Manage Domains completed successfully

I did not get any domain, which makes sense since I only have the default setup.

then I tried

#./engine-manage-domains -action=add -domain=bluepages.ibm.com -user=snmis...@us.ibm.com -passwordFile=/tmp/.pwd

where /tmp/.pwd has my ldap password. I got the following error -

Error: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct..
Problematic domain is: bluepages.ibm.com
Failure while applying Kerberos configuration. Details: Authentication Failed. Please verify the fully qualified domain name that is used for authentication is correct.

I also tried -domain=bluepages.ibm.com:389

-Sharad

> If, however, you are in a development environment, then currently it is not easy to run this utility, as it requires some configuration files and jars that are there when you install the engine, but not there in a development environment.
>
> So, in that case you'll need to run the following (change the domain name, user name and user guid):
> [...]
>
> Also, you'll have to create a krb5.conf file, and place it in $JBOSS_HOME/standalone/configuration
> [...]
>
> Note that you need to have the following records for your LDAP server, defined in the DNS:
> * LDAP SRV record
> * Kerberos SRV record
> * PTR record
>
> (You can use dnsmasq if you wish to create those records by yourself - if you need help with this let me know).
>
> Oved
>
> > > > > > [...]
Re: [Users] Testing LDAP support.

----- Original Message -----
From: Sharad Mishra snmis...@linux.vnet.ibm.com
To: users@ovirt.org
Sent: Monday, April 9, 2012 8:19:23 PM
Subject: [Users] Testing LDAP support.

> Hi,
>
> I was able to successfully test simple authentication support of IBM Directory Server (IDS) in ovirt. Next step is to test DIGEST-MD5 support. This protocol is currently supported by my test IDS. But I get -
>
> javax.naming.CommunicationException: [LDAP: error code 2 - Protocol Error]
>
> When a call is made to construct InitialDirContext with the following settings -
>
> {java.naming.provider.url=ldap://ldapserver.ibm.com:389,
>  java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
>  java.naming.security.principal=uid=1234567,c=us,ou=ldapserver,o=ibm.com,
>  java.naming.security.authentication=DIGEST-MD5 GSSAPI,
>  java.naming.security.credentials=password,
>  java.naming.referral=follow,
>  java.naming.ldap.attributes.binary=objectGUID}
>
> Do you know what could be going wrong here? I think it's something wrong with my usage and not in code.
>
> What test cases were run to verify RedHat DS support? I can try to run the same for IBM DS before posting the patch.

Hard to tell what went wrong there. I'll try to take a look a bit on the web (as I assume you did but I guess it can't hurt).

As for RHDS, most tests were done manually:
* Adding users/groups
* Authentication
* Group membership
* Adding / removing / editing RHDS domain with the engine-manage-domains utility.
* Refresh users/groups.
* Search for users/groups

Those are basically the main scenarios. We have an LdapTester as well. The problem there was to set up the environment needed for the testing. It contains test cases for AD/IPA.

Oved

> Thanks
> Sharad Mishra
> IBM
Re: [Users] Testing LDAP support.

On Mon, 2012-04-09 at 14:10 -0400, Oved Ourfalli wrote:
> ----- Original Message -----
> From: Oved Ourfalli ov...@redhat.com
> To: Sharad Mishra snmis...@linux.vnet.ibm.com
> Cc: users@ovirt.org
> Sent: Monday, April 9, 2012 8:36:49 PM
> Subject: Re: [Users] Testing LDAP support.
>
> > ----- Original Message -----
> > From: Sharad Mishra snmis...@linux.vnet.ibm.com
> > To: users@ovirt.org
> > Sent: Monday, April 9, 2012 8:19:23 PM
> > Subject: [Users] Testing LDAP support.
> >
> > > [...]
> > >
> > > javax.naming.CommunicationException: [LDAP: error code 2 - Protocol Error]
> > >
> > > When a call is made to construct InitialDirContext with the following settings -
> > > [...]
>
> Can you also attach the jboss log and engine log? (assuming you are testing it in the ovirt-engine environment).
> They can be helpful, as it might be related to some class loading issue or something similar, and the log might shed light on that.

there is nothing much in jboss and engine logs.

2012-04-09 10:03:19,203 INFO [org.ovirt.engine.core.bll.DbUserCacheManager] (QuartzScheduler_Worker-56) DbUserCacheManager::refreshAllUserData() - entered
2012-04-09 11:03:19,205 INFO [org.ovirt.engine.core.bll.DbUserCacheManager] (QuartzScheduler_Worker-11) DbUserCacheManager::refreshAllUserData() - entered
2012-04-09 12:03:19,207 INFO [org.ovirt.engine.core.bll.DbUserCacheManager] (QuartzScheduler_Worker-84) DbUserCacheManager::refreshAllUserData() - entered

Output of both server.log and engine.log for this time period looks exactly the same.
Do I need to enable more logging?

-Sharad

> > > Do you know what could be going wrong here? I think it's something wrong with my usage and not in code.
> > > [...]
> >
> > [...]
> >
> > Oved
> >
> > > Thanks
> > > Sharad Mishra
> > > IBM
Re: [Users] Testing LDAP support.

On Mon, 2012-04-09 at 12:38 -0700, Sharad Mishra wrote:
> On Mon, 2012-04-09 at 14:10 -0400, Oved Ourfalli wrote:
> > ----- Original Message -----
> > From: Oved Ourfalli ov...@redhat.com
> > To: Sharad Mishra snmis...@linux.vnet.ibm.com
> > Cc: users@ovirt.org
> > Sent: Monday, April 9, 2012 8:36:49 PM
> > Subject: Re: [Users] Testing LDAP support.
> >
> > > ----- Original Message -----
> > > From: Sharad Mishra snmis...@linux.vnet.ibm.com
> > > To: users@ovirt.org
> > > Sent: Monday, April 9, 2012 8:19:23 PM
> > > Subject: [Users] Testing LDAP support.
> > >
> > > > [...]
> > > >
> > > > When a call is made to construct InitialDirContext with the following settings -
> > > > [...]
> >
> > Can you also attach the jboss log and engine log? (assuming you are testing it in the ovirt-engine environment).
> > They can be helpful, as it might be related to some class loading issue or something similar, and the log might shed light on that.

I think it's my setup that is the issue here. I am unable to run the ldapsearch CLI with the DIGEST-MD5 protocol. I am not sure how to set up/use a secret key with SASL. I am running my queries against a production ldap server on which I have user access. I tried to look around on the internet but did not get a good hit.

-Sharad

> there is nothing much in jboss and engine logs.
>
> 2012-04-09 10:03:19,203 INFO [org.ovirt.engine.core.bll.DbUserCacheManager] (QuartzScheduler_Worker-56) DbUserCacheManager::refreshAllUserData() - entered
> 2012-04-09 11:03:19,205 INFO [org.ovirt.engine.core.bll.DbUserCacheManager] (QuartzScheduler_Worker-11) DbUserCacheManager::refreshAllUserData() - entered
> 2012-04-09 12:03:19,207 INFO [org.ovirt.engine.core.bll.DbUserCacheManager] (QuartzScheduler_Worker-84) DbUserCacheManager::refreshAllUserData() - entered
>
> Output of both server.log and engine.log for this time period looks exactly the same.
> Do I need to enable more logging?
>
> -Sharad
>
> > > > Do you know what could be going wrong here? I think it's something wrong with my usage and not in code.
> > > > [...]
> > >
> > > [...]
> > >
> > > Oved
> > >
> > > > Thanks
> > > > Sharad Mishra
> > > > IBM