subject:"\[Users\] ldap"

[ovirt-users] LDAP auth and group members

2022-10-21 Thread Jiří Sléžka


Hi,

I have configured oVirt authentication against our MicroFocus/Novell 
eDirectory (edir) ldap. It is working fine on per user base. Now I am 
tried to set permissions per group but it seems does not work.


My CRO.properties

---
include = 

vars.server = ldap.
vars.port = 389
vars.user = cn=***
vars.password = ***

pool.default.serverset.single.server = ${global:vars.server}
pool.default.serverset.single.port = ${global:vars.port}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

pool.default.ssl.startTLS = true
pool.default.socketfactory.resolver.supportIPv6 = false

sequence-init.init.100-my-edir-init-vars = my-edir-init-vars
sequence.my-edir-init-vars.010.description = set baseDN
sequence.my-edir-init-vars.010.type = var-set
sequence.my-edir-init-vars.010.var-set.variable = simple_baseDN
sequence.my-edir-init-vars.010.var-set.value = o=su

search.default.search-request.derefPolicy = ALWAYS
---

I am able search groups in manager but users with permissions per group 
are unable to login with "The user *** with profile [CRO] is not 
authorized to perform login".


When I try debug it with

ovirt-engine-extensions-tool aaa login-user --profile=CRO 
--user-name=***


I can see common attributes (name, email,...) in PrincipalRecord but not 
any record mentioned group membership.


Group which holds this user has posixGroup objectClass and member 
attributes which points to dn of users.


There were also similar post in this list in 2019 which unfortunately 
was not much specific with solution


https://lists.ovirt.org/archives/list/users@ovirt.org/thread/PBQXDJGOZ2ET347YDZFSQPFJGMNSALHD/

Could any suggest how to better debug this or how to modify group search 
filter in my profile to work with member attribute?


Thanks in advance,

Jiri


smime.p7s
Description: S/MIME Cryptographic Signature
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/RPHPO4J42ZYX377KBSBC6QMKVJ26ZA66/

[ovirt-users] LDAP auth error "server_error: Cannot locate principal"

2021-07-21 Thread tbural

Trying to configure LDAP auth on engine. After adding user from LDAP i cannot 
login with this error "server_error: Cannot locate principal"
Errors from engine.log
2021-06-30 17:24:23,830+05 ERROR 
[org.ovirt.engine.core.sso.servlets.InteractiveAuthServlet] (default task-5) 
[686f77b] Internal Server Error: Cannot locate principal 'Domain Reader'
2021-06-30 17:24:23,830+05 ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] 
(default task-5) [686f77b] Cannot locate principal 'Domain Reader'
2021-06-30 17:24:23,851+05 ERROR 
[org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-5) 
[686f77b] server_error: Cannot locate principal 'Domain Reader'
How i can fix this error?

ovirt 4.3.10
Config /etc/ovirt-engine/aaa/openldap_rfc.properties:
include = 

vars.server = LDAP.testdom.local
vars.user = CN=Domain Reader,OU=AD,OU=SERVICE,DC=testdom,DC=local
vars.password = password

pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = single
pool.default.serverset.single.server = ${global:vars.server}
pool.default.ssl.startTLS = tlocale
pool.default.ssl.insecure = tlocale

attrmap.map-principal-record.attr.PrincipalRecord_ID.map = uid
attrmap.map-principal-record.attr.PrincipalRecord_PRINCIPAL.map = cn

#LDAP value changes
sequence.openldap-init-vars.030.var-set.value = entryUUID, uid, cn, givenName, 
sn, Email
sequence.openldap-init-vars.040.var-set.value = 
(objectClass=posixAccount)(uid=*)
sequence.openldap-init-vars.050.var-set.value = entryUUID, uid
sequence.openldap-init-vars.060.var-set.value = (objectClass=posixGroup)
sequence.openldap-init-vars.070.var-set.value = membelocalid

User attribures:
ovirt-engine-extensions-tool aaa search --extension-name=openldap_rfc-authz 
--entity=principal --entity-name=domreader
2021-07-21 17:14:33,805+05 INFO

2021-07-21 17:14:33,833+05 INFO Initialization 

2021-07-21 17:14:33,833+05 INFO

2021-07-21 17:14:33,878+05 INFOLoading extension 'internal-authz'
2021-07-21 17:14:33,885+05 INFOExtension 'internal-authz' loaded
--
2021-07-21 17:14:35,885+05 INFO

2021-07-21 17:14:35,886+05 INFO== Execution 
===
2021-07-21 17:14:35,886+05 INFO

2021-07-21 17:14:35,886+05 INFOIteration: 0
2021-07-21 17:14:35,891+05 INFO--- Begin QueryFilterRecord ---
2021-07-21 17:14:35,892+05 INFOAAA_AUTHZ_QUERY_FILTER_OPERATOR: 102
2021-07-21 17:14:35,892+05 INFOAAA_AUTHZ_QUERY_ENTITY: 
AAA_AUTHZ_QUERY_ENTITY_PRINCIPAL[1695cd36-4656-474f-b7bc-4466e12634e4]
2021-07-21 17:14:35,893+05 INFO  --- Begin QueryFilterRecord ---
2021-07-21 17:14:35,893+05 INFO  AAA_AUTHZ_QUERY_FILTER_OPERATOR: 0
2021-07-21 17:14:35,894+05 INFO  AAA_AUTHZ_QUERY_FILTER_KEY: 
Extkey[name=AAA_AUTHZ_PRINCIPAL_NAME;type=class 
java.lang.String;uuid=AAA_AUTHZ_PRINCIPAL_NAME[a0df5bcc-6ead-40a2-8565-2f5cc8773bdd];]
2021-07-21 17:14:35,894+05 INFO  AAA_AUTHZ_PRINCIPAL_NAME: domreader
2021-07-21 17:14:35,894+05 INFO  --- End QueryFilterRecord ---
2021-07-21 17:14:35,895+05 INFO--- End QueryFilterRecord ---
2021-07-21 17:14:35,895+05 INFOAPI: -->Authz.InvokeCommands.QUERY_OPEN 
namespace='dc=testdom,dc=local'
2021-07-21 17:14:35,904+05 INFOAPI: <--Authz.InvokeCommands.QUERY_OPEN
2021-07-21 17:14:35,904+05 INFOAPI: -->Authz.InvokeCommands.QUERY_EXECUTE
2021-07-21 17:16:04,079+05 INFOAPI: <--Authz.InvokeCommands.QUERY_EXECUTE 
count=1
2021-07-21 17:16:04,080+05 INFO--- Begin PrincipalRecord ---
2021-07-21 17:16:04,081+05 INFOAAA_AUTHZ_PRINCIPAL_PRINCIPAL: Domain Reader
2021-07-21 17:16:04,081+05 INFOAAA_AUTHZ_PRINCIPAL_LAST_NAME: Reader
2021-07-21 17:16:04,081+05 INFOAAA_LDAP_UNBOUNDID_DN: cn=Domain 
Reader,ou=AD,ou=SERVICE,dc=testdom,dc=local
2021-07-21 17:16:04,082+05 INFOAAA_AUTHZ_PRINCIPAL_NAMESPACE: 
dc=testdom,dc=local
2021-07-21 17:16:04,082+05 INFOAAA_AUTHZ_PRINCIPAL_ID: domreader
2021-07-21 17:16:04,082+05 INFOAAA_AUTHZ_PRINCIPAL_DISPLAY_NAME: Domain 
Reader
2021-07-21 17:16:04,083+05 INFOAAA_AUTHZ_PRINCIPAL_NAME: domreader
2021-07-21 17:16:04,083+05 INFOAAA_AUTHZ_PRINCIPAL_FIRST_NAME: Domain
2021-07-21 17:16:04,083+05 INFO--- End   PrincipalRecord ---
2021-07-21 17:16:04,084+05 INFOAPI: -->Authz.InvokeCommands.QUERY_EXECUTE
2021-07-21 17:16:04,084+05 INFOAPI: <--Authz.InvokeCommands.QUERY_EXECUTE 
count=END
2021-07-21 17:16:04,084+05 INFOAPI: -->Authz.InvokeCommands.QUERY_CLOSE
2021-07-21 17:16:04,084+05 INFOAPI: <--Authz.InvokeCommands.QUERY_CLOSE

Trying to auth using ovirt-engine-extensio

[ovirt-users] ldap auth problem after upgrade from 4.4.1 to 4.4.2

2020-10-01 Thread Jiří Sléžka

Hi,

I just upgraded my HE to 4.4.2 but now I cannot login using my ldap aaa
profile anymore.

We are using Novell/NetIQ E-directory (load ballanced by haproxy,
probably not important...)

In 4.4.1 I was hit by removed TLSv1 (which is the newest protocol
supported by our edir) from default crypto policies but I was able
revert it by

update-crypto-policies --set LEGACY

after upgrade to 4.4.2 the error is

server_error: An error occurred while attempting to connect to server
ldap1.slu.cz:389: IOException(LDAPException(resultCode=91 (connect
error), errorMessage='An error occurred while attempting to establish a
connection to server ldap1.slu.cz/193.84.206.212:389:
SocketException(Network is unreachable (connect failed)),
ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))

but our ldap server is reachable from ovirt, I tested it via (also ldaps
and startls variants are working)

ldapsearch -H ldap://ldap1.slu.cz -x -D cn=*,ou=**,o=su -w
'' -b 'o=su'

As a workaround I tried to set plain ldap protocol in profile

cat /etc/ovirt-engine/aaa/CRO.properties


include = 

vars.server = ldap1.slu.cz
vars.port = 389
vars.user = cn=*,ou=**,o=su
vars.password = **

pool.default.serverset.single.server = ${global:vars.server}
pool.default.serverset.single.port = ${global:vars.port}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

pool.default.ssl.startTLS = false
pool.default.ssl.enable = false
#pool.default.ssl.protocol = TLSv1
#pool.default.ssl.startTLSProtocol = TLSv1
#pool.default.ssl.insecure = true

sequence-init.init.100-my-edir-init-vars = my-edir-init-vars
sequence.my-edir-init-vars.010.description = set baseDN
sequence.my-edir-init-vars.010.type = var-set
sequence.my-edir-init-vars.010.var-set.variable = simple_baseDN
sequence.my-edir-init-vars.010.var-set.value = o=su

#search.default.search-request.derefPolicy = ALWAYS


but the error is the same...

ovirt-engine-extensions-tool aaa login-user --profile=CRO
--user-name=my_user


WARNING: [ovirt-engine-extension-aaa-ldap.authn::SU-LDAP-authentication]
TLS/SSL insecure mode
...
WARNING: [ovirt-engine-extension-aaa-ldap.authn::auth.CRO.slu.cz] Cannot
initialize LDAP framework, deferring initialization. Error: An error
occurred while attempting to connect to server ldap1.slu.cz:389:
IOException(LDAPException(resultCode=91 (connect error),
errorMessage='An error occurred while attempting to establish a
connection to server ldap1.slu.cz/193.84.206.212:389:
SocketException(Network is unreachable (connect failed)),
ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
...
INFO: API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS
profile='CRO' user='my_user'
Password:
...
WARNING: [ovirt-engine-extension-aaa-ldap.authn::auth.CRO.slu.cz] Cannot
initialize LDAP framework, deferring initialization. Error: An error
occurred while attempting to connect to server ldap1.slu.cz:389:
IOException(LDAPException(resultCode=91 (connect error),
errorMessage='An error occurred while attempting to establish a
connection to server ldap1.slu.cz/193.84.206.212:389:
SocketException(Network is unreachable (connect failed)),
ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
Oct 01, 2020 10:57:37 AM
org.ovirt.engine.exttool.core.ExtensionsToolExecutor main
SEVERE: An error occurred while attempting to connect to server
ldap1.slu.cz:389:  IOException(LDAPException(resultCode=91 (connect
error), errorMessage='An error occurred while attempting to establish a
connection to server ldap1.slu.cz/193.84.206.212:389:
SocketException(Network is unreachable (connect failed)),
ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))

debug with tcpdump reveals only that connection is made and there are
only "bindRequest" and "bindResponse success" messages visible (with
correct tcp handshake and close) and nothing more

any help would be appreciated

Cheers,

Jiri



smime.p7s
Description: S/MIME Cryptographic Signature
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/M4MFGXGJ33R5DFX66HHGENOROHGOTF2D/

[ovirt-users] LDAP/AD issue

2020-08-26 Thread kim . kargaard

Hi all,

We have had our ovirt instance connected to our internal AD for users to log 
into the VM portal for the last year, linked to studentdomene.noroff.no. This 
has been working without any problems. We had it set up and the DNS server had 
a forward record to the DC's. All good. 

Then, of course, the institution decided to introduce student emails and they 
decided to add the domain stud.noroff.no for student emails and made this the 
primary domain in the AD. The problem is that when this is changed, students 
can no longer log into the engine. I have of course changed the ldap settings 
and added a forward record on the DNS to the new domain. However, it seems that 
the domain is studentdomene.noroff.no, but with an added UPN suffix with 
stud.noroff.no 

When students try to log in, with the config changes, they get this error in 
the browser:

server_error: An error occurred while attempting to query DNS in order to 
retrieve SRV records with name '_ldap._tcp.stud.noroff.no': 
NameNotFoundException(DNS name not found [response code 3]), 
ldapSDKVersion=4.0.7, revision=b28fb50058dfe2864171df2448ad2ad2b4c2ad58 

Any ideas on how to solve this issue? 

My config looks like this:

sudo cat /etc/ovirt-engine/aaa/Students.properties 
[sudo] password for noroffadmin: 
include = 

vars.domain = studentdomene.noroff.no
vars.user = CN=ovirt auth,CN=Users,DC=stud,DC=noroff,DC=no
vars.password = PASSWORD

pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}

my forward on the DNS server looks like this:
sudo cat /etc/named/named.conf.local
[sudo] password for noroffadmin: 
zone "platform.noroff.no"{
type master;
file "/etc/named/zones/db.platform.noroff.no";  # zone file path
};
zone "stud.noroff.no" {
type forward;
forward only;
forwarders { 172.24.111.20; 172.27.111.20; 172.21.111.20; 
172.16.111.20; };
};
zone "studentdomene.noroff.no" {
type forward;
forward only;
forwarders { 172.24.111.20; 172.27.111.20; 172.21.111.20; 
172.16.111.20; };
};
zone "122.16.172.in-addr.arpa" {
type master;
file "/etc/named/zones/db.122.16.172";  # 172.16.122.0/24 subnet
};

Any pointers would be greatly appreciated :)

Kim
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/4NUUMBLEUD2MYZVAMGY2AJVBS235CEQK/

[ovirt-users] LDAP setup fails on 4.4 reading PEM file

2020-06-11 Thread Stack Korora

Greetings,
I'm having some issues getting LDAP working on CentOS 8 with oVirt 4.4.
I would appreciate some help please.

When I run ovirt-engine-extension-aaa-ldap-setup I choose "11 - RFC-2307
Schema (Generic)" because that's what my LDAP guy said I should do. :-)

Next I select the default Yes for "Use DNS".

I select 4 for "Failover between multiple hosts".

I put in my two hosts "svr1.my.domain srv2.my.domain".

To select the protocol I type "ldaps".

To select the method to obtain the PEM I type "File".

Then the "File path". A full path to the file. Not quoted. Yes, I
checked that I typed it correct. I can copy-paste into "ls" and it's
fine with the correct read permissions and everything. (I can't copy
paste into the script but that's another issue.)

It immediately fails with:
[ ERROR ] Failed to execute stage 'Environment customization': a
byte-like object is required, not 'str'

There is a log file, here is the snippet at the point it goes wrong.

2020-06-11 11:35:49,915-0500 DEBUG otopi.plugins.otopi.dialog.human
dialog.__logString:204 DIALOG:SEND File path:
2020-06-11 11:36:24,373-0500 DEBUG otopi.plugins.otopi.dialog.human
dialog.__logString:204 DIALOG:RECEIVE
/etc/pki/ca-trust/source/anchors/Infrastructure.pem
2020-06-11 11:36:24,375-0500 DEBUG otopi.context
context._executeMethod:145 method exception
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/otopi/context.py", line 132, in
_executeMethod
method['method']()
  File
"/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py",
line 781, in _customization_late
cacert, cacertfile, insecure = self._getCACert()
  File
"/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py",
line 357, in _getCACert
_cacertfile.write('\n'.join(cacert) + '\n')
  File "/usr/lib64/python3.6/tempfile.py", line 485, in func_wrapper
return func(*args, **kwargs)
TypeError: a bytes-like object is required, not 'str'
2020-06-11 11:36:24,376-0500 ERROR otopi.context
context._executeMethod:154 Failed to execute stage 'Environment
customization': a bytes-like object is required, not 'str'
2020-06-11 11:36:24,376-0500 DEBUG otopi.context
context.dumpEnvironment:765 ENVIRONMENT DUMP - BEGIN
2020-06-11 11:36:24,376-0500 DEBUG otopi.context
context.dumpEnvironment:775 ENV BASE/error=bool:'True'
2020-06-11 11:36:24,376-0500 DEBUG otopi.context
context.dumpEnvironment:775 ENV BASE/exceptionInfo=list:'[(, TypeError("a bytes-like object is required, not 'str'",),
)]'
2020-06-11 11:36:24,377-0500 DEBUG otopi.context
context.dumpEnvironment:775 ENV OVAAALDAP_LDAP/hosts=str:'svr1.my.domain
srv2.my.domain'
2020-06-11 11:36:24,377-0500 DEBUG otopi.context
context.dumpEnvironment:775 ENV OVAAALDAP_LDAP/protocol=str:'ldaps'
2020-06-11 11:36:24,377-0500 DEBUG otopi.context
context.dumpEnvironment:775 ENV OVAAALDAP_LDAP/serverset=str:'failover'
2020-06-11 11:36:24,377-0500 DEBUG otopi.context
context.dumpEnvironment:775 ENV OVAAALDAP_LDAP/useDNS=bool:'True'
2020-06-11 11:36:24,378-0500 DEBUG otopi.context
context.dumpEnvironment:775 ENV
QUESTION/1/OVAAALDAP_LDAP_CACERT_FILE=str:'/etc/pki/ca-trust/source/anchors/Infrastructure.pem'
2020-06-11 11:36:24,378-0500 DEBUG otopi.context
context.dumpEnvironment:775 ENV
QUESTION/1/OVAAALDAP_LDAP_CACERT_METHOD=str:'file'
2020-06-11 11:36:24,378-0500 DEBUG otopi.context
context.dumpEnvironment:775 ENV
QUESTION/1/OVAAALDAP_LDAP_PROTOCOL=str:'ldaps'
2020-06-11 11:36:24,378-0500 DEBUG otopi.context
context.dumpEnvironment:775 ENV QUESTION/1/OVAAALDAP_LDAP_SERVERSET=str:'4'
2020-06-11 11:36:24,378-0500 DEBUG otopi.context
context.dumpEnvironment:775 ENV QUESTION/1/OVAAALDAP_LDAP_USE_DNS=str:'yes'
2020-06-11 11:36:24,378-0500 DEBUG otopi.context
context.dumpEnvironment:775 ENV
QUESTION/2/OVAAALDAP_LDAP_SERVERSET=str:'svr1.my.domain srv2.my.domain'
2020-06-11 11:36:24,378-0500 DEBUG otopi.context
context.dumpEnvironment:779 ENVIRONMENT DUMP - END


Can someone help please?
Thanks!
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/MHBAPSJOFLAWFMBT4HPJAZUYB3ODL7BX/

[ovirt-users] LDAP

2020-03-20 Thread Nicholas Emmerling

Would you please provide any documentation you have regarding configuring oVirt 
to work with LDAP. Preferably the guest VMs as well as the Hosts/Nodes 
themselves. Thank you.

nicholas.emmerl...@me.com


Sent from my iPhone
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/CV7IAUQHUC2YIAHITQKDN5YIYSR533AE/

[ovirt-users] LDAP Users constatly can't login on Ovirt Portal

2019-10-25 Thread rubennunes12

Hello,

So we have LDAP Authentication configured on Ovirt with aaa-extension, but the 
users of LDAP are constantly not being able to login, but when i restart 
ovirt-engine they can login again, but after some time they can't again bellow 
i will leave some logs:

2019-10-25 13:38:20,287+01 ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] 
(default task-1) [] Session expired.
2019-10-25 13:39:01,503+01 INFO  
[org.ovirt.engine.extension.aaa.jdbc.core.Tasks] (default task-4) [] (house 
keeping) deleting failed logins prior to 2019-10-18 12:39:01Z.
2019-10-25 13:39:06,659+01 ERROR 
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default 
task-3) [] EVENT_ID: USER_VDC_LOGIN_FAILED(114), User username@ldapprofile 
connecting from '' failed to log in : 'Unable to log in. Verify your login 
information or contact the system administrator.'.

If you need anything else let me now!

Thank you!
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/WAS2GMLJOVBC4DSB7DIHAKJIXZB2TCOX/

[ovirt-users] LDAP Group issue with rfc2307bis

2019-07-17 Thread Timmi


Hi oVirt List,

I'm currently working on my new oVirt setup and want to integrate it 
into our LDAP server.
Accounts are working fine but I have problems to get the groups working 
correctly.


The LDAP server is base on ClearOS which is using the rfc2307bis setup. 
Means I don't have MemberOf inside my users. The user DN is as Member 
inside the group.


I manage that oVirt is able to read the groups while overwriting:
search.rfc2307-resolve-groups-memberUid.search-request.filter = 
&(objectClass=posixGroup)(memberUid=${seq:_rfc2307_uid_encoded})

with
search.rfc2307-resolve-groups-memberUid.search-request.filter = 
&(objectClass=posixGroup)(member=${seq:_rfc2307_dn})


This is working absolutely fine for my admin group in "Administrator 
Portal". I can asign the group to the system permission "SuperUser" and 
everything is working great.


My problem is with the "VM Portal" I have assigned "PowerUser" rights to 
a quota and it is possible to login but I receive the following error in 
the engine.log.


2019-07-18 07:38:12,317+02 ERROR 
[org.ovirt.engine.core.bll.GetPermissionsForObjectQuery] (default 
task-5) [a6828f8b-8ded-422f-a216-5e5406d7bf20] Query execution failed 
due to insufficient permissions.
2019-07-18 07:38:12,319+02 ERROR 
[org.ovirt.engine.api.restapi.resource.AbstractBackendResource] (default 
task-5) [] Operation Failed: query execution failed due to insufficient 
permissions.


I'm able to see the group permission in the user details. So I guess 
that something is already working. But I guess the error is preventing 
me to have the "create VM" button on the "VM Portal".


Would be great if someone could help me out.

I'm running the latest 4.3.4 version.

Best regards
Christoph
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/KML5XQ6QI6JKWQMY3WPQAMJCKSSW2OFS/

[ovirt-users] LDAP - not able to find members of groups

2019-05-08 Thread Timmi


Hi oVirt List,

I manage to connect oVirt to my LDAP and I'm able to search for users 
and groups.


I'm using openLDAP within a ClearOS installation and it looks like this 
is a bit different to the standard openLDAP.


Inside the LDAP groups there is an attribute with is calls "member".

Example:
member    cn=Timmi,ou=Users,ou=Accounts,dc=domain,dc=com

Is someone able to help me how to make sure that oVirt is able to join 
the users to the groups?


Best regards
Timmi
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/PBQXDJGOZ2ET347YDZFSQPFJGMNSALHD/

[ovirt-users] LDAP Bind failing because of SSLHandshakeException after Virtualization Manager was rebooted

2018-11-13 Thread wbhegedus

After moving and rebooting our Red Hat Virtualization Manager box to another 
node in our cluster, we are unable to make LDAP login work using StartTLS. No 
networking or configuration changes were made, but the logs indicate that the 
TLS negotiation is failing with our Active Directory domain controllers now. 
Specifically: 

"2018-11-13 10:33:12,500-05 WARN  
[org.ovirt.engineextensions.aaa.ldap.Framework] (ServerService Thread Pool -- 
49) [] Exception: The connection reader was unable to successfully complete TLS 
negotiation:  SSLHandshakeException(sun.security.validator.ValidatorException: 
No trusted certificate found), ldapSDKVersion=4.0.5, 
revision=b28fb50058dfe2864171df2448ad2ad2b4c2ad58"

I have tried everything I can think of. I removed and reimported the 
certificate for the domain controller in the Java Keystore. I deleted the 
profile entirely and recreated it. I tried using the full certificate chain and 
I tried using single certificates from the chain, and all combinations together.

For now, we have it working by specifying "pool.default.ssl.insecure = true" in 
the .properties file, but I'd prefer to have this working again using StartTLS. 
Is there something I am missing? I want to make sure that I'm not overlooking 
something before submitting any sort of bug report.

Any help is appreciated. Thanks!

PS - this is what the properties file looks like:
[root@rhvm ~]# cat /etc/ovirt-engine/aaa/liberty.edu.properties 
include = 

vars.domain = liberty.edu
vars.user = cn=PREADER,ou=Service 
Accounts,ou=IS,OU=FSA,dc=University,dc=liberty,dc=edu
vars.password = 

pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = ${local:_basedir}/liberty.edu.jks
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/MZ3I6BOJFKNP3UPIF6WGGTBXJLTAMTPM/

[ovirt-users] LDAP-Error

2018-09-26 Thread Budur Nagaraju

Hi

Have configured LDAP authentication in oVirt4.2, but unable to login facing
issues below is the error log and configuration, able to search the users
in the UI at same time unable to search the Group.

Can someone help on the same?


Error :

https://pastebin.com/76cZdV7d

Configuration:

https://pastebin.com/nRmibZh7

Thanks,
Nagaraju
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/XYNGCLUPDFRI4QSGBBFSYXS4RIVSZZJU/

[ovirt-users] Ldap-configure

2018-09-26 Thread Budur Nagaraju

Hi

Can you please let us know how to configure LDAP authentication in oVirt
4.2 ?

Thanks,
Nagaraju
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/DNHC4DIEM6OSYWR7XG4SXMHL7I6UUIE7/

[ovirt-users] LDAP authentication does not work after engine upgrade to ovirt 4.6

2018-09-11 Thread Michael Watters

I've just upgraded our ovirt engine server to ovirt 4.6 and it appears
that LDAP logins no longer work.  When I attempt to log in using an AD
account the following errors are shown in the engine log.

2018-09-11 10:03:44,610-04 ERROR
[org.ovirt.engine.core.sso.servlets.InteractiveAuthServlet] (default
task-10) [] Internal Server Error: Cannot locate principal
'usern...@example.com'
2018-09-11 10:03:44,610-04 ERROR
[org.ovirt.engine.core.sso.utils.SsoUtils] (default task-10) [] Cannot
locate principal 'usern...@example.com'
2018-09-11 10:03:44,645-04 ERROR
[org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default
task-10) [] server_error: Cannot locate principal 'usern...@example.com'

I have not changed any LDAP settings and ldapsearch is able to find this
object without any issues.  Does anybody have any idea what would cause
this?


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/JRRXINSYZXLGD4YCQL5NKEIRGMOCV4AV/

[ovirt-users] LDAP login extension

2018-07-01 Thread Mariusz Kozakowski

Hello,

We managed to setup oVirt Engine with your help, now we're facing other issue.

I'm trying to configure AD auth for web portal, but unfortunately I got error 
during ovirt-engine-extension-aaa-ldap-setup:


  2018-06-27 09:06:21,926+02 INFO

  2018-06-27 09:06:21,926+02 INFO== 
Execution ===
  2018-06-27 09:06:21,926+02 INFO

  2018-06-27 09:06:21,927+02 INFOIteration: 0
  2018-06-27 09:06:21,928+02 INFOProfile='ad' authn='ad-authn' 
authz='ad-authz' mapping='null'
  2018-06-27 09:06:21,928+02 INFOAPI: 
-->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='ad' user='username'
  2018-06-27 09:06:21,945+02 INFOAPI: 
<--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='ad' result=SUCCESS
  2018-06-27 09:06:21,948+02 INFO--- Begin AuthRecord ---
  2018-06-27 09:06:21,949+02 INFOAAA_AUTHN_AUTH_RECORD_PRINCIPAL: 
username
  2018-06-27 09:06:21,949+02 INFO--- End   AuthRecord ---
  2018-06-27 09:06:21,950+02 INFOAPI: 
-->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='username'
  2018-06-27 09:06:21,952+02 WARNING Ignoring records from pool: 'gc'
  2018-06-27 09:06:21,953+02 SEVERE  Cannot resolve principal 'username'

Do you have any idea what's the issue and what we're missing? As it looks like 
credentials are correct - passing wrong username gives fail earlier, so issue 
is somewhere after authentication.


--

Best regards/Pozdrawiam/MfG

Mariusz Kozakowski

Site Reliability Engineer

Dansk Supermarked Group
Baltic Business Park
ul. 1 Maja 38-39
71-627 Szczecin
dansksupermarked.com
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/6BZXOA6ZXMSN5EPC67LNBUSANJLUBHA7/

[ovirt-users] LDAP logins do not work

2018-06-13 Thread Michael Watters

I've ran the ovirt-engine-extension-aaa-ldap-setup command to configure
LDAP authentication using Active Directory however I am unable to
authenticate using valid credentials.  Here is the output show while
testing the login flow.

[ INFO  ] Executing login sequence...
  Login output:
  2018-06-13 11:27:17,931-04 INFO   

  2018-06-13 11:27:17,960-04 INFO   
 Initialization 
  2018-06-13 11:27:17,960-04 INFO   

  2018-06-13 11:27:17,999-04 INFO    Loading extension
'example.com-authn'
  2018-06-13 11:27:18,072-04 INFO    Extension
'example.com-authn' loaded
  2018-06-13 11:27:18,077-04 INFO    Loading extension
'example.com-authz'
  2018-06-13 11:27:18,089-04 INFO    Extension
'example.com-authz' loaded
  2018-06-13 11:27:18,090-04 INFO    Initializing extension
'example.com-authn'
  2018-06-13 11:27:18,091-04 INFO   
[ovirt-engine-extension-aaa-ldap.authn::example.com-authn] Creating LDAP
pool 'authz'
  2018-06-13 11:27:19,574-04 WARNING Exception: 80090308:
LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e,
v3839
  2018-06-13 11:27:19,576-04 INFO   
[ovirt-engine-extension-aaa-ldap.authn::example.com-authn] Creating LDAP
pool 'authn'
  2018-06-13 11:27:20,668-04 INFO   
[ovirt-engine-extension-aaa-ldap.authn::example.com-authn] LDAP pool
'authn' information: vendor='null' version='null'
  2018-06-13 11:27:20,674-04 WARNING Ignoring records from pool:
'authz'
  2018-06-13 11:27:20,676-04 WARNING Ignoring records from pool:
'authz'
  2018-06-13 11:27:20,676-04 INFO    Extension
'example.com-authn' initialized
  2018-06-13 11:27:20,677-04 INFO    Initializing extension
'example.com-authz'
  2018-06-13 11:27:20,679-04 INFO   
[ovirt-engine-extension-aaa-ldap.authz::example.com-authz] Creating LDAP
pool 'authz'
  2018-06-13 11:27:21,270-04 WARNING Exception: 80090308:
LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e,
v3839
  2018-06-13 11:27:21,273-04 INFO   
[ovirt-engine-extension-aaa-ldap.authz::example.com-authz] Creating LDAP
pool 'gc'
  2018-06-13 11:27:22,065-04 WARNING Exception: 80090308:
LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e,
v1db1
  2018-06-13 11:27:22,069-04 WARNING Ignoring records from pool:
'authz'
  2018-06-13 11:27:22,072-04 WARNING Ignoring records from pool:
'authz'
  2018-06-13 11:27:22,085-04 WARNING Ignoring records from pool:
'authz'
  2018-06-13 11:27:22,086-04 INFO   
[ovirt-engine-extension-aaa-ldap.authz::example.com-authz] Available
Namespaces: []
  2018-06-13 11:27:22,087-04 INFO    Extension
'example.com-authz' initialized
  2018-06-13 11:27:22,088-04 INFO    Start of enabled extensions
list
  2018-06-13 11:27:22,089-04 INFO    Instance name:
'example.com-authz', Extension name:
'ovirt-engine-extension-aaa-ldap.authz', Version: '1.3.7', Notes:
'Display name: ovirt-engine-extension-aaa-ldap-1.3.7-1.el7.centos',
License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt
Project', Build interface Version: '0',  File:
'/tmp/tmpPQluAI/extensions.d/example.com-authz.properties', Initialized:
'true'
  2018-06-13 11:27:22,089-04 INFO    Instance name:
'example.com-authn', Extension name:
'ovirt-engine-extension-aaa-ldap.authn', Version: '1.3.7', Notes:
'Display name: ovirt-engine-extension-aaa-ldap-1.3.7-1.el7.centos',
License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt
Project', Build interface Version: '0',  File:
'/tmp/tmpPQluAI/extensions.d/example.com-authn.properties', Initialized:
'true'
  2018-06-13 11:27:22,090-04 INFO    End of enabled extensions list
  2018-06-13 11:27:22,090-04 INFO   

  2018-06-13 11:27:22,090-04 INFO   
== Execution ===
  2018-06-13 11:27:22,091-04 INFO   

  2018-06-13 11:27:22,091-04 INFO    Iteration: 0
  2018-06-13 11:27:22,093-04 INFO    Profile='example.com'
authn='example.com-authn' authz='example.com-authz' mapping='null'
  2018-06-13 11:27:22,094-04 INFO    API:
-->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='example.com'
user='d861703'
  2018-06-13 11:27:22,251-04 INFO    API:
<--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='example.com'
result=CREDENTIALS_INCORRECT
  2018-06-13 11:27:22,262-04 SEVERE  Authn.Result code is:
CREDENTIALS_INCORRECT
[ ERROR ] Login sequence failed

Does anybody know what LdapErr: DSID-0C09042A, comment:
Acce

[ovirt-users] LDAP Authentication issues

2018-05-25 Thread Callum Smith

Dear All,

I'm having problems getting LDAP running, login works, but I'm getting "user is 
not authorised to perform login" - this is even if i specify the UserRole 
specifically to the LDAP group the user is in.

2018-05-25 08:56:16,212+01 INFO  
[org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-23) [] User 
callum@Biomedical Research Computing successfully logged in with scopes: 
ovirt-app-admin ovirt-app-api ovirt-app-portal 
ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all 
ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search 
ovirt-ext=token-info:validate ovirt-ext=token:password-access
2018-05-25 08:56:16,391+01 INFO  
[org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-25) 
[63e60fe9] Running command: CreateUserSessionCommand internal: false.
2018-05-25 08:56:16,430+01 ERROR 
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default 
task-25) [63e60fe9] EVENT_ID: USER_VDC_LOGIN_FAILED(114), User 
callum@Biomedical Research Computing connecting from '192.168.65.254' failed to 
log in.
2018-05-25 08:56:16,430+01 ERROR 
[org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-25) [] 
The user callum@Biomedical Research Computing is not authorized to perform login


on a side note: is it possible to assign permissions to all members of an LDAP 
tree where they dont have a common group membership?

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk

___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org

Re: [ovirt-users] LDAP sources

2017-11-15 Thread Ondra Machacek

Hello,

On Wed, Nov 15, 2017 at 9:03 AM, Magnus Isaksson  wrote:
> Hello,
>
> I have tried googling and searching in the documentation, but i can't seem
> to find any instructions on how to remove a authentication source.
>
> The background is that i did set up an FreeIPA server for auth, worked
> perfectly, but i ran into some problems using that to auth other systems, so
> i had to setup a new FreeIPA server and added that to oVirt, but now i want
> to remove the old one, but can not seem to find how.
> Anyone sitting on that info?

You have to remove the extension files of the old IPA server. It's
following files:

 - /etc/ovirt-engine/extensions.d/ipa-old-authn.properties
 - /etc/ovirt-engine/extensions.d/ipa-old-authn.properties
 - /etc/ovirt-engine/aaa/ipa-old.properties

Also don't forget to remove all users and groups of the old profile
via webadmin.

>
> And while on the subject, how do i set the FreeIPA auth as default auth
> source in oVirt?

Yes, this is supported since 4.0 release. You can check more info in
this bugzilla:

 https://bugzilla.redhat.com/show_bug.cgi?id=1296274

What you need to do is, add this line:

ovirt.engine.aaa.authn.default.profile=true

to your authn properties file of the profile, you want to have the default.

>
> Regards
>  Magnus
>
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

[ovirt-users] LDAP sources

2017-11-15 Thread Magnus Isaksson


Hello,

I have tried googling and searching in the documentation, but i can't 
seem to find any instructions on how to remove a authentication source.


The background is that i did set up an FreeIPA server for auth, worked 
perfectly, but i ran into some problems using that to auth other 
systems, so i had to setup a new FreeIPA server and added that to 
oVirt, but now i want to remove the old one, but can not seem to find 
how.

Anyone sitting on that info?

And while on the subject, how do i set the FreeIPA auth as default auth 
source in oVirt?


Regards
Magnus
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

[ovirt-users] Ldap authentification filtering with custom attribute

2017-08-16 Thread Jean-mathieu CHANTREIN

Hello. 

Here is a way to filtering a group of ldap user by one of custom attribute and 
not by groups ? By example, I tryed (without success) to put this entry in 
/etc/ovirt-engine/extensions.d/my-ldap-authz.properties : 

search.simple-resolve-groups-memberOf.search-request.filter = 
&(myCustomAttribute=nameOfAttributeToFilter) 

And if it's possible, can I have filtering with more than one attribute (i.e.: 
each attribute will be discriminate like a group) ? 

Thanks for your help. 

Regards. 

Jean-Mathieu 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] LDAP-based domain not working after upgrade?

2016-08-15 Thread Nicolás

El 15/08/16 a las 13:28, Ondra Machacek escribió:

On 08/13/2016 12:44 AM, nico...@devels.es wrote:

El 2016-08-12 20:38, Ondra Machacek escribió:

On 08/12/2016 05:53 PM, nico...@devels.es wrote:

El 2016-08-10 14:46, Nicolás escribió:

En 10/8/2016 2:29 p. m., Alexander Wels  escribió:

On Wednesday, August 10, 2016 9:02:16 AM EDT Alexander Wels wrote:

On Wednesday, August 10, 2016 9:10:25 AM EDT nico...@devels.es

wrote:

El 2016-08-10 08:58, Ondra Machacek escribió:

> On 08/10/2016 09:37 AM, Nicolás wrote:

>> Hi,

>>

>> We're running oVirt 4.0.1.1 [1], and we're trying to grant a

permission to

>> a

>> user on a VM. Thing is when we open the 'Permissions' subtab

on that

>> VM,

>> we click on Add, the LDAP backend shows up but any value

entered into

>> the search box returns nothing, even when I know the values

exist.

>>

>> This has been working on oVirt 3.x, we actually migrated to

4.x last

>> week and didn't notice this issue.

>>

>> Additionally, there's no combobox to choose the permission to

grant?

>

> There should be combo box to choose a role.

I've attached a screenshot, seems there's not.

Its highly likely the dropdown is there, but its scrolled below

the bottom

of the dialog and thus you can't see it. I thought I made sure all

the

dialogs were working, seems like I missed one. Let me check it out

and see

what is going on.

Okay I double checked, I went to the VMs main tab, selected a VM,
then went to

the permissions sub tab. Clicked add. The dialog that popped up
looks like the

one attached, which is what I was expecting. The one you attached
appears to

be missing some styling, which is likely what caused the Role to
Assign part

to be scrolled below the bottom of the page.

Can you complete clear your cache (not shift reload, but
settings->clear

cache). If that doesn't work can you tell us the version of the
patternfly rpm

installed on your engine?

Yes, I already did that, also opened the engine on different clients
and the behavior is the same, I believe this is not a client issue.
Patternfly package is patternfly1-1.3.0-1.el7.centos.noarch

Ok, this indeed seems like a graphics problem since I am seeing this
connecting to a machine through a VNC server and the Role combobox is
moved down out of the dialog.

However, the LDAP issue persists. When I choose the 'internal' 
domain, I
can search the 'admin' user successfully, however, if I set it to 
be the

LDAP domain, any search returns nothing.

Any hints or ideas how to debug this?

Can you please enable debug log[1] and send it here?

[1]
https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/blob/master/README#L442 

Thanks. I was now able to see why it is failing:

TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (default task-13)
[] SearchRequest: Exception: LDAPSearchException(resultCode=11 (admin
limit exceeded), numEntries=0, numReferences=0, errorMessage='admin
limit exceeded')

This is server error, that number of entries to be returned is higher, 
than the limit set on server.
You should either increase that limit server side, or don't use '*', 
but use some filter. ( ie. user* )

That's the problem, the patterns we enter in the search box are specific 
usernames that usually return only one or 2 results at most from the 
LDAP directory, that's why I think this filter is needlessly too broad 
in our case. I've been making the query more specific on the command 
line (i.e., using ldapsearch) and removing some of the OR (|) clauses 
seems to return a lower number of entries below the limit, that's why I 
asked if it's possible to manually specify the filter.

Do you think it would be useful to open a RFE on BZ asking for a feature 
to allow the user specify the filter?

I'll see what's the best way to workaround this problem as is, either 
defining a user and allowing them a higher number of returned results or 
increasing the limit on the server side.

Thanks.

Indeed, if I run that query using the ldapsearch command I can clearly
see it is returning an "admin limit exceeded" error.

The applied filter is:
(&(objectClass=posixAccount)(uid=*)(|(givenName=username)(sn=username)(displayName=username)(uid=username))) 

Strange thing is this hasn't been an issue on oVirt 3.6.x and we've not
changed our LDAP configuration. Has the filter been changed in 4.x by
default?

It didn't.

If so, is there a way to override the filter to make it simpler? (In our
case we'll always seek by username, so no need to search by givenName,
sn or displayName).

Filtering is constructed on client side, in this case ovirt-engine 
backend,

so unfortunatelly it's not easilly modifiable.

Thanks.

Thanks.

Anyhow, I see there are lots of packages to update so I'll do so
within a few days and report results.

>> All this is done with the admin@internal user, so I guess

this is not

>> a

Re: [ovirt-users] LDAP-based domain not working after upgrade?

2016-08-15 Thread Ondra Machacek

On 08/13/2016 12:44 AM, nico...@devels.es wrote:

El 2016-08-12 20:38, Ondra Machacek escribió:

On 08/12/2016 05:53 PM, nico...@devels.es wrote:

El 2016-08-10 14:46, Nicolás escribió:

En 10/8/2016 2:29 p. m., Alexander Wels  escribió:

On Wednesday, August 10, 2016 9:02:16 AM EDT Alexander Wels wrote:

On Wednesday, August 10, 2016 9:10:25 AM EDT nico...@devels.es

wrote:

El 2016-08-10 08:58, Ondra Machacek escribió:

> On 08/10/2016 09:37 AM, Nicolás wrote:

>> Hi,

>>

>> We're running oVirt 4.0.1.1 [1], and we're trying to grant a

permission to

>> a

>> user on a VM. Thing is when we open the 'Permissions' subtab

on that

>> VM,

>> we click on Add, the LDAP backend shows up but any value

entered into

>> the search box returns nothing, even when I know the values

exist.

>>

>> This has been working on oVirt 3.x, we actually migrated to

4.x last

>> week and didn't notice this issue.

>>

>> Additionally, there's no combobox to choose the permission to

grant?

>

> There should be combo box to choose a role.

I've attached a screenshot, seems there's not.

Its highly likely the dropdown is there, but its scrolled below

the bottom

of the dialog and thus you can't see it. I thought I made sure all

the

dialogs were working, seems like I missed one. Let me check it out

and see

what is going on.

Okay I double checked, I went to the VMs main tab, selected a VM,
then went to

the permissions sub tab. Clicked add. The dialog that popped up
looks like the

one attached, which is what I was expecting. The one you attached
appears to

be missing some styling, which is likely what caused the Role to
Assign part

to be scrolled below the bottom of the page.

Can you complete clear your cache (not shift reload, but
settings->clear

cache). If that doesn't work can you tell us the version of the
patternfly rpm

installed on your engine?

Yes, I already did that, also opened the engine on different clients
and the behavior is the same, I believe this is not a client issue.
Patternfly package is patternfly1-1.3.0-1.el7.centos.noarch

Ok, this indeed seems like a graphics problem since I am seeing this
connecting to a machine through a VNC server and the Role combobox is
moved down out of the dialog.

However, the LDAP issue persists. When I choose the 'internal' domain, I
can search the 'admin' user successfully, however, if I set it to be the
LDAP domain, any search returns nothing.

Any hints or ideas how to debug this?

Can you please enable debug log[1] and send it here?

[1]
https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/blob/master/README#L442

Thanks. I was now able to see why it is failing:

TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (default task-13)
[] SearchRequest: Exception: LDAPSearchException(resultCode=11 (admin
limit exceeded), numEntries=0, numReferences=0, errorMessage='admin
limit exceeded')

This is server error, that number of entries to be returned is higher, 
than the limit set on server.
You should either increase that limit server side, or don't use '*', but 
use some filter. ( ie. user* )

Indeed, if I run that query using the ldapsearch command I can clearly
see it is returning an "admin limit exceeded" error.

The applied filter is:
(&(objectClass=posixAccount)(uid=*)(|(givenName=username)(sn=username)(displayName=username)(uid=username)))

Strange thing is this hasn't been an issue on oVirt 3.6.x and we've not
changed our LDAP configuration. Has the filter been changed in 4.x by
default?

It didn't.

If so, is there a way to override the filter to make it simpler? (In our
case we'll always seek by username, so no need to search by givenName,
sn or displayName).

Filtering is constructed on client side, in this case ovirt-engine backend,
so unfortunatelly it's not easilly modifiable.

Thanks.

Thanks.

Anyhow, I see there are lots of packages to update so I'll do so
within a few days and report results.

>> All this is done with the admin@internal user, so I guess

this is not

>> a

>> self-permission issue.

>>

>> Interesting thing is that I can successfully log-in to the

user portal

>> with a LDAP based user and manage all the VMs assigned to

them.

>>

>> Just to see if there's been any configuration change, we also

run the

>> ovirt-engine-extension-aaa-ldap-setup tool, the configuration

it

>> returns

>> is pretty similar to ours, and even the test commands (Login,

Search)

>> work successfully (I can see search returning user's data

like name,

>> surname, ...). We even applied this configuration to engine

to see if

>> it

>> makes a difference but the result is the same, the search

dialog

>> returns

>> nothing and neither I can see the permission to grant.

>>

>> Any hint about this?

>

> Maybe you hit similar issue to this one[1].

>

> Can you please share engine.

Re: [ovirt-users] LDAP-based domain not working after upgrade?

2016-08-12 Thread nicolas

El 2016-08-12 20:38, Ondra Machacek escribió:

On 08/12/2016 05:53 PM, nico...@devels.es wrote:

El 2016-08-10 14:46, Nicolás escribió:

En 10/8/2016 2:29 p. m., Alexander Wels  escribió:

On Wednesday, August 10, 2016 9:02:16 AM EDT Alexander Wels wrote:

On Wednesday, August 10, 2016 9:10:25 AM EDT nico...@devels.es

wrote:

El 2016-08-10 08:58, Ondra Machacek escribió:

> On 08/10/2016 09:37 AM, Nicolás wrote:

>> Hi,

>>

>> We're running oVirt 4.0.1.1 [1], and we're trying to grant a

permission to

>> a

>> user on a VM. Thing is when we open the 'Permissions' subtab

on that

>> VM,

>> we click on Add, the LDAP backend shows up but any value

entered into

>> the search box returns nothing, even when I know the values

exist.

>>

>> This has been working on oVirt 3.x, we actually migrated to

4.x last

>> week and didn't notice this issue.

>>

>> Additionally, there's no combobox to choose the permission to

grant?

>

> There should be combo box to choose a role.

I've attached a screenshot, seems there's not.

Its highly likely the dropdown is there, but its scrolled below

the bottom

of the dialog and thus you can't see it. I thought I made sure all

the

dialogs were working, seems like I missed one. Let me check it out

and see

what is going on.

Okay I double checked, I went to the VMs main tab, selected a VM,
then went to

the permissions sub tab. Clicked add. The dialog that popped up
looks like the

one attached, which is what I was expecting. The one you attached
appears to

be missing some styling, which is likely what caused the Role to
Assign part

to be scrolled below the bottom of the page.

Can you complete clear your cache (not shift reload, but
settings->clear

cache). If that doesn't work can you tell us the version of the
patternfly rpm

installed on your engine?

Yes, I already did that, also opened the engine on different clients
and the behavior is the same, I believe this is not a client issue.
Patternfly package is patternfly1-1.3.0-1.el7.centos.noarch

Ok, this indeed seems like a graphics problem since I am seeing this
connecting to a machine through a VNC server and the Role combobox is
moved down out of the dialog.

However, the LDAP issue persists. When I choose the 'internal' domain, 
I
can search the 'admin' user successfully, however, if I set it to be 
the

LDAP domain, any search returns nothing.

Any hints or ideas how to debug this?

Can you please enable debug log[1] and send it here?

[1]
https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/blob/master/README#L442

Thanks. I was now able to see why it is failing:

TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (default task-13) 
[] SearchRequest: Exception: LDAPSearchException(resultCode=11 (admin 
limit exceeded), numEntries=0, numReferences=0, errorMessage='admin 
limit exceeded')

Indeed, if I run that query using the ldapsearch command I can clearly 
see it is returning an "admin limit exceeded" error.

The applied filter is: 
(&(objectClass=posixAccount)(uid=*)(|(givenName=username)(sn=username)(displayName=username)(uid=username)))

Strange thing is this hasn't been an issue on oVirt 3.6.x and we've not 
changed our LDAP configuration. Has the filter been changed in 4.x by 
default?

If so, is there a way to override the filter to make it simpler? (In our 
case we'll always seek by username, so no need to search by givenName, 
sn or displayName).

Thanks.

Thanks.

Anyhow, I see there are lots of packages to update so I'll do so
within a few days and report results.

>> All this is done with the admin@internal user, so I guess

this is not

>> a

>> self-permission issue.

>>

>> Interesting thing is that I can successfully log-in to the

user portal

>> with a LDAP based user and manage all the VMs assigned to

them.

>>

>> Just to see if there's been any configuration change, we also

run the

>> ovirt-engine-extension-aaa-ldap-setup tool, the configuration

it

>> returns

>> is pretty similar to ours, and even the test commands (Login,

Search)

>> work successfully (I can see search returning user's data

like name,

>> surname, ...). We even applied this configuration to engine

to see if

>> it

>> makes a difference but the result is the same, the search

dialog

>> returns

>> nothing and neither I can see the permission to grant.

>>

>> Any hint about this?

>

> Maybe you hit similar issue to this one[1].

>

> Can you please share engine.log, while you hit search button?

I'm also attaching the log at the time I hit the search button,

but I'm

afraid there's no entry about that.

Thanks.

> [1] https [2]://bugzilla.redhat.com/show_bug.cgi?id=1356675

[2]

>

>> Thanks

>> ___

>> Users mailing list

>> Users@ovirt.org

>> http [3]://lists.ovirt

Re: [ovirt-users] LDAP-based domain not working after upgrade?

2016-08-12 Thread Ondra Machacek

On 08/12/2016 05:53 PM, nico...@devels.es wrote:

El 2016-08-10 14:46, Nicolás escribió:

En 10/8/2016 2:29 p. m., Alexander Wels  escribió:

On Wednesday, August 10, 2016 9:02:16 AM EDT Alexander Wels wrote:

On Wednesday, August 10, 2016 9:10:25 AM EDT nico...@devels.es

wrote:

El 2016-08-10 08:58, Ondra Machacek escribió:

> On 08/10/2016 09:37 AM, Nicolás wrote:

>> Hi,

>>

>> We're running oVirt 4.0.1.1 [1], and we're trying to grant a

permission to

>> a

>> user on a VM. Thing is when we open the 'Permissions' subtab

on that

>> VM,

>> we click on Add, the LDAP backend shows up but any value

entered into

>> the search box returns nothing, even when I know the values

exist.

>>

>> This has been working on oVirt 3.x, we actually migrated to

4.x last

>> week and didn't notice this issue.

>>

>> Additionally, there's no combobox to choose the permission to

grant?

>

> There should be combo box to choose a role.

I've attached a screenshot, seems there's not.

Its highly likely the dropdown is there, but its scrolled below

the bottom

of the dialog and thus you can't see it. I thought I made sure all

the

dialogs were working, seems like I missed one. Let me check it out

and see

what is going on.

Okay I double checked, I went to the VMs main tab, selected a VM,
then went to

the permissions sub tab. Clicked add. The dialog that popped up
looks like the

one attached, which is what I was expecting. The one you attached
appears to

be missing some styling, which is likely what caused the Role to
Assign part

to be scrolled below the bottom of the page.

Can you complete clear your cache (not shift reload, but
settings->clear

cache). If that doesn't work can you tell us the version of the
patternfly rpm

installed on your engine?

Yes, I already did that, also opened the engine on different clients
and the behavior is the same, I believe this is not a client issue.
Patternfly package is patternfly1-1.3.0-1.el7.centos.noarch

Ok, this indeed seems like a graphics problem since I am seeing this
connecting to a machine through a VNC server and the Role combobox is
moved down out of the dialog.

However, the LDAP issue persists. When I choose the 'internal' domain, I
can search the 'admin' user successfully, however, if I set it to be the
LDAP domain, any search returns nothing.

Any hints or ideas how to debug this?

Can you please enable debug log[1] and send it here?

[1] 
https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/blob/master/README#L442

Thanks.

Anyhow, I see there are lots of packages to update so I'll do so
within a few days and report results.

>> All this is done with the admin@internal user, so I guess

this is not

>> a

>> self-permission issue.

>>

>> Interesting thing is that I can successfully log-in to the

user portal

>> with a LDAP based user and manage all the VMs assigned to

them.

>>

>> Just to see if there's been any configuration change, we also

run the

>> ovirt-engine-extension-aaa-ldap-setup tool, the configuration

it

>> returns

>> is pretty similar to ours, and even the test commands (Login,

Search)

>> work successfully (I can see search returning user's data

like name,

>> surname, ...). We even applied this configuration to engine

to see if

>> it

>> makes a difference but the result is the same, the search

dialog

>> returns

>> nothing and neither I can see the permission to grant.

>>

>> Any hint about this?

>

> Maybe you hit similar issue to this one[1].

>

> Can you please share engine.log, while you hit search button?

I'm also attaching the log at the time I hit the search button,

but I'm

afraid there's no entry about that.

Thanks.

> [1] https [2]://bugzilla.redhat.com/show_bug.cgi?id=1356675

[2]

>

>> Thanks

>> ___

>> Users mailing list

>> Users@ovirt.org

>> http [3]://lists.ovirt.org/ [3]mailman [3]/ [3]listinfo [3]/

[3]users [3]

___

Users mailing list

Users@ovirt.org

http [3]://lists.ovirt.org/ [3]mailman [3]/ [3]listinfo [3]/

[3]users [3]

___

Users mailing list

Users@ovirt.org

http [3]://lists.ovirt.org/ [3]mailman [3]/ [3]listinfo [3]/
[3]users [3]

Links:
--
[1] http://4.0.1.1
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1356675
[3] http://lists.ovirt.org/mailman/listinfo/users

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinf

Re: [ovirt-users] LDAP-based domain not working after upgrade?

2016-08-12 Thread nicolas

El 2016-08-10 14:46, Nicolás escribió:

En 10/8/2016 2:29 p. m., Alexander Wels  escribió:

On Wednesday, August 10, 2016 9:02:16 AM EDT Alexander Wels wrote:

On Wednesday, August 10, 2016 9:10:25 AM EDT nico...@devels.es

wrote:

El 2016-08-10 08:58, Ondra Machacek escribió:

> On 08/10/2016 09:37 AM, Nicolás wrote:

>> Hi,

>>

>> We're running oVirt 4.0.1.1 [1], and we're trying to grant a

permission to

>> a

>> user on a VM. Thing is when we open the 'Permissions' subtab

on that

>> VM,

>> we click on Add, the LDAP backend shows up but any value

entered into

>> the search box returns nothing, even when I know the values

exist.

>>

>> This has been working on oVirt 3.x, we actually migrated to

4.x last

>> week and didn't notice this issue.

>>

>> Additionally, there's no combobox to choose the permission to

grant?

>

> There should be combo box to choose a role.

I've attached a screenshot, seems there's not.

Its highly likely the dropdown is there, but its scrolled below

the bottom

of the dialog and thus you can't see it. I thought I made sure all

the

dialogs were working, seems like I missed one. Let me check it out

and see

what is going on.

Okay I double checked, I went to the VMs main tab, selected a VM,
then went to

the permissions sub tab. Clicked add. The dialog that popped up
looks like the

one attached, which is what I was expecting. The one you attached
appears to

be missing some styling, which is likely what caused the Role to
Assign part

to be scrolled below the bottom of the page.

Can you complete clear your cache (not shift reload, but
settings->clear

cache). If that doesn't work can you tell us the version of the
patternfly rpm

installed on your engine?

Yes, I already did that, also opened the engine on different clients
and the behavior is the same, I believe this is not a client issue.
Patternfly package is patternfly1-1.3.0-1.el7.centos.noarch

Ok, this indeed seems like a graphics problem since I am seeing this 
connecting to a machine through a VNC server and the Role combobox is 
moved down out of the dialog.

However, the LDAP issue persists. When I choose the 'internal' domain, I 
can search the 'admin' user successfully, however, if I set it to be the 
LDAP domain, any search returns nothing.

Any hints or ideas how to debug this?

Thanks.

Anyhow, I see there are lots of packages to update so I'll do so
within a few days and report results.

>> All this is done with the admin@internal user, so I guess

this is not

>> a

>> self-permission issue.

>>

>> Interesting thing is that I can successfully log-in to the

user portal

>> with a LDAP based user and manage all the VMs assigned to

them.

>>

>> Just to see if there's been any configuration change, we also

run the

>> ovirt-engine-extension-aaa-ldap-setup tool, the configuration

it

>> returns

>> is pretty similar to ours, and even the test commands (Login,

Search)

>> work successfully (I can see search returning user's data

like name,

>> surname, ...). We even applied this configuration to engine

to see if

>> it

>> makes a difference but the result is the same, the search

dialog

>> returns

>> nothing and neither I can see the permission to grant.

>>

>> Any hint about this?

>

> Maybe you hit similar issue to this one[1].

>

> Can you please share engine.log, while you hit search button?

I'm also attaching the log at the time I hit the search button,

but I'm

afraid there's no entry about that.

Thanks.

> [1] https [2]://bugzilla.redhat.com/show_bug.cgi?id=1356675

[2]

>

>> Thanks

>> ___

>> Users mailing list

>> Users@ovirt.org

>> http [3]://lists.ovirt.org/ [3]mailman [3]/ [3]listinfo [3]/

[3]users [3]

___

Users mailing list

Users@ovirt.org

http [3]://lists.ovirt.org/ [3]mailman [3]/ [3]listinfo [3]/

[3]users [3]

___

Users mailing list

Users@ovirt.org

http [3]://lists.ovirt.org/ [3]mailman [3]/ [3]listinfo [3]/
[3]users [3]

Links:
--
[1] http://4.0.1.1
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1356675
[3] http://lists.ovirt.org/mailman/listinfo/users

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] LDAP-based domain not working after upgrade?

2016-08-10 Thread nicolas

El 2016-08-10 14:46, Nicolás escribió:

En 10/8/2016 2:29 p. m., Alexander Wels  escribió:

On Wednesday, August 10, 2016 9:02:16 AM EDT Alexander Wels wrote:

On Wednesday, August 10, 2016 9:10:25 AM EDT nico...@devels.es

wrote:

El 2016-08-10 08:58, Ondra Machacek escribió:

> On 08/10/2016 09:37 AM, Nicolás wrote:

>> Hi,

>>

>> We're running oVirt 4.0.1.1 [1], and we're trying to grant a

permission to

>> a

>> user on a VM. Thing is when we open the 'Permissions' subtab

on that

>> VM,

>> we click on Add, the LDAP backend shows up but any value

entered into

>> the search box returns nothing, even when I know the values

exist.

>>

>> This has been working on oVirt 3.x, we actually migrated to

4.x last

>> week and didn't notice this issue.

>>

>> Additionally, there's no combobox to choose the permission to

grant?

>

> There should be combo box to choose a role.

I've attached a screenshot, seems there's not.

Its highly likely the dropdown is there, but its scrolled below

the bottom

of the dialog and thus you can't see it. I thought I made sure all

the

dialogs were working, seems like I missed one. Let me check it out

and see

what is going on.

Okay I double checked, I went to the VMs main tab, selected a VM,
then went to

the permissions sub tab. Clicked add. The dialog that popped up
looks like the

one attached, which is what I was expecting. The one you attached
appears to

be missing some styling, which is likely what caused the Role to
Assign part

to be scrolled below the bottom of the page.

Can you complete clear your cache (not shift reload, but
settings->clear

cache). If that doesn't work can you tell us the version of the
patternfly rpm

installed on your engine?

Yes, I already did that, also opened the engine on different clients
and the behavior is the same, I believe this is not a client issue.
Patternfly package is patternfly1-1.3.0-1.el7.centos.noarch

Anyhow, I see there are lots of packages to update so I'll do so
within a few days and report results.

So I was able to update all packages, restart run engine-setup just in 
case, restart ovirt-engine and the situation is the same. I remembered 
we also have a dev. environment oVirt installation which we upgraded 
from 3.6.7 to 4.0.1 and same happens here, so finally we have 3 
independent oVirt installations with the same problem. There's something 
not working as intended.

I'm attaching a list of packages on oVirt engine and their versions if 
you want to check if there's something wrong with versioning, although 
everything seems to be ok.

Thanks!

>> All this is done with the admin@internal user, so I guess

this is not

>> a

>> self-permission issue.

>>

>> Interesting thing is that I can successfully log-in to the

user portal

>> with a LDAP based user and manage all the VMs assigned to

them.

>>

>> Just to see if there's been any configuration change, we also

run the

>> ovirt-engine-extension-aaa-ldap-setup tool, the configuration

it

>> returns

>> is pretty similar to ours, and even the test commands (Login,

Search)

>> work successfully (I can see search returning user's data

like name,

>> surname, ...). We even applied this configuration to engine

to see if

>> it

>> makes a difference but the result is the same, the search

dialog

>> returns

>> nothing and neither I can see the permission to grant.

>>

>> Any hint about this?

>

> Maybe you hit similar issue to this one[1].

>

> Can you please share engine.log, while you hit search button?

I'm also attaching the log at the time I hit the search button,

but I'm

afraid there's no entry about that.

Thanks.

> [1] https [2]://bugzilla.redhat.com/show_bug.cgi?id=1356675

[2]

>

>> Thanks

>> ___

>> Users mailing list

>> Users@ovirt.org

>> http [3]://lists.ovirt.org/ [3]mailman [3]/ [3]listinfo [3]/

[3]users [3]

___

Users mailing list

Users@ovirt.org

http [3]://lists.ovirt.org/ [3]mailman [3]/ [3]listinfo [3]/

[3]users [3]

___

Users mailing list

Users@ovirt.org

http [3]://lists.ovirt.org/ [3]mailman [3]/ [3]listinfo [3]/
[3]users [3]

Links:
--
[1] http://4.0.1.1
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1356675
[3] http://lists.ovirt.org/mailman/listinfo/users

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/usersovirt-engine-4.0.1.1-1.el7.centos.noarch
ovirt-engine-backend-4.0.1.1-1.el7.centos.noarch
ovirt-engine-cli-3.6.8.0-1.el7.centos.noarch
ovirt-engine-dashboard-1.0.0-0.2.20160610git5d210ea.el7.centos.noarch
ovirt-engine-dbscripts-4.0.1.1-1.el7.centos.noarch
ovirt-engine-dwh-4.0.1-1.el7.centos.no

Re: [ovirt-users] LDAP-based domain not working after upgrade?

2016-08-10 Thread Nicolás

En 10/8/2016 2:29 p. m., Alexander Wels  escribió:

On Wednesday, August 10, 2016 9:02:16 AM EDT Alexander Wels wrote:

> On Wednesday, August 10, 2016 9:10:25 AM EDT nicolas@devels.es wrote:

> > El 2016-08-10 08:58, Ondra Machacek escribió:

> > > On 08/10/2016 09:37 AM, Nicolás wrote:

> > >> Hi,

> > >> 

> > >> We're running oVirt 4.0.1.1, and we're trying to grant a permission to

> > >> a

> > >> user on a VM. Thing is when we open the 'Permissions' subtab on that

> > >> VM,

> > >> we click on Add, the LDAP backend shows up but any value entered into

> > >> the search box returns nothing, even when I know the values exist.

> > >> 

> > >> This has been working on oVirt 3.x, we actually migrated to 4.x last

> > >> week and didn't notice this issue.

> > >> 

> > >> Additionally, there's no combobox to choose the permission to grant?

> > > 

> > > There should be combo box to choose a role.

> > 

> > I've attached a screenshot, seems there's not.

> 

> Its highly likely the dropdown is there, but its scrolled below the bottom

> of the dialog and thus you can't see it. I thought I made sure all the

> dialogs were working, seems like I missed one. Let me check it out and see

> what is going on.

> 



Okay I double checked, I went to the VMs main tab, selected a VM, then went to 

the permissions sub tab. Clicked add. The dialog that popped up looks like the 

one attached, which is what I was expecting. The one you attached appears to 

be missing some styling, which is likely what caused the Role to Assign part 

to be scrolled below the bottom of the page.



Can you complete clear your cache (not shift reload, but settings->clear 

cache). If that doesn't work can you tell us the version of the patternfly rpm 

installed on your engine?



Yes, I already did that, also opened the engine on different clients and the behavior is the same, I believe this is not a client issue. Patternfly package is patternfly1-1.3.0-1.el7.centos.noarch



Anyhow, I see there are lots of packages to update so I'll do so within a few days and report results.



> > >> All this is done with the admin@internal user, so I guess this is not

> > >> a

> > >> self-permission issue.

> > >> 

> > >> Interesting thing is that I can successfully log-in to the user portal

> > >> with a LDAP based user and manage all the VMs assigned to them.

> > >> 

> > >> Just to see if there's been any configuration change, we also run the

> > >> ovirt-engine-extension-aaa-ldap-setup tool, the configuration it

> > >> returns

> > >> is pretty similar to ours, and even the test commands (Login, Search)

> > >> work successfully (I can see search returning user's data like name,

> > >> surname, ...). We even applied this configuration to engine to see if

> > >> it

> > >> makes a difference but the result is the same, the search dialog

> > >> returns

> > >> nothing and neither I can see the permission to grant.

> > >> 

> > >> Any hint about this?

> > > 

> > > Maybe you hit similar issue to this one[1].

> > > 

> > > Can you please share engine.log, while you hit search button?

> > 

> > I'm also attaching the log at the time I hit the search button, but I'm

> > afraid there's no entry about that.

> > 

> > Thanks.

> > 

> > > [1] https://bugzilla.redhat.com/show_bug.cgi?id=1356675

> > > 

> > >> Thanks

> > >> ___

> > >> Users mailing list

> > >> Users@ovirt.org

> > >> http://lists.ovirt.org/mailman/listinfo/users

> 

> ___

> Users mailing list

> Users@ovirt.org

> http://lists.ovirt.org/mailman/listinfo/users

___

Users mailing list

Users@ovirt.org

http://lists.ovirt.org/mailman/listinfo/users




___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] LDAP-based domain not working after upgrade?

2016-08-10 Thread Alexander Wels

On Wednesday, August 10, 2016 9:02:16 AM EDT Alexander Wels wrote:
> On Wednesday, August 10, 2016 9:10:25 AM EDT nico...@devels.es wrote:
> > El 2016-08-10 08:58, Ondra Machacek escribió:
> > > On 08/10/2016 09:37 AM, Nicolás wrote:
> > >> Hi,
> > >> 
> > >> We're running oVirt 4.0.1.1, and we're trying to grant a permission to
> > >> a
> > >> user on a VM. Thing is when we open the 'Permissions' subtab on that
> > >> VM,
> > >> we click on Add, the LDAP backend shows up but any value entered into
> > >> the search box returns nothing, even when I know the values exist.
> > >> 
> > >> This has been working on oVirt 3.x, we actually migrated to 4.x last
> > >> week and didn't notice this issue.
> > >> 
> > >> Additionally, there's no combobox to choose the permission to grant?
> > > 
> > > There should be combo box to choose a role.
> > 
> > I've attached a screenshot, seems there's not.
> 
> Its highly likely the dropdown is there, but its scrolled below the bottom
> of the dialog and thus you can't see it. I thought I made sure all the
> dialogs were working, seems like I missed one. Let me check it out and see
> what is going on.
> 

Okay I double checked, I went to the VMs main tab, selected a VM, then went to 
the permissions sub tab. Clicked add. The dialog that popped up looks like the 
one attached, which is what I was expecting. The one you attached appears to 
be missing some styling, which is likely what caused the Role to Assign part 
to be scrolled below the bottom of the page.

Can you complete clear your cache (not shift reload, but settings->clear 
cache). If that doesn't work can you tell us the version of the patternfly rpm 
installed on your engine?

Alexander

> > >> All this is done with the admin@internal user, so I guess this is not
> > >> a
> > >> self-permission issue.
> > >> 
> > >> Interesting thing is that I can successfully log-in to the user portal
> > >> with a LDAP based user and manage all the VMs assigned to them.
> > >> 
> > >> Just to see if there's been any configuration change, we also run the
> > >> ovirt-engine-extension-aaa-ldap-setup tool, the configuration it
> > >> returns
> > >> is pretty similar to ours, and even the test commands (Login, Search)
> > >> work successfully (I can see search returning user's data like name,
> > >> surname, ...). We even applied this configuration to engine to see if
> > >> it
> > >> makes a difference but the result is the same, the search dialog
> > >> returns
> > >> nothing and neither I can see the permission to grant.
> > >> 
> > >> Any hint about this?
> > > 
> > > Maybe you hit similar issue to this one[1].
> > > 
> > > Can you please share engine.log, while you hit search button?
> > 
> > I'm also attaching the log at the time I hit the search button, but I'm
> > afraid there's no entry about that.
> > 
> > Thanks.
> > 
> > > [1] https://bugzilla.redhat.com/show_bug.cgi?id=1356675
> > > 
> > >> Thanks
> > >> ___
> > >> Users mailing list
> > >> Users@ovirt.org
> > >> http://lists.ovirt.org/mailman/listinfo/users
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] LDAP-based domain not working after upgrade?

2016-08-10 Thread Alexander Wels

On Wednesday, August 10, 2016 9:10:25 AM EDT nico...@devels.es wrote:
> El 2016-08-10 08:58, Ondra Machacek escribió:
> > On 08/10/2016 09:37 AM, Nicolás wrote:
> >> Hi,
> >> 
> >> We're running oVirt 4.0.1.1, and we're trying to grant a permission to
> >> a
> >> user on a VM. Thing is when we open the 'Permissions' subtab on that
> >> VM,
> >> we click on Add, the LDAP backend shows up but any value entered into
> >> the search box returns nothing, even when I know the values exist.
> >> 
> >> This has been working on oVirt 3.x, we actually migrated to 4.x last
> >> week and didn't notice this issue.
> >> 
> >> Additionally, there's no combobox to choose the permission to grant?
> > 
> > There should be combo box to choose a role.
> 
> I've attached a screenshot, seems there's not.
> 

Its highly likely the dropdown is there, but its scrolled below the bottom of 
the dialog and thus you can't see it. I thought I made sure all the dialogs 
were working, seems like I missed one. Let me check it out and see what is 
going on.

> >> All this is done with the admin@internal user, so I guess this is not
> >> a
> >> self-permission issue.
> >> 
> >> Interesting thing is that I can successfully log-in to the user portal
> >> with a LDAP based user and manage all the VMs assigned to them.
> >> 
> >> Just to see if there's been any configuration change, we also run the
> >> ovirt-engine-extension-aaa-ldap-setup tool, the configuration it
> >> returns
> >> is pretty similar to ours, and even the test commands (Login, Search)
> >> work successfully (I can see search returning user's data like name,
> >> surname, ...). We even applied this configuration to engine to see if
> >> it
> >> makes a difference but the result is the same, the search dialog
> >> returns
> >> nothing and neither I can see the permission to grant.
> >> 
> >> Any hint about this?
> > 
> > Maybe you hit similar issue to this one[1].
> > 
> > Can you please share engine.log, while you hit search button?
> 
> I'm also attaching the log at the time I hit the search button, but I'm
> afraid there's no entry about that.
> 
> Thanks.
> 
> > [1] https://bugzilla.redhat.com/show_bug.cgi?id=1356675
> > 
> >> Thanks
> >> ___
> >> Users mailing list
> >> Users@ovirt.org
> >> http://lists.ovirt.org/mailman/listinfo/users


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] LDAP-based domain not working after upgrade?

2016-08-10 Thread nicolas


El 2016-08-10 13:36, nico...@devels.es escribió:

El 2016-08-10 09:32, Ondra Machacek escribió:

On 08/10/2016 10:10 AM, nico...@devels.es wrote:

El 2016-08-10 08:58, Ondra Machacek escribió:

On 08/10/2016 09:37 AM, Nicolás wrote:

Hi,

We're running oVirt 4.0.1.1, and we're trying to grant a permission 
to a
user on a VM. Thing is when we open the 'Permissions' subtab on 
that VM,
we click on Add, the LDAP backend shows up but any value entered 
into

the search box returns nothing, even when I know the values exist.

This has been working on oVirt 3.x, we actually migrated to 4.x 
last

week and didn't notice this issue.

Additionally, there's no combobox to choose the permission to 
grant?


There should be combo box to choose a role.



I've attached a screenshot, seems there's not.


OK, it seems like some UI issue. Can you please force reload or clear
browser cache?
Maybe try different browser.



Nope... Cleaned cache from Chrome, Firefox, same result. Even private
windows have the same behaviour. By the way, we have 2 independent
oVirt infrastructures, both upgraded from 3.6.7 and both have the same
issue, I just had a look at the second and the same happens here (no
log in engine.log either). This second is 4.0.0 instead of 4.0.0,
FWIW.



I meant: This second is 4.0.0 instead of 4.0.1





All this is done with the admin@internal user, so I guess this is 
not a

self-permission issue.

Interesting thing is that I can successfully log-in to the user 
portal

with a LDAP based user and manage all the VMs assigned to them.

Just to see if there's been any configuration change, we also run 
the
ovirt-engine-extension-aaa-ldap-setup tool, the configuration it 
returns
is pretty similar to ours, and even the test commands (Login, 
Search)
work successfully (I can see search returning user's data like 
name,
surname, ...). We even applied this configuration to engine to see 
if it
makes a difference but the result is the same, the search dialog 
returns

nothing and neither I can see the permission to grant.

Any hint about this?


Maybe you hit similar issue to this one[1].

Can you please share engine.log, while you hit search button?



I'm also attaching the log at the time I hit the search button, but 
I'm

afraid there's no entry about that.

Thanks.



[1] https://bugzilla.redhat.com/show_bug.cgi?id=1356675



Thanks
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] LDAP-based domain not working after upgrade?

2016-08-10 Thread nicolas


El 2016-08-10 09:32, Ondra Machacek escribió:

On 08/10/2016 10:10 AM, nico...@devels.es wrote:

El 2016-08-10 08:58, Ondra Machacek escribió:

On 08/10/2016 09:37 AM, Nicolás wrote:

Hi,

We're running oVirt 4.0.1.1, and we're trying to grant a permission 
to a
user on a VM. Thing is when we open the 'Permissions' subtab on that 
VM,
we click on Add, the LDAP backend shows up but any value entered 
into

the search box returns nothing, even when I know the values exist.

This has been working on oVirt 3.x, we actually migrated to 4.x last
week and didn't notice this issue.

Additionally, there's no combobox to choose the permission to grant?


There should be combo box to choose a role.



I've attached a screenshot, seems there's not.


OK, it seems like some UI issue. Can you please force reload or clear
browser cache?
Maybe try different browser.



Nope... Cleaned cache from Chrome, Firefox, same result. Even private 
windows have the same behaviour. By the way, we have 2 independent oVirt 
infrastructures, both upgraded from 3.6.7 and both have the same issue, 
I just had a look at the second and the same happens here (no log in 
engine.log either). This second is 4.0.0 instead of 4.0.0, FWIW.






All this is done with the admin@internal user, so I guess this is 
not a

self-permission issue.

Interesting thing is that I can successfully log-in to the user 
portal

with a LDAP based user and manage all the VMs assigned to them.

Just to see if there's been any configuration change, we also run 
the
ovirt-engine-extension-aaa-ldap-setup tool, the configuration it 
returns
is pretty similar to ours, and even the test commands (Login, 
Search)

work successfully (I can see search returning user's data like name,
surname, ...). We even applied this configuration to engine to see 
if it
makes a difference but the result is the same, the search dialog 
returns

nothing and neither I can see the permission to grant.

Any hint about this?


Maybe you hit similar issue to this one[1].

Can you please share engine.log, while you hit search button?



I'm also attaching the log at the time I hit the search button, but 
I'm

afraid there's no entry about that.

Thanks.



[1] https://bugzilla.redhat.com/show_bug.cgi?id=1356675



Thanks
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] LDAP-based domain not working after upgrade?

2016-08-10 Thread Ondra Machacek


On 08/10/2016 10:10 AM, nico...@devels.es wrote:

El 2016-08-10 08:58, Ondra Machacek escribió:

On 08/10/2016 09:37 AM, Nicolás wrote:

Hi,

We're running oVirt 4.0.1.1, and we're trying to grant a permission to a
user on a VM. Thing is when we open the 'Permissions' subtab on that VM,
we click on Add, the LDAP backend shows up but any value entered into
the search box returns nothing, even when I know the values exist.

This has been working on oVirt 3.x, we actually migrated to 4.x last
week and didn't notice this issue.

Additionally, there's no combobox to choose the permission to grant?


There should be combo box to choose a role.



I've attached a screenshot, seems there's not.


OK, it seems like some UI issue. Can you please force reload or clear 
browser cache?

Maybe try different browser.





All this is done with the admin@internal user, so I guess this is not a
self-permission issue.

Interesting thing is that I can successfully log-in to the user portal
with a LDAP based user and manage all the VMs assigned to them.

Just to see if there's been any configuration change, we also run the
ovirt-engine-extension-aaa-ldap-setup tool, the configuration it returns
is pretty similar to ours, and even the test commands (Login, Search)
work successfully (I can see search returning user's data like name,
surname, ...). We even applied this configuration to engine to see if it
makes a difference but the result is the same, the search dialog returns
nothing and neither I can see the permission to grant.

Any hint about this?


Maybe you hit similar issue to this one[1].

Can you please share engine.log, while you hit search button?



I'm also attaching the log at the time I hit the search button, but I'm
afraid there's no entry about that.

Thanks.



[1] https://bugzilla.redhat.com/show_bug.cgi?id=1356675



Thanks
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] LDAP-based domain not working after upgrade?

2016-08-10 Thread nicolas


El 2016-08-10 08:58, Ondra Machacek escribió:

On 08/10/2016 09:37 AM, Nicolás wrote:

Hi,

We're running oVirt 4.0.1.1, and we're trying to grant a permission to 
a
user on a VM. Thing is when we open the 'Permissions' subtab on that 
VM,

we click on Add, the LDAP backend shows up but any value entered into
the search box returns nothing, even when I know the values exist.

This has been working on oVirt 3.x, we actually migrated to 4.x last
week and didn't notice this issue.

Additionally, there's no combobox to choose the permission to grant?


There should be combo box to choose a role.



I've attached a screenshot, seems there's not.



All this is done with the admin@internal user, so I guess this is not 
a

self-permission issue.

Interesting thing is that I can successfully log-in to the user portal
with a LDAP based user and manage all the VMs assigned to them.

Just to see if there's been any configuration change, we also run the
ovirt-engine-extension-aaa-ldap-setup tool, the configuration it 
returns

is pretty similar to ours, and even the test commands (Login, Search)
work successfully (I can see search returning user's data like name,
surname, ...). We even applied this configuration to engine to see if 
it
makes a difference but the result is the same, the search dialog 
returns

nothing and neither I can see the permission to grant.

Any hint about this?


Maybe you hit similar issue to this one[1].

Can you please share engine.log, while you hit search button?



I'm also attaching the log at the time I hit the search button, but I'm 
afraid there's no entry about that.


Thanks.



[1] https://bugzilla.redhat.com/show_bug.cgi?id=1356675



Thanks
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

engine.tar.gz
Description: GNU Zip compressed data
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] LDAP-based domain not working after upgrade?

2016-08-10 Thread Ondra Machacek


On 08/10/2016 09:37 AM, Nicolás wrote:

Hi,

We're running oVirt 4.0.1.1, and we're trying to grant a permission to a
user on a VM. Thing is when we open the 'Permissions' subtab on that VM,
we click on Add, the LDAP backend shows up but any value entered into
the search box returns nothing, even when I know the values exist.

This has been working on oVirt 3.x, we actually migrated to 4.x last
week and didn't notice this issue.

Additionally, there's no combobox to choose the permission to grant?


There should be combo box to choose a role.



All this is done with the admin@internal user, so I guess this is not a
self-permission issue.

Interesting thing is that I can successfully log-in to the user portal
with a LDAP based user and manage all the VMs assigned to them.

Just to see if there's been any configuration change, we also run the
ovirt-engine-extension-aaa-ldap-setup tool, the configuration it returns
is pretty similar to ours, and even the test commands (Login, Search)
work successfully (I can see search returning user's data like name,
surname, ...). We even applied this configuration to engine to see if it
makes a difference but the result is the same, the search dialog returns
nothing and neither I can see the permission to grant.

Any hint about this?


Maybe you hit similar issue to this one[1].

Can you please share engine.log, while you hit search button?

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1356675



Thanks
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

[ovirt-users] LDAP-based domain not working after upgrade?

2016-08-10 Thread Nicolás


Hi,

We're running oVirt 4.0.1.1, and we're trying to grant a permission to a 
user on a VM. Thing is when we open the 'Permissions' subtab on that VM, 
we click on Add, the LDAP backend shows up but any value entered into 
the search box returns nothing, even when I know the values exist.


This has been working on oVirt 3.x, we actually migrated to 4.x last 
week and didn't notice this issue.


Additionally, there's no combobox to choose the permission to grant?

All this is done with the admin@internal user, so I guess this is not a 
self-permission issue.


Interesting thing is that I can successfully log-in to the user portal 
with a LDAP based user and manage all the VMs assigned to them.


Just to see if there's been any configuration change, we also run the 
ovirt-engine-extension-aaa-ldap-setup tool, the configuration it returns 
is pretty similar to ours, and even the test commands (Login, Search) 
work successfully (I can see search returning user's data like name, 
surname, ...). We even applied this configuration to engine to see if it 
makes a difference but the result is the same, the search dialog returns 
nothing and neither I can see the permission to grant.


Any hint about this?

Thanks
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] ldap and multiple profiles

2016-07-11 Thread Ondra Machacek

On 07/04/2016 04:13 PM, Fabrice Bacchella wrote:

I want to setup two LDAP base profile.

One is backed using an active directory (for real users)
One is backed using an openldap (for service account).

I have to problem with this setup.

One it's that in the log I see many "Creating LDAP pool 'authz'" and "Creating LDAP
pool 'authn'". If I have two LDAP backend, I'm afraid they will be a conflict of ldap pool if
they used the same name.

I am unsure I understand the problem, if you will use different profiles
you won't share the
pool. Can you send the log and explain on that what's going on, so we
can understand the

problem?

I tried to add in my openldap.properties:

search.simple-namespace.pool = authz-prod
search.simple-user-fetch.pool = authz-prod
search.simple-resolve-groups-member.pool = authz-prod
search.simple-resolve-groups-memberOf-item.pool = authz-prod
search.simple-resolve-groups-memberOf.pool = authz-prod
search.simple-query-principals.pool = authz-prod
search.simple-query-groups.pool = authz-prod

Is that enough ? And Why is it replicated many time ?

I have another problem, there is a stupid bug in my openldap configuration, but
it will be difficult to resolve that.

In it, there is two naming context
dc=sub,dc=example,dc=com
and
dc=example,dc=com

Ovirt only see the first one, and of course, with a little help from Murphy, I
need the seconde one. Is there anything I can do about that ?

Yes, you can. Please see[1] and check 'Is it possible to use specific
base DN instead of automatic resolution?'

[1] http://www.ovirt.org/develop/release-management/features/infra/aaa_faq/

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

[ovirt-users] ldap and multiple profiles

2016-07-04 Thread Fabrice Bacchella

I want to setup two LDAP base profile.

One is backed using an active directory (for real users)
One is backed using an openldap (for service account).

I have to problem with this setup.

One it's that in the log I see many "Creating LDAP pool 'authz'" and "Creating 
LDAP pool 'authn'". If I have two LDAP backend, I'm afraid they will be a 
conflict of ldap pool if they used the same name.

I tried to add in my openldap.properties:

search.simple-namespace.pool = authz-prod
search.simple-user-fetch.pool = authz-prod
search.simple-resolve-groups-member.pool = authz-prod
search.simple-resolve-groups-memberOf-item.pool = authz-prod
search.simple-resolve-groups-memberOf.pool = authz-prod
search.simple-query-principals.pool = authz-prod
search.simple-query-groups.pool = authz-prod

Is that enough ? And Why is it replicated many time ?

I have another problem, there is a stupid bug in my openldap configuration, but 
it will be difficult to resolve that.

In it, there is two naming context
dc=sub,dc=example,dc=com
and 
dc=example,dc=com

Ovirt only see the first one, and of course, with a little help from Murphy, I 
need the seconde one. Is there anything I can do about that ?

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] ldap servers configuration can be misleading with AD

2016-04-20 Thread Ondra Machacek


On 04/20/2016 10:33 AM, Fabrice Bacchella wrote:



Le 20 avr. 2016 à 10:16, Ondra Machacek  a écrit :

On 04/19/2016 07:46 PM, Fabrice Bacchella wrote:



Le 19 avr. 2016 à 17:35, Ondra Machacek  a écrit :

On 04/19/2016 04:37 PM, Fabrice Bacchella wrote:

I tried to plug ovirt using my company AD.

But I have a problem, the DNS srv records are not well managed and I can't use 
them so I changed pool.default.serverset.type from srvrecord to failover.


With AD you should use srvrecord, unless you have somehow miscofigured AD.
Can you please elaborate more what does it mean 'DNS srv records are not well 
managed'?


The command
dig +short  _ldap._tcp.dsone.3ds.com any | wc -l
return 122 lines. Out of that, I can only use less than 10, all other generates 
timeout. I don't know if it's firewall or forgotten DC that generate that. 
There is no way I can use srvrecord.
This domain is totally out of my reach, I have to take it as is.


ok, that's not good, but if some of the domains which are working are in same 
site, you can use 'domain-conversion'(works only with srvrecord):
pool.default.serverset.srvrecord.domain-conversion.type = regex
pool.default.serverset.srvrecord.domain-conversion.regex.pattern = 
^(?.*)$
pool.default.serverset.srvrecord.domain-conversion.regex.replacement = 
WORKING-SITE._sites.${domain}


What is that supposed to do ? All my DC are in the form xx-xxx-dcs99.${domain} 
and I have to pick a in this list. dig _sites.${domain} return nothing for me

what a regex will do ?


Well AD has something called sites[1].
With this regex, you can specify what computers will only be used.

[1] https://technet.microsoft.com/en-us/library/cc782048%28v=ws.10%29.aspx





Is that your case? Can you please share log of extensions-tool, so we can 
better understand
your problem and provide better help.


I have no knowledge about AD, I'm a 100% linux sysadmin and just use AD as an 
LDAP server, so all those forest/GC are unknown things for me.

I will send that in a private mail.



OK, will take a look.
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] ldap servers configuration can be misleading with AD

2016-04-20 Thread Fabrice Bacchella


> Le 20 avr. 2016 à 10:16, Ondra Machacek  a écrit :
> 
> On 04/19/2016 07:46 PM, Fabrice Bacchella wrote:
>> 
>>> Le 19 avr. 2016 à 17:35, Ondra Machacek  a écrit :
>>> 
>>> On 04/19/2016 04:37 PM, Fabrice Bacchella wrote:
 I tried to plug ovirt using my company AD.
 
 But I have a problem, the DNS srv records are not well managed and I can't 
 use them so I changed pool.default.serverset.type from srvrecord to 
 failover.
>>> 
>>> With AD you should use srvrecord, unless you have somehow miscofigured AD.
>>> Can you please elaborate more what does it mean 'DNS srv records are not 
>>> well managed'?
>> 
>> The command
>> dig +short  _ldap._tcp.dsone.3ds.com any | wc -l
>> return 122 lines. Out of that, I can only use less than 10, all other 
>> generates timeout. I don't know if it's firewall or forgotten DC that 
>> generate that. There is no way I can use srvrecord.
>> This domain is totally out of my reach, I have to take it as is.
> 
> ok, that's not good, but if some of the domains which are working are in same 
> site, you can use 'domain-conversion'(works only with srvrecord):
> pool.default.serverset.srvrecord.domain-conversion.type = regex
> pool.default.serverset.srvrecord.domain-conversion.regex.pattern = 
> ^(?.*)$
> pool.default.serverset.srvrecord.domain-conversion.regex.replacement = 
> WORKING-SITE._sites.${domain}

What is that supposed to do ? All my DC are in the form xx-xxx-dcs99.${domain} 
and I have to pick a in this list. dig _sites.${domain} return nothing for me

what a regex will do ?


> Is that your case? Can you please share log of extensions-tool, so we can 
> better understand
> your problem and provide better help.

I have no knowledge about AD, I'm a 100% linux sysadmin and just use AD as an 
LDAP server, so all those forest/GC are unknown things for me.

I will send that in a private mail.

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] ldap servers configuration can be misleading with AD

2016-04-20 Thread Ondra Machacek


On 04/19/2016 07:46 PM, Fabrice Bacchella wrote:



Le 19 avr. 2016 à 17:35, Ondra Machacek  a écrit :

On 04/19/2016 04:37 PM, Fabrice Bacchella wrote:

I tried to plug ovirt using my company AD.

But I have a problem, the DNS srv records are not well managed and I can't use 
them so I changed pool.default.serverset.type from srvrecord to failover.


With AD you should use srvrecord, unless you have somehow miscofigured AD.
Can you please elaborate more what does it mean 'DNS srv records are not well 
managed'?


The command
dig +short  _ldap._tcp.dsone.3ds.com any | wc -l
return 122 lines. Out of that, I can only use less than 10, all other generates 
timeout. I don't know if it's firewall or forgotten DC that generate that. 
There is no way I can use srvrecord.
This domain is totally out of my reach, I have to take it as is.


ok, that's not good, but if some of the domains which are working are in 
same site, you can use 'domain-conversion'(works only with srvrecord):

pool.default.serverset.srvrecord.domain-conversion.type = regex
pool.default.serverset.srvrecord.domain-conversion.regex.pattern = 
^(?.*)$
pool.default.serverset.srvrecord.domain-conversion.regex.replacement = 
WORKING-SITE._sites.${domain}






Can you please send engine log or if you are on 3.6, then use this command to 
test and provide log:
$ ovirt-engine-extensions-tool --log-level=FINEST --log-file=ad-search.log aaa 
search --entity-name=userX --extension-name=ad-authz


I kill it after 1h of execution, and a 1.6MB log file, when I have
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}

With pool.default.serverset.type = failover and 
pool.default.connection-options.connectTimeoutMillis = 500, I got:
time ovirt-engine-extensions-tool  bla
real1m29.264s
user0m6.837s
sys 0m0.291s
and a 278KB log file.


And with my setup (pool.default.serverset.type and 
pool.default.dc-resolve.default.serverset.type set to failover, 
pool.default.connection-options.connectTimeoutMillis = 500), I got
real0m5.084s
user0m6.343s
sys 0m0.164s
and a 199KB log file.


With pool.default.dc-resolve.enable = false, the results is the same than with 
failover for every one.


Ok. So assure in your failover servers are GCs(for correct group 
resolution).
Now it could use other servers (which you didn't specified in failover) 
in case you are resolving
user/group from different domain, so it's chasing refferal, in that case 
we run 'dig
domainX.forest.com A', so you can have actually more A 
records(inacessible) for it.


Is that your case? Can you please share log of extensions-tool, so we 
can better understand

your problem and provide better help.





Btw: Do you use mutli domain AD setup? Or only single domain?


I think it's a single domain, but I'm not a Microsoft expert at all.



___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] ldap servers configuration can be misleading with AD

2016-04-19 Thread Fabrice Bacchella

> Le 19 avr. 2016 à 17:35, Ondra Machacek  a écrit :
> 
> On 04/19/2016 04:37 PM, Fabrice Bacchella wrote:
>> I tried to plug ovirt using my company AD.
>> 
>> But I have a problem, the DNS srv records are not well managed and I can't 
>> use them so I changed pool.default.serverset.type from srvrecord to failover.
> 
> With AD you should use srvrecord, unless you have somehow miscofigured AD.
> Can you please elaborate more what does it mean 'DNS srv records are not well 
> managed'?

The command
dig +short  _ldap._tcp.dsone.3ds.com any | wc -l
return 122 lines. Out of that, I can only use less than 10, all other generates 
timeout. I don't know if it's firewall or forgotten DC that generate that. 
There is no way I can use srvrecord.
This domain is totally out of my reach, I have to take it as is.

> 
> Can you please send engine log or if you are on 3.6, then use this command to 
> test and provide log:
> $ ovirt-engine-extensions-tool --log-level=FINEST --log-file=ad-search.log 
> aaa search --entity-name=userX --extension-name=ad-authz

I kill it after 1h of execution, and a 1.6MB log file, when I have
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}

With pool.default.serverset.type = failover and 
pool.default.connection-options.connectTimeoutMillis = 500, I got:
time ovirt-engine-extensions-tool  bla
real1m29.264s
user0m6.837s
sys 0m0.291s
and a 278KB log file.

And with my setup (pool.default.serverset.type and 
pool.default.dc-resolve.default.serverset.type set to failover, 
pool.default.connection-options.connectTimeoutMillis = 500), I got
real0m5.084s
user0m6.343s
sys 0m0.164s
and a 199KB log file.

With pool.default.dc-resolve.enable = false, the results is the same than with 
failover for every one.

> 
> Btw: Do you use mutli domain AD setup? Or only single domain?

I think it's a single domain, but I'm not a Microsoft expert at all.

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Re: [ovirt-users] ldap servers configuration can be misleading with AD

2016-04-19 Thread Ondra Machacek


On 04/19/2016 04:37 PM, Fabrice Bacchella wrote:

I tried to plug ovirt using my company AD.

But I have a problem, the DNS srv records are not well managed and I can't use 
them so I changed pool.default.serverset.type from srvrecord to failover.


With AD you should use srvrecord, unless you have somehow miscofigured AD.
Can you please elaborate more what does it mean 'DNS srv records are not 
well managed'?


Can you please send engine log or if you are on 3.6, then use this 
command to test and provide log:
$ ovirt-engine-extensions-tool --log-level=FINEST 
--log-file=ad-search.log aaa search --entity-name=userX 
--extension-name=ad-authz


Btw: Do you use mutli domain AD setup? Or only single domain?



But it was not enough, it was still using those invalid records. It was used by 
pool.default.dc-resolve.default.serverset.type too. I found that after digging 
in the source. I wonder why it should be specified twice. Why 
pool.default.dc-resolve.default.serverset and pool.default.serverset are 
different ?


You can disable 'dc-resolve' by 'pool.default.dc-resolve.enable = false',
but first you should find issue.



I also need to specify search.ad-resolve-upn.search-request.baseDN because it 
didn't found it any more. I wonder if it's related.

My aaa property file:

include = 

vars.domain = MYDOME
vars.user = A_DN
vars.password = the_password
vars.forest = my_forest

pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = failover
pool.default.serverset.failover.1.server = server1
pool.default.serverset.failover.2.server = server2
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = trust.jks
pool.default.ssl.truststore.password =
pool.default.ssl.startTLSProtocol = TLSv1.2

pool.default.connection-options.connectTimeoutMillis = 500
pool.default.dc-resolve.enable = true
pool.default.dc-resolve.default.serverset.type = failover
pool.default.dc-resolve.serverset.failover.1.server = server1
pool.default.dc-resolve.serverset.failover.2.server = server2

search.ad-resolve-upn.search-request.baseDN = BASE_DN


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

[ovirt-users] ldap servers configuration can be misleading with AD

2016-04-19 Thread Fabrice Bacchella

I tried to plug ovirt using my company AD.

But I have a problem, the DNS srv records are not well managed and I can't use 
them so I changed pool.default.serverset.type from srvrecord to failover.

But it was not enough, it was still using those invalid records. It was used by 
pool.default.dc-resolve.default.serverset.type too. I found that after digging 
in the source. I wonder why it should be specified twice. Why 
pool.default.dc-resolve.default.serverset and pool.default.serverset are 
different ?

I also need to specify search.ad-resolve-upn.search-request.baseDN because it 
didn't found it any more. I wonder if it's related.

My aaa property file:

include = 

vars.domain = MYDOME
vars.user = A_DN
vars.password = the_password
vars.forest = my_forest

pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = failover
pool.default.serverset.failover.1.server = server1
pool.default.serverset.failover.2.server = server2
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = trust.jks
pool.default.ssl.truststore.password = 
pool.default.ssl.startTLSProtocol = TLSv1.2

pool.default.connection-options.connectTimeoutMillis = 500
pool.default.dc-resolve.enable = true
pool.default.dc-resolve.default.serverset.type = failover
pool.default.dc-resolve.serverset.failover.1.server = server1
pool.default.dc-resolve.serverset.failover.2.server = server2

search.ad-resolve-upn.search-request.baseDN = BASE_DN


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

1 2 >

1 - 100 of 166 matches

Mail list logo