[ovirt-users] active directory: how to replace u...@corp.mydomain.com with u...@mydomain.com

2019-04-16 Thread Jarosław Prokopowski
I configured Active Directory authentication, but the problem is that I need to 
replace u...@corp.mydomain.com with u...@mydomain.com to be able to 
authenticate.
ovirt-engine-extension-aaa-misc has been installed and I configured it as shown 
below, but it is still not working. Do you have any idea what is wrong and how 
to fix it?

/etc/ovirt-engine/aaa/corp.mydomain.com.properties:
--
include = <ad.properties>

vars.domain = corp.mydomain.com
vars.user = CN=user,DC=xxx,DC=corp,DC=mydomain,DC=com
vars.password = password

pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}


/etc/ovirt-engine/extensions.d/mapping.properties:
-
ovirt.engine.extension.name = mapping
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@mydomain.com
config.mapUser.regex.mustMatch = false
ovirt.engine.aaa.authn.mapping.plugin = mapping


In the engine logs I see mapping loaded:
---
2019-04-16 10:35:40,406+02 INFO  
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (ServerService Thread 
Pool -- 44) [] Loading extension 'mapping'
2019-04-16 10:35:40,420+02 INFO  
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (ServerService Thread 
Pool -- 44) [] Extension 'mapping' loaded
2019-04-16 10:35:40,424+02 INFO  
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (ServerService Thread 
Pool -- 44) [] Initializing extension 'internal-authn'
2019-04-16 10:35:40,475+02 INFO  
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (ServerService Thread 
Pool -- 44) [] Extension 'internal-authn' initialized
2019-04-16 10:35:40,476+02 INFO  
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (ServerService Thread 
Pool -- 44) [] Initializing extension 'mapping'
2019-04-16 10:35:40,476+02 INFO  
[org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (ServerService Thread 
Pool -- 44) [] Extension 'mapping' initialized


But in the logs I still see that {user}@corp.mydomain.com is not replaced with 
{user}@mydomain.com:
-
2019-04-16 10:36:27,988+02 WARN  
[org.ovirt.engineextensions.aaa.ldap.Framework] (default task-3) [] 
Authentication exception
2019-04-16 10:36:28,231+02 ERROR 
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default 
task-4) [] EVENT_ID: USER_VDC_LOGIN_FAILED(114), User a_u...@corp.mydomain.com 
connecting from '192.168.1.11' failed to log in : 'Unable to log in. Verify 
your login information or contact the system administrator.'.
2019-04-16 10:36:28,235+02 ERROR 
[org.ovirt.engine.core.sso.servlets.InteractiveAuthServlet] (default task-3) [] 
Cannot authenticate user 'a_u...@corp.mydomain.com' connecting from 
'192.168.1.11': Unable to log in. Verify your login information or contact the 
system administrator.
2019-04-16 10:40:48,062+02 INFO  
[org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] 
(EE-ManagedThreadFactory-engineScheduled-Thread-28) [e479270] Lock Acquired to 
object 
'EngineLock:{exclusiveLocks='[fd6141fe-6a69-49c8-807d-39313cae0756=PROVIDER]', 
sharedLocks=''}'
2019-04-16 10:40:48,084+02 INFO  
[org.ovirt.engine.core.bll.provider.network.SyncNetworkProviderCommand] 
(EE-ManagedThreadFactory-engineScheduled-Thread-28) [e479270] Running command: 
SyncNetworkProviderCommand internal: true.
2019-04-16 10:40:48,270+02 INFO  
[org.ovirt.engine.extension.aaa.jdbc.core.Tasks] (default task-3) [] (house 
keeping) deleting failed logins prior to 2019-04-09 08:40:48Z.
2019-04-16 10:40:48,323+02 INFO  
[org.ovirt.engine.extension.aaa.jdbc.core.Tasks] (default task-3) [] (house 
keeping) deleting failed logins prior to 2019-04-09 08:40:48Z.

Thanks
Jarek
___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/QBC2XTQQ5XTW2OGXO7A5T3LRDPXVFMMW/
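
The failed login in the log above is recorded as a_u...@corp.mydomain.com, i.e. the name was typed with the corp suffix, while the posted pattern (a Java named group `(?<user>[^@]*)` anchored at both ends) can only match a name containing no @ at all; with mustMatch = false an unmatched name passes through unchanged. The following is an added example, not code from the thread or from ovirt-engine-extension-aaa-misc: a small Python model of the regex mapping that lets you test a pattern/replacement pair offline against the names users actually type. The candidate pattern in it is an assumption for illustration, not a fix proposed in the thread.

```python
import re

# Mapping block as posted (extension name "mapping"), with the named group written
# out; the login names tested below are constructed from the engine.log lines.
POSTED_PATTERN = r"^(?<user>[^@]*)$"
POSTED_REPLACEMENT = "${user}@mydomain.com"
# Candidate pattern (an assumption for illustration, not from the thread): also
# accept a login typed with the corp suffix and drop it before appending the domain.
CANDIDATE_PATTERN = r"^(?<user>[^@]+)(@corp\.mydomain\.com)?$"


def java_to_python_pattern(pattern: str) -> str:
    """Java named groups are (?<name>...); Python's re wants (?P<name>...).
    Lookbehinds (?<= and (?<! are left untouched."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def java_to_python_replacement(replacement: str) -> str:
    """Java ${name} group references become Python \\g<name> references."""
    return re.sub(r"\$\{(\w+)\}", r"\\g<\1>", replacement)


def map_user(login: str, pattern: str, replacement: str, must_match: bool = False):
    """Model of config.mapUser.type = regex: if the whole login matches the pattern,
    return the expanded replacement; otherwise pass the login through unchanged,
    or refuse it when mustMatch is true. Returns (mapped_login, matched)."""
    compiled = re.compile(java_to_python_pattern(pattern))
    match = compiled.fullmatch(login)
    if match is None:
        if must_match:
            raise ValueError(f"login {login!r} does not match the mapping pattern")
        return login, False
    return match.expand(java_to_python_replacement(replacement)), True


def walk_through(pattern: str, replacement: str):
    """Apply one mapping to the two ways a user might type the name."""
    return {login: map_user(login, pattern, replacement)
            for login in ("a_user", "a_user@corp.mydomain.com")}


if __name__ == "__main__":
    for label, pattern in (("posted", POSTED_PATTERN), ("candidate", CANDIDATE_PATTERN)):
        for login, (mapped, matched) in walk_through(pattern, POSTED_REPLACEMENT).items():
            print(f"{label:9} {login:26} -> {mapped:22} matched={matched}")
```

The aaa-misc documentation places the ovirt.engine.aaa.authn.mapping.plugin key in the authn extension's properties file rather than in the mapping extension's own file, which is the other thing worth checking in a setup like this one.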


Re: [ovirt-users] active directory and sso

2018-02-04 Thread 董青龙
Here are the engine logs:


2018-02-05 14:53:53,681+08 INFO  
[org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-38) [] User 
t...@test.org successfully logged in with scopes: ovirt-app-admin ovirt-app-api 
ovirt-app-portal ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all 
ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search 
ovirt-ext=token-info:validate ovirt-ext=token:password-access
2018-02-05 14:53:53,765+08 INFO  
[org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-40) 
[6961a53b] Running command: CreateUserSessionCommand internal: false.
2018-02-05 14:53:53,775+08 INFO  
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default 
task-40) [6961a53b] EVENT_ID: USER_VDC_LOGIN(30), Correlation ID: 6961a53b, 
Call Stack: null, Custom Event ID: -1, Message: User t...@test.org@test.org 
logged in.
2018-02-05 14:53:55,305+08 ERROR 
[org.ovirt.engine.core.utils.servlet.ServletUtils] (default task-60) [] Can't 
read file '/usr/share/ovirt-engine/files/spice/SpiceVersion_x64.txt' for 
request '/ovirt-engine/services/files/spice/SpiceVersion_x64.txt', will send a 
404 error response.
2018-02-05 14:53:57,379+08 INFO  [org.ovirt.engine.core.bll.VmLogonCommand] 
(default task-21) [4550dbd4-9c26-48fa-8ded-e50cd47a34e1] Running command: 
VmLogonCommand internal: false. Entities affected :  ID: 
ae5846f6-4f25-4e7a-af2d-02e99599de47 Type: VMAction group CONNECT_TO_VM with 
role type USER
2018-02-05 14:53:57,400+08 INFO  
[org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-21) 
[4550dbd4-9c26-48fa-8ded-e50cd47a34e1] START, VmLogonVDSCommand(HostName = 
host, VmLogonVDSCommandParameters:{runAsync='true', 
hostId='0049362d-39cc-498d-9c7e-f36c5fba20bf', 
vmId='ae5846f6-4f25-4e7a-af2d-02e99599de47', domain='test.org', password='***', 
userName='t...@test.org@test.org'}), log id: 34439164
2018-02-05 14:53:58,404+08 INFO  
[org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand] (default task-21) 
[4550dbd4-9c26-48fa-8ded-e50cd47a34e1] FINISH, VmLogonVDSCommand, log id: 
34439164
2018-02-05 14:53:58,467+08 INFO  [org.ovirt.engine.core.bll.SetVmTicketCommand] 
(default task-23) [48fb921e] Running command: SetVmTicketCommand internal: 
false. Entities affected :  ID: ae5846f6-4f25-4e7a-af2d-02e99599de47 Type: 
VMAction group CONNECT_TO_VM with role type USER
2018-02-05 14:53:58,469+08 INFO  
[org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (default 
task-23) [48fb921e] START, SetVmTicketVDSCommand(HostName = host, 
SetVmTicketVDSCommandParameters:{runAsync='true', 
hostId='0049362d-39cc-498d-9c7e-f36c5fba20bf', 
vmId='ae5846f6-4f25-4e7a-af2d-02e99599de47', protocol='SPICE', 
ticket='60qsiE96d7F5', validTime='120', userName='t...@test.org', 
userId='737c7b8b-9503-489b-b32a-10bf8615bc1f', 
disconnectAction='LOCK_SCREEN'}), log id: 3076856
2018-02-05 14:53:59,108+08 INFO  
[org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand] (default 
task-23) [48fb921e] FINISH, SetVmTicketVDSCommand, log id: 3076856
2018-02-05 14:53:59,116+08 INFO  
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default 
task-23) [48fb921e] EVENT_ID: VM_SET_TICKET(164), Correlation ID: 48fb921e, 
Call Stack: null, Custom Event ID: -1, Message: User t...@test.org@test.org 
initiated console session for VM win7
2018-02-05 14:54:16,134+08 INFO  
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] 
(DefaultQuartzScheduler4) [] EVENT_ID: VM_CONSOLE_CONNECTED(167), Correlation 
ID: null, Call Stack: null, Custom Event ID: -1, Message: User t...@test.org is 
connected to VM win7.

At 2018-02-02 14:50:49, "Martin Perina"  wrote:

On Fri, Feb 2, 2018 at 4:46 AM, 董青龙  wrote:

Thanks for the reply. I have completely configured all the things in option 1 
which you told me. But it seems that SSO still does not work. My domain forest is 
"test.org" and my user is "test". When I log in to the user portal, I get 
"t...@test.org@test.org" in the top right corner. Should it be "t...@test.org"?

This is fine: for AD we are using the UPN as the username (in your case 
't...@test.org') and we concatenate this with the authz extension name (in your 
case '@test.org').


Is it possible that the engine sends the wrong user name to the guest agent?

Could you please share engine.log from after you try to log in to VM Portal and 
open a console to the VM, to investigate?


Thanks


Martin


At 2018-02-01 15:35:57, "Martin Perina"  wrote:

On Thu, Feb 1, 2018 at 9:13 AM, 董青龙  wrote:

Hi, all
I am trying to make SSO work with a Windows 7 VM in an oVirt 4.1 
environment. ovirt-guest-agent has been installed in the Windows 7 VM. I have an 
Active Directory server on Windows 2012 and I have configured the engine using 
"ovirt-engine-extension-aaa-ldap-setup" successfully. The Windows 7 VM has 
joined the domain, too. But when I log in to the

Re: [ovirt-users] active directory and sso

2018-02-01 Thread Martin Perina
On Fri, Feb 2, 2018 at 4:46 AM, 董青龙  wrote:

> Thanks for the reply. I have completely configured all the things in
> option 1 which you told. But it seems that sso still does not work. My
> domain forest is "test.org" and my user is "test". When I login the user
> portal, I get "t...@test.org@test.org" int the top right corner. Should
> it be "t...@test.org"?
>

This is fine: for AD we are using the UPN as the username (in your case
't...@test.org') and we concatenate this with the authz extension name (in your
case '@test.org').

> Is it possible that the engine sends the wrong user name to the guest agent?
>

Could you please share engine.log from after you try to log in to VM
Portal and open a console to the VM, to investigate?

Thanks

Martin

At 2018-02-01 15:35:57, "Martin Perina"  wrote:
>
>
>
> On Thu, Feb 1, 2018 at 9:13 AM, 董青龙  wrote:
>
>> Hi, all
>> I am trying to make SSO work with a Windows 7 VM in an oVirt 4.1
>> environment. ovirt-guest-agent has been installed in the Windows 7 VM. I have an
>> Active Directory server on Windows 2012 and I have configured the engine
>> using "ovirt-engine-extension-aaa-ldap-setup" successfully. The Windows 7
>> VM has joined the domain, too. But when I log in to the user portal using a user
>> created in the AD server, I still have to log in to the Windows 7 VM using the
>> same user a second time. It seems that SSO does not work.
>> Can anyone help me? Thanks!
>>
>
> We are not providing full SSO for VMs. At the moment you have 2 options:
>
> 1. If you want the user to be automatically logged into a VM, then you need
> to set up SSO using the aaa-ldap extension for AD (please don't forget to answer
> Yes to the question about SSO for VMs in the setup tool). And of course in the VM
> you need to have the guest agent installed and enabled. Once the user logs into VM
> Portal and clicks on a VM, then he should be automatically logged into it.
>
> 2. If you set up Kerberos for engine SSO, then you don't need to enter a
> password to log into VM Portal, but in such a case we cannot pass a
> password into the VM and users are not automatically logged in.
>
> Martin
>
>
> --
> Martin Perina
> Associate Manager, Software Engineering
> Red Hat Czech s.r.o.



-- 
Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.


Re: [ovirt-users] active directory and sso

2018-02-01 Thread 董青龙
Thanks for the reply. I have completely configured all the things in option 1 
which you told me. But it seems that SSO still does not work. My domain forest is 
"test.org" and my user is "test". When I log in to the user portal, I get 
"t...@test.org@test.org" in the top right corner. Should it be 
"t...@test.org"? Is it possible that the engine sends the wrong user name to the guest 
agent?


At 2018-02-01 15:35:57, "Martin Perina"  wrote:

On Thu, Feb 1, 2018 at 9:13 AM, 董青龙  wrote:

Hi, all
I am trying to make SSO work with a Windows 7 VM in an oVirt 4.1 
environment. ovirt-guest-agent has been installed in the Windows 7 VM. I have an 
Active Directory server on Windows 2012 and I have configured the engine using 
"ovirt-engine-extension-aaa-ldap-setup" successfully. The Windows 7 VM has 
joined the domain, too. But when I log in to the user portal using a user created in 
the AD server, I still have to log in to the Windows 7 VM using the same user a 
second time. It seems that SSO does not work.
Can anyone help me? Thanks!


We are not providing full SSO for VMs. At the moment you have 2 options:


1. If you want the user to be automatically logged into a VM, then you need to 
set up SSO using the aaa-ldap extension for AD (please don't forget to answer Yes 
to the question about SSO for VMs in the setup tool). And of course in the VM you need 
to have the guest agent installed and enabled. Once the user logs into VM Portal and 
clicks on a VM, then he should be automatically logged into it.


2. If you set up Kerberos for engine SSO, then you don't need to enter a password 
to log into VM Portal, but in such a case we cannot pass a password into the VM 
and users are not automatically logged in.


Martin






 







--

Martin Perina
Associate Manager, Software Engineering
Red Hat Czech s.r.o.


[ovirt-users] active directory and sso

2018-02-01 Thread 董青龙
Hi, all
I am trying to make SSO work with a Windows 7 VM in an oVirt 4.1 
environment. ovirt-guest-agent has been installed in the Windows 7 VM. I have an 
Active Directory server on Windows 2012 and I have configured the engine using 
"ovirt-engine-extension-aaa-ldap-setup" successfully. The Windows 7 VM has 
joined the domain, too. But when I log in to the user portal using a user created in 
the AD server, I still have to log in to the Windows 7 VM using the same user a 
second time. It seems that SSO does not work.
Can anyone help me? Thanks!


Re: [ovirt-users] Active Directory authentication setup

2017-07-17 Thread Todd Punderson
Sorry to reply to myself, but I figured it out.  Putting this here for 
documentation in case anyone ever runs into this as it was absolutely horrible 
to troubleshoot.


I had this set:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\IssuingCA\CSP\AlternateSignatureAlgorithm = 1
(I think that's the default.) That caused the CA to issue certs with the 
RSASSA-PSS (1.2.840.113549.1.1.10) algorithm on them instead of sha256RSA. So I 
changed that registry value to 0, as well as my CAPolicy.inf file, and reissued 
my Root and Sub CA certs. Then I refreshed the DC certs, loaded the new Root/Sub 
CAs in CentOS and it started working.


I actually figured it out from a bug report for Firefox here: 
https://support.mozilla.org/en-US/questions/986085


Either way it's working now. That drove me nuts for 2+ days.


Thank you anyway for your assistance!


From: users-boun...@ovirt.org <users-boun...@ovirt.org> on behalf of Todd 
Punderson <t...@doonga.org>
Sent: Monday, July 17, 2017 9:05:12 AM
To: Ondra Machacek
Cc: users@ovirt.org
Subject: Re: [ovirt-users] Active Directory authentication setup


Hi,

 Agreed on the certificate issue, I fought with it all weekend! Here's the 
output of those commands:


ldap_url_parse_ext(ldaps://DC3.home.doonga.org)
ldap_create
ldap_url_parse_ext(ldaps://DC3.home.doonga.org:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP DC3.home.doonga.org:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.16.10.4:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' 
certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/openldap/certs prefix .
TLS: certificate [(null)] is not valid - error -8182:Peer's certificate has an 
invalid signature..
TLS: error: connect - force handshake failure: errno 21 - moznss error -8174
TLS: can't connect: TLS error -8174:security library: bad database..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I tried digging into this one. I'm very sure the peer doesn't have an invalid 
signature; I tested the certificate chain with openssl successfully. I'm 
guessing that error is related to the "bad database", but I couldn't quite figure 
out that part of the error.


I have an offline root and an online issuing CA; here are those certs. I loaded both 
of these into the system CA trust.


[root@ovirt-engine ~]#  openssl x509 -in /root/root.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
1a:01:7c:fc:bf:77:9c:95:4e:13:7d:bf:36:a8:be:5b
Signature Algorithm: rsassaPss
 Hash Algorithm: sha256
 Mask Algorithm: mgf1 with sha256
 Salt Length: 20
 Trailer Field: 0xbc (default)
Issuer: CN=Doonga.Org Root CA
Validity
Not Before: Jul 13 01:15:39 2017 GMT
Not After : Jul 13 01:25:39 2037 GMT
Subject: CN=Doonga.Org Root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
72:21:77:3F:D7:2A:F9:87:BA:19:F5:32:50:B2:9E:F4:21:B9:8B:07
1.3.6.1.4.1.311.21.1:
...
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.37476.9000.53
  User Notice:
  

Re: [ovirt-users] Active Directory authentication setup

2017-07-17 Thread Todd Punderson

[root@ovirt-engine ~]#  openssl x509 -in /root/sub.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
50:00:00:00:02:2e:ac:e2:5e:b2:d5:fc:11:00:00:00:00:00:02
Signature Algorithm: rsassaPss
 Hash Algorithm: sha256
 Mask Algorithm: mgf1 with sha256
 Salt Length: 20
 Trailer Field: 0xbc (default)
Issuer: CN=Doonga.Org Root CA
Validity
Not Before: Jul 13 02:07:35 2017 GMT
Not After : Jul 13 02:17:35 2027 GMT
Subject: DC=org, DC=doonga, DC=home, CN=Doonga.Org Issuing CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
1.3.6.1.4.1.311.21.1:
...
X509v3 Subject Key Identifier:
21:BB:5D:9C:46:0C:B8:DE:5B:2C:B5:3D:5D:CF:D7:F2:07:2C:48:FD
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.37476.9000.53
  User Notice:
Explicit Text:
  CPS: http://www.doonga.org/pki/cps.txt

1.3.6.1.4.1.311.20.2:
.
.S.u.b.C.A
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Authority Key Identifier:

keyid:72:21:77:3F:D7:2A:F9:87:BA:19:F5:32:50:B2:9E:F4:21:B9:8B:07

X509v3 CRL Distribution Points:

Full Name:
  URI:http://www.doonga.org/pki/Doonga.Org%20Root%20CA.crl

Authority Information Access:
CA Issuers - 
URI:http://www.doonga.org/pki/CAROOT_Doonga.Org%20Root%20CA.crt

Signature Algorithm: rsassaPss
 Hash Algorithm: sha256
 Mask Algorithm: mgf1 with sha256
 Salt Length: 20
 Trailer Field: 0xbc (default)


I'm definitely sure that I have the correct CA certs loaded. I tried removing 
them and I got an invalid CA error. When they are in place I get the error I'm 
asking about. So I'm sure it's reading the CA certificates properly.


Thanks very much for your help!

Todd



From: Ondra Machacek <omach...@redhat.com>
Sent: Monday, July 17, 2017 3:34:49 AM
To: Todd Punderson
Cc: users@ovirt.org
Subject: Re: [ovirt-users] Active Directory authentication setup

This is most probably a certificate issue.

Can you please share the output of the following command:

 $ ldapsearch -d 1 -H ldaps://DC3.home.doonga.org -x -s base -b ''

And also the output of the following command:

 $ openssl x509 -in /path/to/your/active_diretory_ca.pem -text -noout

Are you sure you added the proper CA cert to your system?


On Sun, Jul 16, 2017 at 1:04 AM, Todd Punderson <t...@doon
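
The root cause Todd describes (a CA issuing certificates signed with RSASSA-PSS, OID 1.2.840.113549.1.1.10, which the moznss-backed LDAP client on the engine rejected) is worth checking for before a chain is loaded into the engine's trust store. The following is an added example, not code from the thread or from oVirt: a minimal DER walker that reads the outer signatureAlgorithm of each certificate in a PEM bundle and reports the PSS-signed ones. The bundle it runs on is a constructed, certificate-shaped skeleton rather than a real certificate; the same functions apply to real PEM files such as the root.pem and sub.pem shown in the post.

```python
import base64

# OIDs named in the thread: the one the CA was using and the one it should have used.
OID_RSASSA_PSS = "1.2.840.113549.1.1.10"
OID_NAMES = {
    OID_RSASSA_PSS: "rsassaPss",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}


def _read_tlv(data: bytes, pos: int):
    """Read one DER tag-length-value at pos (short and long length forms).
    Returns (tag, value_bytes, position just after the element)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Decode the content bytes of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:                     # base-128; high bit set on continuation bytes
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(der: bytes) -> str:
    """Outer signatureAlgorithm of Certificate ::= SEQUENCE {
    tbsCertificate, signatureAlgorithm AlgorithmIdentifier, signatureValue }."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)          # tbsCertificate, skipped as a whole
    alg_tag, alg, _ = _read_tlv(cert, pos)  # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if alg_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("unexpected structure at signatureAlgorithm")
    return decode_oid(oid)


def pem_blocks(text: str):
    """DER bytes of every CERTIFICATE block in a PEM bundle, in order."""
    blocks, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            current = []
        elif line == "-----END CERTIFICATE-----":
            blocks.append(base64.b64decode("".join(current)))
            current = None
        elif current is not None:
            current.append(line)
    return blocks


def pss_signed_certs(bundle: str):
    """Indexes (0-based) of certificates in the bundle signed with RSASSA-PSS."""
    return [i for i, der in enumerate(pem_blocks(bundle))
            if signature_algorithm_oid(der) == OID_RSASSA_PSS]


def _skeleton_pem(oid_hex: str) -> str:
    """Constructed certificate-shaped DER for testing, NOT a real certificate:
    tbsCertificate is a bare SEQUENCE { INTEGER 2 }, the AlgorithmIdentifier
    carries the given OID and signatureValue is a one-byte BIT STRING."""
    oid = bytes.fromhex("0609" + oid_hex)               # OBJECT IDENTIFIER, 9 bytes
    alg = bytes([0x30, len(oid)]) + oid                 # AlgorithmIdentifier SEQUENCE
    body = bytes.fromhex("3003020102") + alg + bytes.fromhex("030200ff")
    der = bytes([0x30, len(body)]) + body               # outer Certificate SEQUENCE
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed two-entry bundle: a PSS-signed skeleton followed by a sha256RSA one.
SAMPLE_BUNDLE = _skeleton_pem("2a864886f70d01010a") + _skeleton_pem("2a864886f70d01010b")


if __name__ == "__main__":
    for i, der in enumerate(pem_blocks(SAMPLE_BUNDLE)):
        oid = signature_algorithm_oid(der)
        print(f"cert {i}: {oid} ({OID_NAMES.get(oid, 'unknown')})")
    print("PSS-signed certificate indexes:", pss_signed_certs(SAMPLE_BUNDLE))
```

To run it over a real bundle, read the file's text and pass it to pss_signed_certs; an empty list means no certificate in the chain carries the rsassaPss signature algorithm that broke the ldaps handshake here.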

Re: [ovirt-users] Active Directory authentication setup

2017-07-17 Thread Ondra Machacek
This is most probably a certificate issue.

Can you please share the output of the following command:

 $ ldapsearch -d 1 -H ldaps://DC3.home.doonga.org -x -s base -b ''

And also the output of the following command:

 $ openssl x509 -in /path/to/your/active_diretory_ca.pem -text -noout

Are you sure you added the proper CA cert to your system?


On Sun, Jul 16, 2017 at 1:04 AM, Todd Punderson  wrote:
> Hi,
>
>I’ve been pulling my hair out over this one. Here’s the
> output of ovirt-engine-extension-aaa-ldap-setup. Everything works fine if I
> use “plain” but I don’t really want to do that. I searched the error that’s
> shown below and tried several different “fixes” but none of them helped.
> These are Server 2016 DCs. Not too sure where to go next.
>
>
>
> [ INFO  ] Stage: Initializing
>
> [ INFO  ] Stage: Environment setup
>
>   Configuration files:
> ['/etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf']
>
>   Log file:
> /tmp/ovirt-engine-extension-aaa-ldap-setup-20170715170953-wfo1pk.log
>
>   Version: otopi-1.6.2 (otopi-1.6.2-1.el7.centos)
>
> [ INFO  ] Stage: Environment packages setup
>
> [ INFO  ] Stage: Programs detection
>
> [ INFO  ] Stage: Environment customization
>
>   Welcome to LDAP extension configuration program
>
>   Available LDAP implementations:
>
>1 - 389ds
>
>2 - 389ds RFC-2307 Schema
>
>3 - Active Directory
>
>4 - IBM Security Directory Server
>
>5 - IBM Security Directory Server RFC-2307 Schema
>
>6 - IPA
>
>7 - Novell eDirectory RFC-2307 Schema
>
>8 - OpenLDAP RFC-2307 Schema
>
>9 - OpenLDAP Standard Schema
>
>   10 - Oracle Unified Directory RFC-2307 Schema
>
>   11 - RFC-2307 Schema (Generic)
>
>   12 - RHDS
>
>   13 - RHDS RFC-2307 Schema
>
>   14 - iPlanet
>
>   Please select: 3
>
>   Please enter Active Directory Forest name: home.doonga.org
>
> [ INFO  ] Resolving Global Catalog SRV record for home.doonga.org
>
> [ INFO  ] Resolving LDAP SRV record for home.doonga.org
>
>   NOTE:
>
>   It is highly recommended to use secure protocol to access the LDAP
> server.
>
>   Protocol startTLS is the standard recommended method to do so.
>
>   Only in cases in which the startTLS is not supported, fallback to
> non standard ldaps protocol.
>
>   Use plain for test environments only.
>
>   Please select protocol to use (startTLS, ldaps, plain) [startTLS]:
> ldaps
>
>   Please select method to obtain PEM encoded CA certificate (File,
> URL, Inline, System, Insecure): System
>
> [ INFO  ] Resolving SRV record 'home.doonga.org'
>
> [ INFO  ] Connecting to LDAP using 'ldaps://DC1.home.doonga.org:636'
>
> [WARNING] Cannot connect using 'ldaps://DC1.home.doonga.org:636': {'info':
> 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contact
> LDAP server"}
>
> [ INFO  ] Connecting to LDAP using 'ldaps://DC2.home.doonga.org:636'
>
> [WARNING] Cannot connect using 'ldaps://DC2.home.doonga.org:636': {'info':
> 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contact
> LDAP server"}
>
> [ INFO  ] Connecting to LDAP using 'ldaps://DC3.home.doonga.org:636'
>
> [WARNING] Cannot connect using 'ldaps://DC3.home.doonga.org:636': {'info':
> 'TLS error -8157:Certificate extension not found.', 'desc': "Can't contact
> LDAP server"}
>
> [ ERROR ] Cannot connect using any of available options
>
>
>
> Also:
>
> 2017-07-15 18:18:06 INFO
> otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common
> common._connectLDAP:391 Connecting to LDAP using
> 'ldap://DC2.home.doonga.org:389'
>
> 2017-07-15 18:18:06 INFO
> otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common
> common._connectLDAP:442 Executing startTLS
>
> 2017-07-15 18:18:06 DEBUG
> otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common
> common._connectLDAP:459 Exception
>
> Traceback (most recent call last):
>
>   File
> "/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py",
> line 443, in _connectLDAP
>
> c.start_tls_s()
>
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 564, in
> start_tls_s
>
> return self._ldap_call(self._l.start_tls_s)
>
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in
> _ldap_call
>
> result = func(*args,**kwargs)
>
> CONNECT_ERROR: {'info': 'TLS error -8157:Certificate extension not found.',
> 'desc': 'Connect error'}
>
> 2017-07-15 18:18:06 WARNING
> otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common
> common._connectLDAP:463 Cannot connect using
> 'ldap://DC2.home.doonga.org:389': {'info': 'TLS error -8157:Certificate
> extension not found.', 'desc': 'Connect error'}
>
> 2017-07-15 18:18:06 INFO
> otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common
> 

[ovirt-users] Active Directory authentication setup

2017-07-15 Thread Todd Punderson
Hi,
   I've been pulling my hair out over this one. Here's the output 
of ovirt-engine-extension-aaa-ldap-setup. Everything works fine if I use 
"plain" but I don't really want to do that. I searched the error that's shown 
below and tried several different "fixes" but none of them helped. These are 
Server 2016 DCs. Not too sure where to go next.

[ INFO  ] Stage: Initializing
[ INFO  ] Stage: Environment setup
  Configuration files: 
['/etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf']
  Log file: 
/tmp/ovirt-engine-extension-aaa-ldap-setup-20170715170953-wfo1pk.log
  Version: otopi-1.6.2 (otopi-1.6.2-1.el7.centos)
[ INFO  ] Stage: Environment packages setup
[ INFO  ] Stage: Programs detection
[ INFO  ] Stage: Environment customization
  Welcome to LDAP extension configuration program
  Available LDAP implementations:
   1 - 389ds
   2 - 389ds RFC-2307 Schema
   3 - Active Directory
   4 - IBM Security Directory Server
   5 - IBM Security Directory Server RFC-2307 Schema
   6 - IPA
   7 - Novell eDirectory RFC-2307 Schema
   8 - OpenLDAP RFC-2307 Schema
   9 - OpenLDAP Standard Schema
  10 - Oracle Unified Directory RFC-2307 Schema
  11 - RFC-2307 Schema (Generic)
  12 - RHDS
  13 - RHDS RFC-2307 Schema
  14 - iPlanet
  Please select: 3
  Please enter Active Directory Forest name: home.doonga.org
[ INFO  ] Resolving Global Catalog SRV record for home.doonga.org
[ INFO  ] Resolving LDAP SRV record for home.doonga.org
  NOTE:
  It is highly recommended to use secure protocol to access the LDAP 
server.
  Protocol startTLS is the standard recommended method to do so.
  Only in cases in which the startTLS is not supported, fallback to non 
standard ldaps protocol.
  Use plain for test environments only.
  Please select protocol to use (startTLS, ldaps, plain) [startTLS]: 
ldaps
  Please select method to obtain PEM encoded CA certificate (File, URL, 
Inline, System, Insecure): System
[ INFO  ] Resolving SRV record 'home.doonga.org'
[ INFO  ] Connecting to LDAP using 'ldaps://DC1.home.doonga.org:636'
[WARNING] Cannot connect using 'ldaps://DC1.home.doonga.org:636': {'info': 'TLS 
error -8157:Certificate extension not found.', 'desc': "Can't contact LDAP 
server"}
[ INFO  ] Connecting to LDAP using 'ldaps://DC2.home.doonga.org:636'
[WARNING] Cannot connect using 'ldaps://DC2.home.doonga.org:636': {'info': 'TLS 
error -8157:Certificate extension not found.', 'desc': "Can't contact LDAP 
server"}
[ INFO  ] Connecting to LDAP using 'ldaps://DC3.home.doonga.org:636'
[WARNING] Cannot connect using 'ldaps://DC3.home.doonga.org:636': {'info': 'TLS 
error -8157:Certificate extension not found.', 'desc': "Can't contact LDAP 
server"}
[ ERROR ] Cannot connect using any of available options

Also:
2017-07-15 18:18:06 INFO 
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common 
common._connectLDAP:391 Connecting to LDAP using 
'ldap://DC2.home.doonga.org:389'
2017-07-15 18:18:06 INFO 
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common 
common._connectLDAP:442 Executing startTLS
2017-07-15 18:18:06 DEBUG 
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common 
common._connectLDAP:459 Exception
Traceback (most recent call last):
  File 
"/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py",
 line 443, in _connectLDAP
c.start_tls_s()
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 564, in 
start_tls_s
return self._ldap_call(self._l.start_tls_s)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in 
_ldap_call
result = func(*args,**kwargs)
CONNECT_ERROR: {'info': 'TLS error -8157:Certificate extension not found.', 
'desc': 'Connect error'}
2017-07-15 18:18:06 WARNING 
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common 
common._connectLDAP:463 Cannot connect using 'ldap://DC2.home.doonga.org:389': 
{'info': 'TLS error -8157:Certificate extension not found.', 'desc': 'Connect 
error'}
2017-07-15 18:18:06 INFO 
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common 
common._connectLDAP:391 Connecting to LDAP using 
'ldap://DC3.home.doonga.org:389'
2017-07-15 18:18:06 INFO 
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common 
common._connectLDAP:442 Executing startTLS
2017-07-15 18:18:06 DEBUG 
otopi.plugins.ovirt_engine_extension_aaa_ldap.ldap.common 
common._connectLDAP:459 Exception
Traceback (most recent call last):
  File 
"/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py",
 line 443, in _connectLDAP
c.start_tls_s()
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 564, in 
start_tls_s
return self._ldap_call(self._l.start_tls_s)
  File 

Re: [ovirt-users] active directory

2017-06-08 Thread qinglong.d...@horebdata.cn
It worked. Thanks!
 
From: Ondra Machacek
Date: 2017-06-08 14:45
To: qinglong.d...@horebdata.cn
CC: Latcho; users
Subject: Re: Re: [ovirt-users] active directory
If you are using Active Directory you most probably don't use Anonymous bind.
The question:
 
   Enter search user DN (for example
uid=username,dc=example,dc=com or leave empty for anonymous):
 
You should not leave it empty but rather specify some user which can
search in Active Directory; you can enter it either in DN format
(cn=user,dc=domain,dc=com) or UPN format (u...@domain.com).
 
On Thu, Jun 8, 2017 at 5:32 AM, qinglong.d...@horebdata.cn
<qinglong.d...@horebdata.cn> wrote:
> Thanks! I executed "ovirt-engine-extension-aaa-ldap-setup", but I got an
> error. Is there anything wrong?
>
> [root@engine ~]# ovirt-engine-extension-aaa-ldap-setup
> [ INFO  ] Stage: Initializing
> [ INFO  ] Stage: Environment setup
>   Configuration files:
> ['/etc/ovirt-engine-extension-aaa-ldap-setup.conf.d/10-packaging.conf']
>   Log file:
> /tmp/ovirt-engine-extension-aaa-ldap-setup-20170608112535-jll8t2.log
>   Version: otopi-1.6.2 (otopi-1.6.2-1.el7.centos)
> [ INFO  ] Stage: Environment packages setup
> [ INFO  ] Stage: Programs detection
> [ INFO  ] Stage: Environment customization
>   Welcome to LDAP extension configuration program
>   Available LDAP implementations:
>1 - 389ds
>2 - 389ds RFC-2307 Schema
>3 - Active Directory
>4 - IBM Security Directory Server
>5 - IBM Security Directory Server RFC-2307 Schema
>6 - IPA
>7 - Novell eDirectory RFC-2307 Schema
>8 - OpenLDAP RFC-2307 Schema
>9 - OpenLDAP Standard Schema
>   10 - Oracle Unified Directory RFC-2307 Schema
>   11 - RFC-2307 Schema (Generic)
>   12 - RHDS
>   13 - RHDS RFC-2307 Schema
>   14 - iPlanet
>   Please select: 3
>   Please enter Active Directory Forest name: horebdata.com
> [ INFO  ] Resolving Global Catalog SRV record for horebdata.com
> [ INFO  ] Resolving LDAP SRV record for horebdata.com
>   NOTE:
>   It is highly recommended to use secure protocol to access the LDAP
> server.
>   Protocol startTLS is the standard recommended method to do so.
>   Only in cases in which the startTLS is not supported, fallback to
> non standard ldaps protocol.
>   Use plain for test environments only.
>   Please select protocol to use (startTLS, ldaps, plain) [startTLS]:
> plain
> [ INFO  ] Resolving SRV record 'horebdata.com'
> [ INFO  ] Connecting to LDAP using
> 'ldap://win-fvdsocg3abj.horebdata.com:389'
> [ INFO  ] Connection succeeded
>   Enter search user DN (for example uid=username,dc=example,dc=com
> or leave empty for anonymous):
> [ INFO  ] Attempting to bind using '[Anonymous]'
>   Are you going to use Single Sign-On for Virtual Machines (Yes, No)
> [No]: yes
>   NOTE:
>   Profile name has to match domain name, otherwise Single Sign-On
> for Virtual Machines will not work.
>   Please specify profile name that will be visible to users
> [horebdata.com]:
> [ INFO  ] Stage: Setup validation
>   The following files are about to be overwritten:
>   /etc/ovirt-engine/extensions.d/horebdata.com-authn.properties
>   /etc/ovirt-engine/extensions.d/horebdata.com.properties
>   /etc/ovirt-engine/aaa/horebdata.com.properties
>   Continue and overwrite? (Yes, No) [No]: yes
>   NOTE:
>   It is highly recommended to test drive the configuration before
> applying it into engine.
>   Perform at least one Login sequence and one Search sequence.
>   Select test sequence to execute (Done, Abort, Login, Search)
> [Abort]: login
>   Enter user name: horebdata
>   Enter user password:
> [ INFO  ] Executing login sequence...
>   Login output:
>   2017-06-08 11:26:09,446+08 INFO
> 
>   2017-06-08 11:26:09,463+08 INFO
> Initialization 
>   2017-06-08 11:26:09,463+08 INFO
> 
>   2017-06-08 11:26:09,475+08 INFOLoading extension
> 'horebdata.com-authn'
>   2017-06-08 11:26:09,517+08 INFOExtension 'horebdata.com-authn'
> loaded
>   2017-06-08 11:26:09,522+08 INFOLoading extension
> 'horebdata.com'
>   2017-06-08 11:26:09,530+08 INFOExtension 'horebdata.com'
> loaded
>
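The quoted session shows the sequence Ondra warns about: the search user was left empty, the tool bound as '[Anonymous]', and the login test then failed with "Unexpected comma or semicolon found at the end of the DN string". The following is an added example, not code from this thread or from the oVirt project: a small Python checker that reads an aaa-ldap profile, resolves its ${global:...} references, and classifies the configured search user as anonymous (nothing set), a DN, a UPN, or malformed (including a DN that ends in ',' or ';'). It assumes the key names pool.default.auth.simple.bindDN and pool.default.auth.simple.password and the `include = <ad.properties>` line used by ovirt-engine-extension-aaa-ldap profiles; both profiles it checks are constructed for the example.

```python
"""Check the search-user (bind DN) setting of an oVirt aaa-ldap profile.

Added example, not from the thread or the oVirt project. Assumptions: the
profile is a Java-style properties file, the search user is stored under
pool.default.auth.simple.bindDN with its password under
pool.default.auth.simple.password (the key names used by
ovirt-engine-extension-aaa-ldap), and ${global:NAME} references resolve to
other keys of the same file.
"""
import re

BIND_DN_KEY = "pool.default.auth.simple.bindDN"
BIND_PW_KEY = "pool.default.auth.simple.password"

# user@domain, the UPN form mentioned in the thread
_UPN_RE = re.compile(r"^[^@\s,;=]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# one attribute=value pair of an RDN
_AVA_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")

# Constructed profile reproducing the failing setup in the thread: no search user.
PROFILE_ANONYMOUS = """\
include = <ad.properties>
vars.domain = horebdata.com
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
"""

# Constructed profile with a dedicated search account given in DN form.
PROFILE_FIXED = """\
include = <ad.properties>
vars.domain = horebdata.com
vars.user = cn=svc-ovirt,ou=Service Accounts,dc=horebdata,dc=com
vars.password = example-password
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
"""


def _split_unescaped(text, separators):
    """Split text on separator characters that are not backslash-escaped."""
    parts, current, escaped = [], [], False
    for ch in text:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch in separators:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def classify_bind_identity(value):
    """Return 'anonymous', 'upn', 'dn', 'malformed-trailing-separator' or 'malformed'."""
    value = value.strip()
    if not value:
        return "anonymous"
    if _UPN_RE.match(value):
        return "upn"
    rdns = _split_unescaped(value, ",;")
    if rdns[-1].strip() == "":
        # e.g. "cn=user,dc=example,dc=com," : the DN string ends in a separator
        return "malformed-trailing-separator"
    for rdn in rdns:
        for ava in _split_unescaped(rdn, "+"):
            if not _AVA_RE.match(ava.strip()):
                return "malformed"
    return "dn"


def parse_properties(text):
    """Parse 'key = value' lines and resolve ${global:NAME} references."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()

    def resolve(value):
        return re.sub(r"\$\{global:([^}]+)\}",
                      lambda m: props.get(m.group(1), ""), value)

    return {k: resolve(v) for k, v in props.items()}


def check_profile(text):
    """Classify the search user of a profile and list the problems found."""
    props = parse_properties(text)
    bind_dn = props.get(BIND_DN_KEY, "")
    bind = classify_bind_identity(bind_dn)
    problems = []
    if bind == "anonymous":
        problems.append("no search user configured: the profile binds anonymously, "
                        "which Active Directory does not normally allow for searches")
    elif bind.startswith("malformed"):
        problems.append("search user %r is neither a valid DN nor a UPN" % bind_dn)
    elif not props.get(BIND_PW_KEY):
        problems.append("search user is set but %s is empty" % BIND_PW_KEY)
    return {"bind": bind, "bindDN": bind_dn, "problems": problems}


if __name__ == "__main__":
    for name, text in (("anonymous", PROFILE_ANONYMOUS), ("fixed", PROFILE_FIXED)):
        print(name, check_profile(text))
```

Run it against /etc/ovirt-engine/aaa/<profile>.properties after the setup tool has written it; a result of "anonymous" or "malformed-*" is worth fixing before the engine is restarted, since the extension only reports the DN problem at login time.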

Re: [ovirt-users] active directory

2017-06-08 Thread Ondra Machacek
dap.authn::horebdata.com-authn] Creating LDAP
> pool 'authz'
>   2017-06-08 11:26:09,620+08 INFO
> [ovirt-engine-extension-aaa-ldap.authn::horebdata.com-authn] LDAP pool
> 'authz' information: vendor='null' version='null'
>   2017-06-08 11:26:09,621+08 INFO
> [ovirt-engine-extension-aaa-ldap.authn::horebdata.com-authn] Creating LDAP
> pool 'authn'
>   2017-06-08 11:26:09,636+08 INFO
> [ovirt-engine-extension-aaa-ldap.authn::horebdata.com-authn] LDAP pool
> 'authn' information: vendor='null' version='null'
>   2017-06-08 11:26:09,649+08 WARNING
> [ovirt-engine-extension-aaa-ldap.authn::horebdata.com-authn] Cannot
> initialize LDAP framework, deferring initialization. Error: Unexpected comma
> or semicolon found at the end of the DN string.
>   2017-06-08 11:26:09,650+08 INFOExtension 'horebdata.com-authn'
> initialized
>   2017-06-08 11:26:09,650+08 INFOInitializing extension
> 'horebdata.com'
>   2017-06-08 11:26:09,651+08 INFO
> [ovirt-engine-extension-aaa-ldap.authz::horebdata.com] Creating LDAP pool
> 'authz'
>   2017-06-08 11:26:09,679+08 INFO
> [ovirt-engine-extension-aaa-ldap.authz::horebdata.com] LDAP pool 'authz'
> information: vendor='null' version='null'
>   2017-06-08 11:26:09,679+08 INFO
> [ovirt-engine-extension-aaa-ldap.authz::horebdata.com] Creating LDAP pool
> 'gc'
>   2017-06-08 11:26:09,694+08 INFO
> [ovirt-engine-extension-aaa-ldap.authz::horebdata.com] LDAP pool 'gc'
> information: vendor='null' version='null'
>   2017-06-08 11:26:09,697+08 WARNING
> [ovirt-engine-extension-aaa-ldap.authz::horebdata.com] Cannot initialize
> LDAP framework, deferring initialization. Error: Unexpected comma or
> semicolon found at the end of the DN string.
>   2017-06-08 11:26:09,697+08 INFOExtension 'horebdata.com'
> initialized
>   2017-06-08 11:26:09,697+08 INFOStart of enabled extensions
> list
>   2017-06-08 11:26:09,697+08 INFOInstance name: 'horebdata.com',
> Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.3.1',
> Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.3.1-1.el7.centos',
> License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt
> Project', Build interface Version: '0',  File:
> '/tmp/tmpHfBhQf/extensions.d/horebdata.com.properties', Initialized: 'true'
>   2017-06-08 11:26:09,698+08 INFOInstance name:
> 'horebdata.com-authn', Extension name:
> 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.3.1', Notes: 'Display
> name: ovirt-engine-extension-aaa-ldap-1.3.1-1.el7.centos', License: 'ASL
> 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build
> interface Version: '0',  File:
> '/tmp/tmpHfBhQf/extensions.d/horebdata.com-authn.properties', Initialized:
> 'true'
>   2017-06-08 11:26:09,698+08 INFOEnd of enabled extensions list
>   2017-06-08 11:26:09,698+08 INFO
> 
>   2017-06-08 11:26:09,698+08 INFO==
> Execution ===
>   2017-06-08 11:26:09,698+08 INFO
> 
>   2017-06-08 11:26:09,698+08 INFOIteration: 0
>   2017-06-08 11:26:09,699+08 INFOProfile='horebdata.com'
> authn='horebdata.com-authn' authz='horebdata.com' mapping='null'
>   2017-06-08 11:26:09,699+08 INFOAPI:
> -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='horebdata.com'
> user='horebdata'
>   2017-06-08 11:26:09,702+08 WARNING
> [ovirt-engine-extension-aaa-ldap.authn::horebdata.com-authn] Cannot
> initialize LDAP framework, deferring initialization. Error: Unexpected comma
> or semicolon found at the end of the DN string.
>   2017-06-08 11:26:09,703+08 SEVERE  Unexpected comma or semicolon
> found at the end of the DN string.
> [ ERROR ] Login sequence failed
>   Please investigate details of the failure (search for lines
> containing SEVERE log level).
>   Select test sequence to execute (Done, Abort, Login, Search)
> [Abort]:
>
> From: Ondra Machacek
> Date: 2017-06-07 14:47
> To: qinglong.d...@horebdata.cn
> CC: users
> Subject: Re: [ovirt-users] active directory
> Or you can try the migration tool:
>
> https://github.com/oVirt/ovirt-engine-kerbldap-migration
>
> Check the README; there are instructions on how to proceed.
>
> On Wed, Jun 7, 2017 at 8:33 AM, Latchezar Filtchev <lat...@aubg.bg> wrote:
>> This can help you:
>>
>>
>>
>> http://lists.ovirt.org/pipermail/users/201

Re: [ovirt-users] active directory

2017-06-07 Thread qinglong.d...@horebdata.cn
itializing extension 
'horebdata.com'
  2017-06-08 11:26:09,651+08 INFO
[ovirt-engine-extension-aaa-ldap.authz::horebdata.com] Creating LDAP pool 
'authz'
  2017-06-08 11:26:09,679+08 INFO
[ovirt-engine-extension-aaa-ldap.authz::horebdata.com] LDAP pool 'authz' 
information: vendor='null' version='null'
  2017-06-08 11:26:09,679+08 INFO
[ovirt-engine-extension-aaa-ldap.authz::horebdata.com] Creating LDAP pool 'gc'
  2017-06-08 11:26:09,694+08 INFO
[ovirt-engine-extension-aaa-ldap.authz::horebdata.com] LDAP pool 'gc' 
information: vendor='null' version='null'
  2017-06-08 11:26:09,697+08 WARNING 
[ovirt-engine-extension-aaa-ldap.authz::horebdata.com] Cannot initialize LDAP 
framework, deferring initialization. Error: Unexpected comma or semicolon found 
at the end of the DN string.
  2017-06-08 11:26:09,697+08 INFOExtension 'horebdata.com' 
initialized
  2017-06-08 11:26:09,697+08 INFOStart of enabled extensions list
  2017-06-08 11:26:09,697+08 INFOInstance name: 'horebdata.com', 
Extension name: 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.3.1', 
Notes: 'Display name: ovirt-engine-extension-aaa-ldap-1.3.1-1.el7.centos', 
License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', 
Build interface Version: '0',  File: 
'/tmp/tmpHfBhQf/extensions.d/horebdata.com.properties', Initialized: 'true'
  2017-06-08 11:26:09,698+08 INFOInstance name: 
'horebdata.com-authn', Extension name: 'ovirt-engine-extension-aaa-ldap.authn', 
Version: '1.3.1', Notes: 'Display name: 
ovirt-engine-extension-aaa-ldap-1.3.1-1.el7.centos', License: 'ASL 2.0', Home: 
'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: 
'0',  File: '/tmp/tmpHfBhQf/extensions.d/horebdata.com-authn.properties', 
Initialized: 'true'
  2017-06-08 11:26:09,698+08 INFOEnd of enabled extensions list
  2017-06-08 11:26:09,698+08 INFO

  2017-06-08 11:26:09,698+08 INFO== 
Execution ===
  2017-06-08 11:26:09,698+08 INFO

  2017-06-08 11:26:09,698+08 INFOIteration: 0
  2017-06-08 11:26:09,699+08 INFOProfile='horebdata.com' 
authn='horebdata.com-authn' authz='horebdata.com' mapping='null'
  2017-06-08 11:26:09,699+08 INFOAPI: 
-->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='horebdata.com' 
user='horebdata'
  2017-06-08 11:26:09,702+08 WARNING 
[ovirt-engine-extension-aaa-ldap.authn::horebdata.com-authn] Cannot initialize 
LDAP framework, deferring initialization. Error: Unexpected comma or semicolon 
found at the end of the DN string.
  2017-06-08 11:26:09,703+08 SEVERE  Unexpected comma or semicolon 
found at the end of the DN string.
[ ERROR ] Login sequence failed
  Please investigate details of the failure (search for lines 
containing SEVERE log level).
  Select test sequence to execute (Done, Abort, Login, Search) [Abort]: 
 
From: Ondra Machacek
Date: 2017-06-07 14:47
To: qinglong.d...@horebdata.cn
CC: users
Subject: Re: [ovirt-users] active directory
Or you can try the migration tool:
 
https://github.com/oVirt/ovirt-engine-kerbldap-migration
 
Check the README; there are instructions on how to proceed.
 
On Wed, Jun 7, 2017 at 8:33 AM, Latchezar Filtchev <lat...@aubg.bg> wrote:
> This can help you:
>
>
>
> http://lists.ovirt.org/pipermail/users/2016-September/042937.html
>
>
>
> Best,
>
> Latcho
>
>
>
>
>
> From: users-boun...@ovirt.org [mailto:users-boun...@ovirt.org] On Behalf Of
> qinglong.d...@horebdata.cn
> Sent: Wednesday, June 07, 2017 4:57 AM
> To: users
> Subject: [ovirt-users] active directory
>
>
>
> Hi all,
>
> I used "engine-manage-domains" to add AD to ovirt in earlier
> version. What should I do in ovirt 4.1? Hope someone can help. Thanks!
>
>
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
 


Re: [ovirt-users] active directory

2017-06-07 Thread Ondra Machacek
Or you can try the migration tool:

 https://github.com/oVirt/ovirt-engine-kerbldap-migration

Check the README; there are instructions on how to proceed.

On Wed, Jun 7, 2017 at 8:33 AM, Latchezar Filtchev <lat...@aubg.bg> wrote:
> This can help you:
>
>
>
> http://lists.ovirt.org/pipermail/users/2016-September/042937.html
>
>
>
> Best,
>
> Latcho
>
>
>
>
>
> From: users-boun...@ovirt.org [mailto:users-boun...@ovirt.org] On Behalf Of
> qinglong.d...@horebdata.cn
> Sent: Wednesday, June 07, 2017 4:57 AM
> To: users
> Subject: [ovirt-users] active directory
>
>
>
> Hi all,
>
> I used "engine-manage-domains" to add AD to ovirt in earlier
> version. What should I do in ovirt 4.1? Hope someone can help. Thanks!
>
>
>


Re: [ovirt-users] active directory

2017-06-07 Thread Latchezar Filtchev
This can help you:

http://lists.ovirt.org/pipermail/users/2016-September/042937.html

Best,
Latcho


From: users-boun...@ovirt.org [mailto:users-boun...@ovirt.org] On Behalf Of 
qinglong.d...@horebdata.cn
Sent: Wednesday, June 07, 2017 4:57 AM
To: users
Subject: [ovirt-users] active directory

Hi all,
I used "engine-manage-domains" to add AD to ovirt in earlier version. 
What should I do in ovirt 4.1? Hope someone can help. Thanks!


[ovirt-users] active directory

2017-06-06 Thread qinglong.d...@horebdata.cn
Hi all,
I used "engine-manage-domains" to add AD to ovirt in earlier version. 
What should I do in ovirt 4.1? Hope someone can help. Thanks!


Re: [ovirt-users] Active Directory domain authorization in oVirt Hosted Engine guest OS

2016-10-20 Thread aleksey . maksimov
Thank you for the advice, Karli

Problem solved here: 
https://lists.fedorahosted.org/archives/list/sssd-us...@lists.fedorahosted.org/thread/NDBFLJ774A2TUWC65CHRQ5XVL3DGVMQR/

Again, sorry for the off-topic post

19.10.2016, 15:23, "Karli Sjöberg" :
> On Wed, 2016-10-19 at 13:48 +0300, aleksey.maksi...@it-kb.ru wrote:
>>  Hello oVirt gurus!
>>
>>  I'm sorry for the possible off-topic post, but I do not know where to seek
>>  help.
>>
>>  I want to set up Active Directory domain authorization in oVirt
>>  Hosted Engine guest OS.
>>
>>  For this I use SSSD as described here:
>>  https://blog.it-kb.ru/2016/10/15/join-debian-gnu-linux-8-6-to-active-
>>  directory-domain-with-sssd-and-realmd-for-authentication-and-
>>  configure-ad-domain-security-group-authorization-for-sudo-and-ssh-
>>  with-putty-sso/
>
> I used this[*], which worked for me (at least on Ubuntu) yesterday.
> Adjust accordingly for CentOS.
>
> /K
>
> [*] https://help.ubuntu.com/lts/serverguide/sssd-ad.html
>
>>  I attached the computer to the domain using the realm utility.
>>  It looks nice.
>>
>>  [root@KOM-OVIRT1 ~]# realm list
>>  ad.holding.com
>>    type: kerberos
>>    realm-name: AD.HOLDING.COM
>>    domain-name: ad.holding.com
>>    configured: kerberos-member
>>    server-software: active-directory
>>    client-software: sssd
>>    required-package: oddjob
>>    required-package: oddjob-mkhomedir
>>    required-package: sssd
>>    required-package: adcli
>>    required-package: samba-common
>>    login-formats: %u...@ad.holding.com
>>    login-policy: allow-permitted-logins
>>    permitted-logins:
>>    permitted-groups: kom-srv-linux-adm...@ad.holding.com
>>
>>  However, getent does not return information about domain accounts:
>>
>>  [root@KOM-OVIRT1 ~]# getent passwd alek...@ad.holding.com
>>  [root@KOM-OVIRT1 ~]#
>>
>>  getent for local accounts works:
>>
>>  [root@KOM-OVIRT1 ~]# getent passwd root
>>  root:x:0:0:root:/root:/bin/bash
>>
>>  Does the oVirt Hosted Engine guest OS have some tricky authorization settings?
>>  Can you help me?


Re: [ovirt-users] Active Directory domain authorization in oVirt Hosted Engine guest OS

2016-10-19 Thread Karli Sjöberg
On Wed, 2016-10-19 at 13:48 +0300, aleksey.maksi...@it-kb.ru wrote:
> Hello oVirt gurus!
> 
> I'm sorry for the possible off-topic post, but I do not know where to seek
> help.
> 
> I want to set up Active Directory domain authorization in oVirt
> Hosted Engine guest OS.
> 
> For this I use SSSD as described here: 
> https://blog.it-kb.ru/2016/10/15/join-debian-gnu-linux-8-6-to-active-
> directory-domain-with-sssd-and-realmd-for-authentication-and-
> configure-ad-domain-security-group-authorization-for-sudo-and-ssh-
> with-putty-sso/

I used this[*], which worked for me (at least on Ubuntu) yesterday.
Adjust accordingly for CentOS.

/K

[*] https://help.ubuntu.com/lts/serverguide/sssd-ad.html

> 
> I attached the computer to the domain using the realm utility.
> It looks nice.
> 
> [root@KOM-OVIRT1 ~]# realm list
> ad.holding.com
>   type: kerberos
>   realm-name: AD.HOLDING.COM
>   domain-name: ad.holding.com
>   configured: kerberos-member
>   server-software: active-directory
>   client-software: sssd
>   required-package: oddjob
>   required-package: oddjob-mkhomedir
>   required-package: sssd
>   required-package: adcli
>   required-package: samba-common
>   login-formats: %u...@ad.holding.com
>   login-policy: allow-permitted-logins
>   permitted-logins:
>   permitted-groups: kom-srv-linux-adm...@ad.holding.com
> 
> However, getent does not return information about domain accounts:
> 
> [root@KOM-OVIRT1 ~]# getent passwd alek...@ad.holding.com
> [root@KOM-OVIRT1 ~]# 
> 
> getent for local accounts works:
> 
> [root@KOM-OVIRT1 ~]# getent passwd root
> root:x:0:0:root:/root:/bin/bash
> 
> Does the oVirt Hosted Engine guest OS have some tricky authorization settings?
> Can you help me?
> 


[ovirt-users] Active Directory domain authorization in oVirt Hosted Engine guest OS

2016-10-19 Thread aleksey . maksimov
Hello oVirt gurus!

I'm sorry for the possible off-topic post, but I do not know where to seek help.

I want to set up Active Directory domain authorization in oVirt Hosted Engine 
guest OS.

For this I use SSSD as described here: 
https://blog.it-kb.ru/2016/10/15/join-debian-gnu-linux-8-6-to-active-directory-domain-with-sssd-and-realmd-for-authentication-and-configure-ad-domain-security-group-authorization-for-sudo-and-ssh-with-putty-sso/

I attached the computer to the domain using the realm utility.
It looks nice.

[root@KOM-OVIRT1 ~]# realm list
ad.holding.com
  type: kerberos
  realm-name: AD.HOLDING.COM
  domain-name: ad.holding.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common
  login-formats: %u...@ad.holding.com
  login-policy: allow-permitted-logins
  permitted-logins:
  permitted-groups: kom-srv-linux-adm...@ad.holding.com

However, getent does not return information about domain accounts:

[root@KOM-OVIRT1 ~]# getent passwd alek...@ad.holding.com
[root@KOM-OVIRT1 ~]# 

getent for local accounts works:

[root@KOM-OVIRT1 ~]# getent passwd root
root:x:0:0:root:/root:/bin/bash

Does the oVirt Hosted Engine guest OS have some tricky authorization settings?
Can you help me?


Re: [ovirt-users] Active Directory (LDAP) user auth is slow

2016-03-24 Thread Karli Sjöberg
Sorry about the thread-breakage, OWA...

From: Ondra Machacek <omach...@redhat.com>
Sent: 24 March 2016 15:08
To: Karli Sjöberg
Cc: Martin Perina; Will Dennis; users
Subject: Re: [ovirt-users] Active Directory (LDAP) user auth is slow

On 03/24/2016 03:02 PM, Karli Sjöberg wrote:
>
> On 24 March 2016 13:49, Ondra Machacek <omach...@redhat.com> wrote:
>  >
>  > Hi,
>  >
>  > if you remove a user, then the permissions of that user to VMs will be
>  > removed.
>  > And yes, you will have to add all those permissions back to users from
>  > the new profile.
>  >
>  > But, you can try migration tool[1], to migrate all users to new AAA
> profile.
>  > If you have any problem with it, you can ask.
>
> Ehm, how do you install it? (el6)

yum install -y https://github.com/machacekondra/ovirt-engine-kerbldap-migration/releases/download/ovirt-engine-kerbldap-migration-1.0.4/ovirt-engine-kerbldap-migration-1.0.4-1.el6ev.noarch.rpm

That worked, plus the migration, but I can't log in since our domain is called
something like 'baz.foo.bar' but our users' userPrincipalName values are just 'u...@foo.bar'.
How do you configure that with aaa?

/K

>
> /K
>
>  >
>  > Ondra
>  >
>  > [1]
>  >
> https://github.com/machacekondra/ovirt-engine-kerbldap-migration/blob/master/README.md
>  >
>  > On 03/24/2016 01:06 PM, Will Dennis wrote:
>  > > In the RHEV Admin Guide that Martin mentioned, it says:
>  > >
>  > > "Log in to the Administration Portal, and remove all users and
> groups related to the old profile. Users defined in the removed domain
> will no longer be able to authenticate with the Red Hat Enterprise
> Virtualization Manager. The entries for the affected users will remain
> defined in the Red Hat Enterprise Virtualization Manager until they are
> explicitly removed from the Administration Portal.”
>  > >
>  > > I have some VMs running under some AD domain users; if I remove the
> users from the system as above, will I need to remove them from the VM
> permissions, or is that cleaned up as well? And I guess I’ll need to
> manually re-add the perms back after the new directory config is in
> place? Please advise.
>  > >
>  > > Thanks,
>  > > Will
>  > >
>  > > On Mar 21, 2016, at 4:29 AM, Martin Perina
> <mper...@redhat.com<mailto:mper...@redhat.com>> wrote:
>  > >
>  > >
>  > >
>  > > On Mon, Mar 21, 2016 at 8:20 AM, Yedidyah Bar David
> <d...@redhat.com<mailto:d...@redhat.com>> wrote:
>  > > On Mon, Mar 21, 2016 at 4:47 AM, Will Dennis
> <wden...@nec-labs.com<mailto:wden...@nec-labs.com>> wrote:
>  > >> Hi all,
>  > >>
>  > >> I have enabled Active Directory authentication for the users in
> oVirt (via engine-manage-domains command using --provider=ad) and,
> although it works, it takes about ~50 sec’s to process a login. I have
> other OSS software that utilizes AD auth, and there is no such lag when
> processing logins, so I’m guessing it’s a problem with the oVirt
> implementation… Any way to debug why the auth process is taking so long?
>  > >
>  > > This is an old, unmaintained component. You should use the new
> aaa-ldap one.
>  > > Search the list archives for "aaa-ldap" and/or read the README file
> in the
>  > > sources [1]. Best,
>  > >
>  > > [1]
> https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README
>  > >
>  > > You could also take a look at RHEV 3.6 Administration Guide,
> chapter 13 Users and Roles [2]
>  > > where you can find detailed steps for common configurations.
>  > >
>  > > Martin Perina
>  > >
>  > > [2]
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/chap-Users_and_Roles.html
>  > >
>  > >
>  > >
>  > >>
>  > >> Will
>  > >
>  > >
>  > >
>  > > --
>  > > Didi
>  > >
>  > >
>  > >
>
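The mismatch Karli describes (the directory domain is 'baz.foo.bar' while the users' userPrincipalName is 'user@foo.bar') is the kind of case a login-name mapping handles: rewrite what the user types before the authn profile sees it. The following is an added example, not code from this thread and not the Java code of ovirt-engine-extension-aaa-misc; it emulates that extension's regex user mapping in Python, assuming the extension reads config.mapUser.regex.pattern, config.mapUser.regex.replacement and config.mapUser.regex.mustMatch (Java regex syntax, with ${group} in the replacement) and applies the rewrite to the login name. The mapping.properties content it uses is constructed for the example, so a rule can be tried offline before it is put under /etc/ovirt-engine/extensions.d/.

```python
"""Emulate a regex login-name mapping for an oVirt AAA profile.

Added example; not from the thread and not the Java code of
ovirt-engine-extension-aaa-misc. Assumption: the mapping extension reads
config.mapUser.regex.pattern, config.mapUser.regex.replacement and
config.mapUser.regex.mustMatch (Java regex syntax, ${group} in the
replacement) and rewrites the typed login name before the authn profile
sees it. This module reproduces that rewrite so a rule can be tried offline.
"""
import re

# Constructed configuration for the case in the thread: the directory domain
# is baz.foo.bar but users' userPrincipalName values are user@foo.bar, so a
# bare login name gets the @foo.bar suffix appended. The group uses [^@]+
# rather than [^@]* so an empty login is not turned into "@foo.bar".
SAMPLE_MAPPING_PROPERTIES = """\
ovirt.engine.extension.name = mapping
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]+)$
config.mapUser.regex.replacement = ${user}@foo.bar
config.mapUser.regex.mustMatch = false
"""


def parse_properties(text):
    """Minimal Java-properties reader: 'key = value', '#' comments, first '=' splits."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def java_regex_to_python(pattern):
    """Java named groups are (?<name>...); Python spells them (?P<name>...)."""
    return re.sub(r"\(\?<([A-Za-z][A-Za-z0-9]*)>", r"(?P<\1>", pattern)


def java_replacement_to_python(replacement):
    """Java's ${name} and $1 become Python's \\g<name> and \\1."""
    out = re.sub(r"\$\{([A-Za-z][A-Za-z0-9]*)\}", r"\\g<\1>", replacement)
    return re.sub(r"\$(\d+)", r"\\\1", out)


class UserMapper:
    """Applies the regex mapping; returns None when mustMatch rejects a login."""

    def __init__(self, props):
        if props.get("config.mapUser.type") != "regex":
            raise ValueError("only the regex mapper is emulated here")
        self.pattern = re.compile(
            java_regex_to_python(props["config.mapUser.regex.pattern"]))
        self.replacement = java_replacement_to_python(
            props["config.mapUser.regex.replacement"])
        self.must_match = props.get(
            "config.mapUser.regex.mustMatch", "false").lower() == "true"

    def map_user(self, login):
        match = self.pattern.match(login)
        if match is None:
            # mustMatch=false passes unmatched names through unchanged;
            # mustMatch=true rejects them (modelled as None here).
            return None if self.must_match else login
        return match.expand(self.replacement)


def map_logins(properties_text, logins):
    """Return {typed_login: mapped_login_or_None} for a list of logins."""
    mapper = UserMapper(parse_properties(properties_text))
    return {login: mapper.map_user(login) for login in logins}


if __name__ == "__main__":
    results = map_logins(SAMPLE_MAPPING_PROPERTIES, ["karli", "karli@foo.bar", ""])
    for typed, mapped in results.items():
        print("%-16r -> %r" % (typed, mapped))
```

With mustMatch left at false, a name that already carries a domain (karli@foo.bar) passes through untouched, so users who type their full UPN keep working; setting it to true turns the same input into a rejected login, which is the stricter choice when every user is expected to type a bare name.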


Re: [ovirt-users] Active Directory (LDAP) user auth is slow

2016-03-24 Thread Will Dennis
No worries...

I only had a few VMs to re-assign, so I did it manually...

-Original Message-
From: Karli Sjöberg [mailto:karli.sjob...@slu.se] 
Sent: Thursday, March 24, 2016 11:13 AM
To: Ondra Machacek
Cc: Martin Perina; Will Dennis; users
Subject: SV: [ovirt-users] Active Directory (LDAP) user auth is slow

Sorry about the thread-breakage, OWA...

From: Ondra Machacek <omach...@redhat.com>
Sent: 24 March 2016 15:08
To: Karli Sjöberg
Cc: Martin Perina; Will Dennis; users
Subject: Re: [ovirt-users] Active Directory (LDAP) user auth is slow

On 03/24/2016 03:02 PM, Karli Sjöberg wrote:
>
> On 24 March 2016 13:49, Ondra Machacek <omach...@redhat.com> wrote:
>  >
>  > Hi,
>  >
>  > if you remove a user, then the permissions of that user to VMs will
>  > be removed.
>  > And yes, you will have to add all those permissions back to users
>  > from the new profile.
>  >
>  > But, you can try migration tool[1], to migrate all users to new AAA 
> profile.
>  > If you have any problem with it, you can ask.
>
> Ehm, how do you install it? (el6)

yum install -y https://github.com/machacekondra/ovirt-engine-kerbldap-migration/releases/download/ovirt-engine-kerbldap-migration-1.0.4/ovirt-engine-kerbldap-migration-1.0.4-1.el6ev.noarch.rpm

That worked, plus the migration, but I can't log in since our domain is called
something like 'baz.foo.bar' but our users' userPrincipalName values are just 'u...@foo.bar'.
How do you configure that with aaa?

/K

>
> /K
>
>  >
>  > Ondra
>  >
>  > [1]
>  >
> https://github.com/machacekondra/ovirt-engine-kerbldap-migration/blob/master/README.md
>  >
>  > On 03/24/2016 01:06 PM, Will Dennis wrote:
>  > > In the RHEV Admin Guide that Martin mentioned, it says:
>  > >
>  > > "Log in to the Administration Portal, and remove all users and 
> groups related to the old profile. Users defined in the removed domain 
> will no longer be able to authenticate with the Red Hat Enterprise 
> Virtualization Manager. The entries for the affected users will remain 
> defined in the Red Hat Enterprise Virtualization Manager until they 
> are explicitly removed from the Administration Portal.”
>  > >
>  > > I have some VMs running under some AD domain users; if I remove 
> the users from the system as above, will I need to remove them from 
> the VM permissions, or is that cleaned up as well? And I guess I’ll 
> need to manually re-add the perms back after the new directory config 
> is in place? Please advise.
>  > >
>  > > Thanks,
>  > > Will
>  > >
>  > > On Mar 21, 2016, at 4:29 AM, Martin Perina 
> <mper...@redhat.com<mailto:mper...@redhat.com>> wrote:
>  > >
>  > >
>  > >
>  > > On Mon, Mar 21, 2016 at 8:20 AM, Yedidyah Bar David 
> <d...@redhat.com<mailto:d...@redhat.com>> wrote:
>  > > On Mon, Mar 21, 2016 at 4:47 AM, Will Dennis 
> <wden...@nec-labs.com<mailto:wden...@nec-labs.com>> wrote:
>  > >> Hi all,
>  > >>
>  > >> I have enabled Active Directory authentication for the users in 
> oVirt (via engine-manage-domains command using --provider=ad) and, 
> although it works, it takes about ~50 sec’s to process a login. I have 
> other OSS software that utilizes AD auth, and there is no such lag 
> when processing logins, so I’m guessing it’s a problem with the oVirt 
> implementation… Any way to debug why the auth process is taking so long?
>  > >
>  > > This is an old, unmaintained component. You should use the new 
> aaa-ldap one.
>  > > Search the list archives for "aaa-ldap" and/or read the README
>  > > file in the sources [1]. Best,
>  > >
>  > > [1]
>  > > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README
>  > >
>  > > You could also take a look at RHEV 3.6 Administration Guide,
>  > > chapter 13 Users and Roles [2]
>  > > where you can find detailed steps for common configurations.
>  > >
>  > > Martin Perina
>  > >
>  > > [2]
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/chap-Users_and_Roles.html
>  > >
>  > >
>  > >
>  > >>
>  > >> Will
>  > >
>  > >
>  > >
>  > > --
>  > > Didi
>  > >
>  > >
>  > >
>


Re: [ovirt-users] Active Directory (LDAP) user auth is slow

2016-03-24 Thread Karli Sjöberg

On 24 March 2016 3:06 PM, Ondra Machacek wrote:
>
> On 03/24/2016 03:02 PM, Karli Sjöberg wrote:
> >
> > On 24 March 2016 13:49, Ondra Machacek wrote:
> >  >
> >  > Hi,
> >  >
> >  > if you remove a user, then the permissions of that user to VMs will be
> >  > removed.
> >  > And yes, you will have to add all those permissions back to users from
> >  > the new profile.
> >  >
> >  > But, you can try migration tool[1], to migrate all users to new AAA
> > profile.
> >  > If you have any problem with it, you can ask.
> >
> > Ehm, how do you install it? (el6)
>
> yum install -y https://github.com/machacekondra/ovirt-engine-kerbldap-migration/releases/download/ovirt-engine-kerbldap-migration-1.0.4/ovirt-engine-kerbldap-migration-1.0.4-1.el6ev.noarch.rpm

Awesome, thanks!

/K

>
> >
> > /K
> >
> >  >
> >  > Ondra
> >  >
> >  > [1]
> >  >
> > https://github.com/machacekondra/ovirt-engine-kerbldap-migration/blob/master/README.md
> >  >
> >  > On 03/24/2016 01:06 PM, Will Dennis wrote:
> >  > > In the RHEV Admin Guide that Martin mentioned, it says:
> >  > >
> >  > > "Log in to the Administration Portal, and remove all users and
> > groups related to the old profile. Users defined in the removed domain
> > will no longer be able to authenticate with the Red Hat Enterprise
> > Virtualization Manager. The entries for the affected users will remain
> > defined in the Red Hat Enterprise Virtualization Manager until they are
> > explicitly removed from the Administration Portal.”
> >  > >
> >  > > I have some VMs running under some AD domain users; if I remove the
> > users from the system as above, will I need to remove them from the VM
> > permissions, or is that cleaned up as well? And I guess I’ll need to
> > manually re-add the perms back after the new directory config is in
> > place? Please advise.
> >  > >
> >  > > Thanks,
> >  > > Will
> >  > >
> >  > > On Mar 21, 2016, at 4:29 AM, Martin Perina
> > > wrote:
> >  > >
> >  > >
> >  > >
> >  > > On Mon, Mar 21, 2016 at 8:20 AM, Yedidyah Bar David
> > > wrote:
> >  > > On Mon, Mar 21, 2016 at 4:47 AM, Will Dennis
> > > wrote:
> >  > >> Hi all,
> >  > >>
> >  > >> I have enabled Active Directory authentication for the users in
> > oVirt (via engine-manage-domains command using --provider=ad) and,
> > although it works, it takes about ~50 sec’s to process a login. I have
> > other OSS software that utilizes AD auth, and there is no such lag when
> > processing logins, so I’m guessing it’s a problem with the oVirt
> > implementation… Any way to debug why the auth process is taking so long?
> >  > >
> >  > > This is an old, unmaintained component. You should use the new
> > aaa-ldap one.
> >  > > Search the list archives for "aaa-ldap" and/or read the README file
> > in the
> >  > > sources [1]. Best,
> >  > >
> >  > > [1]
> > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README
> >  > >
> >  > > You could also take a look at the RHEV 3.6 Administration Guide,
> > chapter 13 Users and Roles [2]
> >  > > where you can find detailed steps for common configurations.
> >  > >
> >  > > Martin Perina
> >  > >
> >  > > [2]
> > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/chap-Users_and_Roles.html
> >  > >
> >  > >
> >  > >
> >  > >>
> >  > >> Will
> >  > >> ___
> >  > >> Users mailing list
> >  > >> Users@ovirt.org
> >  > >> http://lists.ovirt.org/mailman/listinfo/users
> >  > >
> >  > >
> >  > >
> >  > > --
> >  > > Didi


Re: [ovirt-users] Active Directory (LDAP) user auth is slow

2016-03-24 Thread Karli Sjöberg

On 24 March 2016 13:49, Ondra Machacek wrote:
>
> Hi,
>
> if you remove a user, then the permissions of that user to VMs will also be
> removed.
> And yes, you will have to add all those permissions back to the users from the
> new profile.
>
> But, you can try the migration tool[1], to migrate all users to the new AAA profile.
> If you have any problem with it, you can ask.

Ehm, how do you install it? (el6)

/K

>
> Ondra
>
> [1]
> https://github.com/machacekondra/ovirt-engine-kerbldap-migration/blob/master/README.md
>
> On 03/24/2016 01:06 PM, Will Dennis wrote:
> > In the RHEV Admin Guide that Martin mentioned, it says:
> >
> > "Log in to the Administration Portal, and remove all users and groups 
> > related to the old profile. Users defined in the removed domain will no 
> > longer be able to authenticate with the Red Hat Enterprise Virtualization 
> > Manager. The entries for the affected users will remain defined in the Red 
> > Hat Enterprise Virtualization Manager until they are explicitly removed 
> > from the Administration Portal."
> >
> > I have some VMs running under some AD domain users; if I remove the users 
> > from the system as above, will I need to remove them from the VM 
> > permissions, or is that cleaned up as well? And I guess I’ll need to 
> > manually re-add the perms back after the new directory config is in place? 
> > Please advise.
> >
> > Thanks,
> > Will
> >
> > On Mar 21, 2016, at 4:29 AM, Martin Perina 
> > > wrote:
> >
> >
> >
> > On Mon, Mar 21, 2016 at 8:20 AM, Yedidyah Bar David 
> > > wrote:
> > On Mon, Mar 21, 2016 at 4:47 AM, Will Dennis 
> > > wrote:
> >> Hi all,
> >>
> >> I have enabled Active Directory authentication for the users in oVirt (via 
> >> engine-manage-domains command using --provider=ad) and, although it works, 
> >> it takes about ~50 sec’s to process a login. I have other OSS software 
> >> that utilizes AD auth, and there is no such lag when processing logins, so 
> >> I’m guessing it’s a problem with the oVirt implementation… Any way to 
> >> debug why the auth process is taking so long?
> >
> > This is an old, unmaintained component. You should use the new aaa-ldap one.
> > Search the list archives for "aaa-ldap" and/or read the README file in the
> > sources [1]. Best,
> >
> > [1] 
> > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README
> >
> > You could also take a look at the RHEV 3.6 Administration Guide, chapter 13
> > Users and Roles [2]
> > where you can find detailed steps for common configurations.
> >
> > Martin Perina
> >
> > [2] 
> > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/chap-Users_and_Roles.html
> >
> >
> >
> >>
> >> Will
> >
> >
> >
> > --
> > Didi


Re: [ovirt-users] Active Directory (LDAP) user auth is slow

2016-03-24 Thread Ondra Machacek

On 03/24/2016 03:02 PM, Karli Sjöberg wrote:


On 24 March 2016 13:49, Ondra Machacek wrote:
 >
 > Hi,
 >
 > if you remove a user, then the permissions of that user to VMs will also be
 > removed.
 > And yes, you will have to add all those permissions back to the users from the
 > new profile.
 >
 > But, you can try the migration tool[1], to migrate all users to the new AAA
profile.
 > If you have any problem with it, you can ask.

Ehm, how do you install it? (el6)


yum install -y https://github.com/machacekondra/ovirt-engine-kerbldap-migration/releases/download/ovirt-engine-kerbldap-migration-1.0.4/ovirt-engine-kerbldap-migration-1.0.4-1.el6ev.noarch.rpm




/K

 >
 > Ondra
 >
 > [1]
 >
https://github.com/machacekondra/ovirt-engine-kerbldap-migration/blob/master/README.md
 >
 > On 03/24/2016 01:06 PM, Will Dennis wrote:
 > > In the RHEV Admin Guide that Martin mentioned, it says:
 > >
 > > "Log in to the Administration Portal, and remove all users and
groups related to the old profile. Users defined in the removed domain
will no longer be able to authenticate with the Red Hat Enterprise
Virtualization Manager. The entries for the affected users will remain
defined in the Red Hat Enterprise Virtualization Manager until they are
explicitly removed from the Administration Portal."
 > >
 > > I have some VMs running under some AD domain users; if I remove the
users from the system as above, will I need to remove them from the VM
permissions, or is that cleaned up as well? And I guess I’ll need to
manually re-add the perms back after the new directory config is in
place? Please advise.
 > >
 > > Thanks,
 > > Will
 > >
 > > On Mar 21, 2016, at 4:29 AM, Martin Perina
> wrote:
 > >
 > >
 > >
 > > On Mon, Mar 21, 2016 at 8:20 AM, Yedidyah Bar David
> wrote:
 > > On Mon, Mar 21, 2016 at 4:47 AM, Will Dennis
> wrote:
 > >> Hi all,
 > >>
 > >> I have enabled Active Directory authentication for the users in
oVirt (via engine-manage-domains command using --provider=ad) and,
although it works, it takes about ~50 sec’s to process a login. I have
other OSS software that utilizes AD auth, and there is no such lag when
processing logins, so I’m guessing it’s a problem with the oVirt
implementation… Any way to debug why the auth process is taking so long?
 > >
 > > This is an old, unmaintained component. You should use the new
aaa-ldap one.
 > > Search the list archives for "aaa-ldap" and/or read the README file
in the
 > > sources [1]. Best,
 > >
 > > [1]
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README
 > >
 > > You could also take a look at the RHEV 3.6 Administration Guide,
chapter 13 Users and Roles [2]
 > > where you can find detailed steps for common configurations.
 > >
 > > Martin Perina
 > >
 > > [2]
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/chap-Users_and_Roles.html
 > >
</gr_replreplace>
<gr_replace lines="2196-2199" cat="remove_boilerplate" orig="> >> ___">
 > >
 > >
 > >>
 > >> Will
 > >> ___
 > >> Users mailing list
 > >> Users@ovirt.org
 > >> http://lists.ovirt.org/mailman/listinfo/users
 > >
 > >
 > >
 > > --
 > > Didi


Re: [ovirt-users] Active Directory (LDAP) user auth is slow

2016-03-24 Thread Ondra Machacek

Hi,

if you remove a user, then the permissions of that user to VMs will also be
removed.
And yes, you will have to add all those permissions back to the users from the
new profile.


But, you can try the migration tool[1], to migrate all users to the new AAA profile.
If you have any problem with it, you can ask.

Ondra

[1] 
https://github.com/machacekondra/ovirt-engine-kerbldap-migration/blob/master/README.md


On 03/24/2016 01:06 PM, Will Dennis wrote:

In the RHEV Admin Guide that Martin mentioned, it says:

"Log in to the Administration Portal, and remove all users and groups related 
to the old profile. Users defined in the removed domain will no longer be able to 
authenticate with the Red Hat Enterprise Virtualization Manager. The entries for the 
affected users will remain defined in the Red Hat Enterprise Virtualization Manager 
until they are explicitly removed from the Administration Portal."

I have some VMs running under some AD domain users; if I remove the users from 
the system as above, will I need to remove them from the VM permissions, or is 
that cleaned up as well? And I guess I’ll need to manually re-add the perms 
back after the new directory config is in place? Please advise.

Thanks,
Will

On Mar 21, 2016, at 4:29 AM, Martin Perina 
> wrote:



On Mon, Mar 21, 2016 at 8:20 AM, Yedidyah Bar David 
> wrote:
On Mon, Mar 21, 2016 at 4:47 AM, Will Dennis 
> wrote:

Hi all,

I have enabled Active Directory authentication for the users in oVirt (via 
engine-manage-domains command using --provider=ad) and, although it works, it 
takes about ~50 sec’s to process a login. I have other OSS software that 
utilizes AD auth, and there is no such lag when processing logins, so I’m 
guessing it’s a problem with the oVirt implementation… Any way to debug why the 
auth process is taking so long?


This is an old, unmaintained component. You should use the new aaa-ldap one.
Search the list archives for "aaa-ldap" and/or read the README file in the
sources [1]. Best,

[1] 
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README

You could also take a look at the RHEV 3.6 Administration Guide, chapter 13 Users
and Roles [2]
where you can find detailed steps for common configurations.

Martin Perina

[2] 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/chap-Users_and_Roles.html




Will




--
Didi


Re: [ovirt-users] Active Directory (LDAP) user auth is slow

2016-03-24 Thread Will Dennis

In the RHEV Admin Guide that Martin mentioned, it says:

"Log in to the Administration Portal, and remove all users and groups related 
to the old profile. Users defined in the removed domain will no longer be able 
to authenticate with the Red Hat Enterprise Virtualization Manager. The entries 
for the affected users will remain defined in the Red Hat Enterprise 
Virtualization Manager until they are explicitly removed from the 
Administration Portal."

I have some VMs running under some AD domain users; if I remove the users from 
the system as above, will I need to remove them from the VM permissions, or is 
that cleaned up as well? And I guess I’ll need to manually re-add the perms 
back after the new directory config is in place? Please advise.

Thanks,
Will

On Mar 21, 2016, at 4:29 AM, Martin Perina 
> wrote:



On Mon, Mar 21, 2016 at 8:20 AM, Yedidyah Bar David 
> wrote:
On Mon, Mar 21, 2016 at 4:47 AM, Will Dennis 
> wrote:
> Hi all,
>
> I have enabled Active Directory authentication for the users in oVirt (via 
> engine-manage-domains command using --provider=ad) and, although it works, it 
> takes about ~50 sec’s to process a login. I have other OSS software that 
> utilizes AD auth, and there is no such lag when processing logins, so I’m 
> guessing it’s a problem with the oVirt implementation… Any way to debug why 
> the auth process is taking so long?

This is an old, unmaintained component. You should use the new aaa-ldap one.
Search the list archives for "aaa-ldap" and/or read the README file in the
sources [1]. Best,

[1] 
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README

You could also take a look at the RHEV 3.6 Administration Guide, chapter 13 Users
and Roles [2]
where you can find detailed steps for common configurations.

Martin Perina

[2] 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/chap-Users_and_Roles.html


>
> Will



--
Didi


Re: [ovirt-users] Active Directory (LDAP) user auth is slow

2016-03-21 Thread Martin Perina

On Mon, Mar 21, 2016 at 8:20 AM, Yedidyah Bar David  wrote:

> On Mon, Mar 21, 2016 at 4:47 AM, Will Dennis  wrote:
> > Hi all,
> >
> > I have enabled Active Directory authentication for the users in oVirt
> (via engine-manage-domains command using --provider=ad) and, although it
> works, it takes about ~50 sec’s to process a login. I have other OSS
> software that utilizes AD auth, and there is no such lag when processing
> logins, so I’m guessing it’s a problem with the oVirt implementation… Any
> way to debug why the auth process is taking so long?
>
> This is an old, unmaintained component. You should use the new aaa-ldap
> one.
> Search the list archives for "aaa-ldap" and/or read the README file in the
> sources [1]. Best,
>
> [1]
> https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README
>

You could also take a look at the RHEV 3.6 Administration Guide, chapter 13
Users and Roles [2]
where you can find detailed steps for common configurations.

Martin Perina

[2]
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/chap-Users_and_Roles.html


>
> >
> > Will
>
>
>
> --
> Didi


Re: [ovirt-users] Active Directory (LDAP) user auth is slow

2016-03-21 Thread Yedidyah Bar David

On Mon, Mar 21, 2016 at 4:47 AM, Will Dennis  wrote:
> Hi all,
>
> I have enabled Active Directory authentication for the users in oVirt (via 
> engine-manage-domains command using --provider=ad) and, although it works, it 
> takes about ~50 sec’s to process a login. I have other OSS software that 
> utilizes AD auth, and there is no such lag when processing logins, so I’m 
> guessing it’s a problem with the oVirt implementation… Any way to debug why 
> the auth process is taking so long?

This is an old, unmaintained component. You should use the new aaa-ldap one.
Search the list archives for "aaa-ldap" and/or read the README file in the
sources [1]. Best,

[1] 
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README

>
> Will



-- 
Didi


[ovirt-users] Active Directory (LDAP) user auth is slow

2016-03-20 Thread Will Dennis

Hi all,

I have enabled Active Directory authentication for the users in oVirt (via 
engine-manage-domains command using --provider=ad) and, although it works, it 
takes about ~50 sec’s to process a login. I have other OSS software that 
utilizes AD auth, and there is no such lag when processing logins, so I’m 
guessing it’s a problem with the oVirt implementation… Any way to debug why the 
auth process is taking so long?

Will