[ovirt-users] Re: LDAP Authentication issues

2018-06-12 Thread Callum Smith
Dear All, Seems the required element for the CPU Profile to work is in roles_groups table: insert into roles_groups (role_id, action_group_id) VALUES ('def00017----def00017', '1668'); Whether the action_group_id is install-specific or not is unclear, but the role UUID for

[ovirt-users] Re: LDAP Authentication issues

2018-06-12 Thread Callum Smith
Yes indeed Regards, Callum -- Callum Smith Research Computing Core Wellcome Trust Centre for Human Genetics University of Oxford e. cal...@well.ox.ac.uk On 12 Jun 2018, at 10:18, Roy Golan <rgo...@redhat.com> wrote: On Tue, 12 Jun 2018 at 11:48 Callum

[ovirt-users] Re: LDAP Authentication issues

2018-06-12 Thread Roy Golan
On Tue, 12 Jun 2018 at 11:48 Callum Smith wrote: > Dear All, > > Process of database "fixing" is required because adding system permissions > to the "Everyone" group is a one-way process that causes many problems and > there is no way to rescue from the GUI, only options are to restore from >

[ovirt-users] Re: LDAP Authentication issues

2018-06-12 Thread Callum Smith
Dear All, Process of database "fixing" is required because adding system permissions to the "Everyone" group is a one-way process that causes many problems and there is no way to rescue from the GUI, only options are to restore from backup or rebuild the permissions database. The next issue,

[ovirt-users] Re: LDAP Authentication issues

2018-06-11 Thread Roy Golan
On Tue, 12 Jun 2018 at 02:24 Donny Davis wrote: > I am happy to help where I can. I would also not recommend tinkering > around in the database, but I am happy to hear you have it all running. :) > > Everything you should ever be doing in the engine is available via the > API/UI. Just some

[ovirt-users] Re: LDAP Authentication issues

2018-06-11 Thread Donny Davis
I am happy to help where I can. I would also not recommend tinkering around in the database, but I am happy to hear you have it all running. :) Everything you should ever be doing in the engine is available via the API/UI. Just some general advice. On Mon, Jun 11, 2018 at 9:31 AM, Callum

[ovirt-users] Re: LDAP Authentication issues

2018-06-11 Thread Callum Smith
Dear All & Donny, Thank you for the clarifications, very useful indeed. A note for future users who go down this path and don't want to restore or reinstall: Cleaning out the `permissions` table in the database and restoring the defaults will solve the issue, but you need to restore the

[ovirt-users] Re: LDAP Authentication issues

2018-06-11 Thread Donny Davis
https://lists.ovirt.org/pipermail/users/2015-January/030981.html This is the thread where I discussed a bit of the permissions thing. I am sure things have changed since 3.5.1, but should get you down the right path. On Mon, Jun 11, 2018 at 6:54 AM, Callum Smith wrote: > Yes, in process of

[ovirt-users] Re: LDAP Authentication issues

2018-06-11 Thread Callum Smith
Yes, in process of trying to fix/identify things - need to undo this. Regards, Callum -- Callum Smith Research Computing Core Wellcome Trust Centre for Human Genetics University of Oxford e. cal...@well.ox.ac.uk On 11 Jun 2018, at 11:48, Donny Davis

[ovirt-users] Re: LDAP Authentication issues

2018-06-11 Thread Donny Davis
Did you add system permissions to the everyone group? On Mon, Jun 11, 2018 at 6:42 AM, Callum Smith wrote: > Happy for you to link me a guide, googlefu is failing me. > > How do I get around this "It's not allowed to remove system permissions > assigned to built-in Everyone group" - to remove

[ovirt-users] Re: LDAP Authentication issues

2018-06-11 Thread Callum Smith
Happy for you to link me a guide, googlefu is failing me. How do I get around this "It's not allowed to remove system permissions assigned to built-in Everyone group" - to remove permissions erroneously added. Regards, Callum -- Callum Smith Research Computing Core Wellcome Trust Centre for

[ovirt-users] Re: LDAP Authentication issues

2018-06-11 Thread Donny Davis
You can create a profile that has the proper permissions to allow what you are looking for, and then assign that profile to the groups you wish. I wrote a post on this quite a while back on how to set up oVirt to appear to be multi-tenant. Happy to see you don't have an ldap issue :) >This will

[ovirt-users] Re: LDAP Authentication issues

2018-06-11 Thread Callum Smith
Ah, this appears to be an issue with the proxy - setting up the spice proxy as indicated in the guides is causing this issue, and likely will need support. https://www.ovirt.org/documentation/admin-guide/chap-Proxies/ Regards, Callum -- Callum Smith Research Computing Core Wellcome Trust

[ovirt-users] Re: LDAP Authentication issues

2018-06-11 Thread Callum Smith
Ok, the user now logs in! This will be a problem for us to now create group permissions for all 100+ groups since Everyone === No-one. -sigh- A new issue, when in the VM portal as the LDAP user, I get HTTP basic auth login prompts, and an "Authorization expired" error, then a page reload.

[ovirt-users] Re: LDAP Authentication issues

2018-06-11 Thread Donny Davis
Try giving your user system permissions as a superuser and see if it goes away. I wouldn't leave it like that, but it will help isolate your issue. I don't think you have an ldap issue... the log entry is telling you that user has no permissions >The user callum@Biomedical Research Computing is

[ovirt-users] Re: LDAP Authentication issues

2018-06-11 Thread Callum Smith
Dear Donny, No, though the user shows the permissions inherited from the Everyone group: [cid:3C4DA68E-6FBF-4D50-AA88-9E063CFBED6C@well.ox.ac.uk] Regards, Callum -- Callum Smith Research Computing Core Wellcome Trust Centre for Human Genetics University of Oxford e.

[ovirt-users] Re: LDAP Authentication issues

2018-06-11 Thread Donny Davis
Just a shot in the dark, but after you set up ldap did you go in as the default admin and give an ldap account permissions? On Mon, Jun 11, 2018 at 6:04 AM, Callum Smith wrote: > Dear All, > > Could this be as our LDAP is fairly short on attributes? > > 2018-06-11 11:00:52,856+01 INFO >

[ovirt-users] Re: LDAP Authentication issues

2018-06-11 Thread Callum Smith
Dear All, Could this be as our LDAP is fairly short on attributes? 2018-06-11 11:00:52,856+01 INFO [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-5) [5dff9eb0] Running command: CreateUserSessionCommand internal: false. 2018-06-11 11:00:52,884+01 ERROR

[ovirt-users] Re: LDAP Authentication issues

2018-06-11 Thread Callum Smith
What would be the next step to help solve this issue? All users authenticating through LDAP get "This user is not authorised to perform authentication". Regards, Callum -- Callum Smith Research Computing Core Wellcome Trust Centre for Human Genetics University of Oxford e.

[ovirt-users] Re: LDAP Authentication issues

2018-06-05 Thread Callum Smith
Ok I spoke too soon, I have resolved the groups, but authentication still isn't working for LDAP users, same error as before (114). Regards, Callum -- Callum Smith Research Computing Core Wellcome Trust Centre for Human Genetics University of Oxford e.

[ovirt-users] Re: LDAP Authentication issues

2018-06-05 Thread Callum Smith
Dear Ondra, all, Managed to solve this once I got my head around the properties file. Conceptually the problem is that users are typically not a member of their primary group in a POSIX scenario, and their primary group is set by the gidNumber of the user's record, with additional group

[ovirt-users] Re: LDAP Authentication issues

2018-06-04 Thread Callum Smith
Dear Ondra, I went for openldap-rfc2307 as that best describes our ldap setup. The issue seems to be that the gidNumber is set, but users are not a member of their primary group within the LDAP. So, user's gidNumber represents primary group and posixGroup membership (memberUid) represents

[ovirt-users] Re: LDAP Authentication issues

2018-05-29 Thread Ondra Machacek
What's your LDAP and what profile did you choose? This looks like you have chosen incorrect profile during setup. Are you sure you aren't using posix group and using non-posix aaa profile? Sharing a debug log of ovirt-engine-extensions-tool would be helpful. On Fri, May 25, 2018, 10:04 AM Callum