Re: [ovirt-users] oVirt AD integration problems

2016-10-17 Thread cmc
Hi Ondra,

I assigned permissions to an LDAP group and it just needed me to remove
that group and re-add it for it to authorize again.

Yes, the UPN is user@domain in our case. Not a big deal, but is there a
plan to change the display name? I get confused looks
and questions when people log in.

All working now, many thanks once again for all your help!

Cheers,

Cam

On Mon, Oct 17, 2016 at 10:06 AM, Ondra Machacek wrote:

> Hi Cam,
>
> this is OK, because we use the user principal name (UPN) [1] for the
> 'username' field of oVirt. So the resulting username will consist of
> UPN@authz-extension, so if your user's UPN is 'user@domain' and you
> name your authz extension 'domain', then the resulting username
> will be 'user@domain@domain'.
>
> The problem that you can't get authorized is that you didn't assign
> any permissions to your user.
>
> [1] https://msdn.microsoft.com/en-us/library/ms680857(v=vs.85).aspx
>
> On 10/14/2016 04:30 PM, cmc wrote:
>
>> Hi Ondra,
>>
>> It manages to authenticate, but appends the domain again once I'm logged
>> in, for instance, if I log in as user 'cam', it will log me in,
>> and display the login name in the top right corner as
>> 'c...@domain.com@domain.com' (this shows up in the
>> log as well: it shows me
>> logging in as c...@domain.com, but then returns
>> an error as user c...@domain.com@domain.com is not
>> authorized). My thought was
>> that something done earlier when I was playing around with sssd,
>> kerberos and AD is doing this, though I have removed these packages
>> and run authconfig to remove sssd. Any ideas?
>>
>> Cheers,
>>
>> Cam
>>
>> On Thu, Oct 13, 2016 at 2:04 PM, cmc wrote:
>>
>> Hi Ondra,
>>
>> That is good to know that we don't need Kerberos - it complicates
>> things a lot.
>>
>> I think the errors might be the options I'd selected during the
>> setup. I was thrown a bit that
>> it passed all the internal tests provided by the setup script, but
>> failed on the web GUI. When
>> I've seen 'unspecified GSS failure' and 'peer not authenticated'
>> it's usually been due to
>> Kerberos (though admittedly these are just generic errors). So I
>> tried the Red Hat guide for SSO at:
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/Configuring_LDAP_and_Kerberos_for_Single_Sign-on.html
>>
>> which uses Kerberos (in ovirt-sso.conf). I had to remove the symlink
>> to the Apache
>> config it says to create, as it results in internal server errors in
>> Apache. It uses an SPN for
>> Apache in the keytab.
>>
>> Now that you've confirmed that it can actually work without any need
>> for the Kerberos stuff,
>> I will start afresh from a clean setup and apply what I've learnt
>> during this process.
>>
>> I'll try it out and let you know either way.
>>
>> Many thanks for all the help!
>>
>> Kind regards,
>>
>> Cam
>>
>>
>>
>> Yes, you really do not need anything kerberos related to
>> securely bind
>> to AD via LDAP simple bind over TLS/SSL. This is really strange
>> to me
>> what errors you are getting, but you probably configured apache
>> (or
>> something else?) to require keytab, but you don't have to, and
>> you can
>> remove that configuration.
>>
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] oVirt AD integration problems

2016-10-17 Thread Ondra Machacek

Hi Cam,

this is OK, because we use the user principal name (UPN) [1] for the
'username' field of oVirt. So the resulting username will consist of
UPN@authz-extension, so if your user's UPN is 'user@domain' and you
name your authz extension 'domain', then the resulting username
will be 'user@domain@domain'.

The problem that you can't get authorized is that you didn't assign
any permissions to your user.

[1] https://msdn.microsoft.com/en-us/library/ms680857(v=vs.85).aspx

On 10/14/2016 04:30 PM, cmc wrote:

Hi Ondra,

It manages to authenticate, but appends the domain again once I'm logged
in, for instance, if I log in as user 'cam', it will log me in,
and display the login name in the top right corner as
'c...@domain.com@domain.com' (this shows up in the
log as well: it shows me
logging in as c...@domain.com, but then returns
an error as user c...@domain.com@domain.com is not
authorized). My thought was
that something done earlier when I was playing around with sssd,
kerberos and AD is doing this, though I have removed these packages
and run authconfig to remove sssd. Any ideas?

Cheers,

Cam

On Thu, Oct 13, 2016 at 2:04 PM, cmc wrote:

Hi Ondra,

That is good to know that we don't need Kerberos - it complicates
things a lot.

I think the errors might be the options I'd selected during the
setup. I was thrown a bit that
it passed all the internal tests provided by the setup script, but
failed on the web GUI. When
I've seen 'unspecified GSS failure' and 'peer not authenticated'
it's usually been due to
Kerberos (though admittedly these are just generic errors). So I
tried the Red Hat guide for SSO at:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/Configuring_LDAP_and_Kerberos_for_Single_Sign-on.html

which uses Kerberos (in ovirt-sso.conf). I had to remove the symlink
to the Apache
config it says to create, as it results in internal server errors in
Apache. It uses an SPN for
Apache in the keytab.

Now that you've confirmed that it can actually work without any need
for the Kerberos stuff,
I will start afresh from a clean setup and apply what I've learnt
during this process.

I'll try it out and let you know either way.

Many thanks for all the help!

Kind regards,

Cam



Yes, you really do not need anything kerberos related to
securely bind
to AD via LDAP simple bind over TLS/SSL. This is really strange
to me
what errors you are getting, but you probably configured apache (or
something else?) to require keytab, but you don't have to, and
you can
remove that configuration.




Re: [ovirt-users] oVirt AD integration problems

2016-10-14 Thread Karli Sjöberg

On 14 Oct 2016 at 4:30 PM, cmc wrote:
>
> Hi Ondra,
>
> It manages to authenticate, but appends the domain again once I'm logged in, 
> for instance, if I log in as user 'cam', it will log me in,
> and display the login name in the top right corner as 
> 'c...@domain.com@domain.com' (this shows up in the log as well: it shows me
> logging in as c...@domain.com, but then returns an error as user
> c...@domain.com@domain.com is not authorized). My thought was
> that something done earlier when I was playing around with sssd, kerberos and 
> AD is doing this, though I have removed these packages
> and run authconfig to remove sssd. Any ideas?

Can't say why, but it's the same for us. It's unsightly, kindly put.

/K

>
> Cheers,
>
> Cam
>
> On Thu, Oct 13, 2016 at 2:04 PM, cmc wrote:
>>
>> Hi Ondra,
>>
>> That is good to know that we don't need Kerberos - it complicates things a 
>> lot.
>>
>> I think the errors might be the options I'd selected during the setup. I was 
>> thrown a bit that
>> it passed all the internal tests provided by the setup script, but failed on 
>> the web GUI. When
>> I've seen 'unspecified GSS failure' and 'peer not authenticated' it's 
>> usually been due to
>> Kerberos (though admittedly these are just generic errors). So I tried the 
>> Red Hat guide for SSO at:
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/Configuring_LDAP_and_Kerberos_for_Single_Sign-on.html
>>
>> which uses Kerberos (in ovirt-sso.conf). I had to remove the symlink to the 
>> Apache
>> config it says to create, as it results in internal server errors in Apache. 
>> It uses an SPN for
>> Apache in the keytab.
>>
>> Now that you've confirmed that it can actually work without any need for the 
>> Kerberos stuff,
>> I will start afresh from a clean setup and apply what I've learnt during 
>> this process.
>>
>> I'll try it out and let you know either way.
>>
>> Many thanks for all the help!
>>
>> Kind regards,
>>
>> Cam
>>
>>
>>>
>>> Yes, you really do not need anything kerberos related to securely bind
>>> to AD via LDAP simple bind over TLS/SSL. This is really strange to me
>>> what errors you are getting, but you probably configured apache (or
>>> something else?) to require keytab, but you don't have to, and you can
>>> remove that configuration.
>>>



Re: [ovirt-users] oVirt AD integration problems

2016-10-14 Thread cmc
Hi Ondra,

It manages to authenticate, but appends the domain again once I'm logged
in, for instance, if I log in as user 'cam', it will log me in,
and display the login name in the top right corner as
'c...@domain.com@domain.com' (this shows up in the log as well: it shows me
logging in as c...@domain.com, but then returns an error as user
c...@domain.com@domain.com is not authorized). My thought was
that something done earlier when I was playing around with sssd, kerberos
and AD is doing this, though I have removed these packages
and run authconfig to remove sssd. Any ideas?

Cheers,

Cam

On Thu, Oct 13, 2016 at 2:04 PM, cmc wrote:

> Hi Ondra,
>
> That is good to know that we don't need Kerberos - it complicates things a
> lot.
>
> I think the errors might be the options I'd selected during the setup. I
> was thrown a bit that
> it passed all the internal tests provided by the setup script, but failed
> on the web GUI. When
> I've seen 'unspecified GSS failure' and 'peer not authenticated' it's
> usually been due to
> Kerberos (though admittedly these are just generic errors). So I tried the
> Red Hat guide for SSO at:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/Configuring_LDAP_and_Kerberos_for_Single_Sign-on.html
>
> which uses Kerberos (in ovirt-sso.conf). I had to remove the symlink to the
> Apache
> config it says to create, as it results in internal server errors in
> Apache. It uses an SPN for
> Apache in the keytab.
>
> Now that you've confirmed that it can actually work without any need for
> the Kerberos stuff,
> I will start afresh from a clean setup and apply what I've learnt during
> this process.
>
> I'll try it out and let you know either way.
>
> Many thanks for all the help!
>
> Kind regards,
>
> Cam
>
>
>
>> Yes, you really do not need anything kerberos related to securely bind
>> to AD via LDAP simple bind over TLS/SSL. This is really strange to me
>> what errors you are getting, but you probably configured apache (or
>> something else?) to require keytab, but you don't have to, and you can
>> remove that configuration.
>>


Re: [ovirt-users] oVirt AD integration problems

2016-10-13 Thread cmc
Hi Ondra,

That is good to know that we don't need Kerberos - it complicates things a
lot.

I think the errors might be the options I'd selected during the setup. I
was thrown a bit that it passed all the internal tests provided by the
setup script, but failed on the web GUI. When I've seen 'unspecified GSS
failure' and 'peer not authenticated' it's usually been due to Kerberos
(though admittedly these are just generic errors). So I tried the Red Hat
guide for SSO at:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/Configuring_LDAP_and_Kerberos_for_Single_Sign-on.html

which uses Kerberos (in ovirt-sso.conf). I had to remove the symlink to the
Apache config it says to create, as it results in internal server errors in
Apache. It uses an SPN for Apache in the keytab.

Now that you've confirmed that it can actually work without any need for
the Kerberos stuff,
I will start afresh from a clean setup and apply what I've learnt during
this process.

I'll try it out and let you know either way.

Many thanks for all the help!

Kind regards,

Cam



> Yes, you really do not need anything kerberos related to securely bind
> to AD via LDAP simple bind over TLS/SSL. This is really strange to me
> what errors you are getting, but you probably configured apache (or
> something else?) to require keytab, but you don't have to, and you can
> remove that configuration.
>


Re: [ovirt-users] oVirt AD integration problems

2016-10-13 Thread Ondra Machacek

On 10/12/2016 03:31 PM, cmc wrote:


Hi Ondra,

It's not, but you need to use an insecure connection then (you need to
have the following line in /etc/ovirt-engine/aaa/domain.properties):

 pool.default.ssl.insecure = true


I ended up generating a cert on one of the AD machines, copying it to
the host, and then specified it in the setup process via
ovirt-engine-extension-aaa-ldap-setup.
It seems to create a .jks file. It still gave me the same 'peer not
authenticated' so I checked the krb5.keytab and saw that there was no
SPN for http, so I rejoined the domain and specified http as a service
name via adcli, and then things worked.



So double check that, and if it still won't work, the logs from
ovirt-engine-extensions-tool would help, you can generate them as
follows:

 $ ovirt-engine-extensions-tool --log-level=FINEST --log-file=/tmp/aaa.log aaa


Do I need to set up Apache separately to use LDAP auth? The service
principals exist in the krb5.keytab, but I don't know if that is only
if you
are using SSO.


Yes, that's only if you use SSO. If you use plain LDAP simple bind, you
don't need anything related to kerberos.


I think I was under the impression that you needed to join the domain in
order to auth via AD. However, I've now seen one HOWTO that says that
you just need the cert from AD to be able to auth securely though I'm
not entirely clear whether that works for Apache. Is that correct -
Kerberos, binding etc is not needed for the oVirt web interface to auth
securely?


Yes, you really do not need anything kerberos related to securely bind
to AD via LDAP simple bind over TLS/SSL. This is really strange to me
what errors you are getting, but you probably configured apache (or
something else?) to require keytab, but you don't have to, and you can
remove that configuration.





Re: [ovirt-users] oVirt AD integration problems

2016-10-12 Thread cmc
Hi Ondra,

> It's not, but you need to use an insecure connection then (you need to have
> the following line in /etc/ovirt-engine/aaa/domain.properties):
>
>  pool.default.ssl.insecure = true
>

I ended up generating a cert on one of the AD machines, copying it to the
host, and then specified it in the setup process via
ovirt-engine-extension-aaa-ldap-setup.
It seems to create a .jks file. It still gave me the same 'peer not
authenticated' so I checked the krb5.keytab and saw that there was no SPN
for http, so I rejoined the domain and specified http as a service name via
adcli, and then things worked.


>
> So double check that, and if it still won't work, the logs from
> ovirt-engine-extensions-tool would help; you can generate them as follows:
>
>  $ ovirt-engine-extensions-tool --log-level=FINEST --log-file=/tmp/aaa.log aaa
>
>
>
>> Do I need to set up Apache separately to use LDAP auth? The service
>> principals exist in the krb5.keytab, but I don't know if that is only if you
>> are using SSO.
>>
>
> Yes, that's only if you use SSO. If you use plain LDAP simple bind, you
> don't need anything related to kerberos.
>

I think I was under the impression that you needed to join the domain in
order to auth via AD. However, I've now seen one HOWTO that says that you
just need the cert from AD to be able to auth securely though I'm not
entirely clear whether that works for Apache. Is that correct - Kerberos,
binding etc is not needed for the oVirt web interface to auth securely?

Thanks,

Cam




Re: [ovirt-users] oVirt AD integration problems

2016-10-12 Thread Ondra Machacek



On 10/11/2016 05:32 PM, cmc wrote:

Hi Ondra,




Not really. aaa-ldap by default uses just simple bind, no gssapi.
If you have any problems with the certificate I would suggest you
check whether you are using the correct one, correctly. More info on it
can be
found here:



https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;h=1f4381e4f0d22acdda63c56a84863fcb0f72bc3a;hb=HEAD#l397





I've run the following tests in that README you posted above, and all
worked fine:

ovirt-engine-extensions-tool aaa login-user --profile=mydomain.com --user-name=myuser
ovirt-engine-extensions-tool aaa search --extension-name=mydomain.com-authz --entity=principal --entity-name=myuser
LDAPTLS_REQCERT=never ldapsearch -ZZ -H ldap://ad.mydomain.com -x -D "CN=myuser,CN=Users,DC=mydomain,DC=com" -W -b "dc=mydomain,dc=com"

I thought I wouldn't need to import any certificate from AD - is that a
requirement?


It's not, but you need to use an insecure connection then (you need to have 
the following line in /etc/ovirt-engine/aaa/domain.properties):


 pool.default.ssl.insecure = true

So double check that, and if it still won't work, the logs from 
ovirt-engine-extensions-tool would help, you can generate them as follows:


 $ ovirt-engine-extensions-tool --log-level=FINEST --log-file=/tmp/aaa.log aaa




Do I need to set up Apache separately to use LDAP auth? The service
principals exist in the krb5.keytab, but I don't know if that is only if you
are using SSO.


Yes, that's only if you use SSO. If you use plain LDAP simple bind, you
don't need anything related to kerberos.



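The three certificate-verification states this exchange turns on (no truststore and no insecure flag, which is what produced 'peer not authenticated'; pool.default.ssl.insecure = true, which skips the check; and the .jks truststore the setup tool creates) can be audited from the profile file. The code below is an added example written for this page, not code from the oVirt project or from anyone in the thread; only pool.default.ssl.insecure appears above, and the other property keys (pool.default.ssl.truststore.file, include, vars.domain, pool.default.serverset.single.server) are taken from the aaa-ldap README and, like the sample profiles and the cert-trusted flag, are assumptions here. It also shows why the engine username comes out as UPN@authz-extension.

```python
# Added example, not oVirt project code: audit how an aaa-ldap profile
# verifies the AD server certificate and predict the bind outcome.
# Assumed keys (from the aaa-ldap README, not shown in the thread):
# pool.default.ssl.truststore.file, include, vars.domain,
# pool.default.serverset.single.server.

INSECURE_KEY = "pool.default.ssl.insecure"          # shown in the thread
TRUSTSTORE_KEY = "pool.default.ssl.truststore.file"  # assumption, see lead-in


def parse_properties(text: str) -> dict:
    """Parse Java-style 'key = value' lines; '#' comments and blanks are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def peer_verification(props: dict) -> str:
    """How the engine checks the LDAP server certificate for this profile."""
    if props.get(INSECURE_KEY, "false").strip().lower() == "true":
        return "disabled"             # certificate never checked (quick fix)
    if props.get(TRUSTSTORE_KEY):
        return "explicit-truststore"  # the .jks created by the setup tool
    return "default-truststore"       # JVM default store; AD's CA usually absent


def predict_bind(props: dict, cert_trusted: bool) -> str:
    """Outcome of the TLS bind, given whether the AD certificate chain is trusted."""
    mode = peer_verification(props)
    if mode == "disabled":
        # Same effect as the LDAPTLS_REQCERT=never ldapsearch test in the
        # thread: it passes even when the engine itself would reject the peer.
        return "ok-unverified"
    if cert_trusted:
        return "ok-verified"
    return "SSLPeerUnverifiedException: peer not authenticated"


def ovirt_login_name(upn: str, authz_name: str) -> str:
    """Engine username = UPN@authz-extension, hence 'user@domain@domain'."""
    return f"{upn}@{authz_name}"


def audit(profile_text: str, cert_trusted: bool) -> tuple:
    props = parse_properties(profile_text)
    return peer_verification(props), predict_bind(props, cert_trusted)


# Constructed sample profiles; mydomain.com is a placeholder as in the thread.
PROFILE_INITIAL = """
include = <ad.properties>
vars.domain = mydomain.com
pool.default.serverset.single.server = ad.mydomain.com
"""
PROFILE_INSECURE = PROFILE_INITIAL + "pool.default.ssl.insecure = true\n"
PROFILE_TRUSTSTORE = PROFILE_INITIAL + (
    "pool.default.ssl.truststore.file = /etc/ovirt-engine/aaa/mydomain.com.jks\n"
)

if __name__ == "__main__":
    for name, text, trusted in (("initial", PROFILE_INITIAL, False),
                                ("insecure", PROFILE_INSECURE, False),
                                ("truststore", PROFILE_TRUSTSTORE, True)):
        print(name, *audit(text, trusted))
    print(ovirt_login_name("cam@mydomain.com", "mydomain.com"))
```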


Re: [ovirt-users] oVirt AD integration problems

2016-10-11 Thread cmc
Hi Ondra,



>
> Not really. aaa-ldap by default uses just simple bind, no gssapi.
> If you have any problems with the certificate I would suggest you check
> whether you are using the correct one, correctly. More info on it can be
> found here:
>
>
> https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;h=1f4381e4f0d22acdda63c56a84863fcb0f72bc3a;hb=HEAD#l397
>
>
>
>

I've run the following tests in that README you posted above, and all
worked fine:

ovirt-engine-extensions-tool aaa login-user --profile=mydomain.com --user-name=myuser
ovirt-engine-extensions-tool aaa search --extension-name=mydomain.com-authz --entity=principal --entity-name=myuser
LDAPTLS_REQCERT=never ldapsearch -ZZ -H ldap://ad.mydomain.com -x -D "CN=myuser,CN=Users,DC=mydomain,DC=com" -W -b "dc=mydomain,dc=com"

I thought I wouldn't need to import any certificate from AD - is that a
requirement?

Do I need to set up Apache separately to use LDAP auth? The service
principals exist in the krb5.keytab, but I don't know if that is only if you are
using SSO.

Thanks,

Cam



Re: [ovirt-users] oVirt AD integration problems

2016-09-29 Thread Ondra Machacek

On 09/28/2016 05:14 PM, cmc wrote:

Hi,

I'm trying to use the directory services provided by the
ovirt-engine-extension-aaa-ldap, and I can get it to successfully login
when I run the tests in the setup script, but when I login via the GUI,
it gives me:

unexpected error was encountered during validation processing:
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated'

and fails login. It looks a bit like it is expecting to already be
joined to the domain, so I tried doing that manually via realmd and
sssd. It involved installing a lot of packages, such as kerberos and
samba, which I am nervous about on an engine host. Anyway, once I was
joined, it still gives me the same 'peer not authenticated' message.
Does it need to be separately bound to the domain, i.e., do you need all
the other stuff installed and running for it to work, or is the
ovirt-engine-extension-aaa-ldap package all that is needed?


Not really. aaa-ldap by default uses just simple bind, no gssapi.
If you have any problems with the certificate I would suggest you check
whether you are using the correct one, correctly. More info on it can be
found here:

https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;h=1f4381e4f0d22acdda63c56a84863fcb0f72bc3a;hb=HEAD#l397



Anyway, I ran the ovirt-engine-extensions-tool --log-level=FINEST
--log-file=/tmp/aaa.log aaa search --extension-name=domain-authz command
suggested in an earlier post, and it only gave me one exception, which was:

2016-09-28 16:08:15 SEVERE  Extension domain-authz could not be found
2016-09-28 16:08:15 FINE    Exception:
org.ovirt.engine.core.extensions.mgr.ConfigurationException: Extension
domain-authz could not be found


Well, you need to replace 'domain-authz', with your real authz-name to
see any reasonable results.



Thanks for any help,

Cam


