Hi, Alon,

I modified ovirt-engine.xml.in and restarted ovirt-engine.
Attached is the modified ovirt-engine.xml.in.
The engine.log output is the following (unfortunately, the result is the same):

-----
2014-09-22 19:48:11,245 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-2) Cant login user "Fumihide" with authentication profile "rxc05271.com" because the authentication failed.
2014-09-22 19:48:11,257 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide cannot login, please verify the username and password.
2014-09-22 19:48:11,265 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide failed to log in.
2014-09-22 19:48:11,266 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-2) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD
-----

As a cause of the OpenLDAP user login failure, I suspect that my OpenLDAP password encryption method setting does not work with oVirt.
Is there any way to verify this?

Thanks,

(2014/09/22 19:15), Alon Bar-Lev wrote:
You need to add the following:

+       <logger category="org.ovirt.engineextensions.aaa.ldap">
+        <level name="FINEST"/>
+       </logger>
         <logger category="org.ovirt.engine.core.bll">
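Review bot: the added `org.ovirt.engineextensions.aaa.ldap` logger has no `<handlers>` of its own and keeps the default `use-parent-handlers`, so its FINEST records are delivered through the handlers attached to `org.ovirt`, and each of those handlers still applies its own `<level>` before writing. In the attached ovirt-engine.xml.in the ENGINE file-handler is at `<level name="INFO"/>` and ovirt-logger at DEBUG, so FINEST records are dropped before they reach engine.log; the hunk needs the companion change `<level name="FINEST"/>` on the ENGINE file-handler that the earlier message in this thread ("the file-handler level should be set to finest") describes.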

Look at the + lines; please add these (without the +) just before: <logger category="org.ovirt.engine.core.bll">

Thanks!

----- Original Message -----
From: "Fumihide Tani" <rxc05...@nifty.com>
To: "Alon Bar-Lev" <alo...@redhat.com>
Cc: users@ovirt.org
Sent: Monday, September 22, 2014 1:10:57 PM
Subject: Re: [ovirt-users] Can not configure with simple LDAP.

(2014/09/22 15:00), Alon Bar-Lev wrote:
----- Original Message -----
From: "Fumihide Tani" <rxc05...@nifty.com>
To: "Alon Bar-Lev" <alo...@redhat.com>
Cc: users@ovirt.org
Sent: Monday, September 22, 2014 4:16:17 AM
Subject: Re: [ovirt-users] Can not configure with simple LDAP.

(2014/09/22 0:16), Alon Bar-Lev wrote:
----- Original Message -----
From: "Fumihide Tani" <rxc05...@nifty.com>
To: "Alon Bar-Lev" <alo...@redhat.com>
Cc: users@ovirt.org
Sent: Sunday, September 21, 2014 6:00:48 PM
Subject: Re: [ovirt-users] Can not configure with simple LDAP.

Hi, Alon,

Following Alon's advice, I added the authz-company.properties file to the configuration directory.
Then OpenLDAP users could be searched from the oVirt Web Admin, and I could add its users to the portal successfully.

But I have another problem.
The OpenLDAP users that I added cannot log in to the oVirt web user portal.

User Name: Fumihide (This is shown on the Web Admin Portal "Users" tab as "First Name")
Password: (I specified it as OpenLDAP's userPassword for "Fumihide")
Domain: rxc05271.com (I selected this instead of "internal")

?
1. What error do you get at ui?
"The user name or password is incorrect."

2. Please look at engine.log while attempting to login, if you see
something helpful.
2014-09-22 09:53:27,669 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-2) Cant login user "Fumihide" with authentication profile "rxc05271.com" because the authentication failed.
2014-09-22 09:53:27,685 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide cannot login, please verify the username and password.
2014-09-22 09:53:27,693 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide failed to log in.
2014-09-22 09:53:27,693 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-2) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD

3. Please make sure that the following is a success:
$ ldapsearch -h <HOST> -x -W -D <LOGIN_USER_DN> -b <BASE_DN> uid=<LOGIN_NAME>
[root@ovirt ~]# ldapsearch -H ldapi:/// -x -W -D "uid=tani,ou=Users,dc=rxc05271,dc=com" -b 'dc=rxc05271,dc=com' -x '(uid=tani)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=rxc05271,dc=com> with scope subtree
# filter: (uid=tani)
# requesting: ALL
#

# tani, Users, rxc05271.com
dn: uid=tani,ou=Users,dc=rxc05271,dc=com
objectClass: inetOrgPerson
objectClass: uidObject
uid: tani
cn: Fumihide Tani
givenName: Fumihide
mail: t...@rxc05271.com
sn: Tani
userPassword:: a3VtaXRhbg==

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@ovirt ~]#

4. If working, please modify /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in
---
          <file-handler name="ENGINE" autoflush="true">
-        <level name="INFO"/>
-        <level name="FINEST"/>
<snip>
+       <logger category="org.ovirt.engineextensions.aaa.ldap">
+        <level name="FINEST"/>
+       </logger>
           <logger category="org.ovirt.engine.core.bll">
---
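Review bot: in the first hunk both `<level name="INFO"/>` and `<level name="FINEST"/>` under the ENGINE file-handler carry a `-` marker, so read literally the patch removes the handler's level instead of changing it; the FINEST line should be a `+` so that INFO is replaced by FINEST, which is what the follow-up correction in this thread ("the file-handler level should be set to finest") says. Without that, the FINEST records from the new `org.ovirt.engineextensions.aaa.ldap` logger in the second hunk are filtered out by the handler and engine.log stays unchanged.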
Restart engine, attempt login, send me the output.
2014-09-22 10:03:57,517 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-7) Cant login user "Fumihide" with authentication profile "rxc05271.com" because the authentication failed.
2014-09-22 10:03:57,534 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-7) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide cannot login, please verify the username and password.
2014-09-22 10:03:57,545 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-7) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide failed to log in.
2014-09-22 10:03:57,545 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-7) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD

(Was the logger level not changed to FINEST? The output is the same as above.)

I had a mistake above... the file-handler level should be set to finest.

<file-handler name="ENGINE" autoflush="true">
      <level name="FINEST"/>

Can you confirm? Or, better, send me the engine.xml.in file and I can see what's wrong.

thanks!
I set the file-handler's level name to "FINEST", but the output is the same as before.
I attached the ovirt-engine.xml.in.

Regards,


Thanks,
Fumihide Tani


Please advise me; I would be very thankful.

Fumihide Tani


(2014/09/21 17:13), Alon Bar-Lev wrote:
----- Original Message -----
From: "Fumihide Tani" <rxc05...@nifty.com>
To: "Alon Bar-Lev" <alo...@redhat.com>
Cc: users@ovirt.org
Sent: Sunday, September 21, 2014 11:11:11 AM
Subject: Re: [ovirt-users] Can not configure with simple LDAP.

Hi, Alon

Many thanks for your help.
My problem was solved and the AAA is working now.
I could add LDAP user. :)
Great.
Can you please send me a patch or modified README to make it better?

Alon

Fumihide Tani

(2014/09/21 16:19), Alon Bar-Lev wrote:
----- Original Message -----
From: "Alon Bar-Lev" <alo...@redhat.com>
To: "Fumihide Tani" <rxc05...@nifty.com>
Cc: users@ovirt.org
Sent: Sunday, September 21, 2014 10:19:11 AM
Subject: Re: [ovirt-users] Can not configure with simple LDAP.

Hi,

You need to create the authz extension as well (authz-company).
The configuration you provided establishes authentication only (authn), which refers to authz-company, but you did not add it.

The terms are:
1. authn - who the user is.
2. authz - what user is permitted.
3. profile - combination of the two.

-----------------------------
# vi /etc/ovirt-engine/extensions.d/authz-company.properties
ovirt.engine.extension.name = authz-company
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
Sorry:
org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
--------------------------------------------------

Regards,
Alon




<?xml version="1.0" ?>

<server xmlns="urn:jboss:domain:1.1">

  <extensions>
    <extension module="org.jboss.as.clustering.infinispan"/>
    <extension module="org.jboss.as.connector"/>
    <extension module="org.jboss.as.deployment-scanner"/>
    <extension module="org.jboss.as.ee"/>
    <extension module="org.jboss.as.ejb3"/>
    <extension module="org.jboss.as.jaxrs"/>
    <extension module="org.jboss.as.jmx"/>
    <extension module="org.jboss.as.jpa"/>
    <extension module="org.jboss.as.logging"/>
    <extension module="org.jboss.as.naming"/>
    <extension module="org.jboss.as.remoting"/>
    <extension module="org.jboss.as.security"/>
    <extension module="org.jboss.as.threads"/>
    <extension module="org.jboss.as.transactions"/>
    <extension module="org.jboss.as.web"/>
    <extension module="org.jboss.as.weld"/>
  </extensions>

  <system-properties>
    <!-- Don't let quartz call home to check for updates: -->
    <property name="org.quartz.scheduler.skipUpdateCheck" value="true"/>

    <!-- Configure quartz thread pool: -->
    <property name="org.quartz.threadPool.class" value="org.quartz.simpl.SimpleThreadPool"/>
    <property name="org.quartz.threadPool.threadCount" value="100"/>
    <property name="org.quartz.jobStore.misfireThreshold" value="60000"/>
    <property name="org.quartz.jobStore.class" value="org.quartz.simpl.RAMJobStore"/>

    <!-- Enable compression for html content and REST api -->
    <property name="org.apache.coyote.http11.Http11Protocol.COMPRESSION" value="on"/>
    <property name="org.apache.coyote.http11.Http11Protocol.COMPRESSION_MIME_TYPES" value="text/javascript,text/css,text/html,text/xml,text/json,application/x-yaml,application/xml,application/json"/>

  </system-properties>

  <!-- We need to enable the management subsystem because it is an
       indirect dependency of the Infinispan subsystem (since version
       7.2 of the application server) but at the same time we don't
       want anyone (other than the root and ovirt users) to be able
       to connect to the management port, so we just use an empty
       users file: -->
  <management>
    <security-realms>
      <security-realm name="management">
        <authentication>
          <properties path="/dev/null"/>
        </authentication>
      </security-realm>
    </security-realms>
    <management-interfaces>
      <native-interface security-realm="management">
        <socket-binding native="management"/>
      </native-interface>
    </management-interfaces>
  </management>

  <profile>

    <subsystem xmlns="urn:jboss:domain:logging:1.1">

      <custom-handler name="ovirt-logger" class="org.ovirt.engine.core.logger.LoggerHandler" module="org.ovirt.engine.core.logger">
        <level name="DEBUG"/>
      </custom-handler>

      <!-- All the application server messages go here: -->
      <file-handler name="SERVER">
        <level name="INFO"/>
        <formatter>
          <pattern-formatter pattern="%d %-5p [%c] (%t) %s%E%n"/>
        </formatter>
        <file path="$getstring('ENGINE_LOG')/server.log"/>
        <append value="true"/>
      </file-handler>

      <!-- Only the engine messages go here: -->
      <file-handler name="ENGINE" autoflush="true">
        <level name="INFO"/>
        <formatter>
          <pattern-formatter pattern="%d %-5p [%c] (%t) %s%E%n"/>
        </formatter>
        <file path="$getstring('ENGINE_LOG')/engine.log"/>
        <append value="true"/>
      </file-handler>

      <!-- Console -->
      <console-handler name="CONSOLE" autoflush="true">
        <level name="INFO"/>
        <formatter>
          <pattern-formatter pattern="%d %-5p [%c] (%t) %s%E%n"/>
        </formatter>
      </console-handler>

      <!-- Loggers for the application server: -->
      <logger category="com.arjuna">
        <level name="WARN"/>
      </logger>
      <logger category="org.apache.tomcat.util">
        <level name="WARN"/>
      </logger>
      <logger category="sun.rmi">
        <level name="WARN"/>
      </logger>

      <!-- Loggers for the engine: -->
      <logger category="org.ovirt" use-parent-handlers="false">
        <level name="INFO"/>
        <handlers>
          <handler name="ENGINE"/>
          <handler name="ovirt-logger"/>
          #if $getboolean('ENGINE_LOG_TO_CONSOLE')
              <handler name="CONSOLE"/>
          #end if
        </handlers>
      </logger>
      <logger category="org.ovirt.engineextensions.aaa.ldap">
        <level name="FINEST"/>
      </logger>
      <logger category="org.ovirt.engine.core.bll">
        <level name="INFO"/>
      </logger>
      <logger category="org.ovirt.engine.core.dal.dbbroker.PostgresDbEngineDialect\$PostgresJdbcTemplate">
        <level name="WARN"/>
      </logger>
      <logger category="org.springframework.ldap">
        <level name="ERROR"/>
      </logger>

      <root-logger>
        <level name="INFO"/>
        <handlers>
          <handler name="ovirt-logger"/>
          <handler name="SERVER"/>
        </handlers>
      </root-logger>

    </subsystem>

    <subsystem xmlns="urn:jboss:domain:datasources:1.0">

      <datasources>

        <datasource jndi-name="java:/ENGINEDataSource" pool-name="ENGINEDataSource" enabled="true" use-ccm="false">
          <connection-url><![CDATA[$getstring('ENGINE_DB_URL')]]></connection-url>
          <driver>postgresql</driver>
          <transaction-isolation>TRANSACTION_READ_COMMITTED</transaction-isolation>
          <pool>
            <min-pool-size>$getinteger('ENGINE_DB_MIN_CONNECTIONS')</min-pool-size>
            <max-pool-size>$getinteger('ENGINE_DB_MAX_CONNECTIONS')</max-pool-size>
            <prefill>true</prefill>
          </pool>
          <security>
            <user-name><![CDATA[$getstring('ENGINE_DB_USER')]]></user-name>
            <password><![CDATA[$getstring('ENGINE_DB_PASSWORD')]]></password>
          </security>
          <statement>
            <prepared-statement-cache-size>100</prepared-statement-cache-size>
            <share-prepared-statements/>
          </statement>
          <validation>
            <validate-on-match>true</validate-on-match>
            <check-valid-connection-sql>select 1</check-valid-connection-sql>
          </validation>
        </datasource>

        <drivers>
          <driver name="postgresql" module="org.postgresql">
            <xa-datasource-class>org.postgresql.xa.PGXADataSource</xa-datasource-class>
          </driver>
        </drivers>

      </datasources>

    </subsystem>

    <subsystem xmlns="urn:jboss:domain:deployment-scanner:1.1">
      <deployment-scanner scan-interval="5000" path="$jboss_runtime/deployments" deployment-timeout="1200"/>
    </subsystem>

    <subsystem xmlns="urn:jboss:domain:ee:1.0"/>

    <subsystem xmlns="urn:jboss:domain:ejb3:1.2">
      <session-bean>
        <stateless>
          <bean-instance-pool-ref pool-name="slsb-strict-max-pool"/>
        </stateless>
        <stateful default-access-timeout="300000" cache-ref="simple"/>
        <singleton default-access-timeout="300000"/>
      </session-bean>
      <mdb>
        <resource-adapter-ref resource-adapter-name="hornetq-ra"/>
        <bean-instance-pool-ref pool-name="mdb-strict-max-pool"/>
      </mdb>
      <pools>
        <bean-instance-pools>
          <strict-max-pool name="slsb-strict-max-pool" max-pool-size="20" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>
          <strict-max-pool name="mdb-strict-max-pool" max-pool-size="20" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>
        </bean-instance-pools>
      </pools>
      <caches>
        <cache name="simple" aliases="NoPassivationCache"/>
      </caches>
      <async thread-pool-name="default"/>
      <timer-service thread-pool-name="default">
        <data-store path="$getstring('ENGINE_VAR')/timer-service-data"/>
      </timer-service>
      <remote connector-ref="remoting-connector" thread-pool-name="default"/>
      <thread-pools>
        <thread-pool name="default">
          <max-threads count="10"/>
          <keepalive-time time="100" unit="milliseconds"/>
        </thread-pool>
      </thread-pools>
    </subsystem>

    <subsystem xmlns="urn:jboss:domain:infinispan:1.1" default-cache-container="ovirt-engine">
        <cache-container name="ovirt-engine" default-cache="timeout-base" jndi-name="java:jboss/infinispan/ovirt-engine" start="EAGER">
         <local-cache name="timeout-base">
           <transaction mode="NONE"/>
           <eviction max-entries="10000"/>
           <expiration interval="60000"/>
         </local-cache>
        </cache-container>
    </subsystem>

    <subsystem xmlns="urn:jboss:domain:jaxrs:1.0"/>

    <subsystem xmlns="urn:jboss:domain:jca:1.1">
      <archive-validation enabled="false" fail-on-error="false" fail-on-warn="false"/>
      <bean-validation enabled="true"/>
      <default-workmanager>
        <short-running-threads>
          <core-threads count="50"/>
          <queue-length count="50"/>
          <max-threads count="50"/>
          <keepalive-time time="10" unit="seconds"/>
        </short-running-threads>
        <long-running-threads>
          <core-threads count="50"/>
          <queue-length count="50"/>
          <max-threads count="50"/>
          <keepalive-time time="10" unit="seconds"/>
        </long-running-threads>
      </default-workmanager>
    </subsystem>

    <subsystem xmlns="urn:jboss:domain:jmx:1.1">
      <show-model value="true"/>
      <remoting-connector/>
    </subsystem>

    <subsystem xmlns="urn:jboss:domain:jpa:1.0">
      <jpa default-datasource=""/>
    </subsystem>

    <subsystem xmlns="urn:jboss:domain:naming:1.1"/>

    <subsystem xmlns="urn:jboss:domain:remoting:1.1">
      <connector name="remoting-connector" socket-binding="remoting"/>
    </subsystem>

    <subsystem xmlns="urn:jboss:domain:resource-adapters:1.0"/>

    <subsystem xmlns="urn:jboss:domain:security:1.1">
      <security-domains>
        <security-domain name="other" cache-type="default">
          <authentication>
            <login-module code="Remoting" flag="optional">
              <module-option name="password-stacking" value="useFirstPass"/>
            </login-module>
          </authentication>
        </security-domain>
        <security-domain name="jboss-web-policy" cache-type="default">
          <authorization>
            <policy-module code="Delegating" flag="required"/>
          </authorization>
        </security-domain>
        <security-domain name="jboss-ejb-policy" cache-type="default">
          <authorization>
            <policy-module code="Delegating" flag="required"/>
          </authorization>
        </security-domain>

        <security-domain name="oVirtKerb">
          <authentication>
            <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required"/>
          </authentication>
        </security-domain>

        <security-domain name="oVirtKerbDebug">
          <authentication>
            <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
              <module-option name="debug" value="true"/>
            </login-module>
          </authentication>
        </security-domain>

      </security-domains>
    </subsystem>

    <subsystem xmlns="urn:jboss:domain:transactions:1.1">
      <core-environment>
        <process-id>
          <uuid/>
        </process-id>
      </core-environment>
      <recovery-environment socket-binding="txn-recovery-environment" status-socket-binding="txn-status-manager"/>
      <coordinator-environment default-timeout="600"/>
    </subsystem>

    <subsystem xmlns="urn:jboss:domain:threads:1.1"/>

    <subsystem xmlns="urn:jboss:domain:web:1.1" native="false" default-virtual-server="default-host">
      #if $getboolean('ENGINE_HTTP_ENABLED')
        <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" redirect-port="$getinteger('ENGINE_HTTPS_PORT')"/>
      #end if
      #if $getboolean('ENGINE_HTTPS_ENABLED')
        <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
          <ssl name="ssl" password="mypass" certificate-key-file="$getstring('ENGINE_PKI')/keys/jboss.p12" keystore-type="PKCS12" key-alias="1" protocol="$getstring('ENGINE_HTTPS_PROTOCOLS')" verify-client="false"/>
        </connector>
      #end if
      #if $getboolean('ENGINE_AJP_ENABLED')
        <connector name="ajp" protocol="AJP/1.3" scheme="http" socket-binding="ajp" redirect-port="$getinteger('ENGINE_PROXY_HTTPS_PORT')"/>
      #end if
      <virtual-server name="default-host" enable-welcome-root="false">
        <alias name="localhost"/>
        <rewrite pattern="^/RHEVManager(.*)$" substitution="/OvirtEngine$1" flags="last"/>
      </virtual-server>
    </subsystem>

    <subsystem xmlns="urn:jboss:domain:weld:1.0"/>
  </profile>

  <interfaces>
    <interface name="loopback">
      <loopback/>
    </interface>
    <interface name="public">
      <any-address/>
    </interface>
  </interfaces>

  <socket-binding-group name="standard-sockets" default-interface="loopback">
    #if $getboolean('ENGINE_HTTP_ENABLED')
      <socket-binding name="http" port="$getinteger('ENGINE_HTTP_PORT')" interface="public"/>
    #end if
    #if $getboolean('ENGINE_HTTPS_ENABLED')
      <socket-binding name="https" port="$getinteger('ENGINE_HTTPS_PORT')" interface="public"/>
    #end if
    #if $getboolean('ENGINE_AJP_ENABLED')
      <socket-binding name="ajp" port="$getinteger('ENGINE_AJP_PORT')"/>
    #end if
    <socket-binding name="remoting" port="8703"/>
    <socket-binding name="txn-recovery-environment" port="8704"/>
    <socket-binding name="txn-status-manager" port="8705"/>
    <socket-binding name="management" port="8706"/>
  </socket-binding-group>

</server>
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
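The question raised at the top of the thread, whether the OpenLDAP password storage scheme is what stops the portal login, can be checked offline from the same ldapsearch output that step 3 of Alon's checklist produces. The Python script below is an added example, not from this thread and not oVirt code: it parses ldapsearch LDIF, reports the scheme each userPassword is stored in ({SSHA}, {SHA}, or cleartext when there is no {SCHEME} prefix) and tests whether a candidate password matches the stored value. The LDIF, the DN uid=alice,ou=Users,dc=example,dc=test and the test password are all constructed here. One fact to keep in mind when reading it: on a simple bind, slapd compares the supplied password against the stored userPassword itself, so the storage scheme is never visible to the oVirt side; what has to hold is that the value stored for the account matches what is typed into the portal, which is exactly what the live `ldapsearch -x -W -D <LOGIN_USER_DN>` test in the thread also proves.

```python
import base64
import hashlib
import hmac
import os
import re

# Everything below is constructed: the entry, DN and password are made up and
# are not the values quoted in the mailing-list thread.
TEST_PASSWORD = "correct horse battery"


def make_ssha(password, salt=None):
    """Build an OpenLDAP {SSHA} value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def build_sample_ldif(stored):
    """ldapsearch-style LDIF for one constructed entry; userPassword is
    emitted base64-encoded with the '::' separator, as ldapsearch does."""
    b64 = base64.b64encode(stored.encode("utf-8")).decode("ascii")
    return ("# extended LDIF\n#\n# LDAPv3\n# base <dc=example,dc=test> with scope subtree\n"
            "# filter: (uid=alice)\n# requesting: ALL\n#\n\n# alice, Users, example.test\n"
            "dn: uid=alice,ou=Users,dc=example,dc=test\nobjectClass: inetOrgPerson\n"
            "objectClass: uidObject\nuid: alice\ncn: Alice Example\ngivenName: Alice\n"
            f"sn: Example\nuserPassword:: {b64}\n\n# search result\nsearch: 2\n"
            "result: 0 Success\n\n# numResponses: 2\n# numEntries: 1\n")


SAMPLE_LDIF = build_sample_ldif(make_ssha(TEST_PASSWORD, salt=b"constsalt"))
ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Parse ldapsearch output into a list of {attr: [values]} dicts:
    continuation lines are unfolded, '#' comments skipped, '::' values
    base64-decoded and the trailing search-result block (no dn) ignored."""
    entries, current = [], None
    for line in re.sub(r"\n ", "", text).splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("dn:"):
            current = {}
        if current is None:
            continue  # "search:" / "result:" lines after the last entry
        m = ATTR_RE.match(line)
        if m:
            attr, sep, value = m.groups()
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8", "replace")
            current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def password_scheme(stored):
    """Return the {SCHEME} tag of a userPassword value, or CLEARTEXT."""
    m = re.match(r"^\{([A-Za-z0-9-]+)\}", stored)
    return m.group(1).upper() if m else "CLEARTEXT"


def verify_password(stored, candidate):
    """Check a candidate password against a stored userPassword value.
    Handles cleartext, {SHA} and {SSHA}; other schemes raise ValueError."""
    scheme = password_scheme(stored)
    cand = candidate.encode("utf-8")
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(stored.encode("utf-8"), cand)
    raw = base64.b64decode(stored[len(scheme) + 2:])
    if scheme == "SHA":
        return hmac.compare_digest(raw, hashlib.sha1(cand).digest())
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]  # sha1 is 20 bytes, salt follows
        return hmac.compare_digest(digest, hashlib.sha1(cand + salt).digest())
    raise ValueError(f"unsupported userPassword scheme {scheme}")


def audit(ldif_text, candidate):
    """For each entry with a userPassword: (dn, scheme, candidate matches)."""
    report = []
    for entry in parse_ldif(ldif_text):
        for stored in entry.get("userPassword", []):
            report.append((entry["dn"][0], password_scheme(stored),
                           verify_password(stored, candidate)))
    return report


if __name__ == "__main__":
    for dn, scheme, ok in audit(SAMPLE_LDIF, TEST_PASSWORD):
        print(f"{dn}: scheme={scheme} candidate_matches={ok}")
```

To use it on real output, save the result of the ldapsearch command from step 3 to a file and call `audit(open(path).read(), password)`. A value reported as CLEARTEXT means the directory keeps the password unhashed and returns it to any bind identity allowed to read the attribute; storing it as {SSHA} and restricting userPassword in slapd's access rules to the entry itself and the directory manager is the safer setup, and neither change affects the simple bind oVirt performs.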
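The attached template above has the new aaa.ldap logger at FINEST but the ENGINE file-handler still at INFO and the ovirt-logger custom handler at DEBUG. In JBoss logging a record must pass the logger's level and then each handler's own level, and a logger without `<handlers>` and with the default `use-parent-handlers` sends its records to its ancestors' handlers; a FINEST record from org.ovirt.engineextensions.aaa.ldap therefore reaches the org.ovirt handlers and is discarded by both, which is why the engine.log output does not change. The script below is an added example, not part of the thread or of oVirt: it models that rule over a reduced copy of the attached logging subsystem (formatters, file paths, the SERVER handler and the Cheetah `#if` lines are left out because they do not affect level filtering) and reports, per logger, which handlers would actually write at the logger's effective level. The level values are the java.util.logging / JBoss LogManager ordering.

```python
import xml.etree.ElementTree as ET

# Reduced copy of the logging subsystem from the attached ovirt-engine.xml.in.
LOGGING_XML = """\
<subsystem xmlns="urn:jboss:domain:logging:1.1">
  <custom-handler name="ovirt-logger" class="org.ovirt.engine.core.logger.LoggerHandler" module="org.ovirt.engine.core.logger">
    <level name="DEBUG"/>
  </custom-handler>
  <file-handler name="ENGINE" autoflush="true">
    <level name="INFO"/>
  </file-handler>
  <logger category="org.ovirt" use-parent-handlers="false">
    <level name="INFO"/>
    <handlers>
      <handler name="ENGINE"/>
      <handler name="ovirt-logger"/>
    </handlers>
  </logger>
  <logger category="org.ovirt.engineextensions.aaa.ldap">
    <level name="FINEST"/>
  </logger>
  <logger category="org.ovirt.engine.core.bll">
    <level name="INFO"/>
  </logger>
  <root-logger>
    <level name="INFO"/>
    <handlers>
      <handler name="ovirt-logger"/>
    </handlers>
  </root-logger>
</subsystem>
"""

NS = "{urn:jboss:domain:logging:1.1}"

# java.util.logging / JBoss LogManager level values: a record passes a logger
# or handler level when its own value is >= the configured one.
LEVELS = {"ALL": 0, "FINEST": 300, "FINER": 400, "TRACE": 400, "FINE": 500,
          "DEBUG": 500, "CONFIG": 700, "INFO": 800, "WARN": 900, "WARNING": 900,
          "ERROR": 1000, "SEVERE": 1000, "FATAL": 1100, "OFF": 10 ** 9}


def load_config(xml_text):
    """(handlers, loggers): handler name -> level; category -> {level,
    handlers, use_parent}. The root logger is stored under category ""."""
    handlers, loggers = {}, {}
    for el in ET.fromstring(xml_text):
        tag = el.tag.split("}")[-1]
        lvl = el.find(NS + "level")
        level = lvl.get("name").upper() if lvl is not None else None
        names = [h.get("name") for h in el.iter(NS + "handler")]
        if tag.endswith("-handler"):
            handlers[el.get("name")] = level or "ALL"
        elif tag == "logger":
            loggers[el.get("category")] = {
                "level": level, "handlers": names,
                "use_parent": el.get("use-parent-handlers", "true") == "true"}
        elif tag == "root-logger":
            loggers[""] = {"level": level or "INFO", "handlers": names, "use_parent": False}
    return handlers, loggers


def lineage(category):
    """Yield the category, each ancestor package, and finally "" (root)."""
    parts = category.split(".") if category else []
    while parts:
        yield ".".join(parts)
        parts.pop()
    yield ""


def effective_level(loggers, category):
    """Nearest configured level walking up the category hierarchy."""
    for cat in lineage(category):
        cfg = loggers.get(cat)
        if cfg and cfg["level"]:
            return cfg["level"]
    return "INFO"


def effective_handlers(loggers, category):
    """Handlers a record from this category reaches: the logger's own plus its
    ancestors' until one has use-parent-handlers="false" (or the root)."""
    names = []
    for cat in lineage(category):
        cfg = loggers.get(cat)
        if cfg is None:
            continue
        names.extend(cfg["handlers"])
        if not cfg["use_parent"]:
            break
    return names


def audit(xml_text):
    """category -> (effective level, handlers that would write a record at
    that level). An empty list means handler levels silently drop it."""
    handlers, loggers = load_config(xml_text)
    report = {}
    for cat in loggers:
        if cat == "":
            continue
        level = effective_level(loggers, cat)
        writing = [h for h in effective_handlers(loggers, cat)
                   if LEVELS[level] >= LEVELS[handlers.get(h, "ALL")]]
        report[cat] = (level, writing)
    return report


def set_handler_level(xml_text, handler_name, level):
    """Return the config text with one handler's <level> changed."""
    root = ET.fromstring(xml_text)
    for el in root:
        if el.tag.endswith("-handler") and el.get("name") == handler_name:
            el.find(NS + "level").set("name", level)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for cat, (level, writing) in audit(LOGGING_XML).items():
        print(f"{cat}: {level} -> {writing or 'DROPPED BY HANDLER LEVELS'}")
```

Running `audit` on the reduced config reports `org.ovirt.engineextensions.aaa.ldap: FINEST -> DROPPED BY HANDLER LEVELS`; after `set_handler_level(LOGGING_XML, "ENGINE", "FINEST")` the same logger writes through ENGINE, which is the effect the "file-handler level should be set to finest" correction in the thread is after. The same loader works on the full ovirt-engine.xml.in if the logging `<subsystem>` element is extracted first, since the Cheetah directives sit in text nodes and do not break the XML.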
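The first problem in this thread was an authn extension whose authz-company counterpart did not exist in extensions.d, and the second was the class/provides mismatch that Alon corrected with "Sorry:" (an AuthnExtension class declared as providing Authz). The following added example, not from the thread and not oVirt code, is a small checker for a set of extensions.d properties files that catches both: each AuthnExtension/AuthzExtension class must declare the matching provides interface, and every authn extension's authz reference must name an extension that exists and provides Authz. The authz file content is the corrected one from the thread; the authn-company file and the key ovirt.engine.aaa.authn.authz.plugin that links authn to authz are assumptions made here, since the thread only shows the authz file.

```python
AUTHN = "org.ovirt.engine.api.extensions.aaa.Authn"
AUTHZ = "org.ovirt.engine.api.extensions.aaa.Authz"
# Assumed name of the authn property that names the authz extension.
AUTHZ_REF_KEY = "ovirt.engine.aaa.authn.authz.plugin"

# Assumed authn file (the thread does not show it); profile name and config
# path follow the authz file from the thread.
AUTHN_COMPANY = """\
ovirt.engine.extension.name = authn-company
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = rxc05271.com
ovirt.engine.aaa.authn.authz.plugin = authz-company
config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
"""

# The corrected authz file as given in the thread.
AUTHZ_COMPANY = """\
ovirt.engine.extension.name = authz-company
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
"""

# The version posted first, before the "Sorry:" correction.
AUTHZ_WRONG_CLASS = AUTHZ_COMPANY.replace("AuthzExtension", "AuthnExtension")

# Which interface each known extension class implements.
EXPECTED_PROVIDES = {
    "org.ovirt.engineextensions.aaa.ldap.AuthnExtension": AUTHN,
    "org.ovirt.engineextensions.aaa.ldap.AuthzExtension": AUTHZ,
}


def parse_properties(text):
    """Minimal 'key = value' parser; blank lines and '#' comments skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_extensions(files):
    """files: {filename: properties text}. Returns a list of problem strings;
    an empty list means every class provides the interface it implements and
    every authn extension points at an existing Authz extension."""
    exts = {fname: parse_properties(text) for fname, text in files.items()}
    by_name = {p.get("ovirt.engine.extension.name"): p for p in exts.values()}
    problems = []
    for fname, p in exts.items():
        cls = p.get("ovirt.engine.extension.binding.jbossmodule.class")
        provides = p.get("ovirt.engine.extension.provides")
        want = EXPECTED_PROVIDES.get(cls)
        if want and provides != want:
            problems.append(f"{fname}: class {cls} provides {want}, "
                            f"but the file declares {provides}")
        if provides == AUTHN:
            ref = p.get(AUTHZ_REF_KEY)
            target = by_name.get(ref)
            if target is None:
                problems.append(f"{fname}: references authz extension '{ref}' "
                                f"but no file in extensions.d defines it")
            elif target.get("ovirt.engine.extension.provides") != AUTHZ:
                problems.append(f"{fname}: '{ref}' exists but does not provide {AUTHZ}")
    return problems


if __name__ == "__main__":
    for label, files in [
        ("authn only", {"authn-company.properties": AUTHN_COMPANY}),
        ("wrong class", {"authn-company.properties": AUTHN_COMPANY,
                         "authz-company.properties": AUTHZ_WRONG_CLASS}),
        ("fixed", {"authn-company.properties": AUTHN_COMPANY,
                   "authz-company.properties": AUTHZ_COMPANY}),
    ]:
        print(label, "->", check_extensions(files) or "OK")
```

On a real host the `files` dict can be built from `/etc/ovirt-engine/extensions.d/*.properties`; the "authn only" case reproduces the first symptom from the thread (users cannot even be searched because the authz side is missing), and the "wrong class" case reproduces the mistake corrected with "Sorry:", which a restart alone would not surface until the engine tried to use the extension.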
