Provided the "user role" permissions, still the same issue.

On Wed, Sep 23, 2015 at 12:48 PM, Ondra Machacek <omach...@redhat.com> wrote:

> Hi,
>
> your user nbud...@abc.net doesn't have appropriate permissions to login.
> First you need to login as 'admin@internal' and assign him some
> permissions, then you will be able to login.
>
> Ondra
>
> On 09/23/2015 09:15 AM, Budur Nagaraju wrote:
>
> HI All,
>
> After rectifying this, I am able to search the domain in the users in the UI,
> but unable to login, getting the below error:
>
> 2015-09-23 12:41:47,482 WARN
> [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
> (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for
> user nbud...@abc.net. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
>
> Thanks,
> Nagaraju
>
> On Wed, Sep 23, 2015 at 12:13 PM, Ondra Machacek <omach...@redhat.com> wrote:
>
>> Hi,
>>
>> as Alon already said, you have a trailing space in your configuration:
>>
>> 'my.abc.net ' <-- space at the end
>>
>> Please remove this space and try again.
>>
>> Ondra
>>
>> On 09/23/2015 05:35 AM, Budur Nagaraju wrote:
>>
>> HI Alon,
>>
>> Tried all the options but no luck.
>>
>> I have copied the logs to the pastebin link below. The warning
>> message is that it is unable to resolve the DNS. Let me know if there is
>> any help I could get.
>>
>> http://pastebin.com/7qN9QnHK
>>
>> Thanks,
>> Nagaraju
>>
>> On Tue, Sep 22, 2015 at 8:44 PM, Daniel Helgenberger
>> <daniel.helgenber...@m-box.de> wrote:
>>
>>> Hello Budur,
>>>
>>> I've done this recently. Alon, no offense, but the docs are not quite
>>> straightforward...
>>>
>>> Requirements:
>>> - LDAP server (obviously) - called here ldap.mydomain.com
>>> - LDAP bind account - called here l...@mydomain.com, password 'Passw@rd'
>>> - At least one existing account in ldap, called u...@mydomain.com
>>>
>>> Please note, the most common issue will be DNS.
>>>
>>> I'll describe in short what steps need to be taken. All this needs to be
>>> done on your engine host. In the end this was quite easy :)
>>>
>>> 1. Install the packages: ovirt-engine-extension-aaa-ldap and
>>>    openldap-clients (these are only for testing your setup)
>>> 2. Test if ldap is working in general. (The extension uses the global
>>>    catalog at least for AD, this was news to me):
>>>
>>>    # ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H ldap://ldap.mydomain.com:3268/ -x \
>>>        -D 'l...@mydomain.com' -w Passw@rd -b '' '(userPrincipalName=u...@mydomain.com)' cn userPrincipalName
>>>
>>>    If this command does not return details of the user, do debug your
>>>    ldap and continue once this works. Example:
>>>
>>>    # extended LDIF
>>>    #
>>>    # LDAPv3
>>>    # base <> with scope subtree
>>>    # filter: (userPrincipalName=u...@mydomain.com)
>>>    # requesting: cn userPrincipalName
>>>    # with pagedResults control: size=1024
>>>    #
>>>
>>>    # Some Name, some-ou, mydomain.com
>>>    dn: CN=Some Name,OU=some-ou,DC=mydomain,DC=com
>>>    cn: Some Name
>>>    userPrincipalName: u...@mydomain.com
>>>
>>>    # search result
>>>    search: 2
>>>    result: 0 Success
>>>    control: 1.2.840.113556.1.4.319 false MIQXGSGSGSgEABAA=
>>>    pagedresults: cookie=
>>>
>>>    # numResponses: 2
>>>    # numEntries: 1
>>>
>>> 3. Copy the examples as mentioned from the readme.
>>> 4. You only need to modify
>>>    /etc/ovirt-engine/aaa/int.m-box.de.properties; leave the rest as is.
>>> 5. There, set:
>>>
>>>    vars.domain = ldap.mydomain.com
>>>    vars.user = ldap@${global:vars.domain}
>>>    vars.password = Passw@rd
>>>
>>> 6. Restart the ovirt engine service.
>>> 7. Log in as admin@internal and add user rights and roles from the new
>>>    provider.
>>>
>>> Hope this helps.
>>>
>>> On 22.09.2015 16:46, Budur Nagaraju wrote:
>>> >
>>> > below are the three files which I have modified.
>>> >
>>> > [root@cstlb2 extensions.d]# cat profile1-authn.properties
>>> > ovirt.engine.extension.name = cloudspin-authn
>>> > ovirt.engine.extension.bindings.method = jbossmodule
>>> > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>>> > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
>>> > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
>>> > ovirt.engine.aaa.authn.profile.name = cloudspin
>>> > ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth
>>> > config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
>>> >
>>> > [root@cstlb2 extensions.d]# ls
>>> > profile1-authn.properties  profile1-authz.properties
>>> > [root@cstlb2 extensions.d]# cat profile1-authz.properties
>>> > ovirt.engine.extension.name = cloudspin-authz
>>> > ovirt.engine.extension.bindings.method = jbossmodule
>>> > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>>> > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
>>> > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
>>> > config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
>>> > [root@cstlb2 extensions.d]#
>>> >
>>> > [root@cstlb2 aaa]# pwd
>>> > /etc/ovirt-engine/aaa
>>> > [root@cstlb2 aaa]# ls
>>> > ldap1.properties
>>> > [root@cstlb2 aaa]# cat ldap1.properties
>>> > #
>>> > # Select one
>>> > #
>>> > include = <openldap.properties>
>>> > #include = <389ds.properties>
>>> > #include = <rhds.properties>
>>> > #include = <ipa.properties>
>>> > #include = <iplanet.properties>
>>> > #include = <rfc2307.properties>
>>> > #include = <rfc2307-openldap.properties>
>>> >
>>> > #
>>> > # Server
>>> > #
>>> > vars.server = my.abc.net
>>> >
>>> > #
>>> > # Search user and its password.
>>> > #
>>> > vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=nbudoor,dc=net
>>> > vars.password = company
>>> >
>>> > pool.default.serverset.single.server = ${global:vars.server}
>>> > pool.default.auth.simple.bindDN = ${global:vars.user}
>>> > pool.default.auth.simple.password = ${global:vars.password}
>>> >
>>> > # Create keystore, import certificate chain and uncomment
>>> > # if using ssl/tls.
>>> > #pool.default.ssl.startTLS = true
>>> > #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
>>> > #pool.default.ssl.truststore.password = changeit
>>> > [root@cstlb2 aaa]#
>>> >
>>> > On Tue, Sep 22, 2015 at 8:07 PM, Alon Bar-Lev <alo...@redhat.com> wrote:
>>> >
>>> > ----- Original Message -----
>>> > > From: "Budur Nagaraju" <nbud...@gmail.com>
>>> > > To: "Alon Bar-Lev" <alo...@redhat.com>
>>> > > Cc: users@ovirt.org
>>> > > Sent: Tuesday, September 22, 2015 5:35:16 PM
>>> > > Subject: Re: [ovirt-users] LDAP Authentication
>>> > >
>>> > > it's too complicated, do you have any script or video?
>>> >
>>> > in 3.6 we have a setup script.
>>> > for now:
>>> >
>>> > cp -r /usr/share/ovirt-engine/examples/simple/. /etc/ovirt-engine/
>>> >
>>> > this is written in the README.
>>> >
>>> > then customize files at /etc/ovirt-engine/extensions.d/*
>>> > /etc/ovirt-engine/aaa/* to match your setup
>>> >
>>> > > On Tue, Sep 22, 2015 at 8:00 PM, Alon Bar-Lev <alo...@redhat.com> wrote:
>>> > >
>>> > > > ----- Original Message -----
>>> > > > > From: "Budur Nagaraju" <nbud...@gmail.com>
>>> > > > > To: "Alon Bar-Lev" <alo...@redhat.com>
>>> > > > > Cc: users@ovirt.org
>>> > > > > Sent: Tuesday, September 22, 2015 5:24:36 PM
>>> > > > > Subject: Re: [ovirt-users] LDAP Authentication
>>> > > > >
>>> > > > > HI Alon,
>>> > > > >
>>> > > > > Below is the configuration which I have done, but I am unable to
>>> > > > > search the users in the UI.
>>> > > > > Can you pls help me?
>>> > > >
>>> > > > you need three files, see the
>>> > > > /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple
>>> > > >
>>> > > > > [root@cstlb2 aaa]# cat ldap1.properties
>>> > > > > #
>>> > > > > # Select one
>>> > > > > #
>>> > > > > include = <openldap.properties>
>>> > > > > #include = <389ds.properties>
>>> > > > > #include = <rhds.properties>
>>> > > > > #include = <ipa.properties>
>>> > > > > #include = <iplanet.properties>
>>> > > > > #include = <rfc2307.properties>
>>> > > > > #include = <rfc2307-openldap.properties>
>>> > > > >
>>> > > > > #
>>> > > > > # Server
>>> > > > > #
>>> > > > > vars.server =my.abc.net
>>> > > > >
>>> > > > > #
>>> > > > > # Search user and its password.
>>> > > > > #
>>> > > > > vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=abc,dc=net
>>> > > > > vars.password = company1
>>> > > > >
>>> > > > > pool.default.serverset.single.server = ${global:vars.server}
>>> > > > > pool.default.auth.simple.bindDN = ${global:vars.user}
>>> > > > > pool.default.auth.simple.password = ${global:vars.password}
>>> > > > >
>>> > > > > # Create keystore, import certificate chain and uncomment
>>> > > > > # if using ssl/tls.
>>> > > > > #pool.default.ssl.startTLS = true
>>> > > > > #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
>>> > > > > #pool.default.ssl.truststore.password = changeit
>>> > > > > [root@cstlb2 aaa]#
>>> > > > >
>>> > > > > On Tue, Sep 22, 2015 at 7:25 PM, Alon Bar-Lev <alo...@redhat.com> wrote:
>>> > > > >
>>> > > > > > ----- Original Message -----
>>> > > > > > > From: "Budur Nagaraju" <nbud...@gmail.com>
>>> > > > > > > To: users@ovirt.org
>>> > > > > > > Sent: Tuesday, September 22, 2015 4:34:46 PM
>>> > > > > > > Subject: [ovirt-users] LDAP Authentication
>>> > > > > > >
>>> > > > > > > HI All,
>>> > > > > > >
>>> > > > > > > Can someone help me in configuring LDAP authentication for Ovirt?
>>> > > > > >
>>> > > > > > Please review:
>>> > > > > > http://www.ovirt.org/Features/AAA
>>> > > > > > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0
>>>
>>> --
>>> Daniel Helgenberger
>>> m box bewegtbild GmbH
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
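The two problems the thread diagnoses, a trailing blank after the hostname in ldap1.properties and the resulting "unable to resolve" DNS warning, can be caught before the engine restart in step 6 of Daniel's procedure. The script below is an added example, not code from the thread or from the oVirt project; it assumes the file layout shown in the thread (`pool.default.serverset.single.server = ${global:vars.server}`), and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread or the oVirt project: lint an aaa-ldap
# properties file for the trailing-blank mistake diagnosed above. Key names
# follow the thread's ldap1.properties; the function names are mine.

# aaa_get FILE KEY: raw value of KEY. Like java.util.Properties, blanks after
# '=' are dropped but trailing blanks are KEPT, so a stray space after the
# hostname survives into the LDAP connection attempt.
aaa_get() {
    awk -v k="$2" -F= '
        /^[ \t]*#/ || !/=/ { next }
        { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
        key == k { val = substr($0, index($0, "=") + 1); sub(/^[ \t]+/, "", val); print val; exit }
    ' "$1"
}

# aaa_lint_ws FILE: print every value that ends in whitespace, quoted so the
# blank is visible (cf. "'my.abc.net ' <-- space at the end"); exit 1 if any.
aaa_lint_ws() {
    awk -F= '
        /^[ \t]*#/ || !/=/ { next }
        {
            key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = substr($0, index($0, "=") + 1); sub(/^[ \t]+/, "", val)
            if (val ~ /[ \t]$/) { printf "%s = \"%s\"  <-- trailing whitespace\n", key, val; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# aaa_effective_server FILE: the host the pool will actually contact, with one
# level of ${global:...} indirection expanded the way the extension does.
aaa_effective_server() {
    server=$(aaa_get "$1" pool.default.serverset.single.server)
    case $server in
        '${global:'*'}')
            ref=$(printf '%s\n' "$server" | sed 's/^\${global:\(.*\)}$/\1/')
            server=$(aaa_get "$1" "$ref") ;;
    esac
    printf '%s\n' "$server"
}

# aaa_dns_check FILE: catch the "unable to resolve" warning from the thread
# before restarting the engine (needs a resolver, so not exercised by tests).
aaa_dns_check() {
    server=$(aaa_effective_server "$1")
    getent hosts "$server" >/dev/null 2>&1 && { printf 'DNS ok: "%s"\n' "$server"; return 0; }
    printf 'DNS: cannot resolve "%s" (check for trailing blanks)\n' "$server"; return 1
}
if [ "$#" -ge 1 ]; then aaa_lint_ws "$1"; aaa_dns_check "$1"; fi
```

Run it on the engine host as `sh lint_aaa.sh /etc/ovirt-engine/aaa/ldap1.properties`. It does not cover the later USER_NOT_AUTHORIZED_TO_PERFORM_ACTION error, which is a missing role assignment done as admin@internal, not a file problem.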