Hi Ondra,

I assigned permissions to an LDAP group and it just needed me to remove that group and re-add it for it to authorize again.

Yes, the UPN is user@domain in our case. Not a big deal, but is there a plan to change the display name? I get confused looks and questions when people log in.

All working now, many thanks once again for all your help!

Cheers,

Cam

On Mon, Oct 17, 2016 at 10:06 AM, Ondra Machacek <[email protected]> wrote:
> Hi Cam,
>
> This is OK, because we use the user principal name (UPN) [1] for the
> 'username' field of oVirt. So the resulting username will consist of
> UPN@authz-extension: if your user's UPN is 'user@domain' and you
> name your authz extension 'domain', then the resulting username
> will be 'user@domain@domain'.
>
> The problem that you can't get authorized is that you didn't assign
> any permissions to your user.
>
> [1] https://msdn.microsoft.com/en-us/library/ms680857(v=vs.85).aspx
>
> On 10/14/2016 04:30 PM, cmc wrote:
>> Hi Ondra,
>>
>> It manages to authenticate, but appends the domain again once I'm logged
>> in. For instance, if I log in as user 'cam', it will log me in
>> and display the login name in the top right corner as
>> '[email protected]@domain.com' (this shows up in the log as well: it shows me
>> logging in as [email protected], but then returns an error as user
>> [email protected]@domain.com is not authorized). My thought was
>> that something done earlier when I was playing around with sssd,
>> kerberos and AD is doing this, though I have removed these packages
>> and run authconfig to remove sssd. Any ideas?
>>
>> Cheers,
>>
>> Cam
>>
>> On Thu, Oct 13, 2016 at 2:04 PM, cmc <[email protected]> wrote:
>>
>>     Hi Ondra,
>>
>>     That is good to know that we don't need Kerberos - it complicates
>>     things a lot.
>>
>>     I think the errors might be the options I'd selected during the
>>     setup. I was thrown a bit that it passed all the internal tests
>>     provided by the setup script, but failed on the web GUI. When
>>     I've seen 'unspecified GSS failure' and 'peer not authenticated'
>>     it's usually been due to Kerberos (though admittedly these are
>>     just generic errors). So I tried the Redhat guide for SSO at:
>>
>>     https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/Configuring_LDAP_and_Kerberos_for_Single_Sign-on.html
>>
>>     which uses Kerberos (in ovirt-sso.conf). I had to remove the symlink
>>     to the Apache config it says to create, as it results in internal
>>     server errors in Apache. It uses an SPN for Apache in the keytab.
>>
>>     Now that you've confirmed that it can actually work without any need
>>     for the Kerberos stuff, I will start afresh from a clean setup and
>>     apply what I've learnt during this process.
>>
>>     I'll try it out and let you know either way.
>>
>>     Many thanks for all the help!
>>
>>     Kind regards,
>>
>>     Cam
>>
>>         Yes, you really do not need anything kerberos related to
>>         securely bind to AD via LDAP simple bind over TLS/SSL. This is
>>         really strange to me, what errors you are getting, but you
>>         probably configured apache (or something else?) to require a
>>         keytab. You don't have to, and you can remove that
>>         configuration.
>>
>>             Thanks,
>>
>>             Cam
_______________________________________________ Users mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/users
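The naming rule Ondra describes above (oVirt username = UPN, then '@', then the name of the authz extension) is easy to get wrong when the extension is named after the UPN suffix, which is exactly what produced the '[email protected]@domain.com' display in this thread. The following is an added illustration, not code from the thread or from the oVirt project: it composes a login name under that rule, splits it back apart, and flags the suffix collision before an extension name is chosen. The sample UPN and extension names are constructed, and the choice to split on the last '@' is an assumption of this example, not something the thread states about oVirt's own parser.

```python
"""Compose and check oVirt-style login names built from an AD UPN.

Added example (not oVirt code). Rule taken from the thread: the oVirt
username is '<UPN>@<authz extension name>'. Everything else here, in
particular splitting on the last '@', is this example's own assumption.
"""
from typing import List, Tuple


def ovirt_login_name(upn: str, authz_name: str) -> str:
    """Compose '<UPN>@<authz extension name>' as described in the thread."""
    if "@" not in upn:
        raise ValueError(f"not a UPN (no '@'): {upn!r}")
    if not authz_name or "@" in authz_name:
        raise ValueError(f"bad authz extension name: {authz_name!r}")
    return f"{upn}@{authz_name}"


def split_login_name(login_name: str) -> Tuple[str, str]:
    """Split a composed login name back into (UPN, authz extension name).

    Assumption of this example: the extension name is whatever follows the
    LAST '@', so a UPN that itself contains '@' survives the round trip.
    """
    upn, sep, authz_name = login_name.rpartition("@")
    if not sep or not upn or not authz_name:
        raise ValueError(f"malformed login name: {login_name!r}")
    return upn, authz_name


def upn_suffix_collides(upn: str, authz_name: str) -> bool:
    """True when the authz extension is named exactly like the UPN suffix.

    That is the configuration that yields the confusing
    'user@domain@domain' display from the thread. Compared case-
    insensitively because DNS names and AD UPN suffixes are.
    """
    return upn.rpartition("@")[2].lower() == authz_name.lower()


def check_naming(upn: str, authz_name: str) -> List[str]:
    """Return human-readable warnings about a proposed extension name.

    An empty list means the name is fine under the checks this example
    performs.
    """
    warnings: List[str] = []
    if upn_suffix_collides(upn, authz_name):
        warnings.append(
            f"authz extension name {authz_name!r} equals the UPN suffix; "
            f"users will see {ovirt_login_name(upn, authz_name)!r}"
        )
    return warnings


if __name__ == "__main__":
    # Constructed sample data mirroring the thread; not real accounts.
    sample_upn = "cam@domain.com"
    for candidate in ("domain.com", "ad"):
        login = ovirt_login_name(sample_upn, candidate)
        print(login, split_login_name(login), check_naming(sample_upn, candidate))
```

Running the block shows the two outcomes side by side: naming the extension 'domain.com' yields 'cam@domain.com@domain.com' and a warning, while a short profile name such as 'ad' yields 'cam@domain.com@ad' with no warning. The round trip through split_login_name only works because the split is on the last '@'; a naive split on the first '@' would hand back 'cam' and 'domain.com@domain.com'.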

