Hi, I seem to experience the same problem right now and am at a bit of a loss as to where to dig for some more troubleshooting information. I would highly appreciate some help.
Here is what I have and what I did:

ovirt-engine-4.1.0.4-1.el7.centos.noarch
ovirt-engine-extension-aaa-ldap-1.3.0-1.el7.noarch

I executed ovirt-engine-extension-aaa-ldap-setup. My LDAP provider is 389ds (FreeIPA). I can successfully run a search and also login from the setup script. After running the setup I rebooted the Engine VM to make sure everything is restarted.

In the web UI configuration for 'System Permissions' I'm able to find users from LDAP, but when I try to 'Add' a selected user the UI shows me this error:

'User admin@internal-authz failed to grant permission for Role SuperUser on System to User/Group <UNKNOWN>.'

In the engine.log the following lines are generated:

2017-03-09 14:02:49,308+01 INFO [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-6-thread-4) [1ebae5e0-e5f6-49ba-ac80-95266c582893] Running command: AddSystemPermissionCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group MANIPULATE_PERMISSIONS with role type USER, ID: aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group ADD_USERS_AND_GROUPS_FROM_DIRECTORY with role type USER
2017-03-09 14:02:49,319+01 ERROR [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-6-thread-4) [1ebae5e0-e5f6-49ba-ac80-95266c582893] Transaction rolled-back for command 'org.ovirt.engine.core.bll.AddSystemPermissionCommand'.
2017-03-09 14:02:49,328+01 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-6-thread-4) [1ebae5e0-e5f6-49ba-ac80-95266c582893] EVENT_ID: USER_ADD_SYSTEM_PERMISSION_FAILED(867), Correlation ID: 1ebae5e0-e5f6-49ba-ac80-95266c582893, Call Stack: null, Custom Event ID: -1, Message: User admin@internal-authz failed to grant permission for Role SuperUser on System to User/Group <UNKNOWN>.

So far I've re-run the ldap-setup routine.
I made sure all newly generated files in /etc/ovirt-engine/[aaa|extensions.d] are owned by ovirt:ovirt (instead of root) and have 0600 as permission (instead of 0644). That didn't change anything.

I've also found an older bug report, but for oVirt 3.5:
https://bugzilla.redhat.com/show_bug.cgi?id=1121954
That didn't reveal anything new either.

Any ideas what I could try next?

Thanks!

Cheers
Richard

On 10/06/2016 04:36 PM, Ondra Machacek wrote:
> On 10/06/2016 01:47 PM, Michael Burch wrote:
>> I'm using the latest ovirt on CentOS7 with the aaa-ldap extension. I can
>> successfully authenticate as an LDAP user. I can also login as
>> admin@internal and search for, find, and select LDAP users but I cannot
>> add permissions for them. Each time I get the error "User
>> admin@internal-authz failed to grant permission for Role UserRole on
>> System to User/Group <UNKNOWN>."
>
> This error usually means a bad unique attribute was used.
>
>> I have no control over the LDAP server, which uses custom objectClasses
>> and uses groupOfNames instead of PosixGroups. I assume I need to set
>> sequence variables to accommodate our group configuration but I'm at a
>> loss as to where to begin.
>>
>> The config I have is as follows:
>>
>> include = <rfc2307-generic.properties>
>>
>> vars.server = labauth.lan.lab.org
>>
>> pool.authz.auth.type = none
>> pool.default.serverset.type = single
>> pool.default.serverset.single.server = ${global:vars.server}
>> pool.default.ssl.startTLS = true
>> pool.default.ssl.insecure = true
>>
>> pool.default.connection-options.connectTimeoutMillis = 10000
>> pool.default.connection-options.responseTimeoutMillis = 90000
>>
>> sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
>> sequence.my-basedn-init-vars.010.description = set baseDN
>> sequence.my-basedn-init-vars.010.type = var-set
>> sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
>> sequence.my-basedn-init-vars.010.var-set.value = o=LANLAB
>>
>> sequence-init.init.101-my-objectclass-init-vars = my-objectclass-init-vars
>> sequence.my-objectclass-init-vars.020.description = set objectClass
>> sequence.my-objectclass-init-vars.020.type = var-set
>> sequence.my-objectclass-init-vars.020.var-set.variable = simple_filterUserObject
>> sequence.my-objectclass-init-vars.020.var-set.value = (objectClass=labPerson)(uid=*)
>>
>> search.default.search-request.derefPolicy = NEVER
>>
>> sequence-init.init.900-local-init-vars = local-init-vars
>> sequence.local-init-vars.010.description = override name space
>> sequence.local-init-vars.010.type = var-set
>> sequence.local-init-vars.010.var-set.variable = simple_namespaceDefault
>> sequence.local-init-vars.010.var-set.value = *
>
> What's this^ for? I think it's unusable.
>
>> sequence.local-init-vars.020.description = apply filter to users
>> sequence.local-init-vars.020.type = var-set
>> sequence.local-init-vars.020.var-set.variable = simple_filterUserObject
>> sequence.local-init-vars.020.var-set.value = ${seq:simple_filterUserObject}(employeeStatus=3)
>>
>> sequence.local-init-vars.030.description = apply filter to groups
>> sequence.local-init-vars.030.type = var-set
>> sequence.local-init-vars.030.var-set.variable = simple_filterGroupObject
>> sequence.local-init-vars.030.var-set.value = (objectClass=groupOfUniqueNames)
>
> This looks like a hard-to-maintain file. I would suggest you insert just
> the following into this file:
>
> include = <rfc2307-mycustom.properties>
>
> vars.server = labauth.lan.lab.org
>
> pool.authz.auth.type = none
> pool.default.serverset.type = single
> pool.default.serverset.single.server = ${global:vars.server}
> pool.default.ssl.startTLS = true
> pool.default.ssl.insecure = true
>
> pool.default.connection-options.connectTimeoutMillis = 10000
> pool.default.connection-options.responseTimeoutMillis = 90000
>
> # Set custom base DN
> sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
> sequence.my-basedn-init-vars.010.description = set baseDN
> sequence.my-basedn-init-vars.010.type = var-set
> sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
> sequence.my-basedn-init-vars.010.var-set.value = o=LANLAB
>
> And then create in the directory
> '/usr/share/ovirt-engine-extension-aaa-ldap/profiles/' the file
> 'rfc2307-mycustom.properties' with this content:
>
> include = <rfc2307.properties>
>
> sequence-init.init.100-rfc2307-mycustom-init-vars = rfc2307-mycustom-init-vars
> sequence.rfc2307-mycustom-init-vars.010.description = set unique attr
> sequence.rfc2307-mycustom-init-vars.010.type = var-set
> sequence.rfc2307-mycustom-init-vars.010.var-set.variable = rfc2307_attrsUniqueId
> sequence.rfc2307-mycustom-init-vars.010.var-set.value = FIND_THIS_ONE
>
> sequence.rfc2307-mycustom-init-vars.020.type = var-set
> sequence.rfc2307-mycustom-init-vars.020.var-set.variable = simple_filterUserObject
> sequence.rfc2307-mycustom-init-vars.020.var-set.value = (objectClass=labPerson)(employeeStatus=3)(${seq:simple_attrsUserName}=*)
>
> Replace FIND_THIS_ONE with the unique attribute of labPerson (I guess).
> It can be an extended attribute (+, ++).
>
> $ LDAPTLS_REQCERT=never ldapsearch -ZZ -x -b 'o=LANLAB' -H ldap://labauth.lan.lab.org 'objectClass=labPerson'
>
> maybe (or even with two +):
> $ LDAPTLS_REQCERT=never ldapsearch -ZZ -x -b 'o=LANLAB' -H ldap://labauth.lan.lab.org 'objectClass=labPerson' +
>
> The question is whether your implementation even has a unique attribute,
> does it?
>
> Also, may you share what your LDAP provider is? And maybe if you share
> the content of some user it would help as well.

-- 
/dev/null
_______________________________________________ Users mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/users
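Ondra's point that this error usually means a bad unique attribute suggests a concrete check before putting a value into rfc2307_attrsUniqueId: the attribute must be present on every user entry and no two entries may share a value. The Python below, an added example that is not part of this thread or of the oVirt project, parses the LDIF that an ldapsearch like the ones quoted above prints (folded lines, base64 '::' values, comment and result trailer included) and reports entries lacking the candidate attribute and values carried by more than one entry. The SAMPLE_LDIF, its users and its employeeNumber attribute are constructed for illustration.

```python
import base64
from collections import defaultdict

def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})] parsed from ldapsearch LDIF output."""
    entries, current = [], None
    for line in text.replace("\n ", "").splitlines() + [""]:  # unfold wrapped lines; "" flushes last entry
        if line.startswith("#"):                # ldapsearch comment lines
            continue
        if not line.strip():                    # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        name, _, rest = line.partition(":")
        value = base64.b64decode(rest[1:].strip()).decode() if rest.startswith(":") else rest.strip()
        if name.lower() == "dn":
            current = (value, defaultdict(list))
        elif current is not None:               # 'result: 0 Success' trailer has no dn, so it is skipped
            current[1][name.lower()].append(value)
    return entries

def check_unique_attr(ldif_text, attr):
    """Return (dns lacking attr, {value: [dns]} for values carried by more than one entry)."""
    attr, seen, missing = attr.lower(), defaultdict(list), []
    for dn, attrs in parse_ldif(ldif_text):
        values = attrs.get(attr, [])
        if not values:
            missing.append(dn)
        for value in values:
            seen[value].append(dn)
    return missing, {v: dns for v, dns in seen.items() if len(dns) > 1}

SAMPLE_LDIF = """\
# constructed sample in the shape of `ldapsearch ... 'objectClass=labPerson' '*' '+'` output
dn: uid=alice,ou=people,o=LANLAB
employeeNumber: 1001
entryUUID: 1b1a0d2e-0000-4000-8000-000000000001

dn: uid=bob,ou=people,o=LANLAB
employeeNumber: 1001
entryUUID: 1b1a0d2e-0000-4000-8000-000000000002

dn:: dWlkPWNhcm9sLG91PXBlb3BsZSxvPUxBTkxBQg==
entryUUID: 1b1a0d2e-0000-4000-8000-
 000000000003

result: 0 Success
"""
```

On the sample, check_unique_attr(SAMPLE_LDIF, "employeeNumber") reports carol as missing it and 1001 shared by alice and bob, while check_unique_attr(SAMPLE_LDIF, "entryUUID") returns two empty collections; only an attribute with both collections empty across the real ldapsearch output is a safe candidate for rfc2307_attrsUniqueId.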

