On 03/10/2017 09:46 AM, Ondra Machacek wrote:
> So what's your provider, 389ds or FreeIPA?
>
> Note that both use a different unique ID. IPA is using 'ipaUniqueID',
> and 389ds is using 'nsuniqueid'. Did you try both?
Thanks for pointing that out! It works perfectly if I use IPA. I didn't know they have different identifiers (though it might have been obvious to me since there is a separate IPA option...). I clung to the thought that FreeIPA uses 389ds internally.

Thanks a lot!
Richard

>
> I can successfully run a search and also login
> from the setup script.
>
> After running the setup I rebooted the Engine VM to make sure
> everything is restarted.
>
> In the web UI configuration for 'System Permissions' I'm able to
> find users from LDAP but when I try to 'Add' a selected user the UI
> shows me this error: 'User admin@internal-authz failed to grant
> permission for Role SuperUser on System to User/Group <UNKNOWN>.'
>
> In the engine.log the following lines are generated:
> 2017-03-09 14:02:49,308+01 INFO
> [org.ovirt.engine.core.bll.AddSystemPermissionCommand]
> (org.ovirt.thread.pool-6-thread-4)
> [1ebae5e0-e5f6-49ba-ac80-95266c582893] Running command:
> AddSystemPermissionCommand internal: false. Entities affected : ID:
> aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group
> MANIPULATE_PERMISSIONS with role type USER, ID:
> aaa00000-0000-0000-0000-123456789aaa Type: SystemAction group
> ADD_USERS_AND_GROUPS_FROM_DIRECTORY with role type USER
> 2017-03-09 14:02:49,319+01 ERROR
> [org.ovirt.engine.core.bll.AddSystemPermissionCommand]
> (org.ovirt.thread.pool-6-thread-4)
> [1ebae5e0-e5f6-49ba-ac80-95266c582893] Transaction rolled-back for
> command 'org.ovirt.engine.core.bll.AddSystemPermissionCommand'.
> 2017-03-09 14:02:49,328+01 ERROR
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (org.ovirt.thread.pool-6-thread-4)
> [1ebae5e0-e5f6-49ba-ac80-95266c582893] EVENT_ID:
> USER_ADD_SYSTEM_PERMISSION_FAILED(867), Correlation ID:
> 1ebae5e0-e5f6-49ba-ac80-95266c582893, Call Stack: null, Custom Event
> ID: -1, Message: User admin@internal-authz failed to grant
> permission for Role SuperUser on System to User/Group <UNKNOWN>.
>
> So far I've re-run the ldap-setup routine. I made sure all newly
> generated files in /etc/ovirt-engine/[aaa|extensions.d] are owned by
> ovirt:ovirt (instead of root) and have 0600 as permission (instead
> of 0644). That didn't change anything.
>
> I've also found an older bug report but for oVirt 3.5
> https://bugzilla.redhat.com/show_bug.cgi?id=1121954
> That didn't reveal anything new either.
>
> Any ideas what I could try next?
>
> Thanks!
> Cheers
> Richard
>
>
> On 10/06/2016 04:36 PM, Ondra Machacek wrote:
> > On 10/06/2016 01:47 PM, Michael Burch wrote:
> >> I'm using the latest ovirt on CentOS7 with the aaa-ldap extension.
> >> I can successfully authenticate as an LDAP user. I can also login as
> >> admin@internal and search for, find, and select LDAP users but I
> >> cannot add permissions for them. Each time I get the error "User
> >> admin@internal-authz failed to grant permission for Role UserRole on
> >> System to User/Group <UNKNOWN>."
> >
> > This error usually means bad unique attribute used.
> >
> >>
> >> I have no control over the LDAP server, which uses custom
> >> objectClasses and uses groupOfNames instead of PosixGroups. I assume
> >> I need to set sequence variables to accommodate our group
> >> configuration but I'm at a loss as to where to begin.
> >> The config I have is as follows:
> >>
> >> include = <rfc2307-generic.properties>
> >>
> >> vars.server = labauth.lan.lab.org
> >>
> >> pool.authz.auth.type = none
> >> pool.default.serverset.type = single
> >> pool.default.serverset.single.server = ${global:vars.server}
> >> pool.default.ssl.startTLS = true
> >> pool.default.ssl.insecure = true
> >>
> >> pool.default.connection-options.connectTimeoutMillis = 10000
> >> pool.default.connection-options.responseTimeoutMillis = 90000
> >> sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
> >> sequence.my-basedn-init-vars.010.description = set baseDN
> >> sequence.my-basedn-init-vars.010.type = var-set
> >> sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
> >> sequence.my-basedn-init-vars.010.var-set.value = o=LANLAB
> >>
> >> sequence-init.init.101-my-objectclass-init-vars = my-objectclass-init-vars
> >> sequence.my-objectclass-init-vars.020.description = set objectClass
> >> sequence.my-objectclass-init-vars.020.type = var-set
> >> sequence.my-objectclass-init-vars.020.var-set.variable = simple_filterUserObject
> >> sequence.my-objectclass-init-vars.020.var-set.value = (objectClass=labPerson)(uid=*)
> >>
> >> search.default.search-request.derefPolicy = NEVER
> >>
> >> sequence-init.init.900-local-init-vars = local-init-vars
> >> sequence.local-init-vars.010.description = override name space
> >> sequence.local-init-vars.010.type = var-set
> >> sequence.local-init-vars.010.var-set.variable = simple_namespaceDefault
> >> sequence.local-init-vars.010.var-set.value = *
> >
> > What's this^ for? I think it's unusable.
> >
> >>
> >> sequence.local-init-vars.020.description = apply filter to users
> >> sequence.local-init-vars.020.type = var-set
> >> sequence.local-init-vars.020.var-set.variable = simple_filterUserObject
> >> sequence.local-init-vars.020.var-set.value = ${seq:simple_filterUserObject}(employeeStatus=3)
> >>
> >> sequence.local-init-vars.030.description = apply filter to groups
> >> sequence.local-init-vars.030.type = var-set
> >> sequence.local-init-vars.030.var-set.variable = simple_filterGroupObject
> >> sequence.local-init-vars.030.var-set.value = (objectClass=groupOfUniqueNames)
> >
> > This looks like a hard to maintain file. I would suggest you insert
> > into this file just the following:
> >
> > include = <rfc2307-mycustom.properties>
> >
> > vars.server = labauth.lan.lab.org
> >
> > pool.authz.auth.type = none
> > pool.default.serverset.type = single
> > pool.default.serverset.single.server = ${global:vars.server}
> > pool.default.ssl.startTLS = true
> > pool.default.ssl.insecure = true
> >
> > pool.default.connection-options.connectTimeoutMillis = 10000
> > pool.default.connection-options.responseTimeoutMillis = 90000
> >
> > # Set custom base DN
> > sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
> > sequence.my-basedn-init-vars.010.description = set baseDN
> > sequence.my-basedn-init-vars.010.type = var-set
> > sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
> > sequence.my-basedn-init-vars.010.var-set.value = o=LANLAB
> >
> > And then create in directory
> > '/usr/share/ovirt-engine-extension-aaa-ldap/profiles/' the file
> > 'rfc2307-mycustom.properties' with content:
> >
> > include = <rfc2307.properties>
> >
> > sequence-init.init.100-rfc2307-mycustom-init-vars = rfc2307-mycustom-init-vars
> > sequence.rfc2307-mycustom-init-vars.010.description = set unique attr
> > sequence.rfc2307-mycustom-init-vars.010.type = var-set
> > sequence.rfc2307-mycustom-init-vars.010.var-set.variable = rfc2307_attrsUniqueId
> > sequence.rfc2307-mycustom-init-vars.010.var-set.value = FIND_THIS_ONE
> >
> > sequence.rfc2307-mycustom-init-vars.020.type = var-set
> > sequence.rfc2307-mycustom-init-vars.020.var-set.variable = simple_filterUserObject
> > sequence.rfc2307-mycustom-init-vars.020.var-set.value = (objectClass=labPerson)(employeeStatus=3)(${seq:simple_attrsUserName}=*)
> >
> > Replace FIND_THIS_ONE with the unique attribute of labPerson (I
> > guess). It can be an extended attribute (+, ++).
> >
> > $ LDAPTLS_REQCERT=never ldapsearch -ZZ -x -b 'o=LANLAB' -H ldap://labauth.lan.lab.org 'objectClass=labPerson'
> >
> > maybe (or even with two +):
> > $ LDAPTLS_REQCERT=never ldapsearch -ZZ -x -b 'o=LANLAB' -H ldap://labauth.lan.lab.org 'objectClass=labPerson' +
> >
> > The question is if your implementation even has a unique attribute, does
> > it?
> >
> > Also, may you share what your LDAP provider is? And maybe if you share
> > the content of some user it would help as well.
> >
> >>
> >> _______________________________________________
> >> Users mailing list
> >> [email protected]
> >> http://lists.ovirt.org/mailman/listinfo/users
> >>
> >
> --
> /dev/null
>
> --
> /dev/null
_______________________________________________ Users mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/users
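The thread's diagnosis is that the aaa-ldap profile must pin `rfc2307_attrsUniqueId` to an attribute that every user entry actually carries, exactly once, with distinct values; otherwise the engine cannot resolve the principal and reports it as `User/Group <UNKNOWN>`. The following added example (not code from the thread or from ovirt-engine-extension-aaa-ldap) parses the LDIF that `ldapsearch ... 'objectClass=labPerson' +` prints, checks the three candidate attributes (the thread's `ipaUniqueID` and `nsuniqueid`, plus `entryUUID` from RFC 4530) against that rule, and renders the `var-set` lines Ondra proposed with the usable one filled in. The function names and the sample LDIF are constructed for this example; the base DN `o=LANLAB` is the one from the thread.

```python
"""Pick a unique-id attribute for an oVirt aaa-ldap profile from ldapsearch output.

Added example, not project code. The '+' in the ldapsearch call asks the
server for operational attributes, which is where 389ds keeps nsuniqueid.
"""
import base64

# Identifiers named in the thread (ipaUniqueID: FreeIPA, nsuniqueid: 389ds)
# plus entryUUID, the generic operational attribute defined in RFC 4530.
CANDIDATES = ("ipaUniqueID", "nsuniqueid", "entryUUID")

# Constructed sample of three labPerson entries. The service account carries
# no ipaUniqueID, so that attribute would leave it unresolvable (<UNKNOWN>).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,o=LANLAB
objectClass: labPerson
uid: alice
cn: Alice Example
ipaUniqueID: 1f4a3c2e-0d7b-11e7-9ba4-525400aaaaaa
nsuniqueid: 6a1d0e81-f3b611e6-8c2fa7d0-b12c9a31
employeeStatus: 3

dn: uid=bob,ou=people,o=LANLAB
objectClass: labPerson
uid: bob
cn:: Qm9iIEV4YW1wbGU=
description: folded value that ldapsearch wraps at 76
  columns and continues on the next line
ipaUniqueID: 2b5c4d3f-0d7b-11e7-9ba4-525400aaaaaa
nsuniqueid: 7b2e1f92-f3b611e6-8c2fa7d0-b12c9a31
employeeStatus: 3

dn: uid=svc-backup,ou=people,o=LANLAB
objectClass: labPerson
uid: svc-backup
cn: Backup service account
nsuniqueid: 8c3f2aa3-f3b611e6-8c2fa7d0-b12c9a31
employeeStatus: 3
"""


def parse_ldif(text):
    """Return entries as dicts of lower-cased attribute -> list of values.

    Handles folded lines (a leading space continues the previous line) and
    base64 values ("attr:: ...") as ldapsearch emits them.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)

    entries, current = [], {}
    for line in logical + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        idx = line.find(":")
        if idx < 0:
            continue
        attr = line[:idx].strip().lower()
        if line.startswith(":", idx + 1):   # base64-encoded value
            value = base64.b64decode(line[idx + 2:].strip()).decode("utf-8")
        else:
            value = line[idx + 1:].strip()
        current.setdefault(attr, []).append(value)
    return entries


def entries_missing(entries, attr):
    """DNs on which `attr` is absent or multi-valued, i.e. unresolvable by the engine."""
    key = attr.lower()
    return [e["dn"][0] for e in entries if len(e.get(key, [])) != 1]


def usable_unique_attrs(entries, candidates=CANDIDATES):
    """Candidates present exactly once on every entry and distinct across entries."""
    usable = []
    for attr in candidates:
        if entries_missing(entries, attr):
            continue
        if len({e[attr.lower()][0] for e in entries}) == len(entries):
            usable.append(attr)
    return usable


def unique_id_override(attr, seq="rfc2307-mycustom-init-vars"):
    """Render the var-set block from the thread with the chosen attribute filled in."""
    return "\n".join([
        f"sequence-init.init.100-{seq} = {seq}",
        f"sequence.{seq}.010.description = set unique attr",
        f"sequence.{seq}.010.type = var-set",
        f"sequence.{seq}.010.var-set.variable = rfc2307_attrsUniqueId",
        f"sequence.{seq}.010.var-set.value = {attr}",
    ])


if __name__ == "__main__":
    found = parse_ldif(SAMPLE_LDIF)
    for attr in CANDIDATES:
        bad = entries_missing(found, attr)
        if bad:
            print(f"{attr}: {len(bad)} entries would show as <UNKNOWN>, e.g. {bad[0]}")
    usable = usable_unique_attrs(found)
    print("usable as rfc2307_attrsUniqueId:", usable)
    if usable:
        print(unique_id_override(usable[0]))
```

Against a real directory, feed the script the saved output of the `ldapsearch ... +` command from the thread instead of `SAMPLE_LDIF`; an attribute that `entries_missing` flags on even one user is the wrong choice, which is exactly the symptom the 389ds profile produced here.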

