You can create a profile that has the proper permissions to allow what you are looking for, and then assign that profile to the groups you wish. I wrote a post on this quite a while back on how to set up oVirt to appear to be multi-tenant.
Happy to see you don't have an ldap issue :)

> This will be a problem for us to now create group permissions for all 100+ groups since Everyone === No-one. -sigh-

On Mon, Jun 11, 2018 at 6:34 AM, Callum Smith <cal...@well.ox.ac.uk> wrote:

> Ah, this appears to be an issue with the proxy - setting up the spice proxy as indicated in the guides is causing this issue, and likely will need support.
>
> https://www.ovirt.org/documentation/admin-guide/chap-Proxies/
>
> Regards,
> Callum
>
> --
>
> Callum Smith
> Research Computing Core
> Wellcome Trust Centre for Human Genetics
> University of Oxford
> e. cal...@well.ox.ac.uk
>
> On 11 Jun 2018, at 11:29, Callum Smith <cal...@well.ox.ac.uk> wrote:
>
> Ok, the user now logs in! This will be a problem for us to now create group permissions for all 100+ groups since Everyone === No-one. -sigh-
>
> A new issue, when in the VM portal as the LDAP user, I get HTTP basic auth login prompts, and an "Authorization expired" error, then a page reload. Nothing in the logs seems to indicate an issue.
>
> Regards,
> Callum
>
> On 11 Jun 2018, at 11:26, Donny Davis <do...@fortnebula.com> wrote:
>
> Try giving your user system permissions as a superuser and see if it goes away.
>
> I wouldn't leave it like that, but it will help isolate your issue. I don't think you have an ldap issue...
> the log entry is telling you that user has no permissions
>
> > The user callum@Biomedical Research Computing is not authorized to perform login
>
> On Mon, Jun 11, 2018 at 6:23 AM, Callum Smith <cal...@well.ox.ac.uk> wrote:
>
>> Dear Donny,
>>
>> No, though the user shows the permissions inherited from the Everyone group:
>> <Screen Shot 2018-06-11 at 11.22.42.png>
>> Regards,
>> Callum
>>
>> On 11 Jun 2018, at 11:21, Donny Davis <do...@fortnebula.com> wrote:
>>
>> Just a shot in the dark, but after you set up ldap did you go in as the default admin and give an ldap account permissions?
>>
>> On Mon, Jun 11, 2018 at 6:04 AM, Callum Smith <cal...@well.ox.ac.uk> wrote:
>>
>>> Dear All,
>>>
>>> Could this be as our LDAP is fairly short on attributes?
>>>
>>> 2018-06-11 11:00:52,856+01 INFO [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-5) [5dff9eb0] Running command: CreateUserSessionCommand internal: false.
>>> 2018-06-11 11:00:52,884+01 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-5) [5dff9eb0] EVENT_ID: USER_VDC_LOGIN_FAILED(114), User callum@Biomedical Research Computing connecting from '--ipaddr--' failed to log in<UNKNOWN>.
>>> 2018-06-11 11:00:52,884+01 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-5) [] The user callum@Biomedical Research Computing is not authorized to perform login
>>>
>>> I note that a number of variables are included in this action, but which are required and which are optional is the question:
>>>
>>> https://github.com/oVirt/ovirt-engine/blob/master/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/servlet/SsoPostLoginServlet.java#L88
>>>
>>> Regards,
>>> Callum
>>>
>>> On 11 Jun 2018, at 09:35, Callum Smith <cal...@well.ox.ac.uk> wrote:
>>>
>>> What would be the next step to help solve this issue? All users authenticating through LDAP get "This user is not authorised to perform authentication".
>>>
>>> Regards,
>>> Callum
>>>
>>> On 5 Jun 2018, at 11:42, Callum Smith <cal...@well.ox.ac.uk> wrote:
>>>
>>> Ok I spoke too soon, I have resolved the groups, but authentication still isn't working for LDAP users, same error as before (114).
>>>
>>> Regards,
>>> Callum
>>>
>>> On 5 Jun 2018, at 10:14, Callum Smith <cal...@well.ox.ac.uk> wrote:
>>>
>>> Dear Ondra, all,
>>>
>>> Managed to solve this once I got my head around the properties file.
>>> Conceptually the problem is that users are typically not a member of their primary group in a POSIX scenario, and their primary group is set by the gidNumber of the user's record, with additional group memberships specified by memberUid entries against a posixGroup entry.
>>>
>>> search.rfc2307-resolve-groups-memberUid.search-request.filter = &(objectClass=posixGroup)(|(memberUid=${seq:_rfc2307_uid_encoded})(gidNumber=${seq:_rfc2307_gid_encoded}))
>>>
>>> search.rfc2307-resolve-principal-uid.search-request.attributes = uid, gidNumber
>>>
>>> sequence.bmrc-resolve-groups.010.description = set dn
>>> sequence.bmrc-resolve-groups.010.type = var-set
>>> sequence.bmrc-resolve-groups.010.var-set.variable = _rfc2307_dn
>>> sequence.bmrc-resolve-groups.010.var-set.value = ${seq:dn}
>>> sequence.bmrc-resolve-groups.020.description = resolve uid
>>> sequence.bmrc-resolve-groups.020.type = fetch-record
>>> sequence.bmrc-resolve-groups.020.fetch-record.search = rfc2307-resolve-principal-uid
>>> sequence.bmrc-resolve-groups.020.fetch-record.map.uid.name = _rfc2307_uid
>>> sequence.bmrc-resolve-groups.030.description = resolve gid
>>> sequence.bmrc-resolve-groups.030.type = fetch-record
>>> sequence.bmrc-resolve-groups.030.fetch-record.search = rfc2307-resolve-principal-uid
>>> sequence.bmrc-resolve-groups.030.fetch-record.map.gidNumber.name = _rfc2307_gid
>>> sequence.bmrc-resolve-groups.040.description = query groups
>>> sequence.bmrc-resolve-groups.040.type = search-open
>>> sequence.bmrc-resolve-groups.040.search-open.search = rfc2307-resolve-groups-memberUid
>>> sequence.bmrc-resolve-groups.040.search-open.variable = queryRFC2307ByMemberUid
>>>
>>> sequence.rfc2307-resolve-groups.020.call.name = bmrc-resolve-groups
>>>
>>> Regards,
>>> Callum
>>>
>>> On 4 Jun 2018, at 15:07, Callum Smith <cal...@well.ox.ac.uk> wrote:
>>>
>>> Dear Ondra,
>>>
>>> I went for openldap-rfc2307 as that best describes our ldap setup. The issue seems to be that the gidNumber is set, but users are not a member of their primary group within the LDAP. So, user's gidNumber represents primary group and posixGroup membership (memberUid) represents their secondary groups. What's the best way to approach this (fix the filters on oVirt end or change the LDAP? This is a question of what is most compliant with standards really).
>>>
>>> Regards,
>>> Callum
>>>
>>> On 29 May 2018, at 11:29, Ondra Machacek <omach...@redhat.com> wrote:
>>>
>>> What's your LDAP and what profile did you choose? This looks like you have chosen incorrect profile during setup. Are you sure you aren't using posix group and using non-posix aaa profile? Sharing a debug log of ovirt-engine-extensions-tool would be helpful.
>>>
>>> On Fri, May 25, 2018, 10:04 AM Callum Smith <cal...@well.ox.ac.uk> wrote:
>>>
>>>> Dear All,
>>>>
>>>> I'm having problems getting LDAP running, login works, but I'm getting "user is not authorised to perform login" - this is even if I specify the UserRole specifically to the LDAP group the user is in.
>>>>
>>>> 2018-05-25 08:56:16,212+01 INFO [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-23) [] User callum@Biomedical Research Computing successfully logged in with scopes: ovirt-app-admin ovirt-app-api ovirt-app-portal ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access
>>>> 2018-05-25 08:56:16,391+01 INFO [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-25) [63e60fe9] Running command: CreateUserSessionCommand internal: false.
>>>> 2018-05-25 08:56:16,430+01 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-25) [63e60fe9] EVENT_ID: USER_VDC_LOGIN_FAILED(114), User callum@Biomedical Research Computing connecting from '192.168.65.254' failed to log in<UNKNOWN>.
>>>> 2018-05-25 08:56:16,430+01 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-25) [] The user callum@Biomedical Research Computing is not authorized to perform login
>>>>
>>>> on a side note: is it possible to assign permissions to all members of an LDAP tree where they don't have a common group membership?
>>>>
>>>> Regards,
>>>> Callum
_______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/HAB54A2Q6BSCJDSJD237UQMP47ZSYRPK/
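The gidNumber-plus-memberUid group resolution that the properties file in the thread configures, worked through as an added Python example (not code from the thread, from Callum's setup or from the oVirt project); the directory entries, user names and gid values are constructed, and a memberUid-only variant is included to show the group that a filter without the gidNumber clause drops.

```python
# Added example, not from the oVirt thread or the oVirt project: resolve an
# RFC 2307 user's groups the way the quoted aaa-ldap search does. The primary
# group is the posixGroup whose gidNumber equals the user's gidNumber; secondary
# groups are posixGroups listing the uid in memberUid. The thread's filter ORs
# both clauses so the primary group is no longer missed.
import re

# Constructed sample directory; every name and number here is made up.
USERS = {
    "callum": {"uid": "callum", "gidNumber": "1001"},
    "ondra": {"uid": "ondra", "gidNumber": "3000"},
}
GROUPS = [
    {"cn": "bmrc", "objectClass": "posixGroup", "gidNumber": "1001", "memberUid": []},
    {"cn": "cluster", "objectClass": "posixGroup", "gidNumber": "2000", "memberUid": ["callum", "ondra"]},
    {"cn": "genomics", "objectClass": "posixGroup", "gidNumber": "3000", "memberUid": ["ondra"]},
    # Same gid as bmrc but not a posixGroup: the objectClass clause must reject it.
    {"cn": "legacy", "objectClass": "groupOfNames", "gidNumber": "1001", "memberUid": ["callum"]},
]


def ldap_filter_escape(value):
    """RFC 4515 escaping, which is what the *_encoded sequence variables give you:
    a uid containing ( ) * \\ or NUL cannot change the structure of the filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def build_filter(uid, gid):
    """The search-request.filter from the thread with both variables substituted
    (the properties file writes it without the outer parentheses)."""
    return "(&(objectClass=posixGroup)(|(memberUid=%s)(gidNumber=%s)))" % (
        ldap_filter_escape(uid), ldap_filter_escape(gid))


def resolve_groups(uid, only_member_uid=False):
    """Group cns the filter returns for uid. only_member_uid=True evaluates a
    memberUid-only filter, the behaviour the thread describes as losing the
    primary group, so the difference can be seen directly."""
    gid = USERS[uid]["gidNumber"]
    hits = []
    for g in GROUPS:
        if g["objectClass"] != "posixGroup":
            continue
        if uid in g["memberUid"] or (not only_member_uid and g["gidNumber"] == gid):
            hits.append(g["cn"])
    return sorted(hits)


if __name__ == "__main__":
    print(build_filter("callum", "1001"))
    print("memberUid only:", resolve_groups("callum", only_member_uid=True))
    print("memberUid or gidNumber:", resolve_groups("callum"))
```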