Hi all,

After rectifying this I am able to search the domain users in the UI, but I am unable to log in; I get the error below:

2015-09-23 12:41:47,482 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for user [email protected]. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION

Thanks,
Nagaraju

On Wed, Sep 23, 2015 at 12:13 PM, Ondra Machacek <[email protected]> wrote:
> Hi,
>
> as Alon already said, you have a trailing space in your configuration:
>
> 'my.abc.net ' <-- space at the end
>
> Please remove this space and try again.
>
> Ondra
>
> On 09/23/2015 05:35 AM, Budur Nagaraju wrote:
> > Hi Alon,
> >
> > Tried all the options but no luck.
> >
> > I have copied the logs to the pastebin; below is the link. The warning
> > message is that it is unable to resolve the DNS. Let me know what help I could get.
> >
> > http://pastebin.com/7qN9QnHK
> >
> > Thanks,
> > Nagaraju
> >
> > On Tue, Sep 22, 2015 at 8:44 PM, Daniel Helgenberger <[email protected]> wrote:
> > > Hello Budur,
> > >
> > > I've done this recently. Alon, no offense, but the docs are not quite
> > > straightforward...
> > >
> > > Requirements:
> > > - LDAP server (obviously) - called here ldap.mydomain.com
> > > - LDAP bind account - called here [email protected], password 'Passw@rd'
> > > - At least one existing account in LDAP, called [email protected]
> > >
> > > Please note, the most common issue will be DNS.
> > >
> > > I'll describe in short what steps need to be taken. All this needs to be
> > > done on your engine host. In the end this was quite easy :)
> > >
> > > 1. Install the packages: ovirt-engine-extension-aaa-ldap and
> > >    openldap-clients (these are only for testing your setup)
> > > 2. Test if LDAP is working in general. (The extension uses the global
> > >    catalog at least for AD, this was news to me):
> > >
> > >    # ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H ldap://ldap.mydomain.com:3268/ -x \
> > >        -D '[email protected]' -w Passw@rd -b '' '(userPrincipalName=[email protected])' cn userPrincipalName
> > >
> > >    If this command does not return details of the user, do debug your LDAP
> > >    and continue once this works. Example:
> > >
> > >    # extended LDIF
> > >    #
> > >    # LDAPv3
> > >    # base <> with scope subtree
> > >    # filter: ([email protected])
> > >    # requesting: cn userPrincipalName
> > >    # with pagedResults control: size=1024
> > >    #
> > >
> > >    # Some Name, some-ou, mydomain.com
> > >    dn: CN=Some Name,OU=some-ou,DC=mydomain,DC=com
> > >    cn: Some Name
> > >    userPrincipalName: [email protected]
> > >
> > >    # search result
> > >    search: 2
> > >    result: 0 Success
> > >    control: 1.2.840.113556.1.4.319 false MIQXGSGSGSgEABAA=
> > >    pagedresults: cookie=
> > >
> > >    # numResponses: 2
> > >    # numEntries: 1
> > >
> > > 3. Copy the examples as mentioned in the README.
> > > 4. You only need to modify /etc/ovirt-engine/aaa/int.m-box.de.properties;
> > >    leave the rest as is.
> > > 5. There, set:
> > >
> > >    vars.domain = ldap.mydomain.com
> > >    vars.user = ldap@${global:vars.domain}
> > >    vars.password = Passw@rd
> > >
> > > 6. Restart the ovirt-engine service.
> > > 7. Log in as admin@internal and add user rights and roles from the new
> > >    provider.
> > >
> > > Hope this helps.
> > >
> > > On 22.09.2015 16:46, Budur Nagaraju wrote:
> > > > Below are the three files which I have modified.
> > > >
> > > > [root@cstlb2 extensions.d]# cat profile1-authn.properties
> > > > ovirt.engine.extension.name = cloudspin-authn
> > > > ovirt.engine.extension.bindings.method = jbossmodule
> > > > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> > > > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> > > > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> > > > ovirt.engine.aaa.authn.profile.name = cloudspin
> > > > ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth
> > > > config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
> > > >
> > > > [root@cstlb2 extensions.d]# ls
> > > > profile1-authn.properties  profile1-authz.properties
> > > > [root@cstlb2 extensions.d]# cat profile1-authz.properties
> > > > ovirt.engine.extension.name = cloudspin-authz
> > > > ovirt.engine.extension.bindings.method = jbossmodule
> > > > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> > > > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> > > > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> > > > config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
> > > > [root@cstlb2 extensions.d]#
> > > >
> > > > [root@cstlb2 aaa]# pwd
> > > > /etc/ovirt-engine/aaa
> > > > [root@cstlb2 aaa]# ls
> > > > ldap1.properties
> > > > [root@cstlb2 aaa]# cat ldap1.properties
> > > > #
> > > > # Select one
> > > > #
> > > > include = <openldap.properties>
> > > > #include = <389ds.properties>
> > > > #include = <rhds.properties>
> > > > #include = <ipa.properties>
> > > > #include = <iplanet.properties>
> > > > #include = <rfc2307.properties>
> > > > #include = <rfc2307-openldap.properties>
> > > >
> > > > #
> > > > # Server
> > > > #
> > > > vars.server = my.abc.net 
> > > >
> > > > #
> > > > # Search user and its password.
> > > > #
> > > > vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=nbudoor,dc=net
> > > > vars.password = company
> > > >
> > > > pool.default.serverset.single.server = ${global:vars.server}
> > > > pool.default.auth.simple.bindDN = ${global:vars.user}
> > > > pool.default.auth.simple.password = ${global:vars.password}
> > > >
> > > > # Create keystore, import certificate chain and uncomment
> > > > # if using ssl/tls.
> > > > #pool.default.ssl.startTLS = true
> > > > #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
> > > > #pool.default.ssl.truststore.password = changeit
> > > > [root@cstlb2 aaa]#
> > > >
> > > > On Tue, Sep 22, 2015 at 8:07 PM, Alon Bar-Lev <[email protected]> wrote:
> > > > > ----- Original Message -----
> > > > > > From: "Budur Nagaraju" <[email protected]>
> > > > > > To: "Alon Bar-Lev" <[email protected]>
> > > > > > Cc: [email protected]
> > > > > > Sent: Tuesday, September 22, 2015 5:35:16 PM
> > > > > > Subject: Re: [ovirt-users] LDAP Authentication
> > > > > >
> > > > > > It's too complicated; do you have any script or video?
> > > > >
> > > > > in 3.6 we have a setup script.
> > > > > for now:
> > > > >
> > > > > cp -r /usr/share/ovirt-engine/examples/simple/. /etc/ovirt-engine/
> > > > >
> > > > > this is written in the README.
> > > > >
> > > > > then customize files at /etc/ovirt-engine/extensions.d/*
> > > > > /etc/ovirt-engine/aaa/* to match your setup
> > > > >
> > > > > > On Tue, Sep 22, 2015 at 8:00 PM, Alon Bar-Lev <[email protected]> wrote:
> > > > > > > ----- Original Message -----
> > > > > > > > From: "Budur Nagaraju" <[email protected]>
> > > > > > > > To: "Alon Bar-Lev" <[email protected]>
> > > > > > > > Cc: [email protected]
> > > > > > > > Sent: Tuesday, September 22, 2015 5:24:36 PM
> > > > > > > > Subject: Re: [ovirt-users] LDAP Authentication
> > > > > > > >
> > > > > > > > Hi Alon,
> > > > > > > >
> > > > > > > > Below is the configuration which I have done, but I am unable to search the
> > > > > > > > users in the UI.
> > > > > > > > Can you please help me?
> > > > > > >
> > > > > > > you need three files, see the
> > > > > > > /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple
> > > > > > >
> > > > > > > > [root@cstlb2 aaa]# cat ldap1.properties
> > > > > > > > #
> > > > > > > > # Select one
> > > > > > > > #
> > > > > > > > include = <openldap.properties>
> > > > > > > > #include = <389ds.properties>
> > > > > > > > #include = <rhds.properties>
> > > > > > > > #include = <ipa.properties>
> > > > > > > > #include = <iplanet.properties>
> > > > > > > > #include = <rfc2307.properties>
> > > > > > > > #include = <rfc2307-openldap.properties>
> > > > > > > >
> > > > > > > > #
> > > > > > > > # Server
> > > > > > > > #
> > > > > > > > vars.server =my.abc.net 
> > > > > > > >
> > > > > > > > #
> > > > > > > > # Search user and its password.
> > > > > > > > #
> > > > > > > > vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=abc,dc=net
> > > > > > > > vars.password = company1
> > > > > > > >
> > > > > > > > pool.default.serverset.single.server = ${global:vars.server}
> > > > > > > > pool.default.auth.simple.bindDN = ${global:vars.user}
> > > > > > > > pool.default.auth.simple.password = ${global:vars.password}
> > > > > > > >
> > > > > > > > # Create keystore, import certificate chain and uncomment
> > > > > > > > # if using ssl/tls.
> > > > > > > > #pool.default.ssl.startTLS = true
> > > > > > > > #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
> > > > > > > > #pool.default.ssl.truststore.password = changeit
> > > > > > > > [root@cstlb2 aaa]#
> > > > > > > >
> > > > > > > > On Tue, Sep 22, 2015 at 7:25 PM, Alon Bar-Lev <[email protected]> wrote:
> > > > > > > > > ----- Original Message -----
> > > > > > > > > > From: "Budur Nagaraju" <[email protected]>
> > > > > > > > > > To: [email protected]
> > > > > > > > > > Sent: Tuesday, September 22, 2015 4:34:46 PM
> > > > > > > > > > Subject: [ovirt-users] LDAP Authentication
> > > > > > > > > >
> > > > > > > > > > Hi all,
> > > > > > > > > >
> > > > > > > > > > Can someone help me in configuring LDAP authentication for oVirt?
> > > > > > > > >
> > > > > > > > > Please review:
> > > > > > > > > http://www.ovirt.org/Features/AAA
> > > > > > > > > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0
> > >
> > > --
> > > Daniel Helgenberger
> > > m box bewegtbild GmbH
> > >
> > > P: +49/30/2408781-22
> > > F: +49/30/2408781-10
> > >
> > > ACKERSTR. 19
> > > D-10115 BERLIN
> > >
> > > www.m-box.de
> > > www.monkeymen.tv
> > >
> > > Managing directors: Martin Retschitzegger / Michaela Göllner
> > > Commercial register: Amtsgericht Charlottenburg / HRB 112767
_______________________________________________ Users mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/users
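The checks this thread converges on (no trailing whitespace in the vars.* values, a vars.server the engine host can resolve, and a test bind with the search account before restarting the engine), written up as an added shell script that is not part of the thread or of the oVirt project. It assumes the profile uses the vars.server/vars.user/vars.password keys shown above; the rootDSE query in test_bind and the sample profile in the test are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint an ovirt-engine-extension-aaa-ldap profile such as
# /etc/ovirt-engine/aaa/ldap1.properties for the pitfalls seen in this thread.
# Usage: sh check_aaa_ldap.sh /etc/ovirt-engine/aaa/ldap1.properties

# Print the value of key $2 in properties file $1. Whitespace after '=' is
# dropped; trailing whitespace is kept on purpose so it can be detected.
prop_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 if the value of key $2 is clean, 1 if it ends in whitespace
# (the 'my.abc.net ' mistake that made the engine fail DNS resolution here).
check_no_trailing_space() {
    case "$(prop_value "$1" "$2")" in
        *[[:space:]]) return 1 ;;
        *) return 0 ;;
    esac
}

# The engine resolves vars.server itself, so it must resolve on the engine host.
check_server_resolves() {
    getent hosts "$(prop_value "$1" vars.server)" >/dev/null
}

# Test bind with the search account, mirroring the ldapsearch from the thread but
# against the rootDSE so no base DN is needed (use port 3268 for an AD global catalog).
test_bind() {
    ldapsearch -x -H "ldap://$(prop_value "$1" vars.server)/" \
        -D "$(prop_value "$1" vars.user)" -w "$(prop_value "$1" vars.password)" \
        -b '' -s base '(objectClass=*)' namingContexts
}

# Run all static checks on profile $1; non-zero exit means do not restart the engine yet.
check_profile() {
    rc=0
    for key in vars.server vars.user vars.password; do
        check_no_trailing_space "$1" "$key" || { echo "ERROR: $key has trailing whitespace" >&2; rc=1; }
    done
    check_server_resolves "$1" || { echo "ERROR: vars.server does not resolve" >&2; rc=1; }
    return $rc
}

if [ -n "$1" ]; then
    check_profile "$1" && test_bind "$1"
fi
```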

