Just a shot in the dark, but after you set up LDAP did you go in as the default admin and give an LDAP account permissions?
On Mon, Jun 11, 2018 at 6:04 AM, Callum Smith <[email protected]> wrote:
> Dear All,
>
> Could this be as our LDAP is fairly short on attributes?
>
> 2018-06-11 11:00:52,856+01 INFO [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-5) [5dff9eb0] Running command: CreateUserSessionCommand internal: false.
> 2018-06-11 11:00:52,884+01 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-5) [5dff9eb0] EVENT_ID: USER_VDC_LOGIN_FAILED(114), User callum@Biomedical Research Computing connecting from '--ipaddr--' failed to log in<UNKNOWN>.
> 2018-06-11 11:00:52,884+01 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-5) [] The user callum@Biomedical Research Computing is not authorized to perform login
>
> I note that a number of variables are included in this action, but which are required and which are optional is the question:
>
> https://github.com/oVirt/ovirt-engine/blob/master/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/servlet/SsoPostLoginServlet.java#L88
>
> Regards,
> Callum
>
> --
>
> Callum Smith
> Research Computing Core
> Wellcome Trust Centre for Human Genetics
> University of Oxford
> e. [email protected]
>
> On 11 Jun 2018, at 09:35, Callum Smith <[email protected]> wrote:
>
> What would be the next step to help solve this issue? All users authenticating through LDAP get "This user is not authorised to perform authentication".
>
> Regards,
> Callum
>
> On 5 Jun 2018, at 11:42, Callum Smith <[email protected]> wrote:
>
> Ok I spoke too soon, I have resolved the groups, but authentication still isn't working for LDAP users, same error as before (114).
>
> Regards,
> Callum
>
> On 5 Jun 2018, at 10:14, Callum Smith <[email protected]> wrote:
>
> Dear Ondra, all,
>
> Managed to solve this once I got my head around the properties file. Conceptually the problem is that users are typically not a member of their primary group in a POSIX scenario, and their primary group is set by the gidNumber of the user's record, with additional group memberships specified by memberUid entries against a posixGroup entry.
>
> search.rfc2307-resolve-groups-memberUid.search-request.filter = &(objectClass=posixGroup)(|(memberUid=${seq:_rfc2307_uid_encoded})(gidNumber=${seq:_rfc2307_gid_encoded}))
>
> search.rfc2307-resolve-principal-uid.search-request.attributes = uid, gidNumber
>
> sequence.bmrc-resolve-groups.010.description = set dn
> sequence.bmrc-resolve-groups.010.type = var-set
> sequence.bmrc-resolve-groups.010.var-set.variable = _rfc2307_dn
> sequence.bmrc-resolve-groups.010.var-set.value = ${seq:dn}
> sequence.bmrc-resolve-groups.020.description = resolve uid
> sequence.bmrc-resolve-groups.020.type = fetch-record
> sequence.bmrc-resolve-groups.020.fetch-record.search = rfc2307-resolve-principal-uid
> sequence.bmrc-resolve-groups.020.fetch-record.map.uid.name = _rfc2307_uid
> sequence.bmrc-resolve-groups.030.description = resolve gid
> sequence.bmrc-resolve-groups.030.type = fetch-record
> sequence.bmrc-resolve-groups.030.fetch-record.search = rfc2307-resolve-principal-uid
> sequence.bmrc-resolve-groups.030.fetch-record.map.gidNumber.name = _rfc2307_gid
> sequence.bmrc-resolve-groups.040.description = query groups
> sequence.bmrc-resolve-groups.040.type = search-open
> sequence.bmrc-resolve-groups.040.search-open.search = rfc2307-resolve-groups-memberUid
> sequence.bmrc-resolve-groups.040.search-open.variable = queryRFC2307ByMemberUid
>
> sequence.rfc2307-resolve-groups.020.call.name = bmrc-resolve-groups
>
> Regards,
> Callum
>
> On 4 Jun 2018, at 15:07, Callum Smith <[email protected]> wrote:
>
> Dear Ondra,
>
> I went for openldap-rfc2307 as that best describes our LDAP setup. The issue seems to be that the gidNumber is set, but users are not a member of their primary group within the LDAP. So, the user's gidNumber represents the primary group and posixGroup membership (memberUid) represents their secondary groups. What's the best way to approach this (fix the filters on the oVirt end or change the LDAP? This is a question of what is most compliant with standards really).
>
> Regards,
> Callum
>
> On 29 May 2018, at 11:29, Ondra Machacek <[email protected]> wrote:
>
> What's your LDAP and what profile did you choose? This looks like you have chosen an incorrect profile during setup. Are you sure you aren't using posix groups with a non-posix aaa profile? Sharing a debug log of ovirt-engine-extensions-tool would be helpful.
>
>
> On Fri, May 25, 2018, 10:04 AM Callum Smith <[email protected]> wrote:
>
>> Dear All,
>>
>> I'm having problems getting LDAP running, login works, but I'm getting "user is not authorised to perform login" - this is even if I specify the UserRole specifically to the LDAP group the user is in.
>>
>> 2018-05-25 08:56:16,212+01 INFO [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-23) [] User callum@Biomedical Research Computing successfully logged in with scopes: ovirt-app-admin ovirt-app-api ovirt-app-portal ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access
>> 2018-05-25 08:56:16,391+01 INFO [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-25) [63e60fe9] Running command: CreateUserSessionCommand internal: false.
>> 2018-05-25 08:56:16,430+01 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-25) [63e60fe9] EVENT_ID: USER_VDC_LOGIN_FAILED(114), User callum@Biomedical Research Computing connecting from '192.168.65.254' failed to log in<UNKNOWN>.
>> 2018-05-25 08:56:16,430+01 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-25) [] The user callum@Biomedical Research Computing is not authorized to perform login
>>
>>
>> On a side note: is it possible to assign permissions to all members of an LDAP tree where they don't have a common group membership?
>>
>> Regards,
>> Callum
>>
>> --
>>
>> Callum Smith
>> Research Computing Core
>> Wellcome Trust Centre for Human Genetics
>> University of Oxford
>> e.
>> [email protected]
>>
>> _______________________________________________
>> Users mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>>
_______________________________________________ Users mailing list -- [email protected] To unsubscribe send an email to [email protected] Privacy Statement: https://www.ovirt.org/site/privacy-policy/ oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/[email protected]/message/XCGOY6RHH3MT4V64EPFJDWIBRAQKUOBY/
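The group resolution the thread settles on (primary group from the user's gidNumber, secondary groups from posixGroup memberUid entries), as an added example that is not code from the thread or from ovirt-engine-extension-aaa-ldap. The DNs, group names and gidNumbers are constructed, and ldap_escape applies RFC 4515 escaping, which I assume is what the thread's `_encoded` variables provide.

```python
# Added example, not code from the thread or from ovirt-engine-extension-aaa-ldap.
# It applies the quoted search filter's logic to constructed entries: a POSIX
# user's primary group comes from the user's gidNumber, secondary groups from
# posixGroup entries whose memberUid lists the uid.

# Constructed stand-ins for LDAP search results (hypothetical DNs and ids).
USERS = {
    "uid=callum,ou=people,dc=example,dc=org": {"uid": "callum", "gidNumber": "5000"},
    "uid=alice,ou=people,dc=example,dc=org": {"uid": "alice", "gidNumber": "5001"},
}
GROUPS = [
    # callum's primary group: gidNumber matches, but no memberUid entry for him
    {"cn": "bmrc", "objectClass": ["posixGroup"], "gidNumber": "5000", "memberUid": []},
    {"cn": "hpc", "objectClass": ["posixGroup"], "gidNumber": "5001",
     "memberUid": ["callum", "alice"]},
    # not a posixGroup, so the objectClass clause must exclude it
    {"cn": "admins", "objectClass": ["groupOfNames"], "gidNumber": "5000",
     "memberUid": ["callum"]},
]


def ldap_escape(value):
    """RFC 4515 escaping of an assertion value (assumed to be what the thread's
    *_encoded variables provide), so a uid containing ')' or '*' cannot
    change the shape of the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def group_filter(uid, gid):
    """The filter string from the thread, with both values escaped."""
    return "(&(objectClass=posixGroup)(|(memberUid=%s)(gidNumber=%s)))" % (
        ldap_escape(uid), ldap_escape(gid))


def resolve_principal(dn):
    """The fetch-record steps: uid and gidNumber of the user's own record."""
    rec = USERS[dn]
    return rec["uid"], rec["gidNumber"]


def matches(entry, uid, gid, include_primary):
    """Evaluate the same predicate as group_filter() against one entry."""
    if "posixGroup" not in entry["objectClass"]:
        return False
    return uid in entry["memberUid"] or (include_primary and entry["gidNumber"] == gid)


def resolve_groups(dn, include_primary=True):
    """Group names for a user DN; include_primary=False reproduces a memberUid-only
    lookup, which misses the primary group as the thread describes."""
    uid, gid = resolve_principal(dn)
    return sorted(g["cn"] for g in GROUPS if matches(g, uid, gid, include_primary))
```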

