[ovirt-users] Can not configure with simple LDAP.
Hello,

I'm running oVirt Engine, OpenLDAP and BIND on the same machine, and running the oVirt host (hypervisor) on another machine.
I tried to configure OpenLDAP using ovirt-engine-extension-aaa-ldap, but no LDAP users can be searched or added from the Web Admin Portal.

CentOS release 6.5 (Final)
ovirt-engine.noarch 3.5.0-0.0.master.20140821064931.gitb794d66.el6
ovirt-engine-extension-aaa-ldap.noarch 0.0.0-0.0.master.20140904095149.gitc7bd415.el6
openldap-clients.x86_64 2.4.23-34.el6_5.1
openldap-servers.x86_64 2.4.23-34.el6_5.1
cyrus-sasl-gssapi.x86_64 2.1.23-13.el6_3.1
bind.x86_64 32:9.8.2-0.23.rc1.el6_5.1

My setup procedures:
---
# yum -y install openldap-servers openldap-clients
# yum -y install cyrus-sasl-gssapi
---
# rm -rf /etc/openldap/slapd.d
# rm -rf /var/lib/ldap/*
---
(Copy slapd.conf template)
# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
---
# vi /etc/openldap/slapd.conf
(snip)
# remove comment out
moduleload memberof.la
(snip)
# modify value
by dn.exact=cn=Manager,dc=rxc05271,dc=com read
(snip)
# add next two lines right under database definitions
authz-regexp gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth
    cn=Manager,dc=rxc05271,dc=com
(snip)
# modify value
suffix dc=rxc05271,dc=com
(snip)
# modify value
rootdn cn=Manager,dc=rxc05271,dc=com
(snip)
# remove comment out
rootpw secret
(snip)
# add next line to end of the file
overlay memberof
loglevel 4
---
(Enabling SSL/TLS)
# vi /etc/sysconfig/ldap
SLAPD_LDAPS=yes
---
(Enabling OpenLDAP log output)
# echo 'local4.* /var/log/ldap.log' > /etc/rsyslog.d/ldaplog.conf
# service rsyslog restart
---
# service slapd start
# chkconfig slapd on
---
# vi ldapconfig.ldif
dn: dc=rxc05271,dc=com
objectClass: dcObject
objectClass: organization
dc: rxc05271
o: RXC05271

dn: ou=Groups,dc=rxc05271,dc=com
objectclass: organizationalUnit
ou: Groups

dn: ou=Users,dc=rxc05271,dc=com
objectclass: organizationalUnit
ou: Users

dn: uid=tani,ou=Users,dc=rxc05271,dc=com
objectclass: inetOrgPerson
objectclass: uidObject
uid: tani
cn: Tani
givenName: Fumihide
mail: t...@rxc05271.com
sn: 0

dn: cn=Power-Users,ou=Groups,dc=rxc05271,dc=com
objectclass: groupOfNames
cn: Power-Users
member: uid=tani,ou=Users,dc=rxc05271,dc=com
---
# ldapadd -x -D cn=Manager,dc=rxc05271,dc=com -w secret -f ldapconfig.ldif
---
# vi setsasl.ldif
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,noplain,minssf=1
-
---
# ldapmodify -x -D cn=Manager,dc=rxc05271,dc=com -w secret -f setsasl.ldif
---
# ldapsearch -LL -Y EXTERNAL -H ldapi:/// '(uid=tani)' -b dc=rxc05271,dc=com memberOf
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
version: 1

dn: uid=tani,ou=Users,dc=rxc05271,dc=com
memberOf: cn=Power-Users,ou=Groups,dc=rxc05271,dc=com
---
# yum install ovirt-engine-extension-aaa-ldap
---
# vi /etc/ovirt-engine/extensions.d/authn-company.properties
ovirt.engine.extension.name = authn-company
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = rxc05271.com
ovirt.engine.aaa.authn.authz.plugin = authz-company
config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
---
# vi /etc/ovirt-engine/aaa/rxc05271.properties
include = openldap.properties
vars.user = cn=Manager,dc=rxc05271,dc=com
vars.password = 12345678
vars.server = ldap.rxc05271.com
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = /etc/openldap/certs/ldap.jks
pool.default.ssl.truststore.password = 12345678
Re: [ovirt-users] Can not configure with simple LDAP.
> - Original Message -
> From: Alon Bar-Lev alo...@redhat.com
> To: Fumihide Tani rxc05...@nifty.com
> Cc: users@ovirt.org
> Sent: Sunday, September 21, 2014 10:19:11 AM
> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>
> Hi,
>
> You need to create authz extension as well (authz-company).
>
> The configuration you provided is establishing authentication only (authn) which refers to authz-company but you did not add it.
>
> The terms are:
> 1. authn - who the user is.
> 2. authz - what user is permitted.
> 3. profile - combination of the two.
>
> -
> # vi /etc/ovirt-engine/extensions.d/authz-company.properties
> ovirt.engine.extension.name = authz-company
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension

Sorry: org.ovirt.engineextensions.aaa.ldap.AuthzExtension

> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
> --
>
> Regards,
> Alon

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
Re: [ovirt-users] Can not configure with simple LDAP.
Hi,

You need to create authz extension as well (authz-company).

The configuration you provided is establishing authentication only (authn) which refers to authz-company but you did not add it.

The terms are:
1. authn - who the user is.
2. authz - what user is permitted.
3. profile - combination of the two.

-
# vi /etc/ovirt-engine/extensions.d/authz-company.properties
ovirt.engine.extension.name = authz-company
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
--

Regards,
Alon
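The two mistakes this reply deals with (an authn extension naming an authz plugin that no file defines, and the `AuthnExtension` class pasted into the authz file) can be caught before the engine is restarted. The following is an added example, not code from the thread or from the oVirt project; the file contents are constructed from the values quoted above, and the rule that the class suffix must match the `provides` interface is an assumption drawn from this thread.

```python
# Added example: consistency check for oVirt engine AAA extension files.
# Sample contents are constructed from the values quoted in the thread.

AUTHN_API = "org.ovirt.engine.api.extensions.aaa.Authn"
AUTHZ_API = "org.ovirt.engine.api.extensions.aaa.Authz"
K_NAME = "ovirt.engine.extension.name"
K_CLASS = "ovirt.engine.extension.binding.jbossmodule.class"
K_PROVIDES = "ovirt.engine.extension.provides"
K_AUTHZ_REF = "ovirt.engine.aaa.authn.authz.plugin"

AUTHN = """\
ovirt.engine.extension.name = authn-company
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = rxc05271.com
ovirt.engine.aaa.authn.authz.plugin = authz-company
config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
"""

# The authz file exactly as first posted (class copied from the authn file).
AUTHZ_AS_POSTED = """\
ovirt.engine.extension.name = authz-company
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
"""

# The same file with the correction from the follow-up applied.
AUTHZ_CORRECTED = AUTHZ_AS_POSTED.replace("ldap.AuthnExtension", "ldap.AuthzExtension")


def parse_properties(text):
    """Parse the 'key = value' subset of Java .properties used in the thread."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_aaa_extensions(files):
    """Return a list of findings for a {file name: file text} mapping."""
    parsed = {fname: parse_properties(text) for fname, text in files.items()}
    by_name = {p[K_NAME]: p for p in parsed.values() if K_NAME in p}
    findings = []
    for fname in sorted(parsed):
        props = parsed[fname]
        provides = props.get(K_PROVIDES, "")
        role = provides.rsplit(".", 1)[-1]            # "Authn" or "Authz"
        cls = props.get(K_CLASS, "").rsplit(".", 1)[-1]
        # Assumed rule: an extension providing Authz is implemented by
        # AuthzExtension, one providing Authn by AuthnExtension.
        if provides in (AUTHN_API, AUTHZ_API) and cls != role + "Extension":
            findings.append(f"{fname}: provides {role} but class is {cls}")
        if provides != AUTHN_API:
            continue
        # Every authn extension must point at an authz extension that exists.
        ref = props.get(K_AUTHZ_REF)
        if ref is None:
            findings.append(f"{fname}: no {K_AUTHZ_REF} set")
        elif ref not in by_name:
            findings.append(f"{fname}: authz plugin '{ref}' is not defined")
        elif by_name[ref].get(K_PROVIDES) != AUTHZ_API:
            findings.append(f"{fname}: '{ref}' does not provide Authz")
    return findings


if __name__ == "__main__":
    cases = {
        "authn only": {"authn-company.properties": AUTHN},
        "authz as first posted": {"authn-company.properties": AUTHN,
                                  "authz-company.properties": AUTHZ_AS_POSTED},
        "authz corrected": {"authn-company.properties": AUTHN,
                            "authz-company.properties": AUTHZ_CORRECTED},
    }
    for label, files in cases.items():
        print(label, "->", check_aaa_extensions(files) or "ok")
```

To run it against a live engine, read the files under `/etc/ovirt-engine/extensions.d/` into the mapping instead of using the constructed samples.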
Re: [ovirt-users] Can not configure with simple LDAP.
Hi, Alon Very thanks for your help. My problem was solved and the AAA is working now. I could add LDAP user. :) Fumihide Tani
Re: [ovirt-users] Can not configure with simple LDAP.
> - Original Message -
> From: Fumihide Tani rxc05...@nifty.com
> To: Alon Bar-Lev alo...@redhat.com
> Cc: users@ovirt.org
> Sent: Sunday, September 21, 2014 11:11:11 AM
> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>
> Hi, Alon
>
> Very thanks for your help.
> My problem was solved and the AAA is working now. I could add LDAP user. :)

Great.
Can you please send me a patch or modified README to make it better?

Alon

> Fumihide Tani
[ovirt-users] ovirt loop delete vm which had been removed
Sep 20 16:42:56 whxg-pii-vm01 vdsm vm.Vm WARNING vmId=`ca86997d-a7b8-44df-b418-8e6d49ffebfb`::trying to set state to Powering down when already Down
Sep 20 16:42:56 whxg-pii-vm01 vdsm root ERROR Removing file: /var/lib/libvirt/qemu/channels/ca86997d-a7b8-44df-b418-8e6d49ffebfb.com.redhat.rhevm.vdsm failed#012Traceback (most recent call last):#012 File /usr/lib64/python2.6/site-packages/vdsm/utils.py, line 126, in rmFile#012 os.unlink(fileToRemove)#012OSError: [Errno 13] Permission denied: '/var/lib/libvirt/qemu/channels/ca86997d-a7b8-44df-b418-8e6d49ffebfb.com.redhat.rhevm.vdsm'
Sep 20 16:42:56 whxg-pii-vm01 vdsm vds ERROR unexpected error#012Traceback (most recent call last):#012 File /usr/share/vdsm/BindingXMLRPC.py, line 1070, in wrapper#012res = f(*args, **kwargs)#012 File /usr/share/vdsm/BindingXMLRPC.py, line 285, in vmDestroy#012return vm.destroy()#012 File /usr/share/vdsm/API.py, line 331, in destroy#012 res = v.destroy()#012 File /usr/share/vdsm/vm.py, line 4697, in destroy#012response = self.releaseVm()#012 File /usr/share/vdsm/vm.py, line 4663, in releaseVm#012self._cleanup()#012 File /usr/share/vdsm/vm.py, line 3028, in _cleanup#012 self._cleanupGuestAgent()#012 File /usr/share/vdsm/vm.py, line 2747, in _cleanupGuestAgent#012self._guestSockCleanup(self._guestSocketFile)#012 File /usr/share/vdsm/vm.py, line 3020, in _guestSockCleanup#012 utils.rmFile(sock)#012 File /usr/lib64/python2.6/site-packages/vdsm/utils.py, line 126, in rmFile#012 os.unlink(fileToRemove)#012OSError: [Errno 13] Permission denied: '/var/lib/libvirt/qemu/channels/ca86997d-a7b8-44df-b418-8e6d49ffebfb.com.redhat.rhevm.vdsm'
Sep 20 16:42:59 whxg-pii-vm01 vdsm vm.Vm WARNING vmId=`ca86997d-a7b8-44df-b418-8e6d49ffebfb`::trying to set state to Powering down when already Down
Sep 20 16:42:59 whxg-pii-vm01 vdsm root ERROR Removing file: /var/lib/libvirt/qemu/channels/ca86997d-a7b8-44df-b418-8e6d49ffebfb.com.redhat.rhevm.vdsm failed#012Traceback (most recent call last):#012 File /usr/lib64/python2.6/site-packages/vdsm/utils.py, line 126, in rmFile#012 os.unlink(fileToRemove)#012OSError: [Errno 13] Permission denied: '/var/lib/libvirt/qemu/channels/ca86997d-a7b8-44df-b418-8e6d49ffebfb.com.redhat.rhevm.vdsm'
Sep 20 16:42:59 whxg-pii-vm01 vdsm vds ERROR unexpected error#012Traceback (most recent call last):#012 File /usr/share/vdsm/BindingXMLRPC.py, line 1070, in wrapper#012res = f(*args, **kwargs)#012 File /usr/share/vdsm/BindingXMLRPC.py, line 285, in vmDestroy#012return vm.destroy()#012 File /usr/share/vdsm/API.py, line 331, in destroy#012 res = v.destroy()#012 File /usr/share/vdsm/vm.py, line 4697, in destroy#012response = self.releaseVm()#012 File /usr/share/vdsm/vm.py, line 4663, in releaseVm#012self._cleanup()#012 File /usr/share/vdsm/vm.py, line 3028, in _cleanup#012 self._cleanupGuestAgent()#012 File /usr/share/vdsm/vm.py, line 2747, in _cleanupGuestAgent#012self._guestSockCleanup(self._guestSocketFile)#012 File /usr/share/vdsm/vm.py, line 3020, in _guestSockCleanup#012 utils.rmFile(sock)#012 File /usr/lib64/python2.6/site-packages/vdsm/utils.py, line 126, in rmFile#012 os.unlink(fileToRemove)#012OSError: [Errno 13] Permission denied: '/var/lib/libvirt/qemu/channels/ca86997d-a7b8-44df-b418-8e6d49ffebfb.com.redhat.rhevm.vdsm'
Sep 20 16:43:02 whxg-pii-vm01 vdsm vm.Vm WARNING vmId=`ca86997d-a7b8-44df-b418-8e6d49ffebfb`::trying to set state to Powering down when already Down
Sep 20 16:43:02 whxg-pii-vm01 vdsm root ERROR Removing file: /var/lib/libvirt/qemu/channels/ca86997d-a7b8-44df-b418-8e6d49ffebfb.com.redhat.rhevm.vdsm failed#012Traceback (most recent call last):#012 File /usr/lib64/python2.6/site-packages/vdsm/utils.py, line 126, in rmFile#012 os.unlink(fileToRemove)#012OSError: [Errno 13] Permission denied: '/var/lib/libvirt/qemu/channels/ca86997d-a7b8-44df-b418-8e6d49ffebfb.com.redhat.rhevm.vdsm'
Sep 20 16:43:02 whxg-pii-vm01 vdsm vds ERROR unexpected error#012Traceback (most recent call last):#012 File /usr/share/vdsm/BindingXMLRPC.py, line 1070, in wrapper#012res = f(*args, **kwargs)#012 File /usr/share/vdsm/BindingXMLRPC.py, line 285, in vmDestroy#012return vm.destroy()#012 File /usr/share/vdsm/API.py, line 331, in destroy#012 res = v.destroy()#012 File /usr/share/vdsm/vm.py, line 4697, in destroy#012response = self.releaseVm()#012 File /usr/share/vdsm/vm.py, line 4663, in releaseVm#012self._cleanup()#012 File /usr/share/vdsm/vm.py, line 3028, in _cleanup#012 self._cleanupGuestAgent()#012 File /usr/share/vdsm/vm.py, line 2747, in _cleanupGuestAgent#012self._guestSockCleanup(self._guestSocketFile)#012 File /usr/share/vdsm/vm.py, line 3020, in _guestSockCleanup#012 utils.rmFile(sock)#012 File /usr/lib64/python2.6/site-packages/vdsm/utils.py, line 126, in rmFile#012 os.unlink(fileToRemove)#012OSError: [Errno 13] Permission denied:
Re: [ovirt-users] How to disconnect hosted-engine NFS storage pool?
> - Original Message -
> From: Ryan Groten ryan.gro...@stantec.com
> To: users@ovirt.org
> Sent: Friday, September 19, 2014 1:51:13 AM
> Subject: [ovirt-users] How to disconnect hosted-engine NFS storage pool?
>
> I want to unmount the hosted-engine NFS share without affecting all the other running VMs on the host. When I shutdown the hosted-engine and enable global maintenance, the storage pool is still mounted and I can’t unmount it because the “sanlock” process is using it.
>
> Is there any way to disconnect the storage pool? There is a hosted-engine --connect-storage option but I see nothing to disconnect it.
>
> Thanks,
> Ryan

Hi Ryan,

Hosted engine does not unmount the share since there may be other VMs using it (as a general rule). However this may deserve some additional thoughts. Do you mind opening an RFE for it?
[ovirt-users] connection noVNC via FireFox only?
Hi. Like subject this is only available on FireFox Browser? and as it is with Internet Explorer? -- G.Sz.
Re: [ovirt-users] Can not configure with simple LDAP.
Hi, Alon,

Following Alon's advice, I added authz-company.properties file to the configuration directory.
Then OpenLDAP users can be searched from oVirt Web admin, and I could add its users to the portal successfully.

But I have another problem.
These OpenLDAP users that I added can not login to ovirt web user portal.

User Name: Fumihide (This is shown on Web Admin Portal Users tab as First Name)
Password: (I specified it as OpenLDAP's userPassword for Fumihide)
Domain: rxc05271.com (I selected instead of internal)

?

Please advise me, it's so thankful.

Fumihide Tani
Re: [ovirt-users] Can not configure with simple LDAP.
> - Original Message -
> From: Fumihide Tani rxc05...@nifty.com
> To: Alon Bar-Lev alo...@redhat.com
> Cc: users@ovirt.org
> Sent: Sunday, September 21, 2014 6:00:48 PM
> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>
> Hi, Alon,
>
> Following Alon's advice, I added authz-company.properties file to the configuration directory.
> Then OpenLDAP users can be searched from oVirt Web admin, and I could add its users to the portal successfully.
>
> But I have another problem.
> These OpenLDAP users that I added can not login to ovirt web user portal.
>
> User Name: Fumihide (This is shown on Web Admin Portal Users tab as First Name)
> Password: (I specified it as OpenLDAP's userPassword for Fumihide)
> Domain: rxc05271.com (I selected instead of internal)
>
> ?

1. What error do you get at ui?

2. Please look at engine.log while attempting to login, if you see something helpful.

3. Please make sure that the following is a success:

$ ldapsearch -h HOST -x -W -D LOGIN_USER_DN -b BASE_DN uid=LOGIN_NAME

4. If working please modify /usr/share/ovirt-enigne/services/ovirt-enigne/ovirt-enigne.xml.in

--- file-handler name=ENGINE autoflush=true -level name=INFO/ -level name=FINEST/ snip + logger category=org.ovirt.engineextensions.aaa.ldap +level name=FINEST/ + /logger logger category=org.ovirt.engine.core.bll ---

Restart engine, attempt login, send me the output.

> Please advise me, it's so thankful.
>
> Fumihide Tani
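Review bot: the path in step 4 spells the directory and file name `ovirt-enigne` three times (`/usr/share/ovirt-enigne/services/ovirt-enigne/ovirt-enigne.xml.in`), while every other path in the thread uses `ovirt-engine`, so confirm the real file name on the engine host before editing. In the hunk itself both `level` lines under the `ENGINE` file handler carry a `-` prefix (`-level name=INFO/ -level name=FINEST/`), which as written removes the FINEST level instead of setting it; the second should be a `+` line. The element brackets are missing from every line as well, so the hunk cannot be applied as shown and has to be re-typed against the installed file.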
[ovirt-users] [oVirt 3.4.3] RDP Browser plug-in - SSO
Hi. I have a little problem with log-in to Windows VMs via SSO. When connect to VM in username field i get a example text /user@domain What going on with this sign / -- G.Sz.
Re: [ovirt-users] Can not configure with simple LDAP.
(2014/09/22 0:16), Alon Bar-Lev wrote:
>> - Original Message -
>> From: Fumihide Tani rxc05...@nifty.com
>> To: Alon Bar-Lev alo...@redhat.com
>> Cc: users@ovirt.org
>> Sent: Sunday, September 21, 2014 6:00:48 PM
>> Subject: Re: [ovirt-users] Can not configure with simple LDAP.
>>
>> Hi, Alon,
>>
>> Following Alon's advice, I added authz-company.properties file to the configuration directory.
>> Then OpenLDAP users can be searched from oVirt Web admin, and I could add its users to the portal successfully.
>>
>> But I have another problem.
>> These OpenLDAP users that I added can not login to ovirt web user portal.
>>
>> User Name: Fumihide (This is shown on Web Admin Portal Users tab as First Name)
>> Password: (I specified it as OpenLDAP's userPassword for Fumihide)
>> Domain: rxc05271.com (I selected instead of internal)
>>
>> ?
>
> 1. What error do you get at ui?

The user name or password is incorrect.

> 2. Please look at engine.log while attempting to login, if you see something helpful.

2014-09-22 09:53:27,669 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-2) Cant login user Fumihide with authentication profile rxc05271.com because the authentication failed.
2014-09-22 09:53:27,685 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide cannot login, please verify the username and password.
2014-09-22 09:53:27,693 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide failed to log in.
2014-09-22 09:53:27,693 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-2) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD

> 3. Please make sure that the following is a success:
>
> $ ldapsearch -h HOST -x -W -D LOGIN_USER_DN -b BASE_DN uid=LOGIN_NAME

[root@ovirt ~]# ldapsearch -H ldapi:/// -x -W -D uid=tani,ou=Users,dc=rxc05271,dc=com -b 'dc=rxc05271,dc=com' -x '(uid=tani)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base dc=rxc05271,dc=com with scope subtree
# filter: (uid=tani)
# requesting: ALL
#

# tani, Users, rxc05271.com
dn: uid=tani,ou=Users,dc=rxc05271,dc=com
objectClass: inetOrgPerson
objectClass: uidObject
uid: tani
cn: Fumihide Tani
givenName: Fumihide
mail: t...@rxc05271.com
sn: Tani
userPassword:: a3VtaXRhbg==

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@ovirt ~]#

> 4. If working please modify /usr/share/ovirt-enigne/services/ovirt-enigne/ovirt-enigne.xml.in
>
> --- file-handler name=ENGINE autoflush=true -level name=INFO/ -level name=FINEST/ snip + logger category=org.ovirt.engineextensions.aaa.ldap +level name=FINEST/ + /logger logger category=org.ovirt.engine.core.bll ---
>
> Restart engine, attempt login, send me the output.

2014-09-22 10:03:57,517 INFO [org.ovirt.engine.core.bll.aaa.LoginBaseCommand] (ajp--127.0.0.1-8702-7) Cant login user Fumihide with authentication profile rxc05271.com because the authentication failed.
2014-09-22 10:03:57,534 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-7) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide cannot login, please verify the username and password.
2014-09-22 10:03:57,545 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp--127.0.0.1-8702-7) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User Fumihide failed to log in.
2014-09-22 10:03:57,545 WARN [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-7) CanDoAction of action LoginUser failed. Reasons:USER_FAILED_TO_AUTHENTICATE_WRONG_USERNAME_OR_PASSWORD

(logger level is not changed to FINEST? outputs is same as above.)

Thanks,
Fumihide Tani
Re: [ovirt-users] Bug: Spice port changed!!!!!
Dear David:

I am trying figure it out using my way. So I used virsh edit vm, I change the port the 5980 5981, but still not work!!!
I found after virsh edit, there is a xml file here /etc/libvirt/qemu which I edit using virsh edit vm. And I also run this command: virsh define vm.xml also not work. Can you tell me where is the file I can fixed the spice port.

Sincerely yours,
PaulCheung
tel: 180-8882-7173

Subject: Re: [ovirt-users] Bug: Spice port changed!
From: dj...@redhat.com
To: eq2...@msn.com
CC: users@ovirt.org
Date: Thu, 18 Sep 2014 15:27:50 +0200

Hi,

2) is not a file, it's a key in engine-config
3) is a VDSM custom hook that needs to be in all the hypervisors in DC/Cluster

Follow vdsm custom hook documentation (I don't have a link from top of my head but web or ML archives will surely help).

David

On Thu, 2014-09-18 at 14:51 +0800, PaulCheung wrote:

Dear David,

Thank you for your help. Your answer is very professional. I still can't not find a way to stick with static port assignments. For I don't understand you telling me, 23, where I can find the file to modify?

However, if you _really_ want to stick with static port assignments, do the following:
1) designate the port range so that it doesn't collide with other ranges in use (e.g. RHEV uses 5900-6023, so 5800-5899 could be safe)
2) add a custom VM properties to the engine for setting of port and tls-port
3) add a vdsm hook to before_vm_start directory on each host that will add port and tlsPort parameters to the graphics element of libvirt domain xml

Sincerely yours,
PaulCheung
tel: 180-8882-7173

Subject: Re: [ovirt-users] Bug: Spice port changed!
From: dj...@redhat.com
To: eq2...@msn.com
CC: users@ovirt.org
Date: Wed, 17 Sep 2014 10:40:42 +0200

Hi Paul,

This behaviour is by design. It is a bad idea to override it.

A good approach to your problem would be to write a launcher script that would:
1) connect to the REST API
2) get the VM connection details
3) get new VM ticket
4) write this info down to a temporary .vv file [3]
5) launch remote-viewer

Some info how to use REST API is described here [1] and .vv file format is documented in virt-viewer sources [2].

Please note that [1] is a bit outdated:
* you can use HTTP header filter: true to be able to log in as non-admin
* you only have to use password login once when you use prefer: persistent-auth HTTP header and you send the cookie you got in a response to first request.

In the future, the steps 2-4 will become a one step of getting a ready-to-use .vv file from the API [3] but we aren't there yet.

[1] http://www.ovirt.org/How_to_Connect_to_SPICE_Console_Without_Portal
[2] https://git.fedorahosted.org/cgit/virt-viewer.git/tree/src/virt-viewer-file.c#n30
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1128763

However, if you _really_ want to stick with static port assignments, do the following:
1) designate the port range so that it doesn't collide with other ranges in use (e.g. RHEV uses 5900-6023, so 5800-5899 could be safe)
2) add a custom VM properties to the engine for setting of port and tls-port
3) add a vdsm hook to before_vm_start directory on each host that will add port and tlsPort parameters to the graphics element of libvirt domain xml

Best regards,
David

On St, 2014-09-17 at 10:41 +0800, PaulCheung wrote:

Dear all,

After shutdown the VM, then restart the VM the Vm's spice port is changed! Because I have 10 terminal ARM-Box running spice client connected to the vm, but after the VM shutdown and start again, the vm not the one which the one before.

I wish you can let us have a option, to let the VM with a fixed spice port, like:
vm1: spice port : 5900 tls:5901
vm2: 5902 5903

And I have another recommendation: have a function to do that: if the vm shutdown by user, it will start the VM automatic. That means the VM can not be shutdown!

I hope you can have this two function! That means a lot to those who are using Terminal box user like me.

I am sorry for my poor English. But I hope you all can understand what I am saying.

Sincerely yours,
PaulCheung
tel: 180-8882-7173
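Steps 1) and 3) of the static-port procedure quoted in this thread come down to one edit of the libvirt domain XML plus a range check. The following is an added example, not code from the thread or from vdsm; the custom property names `spice_port` and `spice_tls_port` and the sample domain XML are constructed for illustration, and a deployed hook would obtain and return the XML through vdsm's hooking module rather than as plain strings.

```python
# Added example: the XML edit a before_vm_start hook would make to pin the
# SPICE ports of one VM. Property names and sample XML are constructed.
import xml.dom.minidom

ALLOWED = range(5800, 5900)  # 5800-5899, the range proposed in the thread

# Constructed sample of a domain whose SPICE ports are auto-allocated.
SAMPLE_DOMXML = (
    "<domain type='kvm'><name>vm1</name><devices>"
    "<graphics type='spice' port='-1' tlsPort='-1' autoport='yes'/>"
    "</devices></domain>"
)


def pin_spice_ports(domxml, env):
    """Return domain XML with static port/tlsPort on the SPICE graphics element.

    env is the hook's environment mapping, where vdsm exposes custom VM
    properties. The names spice_port and spice_tls_port are hypothetical.
    """
    if "spice_port" not in env and "spice_tls_port" not in env:
        return domxml  # no static assignment requested: keep autoport
    try:
        port = int(env["spice_port"])
        tls_port = int(env["spice_tls_port"])
    except (KeyError, ValueError):
        raise ValueError("spice_port and spice_tls_port must both be integers")
    if port == tls_port:
        raise ValueError("port and tlsPort must differ")
    for value in (port, tls_port):
        # Refuse anything outside the designated range so a typo cannot
        # land on a port the engine allocates dynamically.
        if value not in ALLOWED:
            raise ValueError(
                "port %d outside %d-%d" % (value, ALLOWED[0], ALLOWED[-1]))
    dom = xml.dom.minidom.parseString(domxml)
    for graphics in dom.getElementsByTagName("graphics"):
        if graphics.getAttribute("type") == "spice":
            graphics.setAttribute("autoport", "no")
            graphics.setAttribute("port", str(port))
            graphics.setAttribute("tlsPort", str(tls_port))
    return dom.toxml()


def spice_attrs(domxml):
    """Return (autoport, port, tlsPort) of the SPICE element, or None."""
    dom = xml.dom.minidom.parseString(domxml)
    for graphics in dom.getElementsByTagName("graphics"):
        if graphics.getAttribute("type") == "spice":
            return tuple(graphics.getAttribute(name)
                         for name in ("autoport", "port", "tlsPort"))
    return None


if __name__ == "__main__":
    pinned = pin_spice_ports(
        SAMPLE_DOMXML, {"spice_port": "5810", "spice_tls_port": "5811"})
    print(spice_attrs(pinned))
```

The function checks only the range; keeping the assignments unique across VMs that can run on the same host is left to whoever sets the properties.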
[ovirt-users] [oVirt 3.4.3] Problem with connect VMs via RDP+Browser plug-in
Hi, like subject I have a problem with connect VM (only Windows type Desktop) I get an Error: Error connecting to Virtual Machine using RPD: DNS Lookup Failed G.Sz.