Re: [ovirt-users] oVirt 3.6 AAA LDAP cannot not log in when end of UPN is different from domain base

2016-03-26 Thread Ondra Machacek

On 03/26/2016 02:09 PM, Karli Sjöberg wrote:



On 26 Mar 2016, at 13:49, Karli Sjöberg > wrote:



On 26 Mar 2016, at 11:35, Ondra Machacek > wrote:

For me it's working completely fine:

...
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@DOMAINX.com

config.mapUser.regex.mustMatch = false
...

$ ovirt-engine-extensions-tool aaa login-user
--password=pass:password --user-name=user@DOMAINY --profile=ad

INFOAPI: -->Mapping.InvokeCommands.MAP_USER profile='ad'
user='user@DOMAINY'
INFOAPI: <--Mapping.InvokeCommands.MAP_USER profile='ad'
user='user@DOMAINY'

$ ovirt-engine-extensions-tool aaa login-user
--password=pass:password --user-name=user --profile=ad

INFOAPI: -->Mapping.InvokeCommands.MAP_USER profile='ad' user='user'
INFOAPI: <--Mapping.InvokeCommands.MAP_USER profile='ad'
user='u...@domainx.com '

As you can see it's correctly mapped.

Please check once again the regex is correct, if it still won't work,
please send log output again.


/etc/ovirt-engine/extensions.d/mapping-suffix.properties:
ovirt.engine.extension.name = mapping-suffix
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module =
org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class
= org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides =
org.ovirt.engine.api.extensions.aaa.Mapping
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@foo.bar
config.mapUser.regex.mustMatch = false

# ovirt-engine-extensions-tool --log-level=FINEST aaa login-user
--profile=baz.foo.bar-new --user-name=u...@baz.foo.bar

# grep Mapping.InvokeCommands.MAP_USER login.log
2016-03-26 13:27:40 INFOAPI: -->Mapping.InvokeCommands.MAP_USER
user='u...@baz.foo.bar '
2016-03-26 13:27:40 INFOAPI: <--Mapping.InvokeCommands.MAP_USER
user='u...@baz.foo.bar '

And here is the log:
https://dropoff.slu.se/index.php/s/SK9T8vOUO7yB3PM/download

/K


Eureka! I changed ‘vars.user’ in ‘baz.foo.bar-new.properties’ from one
with suffix ‘@baz.foo.bar’ to mine that has a ‘@foo.bar’ ending and now
it works, for some reason. Very strange, but anyway... How do I go about
changing from UPN to samAccountName, if I´d want that instead?


Well, we support only UPN, because sam supports only 15 characters in
username.




/K





On 03/26/2016 10:07 AM, Karli Sjöberg wrote:

What the heck, my message disappears! Trying again.

Ok, so it's mapping now but the only thing working is:
config.mapUser.regex.pattern = u...@baz.foo.bar
config.mapUser.regex.replacement = u...@foo.bar

And that isn't very useful. Please advise!

/K

On 03/25/2016 12:26 AM, Karli Sjöberg wrote:


On 25 March 2016 at 12:10 AM, Karli Sjöberg wrote:
 >
 >
 > On 24 March 2016 at 11:26 PM, Ondra Machacek wrote:
 > >
 > > On 03/24/2016 11:14 PM, Karli Sjöberg wrote:
 > > >
 > > > On 24 March 2016 at 7:26 PM, Ondra Machacek wrote:
 > > >  >
 > > >  > On 03/24/2016 06:16 PM, Karli Sjöberg wrote:
 > > >  > > Hi!
 > > >  > >
 > > >  > >
 > > >  > > Starting new thread instead of jacking someone else´s.
 > > >  > >
 > > >  > >
 > > >  > > Managed to migrate from old 'engine-manage-domains' auth to
 > > > aaa-ldap using:
 > > >  > >
 > > >  > > #| ovirt-engine-kerbldap-migration-tool --domain
baz.foo.bar
--cacert
 > > >  > > /tmp/ca.crt --apply
 > > >  > > |
 > > >  > >
 > > >  > >
 > > >  > > All OK, no errors, but cannot log in:
 > > >  > >
 > > >  > > # ovirt-engine-extensions-tool aaa login-user
--profile=baz.foo.bar-new
 > > >  > > --user-name=user:
 > > >  >
 > > >  > If you want to login with user with different upn suffix,
then
just
 > > >  > append that suffix
 > > >  >
 > > >  > $ ovirt-engine-extensions-tool aaa login-user
--profile=baz.foo.bar-new
 > > >  > --user-name=u...@foo.bar 
 > > >
 > > > OK, some progress, that works!
 > > >
 > > >  >
 > > >  > If you have more suffixes and want to have some as
default you
can use
 > > >  > following approach:
 > > >  >
 > > >  > 1) install ovirt-engine-extension-aaa-misc
 > > >  >
 > > >  > 2) create new mapping extension like this:
 > > >  > /etc/ovirt-engine/extensions.d/mapping-suffix.properties
 > > >  >
 > > >  > ovirt.engine.extension.name = mapping-suffix
 > > >  > ovirt.engine.extension.bindings.method = jbossmodule
 > > >  > ovirt.engine.extension.binding.jbossmodule.module =
 > > >  > org.ovirt.engine-extensions.aaa.misc
 > > >  > 

Re: [ovirt-users] Error Installing Self hosted Engine on Centos 7

2016-03-26 Thread Modou Conteh
Thanks for your response, No I have not tried that but I was able to use the
iso image and install the vm but when the vm starts it does not have
internet connection even after configuring eth0 with a valid ip address.  I
decided to start over but there is no easy way to start over. Also the disk
that was used for installing the VM could not be reused even though there
is plenty of space on it.  It seems it says it could not be initialized, I
had to delete the raid config and re-add it through the BIOS setup to
be able to reuse the disk.
I am trying again one more time and see.  I hope there is a way to make the
disk available again after a failed setup instead of the above mentioned
method.

Thanks
On Mar 25, 2016 04:01, "Simone Tiraboschi"  wrote:

> On Wed, Mar 23, 2016 at 8:15 PM, Modou Conteh
>  wrote:
> >
> > I am seeking some assistance installing Ovirt Self hosted Engine, but I
> keep getting an error at the end "System not stable or unable to read
> dev/mapper etc.  here is the log file from my last try.  I am testing this
> for use at work as a test environment, there I have a single server to run
> this on the reason I choose the Self Hosted Engine.  I guess the
> instructions is not clear either, i.e when i try to disk install with CentOS
> OVA I get an error, and finally when I choose the cdrom it work fine until
> the end and fail to initialize /dev/mapper, etc.
> > Any assistance will be highly appreciated.
> >
>
> Did you try running
>  yum install ovirt-engine-appliance
> ?
>
> It will download a ready to use Centos base appliance with oVirt engine on
> it.
>
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


[ovirt-users] oVirt Browser Not Optimal

2016-03-26 Thread Andrew Pease
I know this has been mentioned several times, but I'm unable to find a
solution.

On my Mac, I've tried Firefox, Chrome, Safari
On Linux, I've tried Iceweasel and Firefox
On Windows, I've tried Edge

All of these state that the browser is not optimal and things either never
render, or in the case of FF, render after about 2-3 minutes per click.
Beyond the occasional break in speed, the browsers are completely
inoperational.

I'm at the end of the "oVirt Installation" in the oVirt Quick Start Guide (
https://www.ovirt.org/documentation/quickstart/quickstart-guide/). There's
a lot of mention around Spice, but I think that's something further down
the road after I can interact with the Engine portal.

Any help would be appreciated on figuring out what secret handshake is
needed to get a usable browser

oVirt Engine:
Version 3.6.3.4-1.el7.centos
CentOS 7.2

Thanks in advance.


Re: [ovirt-users] Delete Failed to update OVF disks, OVF data isn't updated on those OVF stores (Data Center Default, Storage Domain hostedengine_nfs).

2016-03-26 Thread Maor Lipchuk
Hi Paul,

Can you please update whether the upgrade for 3.6.4 has helped.
Regarding the OVF_STORE disks, those disks should not be deleted since
deleting them might reflect on the Disaster Recovery scenarios

Regards,
Maor

On Thu, Mar 24, 2016 at 10:10 PM, Paul Groeneweg | Pazion 
wrote:

> I believe my problem is related to this bug
> https://bugzilla.redhat.com/show_bug.cgi?id=1303316
>
> As you can see in the screenshot the hostedengine storage is unassigned
> and so both ovf_stores are OK, but not linked and therefore  can't be
> updated?!
>
> So for now I guess I'll wait for update 3.6.4 and cross my fingers and
> updates solves the event log error.
>
> On Thu 24 Mar 2016 at 20:15, Paul Groeneweg | Pazion <
> p...@pazion.nl> wrote:
>
>> I checked, the OVf, but I can only remove the OVF.
>>
>> http://screencast.com/t/vCx0CQiXm
>>
>> What happens when I remove them, is it safe?
>>
>> I checked agent.log and do not see the errors there
>>
>> MainThread::INFO::2016-03-24
>> 20:12:28,154::image::116::ovirt_hosted_engine_ha.lib.image.Image::(prepare_images)
>> Preparing images
>>
>> MainThread::INFO::2016-03-24
>> 20:12:28,811::hosted_engine::684::ovirt_hosted_engine_ha.agent.hosted_engine.HostedEngine::(_initialize_storage_images)
>> Reloading vm.conf from the shared storage domain
>>
>> MainThread::INFO::2016-03-24
>> 20:12:28,811::config::205::ovirt_hosted_engine_ha.agent.hosted_engine.HostedEngine.config::(refresh_local_conf_file)
>> Trying to get a fresher copy of vm configuration from the OVF_STORE
>>
>> MainThread::INFO::2016-03-24
>> 20:12:28,936::ovf_store::100::ovirt_hosted_engine_ha.lib.ovf.ovf_store.OVFStore::(scan)
>> Found OVF_STORE: imgUUID:18c50ea6-4654-4525-b241-09e15acf5e99,
>> volUUID:2f2ccb59-a3f3-43bf-87eb-53595af01cf5
>>
>> MainThread::INFO::2016-03-24
>> 20:12:29,147::ovf_store::100::ovirt_hosted_engine_ha.lib.ovf.ovf_store.OVFStore::(scan)
>> Found OVF_STORE: imgUUID:6e14348b-af7a-49bc-9af2-8b703c17a53d,
>> volUUID:fabdd6f4-b8d6-4ffe-889c-df86b34619ca
>>
>> MainThread::INFO::2016-03-24
>> 20:12:29,420::ovf_store::109::ovirt_hosted_engine_ha.lib.ovf.ovf_store.OVFStore::(getEngineVMOVF)
>> Extracting Engine VM OVF from the OVF_STORE
>>
>> MainThread::INFO::2016-03-24
>> 20:12:29,580::ovf_store::116::ovirt_hosted_engine_ha.lib.ovf.ovf_store.OVFStore::(getEngineVMOVF)
>> OVF_STORE volume path: /rhev/data-center/mnt/hostedstorage.pazion.nl:
>> _opt_hosted-engine/88b69eba-ef4f-4dbe-ba53-20dadd424d0e/images/6e14348b-af7a-49bc-9af2-8b703c17a53d/fabdd6f4-b8d6-4ffe-889c-df86b34619ca
>>
>> MainThread::INFO::2016-03-24
>> 20:12:29,861::config::225::ovirt_hosted_engine_ha.agent.hosted_engine.HostedEngine.config::(refresh_local_conf_file)
>> Found an OVF for HE VM, trying to convert
>>
>> MainThread::INFO::2016-03-24
>> 20:12:29,865::config::230::ovirt_hosted_engine_ha.agent.hosted_engine.HostedEngine.config::(refresh_local_conf_file)
>> Got vm.conf from OVF_STORE
>>
>> MainThread::INFO::2016-03-24
>> 20:12:29,997::hosted_engine::462::ovirt_hosted_engine_ha.agent.hosted_engine.HostedEngine::(start_monitoring)
>> Current state EngineUp (score: 3400)
>>
>>
>> So leaves me wondering if I should worry about the errors in the event
>> log.
>>
>>
>>
>> On Thu 24 Mar 2016 at 16:18, Paul Groeneweg | Pazion <
>> p...@pazion.nl> wrote:
>>
>>>
>>> These OVF stores are created on my hosted-engine storage instance. I did
>>> not found any reference in the hosted-engine.conf, so you are sure they
>>> can't be deleted?
>>>
>>> So it holds only info about the hosted-engine disk? So when detaching,
>>> do I have any risk destroying my hosted-engine?
>>>
>>> I can just detach them in this screen:
>>> http://screencast.com/t/ymnzsNHj7e and then re-attach?
>>>
>>> I check file permissions, but this looked good compared to the other
>>> images. So really strange this eventlog.
>>>
>>> Regards,
>>> Paul
>>>
>>>
>>> On Thu 24 Mar 2016 at 10:01, Maor Lipchuk wrote:
>>>
 Kind regards,

 Paul Groeneweg
 Pazion
 Webdevelopment  -  Hosting  -  Apps

 T +31 26 3020038
 M +31 614 277 577
 E  p...@pazion.nl


 On Thu, Mar 24, 2016 at 12:12 AM, Paul Groeneweg | Pazion <
 p...@pazion.nl> wrote:

>
> After the 3.6 updates ( which didn't go without a hitch )

Re: [ovirt-users] oVirt 3.6 AAA LDAP cannot not log in when end of UPN is different from domain base

2016-03-26 Thread Karli Sjöberg

On 26 Mar 2016, at 13:49, Karli Sjöberg 
> wrote:


On 26 Mar 2016, at 11:35, Ondra Machacek 
> wrote:

For me it's working completely fine:

...
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@DOMAINX.com
config.mapUser.regex.mustMatch = false
...

$ ovirt-engine-extensions-tool aaa login-user --password=pass:password 
--user-name=user@DOMAINY --profile=ad

INFOAPI: -->Mapping.InvokeCommands.MAP_USER profile='ad' user='user@DOMAINY'
INFOAPI: <--Mapping.InvokeCommands.MAP_USER profile='ad' user='user@DOMAINY'

$ ovirt-engine-extensions-tool aaa login-user --password=pass:password 
--user-name=user --profile=ad

INFOAPI: -->Mapping.InvokeCommands.MAP_USER profile='ad' user='user'
INFOAPI: <--Mapping.InvokeCommands.MAP_USER profile='ad' 
user='u...@domainx.com'

As you can see it's correctly mapped.

Please check once again the regex is correct, if it still won't work, please 
send log output again.

/etc/ovirt-engine/extensions.d/mapping-suffix.properties:
ovirt.engine.extension.name = mapping-suffix
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = 
org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = 
org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@foo.bar
config.mapUser.regex.mustMatch = false

# ovirt-engine-extensions-tool --log-level=FINEST aaa login-user 
--profile=baz.foo.bar-new 
--user-name=u...@baz.foo.bar
# grep Mapping.InvokeCommands.MAP_USER login.log
2016-03-26 13:27:40 INFOAPI: -->Mapping.InvokeCommands.MAP_USER 
user='u...@baz.foo.bar'
2016-03-26 13:27:40 INFOAPI: <--Mapping.InvokeCommands.MAP_USER 
user='u...@baz.foo.bar'

And here is the log:
https://dropoff.slu.se/index.php/s/SK9T8vOUO7yB3PM/download

/K

Eureka! I changed ‘vars.user’ in ‘baz.foo.bar-new.properties’ from one with 
suffix ‘@baz.foo.bar’ to mine that has a ‘@foo.bar’ ending and now it works, 
for some reason. Very strange, but anyway... How do I go about changing from 
UPN to samAccountName, if I´d want that instead?

/K



On 03/26/2016 10:07 AM, Karli Sjöberg wrote:
What the heck, my message disappears! Trying again.

Ok, so it's mapping now but the only thing working is:
config.mapUser.regex.pattern = u...@baz.foo.bar
config.mapUser.regex.replacement = u...@foo.bar

And that isn't very useful. Please advise!

/K

On 03/25/2016 12:26 AM, Karli Sjöberg wrote:

On 25 March 2016 at 12:10 AM, Karli Sjöberg wrote:
 >
 >
 > On 24 March 2016 at 11:26 PM, Ondra Machacek wrote:
 > >
 > > On 03/24/2016 11:14 PM, Karli Sjöberg wrote:
 > > >
 > > > On 24 March 2016 at 7:26 PM, Ondra Machacek wrote:
 > > >  >
 > > >  > On 03/24/2016 06:16 PM, Karli Sjöberg wrote:
 > > >  > > Hi!
 > > >  > >
 > > >  > >
 > > >  > > Starting new thread instead of jacking someone else´s.
 > > >  > >
 > > >  > >
 > > >  > > Managed to migrate from old 'engine-manage-domains' auth to
 > > > aaa-ldap using:
 > > >  > >
 > > >  > > #| ovirt-engine-kerbldap-migration-tool --domain baz.foo.bar
--cacert
 > > >  > > /tmp/ca.crt --apply
 > > >  > > |
 > > >  > >
 > > >  > >
 > > >  > > All OK, no errors, but cannot log in:
 > > >  > >
 > > >  > > # ovirt-engine-extensions-tool aaa login-user
--profile=baz.foo.bar-new
 > > >  > > --user-name=user:
 > > >  >
 > > >  > If you want to login with user with different upn suffix, then
just
 > > >  > append that suffix
 > > >  >
 > > >  > $ ovirt-engine-extensions-tool aaa login-user
--profile=baz.foo.bar-new
 > > >  > --user-name=u...@foo.bar
 > > >
 > > > OK, some progress, that works!
 > > >
 > > >  >
 > > >  > If you have more suffixes and want to have some as default you
can use
 > > >  > following approach:
 > > >  >
 > > >  > 1) install ovirt-engine-extension-aaa-misc
 > > >  >
 > > >  > 2) create new mapping extension like this:
 > > >  > /etc/ovirt-engine/extensions.d/mapping-suffix.properties
 > > >  >
 > > >  > ovirt.engine.extension.name = mapping-suffix
 > > >  > ovirt.engine.extension.bindings.method = jbossmodule
 > > >  > ovirt.engine.extension.binding.jbossmodule.module =
 > > >  > org.ovirt.engine-extensions.aaa.misc
 > > >  > ovirt.engine.extension.binding.jbossmodule.class =
 > > >  > org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
 > > >  

Re: [ovirt-users] oVirt 3.6 AAA LDAP cannot not log in when end of UPN is different from domain base

2016-03-26 Thread Karli Sjöberg

On 26 Mar 2016, at 11:35, Ondra Machacek 
> wrote:

For me it's working completely fine:

...
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@DOMAINX.com
config.mapUser.regex.mustMatch = false
...

$ ovirt-engine-extensions-tool aaa login-user --password=pass:password 
--user-name=user@DOMAINY --profile=ad

INFOAPI: -->Mapping.InvokeCommands.MAP_USER profile='ad' user='user@DOMAINY'
INFOAPI: <--Mapping.InvokeCommands.MAP_USER profile='ad' user='user@DOMAINY'

$ ovirt-engine-extensions-tool aaa login-user --password=pass:password 
--user-name=user --profile=ad

INFOAPI: -->Mapping.InvokeCommands.MAP_USER profile='ad' user='user'
INFOAPI: <--Mapping.InvokeCommands.MAP_USER profile='ad' 
user='u...@domainx.com'

As you can see it's correctly mapped.

Please check once again the regex is correct, if it still won't work, please 
send log output again.

/etc/ovirt-engine/extensions.d/mapping-suffix.properties:
ovirt.engine.extension.name = mapping-suffix
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = 
org.ovirt.engine-extensions.aaa.misc
ovirt.engine.extension.binding.jbossmodule.class = 
org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Mapping
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@foo.bar
config.mapUser.regex.mustMatch = false

# ovirt-engine-extensions-tool --log-level=FINEST aaa login-user 
--profile=baz.foo.bar-new 
--user-name=u...@baz.foo.bar
# grep Mapping.InvokeCommands.MAP_USER login.log
2016-03-26 13:27:40 INFOAPI: -->Mapping.InvokeCommands.MAP_USER 
user='u...@baz.foo.bar'
2016-03-26 13:27:40 INFOAPI: <--Mapping.InvokeCommands.MAP_USER 
user='u...@baz.foo.bar'

And here is the log:
https://dropoff.slu.se/index.php/s/SK9T8vOUO7yB3PM/download

/K


On 03/26/2016 10:07 AM, Karli Sjöberg wrote:
What the heck, my message disappears! Trying again.

Ok, so it's mapping now but the only thing working is:
config.mapUser.regex.pattern = u...@baz.foo.bar
config.mapUser.regex.replacement = u...@foo.bar

And that isn't very useful. Please advise!

/K

On 03/25/2016 12:26 AM, Karli Sjöberg wrote:

On 25 March 2016 at 12:10 AM, Karli Sjöberg wrote:
 >
 >
 > On 24 March 2016 at 11:26 PM, Ondra Machacek wrote:
 > >
 > > On 03/24/2016 11:14 PM, Karli Sjöberg wrote:
 > > >
 > > > On 24 March 2016 at 7:26 PM, Ondra Machacek wrote:
 > > >  >
 > > >  > On 03/24/2016 06:16 PM, Karli Sjöberg wrote:
 > > >  > > Hi!
 > > >  > >
 > > >  > >
 > > >  > > Starting new thread instead of jacking someone else´s.
 > > >  > >
 > > >  > >
 > > >  > > Managed to migrate from old 'engine-manage-domains' auth to
 > > > aaa-ldap using:
 > > >  > >
 > > >  > > #| ovirt-engine-kerbldap-migration-tool --domain baz.foo.bar
--cacert
 > > >  > > /tmp/ca.crt --apply
 > > >  > > |
 > > >  > >
 > > >  > >
 > > >  > > All OK, no errors, but cannot log in:
 > > >  > >
 > > >  > > # ovirt-engine-extensions-tool aaa login-user
--profile=baz.foo.bar-new
 > > >  > > --user-name=user:
 > > >  >
 > > >  > If you want to login with user with different upn suffix, then
just
 > > >  > append that suffix
 > > >  >
 > > >  > $ ovirt-engine-extensions-tool aaa login-user
--profile=baz.foo.bar-new
 > > >  > --user-name=u...@foo.bar
 > > >
 > > > OK, some progress, that works!
 > > >
 > > >  >
 > > >  > If you have more suffixes and want to have some as default you
can use
 > > >  > following approach:
 > > >  >
 > > >  > 1) install ovirt-engine-extension-aaa-misc
 > > >  >
 > > >  > 2) create new mapping extension like this:
 > > >  > /etc/ovirt-engine/extensions.d/mapping-suffix.properties
 > > >  >
 > > >  > ovirt.engine.extension.name = mapping-suffix
 > > >  > ovirt.engine.extension.bindings.method = jbossmodule
 > > >  > ovirt.engine.extension.binding.jbossmodule.module =
 > > >  > org.ovirt.engine-extensions.aaa.misc
 > > >  > ovirt.engine.extension.binding.jbossmodule.class =
 > > >  > org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
 > > >  > ovirt.engine.extension.provides =
 > > >  > org.ovirt.engine.api.extensions.aaa.Mapping
 > > >  > config.mapUser.type = regex
 > > >  > config.mapUser.pattern = ^(?<user>[^@]*)$
 > > >
 > > > Is that supposed to really say '<user>' or should it be changed to a
 > > > real user name? Either way, it doesn't work, I tried it all.
 > >
 > > '?<user>' is just a named group in that regex so you can later use it in
 > > 'config.mapUser.replacement'  option. It should take 

Re: [ovirt-users] oVirt 3.6 AAA LDAP cannot not log in when end of UPN is different from domain base

2016-03-26 Thread Ondra Machacek

For me it's working completely fine:

...
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@DOMAINX.com
config.mapUser.regex.mustMatch = false
...

$ ovirt-engine-extensions-tool aaa login-user --password=pass:password 
--user-name=user@DOMAINY --profile=ad


 INFOAPI: -->Mapping.InvokeCommands.MAP_USER profile='ad' 
user='user@DOMAINY'
 INFOAPI: <--Mapping.InvokeCommands.MAP_USER profile='ad' 
user='user@DOMAINY'


$ ovirt-engine-extensions-tool aaa login-user --password=pass:password 
--user-name=user --profile=ad


 INFOAPI: -->Mapping.InvokeCommands.MAP_USER profile='ad' user='user'
 INFOAPI: <--Mapping.InvokeCommands.MAP_USER profile='ad' 
user='u...@domainx.com'


As you can see it's correctly mapped.

Please check once again the regex is correct, if it still won't work, 
please send log output again.


On 03/26/2016 10:07 AM, Karli Sjöberg wrote:

What the heck, my message disappears! Trying again.

Ok, so it's mapping now but the only thing working is:
config.mapUser.regex.pattern = u...@baz.foo.bar
config.mapUser.regex.replacement = u...@foo.bar

And that isn't very useful. Please advise!

/K

On 03/25/2016 12:26 AM, Karli Sjöberg wrote:


On 25 March 2016 at 12:10 AM, Karli Sjöberg wrote:
  >
  >
  > On 24 March 2016 at 11:26 PM, Ondra Machacek wrote:
  > >
  > > On 03/24/2016 11:14 PM, Karli Sjöberg wrote:
  > > >
  > > > On 24 March 2016 at 7:26 PM, Ondra Machacek wrote:
  > > >  >
  > > >  > On 03/24/2016 06:16 PM, Karli Sjöberg wrote:
  > > >  > > Hi!
  > > >  > >
  > > >  > >
  > > >  > > Starting new thread instead of jacking someone else´s.
  > > >  > >
  > > >  > >
  > > >  > > Managed to migrate from old 'engine-manage-domains' auth to
  > > > aaa-ldap using:
  > > >  > >
  > > >  > > #| ovirt-engine-kerbldap-migration-tool --domain baz.foo.bar
--cacert
  > > >  > > /tmp/ca.crt --apply
  > > >  > > |
  > > >  > >
  > > >  > >
  > > >  > > All OK, no errors, but cannot log in:
  > > >  > >
  > > >  > > # ovirt-engine-extensions-tool aaa login-user
--profile=baz.foo.bar-new
  > > >  > > --user-name=user:
  > > >  >
  > > >  > If you want to login with user with different upn suffix, then
just
  > > >  > append that suffix
  > > >  >
  > > >  > $ ovirt-engine-extensions-tool aaa login-user
--profile=baz.foo.bar-new
  > > >  > --user-name=u...@foo.bar
  > > >
  > > > OK, some progress, that works!
  > > >
  > > >  >
  > > >  > If you have more suffixes and want to have some as default you
can use
  > > >  > following approach:
  > > >  >
  > > >  > 1) install ovirt-engine-extension-aaa-misc
  > > >  >
  > > >  > 2) create new mapping extension like this:
  > > >  > /etc/ovirt-engine/extensions.d/mapping-suffix.properties
  > > >  >
  > > >  > ovirt.engine.extension.name = mapping-suffix
  > > >  > ovirt.engine.extension.bindings.method = jbossmodule
  > > >  > ovirt.engine.extension.binding.jbossmodule.module =
  > > >  > org.ovirt.engine-extensions.aaa.misc
  > > >  > ovirt.engine.extension.binding.jbossmodule.class =
  > > >  > org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
  > > >  > ovirt.engine.extension.provides =
  > > >  > org.ovirt.engine.api.extensions.aaa.Mapping
  > > >  > config.mapUser.type = regex
  > > >  > config.mapUser.pattern = ^(?<user>[^@]*)$
  > > >
  > > > Is that supposed to really say '<user>' or should it be changed to a
  > > > real user name? Either way, it doesn't work, I tried it all.
  > >
  > > '?<user>' is just a named group in that regex so you can later use it in
  > > 'config.mapUser.replacement'  option. It should take everything until
  > > first '@'.
  > >
  > > >
  > > >  > config.mapUser.replacement = ${user}@foo.bar
  > > >  > config.mapUser.mustMatch = false
  > > >  >
  > > >  > 3) select a mapping plugin in authn configuration:
  > > >  >
  > > >  > ovirt.engine.aaa.authn.mapping.plugin = mapping-suffix
  > > >  >
  > > >  > With above configuration in use, your user 'user' will be
mapped to
  > > >  > user 'u...@foo.bar'
  > > >  > and users 'u...@anotherdomain.foo.bar' will remain
  > > >  > 'u...@anotherdomain.foo.bar'.
  > > >
  > > > This however does not, it doesn't replace the suffix as it's supposed
  > > > to. I tried with many different types of the 'mapUser.pattern' but it
  > > > simply won't change it, even if I type in '= ^u...@baz.foo.bar$', the
  > > > error is the same:(
  > >
  > > Hmm, hard to say what's wrong, try to run:
  > > $ ovirt-engine-extensions-tool --log-level=FINEST aaa login-user
  > > --profile=baz.foo.bar-new --user-name=user
  > >
  > > and search for a mapping part in log.
  >
  > Wow what a mouthful:) Can you make anything out of it?
  >
  > https://dropoff.slu.se/index.php/s/EMe2NPmOfsWCNTv/download
  >
  > /K

Just noticed after logging in to webadmin as "u...@foo.bar" (which
worked btw, so good there) that the "User Name" in Users main tab looks
really odd:

Re: [ovirt-users] Using REST API to get a proxyticket

2016-03-26 Thread Ollie Armstrong
Ah brilliant!  I never thought to try using SPICE instead.

Thanks, Juan.

On 25 March 2016 at 09:11, Juan Hernández  wrote:
> On 03/24/2016 07:17 PM, Ollie Armstrong wrote:
>> Thanks.
>>
>> Unfortunately that still gives me the same NPE in the engine.log that
>> I uploaded in my first email.  I think I'll report this on BZ as it
>> isn't working for me when it works for you.
>>
>
> This is the effect of the following bug:
>
>   sign websocket proxy ticket via RESTapi when VM have VNC graphics protocol
>   https://bugzilla.redhat.com/1305837
>
> It should be fixed in version 3.6.5 of the engine.
>
> To clarify how to use the action, you don't have to send anything, just
> "", and it will return you the ticket. For example, using curl:
>
> ---8<---
> #!/bin/sh -ex
>
> url="https://engine.example.com/ovirt-engine/api"
> user="admin@internal"
> password="..."
> vmid="..."
> consoleid="..."
>
> curl \
> --verbose \
> --cacert /etc/pki/ovirt-engine/ca.pem \
> --request POST \
> --user "${user}:${password}" \
> --header "Content-Type: application/xml" \
> --header "Accept: application/xml" \
> --data '
> 
> ' \
> "${url}/vms/${vmid}/graphicsconsoles/${consoleid}/proxyticket"
> --->8---
>
> This will return a response like this:
>
>   
> 
>ey..A1==
> 
>   
>
> That long "value" is the Base64 encoded ticket.
>
>> On 24 March 2016 at 18:11, Gonzalo Rafuls  wrote:
>>> Apparently you can get it as well with something like
>>> "".
>>>
>>> Only thing to change then is between curly brackets {}.
>
> --
> Business address: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta
> 3ºD, 28016 Madrid, Spain
> Registered in the Madrid Mercantile Registry – C.I.F. B82657941 - Red Hat S.L.



-- 

Ollie Armstrong

Web Developer / Sysadmin
ol...@fubra.com fubra.com
Fubra is a company limited by shares and registered in England and
Wales with number 3967214 at Manor Coach House, Church Hill,
Aldershot, Hampshire, GU12 4RQ. We are registered for VAT with number
GB733667024, and as a data controller with number Z5193400. We are
members of RIPE, Nominet, the Italian RA and registered with OfCom as
a provider of electronic communications services.
*Calls to this number will cost 5p per minute plus your network access charge


Re: [ovirt-users] oVirt 3.6 AAA LDAP cannot not log in when end of UPN is different from domain base

2016-03-26 Thread Karli Sjöberg
What the heck, my message disappears! Trying again.

Ok, so it's mapping now but the only thing working is:
config.mapUser.regex.pattern = u...@baz.foo.bar
config.mapUser.regex.replacement = u...@foo.bar

And that isn't very useful. Please advise!

/K

On 03/25/2016 12:26 AM, Karli Sjöberg wrote:
>
> On 25 March 2016 at 12:10 AM, Karli Sjöberg wrote:
>  >
>  >
>  > On 24 March 2016 at 11:26 PM, Ondra Machacek wrote:
>  > >
>  > > On 03/24/2016 11:14 PM, Karli Sjöberg wrote:
>  > > >
>  > > > On 24 March 2016 at 7:26 PM, Ondra Machacek wrote:
>  > > >  >
>  > > >  > On 03/24/2016 06:16 PM, Karli Sjöberg wrote:
>  > > >  > > Hi!
>  > > >  > >
>  > > >  > >
>  > > >  > > Starting new thread instead of jacking someone else´s.
>  > > >  > >
>  > > >  > >
>  > > >  > > Managed to migrate from old 'engine-manage-domains' auth to
>  > > > aaa-ldap using:
>  > > >  > >
>  > > >  > > #| ovirt-engine-kerbldap-migration-tool --domain baz.foo.bar
> --cacert
>  > > >  > > /tmp/ca.crt --apply
>  > > >  > > |
>  > > >  > >
>  > > >  > >
>  > > >  > > All OK, no errors, but cannot log in:
>  > > >  > >
>  > > >  > > # ovirt-engine-extensions-tool aaa login-user
> --profile=baz.foo.bar-new
>  > > >  > > --user-name=user:
>  > > >  >
>  > > >  > If you want to login with user with different upn suffix, then
> just
>  > > >  > append that suffix
>  > > >  >
>  > > >  > $ ovirt-engine-extensions-tool aaa login-user
> --profile=baz.foo.bar-new
>  > > >  > --user-name=u...@foo.bar
>  > > >
>  > > > OK, some progress, that works!
>  > > >
>  > > >  >
>  > > >  > If you have more suffixes and want to have some as default you
> can use
>  > > >  > following approach:
>  > > >  >
>  > > >  > 1) install ovirt-engine-extension-aaa-misc
>  > > >  >
>  > > >  > 2) create new mapping extension like this:
>  > > >  > /etc/ovirt-engine/extensions.d/mapping-suffix.properties
>  > > >  >
>  > > >  > ovirt.engine.extension.name = mapping-suffix
>  > > >  > ovirt.engine.extension.bindings.method = jbossmodule
>  > > >  > ovirt.engine.extension.binding.jbossmodule.module =
>  > > >  > org.ovirt.engine-extensions.aaa.misc
>  > > >  > ovirt.engine.extension.binding.jbossmodule.class =
>  > > >  > org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
>  > > >  > ovirt.engine.extension.provides =
>  > > >  > org.ovirt.engine.api.extensions.aaa.Mapping
>  > > >  > config.mapUser.type = regex
>  > > >  > config.mapUser.pattern = ^(?<user>[^@]*)$
>  > > >
>  > > > Is that supposed to really say '<user>' or should it be changed to a
>  > > > real user name? Either way, it doesn't work, I tried it all.
>  > >
>  > > '?<user>' is just a named group in that regex so you can later use it in
>  > > 'config.mapUser.replacement'  option. It should take everything until
>  > > first '@'.
>  > >
>  > > >
>  > > >  > config.mapUser.replacement = ${user}@foo.bar
>  > > >  > config.mapUser.mustMatch = false
>  > > >  >
>  > > >  > 3) select a mapping plugin in authn configuration:
>  > > >  >
>  > > >  > ovirt.engine.aaa.authn.mapping.plugin = mapping-suffix
>  > > >  >
>  > > >  > With above configuration in use, your user 'user' will be
> mapped to
>  > > >  > user 'u...@foo.bar'
>  > > >  > and users 'u...@anotherdomain.foo.bar' will remain
>  > > >  > 'u...@anotherdomain.foo.bar'.
>  > > >
>  > > > This however does not, it doesn't replace the suffix as it's supposed
>  > > > to. I tried with many different types of the 'mapUser.pattern' but it
>  > > > simply won't change it, even if I type in '= ^u...@baz.foo.bar$', the
>  > > > error is the same:(
>  > >
>  > > Hmm, hard to say what's wrong, try to run:
>  > > $ ovirt-engine-extensions-tool --log-level=FINEST aaa login-user
>  > > --profile=baz.foo.bar-new --user-name=user
>  > >
>  > > and search for a mapping part in log.
>  >
>  > Wow what a mouthful:) Can you make anything out of it?
>  >
>  > https://dropoff.slu.se/index.php/s/EMe2NPmOfsWCNTv/download
>  >
>  > /K
>
> Just noticed after logging in to webadmin as "u...@foo.bar" (which
> worked btw, so good there) that the "User Name" in Users main tab looks
> really odd:
> u...@foo.bar@baz.foo.bar-new-authz

Sorry, you are right, it doesn't work. I've sent you an incorrect
configuration, the correct one is:

/etc/ovirt-engine/extensions.d/mapping-suffix.properties

...
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@foo.bar
config.mapUser.regex.mustMatch = false
...

Notice that 'regex' was missing after 'mapUser'.

>
> /K
>
>  >
>  > >
>  > > >
>  > > > /K
>  > > >
>  > > >  >
>  > > >  > >
>  > > >  > > API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS
> result=SUCCESS
>  > > >  > >
>  > > >  > >
>  > > >  > > but:
>  > > >  > >
>  > > >  > > API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD
>  > > >  > > principal='u...@baz.foo.bar'
>  > > >  > > SEVERE  Cannot resolve principal 'u...@baz.foo.bar'
>  > > >  > >
>  > > >  > >
>  > > >  > > So it fails.
>  > > >  > 
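
The key-name fix given in the message above, as an added example that is not part of the thread and is not oVirt code: a Python emulation of the regex mapping, with the named group written out as `(?<user>...)` so that `${user}` in the replacement refers to it. The function names are hypothetical, the sample names are constructed, and the behaviour when no `config.mapUser.regex.pattern` key is found, or when `mustMatch` is true, is an assumption based on the log output quoted in the thread.

```python
import re

# Constructed inputs: the keys first posted in the thread, then the corrected ones.
BROKEN = """\
config.mapUser.type = regex
config.mapUser.pattern = ^(?<user>[^@]*)$
config.mapUser.replacement = ${user}@foo.bar
config.mapUser.mustMatch = false
"""
FIXED = """\
config.mapUser.type = regex
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@foo.bar
config.mapUser.regex.mustMatch = false
"""
PREFIX = "config.mapUser.regex."

def parse_properties(text):
    """Minimal key = value parser (no line continuations or escapes)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def misplaced_keys(props):
    """Regex options written directly under config.mapUser, without '.regex.'."""
    bad = re.compile(r"config\.mapUser\.(pattern|replacement|mustMatch)")
    return sorted(k for k in props if bad.fullmatch(k))

def map_user(props, name):
    """Emulate the mapping; returns None when mustMatch=true rejects the name."""
    pattern = props.get(PREFIX + "pattern")
    if pattern is None:
        return name  # assumption: no pattern found, so the name passes unchanged
    # Translate Java syntax: (?<user>...) -> (?P<user>...), ${user} -> \g<user>
    py_pattern = re.sub(r"\(\?<([A-Za-z][A-Za-z0-9]*)>", r"(?P<\1>", pattern)
    py_repl = re.sub(r"\$\{(\w+)\}", lambda m: "\\g<%s>" % m.group(1),
                     props.get(PREFIX + "replacement", ""))
    if re.search(py_pattern, name) is None:
        # assumption: mustMatch=true turns a non-match into a rejected login
        return None if props.get(PREFIX + "mustMatch") == "true" else name
    return re.sub(py_pattern, py_repl, name, count=1)

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        props = parse_properties(text)
        print(label, misplaced_keys(props), map_user(props, "user"),
              map_user(props, "user@anotherdomain.foo.bar"))
```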

Re: [ovirt-users] oVirt 3.6 AAA LDAP cannot not log in when end of UPN is different from domain base

2016-03-26 Thread Karli Sjöberg

On 25 March 2016 at 9:32 pm, Ondra Machacek wrote:
>
> On 03/25/2016 12:26 AM, Karli Sjöberg wrote:
> >

On 03/25/2016 12:26 AM, Karli Sjöberg wrote:
>
> On 25 March 2016 at 12:10 am, Karli Sjöberg wrote:
>  >
>  >
>  > On 24 March 2016 at 11:26 pm, Ondra Machacek wrote:
>  > >
>  > > On 03/24/2016 11:14 PM, Karli Sjöberg wrote:
>  > > >
>  > > > On 24 March 2016 at 7:26 pm, Ondra Machacek wrote:
>  > > >  >
>  > > >  > On 03/24/2016 06:16 PM, Karli Sjöberg wrote:
>  > > >  > > Hi!
>  > > >  > >
>  > > >  > >
>  > > >  > > Starting new thread instead of jacking someone else's.
>  > > >  > >
>  > > >  > >
>  > > >  > > Managed to migrate from old 'engine-manage-domains' auth to
>  > > > aaa-ldap using:
>  > > >  > >
>  > > >  > > #| ovirt-engine-kerbldap-migration-tool --domain baz.foo.bar
> --cacert
>  > > >  > > /tmp/ca.crt --apply
>  > > >  > > |
>  > > >  > >
>  > > >  > >
>  > > >  > > All OK, no errors, but cannot log in:
>  > > >  > >
>  > > >  > > # ovirt-engine-extensions-tool aaa login-user
> --profile=baz.foo.bar-new
>  > > >  > > --user-name=user:
>  > > >  >
>  > > >  > If you want to login with user with different upn suffix, then
> just
>  > > >  > append that suffix
>  > > >  >
>  > > >  > $ ovirt-engine-extensions-tool aaa login-user
> --profile=baz.foo.bar-new
>  > > >  > --user-name=u...@foo.bar
>  > > >
>  > > > OK, some progress, that works!
>  > > >
>  > > >  >
>  > > >  > If you have more suffixes and want to have some as default you
> can use
>  > > >  > following approach:
>  > > >  >
>  > > >  > 1) install ovirt-engine-extension-aaa-misc
>  > > >  >
>  > > >  > 2) create new mapping extension like this:
>  > > >  > /etc/ovirt-engine/extensions.d/mapping-suffix.properties
>  > > >  >
>  > > >  > ovirt.engine.extension.name = mapping-suffix
>  > > >  > ovirt.engine.extension.bindings.method = jbossmodule
>  > > >  > ovirt.engine.extension.binding.jbossmodule.module =
>  > > >  > org.ovirt.engine-extensions.aaa.misc
>  > > >  > ovirt.engine.extension.binding.jbossmodule.class =
>  > > >  > org.ovirt.engineextensions.aaa.misc.mapping.MappingExtension
>  > > >  > ovirt.engine.extension.provides =
>  > > >  > org.ovirt.engine.api.extensions.aaa.Mapping
>  > > >  > config.mapUser.type = regex
>  > > >  > config.mapUser.pattern = ^(?<user>[^@]*)$
>  > > >
>  > > > Is that supposed to really say '<user>' or should it be changed to a
>  > > > real user name? Either way, it doesn't work, I tried it all.
>  > >
>  > > '?<user>' is just a named group in that regex so you can later use
> it in
>  > > 'config.mapUser.replacement'  option. It should take everything until
>  > > first '@'.
>  > >
>  > > >
>  > > >  > config.mapUser.replacement = ${user}@foo.bar
>  > > >  > config.mapUser.mustMatch = false
>  > > >  >
>  > > >  > 3) select a mapping plugin in authn configuration:
>  > > >  >
>  > > >  > ovirt.engine.aaa.authn.mapping.plugin = mapping-suffix
>  > > >  >
>  > > >  > With above configuration in use, your user 'user' will be
> mapped to
>  > > >  > user 'u...@foo.bar'
>  > > >  > and users 'u...@anotherdomain.foo.bar' will remain
>  > > >  > 'u...@anotherdomain.foo.bar'.
>  > > >
>  > > > This however does not, it doesn't replace the suffix as it's supposed
>  > > > to. I tried with many different types of the 'mapUser.pattern' but it
>  > > > simply won't change it, even if I type in '= ^u...@baz.foo.bar$', the
>  > > > error is the same:(
>  > >
>  > > Hmm, hard to say what's wrong, try to run:
>  > > $ ovirt-engine-extensions-tool --log-level=FINEST aaa login-user
>  > > --profile=baz.foo.bar-new --user-name=user
>  > >
>  > > and search for a mapping part in log.
>  >
>  > Wow what a mouthful:) Can you make anything out of it?
>  >
>  > https://dropoff.slu.se/index.php/s/EMe2NPmOfsWCNTv/download
>  >
>  > /K
>
> Just noticed after logging in to webadmin as "u...@foo.bar" (which
> worked btw, so good there) that the "User Name" in Users main tab looks
> really odd:
> u...@foo.bar@baz.foo.bar-new-authz

Sorry, you are right, it doesn't work. I've sent you an incorrect
configuration, the correct one is:

/etc/ovirt-engine/extensions.d/mapping-suffix.properties

...
config.mapUser.regex.pattern = ^(?<user>[^@]*)$
config.mapUser.regex.replacement = ${user}@foo.bar
config.mapUser.regex.mustMatch = false
...

Notice that 'regex' was missing after 'mapUser'.

>
> /K
>
>  >
>  > >
>  > > >
>  > > > /K
>  > > >
>  > > >  >
>  > > >  > >
>  > > >  > > API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS
> result=SUCCESS
>  > > >  > >
>  > > >  > >
>  > > >  > > but:
>  > > >  > >
>  > > >  > > API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD
>  > > >  > > principal='u...@baz.foo.bar'
>  > > >  > > SEVERE  Cannot resolve principal 'u...@baz.foo.bar'
>  > > >  > >
>  > > >  > >
>  > > >  > > So it fails.
>  > > >  > >
>  > > >  > >
>  > > >  > > # ldapsearch -x -H ldap://baz.foo.bar -D u...@foo.bar -W -b
>  > > >  > > DC=baz,DC=foo,DC=bar -s