Re: [ovirt-users] Change "ovirt-engine" virtual directory

2015-12-29 Thread Alon Bar-Lev


- Original Message -
> From: "Hamid Mazrae Mollaie" 
> To: "Alon Bar-Lev" 
> Cc: users@ovirt.org
> Sent: Tuesday, December 29, 2015 11:54:58 AM
> Subject: Re: [ovirt-users] Change "ovirt-engine" virtual directory
> 
> thank you for reply
> but unfortunately branding does not change "ovirt-engine" in webadmin url
> path

I already responded how it may be achieved, and specified that this will not be 
supported as indeed the branding interface does not support this kind of change.

> 
> On Mon, Dec 28, 2015 at 2:18 PM, Alon Bar-Lev  wrote:
> 
> >
> >
> > - Original Message -
> > > From: "Hamid Mazrae Mollaie" 
> > > To: users@ovirt.org
> > > Sent: Monday, December 28, 2015 12:42:18 PM
> > > Subject: [ovirt-users] Change "ovirt-engine" virtual directory
> > >
> > > hi all
> > > i want to change "ovirt-engine" in url's web admin portal for branding.
> > > how can i do?
> > > tanx
> > >
> >
> > You can probably add a reverse proxy or tweak apache ajp proxy, however,
> > this configuration will probably not be supported.
> >
> > Supported branding modifications are outlined here[1].
> >
> > [1]
> > https://gerrit.ovirt.org/gitweb?p=ovirt-engine.git;a=blob;f=README.branding;hb=HEAD
> >
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] Change "ovirt-engine" virtual directory

2015-12-28 Thread Alon Bar-Lev


- Original Message -
> From: "Hamid Mazrae Mollaie" 
> To: users@ovirt.org
> Sent: Monday, December 28, 2015 12:42:18 PM
> Subject: [ovirt-users] Change "ovirt-engine" virtual directory
> 
> hi all
> i want to change "ovirt-engine" in url's web admin portal for branding.
> how can i do?
> tanx
> 

You can probably add a reverse proxy or tweak apache ajp proxy, however, this 
configuration will probably not be supported.

Supported branding modifications are outlined here[1].

[1] 
https://gerrit.ovirt.org/gitweb?p=ovirt-engine.git;a=blob;f=README.branding;hb=HEAD


Re: [ovirt-users] Add node to engine 3.6: "no unique id"

2015-12-27 Thread Alon Bar-Lev


- Original Message -
> From: "Yaniv Kaul" 
> To: "Alon Bar-Lev" 
> Cc: "gregor" , "users" 
> Sent: Sunday, December 27, 2015 7:49:09 PM
> Subject: Re: [ovirt-users] Add node to engine 3.6: "no unique id"
> 
> On Sun, Dec 27, 2015 at 4:19 PM, Alon Bar-Lev  wrote:
> 
> > Hi,
> >
> > This usually happens when the BIOS does not report a unique id.
> >
> > At node, exit to shell using F2 then:
> > # uuidgen > /etc/vdsm/vdsm.id
> > And retry registration.
> >
> 
> Perhaps host installation script should perform this automatically if it
> cannot find a unique ID?
> (In the case where it's not an issue of a non-unique ID, but rather no ID
> whatsoever, which I believe is the common case, though we have seen vendors
> supplying the same UUID across their BIOS for all their servers in the past
> as well).
> Y.

This should have been implemented within the replacement of vdsm-reg and the 
usage of the new host deploy protocol.
Although keep in mind that in stateless mode, such a machine will register using a 
new id each time it is booted, even if not approved, filling the database with 
phantom hosts.

> 
> 
> >
> > Alternatively, configure root password and add the node via engine.
> >
> > Regards,
> > Alon Bar-Lev.
> >
> > - Original Message -
> > > From: "gregor" 
> > > To: "users" 
> > > Sent: Sunday, December 27, 2015 3:37:00 PM
> > > Subject: [ovirt-users] Add node to engine 3.6: "no unique id"
> > >
> > > Hi,
> > >
> > > I added an oVirt node (3.6) to my engine (3.6) and get the following
> > > message when I try to activate it:
> > >
> > > ---
> > > Cannot activate Host. Host has no unique id.
> > > ---
> > >
> > > Image: ovirt-node-iso-3.6-0.999.201512132115.el7.centos.iso
> > >
> > > regards
> > > gregor
> >
> 


Re: [ovirt-users] Add node to engine 3.6: "no unique id"

2015-12-27 Thread Alon Bar-Lev
Hi,

This usually happens when the BIOS does not report a unique id.

At node, exit to shell using F2 then:
# uuidgen > /etc/vdsm/vdsm.id
And retry registration.

Alternatively, configure root password and add the node via engine.

Regards,
Alon Bar-Lev.

- Original Message -
> From: "gregor" 
> To: "users" 
> Sent: Sunday, December 27, 2015 3:37:00 PM
> Subject: [ovirt-users] Add node to engine 3.6: "no unique id"
> 
> Hi,
> 
> I added an oVirt node (3.6) to my engine (3.6) and get the following
> message when I try to activate it:
> 
> ---
> Cannot activate Host. Host has no unique id.
> ---
> 
> Image: ovirt-node-iso-3.6-0.999.201512132115.el7.centos.iso
> 
> regards
> gregor
> 
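The two replies above give the manual fix (`uuidgen > /etc/vdsm/vdsm.id`) and the caveat that a stateless node which mints a new id on every boot fills the engine database with phantom hosts. The following is an added example, not code from the thread or from oVirt/VDSM: a small Python helper that performs the same step idempotently, keeping an existing well-formed id and only writing a fresh one when the file is missing or malformed. The path `/etc/vdsm/vdsm.id` comes from the thread; the UUID validation rule, the `generate` hook and the function names are this example's own assumptions.

```python
"""Idempotent replacement for `uuidgen > /etc/vdsm/vdsm.id` (added example)."""
import os
import re
import uuid

# Path named in the thread; the real node stores the host id here.
VDSM_ID_PATH = "/etc/vdsm/vdsm.id"

# Canonical 8-4-4-4-12 hex form, which is what uuidgen writes (assumption: anything
# else is treated as malformed and replaced).
_UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def read_id(path):
    """Return the stripped contents of path, or None when the file is absent/unreadable."""
    try:
        with open(path, encoding="ascii") as handle:
            return handle.read().strip()
    except (OSError, UnicodeDecodeError):
        return None


def is_valid_uuid(value):
    """True when value looks like a canonical lowercase-or-uppercase UUID string."""
    return value is not None and _UUID_RE.match(value.lower()) is not None


def ensure_vdsm_id(path=VDSM_ID_PATH, generate=lambda: str(uuid.uuid4())):
    """Return (host_id, created).

    An existing valid id is preserved, so running this on every boot does not
    register the host under a new identity each time (the phantom-host problem
    described for stateless mode). A new id is written only when the file is
    missing or does not contain a UUID.
    """
    current = read_id(path)
    if is_valid_uuid(current):
        return current, False
    new_id = generate()
    os.makedirs(os.path.dirname(path) or ".", exist_ok=True)
    with open(path, "w", encoding="ascii") as handle:
        handle.write(new_id + "\n")
    return new_id, True


if __name__ == "__main__":
    host_id, created = ensure_vdsm_id()
    print(("generated" if created else "kept existing") + " id: " + host_id)
```

On a stateless node the file must live on persisted storage for this to help at all; the helper only guarantees that a re-run never replaces a good id.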


Re: [ovirt-users] aaa-LDAP schema selection

2015-12-23 Thread Alon Bar-Lev
Hi,

Of course only OpenLDAP schemas are to be considered.

In most cases it is sufficient to check if the user is of the uidObject object class, 
which means that you use the openldap schema, or posixAccount, which means that you 
are using rfc2307.

Regards,
Alon

- Original Message -
> From: "Jamie Lawrence" 
> To: "users" 
> Sent: Thursday, December 24, 2015 3:06:56 AM
> Subject: [ovirt-users] aaa-LDAP schema selection
> 
> Hello all,
> 
> I’d like to get the LDAP plugin working. We have a lovely LDAP setup deployed
> (OpenLDAP), and nobody here has a clue how to map what we have to the
> options the installer presents.
> 
> Well, a clue, yes.
> 
> We include the core, cosine, nis, inetorgperson and misc schemas in the
> config.
> 
> The RHDS, 389, AD, IPA and Novell options are eliminated because we aren’t
> running any of that. I eliminated ‘RFC-2307 Schema (Generic)’ by finding
> attributes not included in the RFC, but added by OpenLDAP.
> 
> Assuming what we are running maps to any of them, one of the  ‘OpenLDAP
> [RFC-2307|Standard] Schema' seem likely.
> 
> Does anyone know of a test (attribute that should be in one, or not in
> another, or some such) to figure this out? Can it be inferred from my schema
> includes (listed above)? I fear that determining this via process of
> elimination is going to be brutal due to difficult-to-replicate weirdness
> because of only minor differences, and the fact that there are other moving
> parts at the moment with this setup.
> 
> And to those who enjoy them, happy holidays.
> 
> -j
> 
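The rule in the reply above (uidObject means the OpenLDAP standard profile, posixAccount means RFC-2307) can be applied mechanically to the `objectClass` values of a user entry, which `ldapsearch -x -LLL -H ldap://HOST -b "BASE_DN" "(uid=USER)" objectClass` returns as LDIF. The block below is an added example, not part of the thread or of ovirt-engine-extension-aaa-ldap: a minimal LDIF reader plus the classification, run over constructed entries. The entries, DNs and the handling of entries that carry both or neither class (reported as ambiguous/undetermined rather than guessed, since the reply says the check suffices only "in most cases") are this example's own assumptions.

```python
"""Pick the aaa-ldap OpenLDAP profile from a user's objectClass values (added example)."""

# Constructed LDIF, shaped like `ldapsearch -LLL ... objectClass` output.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: alice

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: uidObject
objectClass: person
uid: bob

dn: uid=carol,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: carol
"""

# Profile labels as they appear in the aaa-ldap setup menu quoted in the thread.
RFC2307 = "OpenLDAP RFC-2307 Schema"
STANDARD = "OpenLDAP Standard Schema"


def parse_ldif(text):
    """Return {dn: {attribute: [values]}}.

    Handles blank-line separated entries and folded continuation lines (leading
    space). Base64 values (`attr:: ...`) are not decoded; they are not needed for
    objectClass.
    """
    entries = {}
    current = None
    last_attr = None
    for raw in text.splitlines():
        if not raw.strip():
            current = None
            continue
        if raw.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += raw[1:]  # folded line: append to previous value
            continue
        attr, _, value = raw.partition(":")
        attr, value = attr.strip(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
            last_attr = None
        elif current is not None:
            current.setdefault(attr, []).append(value)
            last_attr = attr
    return entries


def classify(object_classes):
    """Apply the reply's rule; LDAP objectClass names are case-insensitive."""
    classes = {c.lower() for c in object_classes}
    has_posix = "posixaccount" in classes
    has_uidobject = "uidobject" in classes
    if has_posix and has_uidobject:
        return "ambiguous"          # both markers present: inspect the schema includes
    if has_posix:
        return RFC2307
    if has_uidobject:
        return STANDARD
    return "undetermined"           # neither marker: the generic rule does not apply


def classify_entries(entries):
    """Map every DN in a parsed LDIF result to a profile label."""
    return {dn: classify(attrs.get("objectClass", [])) for dn, attrs in entries.items()}


if __name__ == "__main__":
    for dn, label in classify_entries(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{dn}: {label}")
```

Run it against the real directory by piping `ldapsearch` output into `parse_ldif`; if most users come back `undetermined`, the profile has to be chosen from the schema includes rather than from the user entries.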


Re: [ovirt-users] [3.6] Change admin password

2015-11-13 Thread Alon Bar-Lev

There is a separate tool for this now ovirt-engine-extension-aaa-jdbc-tool.

- Original Message -
> From: "Maksim Naumov" 
> To: "users" 
> Sent: Friday, November 13, 2015 4:23:45 PM
> Subject: [ovirt-users] [3.6] Change admin password
> 
> Hello
> 
> How can I change admin password?
> 
> I tried
> 
> # engine-config -s AdminPassword=interactive
> Error setting AdminPassword's value. No such entry.
> 
> But it doesn't work!
> 
> --
> Maksim Naumov
> 
> 
> 


Re: [ovirt-users] Moving a Hosted Engine from Fedora 20 to CentOS 7

2015-11-10 Thread Alon Bar-Lev


- Original Message -
> From: "Yedidyah Bar David" 
> To: "John Florian" , "Alon Bar-Lev" 
> , "Roy Golan" ,
> "Eli Mesika" 
> Cc: "users" 
> Sent: Tuesday, November 10, 2015 10:39:27 AM
> Subject: Re: [ovirt-users] Moving a Hosted Engine from Fedora 20 to CentOS 7
> 
> On Tue, Nov 10, 2015 at 2:16 AM, John Florian  wrote:
> > On 11/09/2015 06:25 PM, John Florian wrote:
> >> I don't think it has anything to do with name resolution either. I
> >> believe the telltale clue is this bit... 2015-11-09 18:22:31,738 WARN
> >> [org.apache.sshd.client.session.ClientSessionImpl] (pool-20-thread-3)
> >> Exception caught: java.lang.IllegalStateException: Unable to negotiate
> >> key exchange for kex algorithms (client: diffie-hellman-group1-sha1 /
> >> server:
> >> curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1)
> >> As mentioned, I can ssh from my engine to the host just fine. It
> >> appears that the Java-based ssh client however cannot.
> >
> > I got past the above problem by adding the following line to the
> > /etc/ssh/sshd_config of the new F22 host:
> >
> > KexAlgorithms
> > curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> >
> > This represents the defaults for F22 -- at least according to
> > sshd_config(5) -- but with the addition of diffie-hellman-group1-sha1
> > that the Java-based ssh client seems insistent on using.
> >
> 
> Adding Alon for this. Not sure if we can configure the java ssh client
> and how.
> 

I think that newer than apache-sshd-0.14 altered its behavior, can you please 
try to downgrade to apache-sshd-0.13 and see if it helps, if it does we will 
enforce it. Only in apache-sshd-1.1.0 (unreleased) we will be able to migrate 
properly (I hope).

> > However, all is not rosy.  The deploy script ground to a halt with:
> > [ INFO  ] Waiting for the host to become operational in the engine. This
> > may take several minutes...
> >   The host hosted_engine_2 is in non-operational state.
> >   Please try to activate it via the engine webadmin UI.
> >   Retry checking host status or ignore this and continue (Retry,
> > Ignore)[Retry]?
> >
> > So I did as suggested and tried to activate the host from the webadmin
> > UI.  That didn't work either.  The status message at the bottom of the
> > browser page shows:
> >
> > Host hosted_engine_2 is installed with VDSM version () and
> > cannot join cluster Default which is compatible with VDSM versions
> > [4.13, 4.14, 4.9, 4.16, 4.11, 4.15, 4.12, 4.10].
> >
> > The attempt to activate the host via the web UI also caused the
> > following to be logged on the engine:
> >
> > 2015-11-09 19:12:39,828 INFO
> > [org.ovirt.engine.core.bll.ActivateVdsCommand] (ajp--127.0.0.1-8702-7)
> > [4bf460e8] Lock Acquired to object EngineLock [exclusiveLocks= key:
> > fab55ebe-cc0f-4f95-87aa-fc3a5e08a5df value: VDS
> > , sharedLocks= ]
> > 2015-11-09 19:12:39,838 INFO
> > [org.ovirt.engine.core.bll.ActivateVdsCommand]
> > (org.ovirt.thread.pool-8-thread-49) [4bf460e8] Running command:
> > ActivateVdsCommand internal: false. Entities affected :  ID:
> > fab55ebe-cc0f-4f95-87aa-fc3a5e08a5df Type: VDSAction group
> > MANIPULATE_HOST with role type ADMIN
> > 2015-11-09 19:12:39,851 INFO
> > [org.ovirt.engine.core.bll.ActivateVdsCommand]
> > (org.ovirt.thread.pool-8-thread-49) [4bf460e8] Before acquiring lock in
> > order to prevent monitoring for host hosted_engine_2 from data-center
> > Default
> > 2015-11-09 19:12:39,856 INFO
> > [org.ovirt.engine.core.bll.ActivateVdsCommand]
> > (org.ovirt.thread.pool-8-thread-49) [4bf460e8] Lock acquired, from now a
> > monitoring of host will be skipped for host hosted_engine_2 from
> > data-center Default
> > 2015-11-09 19:12:39,861 INFO
> > [org.ovirt.engine.core.vdsbroker.SetVdsStatusVDSCommand]
> > (org.ovirt.thread.pool-8-thread-49) [4bf460e8] START,
> > SetVdsStatusVDSCommand(HostName = hosted_engine_2, HostId =
> > fab55ebe-cc0f-4f95-87aa-fc3a5e08a5df, status=Unassigned,
> > nonOperationalReason=NONE, stopSpmFailureLogged=false), log id: 1d206899
> > 2015-11-09 19:12:39,870 INFO
> > [org.ovirt.engine.core.vdsbroker.SetVdsStatusVDSCommand]
> > (org.ovirt.thread.pool-8-thread-49) [4bf460e8] FINISH,
> > SetVdsStatusVD
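The kex failure quoted above ("client: diffie-hellman-group1-sha1 / server: curve25519-sha256@libssh.org,...") follows directly from the SSH negotiation rule: the first method in the client's list that the server also offers is chosen, and there was no overlap. The block below is an added example, not code from the thread, from apache-sshd or from OpenSSH. It replays that negotiation with the two name-lists from the log and compares the two fixes discussed: re-enabling diffie-hellman-group1-sha1 in the host's `sshd_config` (which makes the host accept a 1024-bit, SHA-1 group from every client) versus updating the engine's Java client so it proposes modern methods. The archive mangled the first server entry into "curve25519-sha...@libssh.org"; the example uses the real method name. The weak-method table and the client-side method list in `fix_on_client` are this example's own assumptions, not apache-sshd's actual defaults.

```python
"""Replay the SSH key-exchange negotiation from the quoted engine log (added example)."""

# Methods this example treats as weak, with the reason (example's own classification).
WEAK_KEX = {
    "diffie-hellman-group1-sha1": "1024-bit MODP group with SHA-1",
    "diffie-hellman-group-exchange-sha1": "SHA-1 based group exchange",
}

# Name-lists copied from the "Unable to negotiate key exchange" line in the thread.
CLIENT_LOGGED = "diffie-hellman-group1-sha1"
SERVER_LOGGED = (
    "curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,"
    "ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1"
)


def parse_name_list(text):
    """Split an SSH name-list (comma separated, the same syntax as sshd_config KexAlgorithms)."""
    return [m.strip() for m in text.split(",") if m.strip()]


def negotiate_kex(client, server):
    """RFC 4253 section 7.1: the first method in the client's list that the server also
    lists is chosen. None means no common method, i.e. the failure in the log."""
    offered = set(server)
    for method in client:
        if method in offered:
            return method
    return None


def assess(client, server):
    """Outcome of a negotiation plus what the server exposes to every other client."""
    chosen = negotiate_kex(client, server)
    return {
        "chosen": chosen,
        "weak_chosen": chosen in WEAK_KEX,
        "weak_on_server": [m for m in server if m in WEAK_KEX],
    }


def fix_on_server(server):
    """The sshd_config change from the thread: append diffie-hellman-group1-sha1 to KexAlgorithms."""
    return server + ["diffie-hellman-group1-sha1"]


def fix_on_client(client, modern=("curve25519-sha256@libssh.org", "ecdh-sha2-nistp256")):
    """Client-side direction from the thread (newer apache-sshd): propose modern methods
    first. The concrete list is an assumption of this example."""
    return list(modern) + [m for m in client if m not in modern]


if __name__ == "__main__":
    client, server = parse_name_list(CLIENT_LOGGED), parse_name_list(SERVER_LOGGED)
    print("as logged:      ", assess(client, server))
    print("server-side fix:", assess(client, fix_on_server(server)))
    print("client-side fix:", assess(fix_on_client(client), server))
```

The server-side workaround does connect, but it does so by selecting the weak method and leaves it enabled for every client of that host; the client-side fix connects on a modern method without widening the host's exposure, which is why the reply points at the apache-sshd version rather than at `sshd_config`.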

Re: [ovirt-users] Migrate from ovirt-manage-domains to aaa

2015-11-05 Thread Alon Bar-Lev
Hi,

engine-manage-domains is capable of removing a domain.
Then you can delete all users with the authz name of the old domain by sorting the 
users in the webadmin UI.

If you would like to migrate from one into the other you can use this[1] 
utility.

Regards,
Alon Bar-Lev.

[1] https://github.com/machacekondra/ovirt-engine-kerbldap-migration/releases

- Original Message -
> From: "Kevin COUSIN" 
> To: "users" 
> Sent: Thursday, November 5, 2015 12:16:40 PM
> Subject: [ovirt-users] Migrate from ovirt-manage-domains to aaa
> 
> Hi list,
> 
> I setup aaa feature to authenticate to our Active Directory, but how can I
> delete old configuration made with engine-manage-domains in ovirt 3.6 ?
> 
> Thanks
> 
> 
> 
>COUSIN Kevin
> 


Re: [ovirt-users] LDAP Authentication

2015-11-05 Thread Alon Bar-Lev


- Original Message -
> From: "Budur Nagaraju" 
> To: "Alon Bar-Lev" 
> Cc: "users" 
> Sent: Thursday, November 5, 2015 8:28:43 AM
> Subject: Re: [ovirt-users] LDAP Authentication
> 
> But I am using ovirt 3.5 version; after restarting the engine I am not getting any
> warning logs.
> Is there any resolution?

Have you followed the instructions at [1] to enable the debug log?

[1] 
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0#l377

> 
> 
> On Thu, Nov 5, 2015 at 11:55 AM, Alon Bar-Lev  wrote:
> 
> >
> > Extension tool is available since 3.6, will be handy in these cases.
> >
> > - Original Message -
> > > From: "Budur Nagaraju" 
> > > To: "Alon Bar-Lev" 
> > > Cc: "users" 
> > > Sent: Thursday, November 5, 2015 8:17:46 AM
> > > Subject: Re: [ovirt-users] LDAP Authentication
> > >
> > > Getting below error ,tried installing extension tools but no luck
> > >
> > > # ovirt-engine-extensions-tool aaa abc --profile=ssl --user-name=abc
> > > -bash: ovirt-engine-extensions-tool: command not found
> > >
> > > On Thu, Nov 5, 2015 at 11:39 AM, Alon Bar-Lev  wrote:
> > >
> > > >
> > > > I will need a debug log of a login, please follow these[1]
> > instructions.
> > > >
> > > > [1]
> > > >
> > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0#l377
> > > >
> > > > - Original Message -
> > > > > From: "Budur Nagaraju" 
> > > > > To: "Alon Bar-Lev" 
> > > > > Cc: "users" 
> > > > > Sent: Thursday, November 5, 2015 8:01:54 AM
> > > > > Subject: Re: [ovirt-users] LDAP Authentication
> > > > >
> > > > > Below are the details,
> > > > >
> > > > >
> > > > >  rpm -qa |grep ovirt-engine-extension-aaa-ldap
> > > > > ovirt-engine-extension-aaa-ldap-1.0.2-1.el6.noarch
> > > > >
> > > > > Ovirt Engine Version :3.5
> > > > >
> > > > > we do not have multiple sites.
> > > > >
> > > > > -Nagaraju
> > > > >
> > > > >
> > > > > On Thu, Nov 5, 2015 at 11:25 AM, Alon Bar-Lev 
> > wrote:
> > > > >
> > > > > > Hi,
> > > > > > What version of ovirt?
> > > > > > What version of ovirt-engine-extension-aaa-ldap?
> > > > > > Do you have a domain that spans multiple sites?
> > > > > > Regards,
> > > > > > Alon
> > > > > >
> > > > > > - Original Message -
> > > > > > > From: "Budur Nagaraju" 
> > > > > > > To: "users" 
> > > > > > > Sent: Thursday, November 5, 2015 5:34:18 AM
> > > > > > > Subject: [ovirt-users] LDAP Authentication
> > > > > > >
> > > > > > > HI
> > > > > > >
> > > > > > > LDAP Authentication is taking 5 minutes; is there any way to resolve
> > > > > > > this issue?
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Nagaraju
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> 


Re: [ovirt-users] LDAP Authentication

2015-11-04 Thread Alon Bar-Lev

Extension tool is available since 3.6, will be handy in these cases.

- Original Message -
> From: "Budur Nagaraju" 
> To: "Alon Bar-Lev" 
> Cc: "users" 
> Sent: Thursday, November 5, 2015 8:17:46 AM
> Subject: Re: [ovirt-users] LDAP Authentication
> 
> Getting below error ,tried installing extension tools but no luck
> 
> # ovirt-engine-extensions-tool aaa abc --profile=ssl --user-name=abc
> -bash: ovirt-engine-extensions-tool: command not found
> 
> On Thu, Nov 5, 2015 at 11:39 AM, Alon Bar-Lev  wrote:
> 
> >
> > I will need a debug log of a login, please follow these[1] instructions.
> >
> > [1]
> > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0#l377
> >
> > - Original Message -
> > > From: "Budur Nagaraju" 
> > > To: "Alon Bar-Lev" 
> > > Cc: "users" 
> > > Sent: Thursday, November 5, 2015 8:01:54 AM
> > > Subject: Re: [ovirt-users] LDAP Authentication
> > >
> > > Below are the details,
> > >
> > >
> > >  rpm -qa |grep ovirt-engine-extension-aaa-ldap
> > > ovirt-engine-extension-aaa-ldap-1.0.2-1.el6.noarch
> > >
> > > Ovirt Engine Version :3.5
> > >
> > > we do not have multiple sites.
> > >
> > > -Nagaraju
> > >
> > >
> > > On Thu, Nov 5, 2015 at 11:25 AM, Alon Bar-Lev  wrote:
> > >
> > > > Hi,
> > > > What version of ovirt?
> > > > What version of ovirt-engine-extension-aaa-ldap?
> > > > Do you have a domain that spans multiple sites?
> > > > Regards,
> > > > Alon
> > > >
> > > > - Original Message -
> > > > > From: "Budur Nagaraju" 
> > > > > To: "users" 
> > > > > Sent: Thursday, November 5, 2015 5:34:18 AM
> > > > > Subject: [ovirt-users] LDAP Authentication
> > > > >
> > > > > HI
> > > > >
> > > > > LDAP Authentication is taking 5 minutes; is there any way to resolve
> > > > > this issue?
> > > > >
> > > > > Thanks,
> > > > > Nagaraju
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > >
> > >
> >
> 


Re: [ovirt-users] LDAP Authentication

2015-11-04 Thread Alon Bar-Lev

I will need a debug log of a login, please follow these[1] instructions.

[1] 
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0#l377

- Original Message -
> From: "Budur Nagaraju" 
> To: "Alon Bar-Lev" 
> Cc: "users" 
> Sent: Thursday, November 5, 2015 8:01:54 AM
> Subject: Re: [ovirt-users] LDAP Authentication
> 
> Below are the details,
> 
> 
>  rpm -qa |grep ovirt-engine-extension-aaa-ldap
> ovirt-engine-extension-aaa-ldap-1.0.2-1.el6.noarch
> 
> Ovirt Engine Version :3.5
> 
> we do not have multiple sites.
> 
> -Nagaraju
> 
> 
> On Thu, Nov 5, 2015 at 11:25 AM, Alon Bar-Lev  wrote:
> 
> > Hi,
> > What version of ovirt?
> > What version of ovirt-engine-extension-aaa-ldap?
> > Do you have a domain that spans multiple sites?
> > Regards,
> > Alon
> >
> > - Original Message -
> > > From: "Budur Nagaraju" 
> > > To: "users" 
> > > Sent: Thursday, November 5, 2015 5:34:18 AM
> > > Subject: [ovirt-users] LDAP Authentication
> > >
> > > HI
> > >
> > > LDAP Authentication is taking 5 minutes; is there any way to resolve this
> > > issue?
> > >
> > > Thanks,
> > > Nagaraju
> > >
> > >
> > >
> > >
> > >
> >
> 


Re: [ovirt-users] LDAP Authentication

2015-11-04 Thread Alon Bar-Lev
Hi,
What version of ovirt?
What version of ovirt-engine-extension-aaa-ldap?
Do you have a domain that spans multiple sites?
Regards,
Alon

- Original Message -
> From: "Budur Nagaraju" 
> To: "users" 
> Sent: Thursday, November 5, 2015 5:34:18 AM
> Subject: [ovirt-users] LDAP Authentication
> 
> HI
> 
> LDAP Authentication is taking 5 minutes; is there any way to resolve this
> issue?
> 
> Thanks,
> Nagaraju
> 
> 
> 
> 
> 


Re: [ovirt-users] Domain ordering in the user portal login form

2015-10-31 Thread Alon Bar-Lev

You can also file a bug as a feature request to add an option.

- Original Message -
> From: "Cristian Mammoli" 
> To: "Jiri Belka" 
> Cc: "users" 
> Sent: Saturday, October 31, 2015 12:17:33 PM
> Subject: Re: [ovirt-users] Domain ordering in the user portal login form
> 
> Thank you, now I have to decide  if I like more
> 
> zzz_internal
> or
> aaa_mydomain
> 
> :)
> Il 31/10/2015 01:24, Jiri Belka ha scritto:
> >> I have 3.6, what file should I modify in
> >>
> >> /etc/ovirt-engine/extensions.d/?
> > See how it works here
> > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html-single/Administration_Guide/index.html#sect-Directory_Users
> >
> > j.
> 
> --
> Mammoli Cristian
> System administrator
> T. +39 0731 22911
> Via Brodolini 6 | 60035 Jesi (an)
> 
> 


Re: [ovirt-users] Domain ordering in the user portal login form

2015-10-30 Thread Alon Bar-Lev
Hi,
I do not think there is a specific default but alphabetic sort().
Regards,
Alon

- Original Message -
> From: "Jiri Belka" 
> To: "Cristian Mammoli" 
> Cc: "users" 
> Sent: Saturday, October 31, 2015 2:24:24 AM
> Subject: Re: [ovirt-users] Domain ordering in the user portal login form
> 
> > I have 3.6, what file should I modify in
> > 
> > /etc/ovirt-engine/extensions.d/?
> 
> See how it works here
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html-single/Administration_Guide/index.html#sect-Directory_Users
> 
> j.
> 


Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep domain join

2015-10-30 Thread Alon Bar-Lev


- Original Message -
> From: "Cristian Mammoli" 
> To: "Alon Bar-Lev" 
> Cc: "Shahar Havivi" , "users" 
> Sent: Friday, October 30, 2015 9:48:04 PM
> Subject: Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep domain 
> join
> 
> As long as I used engine-manage-domains, SSO with the spice client worked fine:
> the user logs in to the user portal, clicks on a vm and gets logged in to the
> windows vm
> 
> With ovirt-engine-extension-aaa-ldap, configured with
> ovirt-engine-extension-aaa-ldap-setup, the SSO didn't work. The vm says
> I tried to login with an invalid username or password.
> 
> After enabling audit logs in the vm I see that the spice clients tries
> to login as
> 
> user@domain-authz
> 
> I changed "ovirt.engine.extension.name" from "domain-authz" to "domain" in
> "/etc/ovirt-engine/extensions.d/domain.net-authz.properties"
> 
> and "ovirt.engine.aaa.authn.authz.plugin" from "domain-authz" to "domain" in
> "/etc/ovirt-engine/extensions.d/domain-authn.properties"
> 
> And now SSO works fine
> 
> Is it the correct way to go??

Oh... I did not understand this is what you are trying to do.
Yes, this is [1].
There are lots of invalid assumptions in the product; one of them is that the 
profile name within the ovirt application matches the domain name of the VM.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1133137#c7

> 
> Il 30/10/2015 20:37, Alon Bar-Lev ha scritto:
> > What do you mean?
> > Maybe the password delegation into the virtual machine?
> > If engine does not know the password, it cannot delegate it to virtual
> > machine.
> > Solution is described here[1], so far no resources were allocated.
> >
> > [1] http://www.ovirt.org/Features/SSO
> >
> > - Original Message -
> >> From: "Cristian Mammoli" 
> >> To: "Shahar Havivi" , "Alon Bar-Lev"
> >> 
> >> Cc: "users" 
> >> Sent: Friday, October 30, 2015 9:33:02 PM
> >> Subject: Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep
> >> domain join
> >>
> >> It works fine, but it kills SSO as user...
> >>
> >> Poking in the windows logs I see a failed login as:
> >>
> >> myu...@mydomain.tld-authz !!
> >>
> >> Il 27/10/2015 11:51, Shahar Havivi ha scritto:
> >>> On 27.10.15 05:25, Alon Bar-Lev wrote:
> >>>> yes, you should probably only customize: $JoinDomain$,
> >>>> $DomainAdminPassword$, $DomainAdmin$
> >>>> maybe, not sure: $JoinDomain$, $MachineObjectOU$
> >>>> the rest should be the same as any other.
> >>> Please make sure that the file is the full sysprep file such as you can
> >>> find in /packaging/conf/sysprep/sysprep.w7 which is a windows 7 sysprep file.
> >>> You can leave the variables such as $OrgName$ which will be replaced
> >>> (except for the variables that Alon mentioned which were the original problem).
> >>>
> >>>> - Original Message -
> >>>>> From: "Cristian Mammoli" 
> >>>>> To: "Shahar Havivi" , "Alon Bar-Lev"
> >>>>> 
> >>>>> Cc: "users" 
> >>>>> Sent: Tuesday, October 27, 2015 11:19:02 AM
> >>>>> Subject: Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep
> >>>>> domain join
> >>>>>
> >>>>> So just pasting there the contents of a modified
> >>>>> /usr/share/ovirt-engine/conf/sysprep/sysprep.w7x64 (for example) should
> >>>>> work right?
> >>>>>
> >>>>> The variables like '![CDATA[$OrgName$' will be replaced?
> >>>>>
> >>>>> Il 26/10/2015 12:43, Shahar Havivi ha scritto:
> >>>>>> On 26.10.15 06:23, Alon Bar-Lev wrote:
> >>>>>>> Hi,
> >>>>>>> The usage of the engine-manage-domain user for anything else but ldap
> >>>>>>> searches is something that is unexpected and insecure.
> >>>>>>> As a solution, you may either paste a modified sysprep file into the
> >>>>>>> pool
> >>>>>>> at UI or set up a different osinfo profile with modified sysprep
> >>>>>>> file,
> >>>>>>> this modified sysprep file can contain the credentials of the user
> >>>>>>> that
> >>>>>>> is being used for joining the domain.
> >>>>>>> CCing Shahar who may assist further.
> >>>>>> Hi,
> >>>>>> You can paste a modified sysprep file to "new Pool"->"Initial
> >>>>>> run"->"Custom
> >>>>>> Script"
> >>>>>> As Alon mentioned.
> >>>>> --
> >>>>> Mammoli Cristian
> >>>>> System administrator
> >>>>> T. +39 0731 22911
> >>>>> Via Brodolini 6 | 60035 Jesi (an)
> >>>>>
> >>>>>
> >> --
> >> Mammoli Cristian
> >> System administrator
> >> T. +39 0731 22911
> >> Via Brodolini 6 | 60035 Jesi (an)
> >>
> >>
> 
> --
> Mammoli Cristian
> System administrator
> T. +39 0731 22911
> Via Brodolini 6 | 60035 Jesi (an)
> 
> 
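The exchange above pins the SSO failure on a naming assumption: the SPICE client presents `user@<authz extension name>` to the guest, so the name in `ovirt.engine.extension.name` of the authz file (and the matching `ovirt.engine.aaa.authn.authz.plugin` reference in the authn file) has to equal the Windows domain the VM was joined to, which is why renaming "domain-authz" to "domain" fixed it. The block below is an added example, not code from the thread or from ovirt-engine-extension-aaa-ldap: a check that reads the two `.properties` fragments, verifies the authn-to-authz reference, and reports the principal the guest would see when the names diverge. The file contents, the guest domain value, and the inclusion of `ovirt.engine.aaa.authn.profile.name` (a key these files normally carry, not mentioned in the thread) are constructed for the example.

```python
"""Cross-check aaa extension names against the guest domain used for SPICE SSO (added example)."""

# Constructed contents of two files under /etc/ovirt-engine/extensions.d/, reduced to the
# keys relevant here; real files carry more keys.
AUTHZ_PROPS = """\
# domain.net-authz.properties (constructed)
ovirt.engine.extension.name = domain-authz
"""
AUTHN_PROPS = """\
# domain-authn.properties (constructed)
ovirt.engine.extension.name = domain-authn
ovirt.engine.aaa.authn.profile.name = domain
ovirt.engine.aaa.authn.authz.plugin = domain-authz
"""
GUEST_DOMAIN = "domain"  # the Windows domain the VM was joined to (constructed)

NAME_KEY = "ovirt.engine.extension.name"
AUTHZ_REF_KEY = "ovirt.engine.aaa.authn.authz.plugin"


def parse_properties(text):
    """Minimal Java .properties reader: `key = value` lines, '#'/'!' comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def guest_principal(user, authz_name):
    """The login the thread observed the SPICE client sending to the guest."""
    return f"{user}@{authz_name}"


def check_sso_naming(authn, authz_list, guest_domain):
    """Return a list of findings; an empty list means the names line up."""
    findings = []
    authz_names = {p.get(NAME_KEY) for p in authz_list}
    ref = authn.get(AUTHZ_REF_KEY)
    if ref not in authz_names:
        findings.append(f"authn points at authz '{ref}', which no authz file defines")
    elif ref.lower() != guest_domain.lower():
        findings.append(
            f"authz name '{ref}' differs from guest domain '{guest_domain}': the guest "
            f"would see {guest_principal('user', ref)} and reject the login"
        )
    return findings


def rename_authz(authn, authz, new_name):
    """The edit made in the thread: rename the authz extension and update the authn reference.
    Returns new dicts; the inputs are left untouched."""
    return (
        {**authn, AUTHZ_REF_KEY: new_name},
        {**authz, NAME_KEY: new_name},
    )


if __name__ == "__main__":
    authn, authz = parse_properties(AUTHN_PROPS), parse_properties(AUTHZ_PROPS)
    print("before:", check_sso_naming(authn, [authz], GUEST_DOMAIN))
    authn_fixed, authz_fixed = rename_authz(authn, authz, GUEST_DOMAIN)
    print("after: ", check_sso_naming(authn_fixed, [authz_fixed], GUEST_DOMAIN))
```

Running it before the rename yields the `user@domain-authz` finding that matches the failed login in the guest's audit log; after the rename the check is clean. The check says nothing about whether the rename is supported, which the referenced bug discusses.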


Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep domain join

2015-10-30 Thread Alon Bar-Lev

What do you mean?
Maybe the password delegation into the virtual machine?
If engine does not know the password, it cannot delegate it to virtual machine.
Solution is described here[1], so far no resources were allocated.

[1] http://www.ovirt.org/Features/SSO

- Original Message -
> From: "Cristian Mammoli" 
> To: "Shahar Havivi" , "Alon Bar-Lev" 
> Cc: "users" 
> Sent: Friday, October 30, 2015 9:33:02 PM
> Subject: Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep domain 
> join
> 
> It works fine, but it kills SSO as user...
> 
> Poking in the windows logs I see a failed login as:
> 
> myu...@mydomain.tld-authz !!
> 
> Il 27/10/2015 11:51, Shahar Havivi ha scritto:
> > On 27.10.15 05:25, Alon Bar-Lev wrote:
> >> yes, you should probably only customize: $JoinDomain$,
> >> $DomainAdminPassword$, $DomainAdmin$
> >> maybe, not sure: $JoinDomain$, $MachineObjectOU$
> >> the rest should be the same as any other.
> > Please make sure that the file is the full sysprep file such as you can
> > find in /packaging/conf/sysprep/sysprep.w7 which is a windows 7 sysprep file.
> > You can leave the variables such as $OrgName$ which will be replaced (except
> > for the variables that Alon mentioned which were the original problem).
> >
> >> - Original Message -
> >>> From: "Cristian Mammoli" 
> >>> To: "Shahar Havivi" , "Alon Bar-Lev"
> >>> 
> >>> Cc: "users" 
> >>> Sent: Tuesday, October 27, 2015 11:19:02 AM
> >>> Subject: Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep
> >>> domain join
> >>>
> >>> So just pasting there the contents of a modified
> >>> /usr/share/ovirt-engine/conf/sysprep/sysprep.w7x64 (for example) should
> >>> work right?
> >>>
> >>> The variables like '![CDATA[$OrgName$' will be replaced?
> >>>
> >>> Il 26/10/2015 12:43, Shahar Havivi ha scritto:
> >>>> On 26.10.15 06:23, Alon Bar-Lev wrote:
> >>>>> Hi,
> >>>>> The usage of the engine-manage-domain user for anything else but ldap
> >>>>> searches is something that is unexpected and insecure.
> >>>>> As a solution, you may either paste a modified sysprep file into the
> >>>>> pool
> >>>>> at UI or set up a different osinfo profile with modified sysprep file,
> >>>>> this modified sysprep file can contain the credentials of the user that
> >>>>> is being used for joining the domain.
> >>>>> CCing Shahar who may assist further.
> >>>> Hi,
> >>>> You can paste a modified sysprep file to "new Pool"->"Initial
> >>>> run"->"Custom
> >>>> Script"
> >>>> As Alon mentioned.
> >>> --
> >>> Mammoli Cristian
> >>> System administrator
> >>> T. +39 0731 22911
> >>> Via Brodolini 6 | 60035 Jesi (an)
> >>>
> >>>
> 
> --
> Mammoli Cristian
> System administrator
> T. +39 0731 22911
> Via Brodolini 6 | 60035 Jesi (an)
> 
> 


Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep domain join

2015-10-27 Thread Alon Bar-Lev
yes, you should probably only customize: $JoinDomain$, $DomainAdminPassword$, 
$DomainAdmin$
maybe, not sure: $JoinDomain$, $MachineObjectOU$
the rest should be the same as any other.

- Original Message -
> From: "Cristian Mammoli" 
> To: "Shahar Havivi" , "Alon Bar-Lev" 
> Cc: "users" 
> Sent: Tuesday, October 27, 2015 11:19:02 AM
> Subject: Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep domain 
> join
> 
> So just pasting there the contents of a modified
> /usr/share/ovirt-engine/conf/sysprep/sysprep.w7x64 (for example) should
> work right?
> 
> The variables like '![CDATA[$OrgName$' will be replaced?
> 
> Il 26/10/2015 12:43, Shahar Havivi ha scritto:
> > On 26.10.15 06:23, Alon Bar-Lev wrote:
> >> Hi,
> >> The usage of the engine-manage-domain user for anything else but ldap
> >> searches is something that is unexpected and insecure.
> >> As a solution, you may either paste a modified sysprep file into the pool
> >> at UI or set up a different osinfo profile with modified sysprep file,
> >> this modified sysprep file can contain the credentials of the user that
> >> is being used for joining the domain.
> >> CCing Shahar who may assist further.
> > Hi,
> > You can paste a modified sysprep file to "new Pool"->"Initial run"->"Custom
> > Script"
> > As Alon mentioned.
> >>
> 
> --
> Mammoli Cristian
> System administrator
> T. +39 0731 22911
> Via Brodolini 6 | 60035 Jesi (an)
> 
> 


Re: [ovirt-users] aaa ldap+http sso & user portal

2015-10-26 Thread Alon Bar-Lev


- Original Message -
> From: "Sigbjorn Lie" 
> To: Users@ovirt.org
> Sent: Monday, October 26, 2015 8:18:24 PM
> Subject: [ovirt-users] aaa ldap+http sso & user portal
> 
> Hi,
> 
> The aaa ldap+http sso works perfectly in 3.5. :)
> 
> However when logging in to the User Portal there is a slight problem. As I am
> logged in directly, I am unable to uncheck the “Connect Automatically”
> checkbox. The user has access to several machines (Linux and Windows), and
> it’s not a good idea to simply connect to any one of them.
> 
> I haven’t been able to find anywhere I can disable the “Connect
> Automatically”. I see that there’s code for having it configurable per user in
> a later version, but how may I make this go away in the current version?
> Perhaps a hack which rips out the ConnectAutomatically() function entirely
> and replaces it with a simple “return true”?

What version do you use? I think it was fixed in 3.5.5[1]

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1256662

> 
> 
> Regards,
> Siggi


Re: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep domain join

2015-10-26 Thread Alon Bar-Lev
Hi,
Using the engine-manage-domains user for anything other than LDAP searches is 
unexpected and insecure.
As a solution, you may either paste a modified sysprep file into the pool at the 
UI or set up a different osinfo profile with a modified sysprep file. This 
modified sysprep file can contain the credentials of the user that is being 
used for joining the domain.
CCing Shahar, who may assist further.
Regards,
Alon

- Original Message -
> From: "Cristian Mammoli" 
> To: "users" 
> Sent: Monday, October 26, 2015 12:01:54 PM
> Subject: [ovirt-users] ovirt-engine-extension-aaa-ldap and sysprep domain 
> join
> 
> Hi, I tried to migrate to ovirt-engine-extension-aaa-ldap from
> engine-manage-domains. Everything seems to work fine so far except the
> automatic join to domain during sysprep.
> 
> Is it supposed to work? Where should I investigate further?
> 
> Thank you


Re: [ovirt-users] LDAP authentication with TLS

2015-10-07 Thread Alon Bar-Lev

Summary:
Using the legacy ldaps protocol, the user's expected certificate was retrieved.
Using startTLS, a different, self-signed certificate was retrieved.
Two different identities via the two interfaces, which should have returned a 
single identity.

- Original Message -
> From: "Alon Bar-Lev" 
> To: "Steve Dainard" 
> Cc: "users" 
> Sent: Wednesday, October 7, 2015 12:01:59 AM
> Subject: Re: [ovirt-users] LDAP authentication with TLS
> 
> Hi,
> 
> Can you please send me the profile, the keystore you created and the output
> of:
> 
> openssl s_client -connect server:636 -showcerts < /dev/null
> 
> Thanks!
> 
> - Original Message -
> > From: "Steve Dainard" 
> > To: "users" 
> > Sent: Tuesday, October 6, 2015 11:50:41 PM
> > Subject: [ovirt-users] LDAP authentication with TLS
> > 
> > Hello,
> > 
> > Trying to configure Ovirt 3.5.3.1-1.el7.centos for LDAP authentication.
> > 
> > I've configured the appropriate aaa profile but I'm getting TLS errors
> >  when I search for users to add via ovirt:
> > 
> > The connection reader was unable to successfully complete TLS
> > negotiation: javax.net.ssl.SSLHandshakeException:
> > sun.security.validator.ValidatorException: No trusted certificate
> > found caused by sun.security.validator.ValidatorException: No trusted
> > certificate found
> > 
> > I added the external CA certificate using keytool as per
> > https://github.com/oVirt/ovirt-engine-extension-aaa-ldap with
> > appropriate adjustments of course:
> > 
> > keytool -importcert -noprompt -trustcacerts -alias myrootca \
> >-file myrootca.pem -keystore myrootca.jks -storepass changeit
> > 
> > I know this certificate works, and can connect to LDAP with TLS as I'm
> > using the same LDAP configuration/certificate with SSSD.
> > 
> > Can anyone clarify whether I should be adding the external CA
> > certificate or the LDAP host certificate with keytool or any other
> > suggestions?
> > 
> > Thanks,
> > Steve


Re: [ovirt-users] LDAP

2015-10-07 Thread Alon Bar-Lev

Yes, see[1]

[1] https://github.com/machacekondra/ovirt-engine-kerbldap-migration/releases

- Original Message -
> From: "Fernando Fuentes" 
> To: users@ovirt.org
> Sent: Wednesday, October 7, 2015 6:46:38 PM
> Subject: [ovirt-users] LDAP
> 
> I migrated from 3.4 to 3.5 and I see that my kerberos/ldap is no longer
> working and looking further now I see that 3.5 uses AAA.
> Is there a migration process to move my kerberos/ldap to AAA or a guide
> to this?
> 
> TIA!


Re: [ovirt-users] LDAP authentication with TLS

2015-10-06 Thread Alon Bar-Lev
Hi,

Can you please send me the profile, the keystore you created and the output of:

openssl s_client -connect server:636 -showcerts < /dev/null

Thanks!

- Original Message -
> From: "Steve Dainard" 
> To: "users" 
> Sent: Tuesday, October 6, 2015 11:50:41 PM
> Subject: [ovirt-users] LDAP authentication with TLS
> 
> Hello,
> 
> Trying to configure Ovirt 3.5.3.1-1.el7.centos for LDAP authentication.
> 
> I've configured the appropriate aaa profile but I'm getting TLS errors
>  when I search for users to add via ovirt:
> 
> The connection reader was unable to successfully complete TLS
> negotiation: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: No trusted certificate
> found caused by sun.security.validator.ValidatorException: No trusted
> certificate found
> 
> I added the external CA certificate using keytool as per
> https://github.com/oVirt/ovirt-engine-extension-aaa-ldap with
> appropriate adjustments of course:
> 
> keytool -importcert -noprompt -trustcacerts -alias myrootca \
>-file myrootca.pem -keystore myrootca.jks -storepass changeit
> 
> I know this certificate works, and can connect to LDAP with TLS as I'm
> using the same LDAP configuration/certificate with SSSD.
> 
> Can anyone clarify whether I should be adding the external CA
> certificate or the LDAP host certificate with keytool or any other
> suggestions?
> 
> Thanks,
> Steve
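The two "LDAP authentication with TLS" messages above (Steve's question about which certificate to import with keytool, and the later summary that the ldaps listener and the StartTLS listener returned different certificates) come down to one check: does the server present the same identity on both paths? The script below is an added example, not code from the thread or from the oVirt project. It connects to port 636 directly and to port 389 with the LDAP StartTLS extended operation, hand-encoded in BER so no LDAP library is needed, then compares the SHA-256 fingerprints of the two leaf certificates. Certificate verification is switched off on purpose, because the point is to see what each endpoint presents before deciding what to put in the keystore. The host name `ldap.example.com` and the port numbers are assumptions.

```python
"""Compare the certificate an LDAP server presents over ldaps (636) with the
one it presents after StartTLS on 389. Added diagnostic example, not code
from the thread or the oVirt project; host and ports below are assumptions."""
import hashlib
import socket
import ssl
import sys

# StartTLS extended operation OID, RFC 4511 section 4.14.
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def build_starttls_request(message_id: int = 1) -> bytes:
    """BER-encode LDAPMessage { messageID, ExtendedRequest { requestName } }.
    Every length here is below 128, so the short definite form suffices."""
    if not 1 <= message_id <= 127:
        raise ValueError("message_id must fit in a single BER byte")
    request_name = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID   # [0] LDAPOID
    extended_req = b"\x77" + bytes([len(request_name)]) + request_name   # [APPLICATION 23]
    body = b"\x02\x01" + bytes([message_id]) + extended_req              # INTEGER messageID
    return b"\x30" + bytes([len(body)]) + body                           # SEQUENCE


def parse_starttls_response(data: bytes) -> int:
    """Return the LDAP resultCode (0 means success) from an ExtendedResponse.
    Handles the short-length form only, which is what this response uses."""
    if len(data) < 10 or data[0] != 0x30 or data[2:4] != b"\x02\x01":
        raise ValueError("not an LDAPMessage with a one-byte messageID")
    if data[5] != 0x78:                         # [APPLICATION 24] ExtendedResponse
        raise ValueError("not an ExtendedResponse")
    if data[7] != 0x0A or data[8] != 0x01:      # ENUMERATED resultCode, length 1
        raise ValueError("malformed resultCode")
    return data[9]


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form 'openssl x509' prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_identity(fp_ldaps: str, fp_starttls: str) -> bool:
    """The property the thread expects: both listeners present one identity."""
    return fp_ldaps == fp_starttls


def _peer_cert(sock: socket.socket, host: str) -> bytes:
    # Verification is off on purpose: the goal is to see which certificate
    # each endpoint presents, not to trust it. Do not reuse this context
    # for anything but this diagnostic.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with ctx.wrap_socket(sock, server_hostname=host) as tls:
        return tls.getpeercert(binary_form=True)


def ldaps_fingerprint(host: str, port: int = 636) -> str:
    with socket.create_connection((host, port), timeout=10) as sock:
        return fingerprint(_peer_cert(sock, host))


def starttls_fingerprint(host: str, port: int = 389) -> str:
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(build_starttls_request())
        code = parse_starttls_response(sock.recv(4096))
        if code != 0:
            raise RuntimeError(f"StartTLS refused, LDAP resultCode {code}")
        return fingerprint(_peer_cert(sock, host))


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.com"  # assumed name
    a, b = ldaps_fingerprint(host), starttls_fingerprint(host)
    print("ldaps    ", a)
    print("starttls ", b)
    print("same identity:", same_identity(a, b))
```

If the two fingerprints differ, a truststore built from the CA that signed the port-636 certificate cannot validate the StartTLS handshake, which is exactly the "No trusted certificate found" failure in this thread when the profile has `pool.default.ssl.startTLS = true`; the fix belongs on the server (give the StartTLS listener the same certificate) rather than in the keystore.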


Re: [ovirt-users] LDAP Authentication

2015-09-23 Thread Alon Bar-Lev
.4.319 false MIQXGSGSGSgEABAA=
> pagedresults: cookie=
> 
> # numResponses: 2
> # numEntries: 1
> 
> 
> 3. Copy the examples as mentioned from the readme.
> 4. You only need to modify /etc/ovirt-engine/aaa/int.m-box.de.properties;
> leave the rest as is.
> 5. There, set:
> 
> vars.domain = ldap.mydomain.com
> vars.user = ldap@${global:vars.domain}
> vars.password = Passw@rd
> 
> 6. Restart ovirt engine service
> 7. Log in as admin@internal and add user rights and roles from the new
> provider
> 
> Hope this helps.
> 
> On 22.09.2015 16:46, Budur Nagaraju wrote:
> > 
> > below are the three files which I have modified.
> > 
> > 
> > [root@cstlb2 extensions.d]# cat profile1-authn.properties
> > ovirt.engine.extension.name = cloudspin-authn
> > ovirt.engine.extension.bindings.method = jbossmodule
> > ovirt.engine.extension.binding.jbossmodule.module =
> > org.ovirt.engine-extensions.aaa.ldap
> > ovirt.engine.extension.binding.jbossmodule.class =
> > org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> > ovirt.engine.aaa.authn.profile.name = cloudspin
> > ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth
> > config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
> > 
> > 
> > [root@cstlb2 extensions.d]# ls
> > profile1-authn.properties profile1-authz.properties
> > [root@cstlb2 extensions.d]# cat profile1-authz.properties
> > ovirt.engine.extension.name = cloudspin-authz
> > ovirt.engine.extension.bindings.method = jbossmodule
> > ovirt.engine.extension.binding.jbossmodule.module =
> > org.ovirt.engine-extensions.aaa.ldap
> > ovirt.engine.extension.binding.jbossmodule.class =
> > org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> > config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
> > [root@cstlb2 extensions.d]#
> > 
> > 
> > 
> > [root@cstlb2 aaa]# pwd
> > /etc/ovirt-engine/aaa
> > [root@cstlb2 aaa]# ls
> > ldap1.properties
> > [root@cstlb2 aaa]# cat ldap1.properties
> > #
> > # Select one
> > #
> > include = 
> > #include = <389ds.properties>
> > #include = 
> > #include = 
> > #include = 
> > #include = 
> > #include = 
> > 
> > #
> > # Server
> > #
> > vars.server = my.abc.net
> > 
> > #
> > # Search user and its password.
> > #
> > vars.user =
> > uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=nbudoor,dc=net
> > vars.password = company
> > 
> > pool.default.serverset.single.server = ${global:vars.server}
> > pool.default.auth.simple.bindDN = ${global:vars.user}
> > pool.default.auth.simple.password = ${global:vars.password}
> > 
> > # Create keystore, import certificate chain and uncomment
> > # if using ssl/tls.
> > #pool.default.ssl.startTLS = true
> > #pool.default.ssl.truststore.file =
> > ${local:_basedir}/${global:vars.server}.jks
> > #pool.default.ssl.truststore.password = changeit
> > [root@cstlb2 aaa]#
> > 
> > 
> > 
> > 
> > 
> > 
> > On Tue, Sep 22, 2015 at 8:07 PM, Alon Bar-Lev < alo...@redhat.com > wrote:
> > 
> > 
> > 
> > - Original Message -
> > > From: "Budur Nagaraju" < nbud...@gmail.com >
> > > To: "Alon Bar-Lev" < alo...@redhat.com >
> > > Cc:users@ovirt.org 
> > > Sent: Tuesday, September 22, 2015 5:35:16 PM
> > > Subject: Re: [ovirt-users] LDAP Authentication
> > > 
> > > It's too complicated. Do you have any script or video?
> > 
> > in 3.6 we have a setup script.
> > for now:
> > 
> > cp -r /usr/share/ovirt-engine/examples/simple/. /etc/ovirt-engine/
> > 
> > this is written in the README.
> > 
> > then customize files at /etc/ovirt-engine/extnesions.d/*
> > /etc/ovirt-engine/aaa/* to match your setup
> > 
> > > 
> > > 
> > > On Tue, Sep 22, 2015 at 8:00 PM, Alon Bar-Lev < alo...@redhat.com > wrote:
> > > 
> > > > 
> > > > 
> > > > - Original Message -
> > > > > From: "Budur Nagaraju" < nbud...@gmail.com  >

Re: [ovirt-users] LDAP Authentication

2015-09-23 Thread Alon Bar-Lev


- Original Message -
> From: "Daniel Helgenberger" 
> To: "Budur Nagaraju" , "Alon Bar-Lev" 
> Cc: users@ovirt.org
> Sent: Tuesday, September 22, 2015 6:14:50 PM
> Subject: Re: [ovirt-users] LDAP Authentication
> 
> Hello Budur,
> 
> I've done this recently. Alon, no offense, but the docs are not quite
> straightforward...
> 

Patches to documentation will be most welcomed.
However, these should not assume a specific environment nor mode.

Thanks!


Re: [ovirt-users] LDAP Authentication

2015-09-22 Thread Alon Bar-Lev

please do not paste logs inline, either attach or pastebin.

please try to read errors and warnings before sending out; you have a trailing 
space in the configuration, I guess.

2015-09-22 20:21:51,533 WARN  
[org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-8) 
[ovirt-engine-extension-aaa-ldap.authn::cloudspin-authn] Cannot initialize LDAP 
framework, deferring initialization. Error: An error occurred while attempting 
to resolve address 'psbngdc01.psecure.net ':  java.net.UnknownHostException: 
psbngdc01.psecure.net : Name or service not known


- Original Message -
> From: "Budur Nagaraju" 
> To: "Alon Bar-Lev" 
> Cc: users@ovirt.org
> Sent: Tuesday, September 22, 2015 5:53:10 PM
> Subject: Re: [ovirt-users] LDAP Authentication
> 
> Below is the log I have got,
> 
> 
> 


Re: [ovirt-users] LDAP Authentication

2015-09-22 Thread Alon Bar-Lev
looks ok, now restart engine and see if you have any error at 
/var/log/ovirt-engine/engine.log

- Original Message -
> From: "Budur Nagaraju" 
> To: "Alon Bar-Lev" 
> Cc: users@ovirt.org
> Sent: Tuesday, September 22, 2015 5:45:42 PM
> Subject: Re: [ovirt-users] LDAP Authentication
> 
> below are the three files which I have modified.
> 
> 
> [root@cstlb2 extensions.d]# cat profile1-authn.properties
> ovirt.engine.extension.name = cloudspin-authn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module =
> org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class =
> org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> ovirt.engine.aaa.authn.profile.name = cloudspin
> ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth
> config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
> 
> 
> [root@cstlb2 extensions.d]# ls
> profile1-authn.properties  profile1-authz.properties
> [root@cstlb2 extensions.d]# cat profile1-authz.properties
> ovirt.engine.extension.name = cloudspin-authz
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module =
> org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class =
> org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
> [root@cstlb2 extensions.d]#
> 
> 
> 
> [root@cstlb2 aaa]# pwd
> /etc/ovirt-engine/aaa
> [root@cstlb2 aaa]# ls
> ldap1.properties
> [root@cstlb2 aaa]# cat ldap1.properties
> #
> # Select one
> #
> include = 
> #include = <389ds.properties>
> #include = 
> #include = 
> #include = 
> #include = 
> #include = 
> 
> #
> # Server
> #
> vars.server = my.abc.net
> 
> #
> # Search user and its password.
> #
> vars.user =
> uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=nbudoor,dc=net
> vars.password = company
> 
> pool.default.serverset.single.server = ${global:vars.server}
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
> 
> # Create keystore, import certificate chain and uncomment
> # if using ssl/tls.
> #pool.default.ssl.startTLS = true
> #pool.default.ssl.truststore.file =
> ${local:_basedir}/${global:vars.server}.jks
> #pool.default.ssl.truststore.password = changeit
> [root@cstlb2 aaa]#
> 
> 
> 
> 
> 
> 
> On Tue, Sep 22, 2015 at 8:07 PM, Alon Bar-Lev  wrote:
> 
> >
> >
> > - Original Message -
> > > From: "Budur Nagaraju" 
> > > To: "Alon Bar-Lev" 
> > > Cc: users@ovirt.org
> > > Sent: Tuesday, September 22, 2015 5:35:16 PM
> > > Subject: Re: [ovirt-users] LDAP Authentication
> > >
> > > It's too complicated. Do you have any script or video?
> >
> > in 3.6 we have a setup script.
> > for now:
> >
> > cp -r /usr/share/ovirt-engine/examples/simple/. /etc/ovirt-engine/
> >
> > this is written in the README.
> >
> > then customize files at /etc/ovirt-engine/extensions.d/*
> > /etc/ovirt-engine/aaa/* to match your setup
> >
> > >
> > >
> > > On Tue, Sep 22, 2015 at 8:00 PM, Alon Bar-Lev  wrote:
> > >
> > > >
> > > >
> > > > - Original Message -
> > > > > From: "Budur Nagaraju" 
> > > > > To: "Alon Bar-Lev" 
> > > > > Cc: users@ovirt.org
> > > > > Sent: Tuesday, September 22, 2015 5:24:36 PM
> > > > > Subject: Re: [ovirt-users] LDAP Authentication
> > > > >
> > > > > HI Alon,
> > > > >
> > > > > Below is the configuration which I have done, but I am unable to search the
> > > > > users in the UI.
> > > > > Can you please help me?
> > > >
> > > > you need three files, see the
> > > > /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple
> > > >
> > > > >
> > > > >
> > > > > [root@cstlb2 aaa]# cat ldap1.properties
> > > > > #
> > > > > # Select one
> > > > > #
> > > > > include = 
> > > > > #include = <389ds.properties>
> > > > > #include = 
> > > > > #include = 
> >
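Two things go wrong in the "LDAP Authentication" messages above that a plain `cat` does not show: the trailing space Alon spots in the engine.log line (`'psbngdc01.psecure.net '`), which Java's Properties loader keeps because it only trims leading whitespace from a value, and the authn file pointing `ovirt.engine.aaa.authn.authz.plugin` at `cloudspin-auth` while the authz file declares its name as `cloudspin-authz`. The checker below is an added example, not code from the thread or from the oVirt project. The three embedded files are constructed from the configuration pasted in this thread, with the bind DN and password replaced by placeholders and the trailing space put back on purpose; the parser is a simplified Properties reader (no line continuations or escapes), not the Java one.

```python
"""Sanity checks for an ovirt-engine-extension-aaa-ldap 'simple' layout:
two extension files in extensions.d and one profile in aaa. Added example;
file contents are constructed from the thread, parser is a simplified
java.util.Properties reader."""
import re
from typing import Dict, List

# Constructed inputs modelled on the files pasted in this thread. Bind DN and
# password are placeholders; the trailing space after the server name is
# deliberate and reproduces the UnknownHostException seen in engine.log.
AUTHN = (
    "ovirt.engine.extension.name = cloudspin-authn\n"
    "ovirt.engine.extension.bindings.method = jbossmodule\n"
    "ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap\n"
    "ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension\n"
    "ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn\n"
    "ovirt.engine.aaa.authn.profile.name = cloudspin\n"
    "ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth\n"
    "config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties\n"
)
AUTHZ = (
    "ovirt.engine.extension.name = cloudspin-authz\n"
    "ovirt.engine.extension.bindings.method = jbossmodule\n"
    "ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap\n"
    "ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension\n"
    "ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz\n"
    "config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties\n"
)
PROFILE = (
    "# Server\n"
    "vars.server = psbngdc01.psecure.net \n"
    "vars.user = uid=search,cn=users,dc=example,dc=net\n"
    "vars.password = REPLACE_ME\n"
    "pool.default.serverset.single.server = ${global:vars.server}\n"
    "pool.default.auth.simple.bindDN = ${global:vars.user}\n"
    "pool.default.auth.simple.password = ${global:vars.password}\n"
)
SAMPLE_FILES = {
    "extensions.d/profile1-authn.properties": AUTHN,
    "extensions.d/profile1-authz.properties": AUTHZ,
    "aaa/ldap1.properties": PROFILE,
}

_KV = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)")


def parse_properties(text: str) -> Dict[str, str]:
    """'#'/'!' comments; first '=' or ':' separates key and value; leading
    whitespace of the value is dropped but trailing whitespace is kept,
    which is what Java does and why a stray space ends up in the hostname."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.lstrip()
        if not line or line[0] in "#!":
            continue
        m = _KV.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def whitespace_findings(name: str, props: Dict[str, str]) -> List[str]:
    """Values with trailing whitespace: invisible in 'cat', fatal for DNS."""
    return [f"{name}: value of '{k}' has trailing whitespace ({v!r})"
            for k, v in props.items() if v != v.rstrip()]


def wiring_findings(files: Dict[str, str]) -> List[str]:
    """Every Authn extension must point authz.plugin at the
    ovirt.engine.extension.name of an Authz extension in the same set."""
    parsed = {n: parse_properties(t) for n, t in files.items()}

    def provides(p: Dict[str, str], kind: str) -> bool:
        return p.get("ovirt.engine.extension.provides", "").rstrip().endswith("." + kind)

    authz_names = {p.get("ovirt.engine.extension.name", "").rstrip()
                   for p in parsed.values() if provides(p, "Authz")}
    findings: List[str] = []
    for name, p in parsed.items():
        if not provides(p, "Authn"):
            continue
        plugin = p.get("ovirt.engine.aaa.authn.authz.plugin", "").rstrip()
        if plugin not in authz_names:
            findings.append(f"{name}: authz plugin '{plugin}' matches no Authz "
                            f"extension (declared: {', '.join(sorted(authz_names)) or 'none'})")
    return findings


def check_all(files: Dict[str, str]) -> List[str]:
    """Run both checks over a name -> file-content mapping."""
    findings: List[str] = []
    for name, text in files.items():
        findings += whitespace_findings(name, parse_properties(text))
    findings += wiring_findings(files)
    return findings


if __name__ == "__main__":
    for finding in check_all(SAMPLE_FILES):
        print(finding)
```

Against the constructed files this reports exactly two findings, one per problem; to run it on a live engine, read the real files under /etc/ovirt-engine/extensions.d and /etc/ovirt-engine/aaa into the same kind of mapping before the engine is restarted, since the engine only logs the unresolved host and says nothing about the plugin name mismatch until a login is attempted.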

Re: [ovirt-users] LDAP Authentication

2015-09-22 Thread Alon Bar-Lev


- Original Message -
> From: "Budur Nagaraju" 
> To: "Alon Bar-Lev" 
> Cc: users@ovirt.org
> Sent: Tuesday, September 22, 2015 5:35:16 PM
> Subject: Re: [ovirt-users] LDAP Authentication
> 
> It's too complicated. Do you have any script or video?

in 3.6 we have a setup script.
for now:

cp -r /usr/share/ovirt-engine/examples/simple/. /etc/ovirt-engine/

this is written in the README.

then customize files at /etc/ovirt-engine/extensions.d/* 
/etc/ovirt-engine/aaa/* to match your setup

> 
> 
> On Tue, Sep 22, 2015 at 8:00 PM, Alon Bar-Lev  wrote:
> 
> >
> >
> > - Original Message -
> > > From: "Budur Nagaraju" 
> > > To: "Alon Bar-Lev" 
> > > Cc: users@ovirt.org
> > > Sent: Tuesday, September 22, 2015 5:24:36 PM
> > > Subject: Re: [ovirt-users] LDAP Authentication
> > >
> > > HI Alon,
> > >
> > > Below is the configuration which I have done, but I am unable to search the
> > > users in the UI.
> > > Can you please help me?
> >
> > you need three files, see the
> > /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple
> >
> > >
> > >
> > > [root@cstlb2 aaa]# cat ldap1.properties
> > > #
> > > # Select one
> > > #
> > > include = 
> > > #include = <389ds.properties>
> > > #include = 
> > > #include = 
> > > #include = 
> > > #include = 
> > > #include = 
> > >
> > > #
> > > # Server
> > > #
> > > vars.server = my.abc.net
> > >
> > > #
> > > # Search user and its password.
> > > #
> > > vars.user =
> > >
> > uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=abc,dc=net
> > > vars.password = company1
> > >
> > > pool.default.serverset.single.server = ${global:vars.server}
> > > pool.default.auth.simple.bindDN = ${global:vars.user}
> > > pool.default.auth.simple.password = ${global:vars.password}
> > >
> > > # Create keystore, import certificate chain and uncomment
> > > # if using ssl/tls.
> > > #pool.default.ssl.startTLS = true
> > > #pool.default.ssl.truststore.file =
> > > ${local:_basedir}/${global:vars.server}.jks
> > > #pool.default.ssl.truststore.password = changeit
> > > [root@cstlb2 aaa]#
> > >
> > >
> > >
> > > On Tue, Sep 22, 2015 at 7:25 PM, Alon Bar-Lev  wrote:
> > >
> > > >
> > > >
> > > > - Original Message -
> > > > > From: "Budur Nagaraju" 
> > > > > To: users@ovirt.org
> > > > > Sent: Tuesday, September 22, 2015 4:34:46 PM
> > > > > Subject: [ovirt-users] LDAP Authentication
> > > > >
> > > > > HI All,
> > > > >
> > > > > Can someone help me in configuring LDAP authentication for oVirt?
> > > >
> > > > Please review:
> > > > http://www.ovirt.org/Features/AAA
> > > >
> > > >
> > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0
> > > >
> > >
> >
> 


Re: [ovirt-users] LDAP Authentication

2015-09-22 Thread Alon Bar-Lev


- Original Message -
> From: "Budur Nagaraju" 
> To: "Alon Bar-Lev" 
> Cc: users@ovirt.org
> Sent: Tuesday, September 22, 2015 5:24:36 PM
> Subject: Re: [ovirt-users] LDAP Authentication
> 
> HI Alon,
> 
> Below is the configuration which I have done, but I am unable to search the
> users in the UI.
> Can you please help me?

you need three files, see the 
/usr/share/ovirt-engine-extension-aaa-ldap/examples/simple

> 
> 
> [root@cstlb2 aaa]# cat ldap1.properties
> #
> # Select one
> #
> include = 
> #include = <389ds.properties>
> #include = 
> #include = 
> #include = 
> #include = 
> #include = 
> 
> #
> # Server
> #
> vars.server = my.abc.net
> 
> #
> # Search user and its password.
> #
> vars.user =
> uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=abc,dc=net
> vars.password = company1
> 
> pool.default.serverset.single.server = ${global:vars.server}
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
> 
> # Create keystore, import certificate chain and uncomment
> # if using ssl/tls.
> #pool.default.ssl.startTLS = true
> #pool.default.ssl.truststore.file =
> ${local:_basedir}/${global:vars.server}.jks
> #pool.default.ssl.truststore.password = changeit
> [root@cstlb2 aaa]#
> 
> 
> 
> On Tue, Sep 22, 2015 at 7:25 PM, Alon Bar-Lev  wrote:
> 
> >
> >
> > - Original Message -
> > > From: "Budur Nagaraju" 
> > > To: users@ovirt.org
> > > Sent: Tuesday, September 22, 2015 4:34:46 PM
> > > Subject: [ovirt-users] LDAP Authentication
> > >
> > > HI All,
> > >
> > > Can someone help me in configuring LDAP authentication for oVirt?
> >
> > Please review:
> > http://www.ovirt.org/Features/AAA
> >
> > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0
> >
> 


Re: [ovirt-users] LDAP Authentication

2015-09-22 Thread Alon Bar-Lev


- Original Message -
> From: "Budur Nagaraju" 
> To: users@ovirt.org
> Sent: Tuesday, September 22, 2015 4:34:46 PM
> Subject: [ovirt-users] LDAP Authentication
> 
> HI All,
> 
> Can someone help me in configuring LDAP authentication for oVirt?

Please review:
http://www.ovirt.org/Features/AAA
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0


Re: [ovirt-users] FreeIPA

2015-09-18 Thread Alon Bar-Lev


- Original Message -
> From: supo...@logicworks.pt
> To: "users" 
> Sent: Friday, September 18, 2015 5:45:18 PM
> Subject: [ovirt-users] FreeIPA
> 
> Hi,
> 
> Is there any documentation about FreeIPA integration with oVirt 3.5 and how
> to configure it?
> 

Hi,

Please find documentation at [1][2].

Regards,
Alon Bar-Lev.

[1] http://www.ovirt.org/Features/AAA
[2] 
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0


Re: [ovirt-users] Default user id password

2015-09-18 Thread Alon Bar-Lev
Please try:
1. blank.
2. the engine admin password.

I know recently sysprep default was modified to blank.

- Original Message -
> From: "Budur Nagaraju" 
> To: users@ovirt.org
> Sent: Friday, September 18, 2015 2:08:25 PM
> Subject: [ovirt-users] Default user id password
> 
> HI
> 
> After installing the Windows 7 OS in oVirt, by default it creates the user id
> as "user". May I know the default password for the VMs?
> 
> Thanks,
> Nagaraju
> 
> 


Re: [ovirt-users] Issues while deploying

2015-09-16 Thread Alon Bar-Lev

Turns out that nss-3.16.1-14.el6 was the root cause of this issue; updating it 
to a recent version resolved it.

- Original Message -
> From: "Budur Nagaraju" 
> To: "Alon Bar-Lev" 
> Cc: "Fabian Deutsch" , users@ovirt.org
> Sent: Wednesday, September 16, 2015 10:55:04 AM
> Subject: Re: [ovirt-users] Issues while deploying
> 
> Thank you :)
> 
> On Wed, Sep 16, 2015 at 1:24 PM, Alon Bar-Lev  wrote:
> 
> >
> > That's strange!
> > Will send you a test program offlist.
> >
> > - Original Message -
> > > From: "Budur Nagaraju" 
> > > To: "Alon Bar-Lev" 
> > > Cc: "Fabian Deutsch" , users@ovirt.org
> > > Sent: Wednesday, September 16, 2015 10:49:48 AM
> > > Subject: Re: [ovirt-users] Issues while deploying
> > >
> > > Tried manually connecting via SSH and I am able to log in, but while adding
> > > the host it is unable to connect.
> > >
> > > Below is the ssh-keyscan,
> > >
> > > [root@cstlb2 ~]#  ssh-keyscan 10.204.206.7
> > > # 10.204.206.7 SSH-2.0-OpenSSH_6.6.1
> > > 10.204.206.7 ssh-rsa
> > >
> > B3NzaC1yc2EDAQABAAABAQDTFQooTNdLyckvBUZKMDVvbhW1NR2WG/zUm941XpEvxSo35rXdUxJV/SyBq2xNiueXDB/H2yJ/SMPrczAnmyzCT9JYjeiwDTsx0l6s9X8dO3jGYHWhGk5Ls4S8pVZRhUYR7jPXPHpT5U4OQGaGMkUsR+cf5Vk6ehw1gROhvB+g0+vyjuwNAX2vLlfYHX0orjA4pvDHFtcd5/+1er8k2wY3zY20V9dRYAejXvnhthx6sZpkIoI4nTxLmu2rKkwQVBSNPfc6sI4Zmh03CHAnn+5CYOKGWVgCH/niXBiAzNXs996c62EoNBI0HEjWklj3zZ3hl27lgsf+Euoy+XTcvZfn
> > > [root@cstlb2 ~]#
> > >
> > >
> > > On Wed, Sep 16, 2015 at 1:08 PM, Alon Bar-Lev  wrote:
> > >
> > > >
> > > > java.io.IOException: SSH session closed during connection '
> > > > root@10.204.206.7'
> > > >
> > > > Please try to connect manually using ssh.
> > > > please provide output of ssh-keyscan 10.204.206.7.
> > > >
> > > > thanks!
> > > >
> > > > - Original Message -
> > > > > From: "Budur Nagaraju" 
> > > > > To: "Fabian Deutsch" 
> > > > > Cc: "Alon Bar-Lev" , users@ovirt.org
> > > > > Sent: Wednesday, September 16, 2015 10:32:52 AM
> > > > > Subject: Re: [ovirt-users] Issues while deploying
> > > > >
> > > > > HI All,
> > > > >
> > > > > Installed the node from the mentioned URL and am facing issues while adding
> > > > > the node; below are the logs:
> > > > >
> > > > >
> > > > >
> > > > > [root@cstlb2 ~]# tail -f /var/log/ovirt-engine/engine.log
> > > > > at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
> > > > > at org.jboss.web.rewrite.RewriteValve.invoke(RewriteValve.java:466)
> > > > > at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> > > > > at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
> > > > > at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:505)
> > > > > at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:445)
> > > > > at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
> > > > > at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_85]
> > > > >
> > > > > 2015-09-16 13:00:20,598 WARN  [org.ovirt.engine.core.bll.AddVdsCommand] (ajp--127.0.0.1-8702-7) [3b0b9751] CanDoAction of action AddVds failed for user admin@internal. Reasons: VAR__ACTION__ADD,VAR__TYPE__HOST,$server 10.204.206.7,VDS_CANNOT_CONNECT_TO_SERVER
> > > > > 2015-09-16 13:01:06,656 ERROR [org.ovirt.engine.core.bll.AddVdsCommand] (ajp--127.0.0.1-8702-1) [1ec16662] Failed to establish session with host testing: java.io.IOException: SSH session closed during connection 'root@10.204.206.7'
> > > > > at org.ovirt.engine.cor

Re: [ovirt-users] Issues while deploying

2015-09-16 Thread Alon Bar-Lev

That's strange!
Will send you a test program offlist.

- Original Message -
> From: "Budur Nagaraju" 
> To: "Alon Bar-Lev" 
> Cc: "Fabian Deutsch" , users@ovirt.org
> Sent: Wednesday, September 16, 2015 10:49:48 AM
> Subject: Re: [ovirt-users] Issues while deploying
> 
> Tried manually connecting via SSH and I am able to log in, but while adding
> the host it is unable to connect.
> 
> Below is the ssh-keyscan,
> 
> [root@cstlb2 ~]#  ssh-keyscan 10.204.206.7
> # 10.204.206.7 SSH-2.0-OpenSSH_6.6.1
> 10.204.206.7 ssh-rsa
> B3NzaC1yc2EDAQABAAABAQDTFQooTNdLyckvBUZKMDVvbhW1NR2WG/zUm941XpEvxSo35rXdUxJV/SyBq2xNiueXDB/H2yJ/SMPrczAnmyzCT9JYjeiwDTsx0l6s9X8dO3jGYHWhGk5Ls4S8pVZRhUYR7jPXPHpT5U4OQGaGMkUsR+cf5Vk6ehw1gROhvB+g0+vyjuwNAX2vLlfYHX0orjA4pvDHFtcd5/+1er8k2wY3zY20V9dRYAejXvnhthx6sZpkIoI4nTxLmu2rKkwQVBSNPfc6sI4Zmh03CHAnn+5CYOKGWVgCH/niXBiAzNXs996c62EoNBI0HEjWklj3zZ3hl27lgsf+Euoy+XTcvZfn
> [root@cstlb2 ~]#
> 
> 
> On Wed, Sep 16, 2015 at 1:08 PM, Alon Bar-Lev  wrote:
> 
> >
> > java.io.IOException: SSH session closed during connection '
> > root@10.204.206.7'
> >
> > Please try to connect manually using ssh.
> > please provide output of ssh-keyscan 10.204.206.7.
> >
> > thanks!
> >
> > - Original Message -
> > > From: "Budur Nagaraju" 
> > > To: "Fabian Deutsch" 
> > > Cc: "Alon Bar-Lev" , users@ovirt.org
> > > Sent: Wednesday, September 16, 2015 10:32:52 AM
> > > Subject: Re: [ovirt-users] Issues while deploying
> > >
> > > HI All,
> > >
> > > Installed the node from the mentioned URL and am facing issues while adding
> > > the node; below are the logs:
> > >
> > >
> > >
> > > [root@cstlb2 ~]# tail -f /var/log/ovirt-engine/engine.log
> > > at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
> > > at org.jboss.web.rewrite.RewriteValve.invoke(RewriteValve.java:466)
> > > at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> > > at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
> > > at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:505)
> > > at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:445)
> > > at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
> > > at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_85]
> > >
> > > 2015-09-16 13:00:20,598 WARN  [org.ovirt.engine.core.bll.AddVdsCommand] (ajp--127.0.0.1-8702-7) [3b0b9751] CanDoAction of action AddVds failed for user admin@internal. Reasons: VAR__ACTION__ADD,VAR__TYPE__HOST,$server 10.204.206.7,VDS_CANNOT_CONNECT_TO_SERVER
> > > 2015-09-16 13:01:06,656 ERROR [org.ovirt.engine.core.bll.AddVdsCommand] (ajp--127.0.0.1-8702-1) [1ec16662] Failed to establish session with host testing: java.io.IOException: SSH session closed during connection 'root@10.204.206.7'
> > > at org.ovirt.engine.core.uutils.ssh.SSHClient.connect(SSHClient.java:309) [uutils.jar:]
> > > at org.ovirt.engine.core.bll.utils.EngineSSHClient.connect(EngineSSHClient.java:59) [bll.jar:]
> > > at org.ovirt.engine.core.bll.AddVdsCommand.canConnect(AddVdsCommand.java:465) [bll.jar:]
> > > at org.ovirt.engine.core.bll.AddVdsCommand.canDoAction(AddVdsCommand.java:364) [bll.jar:]
> > > at org.ovirt.engine.core.bll.CommandBase.internalCanDoAction(CommandBase.java:768) [bll.jar:]
> > > at org.ovirt.engine.core.bll.CommandBase.executeAction(CommandBase.java:347) [bll.jar:]
> > > at org.ovirt.engine.core.bll.Backend.runAction(Backend.java:435) [bll.jar:]
> > > at org.ovirt.engine.core.bll.Backend.runActionImpl(Backend.java:416) [bll.jar:]
> > > at org.ovirt.engine.core.bll.Backend.runAction(Backend.java:374) [bll.jar:]
> > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_85]
> > > at sun.reflect.NativeMethodA

Re: [ovirt-users] Issues while deploying

2015-09-16 Thread Alon Bar-Lev

java.io.IOException: SSH session closed during connection 'root@10.204.206.7'

Please try to connect manually using ssh.
please provide output of ssh-keyscan 10.204.206.7.

thanks!

- Original Message -
> From: "Budur Nagaraju" 
> To: "Fabian Deutsch" 
> Cc: "Alon Bar-Lev" , users@ovirt.org
> Sent: Wednesday, September 16, 2015 10:32:52 AM
> Subject: Re: [ovirt-users] Issues while deploying
> 
> HI All,
> 
> Installed the node from the mentioned URL and am facing issues while adding
> the node; below are the logs:
> 
> 
> 
> [root@cstlb2 ~]# tail -f /var/log/ovirt-engine/engine.log
> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
> at org.jboss.web.rewrite.RewriteValve.invoke(RewriteValve.java:466)
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
> at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:505)
> at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:445)
> at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_85]
> 
> 2015-09-16 13:00:20,598 WARN  [org.ovirt.engine.core.bll.AddVdsCommand] (ajp--127.0.0.1-8702-7) [3b0b9751] CanDoAction of action AddVds failed for user admin@internal. Reasons: VAR__ACTION__ADD,VAR__TYPE__HOST,$server 10.204.206.7,VDS_CANNOT_CONNECT_TO_SERVER
> 2015-09-16 13:01:06,656 ERROR [org.ovirt.engine.core.bll.AddVdsCommand] (ajp--127.0.0.1-8702-1) [1ec16662] Failed to establish session with host testing: java.io.IOException: SSH session closed during connection 'root@10.204.206.7'
> at org.ovirt.engine.core.uutils.ssh.SSHClient.connect(SSHClient.java:309) [uutils.jar:]
> at org.ovirt.engine.core.bll.utils.EngineSSHClient.connect(EngineSSHClient.java:59) [bll.jar:]
> at org.ovirt.engine.core.bll.AddVdsCommand.canConnect(AddVdsCommand.java:465) [bll.jar:]
> at org.ovirt.engine.core.bll.AddVdsCommand.canDoAction(AddVdsCommand.java:364) [bll.jar:]
> at org.ovirt.engine.core.bll.CommandBase.internalCanDoAction(CommandBase.java:768) [bll.jar:]
> at org.ovirt.engine.core.bll.CommandBase.executeAction(CommandBase.java:347) [bll.jar:]
> at org.ovirt.engine.core.bll.Backend.runAction(Backend.java:435) [bll.jar:]
> at org.ovirt.engine.core.bll.Backend.runActionImpl(Backend.java:416) [bll.jar:]
> at org.ovirt.engine.core.bll.Backend.runAction(Backend.java:374) [bll.jar:]
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_85]
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> [rt.jar:1.7.0_85]
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> [rt.jar:1.7.0_85]
> at java.lang.reflect.Method.invoke(Method.java:606)
> [rt.jar:1.7.0_85]
> at
> org.jboss.as.ee.component.ManagedReferenceMethodInterceptorFactory$ManagedReferenceMethodInterceptor.processInvocation(ManagedReferenceMethodInterceptorFactory.java:72)
> [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
> at
> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
> [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
> at
> org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:374)
> [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
> at
> org.jboss.as.weld.ejb.Jsr299BindingsInterceptor.delegateInterception(Jsr299BindingsInterceptor.java:114)
> [jboss-as-weld-7.1.1.Final.jar:7.1.1.Final]
> at
> org.jboss.as.weld.ejb.Jsr299BindingsInterceptor.doMethodInterception(Jsr299BindingsInterceptor.java:125)
> [jboss-as-weld-7.1.1.Final.jar:7.1.1.Final]
> at
> org.jboss.as.weld.ejb.Jsr299BindingsInterceptor.processInvocation(Jsr299BindingsInterceptor.java:135)
> [jboss-as-weld-7.1.1.Final.jar:7.1.1.Final]
> at
> org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:36)
> [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
> at
> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
> [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
> at
> org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:374)
> [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
> at
> org.ovirt.engine.core.bll.interceptors.

Re: [ovirt-users] Extension aaa: No search for principal

2015-09-15 Thread Alon Bar-Lev


- Original Message -
> From: "Daniel Helgenberger" 
> To: "Alon Bar-Lev" 
> Cc: Users@ovirt.org
> Sent: Tuesday, September 15, 2015 11:09:45 PM
> Subject: Re: [ovirt-users] Extension aaa: No search for principal
> 
> I think I did find the issue here;
> 
> my domain is named int.corp.com
> 
> I have defined several UPN aliases and our real world users do use the UPN
> @corp.com.
> 
> Using some internal user with UPN int.corp.com the authentication works as
> expected; while my real world users fail.
> 
> I tried to create a new profile for that; but it fails to load of course
> because the domain corp.com cannot be connected to.
> 

The user is a UPN; users should specify their full UPN if this is a non-default domain 
suffix.

you do not need a new profile.

in your case it would probably be us...@corp.com for user1.


Re: [ovirt-users] Extension aaa: No search for principal

2015-09-15 Thread Alon Bar-Lev


- Original Message -
> From: "Daniel Helgenberger" 
> To: "Alon Bar-Lev" 
> Cc: Users@ovirt.org
> Sent: Tuesday, September 15, 2015 2:41:02 PM
> Subject: Re: [ovirt-users] Extension aaa: No search for principal
> 
> 
> 
> On 11.09.2015 17:00, Alon Bar-Lev wrote:
> >
> >
> > - Original Message -
> >> From: "Daniel Helgenberger" 
> >> To: "Alon Bar-Lev" 
> >> Cc: Users@ovirt.org
> >> Sent: Friday, September 11, 2015 5:33:21 PM
> >> Subject: Re: [ovirt-users] Extension aaa: No search for principal
> >>
> >> sorry, forgot one:
> >>
> >> On 11.09.2015 12:48, Alon Bar-Lev wrote:
> >>> Hi!
> >>>
> >>> Thank you for the information, for some reason the administrator user
> >>> cannot be resolved to userPrincipalName during login, is it specific for
> >>> Administrator or any user?
> >> This is the default domain administrator account which exists in any
> >> forest. But just in case I created a new domain user just for the
> >> purpose; same outcome
> >
> Sorry for the delay, Alon.
> 
> > I am unsure what actually happens...
> I might have an idea, at least from the commands you supplied.
> 
> > Something in global catalog is out of sync.
> > Usually - you do not add domain administrator to external application...
> > there is no need to expose it.
> > By default Administrator does not have "login from network" and "user
> > principal suffix".
> >
> > Also in my environment I do not get result for administrator, but I do get
> > one for regular user that has upn suffix in user record, you can see these
> > fields in user and domain manager.
> >
> > So please use regular unprivileged users which belongs to "Domain Users"
> > from now on.
> >
> > To test if user has userPrincipalName use the following command (assuming
> > we search for u...@int.corp.de):
> >
> > $ ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H
> > ldap://qa1.qa.lab.tlv.redhat.com:3268/ -x -D 'b...@int.corp.de' -w
> > PASSWORD -b '' '(userPrincipalName=u...@int.corp.de)' cn userPrincipalName
> It seems with Active Directory (at least) the search base cannot be
> empty (-b '') but needs to be provided.
> 
> In my case, the above command fails with:
> > # search result
> > search: 2
> > result: 32 No such object
> > text: 208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT), data 0,
> > best match of:
> 
> While adding the most basic search path it succeeds:
> 
> $ ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H
> ldap://int.corp.de:389/ -x -D 'b...@int.corp.de' -w PASSWORD -b
> 'dc=int,dc=corp,dc=de' '(userPrincipalName=administra...@int.corp.de)'
> cn userPrincipalName
> > # search reference
> > ref:
> > ldap://ForestDnsZones.int.corp.de/DC=ForestDnsZones,DC=int,DC=corp,DC=de
> >
> > # search reference
> > ref:
> > ldap://DomainDnsZones.int.corp.de/DC=DomainDnsZones,DC=int,DC=corp,DC=de
> >
> > # search reference
> > ref: ldap://int.corp.de/CN=Configuration,DC=int,DC=corp,DC=de
> >
> > # search result
> > search: 2
> > result: 0 Success
> > control: 1.2.840.113556.1.4.319 false DDDSSSDDMM=
> > pagedresults: cookie=
> >
> > # numResponses: 4
> > # numReferences: 3

But I asked to query a specific port... the global catalog, port 3268, see my 
command above.

> 
> It succeeds with every user I tried.

What we see is not a success... :(
I also asked not to use Administrator as the reference user; please create a 
standard non-privileged user for these tests, so we skip the oddness of the builtin 
Administrator for now.


> I would set the search base; but i am not sure where to do so.
> 
> >
> > This should find the user (return one result), if not, please checkout user
> > in Users and Domains manager for the domain suffix, maybe it is empty.
> >
> > To find user without userPrincipalName such as Administrator use the
> > following command:
> >
> > $ ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H
> > ldap://qa1.qa.lab.tlv.redhat.com:3268/ -x -D 'b...@int.corp.de' -w
> > PASSWORD -b '' '(sAMAccountName=user)' cn userPrincipalName
> >
> > For example, the above will work for Administrator, but for kerberos to
> > work properly user principal name must be defined, so these users will not
> > work.
> >
> > You can dump entire G

Re: [ovirt-users] Extension aaa: No search for principal

2015-09-11 Thread Alon Bar-Lev


- Original Message -
> From: "Daniel Helgenberger" 
> To: "Alon Bar-Lev" 
> Cc: Users@ovirt.org
> Sent: Friday, September 11, 2015 5:33:21 PM
> Subject: Re: [ovirt-users] Extension aaa: No search for principal
> 
> sorry, forgot one:
> 
> On 11.09.2015 12:48, Alon Bar-Lev wrote:
> > Hi!
> >
> > Thank you for the information, for some reason the administrator user
> > cannot be resolved to userPrincipalName during login, is it specific for
> > Administrator or any user?
> This is the default domain administrator account which exists in any
> forest. But just in case I created a new domain user just for the
> purpose; same outcome

I am unsure what actually happens...
Something in the global catalog is out of sync.
Usually you do not add the domain administrator to an external application... there 
is no need to expose it.
By default Administrator does not have "login from network" and "user principal 
suffix".

Also in my environment I do not get a result for Administrator, but I do get one 
for a regular user that has a UPN suffix in the user record; you can see these fields 
in the Users and Domains manager.

So please use regular unprivileged users which belong to "Domain Users" from 
now on.

To test if user has userPrincipalName use the following command (assuming we 
search for u...@int.corp.de):

$ ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H 
ldap://qa1.qa.lab.tlv.redhat.com:3268/ -x -D 'b...@int.corp.de' -w PASSWORD -b 
'' '(userPrincipalName=u...@int.corp.de)' cn userPrincipalName

This should find the user (return one result), if not, please checkout user in 
Users and Domains manager for the domain suffix, maybe it is empty.

To find user without userPrincipalName such as Administrator use the following 
command:

$ ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H 
ldap://qa1.qa.lab.tlv.redhat.com:3268/ -x -D 'b...@int.corp.de' -w PASSWORD -b 
'' '(sAMAccountName=user)' cn userPrincipalName

For example, the above will work for Administrator, but for kerberos to work 
properly user principal name must be defined, so these users will not work.

You can dump entire GC and send me a user record if no result so I can 
determine what is different from expectations:

$ ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H 
ldap://qa1.qa.lab.tlv.redhat.com:3268/ -x -D 'b...@int.corp.de' -w PASSWORD -b 
'' > /tmp/dump.out

Regards,
Alon
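The two checks this thread keeps coming back to, turned into a small script: the reply further up (users with a non-default UPN suffix must log in with their full UPN) and the ldapsearch commands above (query the global catalog on 3268, then look at whether the result actually contains an entry). This is an added example for the thread, not code from oVirt or from ovirt-engine-extension-aaa-ldap. The default domain int.corp.de, the global-catalog URL and the two sample ldapsearch outputs are constructed for illustration. It also escapes the login before it goes into the filter, since a login string placed unescaped into `(userPrincipalName=...)` is an LDAP filter injection.

```python
"""Check an AD user's userPrincipalName the way the thread does, safely.

Added example for this thread; not oVirt / ovirt-engine-extension-aaa-ldap code.
The default domain, the GC URL and the sample LDIF outputs are constructed.
"""
import shlex
from typing import List

DEFAULT_DOMAIN = "int.corp.de"                # assumed: the thread's vars.domain
GC_URL = f"ldap://{DEFAULT_DOMAIN}:3268/"     # assumed: global catalog, not port 389

# RFC 4515 escaping: a login typed by a user ends up inside the search filter,
# so it must not be able to change the filter's structure (LDAP filter injection).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def to_upn(login: str, default_domain: str = DEFAULT_DOMAIN) -> str:
    """A bare name gets the default suffix; a supplied suffix (for example an
    alias UPN such as user1@corp.com) is kept, which is what the replies above
    tell users with a non-default suffix to do."""
    login = login.strip()
    if not login or login.count("@") > 1:
        raise ValueError(f"malformed login: {login!r}")
    return login if "@" in login else f"{login}@{default_domain}"


def upn_filter(login: str) -> str:
    return f"(userPrincipalName={escape_filter_value(to_upn(login))})"


def sam_filter(account: str) -> str:
    """For accounts with no UPN, such as the builtin Administrator. As the thread
    notes, such accounts cannot authenticate through Kerberos anyway."""
    return f"(sAMAccountName={escape_filter_value(account)})"


def ldapsearch_argv(bind_dn: str, password: str, ldap_filter: str,
                    url: str = GC_URL) -> List[str]:
    """argv for the ldapsearch call used in the thread: global catalog, empty base,
    paged results, unwrapped LDIF. A list, so the shell never sees the password
    or the filter unquoted."""
    return ["ldapsearch", "-E", "pr=1024/noprompt", "-o", "ldif-wrap=no",
            "-H", url, "-x", "-D", bind_dn, "-w", password, "-b", "",
            ldap_filter, "cn", "userPrincipalName"]


def summarize_ldif(ldif: str) -> dict:
    """Distinguish real entries from search references. The output quoted above
    ends in 'result: 0 Success' yet contains only 'ref:' lines: that is a
    successful search that found nobody, not a found user."""
    lines = ldif.splitlines()
    entries = sum(1 for line in lines if line.startswith("dn:"))
    refs = sum(1 for line in lines if line.startswith("ref:"))
    upn = next((line.split(":", 1)[1].strip() for line in lines
                if line.startswith("userPrincipalName:")), None)
    return {"entries": entries, "references": refs, "found": entries == 1, "upn": upn}


# Constructed sample shaped like the paste above: references only, no entry.
SAMPLE_NOT_FOUND = """\
# search reference
ref: ldap://ForestDnsZones.int.corp.de/DC=ForestDnsZones,DC=int,DC=corp,DC=de

# search reference
ref: ldap://DomainDnsZones.int.corp.de/DC=DomainDnsZones,DC=int,DC=corp,DC=de

# search result
search: 2
result: 0 Success

# numResponses: 3
# numReferences: 2
"""

# Constructed sample for a user whose UPN suffix is an alias of the domain.
SAMPLE_FOUND = """\
# user1, Users, int.corp.de
dn: CN=user1,CN=Users,DC=int,DC=corp,DC=de
cn: user1
userPrincipalName: user1@corp.com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

if __name__ == "__main__":
    argv = ldapsearch_argv("bind@int.corp.de", "PASSWORD", upn_filter("user1@corp.com"))
    print(" ".join(shlex.quote(a) for a in argv))
    print(summarize_ldif(SAMPLE_NOT_FOUND))
    print(summarize_ldif(SAMPLE_FOUND))
```

Run it as-is to see the command line the thread asks for and the two summaries; feed `summarize_ldif` the real ldapsearch output to tell "search succeeded, user not found" (only `ref:` lines) from "user found" (exactly one `dn:` entry).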


Re: [ovirt-users] Extension aaa: No search for principal

2015-09-11 Thread Alon Bar-Lev
Hi!

Thank you for the information, for some reason the administrator user cannot be 
resolved to userPrincipalName during login, is it specific for Administrator or 
any user?

Can you please attach the extension configuration for both authn/authz as well?

I will also need debug log with ALL level, see [1] for instructions.

Thanks!
Alon

[1] 
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0#l377

- Original Message -
> From: "Daniel Helgenberger" 
> To: Users@ovirt.org
> Sent: Friday, September 11, 2015 1:28:10 PM
> Subject: [ovirt-users] Extension aaa: No search for principal
> 
> Hello,
> 
> I am stuck in configuring ovirt-engine-extension-aaa-ldap with AD for
> ovirt 3.5.4. I am following the [readme.md] and so far it was quite
> straightforward:
> > include = 
> >
> > #
> > # Active directory domain name.
> > #
> > vars.domain = int.corp.de
> >
> > #
> > # Search user and its password.
> > #
> > vars.user = bind@${global:vars.domain}
> > vars.password = [redacted]
> >
> > #
> > # Optional DNS servers, if enterprise
> > # DNS server cannot resolve the domain srvrecord.
> > #
> > #vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}
> >
> > pool.default.serverset.type = srvrecord
> > pool.default.serverset.srvrecord.domain = ${global:vars.domain}
> > pool.default.auth.simple.bindDN = ${global:vars.user}
> > pool.default.auth.simple.password = ${global:vars.password}
> >
> > # Uncomment if using custom DNS
> > #pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url
> > = ${global:vars.dns}
> > #pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
> >
> > # Create keystore, import certificate chain and uncomment
> > # if using ssl/tls.
> > #pool.default.ssl.startTLS = true
> > #pool.default.ssl.truststore.file =
> > ${local:_basedir}/${global:vars.domain}.jks
> > #pool.default.ssl.truststore.password = changeit
> 
> 
> 
> The config seems to work; at least the domain and binddn part. I can
> browse and add users to ovirt as suggested in step (3). All quotes are
> from engine.log:
> 
> > 2015-09-11 11:54:50,261 INFO
> > [org.ovirt.engine.core.bll.AddSystemPermissionCommand]
> > (org.ovirt.thread.pool-8-thread-24) [73bff0e9] Running command:
> > AddSystemPermissionCommand internal: false. Entities affected :  ID:
> > aaa0----123456789aaa Type: SystemAction group
> > MANIPULATE_PERMISSIONS with role type USER,  ID:
> > aaa0----123456789aaa Type: SystemAction group
> > ADD_USERS_AND_GROUPS_FROM_DIRECTORY with role type USER
> > 2015-09-11 11:54:50,268 INFO
> > [org.ovirt.engine.core.bll.aaa.AddUserCommand]
> > (org.ovirt.thread.pool-8-thread-24) [21867e72] Running command:
> > AddUserCommand internal: true. Entities affected :  ID:
> > aaa0----123456789aaa Type: SystemAction group
> > MANIPULATE_USERS with role type ADMIN
> > 2015-09-11 11:54:50,301 INFO
> > [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> > (org.ovirt.thread.pool-8-thread-24) [21867e72] Correlation ID: 21867e72,
> > Call Stack: null, Custom Event ID: -1, Message: User 'Administrator' was
> > added successfully to the system.
> > 2015-09-11 11:54:50,379 INFO
> > [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> > (org.ovirt.thread.pool-8-thread-24) [21867e72] Correlation ID: 73bff0e9,
> > Call Stack: null, Custom Event ID: -1, Message: User/Group Administrator
> > was granted permission for Role SuperUser on System by admin@internal.
> 
> Yet, when logging in as a user administrator I get:
> 
> > {Extkey[name=EXTENSION_INVOKE_RESULT;type=class
> > java.lang.Integer;uuid=EXTENSION_INVOKE_RESULT[0909d91d-8bde-40fb-b6c0-099c772ddd4e];]=2,
> > Extkey[name=EXTENSION_INVOKE_MESSAGE;type=class
> > java.lang.String;uuid=EXTENSION_INVOKE_MESSAGE[b7b053de-dc73-4bf7-9d26-b8bdb72f5893];]=No
> > search for principal 'administra...@int.corp.com'}
> 
> Followed by a java stack trace.
> I did not find any configurable search path.
> 
> The config seems to load:
> > 2015-09-11 12:01:34,897 INFO
> > [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
> > thread 1-2) Loading extension 'builtin-authn-internal'
> > 2015-09-11 12:01:34,903 INFO
> > [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
> > thread 1-2) Extension 'builtin-authn-internal' loaded
> > 2015-09-11 12:01:34,905 INFO
> > [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
> > thread 1-2) Loading extension 'internal'
> > 2015-09-11 12:01:34,907 INFO
> > [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
> > thread 1-2) Extension 'internal' loaded
> > 2015-09-11 12:01:34,919 INFO
> > [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service
> > thread 1-2) Loading extension 'corp-authn'
> > 2015-09-11 12:01:34,967 INFO
> > [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC ser

Re: [ovirt-users] Issues while deploying

2015-09-11 Thread Alon Bar-Lev

Indeed.
Fabian, where is the 3.5 node iso located?
Should be at[1], right?

[1] http://resources.ovirt.org/pub/ovirt-3.5/iso/

- Original Message -
> From: "Budur Nagaraju" 
> To: "Alon Bar-Lev" 
> Cc: users@ovirt.org
> Sent: Friday, September 11, 2015 12:18:49 PM
> Subject: Re: [ovirt-users] Issues while deploying
> 
> Hi Alon,
> 
> No ISO is available in the mentioned URL.
> 
> Thanks,
> Nagaraju
> 
> 
> On Thu, Sep 10, 2015 at 5:15 PM, Alon Bar-Lev  wrote:
> 
> >
> >
> > - Original Message -
> > > From: "Budur Nagaraju" 
> > > To: "Alon Bar-Lev" 
> > > Cc: users@ovirt.org
> > > Sent: Thursday, September 10, 2015 2:41:28 PM
> > > Subject: Re: [ovirt-users] Issues while deploying
> > >
> > > Hi Alon,
> > >
> > > Thanks for your quick response,
> > >
> > > How to resolve this ? in the ovirt portal I have not found the latest one
> > > hypervisor node.
> >
> > Try[1].
> > When it comes up again.
> >
> > [1] http://resources.ovirt.org/pub/ovirt-3.5/iso/
> >
> >
> > >
> > > Thanks
> > > On Sep 10, 2015 5:04 PM, "Alon Bar-Lev"  wrote:
> > >
> > > >
> > > > - Original Message -
> > > > > From: "Budur Nagaraju" 
> > > > > To: users@ovirt.org
> > > > > Sent: Thursday, September 10, 2015 6:18:36 AM
> > > > > Subject: [ovirt-users] Issues while deploying
> > > > >
> > > > > HI
> > > > >
> > > > > Installed ovirt3.5 and while adding ovirt-node it's getting stuck at
> > > > > "non-responsive" state, as shown in the screenshot.
> > > >
> > > > Non operational != non responsive :)
> > > >
> > > > > Below are the the ovirt-Engine logs,
> > > >
> > > > Next time please attach logs.
> > > >
> > > > As far as I can see the following is the actual issue:
> > > >
> > > > 2015-09-10 08:45:42,384 INFO
> > > > [org.ovirt.engine.core.vdsbroker.SetVdsStatusVDSCommand]
> > > > (DefaultQuartzScheduler_Worker-74) [41a02af3] START,
> > > > SetVdsStatusVDSCommand(HostName = test, HostId =
> > > > 400e5335-5e1c-4d7c-8470-d13b5438ad4a, status=NonOperational,
> > > > nonOperationalReason=CLUSTER_VERSION_INCOMPATIBLE_WITH_CLUSTER,
> > > > stopSpmFailureLogged=false), log id: 4d27a1fe
> > > >
> > > > I guess the repository configuration of the host is ovirt-3.4 and not
> > > > ovirt-3.5.
> > > >
> > > > Regards,
> > > > Alon
> > > >
> > >


Re: [ovirt-users] Issues while deploying

2015-09-10 Thread Alon Bar-Lev


- Original Message -
> From: "Budur Nagaraju" 
> To: "Alon Bar-Lev" 
> Cc: users@ovirt.org
> Sent: Thursday, September 10, 2015 2:41:28 PM
> Subject: Re: [ovirt-users] Issues while deploying
> 
> Hi Alon,
> 
> Thanks for your quick response,
> 
> How to resolve this ? in the ovirt portal I have not found the latest one
> hypervisor node.

Try[1].
When it comes up again.

[1] http://resources.ovirt.org/pub/ovirt-3.5/iso/


> 
> Thanks
> On Sep 10, 2015 5:04 PM, "Alon Bar-Lev"  wrote:
> 
> >
> > - Original Message -
> > > From: "Budur Nagaraju" 
> > > To: users@ovirt.org
> > > Sent: Thursday, September 10, 2015 6:18:36 AM
> > > Subject: [ovirt-users] Issues while deploying
> > >
> > > HI
> > >
> > > Installed ovirt3.5 and while adding ovirt-node it's getting stuck at
> > > "non-responsive" state, as shown in the screenshot.
> >
> > Non operational != non responsive :)
> >
> > > Below are the the ovirt-Engine logs,
> >
> > Next time please attach logs.
> >
> > As far as I can see the following is the actual issue:
> >
> > 2015-09-10 08:45:42,384 INFO
> > [org.ovirt.engine.core.vdsbroker.SetVdsStatusVDSCommand]
> > (DefaultQuartzScheduler_Worker-74) [41a02af3] START,
> > SetVdsStatusVDSCommand(HostName = test, HostId =
> > 400e5335-5e1c-4d7c-8470-d13b5438ad4a, status=NonOperational,
> > nonOperationalReason=CLUSTER_VERSION_INCOMPATIBLE_WITH_CLUSTER,
> > stopSpmFailureLogged=false), log id: 4d27a1fe
> >
> > I guess the repository configuration of the host is ovirt-3.4 and not
> > ovirt-3.5.
> >
> > Regards,
> > Alon


Re: [ovirt-users] Issues while deploying

2015-09-10 Thread Alon Bar-Lev

- Original Message -
> From: "Budur Nagaraju" 
> To: users@ovirt.org
> Sent: Thursday, September 10, 2015 6:18:36 AM
> Subject: [ovirt-users] Issues while deploying
> 
> HI
> 
> Installed ovirt3.5 and while adding ovirt-node it's getting stuck at
> "non-responsive" state, as shown in the screenshot.

Non operational != non responsive :)

> Below are the the ovirt-Engine logs,

Next time please attach logs.

As far as I can see the following is the actual issue:

2015-09-10 08:45:42,384 INFO  
[org.ovirt.engine.core.vdsbroker.SetVdsStatusVDSCommand] 
(DefaultQuartzScheduler_Worker-74) [41a02af3] START, 
SetVdsStatusVDSCommand(HostName = test, HostId = 
400e5335-5e1c-4d7c-8470-d13b5438ad4a, status=NonOperational, 
nonOperationalReason=CLUSTER_VERSION_INCOMPATIBLE_WITH_CLUSTER, 
stopSpmFailureLogged=false), log id: 4d27a1fe

I guess the repository configuration of the host is ovirt-3.4 and not ovirt-3.5.

Regards,
Alon


Re: [ovirt-users] Question about upgrading ovirt 3.5.3 to 3.5.4

2015-09-09 Thread Alon Bar-Lev


- Original Message -
> From: "Jason Keltz" 
> To: "users" 
> Sent: Wednesday, September 9, 2015 10:08:31 PM
> Subject: [ovirt-users] Question about upgrading ovirt 3.5.3 to 3.5.4
> 
> Hi.
> 
> I have a system consisting of an engine + several hosts running 3.5.3,
> and I want to upgrade everything to 3.5.4.   According to the release
> notes, all I should do is:
> 
> > # yum update "ovirt-engine-setup*"
> > # engine-setup
> 
> I did this with engine, and it seemed to upgrade okay.
> 
> I'm puzzled whether this applies to the hosts as well?  The release
> notes aren't clear to me in that respect.
> 
> Thanks for any assistance!

At the host you can run "yum update", or "yum update vdsm" if you'd like to update a 
specific package.


Re: [ovirt-users] Problem with kerberos authentication and ovirt-engine-sdk-python

2015-09-04 Thread Alon Bar-Lev
Hi,

I guess this will be available only in 3.6, see[1].
You can probably use pre-release of the sdk for now.

Regards,
Alon

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1249485

- Original Message -
> From: "Martynov Alexander" 
> To: users@ovirt.org
> Sent: Friday, September 4, 2015 5:34:55 PM
> Subject: [ovirt-users] Problem with kerberos authentication and   
> ovirt-engine-sdk-python
> 
> Hello. I have problem with kerberos authentication. I use
> ovirt-engine-sdk-python from https://github.com/oVirt/ovirt-engine-sdk.git.
> 
> I have RHEL manager and IPA server.
> 
> I created a virtual machine and installed RedHat 7.0 on the vm.
> I ran the command ipa-client-install on this vm. The command id displayed a valid
> value for user admin.
> I got with wget ca.crt file from manager.
> 
> When I executed following commands:
> api = API(url="https://rhevm.dev.ru/ovirt-engine/api";,
> username="ad...@dev.ru", password="something", ca_file = "/tmp/ca.crt")
> that's all correct. I got api and I could use this api.
> 
> Then:
> I cloned git repo
> git clone https://github.com/oVirt/ovirt-engine-sdk.git
> created ovirt-engine-sdk-python rpm with kerberos authentication support.
> make rpm
> installed this package on my vm.
> rpm -ihv ovirt-engine-sdk-python-4.0.0.0-0.1.el7.noarch.rpm
> I got kerberos ticket:
> kinit admin
> klist displayed that is valid ticket.
> And when I executed following commands:
> api = API(url="https://rhevm.dev.ru/ovirt-engine/api";, kerberos = True,
> ca_file = "/tmp/ca.crt")
> I got error 401 Unauthorized.
> 
> What is incorrect?
> 
> Redhat 7.0, RHEL 3.5


Re: [ovirt-users] ovirt 3.5 engine web certificate

2015-08-31 Thread Alon Bar-Lev


- Original Message -
> From: "Baptiste Agasse" 
> To: "users" 
> Sent: Monday, August 31, 2015 6:54:28 PM
> Subject: [ovirt-users] ovirt 3.5 engine web certificate
> 
> Hi all,
> 
> I've followed the procedure to replace the self signed certificate with one issued
> by our internal PKI to avoid security failures when users access the webui
> (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html#Replacing_the_SSL_certificate_used_by_Red_Hat_Enterprise_Virtualization_Manager_to_identify_itself_to_users_connecting_over_https).
> The connection to the webui now works fine without any security warning (the
> internal PKI CA is in the trusted CA of our clients OS). But on the other
> hand, i've some troubles:
> 
> * I have to specify the --ca-file option for ovirt-shell and
> engine-iso-uploader (I didn't test the engine-image-upload command); it would
> be nice if the documentation provided a way to replace this by default (or
> use the trusted CA store of the OS?). This is not a bug, just some feedback
> on the certificate change procedure that doesn't cover these side effects.

This is [1]; probably you want to modify the configuration files of these tools 
in /etc so you will have proper defaults.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1146710

> * I can't add new ovirt-node anymore. 

If the ovirt-node was added using the previous certificate it "remembers" that 
certificate.
You can remove it from /etc/pki/vdsm/engine_web_ca.pem and try to register 
again.

> * The ovirt-hosted-engine --deploy fails
> on new nodes with an SSL error. To work around this I have to modify the file
> "/usr/lib/python2.7/site-packages/ovirtsdk/web/connection.py" around line
> 233 to make an insecure connection to the engine and add the new node. I
> haven't tested adding a new node from the ovirt engine cli/webui but I
> think it will be the same issue because the error occurs on the vdsm
> activation that is common to the 'new hosted engine node' and 'new node'
> deployment. I've seen https://bugzilla.redhat.com/show_bug.cgi?id=1059952
> but the workaround noted in comment #8 didn't work for me.

CC sandro for this.

> 
> Someone have more info on this issue or have the same problem ?
> 
> This deployment is on ovirt 3.5.3, CentOS 7 (engine and nodes).
> 
> Have a nice day.
> 
> Regards.
> 
> --
> Baptiste


Re: [ovirt-users] Stuck at "Enrolling serial console certificate"

2015-08-29 Thread Alon Bar-Lev


- Original Message -
> From: "Sahina Bose" 
> To: "Juan Hernández" , "Alon Bar-Lev" 
> Cc: "users" 
> Sent: Tuesday, August 25, 2015 5:40:07 PM
> Subject: Re: [ovirt-users] Stuck at "Enrolling serial console certificate"
> 
> 
> 
> On 08/21/2015 11:02 PM, Juan Hernández wrote:
> > On 08/21/2015 12:22 PM, Sahina Bose wrote:
> >>
> >> On 08/21/2015 03:50 PM, Alon Bar-Lev wrote:
> >>> Interesting.
> >>>
> >>> Please execute manually:
> >>>
> >>> # /usr/share/ovirt-engine/bin/pki-enroll-openssh-cert.sh
> >>> --name=rhsdev9.lab.eng.blr.redhat.com-ssh --host
> >>> --id=rhsdev9.lab.eng.blr.redhat.com
> >>> --principals=rhsdev9.lab.eng.blr.redhat.com --days=1825
> >>
> >> It returns immediately with:
> >> [root@dhcp43-86 ~]#
> >> /usr/share/ovirt-engine/bin/pki-enroll-openssh-cert.sh
> >> --name=rhsdev9.lab.eng.blr.redhat.com-ssh --host
> >> --id=rhsdev9.lab.eng.blr.redhat.com
> >> --principals=rhsdev9.lab.eng.blr.redhat.com --days=1825
> >> Signed host key
> >> /etc/pki/ovirt-engine/certs/rhsdev9.lab.eng.blr.redhat.com-ssh-cert.pub:
> >> id "rhsdev9.lab.eng.blr.redhat.com" serial 0 for
> >> rhsdev9.lab.eng.blr.redhat.com valid from 2015-08-21T02:51:27 to
> >> 2020-08-19T03:51:27
> >>
> >>
> > Check your SELinux log file. Most probably SELinux is blocking some
> > access to the generated files, and then ssh-keygen is asking
> > interactively, and thus blocking for ever.
> 
> 
> Thanks, Juan. I do see some AVC denial errors, but am yet to try with
> SELinux disabled. Will do so and report back.
> 
> /var/log/audit/audit.log:type=AVC msg=audit(1440108177.899:9542): avc:
> denied  { open } for  pid=11827 comm="ssh-keygen"
> path="/tmp/tmp.KlPjsec4X3" dev="dm-0" ino=102401913
> scontext=system_u:system_r:ssh_keygen_t:s0
> tcontext=system_u:object_r:init_tmp_t:s0 tclass=file
> 

This is bad: ssh-keygen should run within the same context as the 
caller, not switch into a different type.
Even if it switches into a different type, it should be permitted to access temp files.
Will try to figure out what the right solution is (if any).
Thanks Juan!

I opened [1] for followup.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1258154

> 
> ovirt11827 11821  0 Aug21 ?00:00:00 ssh-keygen -s
> /tmp/tmp.KlPjsec4X3 -I rhsdev9.lab.eng.blr.redhat.com -h -V -1h:+1825d
> -n rhsdev9.lab.eng.blr.redhat.com
> /etc/pki/ovirt-engine/certs/rhsdev9.lab.eng.blr.redhat.com-ssh.pub
> 
> 
> 
> >
> >>> let's see what happens.
> >>>
> >>> - Original Message -
> >>>> From: "Sahina Bose" 
> >>>> To: "Alon Bar-Lev" 
> >>>> Cc: "users" 
> >>>> Sent: Friday, August 21, 2015 1:15:03 PM
> >>>> Subject: Re: [ovirt-users] Stuck at "Enrolling serial console
> >>>> certificate"
> >>>>
> >>>>
> >>>>
> >>>> On 08/21/2015 02:58 PM, Alon Bar-Lev wrote:
> >>>>> the only thing I can think of is that your engine is out of random, so
> >>>>> it
> >>>>> waits for more to be able to generate a new key.
> >>>>> please while this is happening, execute: "find /" or anything that will
> >>>>> create some activity.
> >>>>> if that's not helping, please send me "ps -efa" output so at least I
> >>>>> see
> >>>>> what is running.
> >>>>> thanks!
> >>>> output of ps -efa
> >>>>
> >>>> http://fpaste.org/257513/44015204/
> >>>>
> >>>>
> >>>>> - Original Message -
> >>>>>> From: "Sahina Bose" 
> >>>>>> To: "Alon Bar-Lev" 
> >>>>>> Cc: "users" 
> >>>>>> Sent: Friday, August 21, 2015 12:23:11 PM
> >>>>>> Subject: Re: [ovirt-users] Stuck at "Enrolling serial console
> >>>>>> certificate"
> >>>>>>
> >>>>>> Attached engine.log and host-deploy.log
> >>>>>>
> >>>>>>
> >>>>>> On 08/21/2015 02:29 PM, Alon Bar-Lev wrote:
> >>>>>>> Log would be nice.
> >>>>>>>
> >>>>>>> - Original Message -
> >>>>>>>> From: "Sahina Bose" 
> >>>>>>>> To: "users" 
> >>>>>>>> Sent: Friday, August 21, 2015 11:27:56 AM
> >>>>>>>> Subject: [ovirt-users] Stuck at "Enrolling serial console
> >>>>>>>> certificate"
> >>>>>>>>
> >>>>>>>> Hi all,
> >>>>>>>>
> >>>>>>>> While installing a host to ovirt-3.6 engine, the host installation
> >>>>>>>> is
> >>>>>>>> stuck at "Enrolling serial console certificate"
> >>>>>>>>
> >>>>>>>> I installed the engine from ovirt-release36, and answered No to
> >>>>>>>> setting
> >>>>>>>> up WebConsole-proxy as well as VM Console proxy on the engine.
> >>>>>>>>
> >>>>>>>> Does anyone know how to debug this?
> >>>>>>>>
> >>>>>>>> thanks
> >>>>>>>> sahina
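The AVC line Sahina pasted is the whole diagnosis: ssh-keygen ran as ssh_keygen_t and was denied "open" on a file labelled init_tmp_t, i.e. a temp file created before the domain transition. Below is an added example (not oVirt code) that parses audit.log AVC records into their fields, flags exactly that pattern (a denied access from one domain to a *_tmp_t file labelled for a different domain) and counts denials per source type, target type, class and permission, which is the granularity a policy rule or an audit2allow run works at. The first sample line is the one from the message above; the second (a follow-up "read" denial) and the third (a SYSCALL record that must be skipped) are constructed.

```python
"""Parse SELinux AVC denials and flag cross-domain temp-file denials.

Added example for this thread, not oVirt code. Sample line 1 is from the
message above; lines 2 and 3 are constructed.
"""
import re
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, Optional

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+)\.\d+:(?P<serial>\d+)\): avc:\s+"
    r"(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context: str) -> str:
    """user:role:type:level -> type"""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def parse_avc(line: str) -> Optional[dict]:
    m = AVC_RE.search(line)
    if not m:
        return None                      # SYSCALL, CWD, PATH ... records are ignored
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "time": datetime.fromtimestamp(int(m.group("ts")), tz=timezone.utc),
        "serial": int(m.group("serial")),
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", ""),
        "path": fields.get("path", ""),
        "tclass": fields.get("tclass", ""),
        "source_type": selinux_type(fields.get("scontext", "")),
        "target_type": selinux_type(fields.get("tcontext", "")),
    }


def is_foreign_tmp_denial(rec: dict) -> bool:
    """True when a denied access targets a *_tmp_t file whose label does not
    belong to the source domain (ssh_keygen_t vs init_tmp_t above): the file
    was created by the caller's domain before the helper transitioned."""
    src, tgt = rec["source_type"], rec["target_type"]
    prefix = src[:-2] if src.endswith("_t") else src
    return (rec["decision"] == "denied" and tgt.endswith("_tmp_t")
            and not tgt.startswith(prefix))


def summarize(audit_text: str) -> Dict[tuple, int]:
    """Count denials per (source type, target type, class, permission)."""
    counts: Counter = Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["source_type"], rec["target_type"], rec["tclass"], perm)] += 1
    return dict(counts)


# Line 1: the denial quoted in the thread. Lines 2 and 3: constructed.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1440108177.899:9542): avc:  denied  { open } for  pid=11827 comm="ssh-keygen" path="/tmp/tmp.KlPjsec4X3" dev="dm-0" ino=102401913 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file
type=AVC msg=audit(1440108177.901:9543): avc:  denied  { read } for  pid=11827 comm="ssh-keygen" path="/tmp/tmp.KlPjsec4X3" dev="dm-0" ino=102401913 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:init_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1440108177.899:9542): arch=c000003e syscall=2 success=no exit=-13 comm="ssh-keygen"
"""

if __name__ == "__main__":
    for line in SAMPLE_AUDIT.splitlines():
        rec = parse_avc(line)
        if rec:
            print(rec["time"].isoformat(), rec["comm"], rec["source_type"], "->",
                  rec["target_type"], rec["perms"], "foreign tmp:",
                  is_foreign_tmp_denial(rec))
    print(summarize(SAMPLE_AUDIT))
```

Point it at /var/log/audit/audit.log on the engine while host-deploy is hanging; a hit from `is_foreign_tmp_denial` for comm="ssh-keygen" is the symptom Juan described, and the summary gives the rule that would need to exist (or, as Alon says, the transition that should not have happened).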


Re: [ovirt-users] Stuck at "Enrolling serial console certificate"

2015-08-21 Thread Alon Bar-Lev

Interesting.

Please execute manually:

# /usr/share/ovirt-engine/bin/pki-enroll-openssh-cert.sh 
--name=rhsdev9.lab.eng.blr.redhat.com-ssh --host 
--id=rhsdev9.lab.eng.blr.redhat.com --principals=rhsdev9.lab.eng.blr.redhat.com 
--days=1825

let's see what happens.

- Original Message -
> From: "Sahina Bose" 
> To: "Alon Bar-Lev" 
> Cc: "users" 
> Sent: Friday, August 21, 2015 1:15:03 PM
> Subject: Re: [ovirt-users] Stuck at "Enrolling serial console certificate"
> 
> 
> 
> On 08/21/2015 02:58 PM, Alon Bar-Lev wrote:
> > the only thing I can think of is that your engine is out of random, so it
> > waits for more to be able to generate a new key.
> > please while this is happening, execute: "find /" or anything that will
> > create some activity.
> > if that's not helping, please send me "ps -efa" output so at least I see
> > what is running.
> > thanks!
> 
> output of ps -efa
> 
> http://fpaste.org/257513/44015204/
> 
> 
> >
> > - Original Message -
> >> From: "Sahina Bose" 
> >> To: "Alon Bar-Lev" 
> >> Cc: "users" 
> >> Sent: Friday, August 21, 2015 12:23:11 PM
> >> Subject: Re: [ovirt-users] Stuck at "Enrolling serial console certificate"
> >>
> >> Attached engine.log and host-deploy.log
> >>
> >>
> >> On 08/21/2015 02:29 PM, Alon Bar-Lev wrote:
> >>> Log would be nice.
> >>>
> >>> - Original Message -
> >>>> From: "Sahina Bose" 
> >>>> To: "users" 
> >>>> Sent: Friday, August 21, 2015 11:27:56 AM
> >>>> Subject: [ovirt-users] Stuck at "Enrolling serial console certificate"
> >>>>
> >>>> Hi all,
> >>>>
> >>>> While installing a host to ovirt-3.6 engine, the host installation is
> >>>> stuck at "Enrolling serial console certificate"
> >>>>
> >>>> I installed the engine from ovirt-release36, and answered No to setting
> >>>> up WebConsole-proxy as well as VM Console proxy on the engine.
> >>>>
> >>>> Does anyone know how to debug this?
> >>>>
> >>>> thanks
> >>>> sahina
> >>>>
> >>
> 
> 


Re: [ovirt-users] Stuck at "Enrolling serial console certificate"

2015-08-21 Thread Alon Bar-Lev
the only thing I can think of is that your engine is out of random, so it waits 
for more to be able to generate a new key.
please while this is happening, execute: "find /" or anything that will create 
some activity.
if that's not helping, please send me "ps -efa" output so at least I see what 
is running.
thanks!

- Original Message -
> From: "Sahina Bose" 
> To: "Alon Bar-Lev" 
> Cc: "users" 
> Sent: Friday, August 21, 2015 12:23:11 PM
> Subject: Re: [ovirt-users] Stuck at "Enrolling serial console certificate"
> 
> Attached engine.log and host-deploy.log
> 
> 
> On 08/21/2015 02:29 PM, Alon Bar-Lev wrote:
> > Log would be nice.
> >
> > - Original Message -
> >> From: "Sahina Bose" 
> >> To: "users" 
> >> Sent: Friday, August 21, 2015 11:27:56 AM
> >> Subject: [ovirt-users] Stuck at "Enrolling serial console certificate"
> >>
> >> Hi all,
> >>
> >> While installing a host to ovirt-3.6 engine, the host installation is
> >> stuck at "Enrolling serial console certificate"
> >>
> >> I installed the engine from ovirt-release36, and answered No to setting
> >> up WebConsole-proxy as well as VM Console proxy on the engine.
> >>
> >> Does anyone know how to debug this?
> >>
> >> thanks
> >> sahina
> >>
> 
> 
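
A quick way to test the "engine is out of random" hypothesis raised in the message above. This is an added example, not part of the thread and not oVirt code. On Linux the kernel exposes its entropy pool under /proc/sys/kernel/random/; a process doing a blocking read of /dev/random, or a CSPRNG seeding from it, stalls until the pool refills, which is what a key-generation step that never finishes looks like from the outside. The 256-bit threshold and the wchan heuristic are assumptions made for this example, not oVirt behaviour.

```python
"""Added example (not oVirt code): is this host starved of kernel entropy,
and is anything sleeping on the pool right now?"""
import os
from dataclasses import dataclass, field
from typing import Dict, List

LOW_ENTROPY_BITS = 256  # assumption: below this, blocking /dev/random reads tend to stall


@dataclass
class EntropyReport:
    avail: int
    poolsize: int
    starved: bool
    blocked_pids: List[int] = field(default_factory=list)

    def summary(self) -> str:
        state = "STARVED" if self.starved else "ok"
        line = f"entropy {self.avail}/{self.poolsize} bits: {state}"
        if self.blocked_pids:
            pids = ", ".join(str(p) for p in self.blocked_pids)
            line += f"; tasks sleeping on the pool: {pids}"
        return line


def assess(avail: int, poolsize: int, wchans: Dict[int, str],
           threshold: int = LOW_ENTROPY_BITS) -> EntropyReport:
    """Decision logic kept apart from /proc access so it can be tested offline.

    wchans maps pid -> kernel wait channel (the text of /proc/<pid>/wchan).
    A task sleeping in a kernel function whose name contains "random" is
    treated as blocked on the entropy pool. That is a heuristic, not a
    guarantee; symbol names differ between kernel versions."""
    blocked = sorted(pid for pid, wc in wchans.items() if "random" in wc)
    return EntropyReport(avail, poolsize, avail < threshold, blocked)


def collect(proc: str = "/proc") -> EntropyReport:
    """Read the live kernel state (Linux only)."""
    def read_int(path: str) -> int:
        with open(path) as fh:
            return int(fh.read().strip())

    avail = read_int(f"{proc}/sys/kernel/random/entropy_avail")
    poolsize = read_int(f"{proc}/sys/kernel/random/poolsize")
    wchans: Dict[int, str] = {}
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        try:
            with open(f"{proc}/{name}/wchan") as fh:
                wchans[int(name)] = fh.read().strip()
        except OSError:
            continue  # task exited meanwhile, or not readable by this user
    return assess(avail, poolsize, wchans)


if __name__ == "__main__":
    print(collect().summary())
```

If the report says STARVED while host-deploy is stuck, generating disk or interrupt activity (the "find /" suggestion above) refills the pool, but the durable fix is an entropy daemon such as rngd (rng-tools) or haveged, or a hypervisor that exposes a virtio-rng device to the engine VM.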


Re: [ovirt-users] Stuck at "Enrolling serial console certificate"

2015-08-21 Thread Alon Bar-Lev

Log would be nice.

- Original Message -
> From: "Sahina Bose" 
> To: "users" 
> Sent: Friday, August 21, 2015 11:27:56 AM
> Subject: [ovirt-users] Stuck at "Enrolling serial console certificate"
> 
> Hi all,
> 
> While installing a host to ovirt-3.6 engine, the host installation is
> stuck at "Enrolling serial console certificate"
> 
> I installed the engine from ovirt-release36, and answered No to setting
> up WebConsole-proxy as well as VM Console proxy on the engine.
> 
> Does anyone know how to debug this?
> 
> thanks
> sahina
> 


Re: [ovirt-users] [ATN] LDAP Users please read

2015-08-10 Thread Alon Bar-Lev


- Original Message -
> From: "Alon Bar-Lev" 
> To: "Joop" 
> Cc: users@ovirt.org
> Sent: Thursday, August 6, 2015 7:05:38 PM
> Subject: Re: [ovirt-users] [ATN] LDAP Users please read
> 
> 
> 
> - Original Message -
> > From: "Joop" 
> > To: users@ovirt.org
> > Sent: Thursday, August 6, 2015 4:28:00 PM
> > Subject: Re: [ovirt-users] [ATN] LDAP Users please read
> > 
> > Hi Alon,
> > 
> > I'll take the bait :-)
> 
> Good!
>  
> > I have just installed the extension and the examples are there.
> > I also installed the migration tool. Now it comes.
> > We use Samba4 as our AD provider and have successfully connected
> > Foreman-1.8 to it using the cert that I got from the server.
> > The same cert doesn't work with the migration tool. So either I'm
> > confused or .. The first possibility is most likely. I always trip over
> > certs and terminology.
> > Error I got:
> > [root@mgmt01 ~]# ovirt-engine-kerbldap-migration-tool --debug --domain
> > ad.nieuwland.nl --cacert ad02.pem
> > [INFO   ] tool: ovirt-engine-kerbldap-migration-1.0.2
> > (ovirt-engine-kerbldap-migration-1.0.2-1.el6ev)
> > [INFO   ] Connecting to database
> > [INFO   ] Sanity checks
> > [INFO   ] Loading options
> > [INFO   ] Using ldap URI: ldap://ad01.ad.nieuwland.nl:389
> > [ERROR  ] Conversion failed: {'info': "TLS error -8172:Peer's
> > certificate issuer has been marked as not trusted by the user.", 'desc':
> > 'Connect error'}
> > 
> > And now...
> 
> Interesting.
> 
> Can you please attach the ad02.pem certificate, and paste the output of the
> following command?
> 
> $ openssl s_client -connect ad01.ad.nieuwland.nl:636 -showcerts < /dev/null
> 
> There is no leak of sensitive information, it will enable me to determine
> what is wrong.

Hi Joop,

I am curious what went wrong; when you find time, please send me the above 
information.

Thanks!
Alon


Re: [ovirt-users] [ATN] LDAP Users please read

2015-08-07 Thread Alon Bar-Lev


- Original Message -
> From: "Jason Keltz" 
> To: "Alon Bar-Lev" 
> Cc: users@ovirt.org
> Sent: Friday, August 7, 2015 4:12:40 PM
> Subject: Re: [ovirt-users] [ATN] LDAP Users please read
> 
> Hi Alon.
> 
> Thanks for your detailed response.
> 
> I decided to give the new system a try.  Rather than migrate, I prefer
> to re-add from scratch, so I did:
> 
> # engine-manage-domains delete --domain=EECS.YORKU.CA
> # systemctl restart ovirt-engine

Good, but you could have first added the new one and deleted the legacy one only 
after you had everything working :)
Not important right now.

> # yum install ovirt-engine-extension-aaa-ldap
> ... but I ran into my first trouble when I tried the following as per
> your AAA-LDAP documentation:
> 
> > QUICK START
> > ---
> >
> > USING INSTALLER
> >
> > Install ovirt-engine-extension-aaa-ldap-setup and execute:
> >
> >   # ovirt-engine-extension-aaa-ldap-setup
> >
> > The setup will guide you throughout the process of most common use cases.
> 
> There's no command ovirt-engine-extension-aaa-ldap-setup.  I checked the
> repository, and I can't find any package that includes that command.  I
> guess that's something in 3.6 only. I don't want to use the manual
> installation method.  The method that I use should match the simplicity
> of "engine-manage-domains".

Correct, this is new in 3.6; in 3.5 you should follow the documentation of 1.0 [1]

[1] 
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0

> I re-add back my existing domain so that I can "migrate" it. So..
> 
> # engine-manage-domains  add --domain=EECS.YORKU.CA --provider=ipa
> --user=ovirtadmin
> Enter password:
> 
> I downloaded the ovirt-engine-kerlab-migration-1.0.2-1.el7ev.noarch.rpm
> from
> https://github.com/machacekondra/ovirt-engine-kerbldap-migration/releases and
> installed it:
> 
> # rpm -i ovirt-engine-kerbldap-migration-1.0.2-1.el7ev.noarch.rpm
> 
> I need to provide to the tool the domain, and the cacert.  It's too bad
> about having to provide the cacert -- the previous method of specifying
> a provider, username, password, and auto-downloading the cert seemed
> more user friendly.  The documentation doesn't tell me where I might
> find the cacert.  Without much experience using the Red Hat IPA product,
> it's buried.  Is it the /root/cacert.p12 file?   I copied that file to
> /tmp on my engine server, and then:

There is no standard method to get the CA certificate. We provided some information 
at [1] under:
 "3. [Optional] Obtaining LDAP CA certificate."

"""
FreeIPA

Copy /etc/ipa/ca.crt to your oVirt machine into /tmp.
"""

[1] https://github.com/machacekondra/ovirt-engine-kerbldap-migration

> 
> # ovirt-engine-kerbldap-migration-tool --domain EECS.YORKU.CA --cacert
> /tmp/cacert.p12

The PKCS#12 file should never leave your IPA machine :)

> sh-4.2# ovirt-engine-kerbldap-migration-tool --domain EECS.YORKU.CA
> --cacert /home/jas/cacert.p12
> [INFO   ] tool: ovirt-engine-kerbldap-migration-1.0.2
> (ovirt-engine-kerbldap-migration-1.0.2-1.el7ev)
> [INFO   ] Connecting to database
> [INFO   ] Sanity checks
> [INFO   ] Loading options
> [ERROR  ] Conversion failed: Domain EECS.YORKU.CA not exists in
> configuration.
> 
> (minor correction in that last line: "does not exist" instead of "not
> exists").

thanks! will fix.

Can you please add --debug and --log=/tmp/debug.log and send us the debug.log? 
Probably we cannot resolve the DNS SRV record correctly.

$ dig +noall +answer srv _ldap._tcp.EECS.YORKU.CA

should return a set of LDAP servers for your domain; if you do not have an SRV 
record we can work around this by specifying a specific LDAP server using the 
--ldapserver parameter.

> Of course the domain does actually exist.  I can login to engine with my
> domain login.

Yes, true, the question is what is wrong in our conversion program :)

> 
> Jason.
> 
> 
> 
> 
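
The message above checks the _ldap._tcp.<domain> SRV record with dig and offers --ldapserver as the workaround when there is none. The following is an added example, not the migration tool's own code, showing what a client does with those records: RFC 2782 ordering (lower priority first, then weighted random choice within a priority), the "." target that means "service not offered", and the explicit-server fallback that plays the role of --ldapserver. SAMPLE_ZONE is constructed data in the shape dig returns, not a real zone.

```python
"""Added example (not the migration tool's code): turning _ldap._tcp SRV
records into an ordered list of LDAP URIs per RFC 2782."""
import random
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str  # host name, usually with a trailing dot; "." means not offered


def order_srv(records: Sequence[SRV], rng: Optional[random.Random] = None) -> List[SRV]:
    """Return usable records in RFC 2782 selection order."""
    rng = rng or random.Random()
    usable = [r for r in records if r.target != "."]
    ordered: List[SRV] = []
    for prio in sorted({r.priority for r in usable}):
        group = [r for r in usable if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            # Draw in [0, total], walk the running sum and take the first record
            # that reaches it. With all weights 0 the first record is taken.
            pick = rng.uniform(0, total) if total else 0
            running = 0
            chosen = group[-1]
            for r in group:
                running += r.weight
                if running >= pick:
                    chosen = r
                    break
            ordered.append(chosen)
            group.remove(chosen)
    return ordered


def ldap_uris(records: Sequence[SRV], domain: str, fallback: Optional[str] = None,
              rng: Optional[random.Random] = None, ldaps: bool = False) -> List[str]:
    """URIs to try, in order. With no usable SRV records the only safe move is
    an explicitly configured server; guessing a host name is not."""
    scheme = "ldaps" if ldaps else "ldap"
    ordered = order_srv(records, rng)
    if not ordered:
        if fallback is None:
            raise LookupError(f"no usable _ldap._tcp.{domain} SRV records and no explicit server")
        return [f"{scheme}://{fallback}"]
    # The SRV target, not the domain, is the name the server's TLS certificate
    # must match when STARTTLS or LDAPS is used.
    return [f"{scheme}://{r.target.rstrip('.')}:{r.port}" for r in ordered]


SAMPLE_ZONE = [  # constructed: shape of `dig +noall +answer srv _ldap._tcp.example.com`
    SRV(10, 60, 389, "ldap1.example.com."),
    SRV(10, 40, 389, "ldap2.example.com."),
    SRV(20, 0, 389, "ldap-backup.example.com."),
]

if __name__ == "__main__":
    for uri in ldap_uris(SAMPLE_ZONE, "example.com"):
        print(uri)
    print(ldap_uris([], "example.com", fallback="ldap1.example.com:389"))
```

Running it shows ldap1 and ldap2 in a weighted random order followed by ldap-backup every time; with an empty record set it returns only the explicit server.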


Re: [ovirt-users] [ATN] LDAP Users please read

2015-08-06 Thread Alon Bar-Lev


- Original Message -
> From: "Jason Keltz" 
> To: users@ovirt.org
> Sent: Thursday, August 6, 2015 7:47:26 PM
> Subject: Re: [ovirt-users] [ATN] LDAP Users please read
> 
> On 04.08.2015 09:56, Alon Bar-Lev wrote:
> >> Hello LDAP Users,
> >>
> >> If you migrated from 3.4 or if you used engine-manage-domains to add LDAP
> >> support into engine - this message is for you.
> >>
> >> In 3.5 we introduced a new LDAP provider[1][2], it is a superset of the
> >> previous implementation; highlights include:
> >>* Better response times.
> >>* Simplicity, Use of LDAP protocol only - kerberos is no longer needed.
> >>* More LDAP implementations are supported.
> >>* Flexible configuration, can be customized on site to support special
> >>setups.
> >>* Supportability, better logs and feedbacks to enable remote support.
> >>* Variety of fallback policies, examples: srvrecord, failover,
> >>round-robin and more.
> >>* Active Directory: supports multiple domain in forest.
> >>
> >> In 3.5 the previous LDAP provider is marked as legacy, users' issues will
> >> be resolved by migration to the new provider.
> >>
> >> Upgrade to 4.0 will not be possible if legacy provider is being used.
> >>
> >> The new provider is working without any issue for quite some time, we
> >> would like to eliminate the remaining usage of the legacy provider as
> >> soon as possible.
> >>
> >> A tool was created[3] to automate the process, it should perform
> >> everything in a safe and automatic process, while enabling customization if
> >> required. The one prerequisite that we could not automate easily is
> >> obtaining the CA certificate used by the LDAP server to communicate using
> >> SSL/TLS, you should acquire this manually and provide it as a parameter.
> >>
> >> We (Ondra CCed and I) will help anyone that is experiencing issues with
> >> the process, please do not delay migration to the point it becomes
> >> an emergency.
> >>
> >> Let's define a virtual goal -- in 1 month no legacy LDAP usage anywhere.
> >>
> >> Regards,
> >> Alon Bar-Lev.
> >>
> >> [1] http://www.ovirt.org/Features/AAA
> >> [2]
> >> https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0
> Sorry Alon..
> 
> I'm puzzled.  I setup RHEL IPA server to act as an authentication
> front-end for my ovirt installation.  It also acts as an IPA server for
> all the servers involved in my ovirt installation.
> 
> I enabled my engine installation to authenticate with my IPA server like
> this:
> > engine# engine-manage-domains  add --domain=EECS.YORKU.CA --provider=ipa
> > --user=ovirtadmin
> Your new system refers to only LDAP, and not Kerberos, other than saying
> that it "obsoletes the legacy Kerberos/LDAP implementation".   Will
> Kerberos support now be obsolete?  Since I've already invested the time
> to get engine working with IPA and Kerberos, I don't really see the
> point in changing things now, but I'd also rather deal with this now,
> rather than down the line when I want to upgrade and find that my
> existing installation is no longer compatible. Sooo -- does this
> change still affect my current installation? Should I migrate? What do I
> migrate to? and How?

Not at all.

The IPA provides several services, at least LDAP, DNS, Kerberos:

These two are not actually related and used for two different purposes:

1. LDAP - a protocol to access a repository (database) holding entity 
information.

2. DNS - a protocol to locate resources within network.

3. Kerberos - single sign-on infrastructure; it enables creating trust between 
entities and a single server, so that after successful authentication an entity 
can access other entities without presenting credentials.

Why do we use LDAP? LDAP is a standard [simple(?)] protocol to acquire entity 
information.

Why do we use Kerberos? Mainly so that users are not required to enter their 
passwords over and over to access services (SSO), and so that their 
credentials are not exposed to services.

For various incorrect reasons the legacy LDAP provider implementation used 
Kerberos to authenticate between the engine machine and the LDAP server. This 
actually breaks one of the major Kerberos principles - do not expose the 
credentials to service. In our case the engine machine is the service and the 
user and password are sent to the engine machine so it can issue Kerberos 
ticket instead of it accepting restrict

Re: [ovirt-users] [ATN] LDAP Users please read

2015-08-06 Thread Alon Bar-Lev


- Original Message -
> From: "Joop" 
> To: users@ovirt.org
> Sent: Thursday, August 6, 2015 4:28:00 PM
> Subject: Re: [ovirt-users] [ATN] LDAP Users please read
> 
> Hi Alon,
> 
> I'll take the bait :-)

Good!
 
> I have just installed the extension and the examples are there.
> I also installed the migration tool. Now it comes.
> We use Samba4 as our AD provider and have successfully connected
> Foreman-1.8 to it using the cert that I got from the server.
> The same cert doesn't work with the migration tool. So either I'm
> confused or .. The first possibility is most likely. I always trip over
> certs and terminology.
> Error I got:
> [root@mgmt01 ~]# ovirt-engine-kerbldap-migration-tool --debug --domain
> ad.nieuwland.nl --cacert ad02.pem
> [INFO   ] tool: ovirt-engine-kerbldap-migration-1.0.2
> (ovirt-engine-kerbldap-migration-1.0.2-1.el6ev)
> [INFO   ] Connecting to database
> [INFO   ] Sanity checks
> [INFO   ] Loading options
> [INFO   ] Using ldap URI: ldap://ad01.ad.nieuwland.nl:389
> [ERROR  ] Conversion failed: {'info': "TLS error -8172:Peer's
> certificate issuer has been marked as not trusted by the user.", 'desc':
> 'Connect error'}
> 
> And now...

Interesting.

Can you please attach the ad02.pem certificate, and paste the output of the 
following command?

$ openssl s_client -connect ad01.ad.nieuwland.nl:636 -showcerts < /dev/null

There is no leak of sensitive information, it will enable me to determine what 
is wrong.

Thanks!
Alon


Re: [ovirt-users] [ATN] LDAP Users please read

2015-08-06 Thread Alon Bar-Lev


- Original Message -
> From: "Daniel Helgenberger" 
> To: "Alon Bar-Lev" , "users" 
> Sent: Thursday, August 6, 2015 1:24:23 PM
> Subject: Re: [ovirt-users] [ATN] LDAP Users please read
> 
> Hello Alon,
> 
> On 04.08.2015 09:56, Alon Bar-Lev wrote:
> > Hello LDAP Users,
> >
> > If you migrated from 3.4 or if you used engine-manage-domains to add LDAP
> > support into engine - this message is for you.
> >
> > In 3.5 we introduced a new LDAP provider[1][2], it is a superset of the
> > previous implementation; highlights include:
> >   * Better response times.
> >   * Simplicity, Use of LDAP protocol only - kerberos is no longer needed.
> >   * More LDAP implementations are supported.
> >   * Flexible configuration, can be customized on site to support special
> >   setups.
> >   * Supportability, better logs and feedbacks to enable remote support.
> >   * Variety of fallback policies, examples: srvrecord, failover,
> >   round-robin and more.
> >   * Active Directory: supports multiple domain in forest.
> >
> > In 3.5 the previous LDAP provider is marked as legacy, users' issues will
> > be resolved by migration to the new provider.
> >
> > Upgrade to 4.0 will not be possible if legacy provider is being used.
> >
> > The new provider is working without any issue for quite some time, we would
> > like to eliminate the remaining usage of the legacy provider as soon as
> > possible.
> >
> > A tool was created[3] to automate the process, it should perform everything
> > in a safe and automatic process, while enabling customization if
> > required. The one prerequisite that we could not automate easily is
> > obtaining the CA certificate used by the LDAP server to communicate using
> > SSL/TLS, you should acquire this manually and provide it as a parameter.
> >
> > We (Ondra CCed and I) will help anyone that is experiencing issues with the
> > process, please do not delay migration to the point it becomes an emergency.
> >
> > Let's define a virtual goal -- in 1 month no legacy LDAP usage anywhere.
> >
> > Regards,
> > Alon Bar-Lev.
> >
> > [1] http://www.ovirt.org/Features/AAA
> > [2]
> > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0
> 
> Sorry for the ignorance on my part,
> 
> but I tried one more and could not find any qualified docs/howtos on the
> new AAA feature.
> 
> This readme is the only thing witch comes close so far, but running
> Engine 3.5.3 at least my installation is missing
> 
> /usr/share/ovirt-engine-extension-aaa-ldap*/examples
> 
> Does the tool run without them?

The new provider is distributed as a standalone, optional package; please 
install ovirt-engine-extension-aaa-ldap and you will be set up.

> As for my part, I only need engine authentication domains; I used:
> engine-manage-domains add --domain ...
> 
> Should I migrate to the new provider?

Yes, this is exactly the reason why I sent this message: all 3.5 installations 
should migrate to the new provider so we can provide better service and support.

I will be happy to assist.

Regards,
Alon

> Thanks;
> 
> > [3]
> > https://github.com/machacekondra/ovirt-engine-kerbldap-migration/releases
> >
> 
> --
> Daniel Helgenberger
> m box bewegtbild GmbH
> 
> P: +49/30/2408781-22
> F: +49/30/2408781-10
> 
> ACKERSTR. 19
> D-10115 BERLIN
> 
> 
> www.m-box.de  www.monkeymen.tv
> 
> Managing directors: Martin Retschitzegger / Michaela Göllner
> Commercial register: Amtsgericht Charlottenburg / HRB 112767
> 


[ovirt-users] [ATN] LDAP Users please read

2015-08-04 Thread Alon Bar-Lev
Hello LDAP Users,

If you migrated from 3.4 or if you used engine-manage-domains to add LDAP 
support into engine - this message is for you.

In 3.5 we introduced a new LDAP provider[1][2], it is a superset of the previous 
implementation; highlights include:
 * Better response times.
 * Simplicity, Use of LDAP protocol only - kerberos is no longer needed.
 * More LDAP implementations are supported.
 * Flexible configuration, can be customized on site to support special setups.
 * Supportability, better logs and feedbacks to enable remote support.
 * Variety of fallback policies, examples: srvrecord, failover, round-robin and 
more.
 * Active Directory: supports multiple domain in forest.

In 3.5 the previous LDAP provider is marked as legacy, users' issues will be 
resolved by migration to the new provider.

Upgrade to 4.0 will not be possible if legacy provider is being used.

The new provider is working without any issue for quite some time, we would 
like to eliminate the remaining usage of the legacy provider as soon as 
possible.

A tool was created[3] to automate the process, it should perform everything in a 
safe and automatic process, while enabling customization if required. The 
one prerequisite that we could not automate easily is obtaining the CA 
certificate used by the LDAP server to communicate using SSL/TLS, you should 
acquire this manually and provide it as a parameter.

We (Ondra CCed and I) will help anyone that is experiencing issues with the 
process, please do not delay migration to the point it becomes an emergency.

Let's define a virtual goal -- in 1 month no legacy LDAP usage anywhere.

Regards,
Alon Bar-Lev.

[1] http://www.ovirt.org/Features/AAA
[2] 
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0
[3] https://github.com/machacekondra/ovirt-engine-kerbldap-migration/releases


Re: [ovirt-users] Troubleshooting Windows SSO

2015-07-24 Thread Alon Bar-Lev


- Original Message -
> From: "Cristian Mammoli" 
> To: "Alon Bar-Lev" 
> Cc: users@ovirt.org
> Sent: Friday, July 24, 2015 1:00:46 PM
> Subject: Re: [ovirt-users] Troubleshooting Windows SSO
> 
> Are you referring to this: http://www.ovirt.org/Features/AAA ?
> 
> I only configured the engine with "engine-manage-domains" isn't it enough?

engine-manage-domains has been obsolete since 3.5; please upgrade to the new provider, 
which performs much better.

If you use this legacy provider, the name of the provider matches the name of 
the domain, so the bug will not manifest.

> 
> Anyway this is engine.log:
> 
> 2015-07-24 11:59:42,337 INFO
> [org.ovirt.engine.core.bll.aaa.LoginUserCommand] (ajp--127.0.0.1-8702-2)
> Running command: LoginUserCommand internal: false.
> 2015-07-24 11:59:42,348 INFO
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (ajp--127.0.0.1-8702-2) Correlation ID: null, Call Stack: null, Custom
> Event ID: -1, Message: User c.mamm...@apra.it logged in.
> 2015-07-24 11:59:44,364 INFO
> [org.ovirt.engine.core.bll.SetVmTicketCommand] (ajp--127.0.0.1-8702-9)
> [44b9b110] Running command: SetVmTicketCommand internal: false. Entities
> affected :  ID: 01453005-cbcf-47b1-a066-015777d158b5 Type: VMAction
> group CONNECT_TO_VM with role type USER
> 2015-07-24 11:59:44,370 INFO
> [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand]
> (ajp--127.0.0.1-8702-9) [44b9b110] START, SetVmTicketVDSCommand(HostName
> = kvm02, HostId = 4aeb8095-1198-4afe-aab2-d9c6408c88c2,
> vmId=01453005-cbcf-47b1-a066-015777d158b5, ticket=rdFW/mdMiBxO,
> validTime=120,m userName=c.mammoli,
> userId=d69d8d20-68b7-4fed-9c08-5c2ecb257583), log id: 25c99c46
> 2015-07-24 11:59:44,412 INFO
> [org.ovirt.engine.core.vdsbroker.vdsbroker.SetVmTicketVDSCommand]
> (ajp--127.0.0.1-8702-9) [44b9b110] FINISH, SetVmTicketVDSCommand, log
> id: 25c99c46
> 2015-07-24 11:59:44,436 INFO
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (ajp--127.0.0.1-8702-9) [44b9b110] Correlation ID: 44b9b110, Call Stack:
> null, Custom Event ID: -1, Message: user c.mamm...@apra.it initiated
> console session for VM TestPoolMan-1
> 2015-07-24 11:59:44,610 WARN
> [org.ovirt.engine.core.dal.job.ExecutionMessageDirector]
> (ajp--127.0.0.1-8702-3) [27c3ee74] The message key VmLogon is missing
> from bundles/ExecutionMessages
> 2015-07-24 11:59:44,637 INFO [org.ovirt.engine.core.bll.VmLogonCommand]
> (ajp--127.0.0.1-8702-3) [27c3ee74] Running command: VmLogonCommand
> internal: false. Entities affected :  ID:
> 01453005-cbcf-47b1-a066-015777d158b5 Type: VMAction group CONNECT_TO_VM
> with role type USER
> 2015-07-24 11:59:44,642 INFO
> [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand]
> (ajp--127.0.0.1-8702-3) [27c3ee74] START, VmLogonVDSCommand(HostName =
> kvm02, HostId = 4aeb8095-1198-4afe-aab2-d9c6408c88c2,
> vmId=01453005-cbcf-47b1-a066-015777d158b5, domain=apra.it,
> password=**, userName=c.mamm...@apra.it), log id: 6bf25e51

This^ is good, so now you should provide the guest agent log.

> 2015-07-24 11:59:44,652 INFO
> [org.ovirt.engine.core.vdsbroker.vdsbroker.VmLogonVDSCommand]
> (ajp--127.0.0.1-8702-3) [27c3ee74] FINISH, VmLogonVDSCommand, log id:
> 6bf25e51
> 2015-07-24 11:59:58,888 INFO
> [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
> (DefaultQuartzScheduler_Worker-63) Correlation ID: null, Call Stack:
> null, Custom Event ID: -1, Message: User c.mamm...@apra.it is connected
> to VM TestPoolMan-1.
> 
> Il 24/07/2015 11:02, Alon Bar-Lev ha scritto:
> > Any log will be helpful, engine side and guest agent side.
> >
> > Also, please note this bug[1]: due to incorrect assumptions in the
> > implementation, your authz provider name must match the Active Directory
> > name in order for password delegation to work properly.
> >
> > [1] https://bugzilla.redhat.com/show_bug.cgi?id=1133137
> >
> > - Original Message -
> 
> 


Re: [ovirt-users] Troubleshooting Windows SSO

2015-07-24 Thread Alon Bar-Lev
Any log will be helpful, engine side and guest agent side.

Also, please note this bug[1]: due to incorrect assumptions in the implementation, 
your authz provider name must match the Active Directory name in order for 
password delegation to work properly.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1133137

- Original Message -
> From: "Cristian Mammoli" 
> To: users@ovirt.org
> Sent: Friday, July 24, 2015 11:16:01 AM
> Subject: [ovirt-users] Troubleshooting Windows SSO
> 
> Hi, I can't get SSO in the spice console to work
> The engine is linked to a Windows AD domain and user logons work fine
> In the vms I configured a gpo to enable SAS:
> 
> Disable or enable software Secure Attention Sequence
>   Enabled
> Set which software is allowed to generate the Secure Attention
> Sequence  Services and Ease of Access applications
> 
> 
> Anyway SSO does not work, when I open the spice console as a user I'm
> presented with the usual Windows login screen
> 


Re: [ovirt-users] LDAP bind DN generation problem

2015-06-19 Thread Alon Bar-Lev


- Original Message -
> From: "Mitja Mihelič" 
> To: "Alon Bar-Lev" 
> Cc: "Ondra Machacek" , users@ovirt.org
> Sent: Friday, June 19, 2015 4:54:32 PM
> Subject: Re: [ovirt-users] LDAP bind DN generation problem
> 
> 
> On 19. 06. 2015 12:44, Alon Bar-Lev wrote:
> >
> > - Original Message -
> >> From: "Mitja Mihelič" 
> >> To: "Ondra Machacek" , users@ovirt.org
> >> Sent: Friday, June 19, 2015 1:39:14 PM
> >> Subject: Re: [ovirt-users] LDAP bind DN generation problem
> >>
> >> On 18/06/15 14:49, Ondra Machacek wrote:
> >>
> >>
> >> On 06/18/2015 02:07 PM, Mitja Mihelič wrote:
> >>
> >>
> >> Hi!
> >> Hi
> >>
> >>
> >>
> >> We just upgraded oVirt from 3.4 to 3.5 and now users cannot select the LDAP
> >> domain on the login screen. Only internal is available.
> >> Our LDAP server is actually a 389DS instance and we are using for
> >> authentication in oVirt without Kerberos. The existing setup has worked
> >> since the days of 3.2.
> >>
> >> When we try to validate the domain, we get
> >> [root@brda ~]# engine-manage-domains validate
> >> Error: Cannot authenticate user ovirt to domain guest.arnes.si, details:
> >> [LDAP: error code 32 - No Such Object]; nested exception is
> >> javax.naming.AuthenticationException: [LDAP: error code 32 - No Such
> >> Object]
> >> Failure while testing domain guest.arnes.si. Details: Cannot authenticate
> >> user to LDAP server.
> >>
> >> The LDAP log reports
> >> [18/Jun/2015:13:52:38 +0200] conn=3 op=0 BIND
> >> dn="uid=ovirt,ou=Peopledc=guest,dc=arnes,dc=si" method=128 version=3
> >> As you can see there is a comma missing before "dc=guest,dc=arnes,dc=si".
> >>
> >> Before the upgrade the bind DN was generated properly as
> >> [18/Jun/2015:12:42:45 +0200] conn=10219 op=0 BIND
> >> dn="uid=ovirt,ou=People,dc=arnes,dc=si" method=128 version=3
> >>
> >> So what is your search user's DN ?
> >> Is it:
> >> dn="uid=ovirt,ou=People,dc=guest,dc=arnes,dc=si"
> >>
> >> or
> >>
> >> dn="uid=ovirt,ou=People,dc=arnes,dc=si"
> >>
> >> Is it possible for you to try if different user works fine?
> >> Because user with very similar DN works for me just OK.
> >> At the time of posting I did not notice the difference, thanks for the
> >> spot.
> >> The correct DN is dn="uid=ovirt,ou=People,dc=arnes,dc=si".
> >> Although that means that after upgrading to 3.5 the DN for the search user
> >> is
> >> formatted differently when issuing an LDAP bind request.
> >>
> >> In the end we noticed that the AAA part of oVirt was reworked in 3.5. We
> >> deleted the old LDAP domain, that we manually inserted into the database
> >> back in 3.2 days. Then we added LDAP as an authentication source as per
> >> AAA
> >> instructions, which we found a bit vague. The README on github for the AAA
> >> extension provided most of the information.
> >>
> >> We also found that the format of external_id in the users table had been
> >> changed from fdfc627c-d875-11e0-90f0-83df133b58cc to
> >> fdfc627c-d87511e0-90f083df-133b58cc. So naturally users could not log in.
> >> Instead additional users were created with this new format external_id, a
> >> namespace with "dc=arnes,dc=si" and a new user_id.
> >> We manually deleted the faux users, updated the external_id to the new
> >> format
> >> and added a namespace entry for existing users.
> >> That worked for us.
> > the conversion tool should have taken care of all these. have you tried to
> > use it?
> Sorry, no. We didn't know of its existence then. Can you provide a link
> to its page?

https://github.com/machacekondra/ovirt-engine-kerbldap-migration

> >
> >> Kind regards, Mitja
> >>
> >>
> >>
> >>
> >>
> >>
> >> This looks like a bug.
> >> Is there a quick fix we can do to fix this typo?
> >>
> >> We are also interested in knowing what is the correct way in 3.5 to add a
> >> domain that uses an LDAP server for its authentication source without
> >> Kerberos.
> >>
> >> Please see following links:
> >> *
> >> https://gerrit.ovirt.org/gitweb?p=ovirt-engine-

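The bind DN logged in this thread, uid=ovirt,ou=Peopledc=guest,dc=arnes,dc=si, is what string concatenation without a separator produces: the server reads "Peopledc=guest" as the ou value, finds no such entry and answers error 32 (No Such Object). The following is an added example, not oVirt code, showing how to build a DN from its parts the way RFC 4514 requires, with the buggy concatenation beside it for comparison. The same concatenation habit applied to a caller-supplied value is how LDAP injection starts, so RDN value escaping is included. The DNs are the ones quoted in the thread; nothing is sent to a directory.

```python
"""Added example (not oVirt code): assembling an LDAP DN from RDNs with
RFC 4514 escaping, versus the separator-less concatenation the thread logs."""
from typing import Iterable, Tuple

# RFC 4514 section 2.4: these must be escaped anywhere inside a value.
# A leading space or "#", and a trailing space, must be escaped as well;
# NUL is written as \00.
_ALWAYS_ESCAPE = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use inside an RDN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _ALWAYS_ESCAPE or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def join_dn(rdns: Iterable[Tuple[str, str]]) -> str:
    """Join (attribute, value) pairs into a DN, most specific RDN first."""
    return ",".join(f"{attr}={escape_rdn_value(val)}" for attr, val in rdns)


def domain_to_base_dn(domain: str) -> str:
    """guest.arnes.si -> dc=guest,dc=arnes,dc=si, the derivation the logged
    bind suggests for the configured domain name (assumption of this example)."""
    return join_dn(("dc", label) for label in domain.split(".") if label)


def bind_dn(uid: str, people_ou: str, base_dn: str) -> str:
    """DN of the search user under ou=<people_ou> below an already-formed base DN.
    base_dn is appended as a whole because it is already in DN syntax."""
    return join_dn([("uid", uid), ("ou", people_ou)]) + "," + base_dn


def buggy_bind_dn(uid: str, people_ou: str, base_dn: str) -> str:
    """The concatenation the logged bind implies: no separator before the base.
    Kept only to show how the broken DN in the thread comes about."""
    return f"uid={uid},ou={people_ou}" + base_dn


if __name__ == "__main__":
    base = domain_to_base_dn("guest.arnes.si")
    print("correct:", bind_dn("ovirt", "People", base))
    print("logged: ", buggy_bind_dn("ovirt", "People", base))
```

Note that fixing the separator alone would still have produced uid=ovirt,ou=People,dc=guest,dc=arnes,dc=si, which does not exist either; the user's base DN is dc=arnes,dc=si, so deriving the base from the domain name guest.arnes.si is the second half of the problem reported.
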
Re: [ovirt-users] LDAP bind DN generation problem

2015-06-19 Thread Alon Bar-Lev


- Original Message -
> From: "Mitja Mihelič" 
> To: "Ondra Machacek" , users@ovirt.org
> Sent: Friday, June 19, 2015 1:39:14 PM
> Subject: Re: [ovirt-users] LDAP bind DN generation problem
> 
> On 18/06/15 14:49, Ondra Machacek wrote:
> 
> 
> On 06/18/2015 02:07 PM, Mitja Mihelič wrote:
> 
> 
> Hi!
> Hi
> 
> 
> 
> We just upgraded oVirt from 3.4 to 3.5 and now users cannot select the LDAP
> domain on the login screen. Only internal is available.
> Our LDAP server is actually a 389DS instance and we are using it for
> authentication in oVirt without Kerberos. The existing setup has worked
> since the days of 3.2.
> 
> When we try to validate the domain, we get
> [root@brda ~]# engine-manage-domains validate
> Error: Cannot authenticate user ovirt to domain guest.arnes.si, details:
> [LDAP: error code 32 - No Such Object]; nested exception is
> javax.naming.AuthenticationException: [LDAP: error code 32 - No Such Object]
> Failure while testing domain guest.arnes.si. Details: Cannot authenticate
> user to LDAP server.
> 
> The LDAP log reports
> [18/Jun/2015:13:52:38 +0200] conn=3 op=0 BIND
> dn="uid=ovirt,ou=Peopledc=guest,dc=arnes,dc=si" method=128 version=3
> As you can see there is a comma missing before "dc=guest,dc=arnes,dc=si".
> 
> Before the upgrade the bind DN was generated properly as
> [18/Jun/2015:12:42:45 +0200] conn=10219 op=0 BIND
> dn="uid=ovirt,ou=People,dc=arnes,dc=si" method=128 version=3
> 
> So what is your search user's DN ?
> Is it:
> dn="uid=ovirt,ou=People,dc=guest,dc=arnes,dc=si"
> 
> or
> 
> dn="uid=ovirt,ou=People,dc=arnes,dc=si"
> 
> Is it possible for you to try whether a different user works fine?
> Because user with very similar DN works for me just OK.
> At the time of posting I did not notice the difference, thanks for the spot.
> The correct DN is dn="uid=ovirt,ou=People,dc=arnes,dc=si".
> Although that means that after upgrading to 3.5 the DN for the search user is
> formatted differently when issuing an LDAP bind request.
> 
> In the end we noticed that the AAA part of oVirt was reworked in 3.5. We
> deleted the old LDAP domain, that we manually inserted into the database
> back in 3.2 days. Then we added LDAP as an authentication source as per AAA
> instructions, which we found a bit vague. The README on github for the AAA
> extension provided most of the information.
> 
> We also found that the format of external_id in the users table had been
> changed from fdfc627c-d875-11e0-90f0-83df133b58cc to
> fdfc627c-d87511e0-90f083df-133b58cc. So naturally users could not log in.
> Instead additional users were created with this new format external_id, a
> namespace with "dc=arnes,dc=si" and a new user_id.
> We manually deleted the faux users, updated the external_id to the new format
> and added a namespace entry for existing users.
> That worked for us.

The conversion tool should have taken care of all these. Have you tried to use 
it?

> 
> Kind regards, Mitja
> 
> 
> 
> 
> 
> 
> This looks like a bug.
> Is there a quick fix we can do to fix this typo?
> 
> We are also interested in knowing what is the correct way in 3.5 to add a
> domain that uses an LDAP server for its authentication source without
> Kerberos.
> 
> Please see following links:
> *
> https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD
> *
> https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README.profile;hb=HEAD
> * http://www.ovirt.org/Features/AAA *
> https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=tree;f=examples;hb=HEAD
> *
> https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l6
> * https://github.com/machacekondra/ovirt-engine-kerbldap-migration
> 
> 
> 
> 
> Kind regards, Mitja
> --
> --
> Mitja Mihelič
> ARNES, Tehnološki park 18, p.p. 7, SI-1001 Ljubljana, Slovenia
> tel: +386 1 479 8800, fax: +386 1 479 88 99
> 
> 
> ___
> Users mailing list Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
> 
> 

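Two helpers, added here as an example (not oVirt code and not from anyone on this thread), for the two things that were fixed by hand above: composing a bind DN so that a fused RDN such as "ou=Peopledc=guest" is caught before the bind is attempted, and regrouping a 3.4-era external_id into the 8-8-8-8 layout the thread reports for 3.5. That layout is inferred from the two values quoted above and is an assumption; where the migration tool linked in the thread applies, it should be used instead of hand-edited SQL.

```python
# Added example for the thread above; it is not oVirt code and not from any
# participant. Two helpers: build and parse an LDAP DN with RFC 4514 escaping
# so a fused RDN like "ou=Peopledc=guest" is caught before a bind is attempted,
# and regroup a 3.4-era external_id into the 8-8-8-8 layout the thread reports
# for 3.5. That layout is inferred from the two values quoted in the thread
# (an assumption); the migration tool linked in the thread should be preferred
# where it applies.
import re

_SPECIAL = set('\\,+"<>;')          # must be escaped anywhere in a value
_UNESCAPED_EQ = re.compile(r'(?<!\\)=')
_OLD_ID = re.compile(r'^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$')
_NEW_ID = re.compile(r'^[0-9a-f]{8}(-[0-9a-f]{8}){3}$')


def escape_rdn_value(value):
    """Escape one attribute value for use in an RDN (RFC 4514 section 2.4)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append('\\' + ch)
        elif ch == ' ' and i in (0, last):     # leading or trailing space
            out.append('\\ ')
        elif ch == '#' and i == 0:             # leading '#'
            out.append('\\#')
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def build_dn(rdns):
    """Join (attribute, value) pairs into a DN. Every pair gets its own
    separator, so a missing comma cannot be produced by concatenation."""
    return ','.join('%s=%s' % (attr, escape_rdn_value(val)) for attr, val in rdns)


def split_dn(dn):
    """Split a DN on commas that are not backslash-escaped; RDNs stay raw."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == '\\' and i + 1 < len(dn):
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ',':
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append(''.join(buf))
    return parts


def _unescape(raw):
    def repl(m):
        g = m.group(1)
        return chr(int(g, 16)) if len(g) == 2 else g      # \2C style or \, style
    return re.sub(r'\\([0-9A-Fa-f]{2}|.)', repl, raw)


def parse_dn(dn):
    """(attribute, unescaped value) pairs; raises on an RDN without '='.
    Multi-valued RDNs joined with '+' are not handled (rare in bind DNs)."""
    out = []
    for rdn in split_dn(dn):
        attr, sep, val = rdn.partition('=')
        if not sep or not attr.strip():
            raise ValueError('malformed RDN: %r' % rdn)
        out.append((attr.strip(), _unescape(val)))
    return out


def fused_rdns(dn):
    """RDNs containing more than one unescaped '=': almost always two RDNs
    glued together without a separator, which is what the failing bind in
    the thread shows. Returns the offending raw RDN strings."""
    return [r for r in split_dn(dn) if len(_UNESCAPED_EQ.findall(r)) > 1]


def external_id_for_3_5(old_id):
    """Regroup a pre-3.5 external_id (UUID text, 8-4-4-4-12) into 8-8-8-8.
    Ids that already have the new grouping pass through unchanged."""
    s = old_id.strip().lower()
    if _NEW_ID.match(s):
        return s
    if not _OLD_ID.match(s):
        raise ValueError('not a UUID string: %r' % old_id)
    hexdigits = s.replace('-', '')
    return '-'.join(hexdigits[i:i + 8] for i in range(0, 32, 8))
```

If the ids are rewritten by hand anyway, do it with the engine stopped, inside one transaction, on a fresh database backup, and compare a few converted ids against what the new extension writes for a freshly added user before committing.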

Re: [ovirt-users] Ovirt-engine certificate SHA256

2015-06-19 Thread Alon Bar-Lev


- Original Message -
> From: "Kevin C" 
> To: users@ovirt.org
> Sent: Friday, June 12, 2015 5:19:37 PM
> Subject: [ovirt-users] Ovirt-engine certificate SHA256
> 
> Hi list,
> 
> Is it possible to renew the ovirt-engine certificate to generate a new one
> with
> SHA256 .
> 

Never tried that, and as the certificate should not be exposed, it should not 
be very important.

However, you should be able to update /etc/pki/ovirt-engine/openssl.conf before 
installation and modify:

-default_md = sha1
+default_md = sha256

I am unsure how python (vdsm) will digest that.

Regards,
Alon

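A dependency-free way to verify what that default_md change actually produced, added here as an example (not oVirt code). It reads the outer signatureAlgorithm field of a DER certificate and names the digest, so the PEM files under /etc/pki/ovirt-engine (the exact file names are an assumption) can be scanned without openssl; the certificate it is tested against is constructed inside the block and is not a real certificate. Browsers had begun to warn on SHA-1 signed certificates at the time, so this is the check to run after regenerating.

```python
# Added example, not oVirt code. A stdlib-only check of which digest a
# certificate was signed with, so the effect of changing default_md in
# openssl.conf can be verified on the resulting files. Only the outer
# X.509 structure is walked:
#   Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
# sample_certificate() builds a constructed test fixture; its tbsCertificate
# is a placeholder, not a real certificate.
import base64
import re
import sys

# Signature algorithm OIDs a practitioner is likely to meet.
OID_NAMES = {
    '1.2.840.113549.1.1.5': 'sha1WithRSAEncryption',
    '1.2.840.113549.1.1.11': 'sha256WithRSAEncryption',
    '1.2.840.113549.1.1.12': 'sha384WithRSAEncryption',
    '1.2.840.113549.1.1.13': 'sha512WithRSAEncryption',
    '1.2.840.10045.4.1': 'ecdsa-with-SHA1',
    '1.2.840.10045.4.3.2': 'ecdsa-with-SHA256',
}


def _tlv(data, pos):
    """Decode the DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], 'big')
        pos += n
    return tag, pos, pos + length


def decode_oid(raw):
    """Dotted string for a DER-encoded OBJECT IDENTIFIER value."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return '.'.join(str(a) for a in arcs)


def signature_algorithm(cert_der):
    """Name (or dotted OID) of the certificate's outer signatureAlgorithm."""
    tag, tbs_start, _ = _tlv(cert_der, 0)            # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError('not a DER SEQUENCE')
    tag, _, tbs_end = _tlv(cert_der, tbs_start)      # tbsCertificate (skipped)
    if tag != 0x30:
        raise ValueError('tbsCertificate missing')
    tag, alg_start, _ = _tlv(cert_der, tbs_end)      # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError('signatureAlgorithm missing')
    tag, oid_start, oid_end = _tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError('algorithm OID missing')
    oid = decode_oid(cert_der[oid_start:oid_end])
    return OID_NAMES.get(oid, oid)


def uses_sha1(cert_der):
    return 'sha1' in signature_algorithm(cert_der).lower()


def pem_to_der(pem_text):
    """DER bytes of the first certificate in a PEM file."""
    m = re.search(r'-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----',
                  pem_text, re.S)
    if not m:
        raise ValueError('no PEM certificate found')
    return base64.b64decode(''.join(m.group(1).split()))


# --- constructed sample (test fixture) with a minimal DER encoder -----------
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split('.')]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def sample_certificate(sig_oid):
    """Outer Certificate structure with a placeholder tbsCertificate."""
    tbs = _der(0x30, _der(0x02, b'\x01'))                      # INTEGER 1 stand-in
    alg = _der(0x30, _der(0x06, encode_oid(sig_oid)) + _der(0x05, b''))
    sig = _der(0x03, b'\x00' + bytes(16))                      # BIT STRING, 0 unused
    return _der(0x30, tbs + alg + sig)


if __name__ == '__main__':
    # e.g. python3 sigalg.py /etc/pki/ovirt-engine/ca.pem  (path is an assumption)
    for path in sys.argv[1:]:
        with open(path) as f:
            der = pem_to_der(f.read())
        print(path, signature_algorithm(der), '<-- SHA-1' if uses_sha1(der) else '')
```

Only the first certificate in each PEM file is inspected; run it over the CA certificate and every issued certificate, since an engine CA regenerated with sha256 does not change certificates that were already signed with sha1.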

Re: [ovirt-users] Error while executing action: Cannot add Host. Host with the same UUID already exists.

2015-06-18 Thread Alon Bar-Lev

Please compare:

# dmidecode -s system-uuid

At both machines.

If they are equal then your BIOS has a well-known bug; the method to override it is to 
manually create /etc/vdsm/vdsm.id

- Original Message -
> From: m...@ohnewald.net
> To: "Юрий Полторацкий" , "Alon Bar-Lev" 
> 
> Cc: users@ovirt.org
> Sent: Thursday, June 18, 2015 4:08:55 PM
> Subject: Re: [ovirt-users] Error while executing action: Cannot add Host. 
> Host with the same UUID already exists.
> 
> Thanks,
> 
> i solved it by:
> 
> uuidgen > /etc/vdsm/vdsm.id
> 
> I was just confused because /etc/vdsm/vdsm.id did not exist at that
> point on my new node.
> 
> Thanks.
> 
> Mario
> 
> 
> Am 18.06.15 um 15:05 schrieb Юрий Полторацкий:
> > Hi,
> >
> > I have resolved this in such way.
> >
> > On the engine host connect to db:
> > su postgres
> > psql -s engine
> >
> > Then delete host from db manually:
> > select vds_id from vds_static where host_name = 'HOST_NAME';
> > delete from vds_statistics where vds_id = 'id';
> > delete from vds_dynamic where vds_id = 'id';
> > delete from vds_static where vds_id = 'id';
> >
> > 2015-06-18 16:04 GMT+03:00 Alon Bar-Lev  > <mailto:alo...@redhat.com>>:
> >
> >
> > A log will be nice.
> > However, can you please compare /etc/vdsm/vdsm.id <http://vdsm.id>
> > in both hosts?
> > If not available at the new host it might be a BIOS issue, try to
> > uuidgen > /etc/vdsm/vdsm.id <http://vdsm.id> and add host.
> >
> > - Original Message -
> >  > From: m...@ohnewald.net <mailto:m...@ohnewald.net>
> >  > To: users@ovirt.org <mailto:users@ovirt.org>
> >  > Sent: Thursday, June 18, 2015 3:54:25 PM
> >  > Subject: [ovirt-users] Error while executing action: Cannot add
> > Host. Host with the same UUID already exists.
> >  >
> >  > Hello List,
> >  >
> >  > i am using  oVirt Engine Version: 3.5.2.1-1.el6.
> >  >
> >  > I would like to remove a node from a GlusterFS Cluster and use it
> >  > for
> >  > local storage.
> >  >
> >  > So i put my node into maintenance. Reinstalled it freshly with
> >  > CentOS7.
> >  >
> >  > Now i would like to add it to a New Cluster with local storage,
> > but i get:
> >  >
> >  > Error while executing action: Cannot add Host. Host with the same
> > UUID
> >  > already exists.
> >  >
> >  >
> >  >
> >  > How can i resolve this problem?
> >  >
> >  >
> >  > I can NOT remove my old host from the Gluster: Cannot remove Host.
> >  > Server having Gluster volume.
> >  >
> >  >
> >  >
> >  > Thanks,
> >  > Mario
> >  >

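The decision described above, written out as an added example (not vdsm code): given the "dmidecode -s system-uuid" output collected from each host, it lists the hosts whose firmware UUID cannot identify them (duplicates, placeholders, unparseable values) and writes /etc/vdsm/vdsm.id the way "uuidgen > /etc/vdsm/vdsm.id" would, but refuses to replace an id that already exists, because changing the id of a host the engine has already registered makes it look like a different host. The placeholder UUID values are an assumption about common firmware defects.

```python
# Added example for the advice above; it is not vdsm code. It finds hosts
# whose firmware UUID cannot serve as an identity (duplicates, placeholders,
# garbage) and writes /etc/vdsm/vdsm.id the way "uuidgen > /etc/vdsm/vdsm.id"
# would, refusing to replace an id a registered host already has. The
# placeholder values are an assumption about common firmware defects;
# collect the inputs with "dmidecode -s system-uuid" on each host.
import os
import tempfile
import uuid

PLACEHOLDER_UUIDS = {
    '00000000-0000-0000-0000-000000000000',
    'ffffffff-ffff-ffff-ffff-ffffffffffff',
}


def canonical_uuid(text):
    """Parse dmidecode's system-uuid text; None if it is not a UUID."""
    try:
        return str(uuid.UUID(text.strip()))
    except (ValueError, AttributeError, TypeError):
        return None


def hosts_needing_override(system_uuids):
    """Map host name -> reason, for hosts that must get a manual vdsm.id.
    system_uuids: {host: output of 'dmidecode -s system-uuid'}."""
    canon = {h: canonical_uuid(u) for h, u in system_uuids.items()}
    seen = {}
    for v in canon.values():
        seen[v] = seen.get(v, 0) + 1
    reasons = {}
    for host, v in canon.items():
        if v is None:
            reasons[host] = 'system-uuid is not a UUID'
        elif v in PLACEHOLDER_UUIDS:
            reasons[host] = 'system-uuid is a firmware placeholder'
        elif seen[v] > 1:
            reasons[host] = 'system-uuid shared with %d other host(s)' % (seen[v] - 1)
    return reasons


def new_host_id():
    """A fresh random UUID, the same thing uuidgen prints."""
    return str(uuid.uuid4())


def write_vdsm_id(path='/etc/vdsm/vdsm.id', new_id=None):
    """Write a UUID to path atomically with mode 0644. Refuses to overwrite:
    a host the engine already knows must keep its id."""
    if os.path.exists(path):
        raise FileExistsError('%s already exists; leave it alone' % path)
    new_id = new_id or new_host_id()
    uuid.UUID(new_id)                         # validate before writing anything
    directory = os.path.dirname(path) or '.'
    fd, tmp = tempfile.mkstemp(dir=directory, prefix='vdsm.id.')
    with os.fdopen(fd, 'w') as f:
        f.write(new_id + '\n')
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)                     # atomic rename into place
    return new_id


def read_vdsm_id(path='/etc/vdsm/vdsm.id'):
    with open(path) as f:
        return f.read().strip()
```

Run hosts_needing_override() on the engine side with the collected values, then write_vdsm_id() as root on each flagged host before adding it; a host that was already added with the colliding id has to be removed from the engine first, as the rest of the thread shows.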

Re: [ovirt-users] Error while executing action: Cannot add Host. Host with the same UUID already exists.

2015-06-18 Thread Alon Bar-Lev

A log will be nice.
However, can you please compare /etc/vdsm/vdsm.id in both hosts?
If not available at the new host it might be a BIOS issue, try to uuidgen > 
/etc/vdsm/vdsm.id and add host.

- Original Message -
> From: m...@ohnewald.net
> To: users@ovirt.org
> Sent: Thursday, June 18, 2015 3:54:25 PM
> Subject: [ovirt-users] Error while executing action: Cannot add Host. Host 
> with the same UUID already exists.
> 
> Hello List,
> 
> i am using  oVirt Engine Version: 3.5.2.1-1.el6.
> 
> I would like to remove a node from a GlusterFS Cluster and use it for
> local storage.
> 
> So i put my node into maintenance. Reinstalled it freshly with CentOS7.
> 
> Now i would like to add it to a New Cluster with local storage, but i get:
> 
> Error while executing action: Cannot add Host. Host with the same UUID
> already exists.
> 
> 
> 
> How can i resolve this problem?
> 
> 
> I can NOT remove my old host from the Gluster: Cannot remove Host.
> Server having Gluster volume.
> 
> 
> 
> Thanks,
> Mario
> 


Re: [ovirt-users] Bug in hostdeploy / baseurl - RepoError: Cannot find a valid baseurl for repo: base/7/x86_64

2015-06-17 Thread Alon Bar-Lev


- Original Message -
> From: "Daniel Helgenberger" 
> To: "Alon Bar-Lev" 
> Cc: Users@ovirt.org
> Sent: Wednesday, June 17, 2015 2:26:18 PM
> Subject: Re: [ovirt-users] Bug in hostdeploy / baseurl - RepoError: Cannot 
> find a valid baseurl for repo:
> base/7/x86_64
> 
> Hello Alon,
> 
> On 17.06.2015 13:22, Alon Bar-Lev wrote:
> > Please do not use multiple channels to discuss the same issue.
> 
> I just make a habit of posting bug links on the ML as well. I see this
> as an 'FYI', since I often miss BZ if not posted on the list. Of course,
> further discussion should continue in BZ.

Please do not do that. Discuss on the list first; then, if a bug should be opened, 
you will be instructed to do so.
If you open a bug, avoid discussion in other mediums.

Thanks.

> 
> If you think this is not right will stop doing so.
> 
> >
> > - Original Message -
> >> From: "Daniel Helgenberger" 
> >> To: Users@ovirt.org
> >> Sent: Wednesday, June 17, 2015 2:21:58 PM
> >> Subject: [ovirt-users] Bug in hostdeploy / baseurl - RepoError: Cannot
> >> find a valid baseurl for repo: base/7/x86_64
> >>
> >> Hello,
> >>
> >> I just went ahead and filed [BZ1232714] because with ovirt 3.5.3 host
> >> deploy seems to fail on CentOS7 if there is no baseurl setting in yum
> >> repos:
> >>
> >> RepoError: Cannot find a valid baseurl for repo: base/7/x86_64
> >>
> >> [BZ1232714] https://bugzilla.redhat.com/show_bug.cgi?id=1232714
> >>
> >> -8<-
> >>> 2015-06-17 12:27:37 DEBUG otopi.transaction transaction._prepare:77
> >>> preparing 'Yum Transaction'
> >>> Loaded plugins: fastestmirror
> >>> 2015-06-17 12:27:37 DEBUG otopi.context context._executeMethod:138 Stage
> >>> internal_packages METHOD
> >>> otopi.plugins.otopi.network.hostname.Plugin._internal_packages
> >>> 2015-06-17 12:27:37 DEBUG otopi.plugins.otopi.packagers.yumpackager
> >>> yumpackager.verbose:88 Yum queue package iproute for install
> >>> Loading mirror speeds from cached hostfile
> >>> 2015-06-17 12:27:37 ERROR otopi.plugins.otopi.packagers.yumpackager
> >>> yumpackager.error:97 Yum Cannot queue package iproute: Cannot find a
> >>> valid
> >>> baseurl for repo: base/7/x86_64
> >>> 2015-06-17 12:27:37 DEBUG otopi.context context._executeMethod:152 method
> >>> exception
> >>> Traceback (most recent call last):
> >>>File "/tmp/ovirt-s3ofZ9o6Pq/pythonlib/otopi/context.py", line 142, in
> >>>_executeMethod
> >>>  method['method']()
> >>>File "/tmp/ovirt-s3ofZ9o6Pq/otopi-plugins/otopi/network/hostname.py",
> >>>line 66, in _internal_packages
> >>>  self.packager.install(packages=('iproute',))
> >>>File
> >>>"/tmp/ovirt-s3ofZ9o6Pq/otopi-plugins/otopi/packagers/yumpackager.py",
> >>>line 303, in install
> >>>  ignoreErrors=ignoreErrors
> >>>File "/tmp/ovirt-s3ofZ9o6Pq/pythonlib/otopi/miniyum.py", line 865, in
> >>>install
> >>>  **kwargs
> >>>File "/tmp/ovirt-s3ofZ9o6Pq/pythonlib/otopi/miniyum.py", line 509, in
> >>>_queue
> >>>  provides = self._queryProvides(packages=(package,))
> >>>File "/tmp/ovirt-s3ofZ9o6Pq/pythonlib/otopi/miniyum.py", line 447, in
> >>>_queryProvides
> >>>  for po in self._yb.searchPackageProvides(args=packages):
> >>>File "/usr/lib/python2.7/site-packages/yum/__init__.py", line 3406, in
> >>>searchPackageProvides
> >>>  where = self.returnPackagesByDep(arg)
> >>>File "/usr/lib/python2.7/site-packages/yum/__init__.py", line 4232, in
> >>>returnPackagesByDep
> >>>  return self.pkgSack.searchProvides(depstring)
> >>>File "/usr/lib/python2.7/site-packages/yum/__init__.py", line 1079, in
> >>>
> >>>  pkgSack = property(fget=lambda self: self._getSacks(),
> >>>File "/usr/lib/python2.7/site-packages/yum/__init__.py", line 784, in
> >>>_getSacks
> >>>  self.repos.populateSack(which=repos)
> >>>File "/usr/lib/python2.7/site-packages/yum/repos.py", line 344, in
> >>>populateSack
> >>>  self.doSetup()

Re: [ovirt-users] Bug in hostdeploy / baseurl - RepoError: Cannot find a valid baseurl for repo: base/7/x86_64

2015-06-17 Thread Alon Bar-Lev
Please do not use multiple channels to discuss the same issue.

- Original Message -
> From: "Daniel Helgenberger" 
> To: Users@ovirt.org
> Sent: Wednesday, June 17, 2015 2:21:58 PM
> Subject: [ovirt-users] Bug in hostdeploy / baseurl - RepoError: Cannot find a 
> valid baseurl for repo: base/7/x86_64
> 
> Hello,
> 
> I just went ahead and filed [BZ1232714] because with ovirt 3.5.3 host
> deploy seems to fail on CentOS7 if there is no baseurl setting in yum repos:
> 
> RepoError: Cannot find a valid baseurl for repo: base/7/x86_64
> 
> [BZ1232714] https://bugzilla.redhat.com/show_bug.cgi?id=1232714
> 
> -8<-
> > 2015-06-17 12:27:37 DEBUG otopi.transaction transaction._prepare:77
> > preparing 'Yum Transaction'
> > Loaded plugins: fastestmirror
> > 2015-06-17 12:27:37 DEBUG otopi.context context._executeMethod:138 Stage
> > internal_packages METHOD
> > otopi.plugins.otopi.network.hostname.Plugin._internal_packages
> > 2015-06-17 12:27:37 DEBUG otopi.plugins.otopi.packagers.yumpackager
> > yumpackager.verbose:88 Yum queue package iproute for install
> > Loading mirror speeds from cached hostfile
> > 2015-06-17 12:27:37 ERROR otopi.plugins.otopi.packagers.yumpackager
> > yumpackager.error:97 Yum Cannot queue package iproute: Cannot find a valid
> > baseurl for repo: base/7/x86_64
> > 2015-06-17 12:27:37 DEBUG otopi.context context._executeMethod:152 method
> > exception
> > Traceback (most recent call last):
> >   File "/tmp/ovirt-s3ofZ9o6Pq/pythonlib/otopi/context.py", line 142, in
> >   _executeMethod
> > method['method']()
> >   File "/tmp/ovirt-s3ofZ9o6Pq/otopi-plugins/otopi/network/hostname.py",
> >   line 66, in _internal_packages
> > self.packager.install(packages=('iproute',))
> >   File
> >   "/tmp/ovirt-s3ofZ9o6Pq/otopi-plugins/otopi/packagers/yumpackager.py",
> >   line 303, in install
> > ignoreErrors=ignoreErrors
> >   File "/tmp/ovirt-s3ofZ9o6Pq/pythonlib/otopi/miniyum.py", line 865, in
> >   install
> > **kwargs
> >   File "/tmp/ovirt-s3ofZ9o6Pq/pythonlib/otopi/miniyum.py", line 509, in
> >   _queue
> > provides = self._queryProvides(packages=(package,))
> >   File "/tmp/ovirt-s3ofZ9o6Pq/pythonlib/otopi/miniyum.py", line 447, in
> >   _queryProvides
> > for po in self._yb.searchPackageProvides(args=packages):
> >   File "/usr/lib/python2.7/site-packages/yum/__init__.py", line 3406, in
> >   searchPackageProvides
> > where = self.returnPackagesByDep(arg)
> >   File "/usr/lib/python2.7/site-packages/yum/__init__.py", line 4232, in
> >   returnPackagesByDep
> > return self.pkgSack.searchProvides(depstring)
> >   File "/usr/lib/python2.7/site-packages/yum/__init__.py", line 1079, in
> >   
> > pkgSack = property(fget=lambda self: self._getSacks(),
> >   File "/usr/lib/python2.7/site-packages/yum/__init__.py", line 784, in
> >   _getSacks
> > self.repos.populateSack(which=repos)
> >   File "/usr/lib/python2.7/site-packages/yum/repos.py", line 344, in
> >   populateSack
> > self.doSetup()
> >   File "/usr/lib/python2.7/site-packages/yum/repos.py", line 158, in
> >   doSetup
> > self.ayum.plugins.run('postreposetup')
> >   File "/usr/lib/python2.7/site-packages/yum/plugins.py", line 188, in run
> > func(conduitcls(self, self.base, conf, **kwargs))
> >   File "/usr/lib/yum-plugins/fastestmirror.py", line 197, in
> >   postreposetup_hook
> > if downgrade_ftp and _len_non_ftp(repo.urls) == 1:
> >   File "/usr/lib/python2.7/site-packages/yum/yumRepo.py", line 871, in
> >   
> > urls = property(fget=lambda self: self._geturls(),
> >   File "/usr/lib/python2.7/site-packages/yum/yumRepo.py", line 868, in
> >   _geturls
> > self._baseurlSetup()
> >   File "/usr/lib/python2.7/site-packages/yum/yumRepo.py", line 834, in
> >   _baseurlSetup
> > self.check()
> >   File "/usr/lib/python2.7/site-packages/yum/yumRepo.py", line 554, in
> >   check
> > 'Cannot find a valid baseurl for repo: %s' % self.ui_id
> > RepoError: Cannot find a valid baseurl for repo: base/7/x86_64
> > 2015-06-17 12:27:37 ERROR otopi.context context._executeMethod:161 Failed
> > to execute stage 'Environment packages setup': Cannot find a valid baseurl
> > for repo: base/7/x86_64
> > 2015-06-17 12:27:37 DEBUG otopi.transaction transaction.abort:131 aborting
> > 'Yum Transaction'
> > 2015-06-17 12:27:37 INFO otopi.plugins.otopi.packagers.yumpackager
> > yumpackager.info:92 Yum Performing yum transaction rollback
> > Could not retrieve mirrorlist
> > http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os&infra=stock
> > error was
> > 14: curl#7 - "Failed connect to mirrorlist.centos.org:80; No route to host"
> > Loaded plugins: fastestmirror
> > 2015-06-17 12:27:37 DEBUG otopi.context context.dumpEnvironment:490
> > ENVIRONMENT DUMP - BEGIN
> > 2015-06-17 12:27:37 DEBUG otopi.context context.dumpEnvironment:500 ENV
> > BASE/error=bool:'True'
> > 2015-06-17 12:27:37 DEBUG otopi.context context.dumpEnvironment:500 ENV
> > BASE/exceptionInfo=list:'[(, RepoE

Re: [ovirt-users] Adding users through LDAP fails on "external_id"

2015-06-15 Thread Alon Bar-Lev


- Original Message -
> From: "Zach La Celle" 
> To: "Alon Bar-Lev" 
> Cc: users@ovirt.org
> Sent: Tuesday, June 16, 2015 12:38:21 AM
> Subject: Re: [ovirt-users] Adding users through LDAP fails on "external_id"
> 
> I understand we were using the incorrect driver, and I've switched to
> the RFC2307-compatible driver.  However, now the TLS sessions won't start.
> 
> I've verified that I can do ldapsearch from the oVirt machine without
> issue, complete with STARTTLS.  So, it seems to be an issue solely in
> our oVirt configuration.
> 
> Error message and config are below, with your changes.  I cannot seem to
> get a configuration of the truststore that functions.
> 
> Here's the current error message, the SSLPeerUnverifiedException:
> 
> 2015-06-15 17:32:49,252 DEBUG
> [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread
> 1-6) Ignoring Exception: LDAPException(resultCode=91 (connect error),
> errorMessage='An error occurred\
>  while attempting to connect to server
> directory.roboticresearch.com:389:  java.io.IOException: Unable to
> verify an attempt to to establish a secure connection to
> 'directory.roboticresearch.com:389' becau\
> se an unexpected error was encountered during validation processing:
> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated')
> 
> The config file is below.  Notably, I changed it to use the already
> installed java cacerts keystore (which I verified opens with the
> changeit password).
> 
> include = 
> 
> pool.default.serverset.type = single
> pool.default.serverset.single.server = ${global:vars.server}
> pool.default.serverset.single.port = 389

please remove this port settings ^ as this is the default.

> pool.default.ssl.startTLS = true
> pool.default.ssl.truststore.file = /etc/pki/java/cacerts
> pool.default.ssl.truststore.password = changeit

can you please create your own keystore with only top level certificate[1]?

[1] 
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l155

> pool.default.ssl.enable = true

please remove this ^

> pool.default.ssl.host-name-verify.enable = true
> pool.default.ssl.host-name-verify.wildcards = false

please remove these ^

> pool.default.ssl.insecure = false
> pool.default.ssl.protocol = TLSv1
> pool.default.ssl.startTLSProtocol = TLSv1

please remove these ^

> pool.default.auth.type = none

please remove this ^ not sure why you added it.

> 
> On 06/15/2015 04:29 PM, Alon Bar-Lev wrote:
> > There are two issues.
> >
> > 1. Trust store issue, which is common to both startTLS and SSL, the same
> > trust store is being used and should work in both cases, unless for some
> > reason your server presents a different certificate for each channel, which
> > is a very odd configuration, are you sure your
> > pool.default.ssl.truststore.file is uncommented and references a valid
> > trust store?
> >
> > 2. Incorrect ldap driver, which should probably be rfc2307-openldap.
> >
> > - Original Message -
> >> From: "Zach La Celle" 
> >> To: "Alon Bar-Lev" , users@ovirt.org
> >> Sent: Monday, June 15, 2015 11:25:25 PM
> >> Subject: Re: [ovirt-users] Adding users through LDAP fails on
> >> "external_id"
> >>
> >> I have tried the following combinations of certificates added to the
> >> keystore:
> >>
> >> * PositiveSSL CA bundle (SHA-1 and SHA256) -- This is the source of our
> >> SSL certificates
> >> * All CA certificates from the LDAP machine
> >> * All CA certificates from the LDAP machine plus the machine's own
> >> certificate
> >> * The machine's own certificate only
> >>
> >> None fix the issue.  As I understand it, adding just the CA bundle from
> >> PositiveSSL should work.  Or, adding the CA bundles offered by Ubuntu
> >> should also work.
> >>
> >> Previously (when using port 636 and TLS/SSL), to fix
> >> SSLPeerUnverifiedException, I added all of the CA certificates from the
> >> LDAP machine, plus its own certificate (this last part fixed it).
> >>
> >> In the mean time, to try and fix the original issue of "external_id", is
> >> there any way to disable certificate verification for STARTTLS?
> >>
> >> On 06/15/2015 03:57 PM, Alon Bar-Lev wrote:
> >>> You should add *ONLY* the ca certificate top level to the keystore.
> >>>
> >>> - Original Message -
> >>>> From: "Zach La Celle" 
> >

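The review above, turned into an added example (not code from ovirt-engine-extension-aaa-ldap): a small linter for the pool.default.* keys of a profile that flags what the reply says to remove or fix, and a minimal profile that passes it. THREAD_PROFILE is the pool section quoted in the thread; RECOMMENDED_PROFILE is what it reduces to. The "<rfc2307-openldap.properties>" include line, the ".jks" file name and the reading of ssl.insecure as "skip certificate verification" are assumptions, as is the list of system trust stores.

```python
# Added example, not code from ovirt-engine-extension-aaa-ldap. A linter for
# the pool.default.* keys of an aaa-ldap profile encoding the advice in the
# reply above: startTLS on the default port, a dedicated truststore holding
# only the top-level CA, no protocol pins, no disabled verification, and no
# anonymous bind unless intended. The include line, the .jks name and the
# meaning of ssl.insecure are assumptions.

THREAD_PROFILE = """
pool.default.serverset.type = single
pool.default.serverset.single.server = ${global:vars.server}
pool.default.serverset.single.port = 389
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = /etc/pki/java/cacerts
pool.default.ssl.truststore.password = changeit
pool.default.ssl.enable = true
pool.default.ssl.host-name-verify.enable = true
pool.default.ssl.host-name-verify.wildcards = false
pool.default.ssl.insecure = false
pool.default.ssl.protocol = TLSv1
pool.default.ssl.startTLSProtocol = TLSv1
pool.default.auth.type = none
"""

RECOMMENDED_PROFILE = """
include = <rfc2307-openldap.properties>
vars.server = directory.example.com
vars.user = uid=search,ou=People,dc=example,dc=com
vars.password = change-me
pool.default.serverset.type = single
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
pool.default.ssl.truststore.password = changeit
"""

# Shared JVM/OS trust stores: the reply asks for a keystore with only the top CA.
SYSTEM_STORES = ('/etc/pki/java/cacerts', '/etc/pki/ca-trust', '/usr/lib/jvm')


def parse_properties(text):
    """Minimal java-properties reader: 'key = value', '#' comments, first '=' splits."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in '#!':
            continue
        key, sep, value = line.partition('=')
        if sep:
            props[key.strip()] = value.strip()
    return props


def lint_pool(props, pool='pool.default'):
    """Return [(key, finding)] for settings that weaken or clutter the pool."""
    key = lambda k: '%s.%s' % (pool, k)
    get = lambda k: props.get(key(k))
    out = []
    if get('serverset.single.port') == '389':
        out.append((key('serverset.single.port'), 'redundant: 389 is the default'))
    if get('ssl.enable') == 'true':
        out.append((key('ssl.enable'), 'remove: use startTLS on the default port, not ldaps'))
    elif get('ssl.startTLS') != 'true':
        out.append((key('ssl.startTLS'), 'missing: the bind goes out in clear text'))
    if get('ssl.insecure') == 'true':
        out.append((key('ssl.insecure'), 'certificate verification disabled'))
    ts = get('ssl.truststore.file')
    if ts is None and get('ssl.insecure') != 'true':
        out.append((key('ssl.truststore.file'), 'missing: server certificate cannot be verified'))
    elif ts and ts.startswith(SYSTEM_STORES):
        out.append((key('ssl.truststore.file'), 'use a dedicated keystore with only the top-level CA'))
    for k in ('ssl.protocol', 'ssl.startTLSProtocol'):
        if get(k):
            out.append((key(k), 'remove the protocol pin; a TLSv1 pin blocks newer versions'))
    for k in ('ssl.host-name-verify.enable', 'ssl.host-name-verify.wildcards'):
        if get(k) is not None:
            out.append((key(k), 'remove: not needed, per the reply above'))
    if get('auth.type') == 'none':
        out.append((key('auth.type'), 'anonymous bind: remove unless anonymous search is intended'))
    elif not get('auth.simple.bindDN') or not get('auth.simple.password'):
        out.append((key('auth.simple.bindDN'), 'bindDN/password not set: uncomment them'))
    return out
```

For the dedicated truststore, the README section linked above describes importing only the top-level CA certificate with keytool; the linter treats anything under the shared JVM or OS stores as a finding because a bundle of public CAs trusts far more issuers than the one that signed the directory's certificate.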
Re: [ovirt-users] Adding users through LDAP fails on "external_id"

2015-06-15 Thread Alon Bar-Lev

There are two issues.

1. Trust store issue, which is common to both startTLS and SSL, the same trust 
store is being used and should work in both cases, unless for some reason your 
server presents a different certificate for each channel, which is a very odd 
configuration, are you sure your pool.default.ssl.truststore.file is 
uncommented and references a valid trust store?

2. Incorrect ldap driver, which should probably be rfc2307-openldap.

- Original Message -
> From: "Zach La Celle" 
> To: "Alon Bar-Lev" , users@ovirt.org
> Sent: Monday, June 15, 2015 11:25:25 PM
> Subject: Re: [ovirt-users] Adding users through LDAP fails on "external_id"
> 
> I have tried the following combinations of certificates added to the
> keystore:
> 
> * PositiveSSL CA bundle (SHA-1 and SHA256) -- This is the source of our
> SSL certificates
> * All CA certificates from the LDAP machine
> * All CA certificates from the LDAP machine plus the machine's own
> certificate
> * The machine's own certificate only
> 
> None fix the issue.  As I understand it, adding just the CA bundle from
> PositiveSSL should work.  Or, adding the CA bundles offered by Ubuntu
> should also work.
> 
> Previously (when using port 636 and TLS/SSL), to fix
> SSLPeerUnverifiedException, I added all of the CA certificates from the
> LDAP machine, plus its own certificate (this last part fixed it).
> 
> In the mean time, to try and fix the original issue of "external_id", is
> there any way to disable certificate verification for STARTTLS?
> 
> On 06/15/2015 03:57 PM, Alon Bar-Lev wrote:
> > You should add *ONLY* the ca certificate top level to the keystore.
> >
> > - Original Message -
> >> From: "Zach La Celle" 
> >> To: "Alon Bar-Lev" 
> >> Sent: Monday, June 15, 2015 10:54:02 PM
> >> Subject: Re: [ovirt-users] Adding users through LDAP fails on
> >> "external_id"
> >>
> >> OK, started using the STARTTLS protocol.  Tested working using
> >> ldapsearch, but now ovirt-engine's engine.log complains:
> >>
> >> java.io.IOException: Unable to verify an attempt to to establish a
> >> secure connection to 'directory.roboticresearch.com:389' becau\
> >> se an unexpected error was encountered during validation processing:
> >> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
> >>
> >> Not sure what is wrong.  We fixed this before by adding the
> >> ca-certificates from the LDAP server as well as the LDAP server
> >> certificate into the .jks keystore.
> >>
> >> On 06/15/2015 03:21 PM, Alon Bar-Lev wrote:
> >>> - Original Message -
> >>>> From: "Zach La Celle" 
> >>>> To: "Alon Bar-Lev" 
> >>>> Sent: Monday, June 15, 2015 10:14:34 PM
> >>>> Subject: Re: [ovirt-users] Adding users through LDAP fails on
> >>>> "external_id"
> >>>>
> >>>> My mistake. We're using OpenLDAP 2.4.28-1.1ubuntu4.4 on Ubuntu 12.04.
> >>>>
> >>>> The full configuration files are as follows (I removed commented-out
> >>>> lines for brevity).  Communications with the LDAP server seem to work
> >>>> correctly now.
> >>>>
> >>>> __profile1.properties__
> >>>>
> >>>> #
> >>>>
> >>>> # Select
> >>>> one
> >>>>
> >>>> #
> >>>>
> >>>> include = 
> >>> reading below, you may want to try rfc2307-openldap as your schema seems
> >>> to be rfc2307 compatible.
> >>>
> >>> 
> >>>
> >>>> pool.default.serverset.type = single
> >>>> pool.default.serverset.single.server = ${global:vars.server}
> >>>> pool.default.serverset.single.port = 636
> >>> why do you modify port? please use startTLS on default port.
> >>>
> >>>> #pool.default.auth.simple.bindDN = ${global:vars.user}
> >>>> #pool.default.auth.simple.password = ${global:vars.password}
> >>> why did you comment this, do you allow anonymous access?
> >>>
> >>>> # Create keystore, import certificate chain and uncomment
> >>>> # if using ssl/tls.
> >>>> #pool.default.ssl.startTLS = true
> >>> please uncomment this^
> >>>
> >>>> pool.default.ssl.truststore.file =
> >>>> ${local:_basedir}/${global:vars.serve

Re: [ovirt-users] Adding users through LDAP fails on "external_id"

2015-06-15 Thread Alon Bar-Lev

This probably states that you are not using the correct driver.

You did not mention what LDAP server do you use, and you pasted only partial 
profile.

- Original Message -
> From: "Zach La Celle" 
> To: users@ovirt.org
> Sent: Monday, June 15, 2015 10:04:47 PM
> Subject: [ovirt-users] Adding users through LDAP fails on "external_id"
> 
> Hello,
> 
> We have a small oVirt cluster set up, and are trying to get it
> integrated with our LDAP server.
> 
> I've changed some configuration values in order to try and make it
> function, and it seems to communicate correctly with the LDAP server.
> However, when trying to add the user, I get the following error upon SQL
> entry add:
> 
> 2015-06-15 14:44:49,439 ERROR
> [org.ovirt.engine.core.bll.aaa.AddUserCommand] (ajp--127.0.0.1-8702-6)
> [3b15cbfe] Command org.ovirt.engine.core.bll.aaa.AddUserCommand throw
> exception: org.springframework.da\
> o.DataIntegrityViolationException: CallableStatementCallback; SQL [{call
> insertuser(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)}]; ERROR: null
> value in column "external_id" violates not-null constraint
>   Where: SQL statement "INSERT INTO users(department, domain, email,
> groups, name, note, role, active, surname, user_id, username, group_ids,
> external_id,namespace) VALUES( $1 ,  $2 ,  $3 ,  $4 ,  $5 ,  $\
> 6 ,  $7 ,  $8 ,  $9 ,  $10 ,  $11 ,  $12 ,  $13 ,  $14 )"
> PL/pgSQL function "insertuser" line 2 at SQL statement; nested exception
> is org.postgresql.util.PSQLException: ERROR: null value in column
> "external_id" violates not-null constraint
>   Where: SQL statement "INSERT INTO users(department, domain, email,
> groups, name, note, role, active, surname, user_id, username, group_ids,
> external_id,namespace) VALUES( $1 ,  $2 ,  $3 ,  $4 ,  $5 ,  $\
> 6 ,  $7 ,  $8 ,  $9 ,  $10 ,  $11 ,  $12 ,  $13 ,  $14 )"
> 
> I can't figure out what maps from the LDAP user to "external_id" for the
> SQL table entry.
> 
> Here are the changes I made to profile1.properties:
> 
> #Mapping changes
> attrmap.map-principal-record.attr.PrincipalRecord_DISPLAY_NAME.map = cn
> attrmap.map-principal-record.attr.PrincipalRecord_EMAIL.map = Email
> attrmap.map-group-record.attr.GroupRecord_DISPLAY_NAME.map = cn
> 
> #LDAP value changes
> sequence.openldap-init-vars.030.var-set.value = entryUUID, uid, cn,
> givenName, sn, Email
> sequence.openldap-init-vars.040.var-set.value =
> (objectClass=posixAccount)(uid=*)
> sequence.openldap-init-vars.050.var-set.value = entryUUID, cn
> sequence.openldap-init-vars.060.var-set.value = (objectClass=posixGroup)
> sequence.openldap-init-vars.070.var-set.value = memberUid
> 
> Any help is appreciated!


Re: [ovirt-users] SPICE Through a Router? Squid?

2015-06-01 Thread Alon Bar-Lev

Please refer to this[1] page.

[1] http://www.ovirt.org/Features/Spice_Proxy

- Original Message -
> From: "Юрий Полторацкий" 
> To: alexmcwhir...@triadic.us
> Cc: users@ovirt.org
> Sent: Monday, June 1, 2015 10:14:48 AM
> Subject: Re: [ovirt-users] SPICE Through a Router? Squid?
> 
> I have installed VPN server with access to the management networks, I think
> this is 'best practices'.
> 
> 2015-06-01 1:54 GMT+03:00 < alexmcwhir...@triadic.us > :
> 
> 
> I have a dual host setup working right now. Host 1 runs the engine and is
> also a node. Host 2 does DB storage and NFS storage. The WebSockets proxy is
> running on Host1.
> 
> My question is how do I run this behind a router? Am I correct in
> understanding that the WebSockets proxy acts as the spice access point for
> all of the nodes in the cluster / datacenter? Or does each node host need a
> direct connection for spice?
> 
> the .vv file I receive from the management console specifies the engine's
> private IP address which works fine when inside the ovirt management LAN,
> but it wont route from WAN obviously.
> 
> So essentially i guess i need squid to rewrite the served vv file to the
> public IP and somehow make the ports work correctly, which is difficult
> considering every time a VM is created it also adds its own spice port,
> correct?


Re: [ovirt-users] AAA LDAP Authentication

2015-05-05 Thread Alon Bar-Lev

Blank suggests that there is an initialization error.

please attach (do not paste) the ldap profile, extension properties and 
engine.log.

I may need debug log as well, but lets start with this.

- Original Message -
> From: "David Smith" 
> To: "Alon Bar-Lev" 
> Cc: "users" 
> Sent: Wednesday, May 6, 2015 12:49:09 AM
> Subject: Re: [ovirt-users] AAA LDAP Authentication
> 
> I added that to the end, since there wasn't any reference on it as to where
> to put it;
> I restarted the engine and didn't notice any changes, the namespace still
> reads the same as before, and no users show up
> Note that in the field to the right of namespace it's blank, whereby with
> "internal" or our other pre-aaa ldap config it shows "*" and can be changed
> to a username as a filter, in this case it doesn't allow me to enter
> anything
> 
> On Tue, May 5, 2015 at 2:34 PM, Alon Bar-Lev  wrote:
> 
> >
> > I'm beginning to understand... although I cannot figure out how login works
> > while search does not.
> >
> > Anyway, try to add this to your profile:
> >
> > sequence-init.init.900-local-init-vars = local-init-vars
> > sequence.local-init-vars.010.description = override name space
> > sequence.local-init-vars.010.type = var-set
> > sequence.local-init-vars.010.var-set.variable = simple_namespaceDefault
> > sequence.local-init-vars.010.var-set.value =
> > cn=users,cn=accounts,dc=corp,dc=ft,dc=com
> > sequence.local-init-vars.020.description = apply filter to users
> > sequence.local-init-vars.020.type = var-set
> > sequence.local-init-vars.020.var-set.variable = simple_filterUserObject
> > sequence.local-init-vars.020.var-set.value =
> > ${seq:simple_filterUserObject}(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)
> > sequence.local-init-vars.030.description = apply filter to groups
> > sequence.local-init-vars.030.type = var-set
> > sequence.local-init-vars.030.var-set.variable = simple_filterGroupObject
> > sequence.local-init-vars.030.var-set.value =
> > ${seq:simple_filterGroupObject}(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)
> >
> >
> > - Original Message -
> > > From: "David Smith" 
> > > To: "Alon Bar-Lev" 
> > > Cc: "users" 
> > > Sent: Wednesday, May 6, 2015 12:17:59 AM
> > > Subject: Re: [ovirt-users] AAA LDAP Authentication
> > >
> > > I can log into ovirt, I can see the profile, it doesn't throw any errors.
> > > However, it doesn't display any users. This is because the automatic
> > rootDN
> > > is wrong.
> > > oVirt shows "Namespace: dc=corp, dc=ft, dc=com" if this is the search
> > base
> > > it actually needs to be cn=users, cn=accounts, dc=corp, dc=ft, dc=com
> > > Hence my desire to configure rootDN
> > >
> > > Then, I also want to filter based on the above (sorry the traffic part
> > was
> > > a comment from testlink, the line should be)
> > > '(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)';
> > > That filter is what makes sure the results only show users in the specific
> > > group I want to give access to.
> > >
> > > Thanks,
> > > David
> > >
> > > On Tue, May 5, 2015 at 2:08 PM, Alon Bar-Lev  wrote:
> > >
> > > > Hi,
> > > >
> > > > So your configuration is working, just you want to filter users?
> > > >
> > > > I do not follow what the organization filter is.
> > > >
> > > > > '(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)'; //
> > e.g.
> > > > > '(organizationname=*Traffic)'
> > > >
> > > > It looks to me that you want to narrow the results based on specific
> > > > attribute value.
> > > >
> > > > But first you should confirm that all is working for you, only then we
> > can
> > > > start customizing the provider to meet your special needs.
> > > >
> > > > Thanks,
> > > > Alon.
> > > >
> > > > - Original Message -
> > > > > From: "David Smith" 
> > > > > To: "Alon Bar-Lev" 
> > > > > Cc: "users" 
> > > > > Sent: Wednesday, May 6, 2015 12:01:28 AM
> > > > > Subject: Re: [ovirt-users] AAA LDAP Authentication
> > > > >
> > > > > Hi Alon,
> > > > >
> >

Re: [ovirt-users] AAA LDAP Authentication

2015-05-05 Thread Alon Bar-Lev

I'm beginning to understand... although I cannot figure out how login works while 
search does not.

Anyway, try to add this to your profile:

sequence-init.init.900-local-init-vars = local-init-vars
sequence.local-init-vars.010.description = override name space
sequence.local-init-vars.010.type = var-set
sequence.local-init-vars.010.var-set.variable = simple_namespaceDefault
sequence.local-init-vars.010.var-set.value = 
cn=users,cn=accounts,dc=corp,dc=ft,dc=com
sequence.local-init-vars.020.description = apply filter to users
sequence.local-init-vars.020.type = var-set
sequence.local-init-vars.020.var-set.variable = simple_filterUserObject
sequence.local-init-vars.020.var-set.value = 
${seq:simple_filterUserObject}(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)
sequence.local-init-vars.030.description = apply filter to groups
sequence.local-init-vars.030.type = var-set
sequence.local-init-vars.030.var-set.variable = simple_filterGroupObject
sequence.local-init-vars.030.var-set.value = 
${seq:simple_filterGroupObject}(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)


- Original Message -
> From: "David Smith" 
> To: "Alon Bar-Lev" 
> Cc: "users" 
> Sent: Wednesday, May 6, 2015 12:17:59 AM
> Subject: Re: [ovirt-users] AAA LDAP Authentication
> 
> I can log into ovirt, I can see the profile, it doesn't throw any errors.
> However, it doesn't display any users. This is because the automatic rootDN
> is wrong.
> oVirt shows "Namespace: dc=corp, dc=ft, dc=com" if this is the search base
> it actually needs to be cn=users, cn=accounts, dc=corp, dc=ft, dc=com
> Hence my desire to configure rootDN
> 
> Then, I also want to filter based on the above (sorry the traffic part was
> a comment from testlink, the line should be)
> '(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)';
> That filter is what makes sure the results only show users in the specific
> group I want to give access to.
> 
> Thanks,
> David
> 
> On Tue, May 5, 2015 at 2:08 PM, Alon Bar-Lev  wrote:
> 
> > Hi,
> >
> > So your configuration is working, just you want to filter users?
> >
> > I do not follow what the organization filter is.
> >
> > > '(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)'; // e.g.
> > > '(organizationname=*Traffic)'
> >
> > It looks to me that you want to narrow the results based on specific
> > attribute value.
> >
> > But first you should confirm that all is working for you, only then we can
> > start customizing the provider to meet your special needs.
> >
> > Thanks,
> > Alon.
> >
> > - Original Message -
> > > From: "David Smith" 
> > > To: "Alon Bar-Lev" 
> > > Cc: "users" 
> > > Sent: Wednesday, May 6, 2015 12:01:28 AM
> > > Subject: Re: [ovirt-users] AAA LDAP Authentication
> > >
> > > Hi Alon,
> > >
> > > Thanks for the quick reply.
> > > openldap works fine; I use it with testlink (as shown in the example
> > > config). We're not using active directory; Just LDAP. The example config
> > I
> > > provided is fully inclusive of all configuration required for "testlink"
> > to
> > > use LDAP, I also have jenkins and mantis configured using the same
> > > parameters (although their terminology on where to enter the parameters
> > is
> > > varied, they use all the same information)
> > >
> > > The rootDSE is being determined automatically; however for my use it's
> > > wrong and needs to be provided manually. Again, I have no control over
> > > this. It's a company-wide configuration that won't be changed just for
> > me.
> > >
> > > How would I be able to specify the organization filter line if I added
> > some
> > > other include directive of whatever driver? I don't even understand what
> > > you're saying, exactly. Not all ovirt users/managers are programming
> > > experts.
> > >
> > > I use LDAPS because that's what my company supports. StartTLS is NOT
> > > supported (as I stated).  Silly on their part, right?
> > >
> > > Thanks,
> > > David
> > >
> > > On Tue, May 5, 2015 at 1:18 PM, Alon Bar-Lev  wrote:
> > >
> > > > Hello,
> > > >
> > > > Resources include sysadmin documentation[1], integrator
> > documentation[2],
> > > > overview[3], examples[4].
> > > >
> > > > You did not specify what LDAP vendor it is.
> > >

Re: [ovirt-users] AAA LDAP Authentication

2015-05-05 Thread Alon Bar-Lev
Hi,

So your configuration is working, just you want to filter users?

I do not follow what the organization filter is.

> '(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)'; // e.g.
> '(organizationname=*Traffic)'

It looks to me that you want to narrow the results based on specific attribute 
value.

But first you should confirm that all is working for you, only then we can 
start customizing the provider to meet your special needs.

Thanks,
Alon.

- Original Message -
> From: "David Smith" 
> To: "Alon Bar-Lev" 
> Cc: "users" 
> Sent: Wednesday, May 6, 2015 12:01:28 AM
> Subject: Re: [ovirt-users] AAA LDAP Authentication
> 
> Hi Alon,
> 
> Thanks for the quick reply.
> openldap works fine; I use it with testlink (as shown in the example
> config). We're not using active directory; just LDAP. The example config I
> provided is fully inclusive of all configuration required for "testlink" to
> use LDAP, I also have jenkins and mantis configured using the same
> parameters (although their terminology on where to enter the parameters is
> varied, they use all the same information)
> 
> The rootDSE is being determined automatically; however for my use it's
> wrong and needs to be provided manually. Again, I have no control over
> this. It's a company-wide configuration that won't be changed just for me.
> 
> How would I be able to specify the organization filter line if I added some
> other include directive of whatever driver? I don't even understand what
> you're saying, exactly. Not all ovirt users/managers are programming
> experts.
> 
> I use LDAPS because that's what my company supports. StartTLS is NOT
> supported (as I stated).  Silly on their part, right?
> 
> Thanks,
> David
> 
> On Tue, May 5, 2015 at 1:18 PM, Alon Bar-Lev  wrote:
> 
> > Hello,
> >
> > Resources include sysadmin documentation[1], integrator documentation[2],
> > overview[3], examples[4].
> >
> > You did not specify what LDAP vendor it is.
> >
> > I can guess your directory is Active Directory, hence all you need to do
> > is follow the "QUICK START"[5].
> >
> > The rootDSE is determined automatically, all you need is to provide a
> > valid user and password.
> >
> > What you are missing in your configuration is the include directive of the
> > proper driver.
> > Not sure why you use LDAPS and not LDAP with startTLS; startTLS is more
> > flexible and should be used unless there is an issue.
> >
> > Alon
> >
> > [1]
> > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD
> > [2]
> > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README.profile;hb=HEAD
> > [3] http://www.ovirt.org/Features/AAA
> > [4]
> > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=tree;f=examples;hb=HEAD
> > [5]
> > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l6
> >
> > - Original Message -
> > > From: "David Smith" 
> > > To: "users" 
> > > Sent: Tuesday, May 5, 2015 11:09:25 PM
> > > Subject: [ovirt-users] AAA LDAP Authentication
> > >
> > > I'm trying to set up the new 3.5 AAA LDAP Auth, but it's lacking some
> > serious
> > > detail in documentation, the rest is java-programmer-oriented docs only
> > that
> > > I can find;
> > >
> > > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git
> > >
> > > Here's a sample config (sanitized) that I need to adapt to ovirt; *I
> > HAVE NO
> > > control over the LDAP server.
> > >
> > > So far I've managed to figure out through search after search to use
> > LDAPS
> > > (TLS isn't an option, thanks!)
> > > Two parts I can't figure out; setting rootDN and setting the organization
> > > filter-- members of that particular organization should have access to
> > > ovirt, and none others.
> > >
> > > vars.server = directory.ft.com
> > >
> > > #
> > > # Search user and its password.
> > > #
> > > vars.user = uid=newproductslab,cn=users,cn=accounts,dc=corp,dc=ft,dc=com
> > > vars.urootdn = cn=users,cn=accounts,dc=corp,dc=ft,dc=com
> > > vars.password = Ft##
> > >
> > > pool.default.serverset.single.server = ${global:vars.server}
> > > pool.default.serverset.single.port = 636
> > > pool.default.

Re: [ovirt-users] AAA LDAP Authentication

2015-05-05 Thread Alon Bar-Lev
Hello,

Resources include sysadmin documentation[1], integrator documentation[2], 
overview[3], examples[4].

You did not specify what LDAP vendor it is.

I can guess your directory is Active Directory, hence all you need to do is 
follow the "QUICK START"[5].

The rootDSE is determined automatically, all you need is to provide a valid 
user and password.

What you are missing in your configuration is the include directive of the 
proper driver.
Not sure why you use LDAPS and not LDAP with startTLS; startTLS is more 
flexible and should be used unless there is an issue.

Alon

[1] 
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD
[2] 
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README.profile;hb=HEAD
[3] http://www.ovirt.org/Features/AAA
[4] 
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=tree;f=examples;hb=HEAD
[5] 
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l6

- Original Message -
> From: "David Smith" 
> To: "users" 
> Sent: Tuesday, May 5, 2015 11:09:25 PM
> Subject: [ovirt-users] AAA LDAP Authentication
> 
> I'm trying to set up the new 3.5 AAA LDAP Auth, but it's lacking some serious
> detail in documentation, the rest is java-programmer-oriented docs only that
> I can find;
> 
> https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git
> 
> Here's a sample config (sanitized) that I need to adapt to ovirt; *I HAVE NO
> control over the LDAP server.
> 
> So far I've managed to figure out through search after search to use LDAPS
> (TLS isn't an option, thanks!)
> Two parts I can't figure out; setting rootDN and setting the organization
> filter-- members of that particular organization should have access to
> ovirt, and none others.
> 
> vars.server = directory.ft.com
> 
> #
> # Search user and its password.
> #
> vars.user = uid=newproductslab,cn=users,cn=accounts,dc=corp,dc=ft,dc=com
> vars.urootdn = cn=users,cn=accounts,dc=corp,dc=ft,dc=com
> vars.password = Ft##
> 
> pool.default.serverset.single.server = ${global:vars.server}
> pool.default.serverset.single.port = 636
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.rootDN = ${global:vars.urootdn}
> pool.default.auth.simple.password = ${global:vars.password}
> 
> # enable SSL
> pool.default.ssl.enable = true
> #pool.default.ssl.insecure = false
> 
> # Create keystore, import certificate chain and uncomment
> # if using ssl/tls.
> #pool.default.ssl.startTLS = true
> pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
> pool.default.ssl.truststore.password = changeit
> 
> 
> Example config from testlink:
> $tlCfg->authentication['method'] = 'LDAP';
> 
> /** LDAP authentication credentials */
> $tlCfg->authentication['ldap_server'] = 'ldaps://directory.ft.com';
> $tlCfg->authentication['ldap_port'] = '636';
> $tlCfg->authentication['ldap_version'] = '3';
> $tlCfg->authentication['ldap_root_dn'] = 'cn=users,cn=accounts,dc=corp,dc=ft,dc=com';
> $tlCfg->authentication['ldap_bind_dn'] = 'uid=newproductslab,cn=users,cn=accounts,dc=corp,dc=ft,dc=com';
> $tlCfg->authentication['ldap_bind_passwd'] = 'Ft##';
> $tlCfg->authentication['ldap_tls'] = false; // true -> use tls
> $tlCfg->authentication['ldap_organization'] = '(nsRoleDN=cn=newproductslab,cn=accounts,dc=corp,dc=ft,dc=com)'; // e.g. '(organizationname=*Traffic)'
> $tlCfg->authentication['ldap_uid_field'] = 'uid'; // Use 'sAMAccountName' for Active Directory
> 
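Added example, not part of the thread and not the aaa-ldap extension's own loader: a small reader for the `key = value` profile format quoted in the message above, expanding `${global:...}` references the way the quoted profile uses them, followed by a lint of the transport settings (`ssl.enable`, `ssl.startTLS`, `ssl.insecure`, truststore, port) whose rules are my own. The sample profile is a constructed copy of the sanitized one in the thread, with a placeholder password, the wrapped truststore line unwrapped, and without the rootDN line.

```python
import re

# Constructed sample profile, modelled on the sanitized one quoted in the thread.
# The password is a placeholder, not a real credential.
SAMPLE_PROFILE = """\
vars.server = directory.ft.com

#
# Search user and its password.
#
vars.user = uid=newproductslab,cn=users,cn=accounts,dc=corp,dc=ft,dc=com
vars.password = PLACEHOLDER-PASSWORD

pool.default.serverset.single.server = ${global:vars.server}
pool.default.serverset.single.port = 636
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# enable SSL
pool.default.ssl.enable = true
#pool.default.ssl.insecure = false
#pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
pool.default.ssl.truststore.password = changeit
"""

# Same profile with certificate validation switched off (constructed weak variant).
INSECURE_PROFILE = SAMPLE_PROFILE.replace(
    "#pool.default.ssl.insecure = false", "pool.default.ssl.insecure = true")

GLOBAL_REF = re.compile(r"\$\{global:([A-Za-z0-9_.\-]+)\}")


def parse_profile(text):
    """Read 'key = value' lines; blank lines and '#' comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("malformed profile line: %r" % raw)
        key, value = line.split("=", 1)   # split on the first '=' only (DNs contain '=')
        props[key.strip()] = value.strip()
    return props


def resolve(props, value, depth=0):
    """Expand ${global:key} references recursively; other ${...} forms are kept as-is."""
    if depth > 10:
        raise ValueError("reference loop while expanding %r" % value)

    def substitute(match):
        key = match.group(1)
        if key not in props:
            raise KeyError("unresolved reference ${global:%s}" % key)
        return resolve(props, props[key], depth + 1)

    return GLOBAL_REF.sub(substitute, value)


def pool_settings(props, pool="default"):
    """Settings of one pool with the 'pool.<name>.' prefix stripped and references expanded."""
    prefix = "pool.%s." % pool
    return {key[len(prefix):]: resolve(props, value)
            for key, value in props.items() if key.startswith(prefix)}


def is_true(settings, key):
    return settings.get(key, "false").strip().lower() == "true"


def lint_transport(settings):
    """Findings about how the pool talks to the directory (the checks are my own)."""
    findings = []
    ldaps = is_true(settings, "ssl.enable")
    starttls = is_true(settings, "ssl.startTLS")
    insecure = is_true(settings, "ssl.insecure")
    port = settings.get("serverset.single.port", "389")
    if not (ldaps or starttls):
        findings.append("cleartext LDAP: neither ssl.enable nor ssl.startTLS is true")
    if ldaps and starttls:
        findings.append("ssl.enable and ssl.startTLS are both true; use one")
    if insecure:
        findings.append("ssl.insecure=true disables server certificate validation")
    if (ldaps or starttls) and not insecure and not settings.get("ssl.truststore.file"):
        findings.append("TLS enabled but no ssl.truststore.file to validate the server")
    if ldaps and port != "636":
        findings.append("ssl.enable with port %s (LDAPS normally uses 636)" % port)
    if starttls and port == "636":
        findings.append("startTLS on port 636 (startTLS upgrades the plain port, 389)")
    if settings.get("ssl.truststore.password") == "changeit":
        findings.append("truststore uses the Java default password 'changeit'")
    return findings


def lint_profile(text, pool="default"):
    """Parse, expand and lint one profile text; returns the list of findings."""
    return lint_transport(pool_settings(parse_profile(text), pool))


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_PROFILE), ("insecure", INSECURE_PROFILE)):
        print(name, lint_profile(text) or ["no findings"])
```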


Re: [ovirt-users] Disable admin@internal account

2015-04-15 Thread Alon Bar-Lev


- Original Message -
> From: "Jorick Astrego" 
> To: users@ovirt.org
> Sent: Wednesday, April 15, 2015 1:30:29 PM
> Subject: Re: [ovirt-users] Disable admin@internal account
> 
> 
> 
> On 04/15/2015 12:08 PM, Николаев Алексей wrote:
> 
> 
> 
> Hi community!
> The Red_Hat_Enterprise_Virtualization-3.5-Administration_Guide says how to
> add users from external directory.
> But now I want to disable the admin@internal account for security reasons and use
> it only for disaster recovery situations (or when LDAPS servers are not
> available). Can I do it?
> What are best practices for using only an external directory?
> If I delete the admin@internal account, can I add it again?
> 
> 
> Should be possible last time I asked, see response below:
> 
> 
> 
> 
> Subject:  Re: [ovirt-users] oVirt 3.5 and FreeIpa
> Date: Thu, 22 Jan 2015 06:59:52 -0500 (EST)
> From: Alon Bar-Lev 
> To:   Jorick Astrego 
> CC:   users@ovirt.org
> 
> 
> Also can we get rid of the internal admin or better just disable internal
> authentication without problems? As we have ipa we don't want local login
> enabled, but in emergency situations we might need to turn it on quickly.
> 
> Yes, you can disable the internal by creating
> /etc/ovirt-engine/engine.conf.d/50-disable-internal.conf
> ---
> ENGINE_EXTENSION_ENABLED_builtin-authn-internal = false
> ---
> 
> Hmmm we have a bug in this case... will fix, so let's just disable the
> authz for now.
> ---
> ENGINE_EXTENSION_ENABLED_internal = false
> 

Should work now properly using:

ENGINE_EXTENSION_ENABLED_builtin_authn_internal = false


Re: [ovirt-users] Issue with vdsm on EL6 nodes

2015-04-12 Thread Alon Bar-Lev


- Original Message -
> From: "ybronhei" 
> To: "Alon Bar-Lev" , "Dan Kenigsberg" 
> Cc: users@ovirt.org, "Oved Ourfalli" , de...@ovirt.org
> Sent: Sunday, April 12, 2015 1:56:18 PM
> Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
> 
> On 04/12/2015 12:17 PM, ybronhei wrote:
> > On 04/07/2015 04:45 PM, Alon Bar-Lev wrote:
> >>
> >>
> >> - Original Message -
> >>> From: "knarra" 
> >>> To: "Alon Bar-Lev" 
> >>> Cc: users@ovirt.org
> >>> Sent: Tuesday, April 7, 2015 3:39:58 PM
> >>> Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
> >>>
> >>> On 04/07/2015 05:58 PM, Alon Bar-Lev wrote:
> >>>>
> >>>> - Original Message -
> >>>>> From: "knarra" 
> >>>>> To: "Alon Bar-Lev" 
> >>>>> Cc: users@ovirt.org
> >>>>> Sent: Tuesday, April 7, 2015 3:25:07 PM
> >>>>> Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
> >>>>>
> >>>>> On 04/07/2015 05:50 PM, Alon Bar-Lev wrote:
> >>>>>> - Original Message -
> >>>>>>> From: "knarra" 
> >>>>>>> To: users@ovirt.org
> >>>>>>> Sent: Tuesday, April 7, 2015 3:15:12 PM
> >>>>>>> Subject: [ovirt-users] Issue with vdsm on EL6 nodes
> >>>>>>>
> >>>>>> 
> >>>>>>
> >>>>>>> SSLError: [Errno 1] _ssl.c:1390: error:1409442E:SSL
> >>>>>>> routines:SSL3_READ_BYTES:tlsv1 alert protocol version
> >>>>>>>
> >>>>>>> Can someone help me to resolve this issue.
> >>>>>> your openssl is patched to disable sslv3, and engine is trying to
> >>>>>> communicate using sslv3.
> >>>>>>
> >>>>>> please upgrade engine to latest z-stream, it should be resolved.
> >>>>> Hi Alon,
> >>>>>
> >>>>>I checked the following value in my database and my engine
> >>>>> is using
> >>>>> TLSv1 and not sslv3 to communicate. I am on 3.6 master branch.
> >>>>>
> >>>>> engine=# select option_name,option_value from vdc_options where
> >>>>> option_name = 'VdsmSSLProtocol';
> >>>>>   option_name   | option_value
> >>>>> -+--
> >>>>> VdsmSSLProtocol | TLSv1
> >>>>> (1 row)
> >>>> hmmm and you say you get this when you use vdsClient, so maybe
> >>>> it tries
> >>>> to connect using sslv3.
> >>>>
> >>>> is engine working properly?
> >>> yes, engine works fine, i have few other nodes where i have the same
> >>> vdsm version added to same engine and i do not hit this issue there. I
> >>> am just wondering how is this happening.
> >>>
> >>
> >> Compare openssl versions.
> >>
> >> Yaniv, please fix the vdsClient to use TLSv1
> >>
> > should it use v1 always (forcefully)? we can do that, but currently it
> > chooses the highest version both parties are able to use
> >
> >
> Vdsm uses ssl.PROTOCOL_SSLv23 which chooses the right tls version in
> python 2.7. In el6 we have python 2.6 which picks sslv2 or sslv3 when
> using ssl.PROTOCOL_SSLv23 (the highest version both sides support) -
> 
> ovirt 3.6 (vdsm 4.17 and above) doesn't support el6 anymore therefore
> current 3.6 code works as expected in el7\fedora>20.
> 
> If we want to fix vdsm 4.16.x (ovirt 3.5 package) to use explicitly
> ssl.PROTOCOL_TLSv1 we can do so - but it will be ovirt-3.5 branch only
> 
> Do we want that? If so, we need a bug for 3.5.

As far as I understand, ssl.PROTOCOL_SSLv23 will also use TLSv1; the problem 
is at the client side, not at the server side.

Alon
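Added example, my own code rather than vdsm's or vdsClient's: the first function breaks the OpenSSL error string quoted in the thread into its parts so a protocol-version refusal can be told apart from other TLS failures, and the second builds a client-side context with an explicit negotiation floor, which is what the thread asks for vdsClient, written against the modern Python 3 ssl API (PROTOCOL_TLS_CLIENT and minimum_version) instead of the Python 2.6 ssl.PROTOCOL_SSLv23 under discussion. The default floor of TLS 1.2 is my choice for today; the 2015 fix discussed was TLSv1.

```python
import re
import ssl

# Error string as quoted in the thread, copied here as constructed sample input.
SAMPLE_ERROR = ("SSLError: [Errno 1] _ssl.c:1390: error:1409442E:SSL "
                "routines:SSL3_READ_BYTES:tlsv1 alert protocol version")

# OpenSSL error format: error:<8 hex digits>:<library>:<function>:<reason>
OPENSSL_ERR_RE = re.compile(
    r"error:([0-9A-Fa-f]{8}):SSL routines:([A-Za-z0-9_]+):(.*)$")


def classify_ssl_error(line):
    """Split an OpenSSL error string into code, function and reason.

    'alert protocol version' means the peer answered our hello with a TLS
    alert because it refuses the protocol version we offered, which is the
    client-side symptom described in the thread. Returns None for lines
    that are not OpenSSL error strings.
    """
    match = OPENSSL_ERR_RE.search(line)
    if not match:
        return None
    code, function, reason = match.groups()
    reason = reason.strip()
    return {
        "code": code,
        "function": function,
        "reason": reason,
        "peer_sent_alert": " alert " in " %s " % reason,
        "protocol_mismatch": reason.endswith("alert protocol version"),
    }


def make_client_context(min_version=ssl.TLSVersion.TLSv1_2):
    """Client context whose negotiation floor is pinned explicitly.

    A bare auto-negotiating context (ssl.PROTOCOL_SSLv23 on Python 2) lets
    the libraries pick whatever both sides share; pinning the floor means
    we refuse a peer that only offers SSLv3 instead of being refused by a
    peer that has SSLv3 disabled.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = min_version
    ctx.check_hostname = True           # verify the server name in the certificate
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def negotiation_floor(ctx):
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


def sslv3_possible(ctx):
    """True if the context could still end up speaking SSLv3."""
    if ctx.minimum_version >= ssl.TLSVersion.TLSv1:
        return False
    return not (ctx.options & ssl.OP_NO_SSLv3)


if __name__ == "__main__":
    print(classify_ssl_error(SAMPLE_ERROR))
    context = make_client_context()
    print("floor:", negotiation_floor(context),
          "sslv3 possible:", sslv3_possible(context))
```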


Re: [ovirt-users] Issue with vdsm on EL6 nodes

2015-04-12 Thread Alon Bar-Lev


- Original Message -
> From: "ybronhei" 
> To: "Alon Bar-Lev" 
> Cc: "knarra" , users@ovirt.org, "Dima Kuznetsov" 
> 
> Sent: Sunday, April 12, 2015 12:17:03 PM
> Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
> 
> On 04/07/2015 04:45 PM, Alon Bar-Lev wrote:
> >
> >
> > - Original Message -
> >> From: "knarra" 
> >> To: "Alon Bar-Lev" 
> >> Cc: users@ovirt.org
> >> Sent: Tuesday, April 7, 2015 3:39:58 PM
> >> Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
> >>
> >> On 04/07/2015 05:58 PM, Alon Bar-Lev wrote:
> >>>
> >>> - Original Message -
> >>>> From: "knarra" 
> >>>> To: "Alon Bar-Lev" 
> >>>> Cc: users@ovirt.org
> >>>> Sent: Tuesday, April 7, 2015 3:25:07 PM
> >>>> Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
> >>>>
> >>>> On 04/07/2015 05:50 PM, Alon Bar-Lev wrote:
> >>>>> - Original Message -
> >>>>>> From: "knarra" 
> >>>>>> To: users@ovirt.org
> >>>>>> Sent: Tuesday, April 7, 2015 3:15:12 PM
> >>>>>> Subject: [ovirt-users] Issue with vdsm on EL6 nodes
> >>>>>>
> >>>>> 
> >>>>>
> >>>>>> SSLError: [Errno 1] _ssl.c:1390: error:1409442E:SSL
> >>>>>> routines:SSL3_READ_BYTES:tlsv1 alert protocol version
> >>>>>>
> >>>>>> Can someone help me to resolve this issue.
> >>>>> your openssl is patched to disable sslv3, and engine is trying to
> >>>>> communicate using sslv3.
> >>>>>
> >>>>> please upgrade engine to latest z-stream, it should be resolved.
> >>>> Hi Alon,
> >>>>
> >>>>I checked the following value in my database and my engine is
> >>>>using
> >>>> TLSv1 and not sslv3 to communicate. I am on 3.6 master branch.
> >>>>
> >>>> engine=# select option_name,option_value from vdc_options where
> >>>> option_name = 'VdsmSSLProtocol';
> >>>>   option_name   | option_value
> >>>> -+--
> >>>> VdsmSSLProtocol | TLSv1
> >>>> (1 row)
> >>> hmmm and you say you get this when you use vdsClient, so maybe it
> >>> tries
> >>> to connect using sslv3.
> >>>
> >>> is engine working properly?
> >> yes, engine works fine, i have few other nodes where i have the same
> >> vdsm version added to same engine and i do not hit this issue there. I
> >> am just wondering how is this happening.
> >>
> >
> > Compare openssl versions.
> >
> > Yaniv, please fix the vdsClient to use TLSv1
> >
> should it use v1 always (forcefully)? we can do that, but currently it
> chooses the highest version both parties are able to use

It looks like it uses SSLv3 per this report.


Re: [ovirt-users] simple-sso w. kerberos & iplanet ldap - login slow and unreliable (ovirt 3.5.1.1)

2015-04-09 Thread Alon Bar-Lev
Hi,

Just for me to understand... sometimes it works and sometimes it does not work 
with the same user aneil2?

From the log I can see that you probably have Basic Authorization Headers 
enabled; are you sure you do not type user/password in the browser credentials 
dialog? Can you please add KrbMethodK5Passwd off to the apache configuration 
to make sure it is not prompted? To clear this, if you use Firefox go to 
History->Clear Recent and select only Active Logins.

What I see is that aneil2 cannot be located, and fallback to Basic 
Authorization Headers is probably performed, and in these aneil2 is 
specified without the @profile suffix (as expected) and it fails.

Alon

- Original Message -
> From: "Alastair Neil" 
> To: "Ovirt Users" 
> Sent: Thursday, April 9, 2015 9:46:09 PM
> Subject: [ovirt-users] simple-sso w. kerberos & iplanet ldap - login slow and 
> unreliable (ovirt 3.5.1.1)
> 
> I have configured the simple-sso with kerberos. I can successfully login most
> of the time, but often the login fails and I am dropped at the portal login
> window and prompted for the internal account username and password. Host is
> FC 20. Also, adding users in the GMU-authz o= gmu.edu namespace is
> agonisingly slow returning from the directory lookup.
> 
> I can see from the apache logs that the kerberos authentication is
> successful, but in the engine logs I see many errors:
> 
> 
> 
> 2015-04-09 13:39:28,493 ERROR
> [org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter]
> (ajp--127.0.0.1-8702-11) Cannot obtain profile for user aneil2
> 
> and eventually:
> 
> 
> 
> 2015-04-09 13:39:28,342 ERROR
> [org.ovirt.engine.core.aaa.filters.BasicAuthenticationFilter]
> (ajp--127.0.0.1-8702-5) Cannot obtain profile for user aneil2

Re: [ovirt-users] sign-out with kerberos sso

2015-04-07 Thread Alon Bar-Lev


- Original Message -
> From: "Alastair Neil" 
> To: "Ovirt Users" 
> Sent: Wednesday, April 8, 2015 6:37:20 AM
> Subject: Re: [ovirt-users] sign-out with kerberos sso
> 
> Just a quick follow up. I tried the 3.5.2 RC3 and same issue.
> 
> 
> On 7 April 2015 at 22:54, Alastair Neil < ajneil.t...@gmail.com > wrote:
> 
> 
> 
> I have been setting up aaa, following the recipe in the RedHat portal:
> 
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.5/html/Administration_Guide/sect-Directory_Users.html#sect-Single_Sign-On_to_the_Administration_and_User_Portal
> 
> and I can successfully authenticate, however the Sign Out button does not
> clear the session properly and does nothing. I found this long standing bug
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=884653
> 
> this bug was updated last month as supposedly fixed by an errata release of
> RHEV 3.5.0.
> 
> I'm using FC20 with ovirt 3.5.1.1, Is there an equivalent fix in ovirt? If so
> how can I access it?
> 
> Thanks, Alastair

When authenticating using an external component, in this case Apache, the 
application cannot force the external component to log out; hence when you 
log out, you actually automatically log in again. The bug you refer to, 
bug#884653, is not a long-standing issue, but describes exactly that; read the Doc 
Text field.

In 3.6.0 we hopefully have a switch user capability to enable switching from 
external to internal authentication.

However, when you use Kerberos you probably want all users to be controlled using 
its policies.

Regards,
Alon


Re: [ovirt-users] can not deploy local host

2015-04-07 Thread Alon Bar-Lev


- Original Message -
> From: "Leandro Roggerone" 
> To: users@ovirt.org
> Sent: Tuesday, April 7, 2015 10:07:49 PM
> Subject: [ovirt-users] can not deploy local host
> 
> Hello, guys.
> Could not create a new host from virtualization manager.
> Mine is a fresh CentOS 7 server; I followed the video tutorial " oVirt
> Open Virtualization Basics -- Single Machine Install"
> 
> Result:
> Ovirt engine is up , I can connect to the engine but when creating the
> local host it returns
> "Failed to install Host local. Failed to execute stage 'Closing up':
> Command '/bin/systemctl' failed to execute"
> 
> I have been looking in the last file generated at
> /var/log/ovirt-engine/host-deploy, but cannot find more information,
> just the same line.
> 
> Where can I read a little more to solve it?

Deploying into localhost may cause conflict issues with other components.

The preferred method to do it is to install ovirt-engine-setup-plugin-allinone, 
execute engine-setup and answer yes when you are prompted whether you would like to 
install vdsm on this machine.
 


Re: [ovirt-users] Issue with vdsm on EL6 nodes

2015-04-07 Thread Alon Bar-Lev


- Original Message -
> From: "knarra" 
> To: "Alon Bar-Lev" 
> Cc: users@ovirt.org
> Sent: Tuesday, April 7, 2015 3:39:58 PM
> Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
> 
> On 04/07/2015 05:58 PM, Alon Bar-Lev wrote:
> >
> > - Original Message -
> >> From: "knarra" 
> >> To: "Alon Bar-Lev" 
> >> Cc: users@ovirt.org
> >> Sent: Tuesday, April 7, 2015 3:25:07 PM
> >> Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
> >>
> >> On 04/07/2015 05:50 PM, Alon Bar-Lev wrote:
> >>> - Original Message -
> >>>> From: "knarra" 
> >>>> To: users@ovirt.org
> >>>> Sent: Tuesday, April 7, 2015 3:15:12 PM
> >>>> Subject: [ovirt-users] Issue with vdsm on EL6 nodes
> >>>>
> >>> 
> >>>
> >>>> SSLError: [Errno 1] _ssl.c:1390: error:1409442E:SSL
> >>>> routines:SSL3_READ_BYTES:tlsv1 alert protocol version
> >>>>
> >>>> Can someone help me resolve this issue?
> >>> your openssl is patched to disable sslv3, and engine is trying to
> >>> communicate using sslv3.
> >>>
> >>> please upgrade engine to latest z-stream, it should be resolved.
> >> Hi Alon,
> >>
> >>   I checked the following value in my database and my engine is using
> >> TLSv1 and not sslv3 to communicate. I am on 3.6 master branch.
> >>
> >> engine=# select option_name,option_value from vdc_options where
> >> option_name = 'VdsmSSLProtocol';
> >>    option_name   | option_value
> >> -----------------+--------------
> >>  VdsmSSLProtocol | TLSv1
> >> (1 row)
> > hmmm and you say you get this when you use vdsClient, so maybe it tries
> > to connect using sslv3.
> >
> > is engine working properly?
> yes, engine works fine. I have a few other nodes where I have the same
> vdsm version added to the same engine and I do not hit this issue there. I
> am just wondering how this is happening.
> 

compare openssl version.

yaniv, please fix the vdsClient to use TLSv1
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
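The `SSLError` quoted in this thread embeds an OpenSSL error code, and decoding it tells you which side refused the handshake: a reason code in the TLS alert range means the remote end sent an alert (here alert 70, protocol_version, which matches the diagnosis above: the peer with SSLv3 disabled rejected the version offered to it), while any other reason is a local failure. The following Python is an added example, not code from this thread, from oVirt or from vdsm. It assumes OpenSSL 1.0-style error packing (8-bit library, 12-bit function, 12-bit reason) and the SSL library convention that reason codes of 1000 and above are alerts received from the peer; the second sample message is constructed.

```python
"""Decode the OpenSSL error code embedded in a Python SSLError message.

Added example; not code from this thread, from oVirt or from vdsm. Assumes
OpenSSL 1.0-style error packing (8-bit library, 12-bit function, 12-bit
reason) and that SSL-library reason codes >= 1000 are TLS alerts received
from the peer (alert number = reason - 1000).
"""
import re

ERR_LIB_SSL = 20             # OpenSSL ERR_LIB_SSL
SSL_AD_REASON_OFFSET = 1000  # reason codes at or above this are peer alerts

# Subset of TLS alert descriptions (RFC 5246 section 7.2.2), constructed for
# this example; numbers not listed are reported as alert_<n>.
TLS_ALERTS = {
    0: "close_notify",
    10: "unexpected_message",
    20: "bad_record_mac",
    40: "handshake_failure",
    42: "bad_certificate",
    46: "certificate_unknown",
    48: "unknown_ca",
    70: "protocol_version",
    80: "internal_error",
    112: "unrecognized_name",
}

_ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")


def parse_openssl_error(message):
    """Split 'error:HHHHHHHH:lib:func:reason' into its numeric parts."""
    m = _ERR_RE.search(message)
    if m is None:
        return None
    code = int(m.group(1), 16)
    return {
        "code": code,
        "library": code >> 24,            # top 8 bits
        "function": (code >> 12) & 0xFFF,  # middle 12 bits
        "reason": code & 0xFFF,           # low 12 bits
        "library_name": m.group(2),
        "function_name": m.group(3),
        "reason_text": m.group(4).strip(),
    }


def diagnose(message):
    """Classify an SSLError as a peer alert, a local failure, or unknown."""
    info = parse_openssl_error(message)
    if info is None:
        return {"kind": "unknown", "detail": message}
    if info["library"] == ERR_LIB_SSL and info["reason"] >= SSL_AD_REASON_OFFSET:
        alert = info["reason"] - SSL_AD_REASON_OFFSET
        name = TLS_ALERTS.get(alert, "alert_%d" % alert)
        return {
            "kind": "peer_alert",
            "alert": alert,
            "alert_name": name,
            "function_name": info["function_name"],
            "detail": "peer refused the handshake with alert %d (%s); compare "
                      "the protocol versions each side is configured to accept"
                      % (alert, name),
        }
    return {
        "kind": "local",
        "reason": info["reason"],
        "function_name": info["function_name"],
        "detail": "local OpenSSL failure in %s: %s"
                  % (info["function_name"], info["reason_text"]),
    }


# Constructed samples: the first is the message quoted in this thread, the
# second a server-side failure of the kind a mismatched cipher list produces.
SAMPLES = [
    "[Errno 1] _ssl.c:1390: error:1409442E:SSL routines:SSL3_READ_BYTES:"
    "tlsv1 alert protocol version",
    "[Errno 1] _ssl.c:510: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:"
    "no shared cipher",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(diagnose(sample)["detail"])
```

For the thread's message the decoder yields library 20 (SSL), function 148 (SSL3_READ_BYTES) and reason 1070, i.e. alert 70 from the peer; a "no shared cipher" error decodes to reason 193 with no alert offset, so it is reported as a failure on the local side.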


Re: [ovirt-users] Issue with vdsm on EL6 nodes

2015-04-07 Thread Alon Bar-Lev


- Original Message -
> From: "knarra" 
> To: "Alon Bar-Lev" 
> Cc: users@ovirt.org
> Sent: Tuesday, April 7, 2015 3:25:07 PM
> Subject: Re: [ovirt-users] Issue with vdsm on EL6 nodes
> 
> On 04/07/2015 05:50 PM, Alon Bar-Lev wrote:
> >
> > - Original Message -
> >> From: "knarra" 
> >> To: users@ovirt.org
> >> Sent: Tuesday, April 7, 2015 3:15:12 PM
> >> Subject: [ovirt-users] Issue with vdsm on EL6 nodes
> >>
> > 
> >
> >> SSLError: [Errno 1] _ssl.c:1390: error:1409442E:SSL
> >> routines:SSL3_READ_BYTES:tlsv1 alert protocol version
> >>
> >> Can someone help me resolve this issue?
> > your openssl is patched to disable sslv3, and engine is trying to
> > communicate using sslv3.
> >
> > please upgrade engine to latest z-stream, it should be resolved.
> Hi Alon,
> 
>  I checked the following value in my database and my engine is using
> TLSv1 and not sslv3 to communicate. I am on 3.6 master branch.
> 
> engine=# select option_name,option_value from vdc_options where
> option_name = 'VdsmSSLProtocol';
>    option_name   | option_value
> -----------------+--------------
>  VdsmSSLProtocol | TLSv1
> (1 row)

hmmm and you say you get this when you use vdsClient, so maybe it tries to 
connect using sslv3.

is engine working properly?
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] Issue with vdsm on EL6 nodes

2015-04-07 Thread Alon Bar-Lev


- Original Message -
> From: "knarra" 
> To: users@ovirt.org
> Sent: Tuesday, April 7, 2015 3:15:12 PM
> Subject: [ovirt-users] Issue with vdsm on EL6 nodes
> 



> SSLError: [Errno 1] _ssl.c:1390: error:1409442E:SSL
> routines:SSL3_READ_BYTES:tlsv1 alert protocol version
> 
> Can someone help me resolve this issue?

your openssl is patched to disable sslv3, and engine is trying to communicate 
using sslv3.

please upgrade engine to latest z-stream, it should be resolved.
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] problem with freeipa aaa-ldap setup

2015-04-07 Thread Alon Bar-Lev


- Original Message -
> From: "Sven Kieske" 
> To: users@ovirt.org
> Sent: Tuesday, April 7, 2015 1:23:39 PM
> Subject: Re: [ovirt-users] problem with freeipa aaa-ldap setup
> 
> On 03/04/15 12:38, Jorick Astrego wrote:
> > It appears I was suffering from a sticky fingers vim bug ;-) In the
> > properties instead of "include = " I had "nclude =
> > " with the "i" missing.
> > 
> > Maybe we should have an error message but it's working now.
> 
> Does ovirt do no syntax checking for this config file?
> Should I file an RFE, or is this a bug?

this is a properties file; the syntax was valid.
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] Cannot install vdsm on RHEL7

2015-04-06 Thread Alon Bar-Lev


- Original Message -
> From: "knarra" 
> To: users@ovirt.org
> Sent: Monday, April 6, 2015 12:50:45 PM
> Subject: [ovirt-users] Cannot install vdsm on RHEL7
> 
> Hi,
> 
>  I am trying to install vdsm on RHEL7 and I am hitting a
> dependency issue. I have the following repos enabled on my system.
> Can someone help me if I need to enable any other repos?
> 
> 
> epel.repo
> epel-testing.repo
> ovirt-master-dependencies.repo
> ovirt-master-snapshot.repo
> 
> Here is the output from "Yum install vdsm" command
> 
> --> Finished Dependency Resolution
> Error: Package: python-six-1.7.3-1.el6.noarch (epel)

I am just guessing... you are trying to install vdsm of el6 on el7.

> Requires: python(abi) = 2.6
> Installed: python-2.7.5-16.el7.x86_64 (@anaconda/7.1)
> python(abi) = 2.7
> python(abi) = 2.7
> Error: Package: unbound-libs-1.5.1-1.el6.x86_64 (epel)
> Requires: libpython2.6.so.1.0()(64bit)
> Error: Package: unbound-libs-1.5.1-1.el6.x86_64 (epel)
> Requires: libevent-1.4.so.2()(64bit)
>   You could try using --skip-broken to work around the problem
>   You could try running: rpm -Va --nofiles --nodigest
> 
> 
> Thanks
> kasturi.
> 
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] problem with freeipa aaa-ldap setup

2015-04-03 Thread Alon Bar-Lev


- Original Message -
> From: "Jorick Astrego" 
> Cc: users@ovirt.org
> Sent: Friday, April 3, 2015 1:11:06 PM
> Subject: Re: [ovirt-users] problem with freeipa aaa-ldap setup
> 
> 
> 
> On 04/03/2015 11:59 AM, Alon Bar-Lev wrote:
> > Hi,
> > 
> > Can you please send a complete engine.log?
> > 
> > There might be other messages during initialization.
> > 
> > Otherwise, please enable debug log[1] so I can have better visibility.
> > 
> > Thanks!
> > 
> > [1]
> > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l308
> > 
> Here is the log, I will enable debug log and post this too.

thanks!

this cannot be good:
---
2015-04-03 11:34:51,911 INFO  
[org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread 1-2) 
[ovirt-engine-extension-aaa-ldap.authz::netbulae-mgmt-authz] Available 
Namespaces: []
---

it is as if defaultNamingContext is not retrieved correctly.

yes, I will need the debug log.


thanks!

> 
> 
> 
> 
> 
> With kind regards,
> 
> Jorick Astrego
> 
> Netbulae Virtualization Experts
> 
> Tel: 053 20 30 270   i...@netbulae.eu   Staalsteden 4-3A   KvK 08198180
> Fax: 053 20 30 271   www.netbulae.eu    7547 TA Enschede   BTW NL821234584B01
> 
> 
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] problem with freeipa aaa-ldap setup

2015-04-03 Thread Alon Bar-Lev
Hi,

Can you please send a complete engine.log?

There might be other messages during initialization.

Otherwise, please enable debug log[1] so I can have better visibility.

Thanks!

[1] 
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l308

- Original Message -
> From: "Jorick Astrego" 
> To: users@ovirt.org
> Sent: Friday, April 3, 2015 12:46:11 PM
> Subject: [ovirt-users] problem with freeipa aaa-ldap setup
> 
> Hi again,
> 
> On a fresh ovirt 3.5.3rc3 install I can't get my ipa integration working
> anymore. The aaa extension loads correctly and I see the realm in the search
> window of "Add system permissions", but no users/groups are displayed. This
> used to work fine before and I cannot find any errors.
> 
> 
> 
> 
> 2015-04-03 11:34:51,935 INFO
> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread
> 1-2) Extension 'internal' initialized
> 2015-04-03 11:34:51,935 INFO
> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread
> 1-2) Start of enabled extensions list
> 2015-04-03 11:34:51,936 INFO
> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread
> 1-2) Instance name: 'netbulae-test-authz', Extension name:
> 'ovirt-engine-extension-aaa-ldap.authz', Version: '1.0.2', Notes: 'Display
> name: ovirt-engine-extension-aaa-ldap-1.0.2-1.el7', License: 'ASL 2.0',
> Home: ' http://www.ovirt.org ', Author 'The oVirt Project', Build interface
> Version: '0', File:
> '/etc/ovirt-engine/extensions.d/netbulae.test-authz.properties',
> Initialized: 'true'
> 2015-04-03 11:34:51,937 INFO
> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread
> 1-2) Instance name: 'netbulae-test-authn', Extension name:
> 'ovirt-engine-extension-aaa-ldap.authn', Version: '1.0.2', Notes: 'Display
> name: ovirt-engine-extension-aaa-ldap-1.0.2-1.el7', License: 'ASL 2.0',
> Home: ' http://www.ovirt.org ', Author 'The oVirt Project', Build interface
> Version: '0', File:
> '/etc/ovirt-engine/extensions.d/netbulae.test-authn.properties',
> Initialized: 'true'
> 2015-04-03 11:34:51,938 INFO
> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread
> 1-2) Instance name: 'builtin-authn-internal', Extension name: 'Internal
> Authn (Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home: '
> http://www.ovirt.org ', Author 'The oVirt Project', Build interface Version:
> '0', File: 'N/A', Initialized: 'true'
> 2015-04-03 11:34:51,939 INFO
> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread
> 1-2) Instance name: 'internal', Extension name: 'Internal Authz (Built-in)',
> Version: 'N/A', Notes: '', License: 'ASL 2.0', Home: ' http://www.ovirt.org
> ', Author 'The oVirt Project', Build interface Version: '0', File: 'N/A',
> Initialized: 'true'
> 2015-04-03 11:34:51,939 INFO
> [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread
> 1-2) End of enabled extensions list
> 
> 
> 
> 
> With kind regards,
> 
> Jorick Astrego
> 
> Netbulae Virtualization Experts
> 
> Tel: 053 20 30 270   i...@netbulae.eu   Staalsteden 4-3A   KvK 08198180
> Fax: 053 20 30 271   www.netbulae.eu    7547 TA Enschede   BTW NL821234584B01
> 
> 
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] Ovirt engine-setup fails, "Cannot get JAVA_HOME"

2015-03-11 Thread Alon Bar-Lev


- Original Message -
> From: "Yedidyah Bar David" 
> To: "Carter Kindley" , "Alon Bar-Lev" 
> 
> Cc: users@ovirt.org
> Sent: Wednesday, March 11, 2015 7:37:25 AM
> Subject: Re: [ovirt-users] Ovirt engine-setup fails, "Cannot get JAVA_HOME"
> 
> - Original Message -
> > From: "Carter Kindley" 
> > To: "Yedidyah Bar David" 
> > Cc: users@ovirt.org
> > Sent: Thursday, March 5, 2015 2:22:31 AM
> > Subject: RE: [ovirt-users] Ovirt engine-setup fails, "Cannot get JAVA_HOME"
> > 
> > Hey folks,
> > 
> > Icedtea-7 allows engine-setup to complete - almost...
> > 
> > The setup now fails on cleanup: "[ ERROR ] Failed to execute stage 'Closing
> > up': Command '/usr/bin/systemctl' failed to execute". The log files
> > indicate
> > that systemctl is attempting to start a unit file (presumably
> > ovirt-engine.service) which does not exist. I'm happy to write my own, but
> > it would be awesome to see what is used as best practice from the oVirt
> > community.
> 
> Adding Alon again :-) Perhaps the unit files are not packaged for gentoo?
> 
> Please attach setup log files just to make sure this indeed is the problem.

Since 3.5 only devenv is working under Gentoo, too many binary dependencies.
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] Error during host deploy for 3.5.1, package installation

2015-03-10 Thread Alon Bar-Lev

Yaniv, can you please assist, there seems to be a conflict and multilib issues 
of vdsm.

- Original Message -
> From: "Erik Brakke" 
> To: "Alon Bar-Lev" 
> Cc: users@ovirt.org
> Sent: Tuesday, March 10, 2015 4:21:53 PM
> Subject: Re: [ovirt-users] Error during host deploy for 3.5.1, package 
> installation
> 
> Hi Alon, thanks for replying.
> 
> When I:
> yum update vdsm
> No packages marked for update
> 
> When I:
> yum update vdsm-xmlrpc
> Error: package: vdsm-4.14.8.1-0.fc20.i686 (@updates)
> Requires: vdsm-xmlrpc = 4.14.8.1-0.fc20.noarch (@updates)
> Removing: vdsm-xmlrpc-4.14.8.1-0.fc20.noarch (@updates)
> vdsm-xmlrpc-4.14.8.1-0.fc20
> Updated By: vdsm-xmlrpc-4.16.10-8.gitc937927.fc20.noarch (ovirt-3.5)
> vdsm-xmlrpc-4.16.10-8.gitc937927.fc20
> Available: vdsm-xmlrpc-4.12.1-1.fc20.noarch (fedora)
> vdsm-xmlrpc-4.12.1-1.fc20
> Available: vdsm-xmlrpc-4.16.7-1.gitdb83943.fc20.noarch (ovirt-3.5)
> vdsm-xmlrpc-4.16.7-1.gitdb83943.fc20
> Available: vdsm-xmlrpc-4.16.10-0.fc20.noarch (ovirt-3.5)
> vdsm-xmlrpc-4.16.10-0.fc20
> 
> I also get matching results for vdsm-python and vdsm-python-zombiereaper.
> 
> Do I need to disable the Fedora updates repo?
> 
> Thanks!
> -Erik
> 
> 
> 
> On Tue, Mar 10, 2015 at 2:44 AM, Alon Bar-Lev  wrote:
> 
> > Hi,
> >
> > What do you get when you try to update vdsm manually?
> >
> > # yum update vdsm
> >
> > - Original Message -
> > > From: "Erik Brakke" 
> > > To: users@ovirt.org
> > > Sent: Tuesday, March 10, 2015 4:25:53 AM
> > > Subject: [ovirt-users] Error during host deploy for 3.5.1,package
> > installation
> > >
> > > Hello,
> > > When deploying a new host from the admin portal to FC20 target, the
> > package
> > > dependency check fails (host-deploy log):
> > >
> > > ERROR otopi.plugins.otopi.packagers.yumpackager yumpackager.error:97 Yum
> > > [u'vdsm-4.14.8.1-0.fc20.i686 requires vdsm-xmlrpc = 4.14.8.1-0.fc20',
> > > u'vdsm-4.14.8.1-0.fc20.i686 requires vdsm-python = 4.14.8.1-0.fc20',
> > > u'vdsm-4.14.8.1-0.fc20.i686 requires vdsm-python-zombiereaper =
> > > 4.14.8.1-0.fc20']
> > >
> > > I've tried the release 3.5 and 3.5-snapshot repos. Installing the
> > packages
> > > manually does not satisfy host deploy. It appears vdsm 4.16 packages are
> > > available in the repository.
> > >
> > > Engine was previously running 3.5.0, updated to 3.5.1, no change. I was
> > able
> > > to deploy hosts in January with 3.5.0.
> > >
> > > Any assistance greatly appreciated!
> > >
> > > Best - Erik
> > >
> > > ___
> > > Users mailing list
> > > Users@ovirt.org
> > > http://lists.ovirt.org/mailman/listinfo/users
> > >
> >
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] Error during host deploy for 3.5.1, package installation

2015-03-10 Thread Alon Bar-Lev
Hi,

What do you get when you try to update vdsm manually?

# yum update vdsm

- Original Message -
> From: "Erik Brakke" 
> To: users@ovirt.org
> Sent: Tuesday, March 10, 2015 4:25:53 AM
> Subject: [ovirt-users] Error during host deploy for 3.5.1,package 
> installation
> 
> Hello,
> When deploying a new host from the admin portal to FC20 target, the package
> dependency check fails (host-deploy log):
> 
> ERROR otopi.plugins.otopi.packagers.yumpackager yumpackager.error:97 Yum
> [u'vdsm-4.14.8.1-0.fc20.i686 requires vdsm-xmlrpc = 4.14.8.1-0.fc20',
> u'vdsm-4.14.8.1-0.fc20.i686 requires vdsm-python = 4.14.8.1-0.fc20',
> u'vdsm-4.14.8.1-0.fc20.i686 requires vdsm-python-zombiereaper =
> 4.14.8.1-0.fc20']
> 
> I've tried the release 3.5 and 3.5-snapshot repos. Installing the packages
> manually does not satisfy host deploy. It appears vdsm 4.16 packages are
> available in the repository.
> 
> Engine was previously running 3.5.0, updated to 3.5.1, no change. I was able
> to deploy hosts in January with 3.5.0.
> 
> Any assistance greatly appreciated!
> 
> Best - Erik
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] AD time sync issue.

2015-03-01 Thread Alon Bar-Lev


- Original Message -
> From: "Shadow Hunt" 
> To: users@ovirt.org
> Sent: Thursday, February 26, 2015 11:52:09 PM
> Subject: [ovirt-users] AD time sync issue.
> 
> Thanks for the add, anyone have experience adding the ovirt engine to Windows
> active directory? I keep getting a time synchronization error and I can't
> figure it out.

I do not understand what you seek.
Adding the engine machine to the active directory domain as a domain member?
How do you attempt to do so? What exact error do you get?
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] Ovirt & VPS & SingleSignOn

2015-02-21 Thread Alon Bar-Lev
Hello,

You can integrate with any apache mod_authn_* module and ldap as directory.

See[1], more precisely[2]; you can replace kerberos with any other apache 
module, the principle is the same: apache performs the authentication and 
delegates the principal name to the ovirt-engine backend, which in turn fetches 
user information out of ldap.

If the above is insufficient I can help you to implement your own authn/authz 
extensions.

Regards,
Alon

[1] http://www.ovirt.org/Features/AAA
[2] 
http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l171

- Original Message -
> From: "Dubravko Sever" 
> To: users@ovirt.org
> Sent: Friday, February 20, 2015 12:24:21 PM
> Subject: [ovirt-users] Ovirt & VPS & SingleSignOn
> 
> Hi,
> 
> Currently I'm looking for a new solution for providing VPS-s to my
> organization users; we don't need billing infrastructure. Does anyone have a
> case of ovirt as VPS management and user interface (please provide me some
> feedback)?
> And another question, what about integration with SingleSignOn infrastructure
> like shibboleth, based on SAML2?
> 
> Thanks
> 
> Dubravko
> 
> 
> --
> Dubravko Sever
> Computer Systems Department
> University of Zagreb, University Computing Centre (Srce), www.srce.unizg.hr
> dubravko.se...@srce.hr, tel: +385 1 616 5807, fax: +385 1 616 5559
> 
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] SELinux is preventing /usr/sbin/glusterfsd from write access on the sock_file

2015-02-19 Thread Alon Bar-Lev

this should be part of the package.
otopi is only automating a sysadmin task that could otherwise have been 
accomplished using standard yum.
please open a bug against gluster packaging.

- Original Message -
> From: "Nathanaël Blanchet" 
> To: "ovi >> users@ovirt.org" 
> Sent: Thursday, February 19, 2015 4:46:13 PM
> Subject: [ovirt-users] SELinux is preventing /usr/sbin/glusterfsd from write 
> access on the sock_file
> 
> On freshly installed el7 hosts, selinux prevents gluster from running.
> Setting selinux to permissive or building the relative .pp module
> resolves the issue.
> Does otopi configure selinux for gluster when installing?
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] Problem on the manager

2015-02-14 Thread Alon Bar-Lev
Hello,

first make sure that the service log files are rotating, they should be.

psql database has some limitations, the notable one is that it always grows.

there are automatic procedures that are called vacuum, which reclaim space.

when vacuum is running there is a significant slow down, so these are not run 
often.

if you have a storage constraint maybe you need to increase the auto vacuum 
interval[1], or run it manually[2].

in the past using other applications I found out that there is less downtime 
when simply stopping the application and performing backup/restore of the database, 
but in case of ovirt-engine this option is not valid.

Alon

[1] http://www.postgresql.org/docs/9.1/static/runtime-config-autovacuum.html
[2] http://www.postgresql.org/docs/9.1/static/app-vacuumdb.html

- Original Message -
> From: "Massimo Mad" 
> To: users@ovirt.org
> Sent: Saturday, February 14, 2015 11:28:42 PM
> Subject: [ovirt-users] Problem on the manager
> 
> I have a problem on my oVirt managers, the problem is that the directory
> /var/lib/pgsql/data fills up.
> Initially thinking that my file system /var/log at 2Gb was too small, I have
> now increased it to 4Gb and it is refilled.
> How can I prevent this from happening? It may be due to the fact that I have
> implemented the backup of the manager with the oVirt backup.sh script.
> Regards Massimo
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] AAA documentation

2015-02-12 Thread Alon Bar-Lev


- Original Message -
> From: "Winfried de Heiden" 
> To: "Alon Bar-Lev" 
> Cc: users@ovirt.org
> Sent: Thursday, February 12, 2015 1:47:21 PM
> Subject: Re: [ovirt-users] AAA documentation
> 
> Hi,
> 
> Thanks, I noticed the "gerrit" pages also, but well, if that's all, some
> progress has to be made... No installation/configuration guide for this?

This is a README that is also installed with the 
ovirt-engine-extension-aaa-ldap package into /usr/share/doc; the fact that it 
is text and not wiki style does not mean it does not have the required 
information... nor that it cannot be considered a guide.

Will you give it a chance and read it? I will be happy to help you with any 
specific issue.

> 
> Winny
> 
> On 12-02-15 at 12:37, Alon Bar-Lev wrote:
> 
> - Original Message -
> > From: "Winfried de Heiden" 
> > To: users@ovirt.org
> > Sent: Thursday, February 12, 2015 1:36:02 PM
> > Subject: [ovirt-users] AAA documentation
> > 
> > Hi all,
> > 
> > The "old" LDAP for user authentication and information is outdated since
> > oVirt 3.5; http://www.ovirt.org/LDAP_Quick_Start will tell "ATTENTION: This
> > page is obsoleted for >=ovirt-engine-3.5 by Features/AAA"
> > 
> > The page http://www.ovirt.org/Features/AAA does not seem very helpful in
> > order to configure (LDAP in my case) this new feature. Where can I find more
> > information?
> 
> it does reference to here[1]
> 
> [1]
> http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD
> 
> 
> 
> Kind regards,
> 
> Winny
> 
> ___
> Users mailing list Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] AAA documentation

2015-02-12 Thread Alon Bar-Lev


- Original Message -
> From: "Winfried de Heiden" 
> To: users@ovirt.org
> Sent: Thursday, February 12, 2015 1:36:02 PM
> Subject: [ovirt-users] AAA documentation
> 
> Hi all,
> 
> The "old" LDAP for user authentication and information is outdated since
> oVirt 3.5; http://www.ovirt.org/LDAP_Quick_Start will tell "ATTENTION: This
> page is obsoleted for >=ovirt-engine-3.5 by Features/AAA"
> 
> The page http://www.ovirt.org/Features/AAA does not seem very helpful in
> order to configure (LDAP in my case) this new feature. Where can I find more
> information?

it does reference to here[1]

[1] 
http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD

> 
> Kind regards,
> 
> Winny
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] Installation issue hypervisor

2015-02-05 Thread Alon Bar-Lev

You should see errors/warnings in the event log in the user interface (open the 
bottom window).
In engine.log you should look for the error prior to this message.

- Original Message -
> From: "Koen Vanoppen" 
> To: users@ovirt.org
> Sent: Thursday, February 5, 2015 3:18:21 PM
> Subject: [ovirt-users] Installation issue hypervisor
> 
> Hi All,
> 
> I'm trying to add a new hypervisor to oVirt. But for some reason (and I
> already did a few in the mean while ;-) ) this  just doesn't want to
> cooperate...
> I'm getting the following error in my engine.log:
> 
> 2015-02-05 13:55:21,581 ERROR [org.ovirt.engine.core.uutils.ssh.SSHDialog]
> (org.ovirt.thread.pool-8-thread-16) SSH error running command
> r...@ovirthyp01dev.mydomain.com:'umask 0077;
> MYTMP="$(TMPDIR="${OVIRT_TMPDIR}" mktemp -t ovirt-XX)"; trap "chmod
> -R u+rwX \"${MYTMP}\" > /dev/null 2>&1; rm -fr \"${MYTMP}\" > /dev/null
> 2>&1" 0; rm -fr "${MYTMP}" && mkdir "${MYTMP}" && tar --warning=no-timestamp
> -C "${MYTMP}" -x && "${MYTMP}"/setup DIALOG/dialect=str:machine
> DIALOG/customization=bool:True': java.io.IOException: Command returned
> failure code 1 during SSH session ' r...@ovirthyp01dev.mydomain.com '
> at
> org.ovirt.engine.core.uutils.ssh.SSHClient.executeCommand(SSHClient.java:527)
> [uutils.jar:]
> at
> org.ovirt.engine.core.uutils.ssh.SSHDialog.executeCommand(SSHDialog.java:318)
> [uutils.jar:]
> at org.ovirt.engine.core.bll.VdsDeploy.execute(VdsDeploy.java:1118)
> [bll.jar:]
> at
> org.ovirt.engine.core.bll.InstallVdsInternalCommand.installHost(InstallVdsInternalCommand.java:154)
> [bll.jar:]
> at
> org.ovirt.engine.core.bll.InstallVdsInternalCommand.executeCommand(InstallVdsInternalCommand.java:81)
> [bll.jar:]
> at
> org.ovirt.engine.core.bll.CommandBase.executeWithoutTransaction(CommandBase.java:1193)
> [bll.jar:]
> at
> org.ovirt.engine.core.bll.CommandBase.executeActionInTransactionScope(CommandBase.java:1332)
> [bll.jar:]
> at
> org.ovirt.engine.core.bll.CommandBase.runInTransaction(CommandBase.java:1957)
> [bll.jar:]
> at
> org.ovirt.engine.core.utils.transaction.TransactionSupport.executeInSuppressed(TransactionSupport.java:174)
> [utils.jar:]
> at
> org.ovirt.engine.core.utils.transaction.TransactionSupport.executeInScope(TransactionSupport.java:116)
> [utils.jar:]
> at org.ovirt.engine.core.bll.CommandBase.execute(CommandBase.java:1356)
> [bll.jar:]
> at org.ovirt.engine.core.bll.CommandBase.executeAction(CommandBase.java:353)
> [bll.jar:]
> at
> org.ovirt.engine.core.bll.MultipleActionsRunner.executeValidatedCommand(MultipleActionsRunner.java:193)
> [bll.jar:]
> at
> org.ovirt.engine.core.bll.MultipleActionsRunner.runCommands(MultipleActionsRunner.java:160)
> [bll.jar:]
> at
> org.ovirt.engine.core.bll.MultipleActionsRunner$2.run(MultipleActionsRunner.java:169)
> [bll.jar:]
> at
> org.ovirt.engine.core.utils.threadpool.ThreadPoolUtil$InternalWrapperRunnable.run(ThreadPoolUtil.java:90)
> [utils.jar:]
> at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
> [rt.jar:1.7.0_65]
> at java.util.concurrent.FutureTask.run(FutureTask.java:262) [rt.jar:1.7.0_65]
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> [rt.jar:1.7.0_65]
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> [rt.jar:1.7.0_65]
> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_65]
> 
> 2015-02-05 13:55:21,610 ERROR [org.ovirt.engine.core.bll.VdsDeploy]
> (org.ovirt.thread.pool-8-thread-16) [8954c66] Error during host
> ovirthyp01dev.mydomain.com install: java.io.IOException: Command returned
> failure code 1 during SSH session ' r...@ovirthyp01dev.mydomain.com '
> at
> org.ovirt.engine.core.uutils.ssh.SSHClient.executeCommand(SSHClient.java:527)
> [uutils.jar:]
> at
> org.ovirt.engine.core.uutils.ssh.SSHDialog.executeCommand(SSHDialog.java:318)
> [uutils.jar:]
> at org.ovirt.engine.core.bll.VdsDeploy.execute(VdsDeploy.java:1118)
> [bll.jar:]
> at
> org.ovirt.engine.core.bll.InstallVdsInternalCommand.installHost(InstallVdsInternalCommand.java:154)
> ~
> ~
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] Where can I get the ovirt-engine MIB?

2015-01-30 Thread Alon Bar-Lev


- Original Message -
> From: "Nathanaël Blanchet" 
> To: users@ovirt.org
> Sent: Friday, January 30, 2015 12:38:10 PM
> Subject: [ovirt-users] Where can I get the ovirt-engine MIB?
> 
> Hello,
> 
> According to https://bugzilla.redhat.com/show_bug.cgi?id=1136818, we are
> now able to get snmp traps with the custom MIB.
> This thread provides the sample redhat MIB but where can I get the full
> ovirt-engine mib txt file?

/usr/share/doc/ovirt-engine/mibs
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] AAA

2015-01-29 Thread Alon Bar-Lev
main.com > (this one
> resolves to and gives ping back, front end of the pool)
> 
> #
> # Search user and its password.
> #
> vars.user = juniper-ad...@mydomain.com
> vars.password = *
> 
> #
> # Optional DNS servers, if enterprise
> # DNS server cannot resolve the domain srvrecord.
> #
> #vars.dns = dns://srvdc03.my.domain
> dns://srvdc04.my.domain (these resolve and give a ping back)
> 
> pool.default.serverset.type = srvrecord
> #pool.default.serverset.single.server = ${global:vars.server}
> pool.default.serverset.srvrecord.domain = ${global:vars.domain}
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
> 
> # Uncomment if using custom DNS
> 
> pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
> pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
> 
> 
> Thanks for your effort!
> 
> 
> 2015-01-29 13:50 GMT+01:00 Alon Bar-Lev < alo...@redhat.com >:
> 
> - Original Message -
> > From: "Koen Vanoppen" < vanoppen.k...@gmail.com >
> > To: "Alon Bar-Lev" < alo...@redhat.com >
> > Cc: users@ovirt.org
> > Sent: Thursday, January 29, 2015 2:41:52 PM
> > Subject: Re: [ovirt-users] AAA
> > 
> > Yes We have:
> > 
> > [root@ovirtmgmt01prod ~]# dig @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com
> > 
> > ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com
> > ; (1 server found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33340
> > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> > 
> > ;; QUESTION SECTION:
> > ;_gc._tcp.mydomain.com. IN SRV
> 
> this ^^^ means that you do not have an srv record. are you sure you
> replaced mydomain.com with your actual active directory domain name?
> have you tried to look into your dns manager for this information as
> well?
> 
> > 
> > ;; AUTHORITY SECTION:
> > mydomain.com. 3600 IN SOA srvdc03.mydomain.com. hostmaster.airport. 1398582 900 600 86400 3600
> > 
> > ;; Query time: 12 msec
> > ;; SERVER: 10.110.3.123#53(10.110.3.123)
> > ;; WHEN: Thu Jan 29 13:40:41 2015
> > ;; MSG SIZE rcvd: 98
> > 
> > 
> > 
> > 2015-01-29 13:33 GMT+01:00 Alon Bar-Lev < alo...@redhat.com >:
> > 
> > > 
> > > 
> > > - Original Message -
> > > > From: "Koen Vanoppen" < vanoppen.k...@gmail.com >
> > > > To: "Alon Bar-Lev" < alo...@redhat.com >, users@ovirt.org
> > > > Sent: Thursday, January 29, 2015 2:19:32 PM
> > > > Subject: Re: [ovirt-users] AAA
> > > > 
> > > > Big thanks for your help, but still the same:
> > > > 
> > > > #
> > > > # Active directory domain name.
> > > > #
> > > > vars.domain = mydomain.com
> > > > 
> > > > #
> > > > # Search user and its password.
> > > > #

Re: [ovirt-users] AAA

2015-01-29 Thread Alon Bar-Lev


- Original Message -
> From: "Koen Vanoppen" 
> To: "Ondra Machacek" , users@ovirt.org
> Sent: Thursday, January 29, 2015 3:46:09 PM
> Subject: Re: [ovirt-users] AAA
> 
> I saw that when I pressed the send button. If I do that i again get the
> following:
> 
> 2015-01-29 14:28:35,891 WARN
> [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread
> 1-1) [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot
> initialize LDAP framework, deferring initialization. Error: An error
> occurred while attempting to query DNS in order to retrieve SRV records with
> name '_ldap._tcp.ldap.mydomain.com': javax.naming.NameNotFoundException:
> DNS name not found [response code 3]; remaining name '_ldap._tcp.ldap.mydomain.com'
> 2015-01-29 14:28:35,924 WARN
> [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread
> 1-1) [ovirt-engine-extension-aaa-ldap.authn::BRU_AIR-authn] Cannot
> initialize LDAP framework, deferring initialization. Error: An error
> occurred while attempting to query DNS in order to retrieve SRV records with
> name '_ldap._tcp.ldap.mydomain.com': javax.naming.NameNotFoundException:
> DNS name not found [response code 3]; remaining name '_ldap._tcp.ldap.mydomain.com'
> 
> And yes I replayed mydomain with the correct one... :-)

Hi Koen,

I keep asking you... please provide the following so we can help:

1. your real domain name that you are using, I guess mydomain.com is not the 
correct one and also ldap.mydomain.com is not the active directory domain name, 
please determine what is the active directory domain name, you can do this via 
the domains and site manager.

2. the command and full output of dig using:

$ dig @srvdc03. SRV _ldap._tcp.
$ dig @srvdc03. SRV _gc._tcp.

these srv records MUST exist within active directory DNS, otherwise the active 
directory itself will not work, your task is to find what  is in your 
environment and what server runs valid DNS.

3. open the dns manager within active directory, expand the _tcp branch, and 
attach a screenshot of what you see.

Thanks,
Alon.

> 
> 2015-01-29 14:40 GMT+01:00 Ondra Machacek < omach...@redhat.com > :
> 
> 
> 
> 
> On 01/29/2015 02:18 PM, Koen Vanoppen wrote:
> 
> 
> OK... Now I have this one :-)
> WARN [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service
> thread 1-2) [ovirt-engine-extension-aaa-ldap.authn::BRU_AIR-authn]
> Cannot initialize LDAP framework, deferring initialization. Error:
> Invalid DNS pseudo-URL(s):
> 
> uncomment vars.dns
> 
> 
> 
> 
> Changed the properties file to this:
> 
> include = 
> 
> #
> # Active directory domain name.
> #
> vars.domain = ldap.mydomain.com (this one
> resolves to and gives ping back, front end of the pool)
> 
> #
> # Search user and its password.
> #
> vars.user = juniper-ad...@mydomain.com 
> vars.password = *
> 
> #
> # Optional DNS servers, if enterprise
> # DNS server cannot resolve the domain srvrecord.
> #
> #vars.dns = dns://srvdc03.my.domain dns://srvdc04.my.domain (these
> resolve and give a ping back)
> 
> pool.default.serverset.type = srvrecord
> #pool.default.serverset.single.server = ${global:vars.server}
> pool.default.serverset.srvrecord.domain = ${global:vars.domain}
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
> 
> # Uncomment if using custom DNS
> pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = ${global:vars.dns}
> pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
> 
> 
> Thanks for your effort!
> 
> 
> 2015-01-29 13:50 GMT+01:00 Alon Bar-Lev <alo...@redhat.com>:
> 
> 
> 
> - Original Message -
> > From: "Koen Vanoppen" <vanoppen.k...@gmail.com>
> > To: "Alon Bar-Lev" <alo...@redhat.com>
> > Cc: users@ovirt.org
> > Sent: Thursday, January 29, 2015 2:41:52 PM
> > Subject: Re: [ovirt-users] AAA
> > 
> > Yes We have:
> > 
> > [root@ovirtmgmt01prod ~]# dig @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com
> > 
> > ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com
> > ; (1 server found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUER

Re: [ovirt-users] AAA

2015-01-29 Thread Alon Bar-Lev


- Original Message -
> From: "Koen Vanoppen" 
> To: "Alon Bar-Lev" 
> Cc: users@ovirt.org
> Sent: Thursday, January 29, 2015 2:41:52 PM
> Subject: Re: [ovirt-users] AAA
> 
> Yes We have:
> 
> [root@ovirtmgmt01prod ~]# dig @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com
> 
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @srvdc03.mydomain.com
> SRV _gc._tcp.mydomain.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33340
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;_gc._tcp.mydomain.com. IN  SRV

this ^^^ means that you do not have srv record. are you sure you replace 
mydomain.com with your actual active directory domain name?
have you tried to look into your dns manager for this information as well?

> 
> ;; AUTHORITY SECTION:
> mydomain.com.   3600IN  SOA srvdc03.mydomain.com.
> hostmaster.airport. 1398582 900 600 86400 3600
> 
> ;; Query time: 12 msec
> ;; SERVER: 10.110.3.123#53(10.110.3.123)
> ;; WHEN: Thu Jan 29 13:40:41 2015
> ;; MSG SIZE  rcvd: 98
> 
> 
> 
> 2015-01-29 13:33 GMT+01:00 Alon Bar-Lev :
> 
> >
> >
> > - Original Message -
> > > From: "Koen Vanoppen" 
> > > To: "Alon Bar-Lev" , users@ovirt.org
> > > Sent: Thursday, January 29, 2015 2:19:32 PM
> > > Subject: Re: [ovirt-users] AAA
> > >
> > > Big thanks for your help, but still the same:
> > >
> > > #
> > > # Active directory domain name.
> > > #
> > > vars.domain = mydomain.com
> > >
> > > #
> > > # Search user and its password.
> > > #
> > > vars.user = admin@${global:vars.domain}
> > > vars.password = *
> > >
> > > #
> > > # Optional DNS servers, if enterprise
> > > # DNS server cannot resolve the domain srvrecord.
> > > #
> > > vars.dns = dns://srvdc03.${global:vars.domain}
> > > dns://srvdc04.${global:vars.domain}
> > >
> > > pool.default.serverset.type = srvrecord
> > > pool.default.serverset.srvrecord.domain = ${global:vars.domain}
> > > pool.default.auth.simple.bindDN = ${global:vars.user}
> > > pool.default.auth.simple.password = ${global:vars.password}
> > >
> > > # Uncomment if using custom DNS
> > >
> > > pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url =
> > > ${global:vars.dns}
> > > pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
> > >
> > >
> > >
> > >  [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot initialize
> > > LDAP framework, deferring initialization. Error: No DNS SRV records were
> > > found with record name '_gc._tcp.brussels.airport'.
> > >
> > > And I can't put '_gc._tcp.mydomain.com in the dns... Isn't there another
> > > way it just resolves the dns servers I gave him?
> > >
> >
> > Microsoft Domain controller must have gc service entry within DNS to work
> > properly.
> > 1. Are you sure you have Microsoft DNS installed on srvdc03.mydomain.com ?
> > 2. Can you please execute:
> > $ dig @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com
> > 3. Can you please open the DNS manager within your domain and search for
> > srv records? Maybe you have DNS installed only on few servers, using the
> > DNS manager you can also see which.
> >
> > >
> > > 2015-01-29 13:02 GMT+01:00 Alon Bar-Lev :
> > >
> > > >
> > > >
> > > > - Original Message -
> > > > > From: "Ondra Machacek" 
> > > > > To: "Koen Vanoppen" , users@ovirt.org
> > > > > Sent: Thursday, January 29, 2015 1:49:00 PM
> > > > > Subject: Re: [ovirt-users] AAA
> > > > >
> > > > >
> > > > > On 01/29/2015 12:30 PM, Koen Vanoppen wrote:
> > > > > > No, I don't. and I wouldn't know how he got to this name...
> > > > >
> > > > > Well, then you have to, if you want to use
> > 'pool.default.serverset.type
> > > > > = srvrecord'.
> > > > >
> > > > > It just need to know where your global catalog is running, since it's
> > > > > needed for new provider.
> > > > >
> > > > > It searches for global catalog like 

Re: [ovirt-users] AAA

2015-01-29 Thread Alon Bar-Lev


- Original Message -
> From: "Koen Vanoppen" 
> To: "Alon Bar-Lev" , users@ovirt.org
> Sent: Thursday, January 29, 2015 2:19:32 PM
> Subject: Re: [ovirt-users] AAA
> 
> Big thanks for your help, but still the same:
> 
> #
> # Active directory domain name.
> #
> vars.domain = mydomain.com
> 
> #
> # Search user and its password.
> #
> vars.user = admin@${global:vars.domain}
> vars.password = *
> 
> #
> # Optional DNS servers, if enterprise
> # DNS server cannot resolve the domain srvrecord.
> #
> vars.dns = dns://srvdc03.${global:vars.domain}
> dns://srvdc04.${global:vars.domain}
> 
> pool.default.serverset.type = srvrecord
> pool.default.serverset.srvrecord.domain = ${global:vars.domain}
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
> 
> # Uncomment if using custom DNS
> pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url =
> ${global:vars.dns}
> pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
> 
> 
> 
>  [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot initialize
> LDAP framework, deferring initialization. Error: No DNS SRV records were
> found with record name '_gc._tcp.brussels.airport'.
> 
> And I can't put '_gc._tcp.mydomain.com in the dns... Isn't there another
> way it just resolves the dns servers I gave him?
> 

A Microsoft domain controller must have a GC service entry in DNS to work 
properly.
1. Are you sure you have Microsoft DNS installed on srvdc03.mydomain.com ?
2. Can you please execute:
$ dig @srvdc03.mydomain.com SRV _gc._tcp.mydomain.com
3. Can you please open the DNS manager within your domain and search for srv 
records? Maybe you have DNS installed only on few servers, using the DNS 
manager you can also see which.

> 
> 2015-01-29 13:02 GMT+01:00 Alon Bar-Lev :
> 
> >
> >
> > - Original Message -
> > > From: "Ondra Machacek" 
> > > To: "Koen Vanoppen" , users@ovirt.org
> > > Sent: Thursday, January 29, 2015 1:49:00 PM
> > > Subject: Re: [ovirt-users] AAA
> > >
> > >
> > > On 01/29/2015 12:30 PM, Koen Vanoppen wrote:
> > > > No, I don't. and I wouldn't know how he got to this name...
> > >
> > > Well, then you have to, if you want to use 'pool.default.serverset.type
> > > = srvrecord'.
> > >
> > > It just need to know where your global catalog is running, since it's
> > > needed for new provider.
> > >
> > > It searches for global catalog like this:
> > > dig @${vars.dns} -t SRV _gc._tcp.${vars.domain}
> > >
> > > So you need to have this SRV record in DNS, if you want to use srvrecord
> > > serverset type. Or you don't have to if you use single server type.
> >
> > Active Directory will not work without access to the global catalog.
> > please set one or more of the domain controllers as DNS servers, for
> > example:
> >
> > vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}
> >
> > please also uncomment/add these lines to make vars.dns effective.
> >
> > pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url
> > = ${global:vars.dns}
> > pool.default.socketfactory.resolver.uRL = ${global:vars.dns}
> >
> > Thanks!
> >
> > >
> > > >
> > > > Thanks for the reply!
> > > >
> > > > 2015-01-29 11:53 GMT+01:00 Ondra Machacek <omach...@redhat.com>:
> > > >
> > > > On 01/29/2015 11:41 AM, Koen Vanoppen wrote:
> > > >
> > > > Can somebody help me setting up AAA for ovirt 3.5.1?
> > > >
> > > > I'm getting this now:
> > > >
> > > > 2015-01-29 11:35:36,889 WARN
> > > > [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread 1-1)
> > > > [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot initialize LDAP
> > > > framework, deferring initialization. Error: An error occurred while attempting
> > > > to query DNS in order to retrieve SRV records with name '_gc._tcp.brussels.airport':
> > > > javax.naming.NameNotFoundException: DNS name not found [response code
> > &
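The lookup Ondra and Alon describe in this thread (the aaa-ldap extension locating the global catalog and domain controllers through `_gc._tcp.<domain>` and `_ldap._tcp.<domain>` SRV records, resolved via the servers in `vars.dns`) can be checked from the engine host before `pool.default.serverset.type = srvrecord` is enabled. The script below is an added example, not code from oVirt or the ovirt-engine-extension-aaa-ldap project: it parses the `dns://host` pseudo-URL list from `vars.dns`, issues the same two SRV queries with a minimal standard-library DNS client, and reports the answer per server. The hostnames `srvdc03`/`srvdc04.mydomain.com`, the domain `mydomain.com`, the transaction id 33340 and the two embedded replies are constructed from the thread's placeholders and dig output; port 3268 is the standard AD global catalog LDAP port.

```python
"""Added example (not oVirt code): repeat the _gc._tcp / _ldap._tcp SRV lookups that
ovirt-engine-extension-aaa-ldap performs (dig @${vars.dns} -t SRV _gc._tcp.${vars.domain})."""
import random
import socket
import struct

SRV = 33
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def parse_vars_dns(value):
    """Split the vars.dns value ('dns://dc1.example dns://dc2.example') into servers."""
    tokens = value.split()
    if not tokens or not all(t.startswith("dns://") for t in tokens):   # "Invalid DNS pseudo-URL(s)"
        raise ValueError("vars.dns entries must be dns://host pseudo-URLs: %r" % value)
    return [t[len("dns://"):].rstrip("/") for t in tokens]

def ad_srv_names(domain):
    """The two records an AD domain must publish for serverset.type = srvrecord."""
    d = domain.strip().rstrip(".")
    return ["_gc._tcp." + d, "_ldap._tcp." + d]

def build_srv_query(name, txid=None):
    """Encode a DNS query (RD set) for QTYPE=SRV, QCLASS=IN."""
    txid = random.randrange(0, 0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", SRV, 1)

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:               # compression pointer
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def parse_srv_response(msg):
    """Return (rcode name, [(priority, weight, port, target), ...]) in selection order."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                # qtype + qclass
    records = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = _read_name(msg, off + 6)
            records.append((prio, weight, port, target))
        off += rdlen
    records.sort(key=lambda r: (r[0], -r[1]))   # lowest priority, then heaviest weight
    return RCODES.get(flags & 0xF, str(flags & 0xF)), records

def query_srv(server, name, timeout=3.0):
    """Live UDP lookup of `name` at `server` ('host' or 'host:port')."""
    host, _, port = server.partition(":")
    q = build_srv_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (host, int(port or 53)))
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return parse_srv_response(data)

def check_ad_dns(vars_dns, domain, lookup=query_srv):
    """Each name passes if any listed server answers with SRV data; `lookup` is injectable."""
    result = {}
    for name in ad_srv_names(domain):
        answers = []
        for server in parse_vars_dns(vars_dns):
            try:
                rcode, records = lookup(server, name)
            except (OSError, ValueError) as exc:
                rcode, records = "ERROR(%s)" % exc, []
            answers.append((server, rcode, records))
        result[name] = {"ok": any(r for _, _, r in answers), "answers": answers}
    return result

# Constructed wire-format replies (not captured traffic); txid matches the dig output in the thread.
_Q = build_srv_query("_gc._tcp.mydomain.com", 33340)
NXDOMAIN_REPLY = struct.pack("!HHHHHH", 33340, 0x8583, 1, 0, 0, 0) + _Q[12:]        # QR AA RD RA, rcode 3
GC_REPLY = (struct.pack("!HHHHHH", 33340, 0x8580, 1, 1, 0, 0) + _Q[12:]             # rcode 0, one answer
            + b"\xc0\x0c" + struct.pack("!HHIH", SRV, 1, 600, 16)                   # name ptr -> question
            + struct.pack("!HHH", 0, 100, 3268) + b"\x07srvdc03" + b"\xc0\x15")     # GC port; ptr -> mydomain.com
```

Run it from the engine host with the real values, for example `python3 -c 'import ad_srv_check as c; print(c.check_ad_dns("dns://srvdc03.mydomain.com dns://srvdc04.mydomain.com", "mydomain.com"))'` (module name assumed). An `NXDOMAIN` for either name against every server is exactly the `DNS name not found [response code 3]` the engine logs above, and it means `vars.domain` is not the AD domain or the listed servers do not host AD-integrated DNS. Treat a positive answer as a trust decision as well: the extension binds with `vars.user`/`vars.password` to whatever target the SRV record names, so `vars.dns` should point at the domain controllers themselves, as Alon suggests, rather than at an arbitrary resolver.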

Re: [ovirt-users] AAA

2015-01-29 Thread Alon Bar-Lev


- Original Message -
> From: "Ondra Machacek" 
> To: "Koen Vanoppen" , users@ovirt.org
> Sent: Thursday, January 29, 2015 1:49:00 PM
> Subject: Re: [ovirt-users] AAA
> 
> 
> On 01/29/2015 12:30 PM, Koen Vanoppen wrote:
> > No, I don't. and I wouldn't know how he got to this name...
> 
> Well, then you have to, if you want to use 'pool.default.serverset.type
> = srvrecord'.
> 
> It just need to know where your global catalog is running, since it's
> needed for new provider.
> 
> It searches for global catalog like this:
> dig @${vars.dns} -t SRV _gc._tcp.${vars.domain}
> 
> So you need to have this SRV record in DNS, if you want to use srvrecord
> serverset type. Or you don't have to if you use single server type.

Active Directory will not work without access to the global catalog.
please set one or more of the domain controllers as DNS servers, for example:

vars.dns = dns://dc1.${global:vars.domain} dns://dc2.${global:vars.domain}

please also uncomment/add these lines to make vars.dns effective.

pool.default.serverset.srvrecord.jndi-properties.java.naming.provider.url = 
${global:vars.dns}
pool.default.socketfactory.resolver.uRL = ${global:vars.dns}

Thanks!

> 
> >
> > Thanks for the reply!
> >
> > 2015-01-29 11:53 GMT+01:00 Ondra Machacek <omach...@redhat.com>:
> >
> > On 01/29/2015 11:41 AM, Koen Vanoppen wrote:
> >
> > Can somebody help me setting up AAA for ovirt 3.5.1?
> >
> > I'm getting this now:
> >
> > 2015-01-29 11:35:36,889 WARN
> > [org.ovirt.engineextensions.aaa.ldap.AuthzExtension] (MSC service thread 1-1)
> > [ovirt-engine-extension-aaa-ldap.authz::BRU_AIR-authz] Cannot initialize LDAP
> > framework, deferring initialization. Error: An error occurred while attempting
> > to query DNS in order to retrieve SRV records with name '_gc._tcp.brussels.airport':
> > javax.naming.NameNotFoundException: DNS name not found [response code 3];
> > remaining name '_gc._tcp.brussels.airport'
> >
> >
> > Do you have this '_gc._tcp.brussels.airport' SRV record in DNS ?
> >
> >
> > my 3 configs:
> > _*BRU_AIR-authn.properties*_
> > ovirt.engine.extension.name = BRU_AIR-authn
> > ovirt.engine.extension.bindings.method = jbossmodule
> > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> > ovirt.engine.aaa.authn.profile.name = BRU-AIR
> > ovirt.engine.aaa.authn.authz.plugin = BRU_AIR-authz
> > config.profile.file.1 = /etc/ovirt-engine/aaa/BRU_AIR.properties
> >
> > _*BRU_AIR-authz.properties*_
> > ovirt.engine.extension.name = BRU_AIR-authz
> > ovirt.engine.extension.bindings.method = jbossmodule
> > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> > config.profile.file.1 = /etc/ovirt-engine/aaa/BRU_AIR.properties
> >
> > _*BRU_AIR.properties*_
> > include = 
> >
> > #
> > # Active directory domain name.
> > #
> > vars.domain = mydomain.com
> >
> > #
> > # Search user and its password.
> > #
> > vars.user = admin@${global:vars.domain}
> > vars.password = ***
> >
> > #
> > # Optional DNS servers, if enterprise
> > # DNS server cannot resolve the domain srvrecord.
> > #
> > vars.dns = dns://dc01.mydomain.com
> >
> > pool.default.serverset.type = srvrecord
> > pool.default.serverset.srvrecord.domain = ${global:vars.domain}
> > pool.default.auth.simple.bindDN = ${global:vars.user}
> > pool.default.auth.simple.password = ${global:vars.password}
> >
> > In the GUI for adding user I get this:
> >
> >
