[ovirt-users] LDAP auth and group members

2022-10-21 Thread Jiří Sléžka

Hi,

I have configured oVirt authentication against our MicroFocus/Novell 
eDirectory (edir) LDAP. It is working fine on a per-user basis. Now I am 
trying to set permissions per group, but it seems it does not work.


My CRO.properties

---
include = 

vars.server = ldap.
vars.port = 389
vars.user = cn=***
vars.password = ***

pool.default.serverset.single.server = ${global:vars.server}
pool.default.serverset.single.port = ${global:vars.port}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

pool.default.ssl.startTLS = true
pool.default.socketfactory.resolver.supportIPv6 = false

sequence-init.init.100-my-edir-init-vars = my-edir-init-vars
sequence.my-edir-init-vars.010.description = set baseDN
sequence.my-edir-init-vars.010.type = var-set
sequence.my-edir-init-vars.010.var-set.variable = simple_baseDN
sequence.my-edir-init-vars.010.var-set.value = o=su

search.default.search-request.derefPolicy = ALWAYS
---

I am able to search groups in the manager, but users with permissions per group 
are unable to log in, with "The user *** with profile [CRO] is not 
authorized to perform login".


When I try to debug it with

ovirt-engine-extensions-tool aaa login-user --profile=CRO 
--user-name=***


I can see common attributes (name, email, ...) in the PrincipalRecord but not 
any record mentioning group membership.


The group which holds this user has the posixGroup objectClass and member 
attributes which point to the DNs of the users.


There was also a similar post on this list in 2019 which unfortunately 
was not very specific about the solution:


https://lists.ovirt.org/archives/list/users@ovirt.org/thread/PBQXDJGOZ2ET347YDZFSQPFJGMNSALHD/

Could anyone suggest how to better debug this, or how to modify the group search 
filter in my profile to work with the member attribute?


Thanks in advance,

Jiri


___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/RPHPO4J42ZYX377KBSBC6QMKVJ26ZA66/


[ovirt-users] LDAP auth error "server_error: Cannot locate principal"

2021-07-21 Thread tbural
Trying to configure LDAP auth on the engine. After adding a user from LDAP I cannot 
log in, with this error: "server_error: Cannot locate principal".
Errors from engine.log
2021-06-30 17:24:23,830+05 ERROR 
[org.ovirt.engine.core.sso.servlets.InteractiveAuthServlet] (default task-5) 
[686f77b] Internal Server Error: Cannot locate principal 'Domain Reader'
2021-06-30 17:24:23,830+05 ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] 
(default task-5) [686f77b] Cannot locate principal 'Domain Reader'
2021-06-30 17:24:23,851+05 ERROR 
[org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-5) 
[686f77b] server_error: Cannot locate principal 'Domain Reader'
How can I fix this error?

ovirt 4.3.10
Config /etc/ovirt-engine/aaa/openldap_rfc.properties:
include = 

vars.server = LDAP.testdom.local
vars.user = CN=Domain Reader,OU=AD,OU=SERVICE,DC=testdom,DC=local
vars.password = password

pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = single
pool.default.serverset.single.server = ${global:vars.server}
pool.default.ssl.startTLS = true
pool.default.ssl.insecure = true

attrmap.map-principal-record.attr.PrincipalRecord_ID.map = uid
attrmap.map-principal-record.attr.PrincipalRecord_PRINCIPAL.map = cn

#LDAP value changes
sequence.openldap-init-vars.030.var-set.value = entryUUID, uid, cn, givenName, 
sn, Email
sequence.openldap-init-vars.040.var-set.value = 
(objectClass=posixAccount)(uid=*)
sequence.openldap-init-vars.050.var-set.value = entryUUID, uid
sequence.openldap-init-vars.060.var-set.value = (objectClass=posixGroup)
sequence.openldap-init-vars.070.var-set.value = memberUid

User attributes:
ovirt-engine-extensions-tool aaa search --extension-name=openldap_rfc-authz 
--entity=principal --entity-name=domreader
2021-07-21 17:14:33,805+05 INFO
2021-07-21 17:14:33,833+05 INFO    Initialization
2021-07-21 17:14:33,833+05 INFO
2021-07-21 17:14:33,878+05 INFO    Loading extension 'internal-authz'
2021-07-21 17:14:33,885+05 INFO    Extension 'internal-authz' loaded
--
2021-07-21 17:14:35,885+05 INFO
2021-07-21 17:14:35,886+05 INFO    == Execution ===
2021-07-21 17:14:35,886+05 INFO
2021-07-21 17:14:35,886+05 INFO    Iteration: 0
2021-07-21 17:14:35,891+05 INFO    --- Begin QueryFilterRecord ---
2021-07-21 17:14:35,892+05 INFO    AAA_AUTHZ_QUERY_FILTER_OPERATOR: 102
2021-07-21 17:14:35,892+05 INFO    AAA_AUTHZ_QUERY_ENTITY: AAA_AUTHZ_QUERY_ENTITY_PRINCIPAL[1695cd36-4656-474f-b7bc-4466e12634e4]
2021-07-21 17:14:35,893+05 INFO      --- Begin QueryFilterRecord ---
2021-07-21 17:14:35,893+05 INFO      AAA_AUTHZ_QUERY_FILTER_OPERATOR: 0
2021-07-21 17:14:35,894+05 INFO      AAA_AUTHZ_QUERY_FILTER_KEY: Extkey[name=AAA_AUTHZ_PRINCIPAL_NAME;type=class java.lang.String;uuid=AAA_AUTHZ_PRINCIPAL_NAME[a0df5bcc-6ead-40a2-8565-2f5cc8773bdd];]
2021-07-21 17:14:35,894+05 INFO      AAA_AUTHZ_PRINCIPAL_NAME: domreader
2021-07-21 17:14:35,894+05 INFO      --- End QueryFilterRecord ---
2021-07-21 17:14:35,895+05 INFO    --- End QueryFilterRecord ---
2021-07-21 17:14:35,895+05 INFO    API: -->Authz.InvokeCommands.QUERY_OPEN namespace='dc=testdom,dc=local'
2021-07-21 17:14:35,904+05 INFO    API: <--Authz.InvokeCommands.QUERY_OPEN
2021-07-21 17:14:35,904+05 INFO    API: -->Authz.InvokeCommands.QUERY_EXECUTE
2021-07-21 17:16:04,079+05 INFO    API: <--Authz.InvokeCommands.QUERY_EXECUTE count=1
2021-07-21 17:16:04,080+05 INFO    --- Begin PrincipalRecord ---
2021-07-21 17:16:04,081+05 INFO    AAA_AUTHZ_PRINCIPAL_PRINCIPAL: Domain Reader
2021-07-21 17:16:04,081+05 INFO    AAA_AUTHZ_PRINCIPAL_LAST_NAME: Reader
2021-07-21 17:16:04,081+05 INFO    AAA_LDAP_UNBOUNDID_DN: cn=Domain Reader,ou=AD,ou=SERVICE,dc=testdom,dc=local
2021-07-21 17:16:04,082+05 INFO    AAA_AUTHZ_PRINCIPAL_NAMESPACE: dc=testdom,dc=local
2021-07-21 17:16:04,082+05 INFO    AAA_AUTHZ_PRINCIPAL_ID: domreader
2021-07-21 17:16:04,082+05 INFO    AAA_AUTHZ_PRINCIPAL_DISPLAY_NAME: Domain Reader
2021-07-21 17:16:04,083+05 INFO    AAA_AUTHZ_PRINCIPAL_NAME: domreader
2021-07-21 17:16:04,083+05 INFO    AAA_AUTHZ_PRINCIPAL_FIRST_NAME: Domain
2021-07-21 17:16:04,083+05 INFO    --- End   PrincipalRecord ---
2021-07-21 17:16:04,084+05 INFO    API: -->Authz.InvokeCommands.QUERY_EXECUTE
2021-07-21 17:16:04,084+05 INFO    API: <--Authz.InvokeCommands.QUERY_EXECUTE count=END
2021-07-21 17:16:04,084+05 INFO    API: -->Authz.InvokeCommands.QUERY_CLOSE
2021-07-21 17:16:04,084+05 INFO    API: <--Authz.InvokeCommands.QUERY_CLOSE

Trying to auth using ovirt-engine-extensio

[ovirt-users] ldap auth problem after upgrade from 4.4.1 to 4.4.2

2020-10-01 Thread Jiří Sléžka
Hi,

I just upgraded my HE to 4.4.2, but now I cannot log in using my LDAP aaa
profile anymore.

We are using Novell/NetIQ eDirectory (load balanced by haproxy,
probably not important...)

In 4.4.1 I was hit by the removal of TLSv1 (which is the newest protocol
supported by our edir) from the default crypto policies, but I was able
to revert it by

update-crypto-policies --set LEGACY

After the upgrade to 4.4.2 the error is

server_error: An error occurred while attempting to connect to server
ldap1.slu.cz:389: IOException(LDAPException(resultCode=91 (connect
error), errorMessage='An error occurred while attempting to establish a
connection to server ldap1.slu.cz/193.84.206.212:389:
SocketException(Network is unreachable (connect failed)),
ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))

but our LDAP server is reachable from oVirt; I tested it via (the ldaps
and startTLS variants are also working)

ldapsearch -H ldap://ldap1.slu.cz -x -D cn=*,ou=**,o=su -w
'' -b 'o=su'

As a workaround I tried to set the plain ldap protocol in the profile

cat /etc/ovirt-engine/aaa/CRO.properties


include = 

vars.server = ldap1.slu.cz
vars.port = 389
vars.user = cn=*,ou=**,o=su
vars.password = **

pool.default.serverset.single.server = ${global:vars.server}
pool.default.serverset.single.port = ${global:vars.port}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

pool.default.ssl.startTLS = false
pool.default.ssl.enable = false
#pool.default.ssl.protocol = TLSv1
#pool.default.ssl.startTLSProtocol = TLSv1
#pool.default.ssl.insecure = true

sequence-init.init.100-my-edir-init-vars = my-edir-init-vars
sequence.my-edir-init-vars.010.description = set baseDN
sequence.my-edir-init-vars.010.type = var-set
sequence.my-edir-init-vars.010.var-set.variable = simple_baseDN
sequence.my-edir-init-vars.010.var-set.value = o=su

#search.default.search-request.derefPolicy = ALWAYS


but the error is the same...

ovirt-engine-extensions-tool aaa login-user --profile=CRO
--user-name=my_user


WARNING: [ovirt-engine-extension-aaa-ldap.authn::SU-LDAP-authentication]
TLS/SSL insecure mode
...
WARNING: [ovirt-engine-extension-aaa-ldap.authn::auth.CRO.slu.cz] Cannot
initialize LDAP framework, deferring initialization. Error: An error
occurred while attempting to connect to server ldap1.slu.cz:389:
IOException(LDAPException(resultCode=91 (connect error),
errorMessage='An error occurred while attempting to establish a
connection to server ldap1.slu.cz/193.84.206.212:389:
SocketException(Network is unreachable (connect failed)),
ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
...
INFO: API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS
profile='CRO' user='my_user'
Password:
...
WARNING: [ovirt-engine-extension-aaa-ldap.authn::auth.CRO.slu.cz] Cannot
initialize LDAP framework, deferring initialization. Error: An error
occurred while attempting to connect to server ldap1.slu.cz:389:
IOException(LDAPException(resultCode=91 (connect error),
errorMessage='An error occurred while attempting to establish a
connection to server ldap1.slu.cz/193.84.206.212:389:
SocketException(Network is unreachable (connect failed)),
ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
Oct 01, 2020 10:57:37 AM
org.ovirt.engine.exttool.core.ExtensionsToolExecutor main
SEVERE: An error occurred while attempting to connect to server
ldap1.slu.cz:389:  IOException(LDAPException(resultCode=91 (connect
error), errorMessage='An error occurred while attempting to establish a
connection to server ldap1.slu.cz/193.84.206.212:389:
SocketException(Network is unreachable (connect failed)),
ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))

Debugging with tcpdump reveals only that the connection is made and that there
are only "bindRequest" and "bindResponse success" messages visible (with a
correct TCP handshake and close) and nothing more.

Any help would be appreciated.

Cheers,

Jiri



List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/M4MFGXGJ33R5DFX66HHGENOROHGOTF2D/
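The error above is resultCode 91 with SocketException "Network is unreachable", which is the kernel refusing the connect() for the one address the engine's LDAP SDK picked; ldapsearch can pick a different address of the same name and succeed at the same time. The Python script below is an added example, not code from the post or from oVirt: it resolves a host name and tries a plain TCP connect to every address the resolver returns, so the two tools can be compared address by address. The same author's 2022 profile (first thread on this page) carries `pool.default.socketfactory.resolver.supportIPv6 = false`; that an IPv6 answer without a route is what bit here is an assumption, not something the thread confirms. The host name in the `__main__` block is a placeholder.

```python
"""Resolve a host name and try a TCP connect to every address it yields.

Added example; not code from the post above or from oVirt. It shows per address
whether connect() succeeds, and which address family (if any) has no working
address at all. Assumption: an IPv6 answer with no route is the failure mode
being chased; the script reports whatever it actually finds.
"""
import errno
import socket
import sys

FAMILY_NAME = {socket.AF_INET: "IPv4", socket.AF_INET6: "IPv6"}


def resolve(host, port):
    """(family, ip) pairs from the system resolver, de-duplicated, in resolver order.
    The order matters: a client that stops at the first answer uses it."""
    seen, out = set(), []
    for family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM):
        key = (family, sockaddr[0])
        if key not in seen:
            seen.add(key)
            out.append(key)
    return out


def try_connect(family, ip, port, timeout=3.0):
    """Plain TCP connect; returns (ok, errno name or None). ENETUNREACH is the
    kernel's 'Network is unreachable', i.e. no route for that address family."""
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((ip, port))
        return True, None
    except OSError as exc:
        return False, errno.errorcode.get(exc.errno, type(exc).__name__)
    finally:
        sock.close()


def probe(host, port=389, timeout=3.0):
    """One result dict per resolved address, in resolver order."""
    results = []
    for family, ip in resolve(host, port):
        ok, err = try_connect(family, ip, port, timeout)
        results.append({"family": FAMILY_NAME.get(family, str(family)),
                        "ip": ip, "ok": ok, "error": err})
    return results


def unreachable_families(results):
    """Address families for which no address connected. An IPv6-only entry here
    is the case that disabling IPv6 resolution in the profile works around."""
    by_family = {}
    for r in results:
        by_family.setdefault(r["family"], []).append(r["ok"])
    return sorted(f for f, oks in by_family.items() if not any(oks))


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.com"  # placeholder
    res = probe(host)
    for r in res:
        print("%-4s %-40s %s" % (r["family"], r["ip"], "ok" if r["ok"] else r["error"]))
    print("families with no working address:", unreachable_families(res) or "none")
```

Run it on the engine host itself, not from a workstation: the route table that matters is the one the JVM sees. If every IPv6 address reports ENETUNREACH while IPv4 connects, the profile-level `supportIPv6 = false` switch is the matching workaround; if IPv4 fails too, the problem is not address selection.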


[ovirt-users] LDAP/AD issue

2020-08-26 Thread kim . kargaard
Hi all,

We have had our oVirt instance connected to our internal AD for users to log 
into the VM portal for the last year, linked to studentdomene.noroff.no. This 
has been working without any problems. We had it set up and the DNS server had 
a forward record to the DCs. All good. 

Then, of course, the institution decided to introduce student emails; they 
decided to add the domain stud.noroff.no for student emails and made this the 
primary domain in the AD. The problem is that when this is changed, students 
can no longer log into the engine. I have of course changed the LDAP settings 
and added a forward record on the DNS to the new domain. However, it seems that 
the domain is studentdomene.noroff.no, but with an added UPN suffix of 
stud.noroff.no.

When students try to log in, with the config changes, they get this error in 
the browser:

server_error: An error occurred while attempting to query DNS in order to 
retrieve SRV records with name '_ldap._tcp.stud.noroff.no': 
NameNotFoundException(DNS name not found [response code 3]), 
ldapSDKVersion=4.0.7, revision=b28fb50058dfe2864171df2448ad2ad2b4c2ad58 

Any ideas on how to solve this issue? 

My config looks like this:

sudo cat /etc/ovirt-engine/aaa/Students.properties 
[sudo] password for noroffadmin: 
include = 

vars.domain = studentdomene.noroff.no
vars.user = CN=ovirt auth,CN=Users,DC=stud,DC=noroff,DC=no
vars.password = PASSWORD

pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}

My forward zones on the DNS server look like this:
sudo cat /etc/named/named.conf.local
[sudo] password for noroffadmin: 
zone "platform.noroff.no"{
type master;
file "/etc/named/zones/db.platform.noroff.no";  # zone file path
};
zone "stud.noroff.no" {
type forward;
forward only;
forwarders { 172.24.111.20; 172.27.111.20; 172.21.111.20; 
172.16.111.20; };
};
zone "studentdomene.noroff.no" {
type forward;
forward only;
forwarders { 172.24.111.20; 172.27.111.20; 172.21.111.20; 
172.16.111.20; };
};
zone "122.16.172.in-addr.arpa" {
type master;
file "/etc/named/zones/db.122.16.172";  # 172.16.122.0/24 subnet
};

Any pointers would be greatly appreciated :)

Kim
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/4NUUMBLEUD2MYZVAMGY2AJVBS235CEQK/


[ovirt-users] LDAP setup fails on 4.4 reading PEM file

2020-06-11 Thread Stack Korora
Greetings,
I'm having some issues getting LDAP working on CentOS 8 with oVirt 4.4.
I would appreciate some help please.

When I run ovirt-engine-extension-aaa-ldap-setup I choose "11 - RFC-2307
Schema (Generic)" because that's what my LDAP guy said I should do. :-)

Next I select the default Yes for "Use DNS".

I select 4 for "Failover between multiple hosts".

I put in my two hosts "svr1.my.domain srv2.my.domain".

To select the protocol I type "ldaps".

To select the method to obtain the PEM I type "File".

Then the "File path". A full path to the file. Not quoted. Yes, I
checked that I typed it correctly. I can copy-paste into "ls" and it's
fine, with the correct read permissions and everything. (I can't copy-paste
into the script, but that's another issue.)

It immediately fails with:
[ ERROR ] Failed to execute stage 'Environment customization': a
bytes-like object is required, not 'str'

There is a log file, here is the snippet at the point it goes wrong.

2020-06-11 11:35:49,915-0500 DEBUG otopi.plugins.otopi.dialog.human
dialog.__logString:204 DIALOG:SEND File path:
2020-06-11 11:36:24,373-0500 DEBUG otopi.plugins.otopi.dialog.human
dialog.__logString:204 DIALOG:RECEIVE
/etc/pki/ca-trust/source/anchors/Infrastructure.pem
2020-06-11 11:36:24,375-0500 DEBUG otopi.context
context._executeMethod:145 method exception
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/otopi/context.py", line 132, in
_executeMethod
method['method']()
  File
"/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py",
line 781, in _customization_late
cacert, cacertfile, insecure = self._getCACert()
  File
"/usr/share/ovirt-engine-extension-aaa-ldap/setup/bin/../plugins/ovirt-engine-extension-aaa-ldap/ldap/common.py",
line 357, in _getCACert
_cacertfile.write('\n'.join(cacert) + '\n')
  File "/usr/lib64/python3.6/tempfile.py", line 485, in func_wrapper
return func(*args, **kwargs)
TypeError: a bytes-like object is required, not 'str'
2020-06-11 11:36:24,376-0500 ERROR otopi.context
context._executeMethod:154 Failed to execute stage 'Environment
customization': a bytes-like object is required, not 'str'
2020-06-11 11:36:24,376-0500 DEBUG otopi.context
context.dumpEnvironment:765 ENVIRONMENT DUMP - BEGIN
2020-06-11 11:36:24,376-0500 DEBUG otopi.context
context.dumpEnvironment:775 ENV BASE/error=bool:'True'
2020-06-11 11:36:24,376-0500 DEBUG otopi.context
context.dumpEnvironment:775 ENV BASE/exceptionInfo=list:'[(, TypeError("a bytes-like object is required, not 'str'",),
)]'
2020-06-11 11:36:24,377-0500 DEBUG otopi.context
context.dumpEnvironment:775 ENV OVAAALDAP_LDAP/hosts=str:'svr1.my.domain
srv2.my.domain'
2020-06-11 11:36:24,377-0500 DEBUG otopi.context
context.dumpEnvironment:775 ENV OVAAALDAP_LDAP/protocol=str:'ldaps'
2020-06-11 11:36:24,377-0500 DEBUG otopi.context
context.dumpEnvironment:775 ENV OVAAALDAP_LDAP/serverset=str:'failover'
2020-06-11 11:36:24,377-0500 DEBUG otopi.context
context.dumpEnvironment:775 ENV OVAAALDAP_LDAP/useDNS=bool:'True'
2020-06-11 11:36:24,378-0500 DEBUG otopi.context
context.dumpEnvironment:775 ENV
QUESTION/1/OVAAALDAP_LDAP_CACERT_FILE=str:'/etc/pki/ca-trust/source/anchors/Infrastructure.pem'
2020-06-11 11:36:24,378-0500 DEBUG otopi.context
context.dumpEnvironment:775 ENV
QUESTION/1/OVAAALDAP_LDAP_CACERT_METHOD=str:'file'
2020-06-11 11:36:24,378-0500 DEBUG otopi.context
context.dumpEnvironment:775 ENV
QUESTION/1/OVAAALDAP_LDAP_PROTOCOL=str:'ldaps'
2020-06-11 11:36:24,378-0500 DEBUG otopi.context
context.dumpEnvironment:775 ENV QUESTION/1/OVAAALDAP_LDAP_SERVERSET=str:'4'
2020-06-11 11:36:24,378-0500 DEBUG otopi.context
context.dumpEnvironment:775 ENV QUESTION/1/OVAAALDAP_LDAP_USE_DNS=str:'yes'
2020-06-11 11:36:24,378-0500 DEBUG otopi.context
context.dumpEnvironment:775 ENV
QUESTION/2/OVAAALDAP_LDAP_SERVERSET=str:'svr1.my.domain srv2.my.domain'
2020-06-11 11:36:24,378-0500 DEBUG otopi.context
context.dumpEnvironment:779 ENVIRONMENT DUMP - END


Can someone help please?
Thanks!
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/MHBAPSJOFLAWFMBT4HPJAZUYB3ODL7BX/
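The traceback above ends in `tempfile.py` with a `str` being written, which is the Python 3 text/binary split: `NamedTemporaryFile()` opens in `'w+b'` unless told otherwise, so the `'\n'.join(cacert) + '\n'` string the setup plugin writes is rejected. The Python below is an added example, not the oVirt setup plugin's code: it reproduces the failing call shape next to a corrected one, using a constructed placeholder instead of a real certificate.

```python
"""Reproduce and fix "a bytes-like object is required, not 'str'" on a temp file.

Added example; not ovirt-engine-extension-aaa-ldap-setup's own code. The
setup log shows a str written to a NamedTemporaryFile; the default mode of
that file is binary, which Python 2 tolerated and Python 3 rejects.
"""
import tempfile

# Constructed stand-in for the lines read from the CA file; not a certificate.
CACERT_LINES = [
    "-----BEGIN CERTIFICATE-----",
    "MIIB...placeholder...",
    "-----END CERTIFICATE-----",
]


def write_cacert_broken(cacert):
    """Same shape as the failing call: text written to a binary-mode temp file."""
    with tempfile.NamedTemporaryFile(delete=False) as f:   # mode defaults to 'w+b'
        f.write("\n".join(cacert) + "\n")                  # TypeError on Python 3
        return f.name


def write_cacert_fixed(cacert):
    """Open the temp file in text mode so str writes are valid; return its path.
    Encoding the joined string with .encode() before writing is the other fix."""
    with tempfile.NamedTemporaryFile(mode="w", suffix=".pem", delete=False) as f:
        f.write("\n".join(cacert) + "\n")
        return f.name


def read_back(path):
    """Lines of the written file, for checking the round trip."""
    with open(path) as f:
        return f.read().splitlines()
```

The same mismatch shows up anywhere a Python 2 code path was ported without revisiting open modes; grep for `NamedTemporaryFile(` and `mkstemp` when a port throws this TypeError.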


[ovirt-users] LDAP

2020-03-20 Thread Nicholas Emmerling
Would you please provide any documentation you have regarding configuring oVirt 
to work with LDAP. Preferably the guest VMs as well as the Hosts/Nodes 
themselves. Thank you.

nicholas.emmerl...@me.com


Sent from my iPhone
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/CV7IAUQHUC2YIAHITQKDN5YIYSR533AE/


[ovirt-users] LDAP Users constantly can't login on Ovirt Portal

2019-10-25 Thread rubennunes12
Hello,

So we have LDAP authentication configured on oVirt with the aaa extension, but the 
LDAP users are constantly unable to log in. When I restart ovirt-engine they can 
log in again, but after some time they can't again. Below I will leave some 
logs:

2019-10-25 13:38:20,287+01 ERROR [org.ovirt.engine.core.sso.utils.SsoUtils] 
(default task-1) [] Session expired.
2019-10-25 13:39:01,503+01 INFO  
[org.ovirt.engine.extension.aaa.jdbc.core.Tasks] (default task-4) [] (house 
keeping) deleting failed logins prior to 2019-10-18 12:39:01Z.
2019-10-25 13:39:06,659+01 ERROR 
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default 
task-3) [] EVENT_ID: USER_VDC_LOGIN_FAILED(114), User username@ldapprofile 
connecting from '' failed to log in : 'Unable to log in. Verify your login 
information or contact the system administrator.'.

If you need anything else let me know!

Thank you!
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/WAS2GMLJOVBC4DSB7DIHAKJIXZB2TCOX/


[ovirt-users] LDAP Group issue with rfc2307bis

2019-07-17 Thread Timmi

Hi oVirt List,

I'm currently working on my new oVirt setup and want to integrate it 
into our LDAP server.
Accounts are working fine but I have problems to get the groups working 
correctly.


The LDAP server is based on ClearOS, which is using the rfc2307bis setup. 
This means I don't have memberOf inside my users. The user DN is listed as 
member inside the group.


I managed to get oVirt to read the groups by overriding:
search.rfc2307-resolve-groups-memberUid.search-request.filter = 
&(objectClass=posixGroup)(memberUid=${seq:_rfc2307_uid_encoded})

with
search.rfc2307-resolve-groups-memberUid.search-request.filter = 
&(objectClass=posixGroup)(member=${seq:_rfc2307_dn})


This is working absolutely fine for my admin group in the "Administrator 
Portal". I can assign the group to the system permission "SuperUser" and 
everything is working great.


My problem is with the "VM Portal". I have assigned "PowerUser" rights to 
a quota; it is possible to log in, but I receive the following error in 
the engine.log.


2019-07-18 07:38:12,317+02 ERROR 
[org.ovirt.engine.core.bll.GetPermissionsForObjectQuery] (default 
task-5) [a6828f8b-8ded-422f-a216-5e5406d7bf20] Query execution failed 
due to insufficient permissions.
2019-07-18 07:38:12,319+02 ERROR 
[org.ovirt.engine.api.restapi.resource.AbstractBackendResource] (default 
task-5) [] Operation Failed: query execution failed due to insufficient 
permissions.


I'm able to see the group permission in the user details, so I guess 
that something is already working. But I guess the error is preventing 
me from having the "create VM" button on the "VM Portal".


Would be great if someone could help me out.

I'm running the latest 4.3.4 version.

Best regards
Christoph
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/KML5XQ6QI6JKWQMY3WPQAMJCKSSW2OFS/


[ovirt-users] LDAP - not able to find members of groups

2019-05-08 Thread Timmi

Hi oVirt List,

I managed to connect oVirt to my LDAP and I'm able to search for users 
and groups.


I'm using OpenLDAP within a ClearOS installation and it looks like this 
is a bit different from the standard OpenLDAP.


Inside the LDAP groups there is an attribute which is called "member".

Example:
member    cn=Timmi,ou=Users,ou=Accounts,dc=domain,dc=com

Is someone able to help me make sure that oVirt can join the users to 
the groups?


Best regards
Timmi
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/PBQXDJGOZ2ET347YDZFSQPFJGMNSALHD/
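Three threads on this page (the 2022 eDirectory post, the 2019-07 rfc2307bis post and this one) hit the same shape: groups that carry the user's DN in `member`, looked up by a profile whose group filter tests `memberUid=<uid>`. The Python below is an added example, not code from the posts or from ovirt-engine-extension-aaa-ldap: a small RFC 4515 filter evaluator run over a constructed in-memory directory, so the stock `memberUid` filter and the `member=${seq:_rfc2307_dn}` override from the 2019-07 post can be compared without a server. The user DN is the one quoted in the post above; the group entries are constructed. Only equality, substring and presence items are handled, and values are compared case-insensitively, which approximates the server-side matching rules rather than implementing them.

```python
"""Evaluate RFC 4515 search filters against in-memory LDAP entries.

Added example; not from the posts above or from ovirt-engine-extension-aaa-ldap.
It models the two group lookups discussed in the threads: the stock rfc2307
filter on memberUid=<uid> and the override on member=<user DN>.
"""
import re

USER_DN = "cn=Timmi,ou=Users,ou=Accounts,dc=domain,dc=com"

# Constructed sample directory. 'ops' stores the member's DN in `member` (the
# ClearOS / eDirectory shape from the posts); 'legacy' stores a uid in memberUid.
ENTRIES = {
    USER_DN: {"objectClass": ["inetOrgPerson", "posixAccount"],
              "uid": ["timmi"], "cn": ["Timmi"]},
    "cn=ops,ou=Groups,dc=domain,dc=com": {
        "objectClass": ["posixGroup"], "cn": ["ops"], "member": [USER_DN]},
    "cn=legacy,ou=Groups,dc=domain,dc=com": {
        "objectClass": ["posixGroup"], "cn": ["legacy"], "memberUid": ["timmi"]},
}

_ESCAPE = re.compile(r"\\([0-9a-fA-F]{2})")


def unescape(value):
    """Decode RFC 4515 \\XX escapes (ASCII range), e.g. \\2a for '*', \\29 for ')'."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def escape(value):
    """Encode a value for embedding in a filter, as ${seq:_rfc2307_uid_encoded} does."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def parse_filter(text):
    """Tree of ('&'|'|'|'!', [children]), ('present', attr) or ('=', attr, parts);
    parts is the value split on unescaped '*' (one part means an exact match)."""
    text = text.strip()
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError(f"trailing data after filter: {text[end:]!r}")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"unterminated {op!r} filter")
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one filter")
        return (op, children), i + 1
    end = s.find(")", i)
    if end < 0:
        raise ValueError(f"unterminated item at offset {i}")
    attr, sep, value = s[i:end].partition("=")   # first '=' only: DN values contain '='
    if not sep or not attr or attr[-1] in "~<>":
        raise ValueError(f"unsupported item {s[i:end]!r} (only =, substring, presence)")
    if value == "*":
        return ("present", attr), end + 1
    return ("=", attr, [unescape(p) for p in value.split("*")]), end + 1


def _match(parts, actual):
    """Exact or substring match, case-insensitive (approximates caseIgnoreMatch;
    a real server applies the attribute's own rule, e.g. distinguishedNameMatch)."""
    a = actual.lower()
    if len(parts) == 1:
        return a == parts[0].lower()
    first, *middle, last = (p.lower() for p in parts)
    if len(a) < len(first) + len(last) or not (a.startswith(first) and a.endswith(last)):
        return False
    pos, limit = len(first), len(a) - len(last)
    for piece in middle:
        idx = a.find(piece, pos, limit)
        if idx < 0:
            return False
        pos = idx + len(piece)
    return True


def evaluate(node, entry):
    kind = node[0]
    if kind == "&":
        return all(evaluate(c, entry) for c in node[1])
    if kind == "|":
        return any(evaluate(c, entry) for c in node[1])
    if kind == "!":
        return not evaluate(node[1][0], entry)
    attr = node[1].lower()
    values = next((v for k, v in entry.items() if k.lower() == attr), [])
    return bool(values) if kind == "present" else any(_match(node[2], v) for v in values)


def search(entries, filter_text):
    """Sorted DNs of the entries matching filter_text."""
    node = parse_filter(filter_text)
    return sorted(dn for dn, attrs in entries.items() if evaluate(node, attrs))


def resolve_groups(entries, user_dn, member_attr):
    """The group lookup as the profile performs it: memberUid is fed the user's
    uid, any DN-valued attribute (member, uniqueMember) is fed the user's DN."""
    value = entries[user_dn]["uid"][0] if member_attr == "memberUid" else user_dn
    return search(entries, f"(&(objectClass=posixGroup)({member_attr}={escape(value)}))")
```

With these entries `resolve_groups(ENTRIES, USER_DN, "memberUid")` finds only the `legacy` group and `resolve_groups(ENTRIES, USER_DN, "member")` finds only `ops`, which is the silent-empty-membership symptom the posts describe. A directory that mixes both shapes can be served by one filter, `(&(objectClass=posixGroup)(|(member=<dn>)(memberUid=<uid>)))`, which the evaluator also accepts; whether that override belongs in the profile's `rfc2307-resolve-groups-memberUid` search is a per-deployment decision the threads do not settle.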


[ovirt-users] LDAP Bind failing because of SSLHandshakeException after Virtualization Manager was rebooted

2018-11-13 Thread wbhegedus
After moving and rebooting our Red Hat Virtualization Manager box to another 
node in our cluster, we are unable to make LDAP login work using StartTLS. No 
networking or configuration changes were made, but the logs indicate that the 
TLS negotiation is failing with our Active Directory domain controllers now. 
Specifically: 

"2018-11-13 10:33:12,500-05 WARN  
[org.ovirt.engineextensions.aaa.ldap.Framework] (ServerService Thread Pool -- 
49) [] Exception: The connection reader was unable to successfully complete TLS 
negotiation:  SSLHandshakeException(sun.security.validator.ValidatorException: 
No trusted certificate found), ldapSDKVersion=4.0.5, 
revision=b28fb50058dfe2864171df2448ad2ad2b4c2ad58"

I have tried everything I can think of. I removed and reimported the 
certificate for the domain controller in the Java Keystore. I deleted the 
profile entirely and recreated it. I tried using the full certificate chain and 
I tried using single certificates from the chain, and all combinations together.

For now, we have it working by specifying "pool.default.ssl.insecure = true" in 
the .properties file, but I'd prefer to have this working again using StartTLS. 
Is there something I am missing? I want to make sure that I'm not overlooking 
something before submitting any sort of bug report.

Any help is appreciated. Thanks!

PS - this is what the properties file looks like:
[root@rhvm ~]# cat /etc/ovirt-engine/aaa/liberty.edu.properties 
include = 

vars.domain = liberty.edu
vars.user = cn=PREADER,ou=Service 
Accounts,ou=IS,OU=FSA,dc=University,dc=liberty,dc=edu
vars.password = 

pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = ${local:_basedir}/liberty.edu.jks
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/MZ3I6BOJFKNP3UPIF6WGGTBXJLTAMTPM/
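"No trusted certificate found" is raised inside the TLS handshake that follows the StartTLS extended operation, so the question is whether the chain the domain controller presents anchors in the truststore the engine is given. The Python below is an added example, not code from the post or from oVirt or the UnboundID SDK the engine uses: it performs the same three steps by hand (plain LDAP connect, ExtendedRequest for OID 1.3.6.1.4.1.1466.20037, TLS handshake verified against a CA file) so the failure can be reproduced from the engine host with a candidate CA bundle before the JKS is rebuilt. Host name, port and CA path in the `__main__` block are placeholders, not values from the post.

```python
"""Issue an LDAP StartTLS request by hand and verify the server chain against a CA file.

Added example; not from the post above, oVirt or the UnboundID SDK. It mirrors
pool.default.ssl.startTLS = true: plain connect, StartTLS ExtendedRequest
(RFC 4511 section 4.14), then a TLS handshake checked against a trust store.
"""
import socket
import ssl
import sys

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    if not 0 <= message_id < 0x80:
        raise ValueError("keep message_id in one byte for this example")
    extended = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))      # 0x60|23, context [0]
    return ber_tlv(0x30, ber_tlv(0x02, bytes([message_id])) + extended)


def read_tlv(buf, pos=0):
    """(tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        count = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(msg):
    """(resultCode, diagnosticMessage) from an ExtendedResponse [APPLICATION 24]."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError(f"not an LDAPMessage (tag 0x{tag:02x})")
    _, _msg_id, pos = read_tlv(body)
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag != 0x78:                                          # 0x60|24
        raise ValueError(f"expected ExtendedResponse, got tag 0x{op_tag:02x}")
    _, code, pos = read_tlv(op)             # resultCode ENUMERATED
    _, _matched, pos = read_tlv(op, pos)    # matchedDN
    _, diag, _ = read_tlv(op, pos)          # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        data += chunk
    return data


def recv_message(sock):
    """Read one complete BER-framed LDAPMessage from the socket."""
    head = _recv_exact(sock, 2)
    if head[1] & 0x80:
        more = _recv_exact(sock, head[1] & 0x7F)
        head, length = head + more, int.from_bytes(more, "big")
    else:
        length = head[1]
    return head + _recv_exact(sock, length)


def starttls_probe(host, port=389, cafile=None, timeout=5.0):
    """Connect, negotiate StartTLS, verify the chain against cafile (system store
    if None). Returns (peer subject, TLS version). A chain that does not anchor in
    cafile raises ssl.SSLCertVerificationError, the condition the engine logs as
    'No trusted certificate found'."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(starttls_request())
        code, diag = parse_extended_response(recv_message(raw))
        if code != 0:
            raise RuntimeError(f"StartTLS refused: resultCode={code} {diag!r}")
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()["subject"], tls.version()


if __name__ == "__main__":
    # Placeholders: python3 starttls_probe.py dc1.example.com /path/to/ca-chain.pem
    host, ca = sys.argv[1], (sys.argv[2] if len(sys.argv) > 2 else None)
    print(starttls_probe(host, cafile=ca))
```

Two caveats. First, the engine reads a JKS, so once a PEM bundle passes this probe it still has to be imported (`keytool -importcert -trustcacerts -alias <name> -file ca.pem -keystore liberty.edu.jks`) into the file named by `pool.default.ssl.truststore.file`; an alias imported twice or a leaf imported instead of the issuing CA is the usual reason a rebuilt JKS still fails. Second, Python verifies with the system OpenSSL, while the engine negotiates with the JVM's crypto policy (the 4.4.x TLSv1 thread above shows those can differ), so a passing probe proves trust, not that the JVM will agree on a protocol.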


[ovirt-users] LDAP-Error

2018-09-26 Thread Budur Nagaraju
Hi

I have configured LDAP authentication in oVirt 4.2, but I am unable to log in.
Below are the error log and configuration. I am able to search the users
in the UI, but at the same time unable to search the group.

Can someone help on the same?


Error :

https://pastebin.com/76cZdV7d

Configuration:

https://pastebin.com/nRmibZh7

Thanks,
Nagaraju
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/XYNGCLUPDFRI4QSGBBFSYXS4RIVSZZJU/


[ovirt-users] Ldap-configure

2018-09-26 Thread Budur Nagaraju
Hi

Can you please let us know how to configure LDAP authentication in oVirt
4.2 ?

Thanks,
Nagaraju
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/DNHC4DIEM6OSYWR7XG4SXMHL7I6UUIE7/


[ovirt-users] LDAP authentication does not work after engine upgrade to ovirt 4.6

2018-09-11 Thread Michael Watters
I've just upgraded our ovirt engine server to ovirt 4.6 and it appears
that LDAP logins no longer work.  When I attempt to log in using an AD
account the following errors are shown in the engine log.

2018-09-11 10:03:44,610-04 ERROR
[org.ovirt.engine.core.sso.servlets.InteractiveAuthServlet] (default
task-10) [] Internal Server Error: Cannot locate principal
'usern...@example.com'
2018-09-11 10:03:44,610-04 ERROR
[org.ovirt.engine.core.sso.utils.SsoUtils] (default task-10) [] Cannot
locate principal 'usern...@example.com'
2018-09-11 10:03:44,645-04 ERROR
[org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default
task-10) [] server_error: Cannot locate principal 'usern...@example.com'

I have not changed any LDAP settings and ldapsearch is able to find this
object without any issues.  Does anybody have any idea what would cause
this?


List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/JRRXINSYZXLGD4YCQL5NKEIRGMOCV4AV/


[ovirt-users] LDAP login extension

2018-07-01 Thread Mariusz Kozakowski
Hello,

We managed to setup oVirt Engine with your help, now we're facing other issue.

I'm trying to configure AD auth for the web portal, but unfortunately I got an error 
during ovirt-engine-extension-aaa-ldap-setup:


  2018-06-27 09:06:21,926+02 INFO
  2018-06-27 09:06:21,926+02 INFO    == Execution ===
  2018-06-27 09:06:21,926+02 INFO
  2018-06-27 09:06:21,927+02 INFO    Iteration: 0
  2018-06-27 09:06:21,928+02 INFO    Profile='ad' authn='ad-authn' authz='ad-authz' mapping='null'
  2018-06-27 09:06:21,928+02 INFO    API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='ad' user='username'
  2018-06-27 09:06:21,945+02 INFO    API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='ad' result=SUCCESS
  2018-06-27 09:06:21,948+02 INFO    --- Begin AuthRecord ---
  2018-06-27 09:06:21,949+02 INFO    AAA_AUTHN_AUTH_RECORD_PRINCIPAL: username
  2018-06-27 09:06:21,949+02 INFO    --- End   AuthRecord ---
  2018-06-27 09:06:21,950+02 INFO    API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='username'
  2018-06-27 09:06:21,952+02 WARNING Ignoring records from pool: 'gc'
  2018-06-27 09:06:21,953+02 SEVERE  Cannot resolve principal 'username'

Do you have any idea what the issue is and what we're missing? It looks like the 
credentials are correct (passing a wrong username fails earlier), so the issue 
is somewhere after authentication.


--

Best regards/Pozdrawiam/MfG

Mariusz Kozakowski

Site Reliability Engineer

Dansk Supermarked Group
Baltic Business Park
ul. 1 Maja 38-39
71-627 Szczecin
dansksupermarked.com
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/6BZXOA6ZXMSN5EPC67LNBUSANJLUBHA7/


[ovirt-users] LDAP logins do not work

2018-06-13 Thread Michael Watters
I've run the ovirt-engine-extension-aaa-ldap-setup command to configure
LDAP authentication using Active Directory; however, I am unable to
authenticate using valid credentials.  Here is the output shown while
testing the login flow.

[ INFO  ] Executing login sequence...
  Login output:
  2018-06-13 11:27:17,931-04 INFO   

  2018-06-13 11:27:17,960-04 INFO   
 Initialization 
  2018-06-13 11:27:17,960-04 INFO   

  2018-06-13 11:27:17,999-04 INFO    Loading extension
'example.com-authn'
  2018-06-13 11:27:18,072-04 INFO    Extension
'example.com-authn' loaded
  2018-06-13 11:27:18,077-04 INFO    Loading extension
'example.com-authz'
  2018-06-13 11:27:18,089-04 INFO    Extension
'example.com-authz' loaded
  2018-06-13 11:27:18,090-04 INFO    Initializing extension
'example.com-authn'
  2018-06-13 11:27:18,091-04 INFO   
[ovirt-engine-extension-aaa-ldap.authn::example.com-authn] Creating LDAP
pool 'authz'
  2018-06-13 11:27:19,574-04 WARNING Exception: 80090308:
LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e,
v3839
  2018-06-13 11:27:19,576-04 INFO   
[ovirt-engine-extension-aaa-ldap.authn::example.com-authn] Creating LDAP
pool 'authn'
  2018-06-13 11:27:20,668-04 INFO   
[ovirt-engine-extension-aaa-ldap.authn::example.com-authn] LDAP pool
'authn' information: vendor='null' version='null'
  2018-06-13 11:27:20,674-04 WARNING Ignoring records from pool:
'authz'
  2018-06-13 11:27:20,676-04 WARNING Ignoring records from pool:
'authz'
  2018-06-13 11:27:20,676-04 INFO    Extension
'example.com-authn' initialized
  2018-06-13 11:27:20,677-04 INFO    Initializing extension
'example.com-authz'
  2018-06-13 11:27:20,679-04 INFO   
[ovirt-engine-extension-aaa-ldap.authz::example.com-authz] Creating LDAP
pool 'authz'
  2018-06-13 11:27:21,270-04 WARNING Exception: 80090308:
LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e,
v3839
  2018-06-13 11:27:21,273-04 INFO   
[ovirt-engine-extension-aaa-ldap.authz::example.com-authz] Creating LDAP
pool 'gc'
  2018-06-13 11:27:22,065-04 WARNING Exception: 80090308:
LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e,
v1db1
  2018-06-13 11:27:22,069-04 WARNING Ignoring records from pool:
'authz'
  2018-06-13 11:27:22,072-04 WARNING Ignoring records from pool:
'authz'
  2018-06-13 11:27:22,085-04 WARNING Ignoring records from pool:
'authz'
  2018-06-13 11:27:22,086-04 INFO   
[ovirt-engine-extension-aaa-ldap.authz::example.com-authz] Available
Namespaces: []
  2018-06-13 11:27:22,087-04 INFO    Extension
'example.com-authz' initialized
  2018-06-13 11:27:22,088-04 INFO    Start of enabled extensions
list
  2018-06-13 11:27:22,089-04 INFO    Instance name:
'example.com-authz', Extension name:
'ovirt-engine-extension-aaa-ldap.authz', Version: '1.3.7', Notes:
'Display name: ovirt-engine-extension-aaa-ldap-1.3.7-1.el7.centos',
License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt
Project', Build interface Version: '0',  File:
'/tmp/tmpPQluAI/extensions.d/example.com-authz.properties', Initialized:
'true'
  2018-06-13 11:27:22,089-04 INFO    Instance name:
'example.com-authn', Extension name:
'ovirt-engine-extension-aaa-ldap.authn', Version: '1.3.7', Notes:
'Display name: ovirt-engine-extension-aaa-ldap-1.3.7-1.el7.centos',
License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt
Project', Build interface Version: '0',  File:
'/tmp/tmpPQluAI/extensions.d/example.com-authn.properties', Initialized:
'true'
  2018-06-13 11:27:22,090-04 INFO    End of enabled extensions list
  2018-06-13 11:27:22,090-04 INFO   

  2018-06-13 11:27:22,090-04 INFO   
== Execution ===
  2018-06-13 11:27:22,091-04 INFO   

  2018-06-13 11:27:22,091-04 INFO    Iteration: 0
  2018-06-13 11:27:22,093-04 INFO    Profile='example.com'
authn='example.com-authn' authz='example.com-authz' mapping='null'
  2018-06-13 11:27:22,094-04 INFO    API:
-->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='example.com'
user='d861703'
  2018-06-13 11:27:22,251-04 INFO    API:
<--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='example.com'
result=CREDENTIALS_INCORRECT
  2018-06-13 11:27:22,262-04 SEVERE  Authn.Result code is:
CREDENTIALS_INCORRECT
[ ERROR ] Login sequence failed

Does anybody know what LdapErr: DSID-0C09042A, comment:
Acce
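Added example, not part of this thread or of oVirt: a small Python triage helper for the kind of `aaa login-user` output pasted above. It re-joins records that got wrapped in the mail, decodes the AD `data 52e` sub-code (and its siblings) and the LDAPSearchException result codes that appear later on this page, and attributes each warning to the pool whose creation was logged just before it, on the reading that a pool is bound with its configured account when it is created. The code tables are standard AD and RFC 4511 values; the sample output is constructed.

```python
"""Triage helper for 'ovirt-engine-extensions-tool aaa login-user' output.

Added example, not part of this thread or of oVirt.  It decodes AD bind
failures ('AcceptSecurityContext error, data NNN') and LDAPSearchException
result codes, and notes which LDAP pool was being created when the failure
was logged.  The sample output at the bottom is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sub-codes AD puts in the 'data' field of an AcceptSecurityContext error.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password, or bind DN/UPN form not accepted)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# LDAP result codes (RFC 4511) seen in aaa-ldap search failures.
LDAP_RESULT_CODES = {
    4: "sizeLimitExceeded: more entries matched than the size limit allows",
    11: "adminLimitExceeded: an administrative limit on the server was hit",
    32: "noSuchObject: the base DN does not exist",
    49: "invalidCredentials: the bind was rejected",
}

RECORD_START_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}|\[ *[A-Z]+ *\]"
                             r"|(TRACE|DEBUG|INFO|WARNING|ERROR|SEVERE)\b)")
POOL_RE = re.compile(r"Creating LDAP pool '([^']+)'")
AD_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-f]{3})")
RESULT_CODE_RE = re.compile(r"LDAPSearchException\(resultCode=(\d+)")


@dataclass
class Finding:
    record_no: int        # 1-based index of the log record
    pool: Optional[str]   # pool whose creation was logged most recently
    kind: str             # "ad-bind" or "ldap-result"
    code: str
    meaning: str


def unwrap(text: str) -> List[str]:
    """Re-join records wrapped when the output was pasted into mail: a line
    that does not look like the start of a record continues the previous one."""
    records: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if records and not RECORD_START_RE.match(line):
            records[-1] += " " + line
        else:
            records.append(line)
    return records


def triage(records: List[str]) -> List[Finding]:
    """Decode bind and search failures.  A bind failure logged right after
    'Creating LDAP pool' is taken to be that pool's own configured bind
    account being rejected, not the user under test (an assumption)."""
    findings: List[Finding] = []
    pool: Optional[str] = None
    for n, rec in enumerate(records, 1):
        m = POOL_RE.search(rec)
        if m:
            pool = m.group(1)
            continue
        m = AD_DATA_RE.search(rec)
        if m:
            code = m.group(1)
            meaning = AD_BIND_DATA_CODES.get(code, "unknown AD sub-code")
            findings.append(Finding(n, pool, "ad-bind", code, meaning))
            continue
        m = RESULT_CODE_RE.search(rec)
        if m:
            code = int(m.group(1))
            meaning = LDAP_RESULT_CODES.get(code, "unknown LDAP result code")
            findings.append(Finding(n, pool, "ldap-result", str(code), meaning))
    return findings


# Constructed sample in the shape of the output quoted in this thread.
SAMPLE_OUTPUT = """\
[ INFO  ] Executing login sequence...
  Login output:
  2018-06-13 11:27:18,090-04 INFO [ovirt-engine-extension-aaa-ldap.authn::example.com-authn] Creating LDAP
pool 'authz'
  2018-06-13 11:27:19,574-04 WARNING Exception: 80090308:
LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e,
v3839
  2018-06-13 11:27:19,576-04 INFO [ovirt-engine-extension-aaa-ldap.authn::example.com-authn] Creating LDAP
pool 'authn'
TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (default task-13)
[] SearchRequest: Exception: LDAPSearchException(resultCode=11 (admin
limit exceeded), numEntries=0, numReferences=0, errorMessage='admin limit exceeded')
"""
```

Running `triage(unwrap(SAMPLE_OUTPUT))` on the constructed sample places the 52e failure at the 'authz' pool creation, i.e. before any user credential is tried.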

[ovirt-users] LDAP Authentication issues

2018-05-25 Thread Callum Smith
Dear All,

I'm having problems getting LDAP running: login works, but I'm getting "user is 
not authorised to perform login" - this is even if I specify the UserRole 
specifically for the LDAP group the user is in.

2018-05-25 08:56:16,212+01 INFO  
[org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-23) [] User 
callum@Biomedical Research Computing successfully logged in with scopes: 
ovirt-app-admin ovirt-app-api ovirt-app-portal 
ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all 
ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search 
ovirt-ext=token-info:validate ovirt-ext=token:password-access
2018-05-25 08:56:16,391+01 INFO  
[org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-25) 
[63e60fe9] Running command: CreateUserSessionCommand internal: false.
2018-05-25 08:56:16,430+01 ERROR 
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default 
task-25) [63e60fe9] EVENT_ID: USER_VDC_LOGIN_FAILED(114), User 
callum@Biomedical Research Computing connecting from '192.168.65.254' failed to 
log in.
2018-05-25 08:56:16,430+01 ERROR 
[org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-25) [] 
The user callum@Biomedical Research Computing is not authorized to perform login


On a side note: is it possible to assign permissions to all members of an LDAP 
tree where they don't have a common group membership?

Regards,
Callum

--

Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. cal...@well.ox.ac.uk



Re: [ovirt-users] LDAP sources

2017-11-15 Thread Ondra Machacek
Hello,

On Wed, Nov 15, 2017 at 9:03 AM, Magnus Isaksson  wrote:
> Hello,
>
> I have tried googling and searching in the documentation, but I can't seem
> to find any instructions on how to remove an authentication source.
>
> The background is that I did set up a FreeIPA server for auth, which worked
> perfectly, but I ran into some problems using that to auth other systems, so
> I had to set up a new FreeIPA server and added that to oVirt, but now I want
> to remove the old one, but can not seem to find how.
> Anyone sitting on that info?

You have to remove the extension files of the old IPA server. It's the
following files:

 - /etc/ovirt-engine/extensions.d/ipa-old-authn.properties
 - /etc/ovirt-engine/extensions.d/ipa-old-authn.properties
 - /etc/ovirt-engine/aaa/ipa-old.properties

Also don't forget to remove all users and groups of the old profile
via webadmin.

>
> And while on the subject, how do I set the FreeIPA auth as the default auth
> source in oVirt?

Yes, this is supported since 4.0 release. You can check more info in
this bugzilla:

 https://bugzilla.redhat.com/show_bug.cgi?id=1296274

What you need to do is add this line:

ovirt.engine.aaa.authn.default.profile=true

to the authn properties file of the profile you want to be the default.

>
> Regards
>  Magnus


[ovirt-users] LDAP sources

2017-11-15 Thread Magnus Isaksson

Hello,

I have tried googling and searching in the documentation, but I can't 
seem to find any instructions on how to remove an authentication source.


The background is that I did set up a FreeIPA server for auth, which worked 
perfectly, but I ran into some problems using that to auth other 
systems, so I had to set up a new FreeIPA server and added that to 
oVirt, but now I want to remove the old one, but can not seem to find 
how.

Anyone sitting on that info?

And while on the subject, how do I set the FreeIPA auth as the default auth 
source in oVirt?


Regards
Magnus


[ovirt-users] Ldap authentification filtering with custom attribute

2017-08-16 Thread Jean-mathieu CHANTREIN
Hello.

Is there a way to filter a group of LDAP users by one custom attribute and 
not by groups? For example, I tried (without success) to put this entry in 
/etc/ovirt-engine/extensions.d/my-ldap-authz.properties:

search.simple-resolve-groups-memberOf.search-request.filter = 
&(myCustomAttribute=nameOfAttributeToFilter) 

And if it's possible, can I have filtering with more than one attribute (i.e., 
each attribute would discriminate like a group)?

Thanks for your help. 

Regards. 

Jean-Mathieu 


Re: [ovirt-users] LDAP-based domain not working after upgrade?

2016-08-15 Thread Nicolás
El 15/08/16 a las 13:28, Ondra Machacek escribió:

On 08/13/2016 12:44 AM, nico...@devels.es wrote:

El 2016-08-12 20:38, Ondra Machacek escribió:

On 08/12/2016 05:53 PM, nico...@devels.es wrote:

El 2016-08-10 14:46, Nicolás escribió:

En 10/8/2016 2:29 p. m., Alexander Wels escribió:

On Wednesday, August 10, 2016 9:02:16 AM EDT Alexander Wels wrote:

On Wednesday, August 10, 2016 9:10:25 AM EDT nico...@devels.es wrote:

El 2016-08-10 08:58, Ondra Machacek escribió:

> On 08/10/2016 09:37 AM, Nicolás wrote:
>> Hi,
>>
>> We're running oVirt 4.0.1.1, and we're trying to grant a permission to a
>> user on a VM. Thing is when we open the 'Permissions' subtab on that VM,
>> we click on Add, the LDAP backend shows up but any value entered into
>> the search box returns nothing, even when I know the values exist.
>>
>> This has been working on oVirt 3.x, we actually migrated to 4.x last
>> week and didn't notice this issue.
>>
>> Additionally, there's no combobox to choose the permission to grant?
>
> There should be a combo box to choose a role.

I've attached a screenshot, seems there's not.

It's highly likely the dropdown is there, but it's scrolled below the bottom
of the dialog and thus you can't see it. I thought I made sure all the
dialogs were working, seems like I missed one. Let me check it out and see
what is going on.

Okay I double checked, I went to the VMs main tab, selected a VM, then went to
the permissions sub tab. Clicked add. The dialog that popped up looks like the
one attached, which is what I was expecting. The one you attached appears to
be missing some styling, which is likely what caused the Role to Assign part
to be scrolled below the bottom of the page.

Can you completely clear your cache (not shift reload, but settings->clear
cache). If that doesn't work can you tell us the version of the patternfly rpm
installed on your engine?

Yes, I already did that, also opened the engine on different clients
and the behavior is the same, I believe this is not a client issue.
Patternfly package is patternfly1-1.3.0-1.el7.centos.noarch

Ok, this indeed seems like a graphics problem since I am seeing this
connecting to a machine through a VNC server and the Role combobox is
moved down out of the dialog.

However, the LDAP issue persists. When I choose the 'internal' domain, I
can search the 'admin' user successfully, however, if I set it to be the
LDAP domain, any search returns nothing.

Any hints or ideas how to debug this?

Can you please enable debug log[1] and send it here?

[1] https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/blob/master/README#L442

Thanks. I was now able to see why it is failing:

TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (default task-13)
[] SearchRequest: Exception: LDAPSearchException(resultCode=11 (admin
limit exceeded), numEntries=0, numReferences=0, errorMessage='admin
limit exceeded')

This is a server error: the number of entries to be returned is higher
than the limit set on the server.
You should either increase that limit server side, or don't use '*',
but use some filter (i.e. user*).

That's the problem, the patterns we enter in the search box are specific
usernames that usually return only one or 2 results at most from the
LDAP directory, that's why I think this filter is needlessly too broad
in our case. I've been making the query more specific on the command
line (i.e., using ldapsearch) and removing some of the OR (|) clauses
seems to return a lower number of entries below the limit, that's why I
asked if it's possible to manually specify the filter.

Do you think it would be useful to open an RFE on BZ asking for a feature
to allow the user to specify the filter?

I'll see what's the best way to work around this problem as is, either
defining a user and allowing them a higher number of returned results or
increasing the limit on the server side.

Thanks.

Indeed, if I run that query using the ldapsearch command I can clearly
see it is returning an "admin limit exceeded" error.

The applied filter is:
(&(objectClass=posixAccount)(uid=*)(|(givenName=username)(sn=username)(displayName=username)(uid=username)))

Strange thing is this hasn't been an issue on oVirt 3.6.x and we've not
changed our LDAP configuration. Has the filter been changed in 4.x by
default?

It didn't.

If so, is there a way to override the filter to make it simpler? (In our
case we'll always seek by username, so no need to search by givenName,
sn or displayName).

Filtering is constructed on the client side, in this case the ovirt-engine
backend, so unfortunately it's not easily modifiable.

Thanks.

Thanks.

Anyhow, I see there are lots of packages to update so I'll do so
within a few days and report results.

>> All this is done with the admin@internal user, so I guess this is not a
Re: [ovirt-users] LDAP-based domain not working after upgrade?

2016-08-15 Thread Ondra Machacek
On 08/13/2016 12:44 AM, nico...@devels.es wrote:

El 2016-08-12 20:38, Ondra Machacek escribió:

On 08/12/2016 05:53 PM, nico...@devels.es wrote:

El 2016-08-10 14:46, Nicolás escribió:

En 10/8/2016 2:29 p. m., Alexander Wels escribió:

On Wednesday, August 10, 2016 9:02:16 AM EDT Alexander Wels wrote:

On Wednesday, August 10, 2016 9:10:25 AM EDT nico...@devels.es wrote:

El 2016-08-10 08:58, Ondra Machacek escribió:

> On 08/10/2016 09:37 AM, Nicolás wrote:
>> Hi,
>>
>> We're running oVirt 4.0.1.1, and we're trying to grant a permission to a
>> user on a VM. Thing is when we open the 'Permissions' subtab on that VM,
>> we click on Add, the LDAP backend shows up but any value entered into
>> the search box returns nothing, even when I know the values exist.
>>
>> This has been working on oVirt 3.x, we actually migrated to 4.x last
>> week and didn't notice this issue.
>>
>> Additionally, there's no combobox to choose the permission to grant?
>
> There should be a combo box to choose a role.

I've attached a screenshot, seems there's not.

It's highly likely the dropdown is there, but it's scrolled below the bottom
of the dialog and thus you can't see it. I thought I made sure all the
dialogs were working, seems like I missed one. Let me check it out and see
what is going on.

Okay I double checked, I went to the VMs main tab, selected a VM, then went to
the permissions sub tab. Clicked add. The dialog that popped up looks like the
one attached, which is what I was expecting. The one you attached appears to
be missing some styling, which is likely what caused the Role to Assign part
to be scrolled below the bottom of the page.

Can you completely clear your cache (not shift reload, but settings->clear
cache). If that doesn't work can you tell us the version of the patternfly rpm
installed on your engine?

Yes, I already did that, also opened the engine on different clients
and the behavior is the same, I believe this is not a client issue.
Patternfly package is patternfly1-1.3.0-1.el7.centos.noarch

Ok, this indeed seems like a graphics problem since I am seeing this
connecting to a machine through a VNC server and the Role combobox is
moved down out of the dialog.

However, the LDAP issue persists. When I choose the 'internal' domain, I
can search the 'admin' user successfully, however, if I set it to be the
LDAP domain, any search returns nothing.

Any hints or ideas how to debug this?

Can you please enable debug log[1] and send it here?

[1] https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/blob/master/README#L442

Thanks. I was now able to see why it is failing:

TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (default task-13)
[] SearchRequest: Exception: LDAPSearchException(resultCode=11 (admin
limit exceeded), numEntries=0, numReferences=0, errorMessage='admin
limit exceeded')

This is a server error: the number of entries to be returned is higher
than the limit set on the server.
You should either increase that limit server side, or don't use '*', but
use some filter (i.e. user*).

Indeed, if I run that query using the ldapsearch command I can clearly
see it is returning an "admin limit exceeded" error.

The applied filter is:
(&(objectClass=posixAccount)(uid=*)(|(givenName=username)(sn=username)(displayName=username)(uid=username)))

Strange thing is this hasn't been an issue on oVirt 3.6.x and we've not
changed our LDAP configuration. Has the filter been changed in 4.x by
default?

It didn't.

If so, is there a way to override the filter to make it simpler? (In our
case we'll always seek by username, so no need to search by givenName,
sn or displayName).

Filtering is constructed on the client side, in this case the ovirt-engine
backend, so unfortunately it's not easily modifiable.

Thanks.

Thanks.

Anyhow, I see there are lots of packages to update so I'll do so
within a few days and report results.

>> All this is done with the admin@internal user, so I guess this is not a
>> self-permission issue.
>>
>> Interesting thing is that I can successfully log-in to the user portal
>> with a LDAP based user and manage all the VMs assigned to them.
>>
>> Just to see if there's been any configuration change, we also run the
>> ovirt-engine-extension-aaa-ldap-setup tool, the configuration it returns
>> is pretty similar to ours, and even the test commands (Login, Search)
>> work successfully (I can see search returning user's data like name,
>> surname, ...). We even applied this configuration to engine to see if it
>> makes a difference but the result is the same, the search dialog returns
>> nothing and neither I can see the permission to grant.
>>
>> Any hint about this?
>
> Maybe you hit similar issue to this one[1].
>
> Can you please share engine.

Re: [ovirt-users] LDAP-based domain not working after upgrade?

2016-08-12 Thread nicolas
El 2016-08-12 20:38, Ondra Machacek escribió:

On 08/12/2016 05:53 PM, nico...@devels.es wrote:

El 2016-08-10 14:46, Nicolás escribió:

En 10/8/2016 2:29 p. m., Alexander Wels escribió:

On Wednesday, August 10, 2016 9:02:16 AM EDT Alexander Wels wrote:

On Wednesday, August 10, 2016 9:10:25 AM EDT nico...@devels.es wrote:

El 2016-08-10 08:58, Ondra Machacek escribió:

> On 08/10/2016 09:37 AM, Nicolás wrote:
>> Hi,
>>
>> We're running oVirt 4.0.1.1, and we're trying to grant a permission to a
>> user on a VM. Thing is when we open the 'Permissions' subtab on that VM,
>> we click on Add, the LDAP backend shows up but any value entered into
>> the search box returns nothing, even when I know the values exist.
>>
>> This has been working on oVirt 3.x, we actually migrated to 4.x last
>> week and didn't notice this issue.
>>
>> Additionally, there's no combobox to choose the permission to grant?
>
> There should be a combo box to choose a role.

I've attached a screenshot, seems there's not.

It's highly likely the dropdown is there, but it's scrolled below the bottom
of the dialog and thus you can't see it. I thought I made sure all the
dialogs were working, seems like I missed one. Let me check it out and see
what is going on.

Okay I double checked, I went to the VMs main tab, selected a VM, then went to
the permissions sub tab. Clicked add. The dialog that popped up looks like the
one attached, which is what I was expecting. The one you attached appears to
be missing some styling, which is likely what caused the Role to Assign part
to be scrolled below the bottom of the page.

Can you completely clear your cache (not shift reload, but settings->clear
cache). If that doesn't work can you tell us the version of the patternfly rpm
installed on your engine?

Yes, I already did that, also opened the engine on different clients
and the behavior is the same, I believe this is not a client issue.
Patternfly package is patternfly1-1.3.0-1.el7.centos.noarch

Ok, this indeed seems like a graphics problem since I am seeing this
connecting to a machine through a VNC server and the Role combobox is
moved down out of the dialog.

However, the LDAP issue persists. When I choose the 'internal' domain, I
can search the 'admin' user successfully, however, if I set it to be the
LDAP domain, any search returns nothing.

Any hints or ideas how to debug this?

Can you please enable debug log[1] and send it here?

[1] https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/blob/master/README#L442

Thanks. I was now able to see why it is failing:

TRACE [org.ovirt.engineextensions.aaa.ldap.Framework] (default task-13)
[] SearchRequest: Exception: LDAPSearchException(resultCode=11 (admin
limit exceeded), numEntries=0, numReferences=0, errorMessage='admin
limit exceeded')

Indeed, if I run that query using the ldapsearch command I can clearly
see it is returning an "admin limit exceeded" error.

The applied filter is:
(&(objectClass=posixAccount)(uid=*)(|(givenName=username)(sn=username)(displayName=username)(uid=username)))

Strange thing is this hasn't been an issue on oVirt 3.6.x and we've not
changed our LDAP configuration. Has the filter been changed in 4.x by
default?

If so, is there a way to override the filter to make it simpler? (In our
case we'll always seek by username, so no need to search by givenName,
sn or displayName).

Thanks.

Thanks.

Anyhow, I see there are lots of packages to update so I'll do so
within a few days and report results.

>> All this is done with the admin@internal user, so I guess this is not a
>> self-permission issue.
>>
>> Interesting thing is that I can successfully log-in to the user portal
>> with a LDAP based user and manage all the VMs assigned to them.
>>
>> Just to see if there's been any configuration change, we also run the
>> ovirt-engine-extension-aaa-ldap-setup tool, the configuration it returns
>> is pretty similar to ours, and even the test commands (Login, Search)
>> work successfully (I can see search returning user's data like name,
>> surname, ...). We even applied this configuration to engine to see if it
>> makes a difference but the result is the same, the search dialog returns
>> nothing and neither I can see the permission to grant.
>>
>> Any hint about this?
>
> Maybe you hit similar issue to this one[1].
>
> Can you please share engine.log, while you hit search button?

I'm also attaching the log at the time I hit the search button, but I'm
afraid there's no entry about that.

Thanks.

> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1356675
>
>> Thanks

Re: [ovirt-users] LDAP-based domain not working after upgrade?

2016-08-12 Thread Ondra Machacek
On 08/12/2016 05:53 PM, nico...@devels.es wrote:

El 2016-08-10 14:46, Nicolás escribió:

En 10/8/2016 2:29 p. m., Alexander Wels escribió:

On Wednesday, August 10, 2016 9:02:16 AM EDT Alexander Wels wrote:

On Wednesday, August 10, 2016 9:10:25 AM EDT nico...@devels.es wrote:

El 2016-08-10 08:58, Ondra Machacek escribió:

> On 08/10/2016 09:37 AM, Nicolás wrote:
>> Hi,
>>
>> We're running oVirt 4.0.1.1, and we're trying to grant a permission to a
>> user on a VM. Thing is when we open the 'Permissions' subtab on that VM,
>> we click on Add, the LDAP backend shows up but any value entered into
>> the search box returns nothing, even when I know the values exist.
>>
>> This has been working on oVirt 3.x, we actually migrated to 4.x last
>> week and didn't notice this issue.
>>
>> Additionally, there's no combobox to choose the permission to grant?
>
> There should be a combo box to choose a role.

I've attached a screenshot, seems there's not.

It's highly likely the dropdown is there, but it's scrolled below the bottom
of the dialog and thus you can't see it. I thought I made sure all the
dialogs were working, seems like I missed one. Let me check it out and see
what is going on.

Okay I double checked, I went to the VMs main tab, selected a VM, then went to
the permissions sub tab. Clicked add. The dialog that popped up looks like the
one attached, which is what I was expecting. The one you attached appears to
be missing some styling, which is likely what caused the Role to Assign part
to be scrolled below the bottom of the page.

Can you completely clear your cache (not shift reload, but settings->clear
cache). If that doesn't work can you tell us the version of the patternfly rpm
installed on your engine?

Yes, I already did that, also opened the engine on different clients
and the behavior is the same, I believe this is not a client issue.
Patternfly package is patternfly1-1.3.0-1.el7.centos.noarch

Ok, this indeed seems like a graphics problem since I am seeing this
connecting to a machine through a VNC server and the Role combobox is
moved down out of the dialog.

However, the LDAP issue persists. When I choose the 'internal' domain, I
can search the 'admin' user successfully, however, if I set it to be the
LDAP domain, any search returns nothing.

Any hints or ideas how to debug this?

Can you please enable debug log[1] and send it here?

[1] https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/blob/master/README#L442

Thanks.

Anyhow, I see there are lots of packages to update so I'll do so
within a few days and report results.

>> All this is done with the admin@internal user, so I guess this is not a
>> self-permission issue.
>>
>> Interesting thing is that I can successfully log-in to the user portal
>> with a LDAP based user and manage all the VMs assigned to them.
>>
>> Just to see if there's been any configuration change, we also run the
>> ovirt-engine-extension-aaa-ldap-setup tool, the configuration it returns
>> is pretty similar to ours, and even the test commands (Login, Search)
>> work successfully (I can see search returning user's data like name,
>> surname, ...). We even applied this configuration to engine to see if it
>> makes a difference but the result is the same, the search dialog returns
>> nothing and neither I can see the permission to grant.
>>
>> Any hint about this?
>
> Maybe you hit similar issue to this one[1].
>
> Can you please share engine.log, while you hit search button?

I'm also attaching the log at the time I hit the search button, but I'm
afraid there's no entry about that.

Thanks.

> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1356675
>
>> Thanks

Re: [ovirt-users] LDAP-based domain not working after upgrade?

2016-08-12 Thread nicolas

El 2016-08-10 14:46, Nicolás escribió:

En 10/8/2016 2:29 p. m., Alexander Wels  escribió:


On Wednesday, August 10, 2016 9:02:16 AM EDT Alexander Wels wrote:



On Wednesday, August 10, 2016 9:10:25 AM EDT nico...@devels.es

wrote:



El 2016-08-10 08:58, Ondra Machacek escribió:



> On 08/10/2016 09:37 AM, Nicolás wrote:



>> Hi,



>>



>> We're running oVirt 4.0.1.1 [1], and we're trying to grant a

permission to



>> a



>> user on a VM. Thing is when we open the 'Permissions' subtab

on that



>> VM,



>> we click on Add, the LDAP backend shows up but any value

entered into



>> the search box returns nothing, even when I know the values

exist.



>>



>> This has been working on oVirt 3.x, we actually migrated to

4.x last



>> week and didn't notice this issue.



>>



>> Additionally, there's no combobox to choose the permission to

grant?



>



> There should be combo box to choose a role.







I've attached a screenshot, seems there's not.







Its highly likely the dropdown is there, but its scrolled below

the bottom



of the dialog and thus you can't see it. I thought I made sure all

the



dialogs were working, seems like I missed one. Let me check it out

and see



what is going on.











Okay I double checked, I went to the VMs main tab, selected a VM,
then went to



the permissions sub tab. Clicked add. The dialog that popped up
looks like the



one attached, which is what I was expecting. The one you attached
appears to



be missing some styling, which is likely what caused the Role to
Assign part



to be scrolled below the bottom of the page.







Can you complete clear your cache (not shift reload, but
settings->clear



cache). If that doesn't work can you tell us the version of the
patternfly rpm



installed on your engine?







Yes, I already did that, also opened the engine on different clients
and the behavior is the same, I believe this is not a client issue.
Patternfly package is patternfly1-1.3.0-1.el7.centos.noarch




Ok, this indeed seems like a graphics problem since I am seeing this 
connecting to a machine through a VNC server and the Role combobox is 
moved down out of the dialog.


However, the LDAP issue persists. When I choose the 'internal' domain, I 
can search the 'admin' user successfully, however, if I set it to be the 
LDAP domain, any search returns nothing.


Any hints or ideas how to debug this?

Thanks.







Anyhow, I see there are lots of packages to update so I'll do so
within a few days and report results.

>> All this is done with the admin@internal user, so I guess this is not a
>> self-permission issue.
>>
>> Interesting thing is that I can successfully log-in to the user portal
>> with a LDAP based user and manage all the VMs assigned to them.
>>
>> Just to see if there's been any configuration change, we also run the
>> ovirt-engine-extension-aaa-ldap-setup tool, the configuration it returns
>> is pretty similar to ours, and even the test commands (Login, Search)
>> work successfully (I can see search returning user's data like name,
>> surname, ...). We even applied this configuration to engine to see if it
>> makes a difference but the result is the same, the search dialog returns
>> nothing and neither I can see the permission to grant.
>>
>> Any hint about this?
>
> Maybe you hit similar issue to this one[1].
>
> Can you please share engine.log, while you hit search button?

I'm also attaching the log at the time I hit the search button, but I'm
afraid there's no entry about that.

Thanks.

> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1356675
>
>> Thanks


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users



Re: [ovirt-users] LDAP-based domain not working after upgrade?

2016-08-10 Thread nicolas

On 2016-08-10 14:46, Nicolás wrote:

On 10/8/2016 2:29 p. m., Alexander Wels wrote:

On Wednesday, August 10, 2016 9:02:16 AM EDT Alexander Wels wrote:

On Wednesday, August 10, 2016 9:10:25 AM EDT nico...@devels.es wrote:

On 2016-08-10 08:58, Ondra Machacek wrote:

> On 08/10/2016 09:37 AM, Nicolás wrote:
>> Hi,
>>
>> We're running oVirt 4.0.1.1, and we're trying to grant a permission to a
>> user on a VM. Thing is when we open the 'Permissions' subtab on that VM,
>> we click on Add, the LDAP backend shows up but any value entered into
>> the search box returns nothing, even when I know the values exist.
>>
>> This has been working on oVirt 3.x, we actually migrated to 4.x last
>> week and didn't notice this issue.
>>
>> Additionally, there's no combobox to choose the permission to grant?
>
> There should be combo box to choose a role.

I've attached a screenshot, seems there's not.

It's highly likely the dropdown is there, but it's scrolled below the bottom
of the dialog and thus you can't see it. I thought I made sure all the
dialogs were working, seems like I missed one. Let me check it out and see
what is going on.

Okay I double checked, I went to the VMs main tab, selected a VM, then went to
the permissions sub tab. Clicked add. The dialog that popped up looks like the
one attached, which is what I was expecting. The one you attached appears to
be missing some styling, which is likely what caused the Role to Assign part
to be scrolled below the bottom of the page.

Can you completely clear your cache (not shift reload, but settings->clear
cache). If that doesn't work can you tell us the version of the patternfly rpm
installed on your engine?

Yes, I already did that, also opened the engine on different clients
and the behavior is the same, I believe this is not a client issue.
Patternfly package is patternfly1-1.3.0-1.el7.centos.noarch

Anyhow, I see there are lots of packages to update so I'll do so
within a few days and report results.

So I was able to update all packages, re-run engine-setup just in 
case and restart ovirt-engine, and the situation is the same. I remembered 
we also have a dev. environment oVirt installation which we upgraded 
from 3.6.7 to 4.0.1 and the same happens there, so finally we have 3 
independent oVirt installations with the same problem. There's something 
not working as intended.


I'm attaching a list of packages on oVirt engine and their versions if 
you want to check if there's something wrong with versioning, although 
everything seems to be ok.


Thanks!






>> All this is done with the admin@internal user, so I guess this is not a
>> self-permission issue.
>>
>> Interesting thing is that I can successfully log-in to the user portal
>> with a LDAP based user and manage all the VMs assigned to them.
>>
>> Just to see if there's been any configuration change, we also run the
>> ovirt-engine-extension-aaa-ldap-setup tool, the configuration it returns
>> is pretty similar to ours, and even the test commands (Login, Search)
>> work successfully (I can see search returning user's data like name,
>> surname, ...). We even applied this configuration to engine to see if it
>> makes a difference but the result is the same, the search dialog returns
>> nothing and neither I can see the permission to grant.
>>
>> Any hint about this?
>
> Maybe you hit similar issue to this one[1].
>
> Can you please share engine.log, while you hit search button?

I'm also attaching the log at the time I hit the search button, but I'm
afraid there's no entry about that.

Thanks.

> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1356675
>
>> Thanks

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

ovirt-engine-4.0.1.1-1.el7.centos.noarch
ovirt-engine-backend-4.0.1.1-1.el7.centos.noarch
ovirt-engine-cli-3.6.8.0-1.el7.centos.noarch
ovirt-engine-dashboard-1.0.0-0.2.20160610git5d210ea.el7.centos.noarch
ovirt-engine-dbscripts-4.0.1.1-1.el7.centos.noarch
ovirt-engine-dwh-4.0.1-1.el7.centos.no

Re: [ovirt-users] LDAP-based domain not working after upgrade?

2016-08-10 Thread Nicolás
On 10/8/2016 2:29 p. m., Alexander Wels wrote:

On Wednesday, August 10, 2016 9:02:16 AM EDT Alexander Wels wrote:
> On Wednesday, August 10, 2016 9:10:25 AM EDT nicolas@devels.es wrote:
> > On 2016-08-10 08:58, Ondra Machacek wrote:
> > > On 08/10/2016 09:37 AM, Nicolás wrote:
> > >> Hi,
> > >> 
> > >> We're running oVirt 4.0.1.1, and we're trying to grant a permission to a
> > >> user on a VM. Thing is when we open the 'Permissions' subtab on that VM,
> > >> we click on Add, the LDAP backend shows up but any value entered into
> > >> the search box returns nothing, even when I know the values exist.
> > >> 
> > >> This has been working on oVirt 3.x, we actually migrated to 4.x last
> > >> week and didn't notice this issue.
> > >> 
> > >> Additionally, there's no combobox to choose the permission to grant?
> > > 
> > > There should be combo box to choose a role.
> > 
> > I've attached a screenshot, seems there's not.
> 
> It's highly likely the dropdown is there, but it's scrolled below the bottom
> of the dialog and thus you can't see it. I thought I made sure all the
> dialogs were working, seems like I missed one. Let me check it out and see
> what is going on.
> 

Okay I double checked, I went to the VMs main tab, selected a VM, then went to 
the permissions sub tab. Clicked add. The dialog that popped up looks like the 
one attached, which is what I was expecting. The one you attached appears to 
be missing some styling, which is likely what caused the Role to Assign part 
to be scrolled below the bottom of the page.

Can you completely clear your cache (not shift reload, but settings->clear 
cache). If that doesn't work can you tell us the version of the patternfly rpm 
installed on your engine?

Yes, I already did that, also opened the engine on different clients and the behavior is the same, I believe this is not a client issue. Patternfly package is patternfly1-1.3.0-1.el7.centos.noarch

Anyhow, I see there are lots of packages to update so I'll do so within a few days and report results.

> > >> All this is done with the admin@internal user, so I guess this is not a
> > >> self-permission issue.
> > >> 
> > >> Interesting thing is that I can successfully log-in to the user portal
> > >> with a LDAP based user and manage all the VMs assigned to them.
> > >> 
> > >> Just to see if there's been any configuration change, we also run the
> > >> ovirt-engine-extension-aaa-ldap-setup tool, the configuration it returns
> > >> is pretty similar to ours, and even the test commands (Login, Search)
> > >> work successfully (I can see search returning user's data like name,
> > >> surname, ...). We even applied this configuration to engine to see if it
> > >> makes a difference but the result is the same, the search dialog returns
> > >> nothing and neither I can see the permission to grant.
> > >> 
> > >> Any hint about this?
> > > 
> > > Maybe you hit similar issue to this one[1].
> > > 
> > > Can you please share engine.log, while you hit search button?
> > 
> > I'm also attaching the log at the time I hit the search button, but I'm
> > afraid there's no entry about that.
> > 
> > Thanks.
> > 
> > > [1] https://bugzilla.redhat.com/show_bug.cgi?id=1356675
> > > 
> > >> Thanks



___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] LDAP-based domain not working after upgrade?

2016-08-10 Thread Alexander Wels
On Wednesday, August 10, 2016 9:02:16 AM EDT Alexander Wels wrote:
> On Wednesday, August 10, 2016 9:10:25 AM EDT nico...@devels.es wrote:
> > On 2016-08-10 08:58, Ondra Machacek wrote:
> > > On 08/10/2016 09:37 AM, Nicolás wrote:
> > >> Hi,
> > >> 
> > >> We're running oVirt 4.0.1.1, and we're trying to grant a permission to
> > >> a
> > >> user on a VM. Thing is when we open the 'Permissions' subtab on that
> > >> VM,
> > >> we click on Add, the LDAP backend shows up but any value entered into
> > >> the search box returns nothing, even when I know the values exist.
> > >> 
> > >> This has been working on oVirt 3.x, we actually migrated to 4.x last
> > >> week and didn't notice this issue.
> > >> 
> > >> Additionally, there's no combobox to choose the permission to grant?
> > > 
> > > There should be combo box to choose a role.
> > 
> > I've attached a screenshot, seems there's not.
> 
> It's highly likely the dropdown is there, but it's scrolled below the bottom
> of the dialog and thus you can't see it. I thought I made sure all the
> dialogs were working, seems like I missed one. Let me check it out and see
> what is going on.
> 

Okay I double checked, I went to the VMs main tab, selected a VM, then went to 
the permissions sub tab. Clicked add. The dialog that popped up looks like the 
one attached, which is what I was expecting. The one you attached appears to 
be missing some styling, which is likely what caused the Role to Assign part 
to be scrolled below the bottom of the page.

Can you completely clear your cache (not shift reload, but settings->clear 
cache). If that doesn't work can you tell us the version of the patternfly rpm 
installed on your engine?

Alexander

> > >> All this is done with the admin@internal user, so I guess this is not
> > >> a
> > >> self-permission issue.
> > >> 
> > >> Interesting thing is that I can successfully log-in to the user portal
> > >> with a LDAP based user and manage all the VMs assigned to them.
> > >> 
> > >> Just to see if there's been any configuration change, we also run the
> > >> ovirt-engine-extension-aaa-ldap-setup tool, the configuration it
> > >> returns
> > >> is pretty similar to ours, and even the test commands (Login, Search)
> > >> work successfully (I can see search returning user's data like name,
> > >> surname, ...). We even applied this configuration to engine to see if
> > >> it
> > >> makes a difference but the result is the same, the search dialog
> > >> returns
> > >> nothing and neither I can see the permission to grant.
> > >> 
> > >> Any hint about this?
> > > 
> > > Maybe you hit similar issue to this one[1].
> > > 
> > > Can you please share engine.log, while you hit search button?
> > 
> > I'm also attaching the log at the time I hit the search button, but I'm
> > afraid there's no entry about that.
> > 
> > Thanks.
> > 
> > > [1] https://bugzilla.redhat.com/show_bug.cgi?id=1356675
> > > 
> > >> Thanks

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] LDAP-based domain not working after upgrade?

2016-08-10 Thread Alexander Wels
On Wednesday, August 10, 2016 9:10:25 AM EDT nico...@devels.es wrote:
> On 2016-08-10 08:58, Ondra Machacek wrote:
> > On 08/10/2016 09:37 AM, Nicolás wrote:
> >> Hi,
> >> 
> >> We're running oVirt 4.0.1.1, and we're trying to grant a permission to
> >> a
> >> user on a VM. Thing is when we open the 'Permissions' subtab on that
> >> VM,
> >> we click on Add, the LDAP backend shows up but any value entered into
> >> the search box returns nothing, even when I know the values exist.
> >> 
> >> This has been working on oVirt 3.x, we actually migrated to 4.x last
> >> week and didn't notice this issue.
> >> 
> >> Additionally, there's no combobox to choose the permission to grant?
> > 
> > There should be combo box to choose a role.
> 
> I've attached a screenshot, seems there's not.
> 

It's highly likely the dropdown is there, but it's scrolled below the bottom of 
the dialog and thus you can't see it. I thought I made sure all the dialogs 
were working, seems like I missed one. Let me check it out and see what is 
going on.

> >> All this is done with the admin@internal user, so I guess this is not
> >> a
> >> self-permission issue.
> >> 
> >> Interesting thing is that I can successfully log-in to the user portal
> >> with a LDAP based user and manage all the VMs assigned to them.
> >> 
> >> Just to see if there's been any configuration change, we also run the
> >> ovirt-engine-extension-aaa-ldap-setup tool, the configuration it
> >> returns
> >> is pretty similar to ours, and even the test commands (Login, Search)
> >> work successfully (I can see search returning user's data like name,
> >> surname, ...). We even applied this configuration to engine to see if
> >> it
> >> makes a difference but the result is the same, the search dialog
> >> returns
> >> nothing and neither I can see the permission to grant.
> >> 
> >> Any hint about this?
> > 
> > Maybe you hit similar issue to this one[1].
> > 
> > Can you please share engine.log, while you hit search button?
> 
> I'm also attaching the log at the time I hit the search button, but I'm
> afraid there's no entry about that.
> 
> Thanks.
> 
> > [1] https://bugzilla.redhat.com/show_bug.cgi?id=1356675
> > 
> >> Thanks


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] LDAP-based domain not working after upgrade?

2016-08-10 Thread nicolas

On 2016-08-10 13:36, nico...@devels.es wrote:

On 2016-08-10 09:32, Ondra Machacek wrote:

On 08/10/2016 10:10 AM, nico...@devels.es wrote:

On 2016-08-10 08:58, Ondra Machacek wrote:

On 08/10/2016 09:37 AM, Nicolás wrote:

Hi,

We're running oVirt 4.0.1.1, and we're trying to grant a permission to a
user on a VM. Thing is when we open the 'Permissions' subtab on that VM,
we click on Add, the LDAP backend shows up but any value entered into
the search box returns nothing, even when I know the values exist.

This has been working on oVirt 3.x, we actually migrated to 4.x last
week and didn't notice this issue.

Additionally, there's no combobox to choose the permission to grant?


There should be combo box to choose a role.


I've attached a screenshot, seems there's not.


OK, it seems like some UI issue. Can you please force reload or clear
browser cache?
Maybe try different browser.


Nope... Cleaned cache from Chrome, Firefox, same result. Even private
windows have the same behaviour. By the way, we have 2 independent
oVirt infrastructures, both upgraded from 3.6.7 and both have the same
issue, I just had a look at the second and the same happens here (no
log in engine.log either). This second is 4.0.0 instead of 4.0.0,
FWIW.



I meant: This second is 4.0.0 instead of 4.0.1





All this is done with the admin@internal user, so I guess this is not a
self-permission issue.

Interesting thing is that I can successfully log-in to the user portal
with a LDAP based user and manage all the VMs assigned to them.

Just to see if there's been any configuration change, we also run the
ovirt-engine-extension-aaa-ldap-setup tool, the configuration it returns
is pretty similar to ours, and even the test commands (Login, Search)
work successfully (I can see search returning user's data like name,
surname, ...). We even applied this configuration to engine to see if it
makes a difference but the result is the same, the search dialog returns
nothing and neither I can see the permission to grant.

Any hint about this?


Maybe you hit similar issue to this one[1].

Can you please share engine.log, while you hit search button?


I'm also attaching the log at the time I hit the search button, but I'm
afraid there's no entry about that.

Thanks.


[1] https://bugzilla.redhat.com/show_bug.cgi?id=1356675


Thanks

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] LDAP-based domain not working after upgrade?

2016-08-10 Thread nicolas

On 2016-08-10 09:32, Ondra Machacek wrote:

On 08/10/2016 10:10 AM, nico...@devels.es wrote:

On 2016-08-10 08:58, Ondra Machacek wrote:

On 08/10/2016 09:37 AM, Nicolás wrote:

Hi,

We're running oVirt 4.0.1.1, and we're trying to grant a permission to a
user on a VM. Thing is when we open the 'Permissions' subtab on that VM,
we click on Add, the LDAP backend shows up but any value entered into
the search box returns nothing, even when I know the values exist.

This has been working on oVirt 3.x, we actually migrated to 4.x last
week and didn't notice this issue.

Additionally, there's no combobox to choose the permission to grant?


There should be combo box to choose a role.


I've attached a screenshot, seems there's not.


OK, it seems like some UI issue. Can you please force reload or clear
browser cache?
Maybe try different browser.


Nope... Cleaned cache from Chrome, Firefox, same result. Even private 
windows have the same behaviour. By the way, we have 2 independent oVirt 
infrastructures, both upgraded from 3.6.7 and both have the same issue, 
I just had a look at the second and the same happens here (no log in 
engine.log either). This second is 4.0.0 instead of 4.0.0, FWIW.






All this is done with the admin@internal user, so I guess this is not a
self-permission issue.

Interesting thing is that I can successfully log-in to the user portal
with a LDAP based user and manage all the VMs assigned to them.

Just to see if there's been any configuration change, we also run the
ovirt-engine-extension-aaa-ldap-setup tool, the configuration it returns
is pretty similar to ours, and even the test commands (Login, Search)
work successfully (I can see search returning user's data like name,
surname, ...). We even applied this configuration to engine to see if it
makes a difference but the result is the same, the search dialog returns
nothing and neither I can see the permission to grant.

Any hint about this?


Maybe you hit similar issue to this one[1].

Can you please share engine.log, while you hit search button?


I'm also attaching the log at the time I hit the search button, but I'm
afraid there's no entry about that.

Thanks.


[1] https://bugzilla.redhat.com/show_bug.cgi?id=1356675




Thanks

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] LDAP-based domain not working after upgrade?

2016-08-10 Thread Ondra Machacek

On 08/10/2016 10:10 AM, nico...@devels.es wrote:

On 2016-08-10 08:58, Ondra Machacek wrote:

On 08/10/2016 09:37 AM, Nicolás wrote:

Hi,

We're running oVirt 4.0.1.1, and we're trying to grant a permission to a
user on a VM. Thing is when we open the 'Permissions' subtab on that VM,
we click on Add, the LDAP backend shows up but any value entered into
the search box returns nothing, even when I know the values exist.

This has been working on oVirt 3.x, we actually migrated to 4.x last
week and didn't notice this issue.

Additionally, there's no combobox to choose the permission to grant?


There should be combo box to choose a role.



I've attached a screenshot, seems there's not.


OK, it seems like some UI issue. Can you please force reload or clear 
browser cache?

Maybe try different browser.





All this is done with the admin@internal user, so I guess this is not a
self-permission issue.

Interesting thing is that I can successfully log-in to the user portal
with a LDAP based user and manage all the VMs assigned to them.

Just to see if there's been any configuration change, we also run the
ovirt-engine-extension-aaa-ldap-setup tool, the configuration it returns
is pretty similar to ours, and even the test commands (Login, Search)
work successfully (I can see search returning user's data like name,
surname, ...). We even applied this configuration to engine to see if it
makes a difference but the result is the same, the search dialog returns
nothing and neither I can see the permission to grant.

Any hint about this?


Maybe you hit similar issue to this one[1].

Can you please share engine.log, while you hit search button?



I'm also attaching the log at the time I hit the search button, but I'm
afraid there's no entry about that.

Thanks.



[1] https://bugzilla.redhat.com/show_bug.cgi?id=1356675



Thanks

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] LDAP-based domain not working after upgrade?

2016-08-10 Thread nicolas

On 2016-08-10 08:58, Ondra Machacek wrote:

On 08/10/2016 09:37 AM, Nicolás wrote:

Hi,

We're running oVirt 4.0.1.1, and we're trying to grant a permission to a
user on a VM. Thing is when we open the 'Permissions' subtab on that VM,
we click on Add, the LDAP backend shows up but any value entered into
the search box returns nothing, even when I know the values exist.

This has been working on oVirt 3.x, we actually migrated to 4.x last
week and didn't notice this issue.

Additionally, there's no combobox to choose the permission to grant?


There should be combo box to choose a role.



I've attached a screenshot, seems there's not.



All this is done with the admin@internal user, so I guess this is not a
self-permission issue.

Interesting thing is that I can successfully log-in to the user portal
with a LDAP based user and manage all the VMs assigned to them.

Just to see if there's been any configuration change, we also run the
ovirt-engine-extension-aaa-ldap-setup tool, the configuration it returns
is pretty similar to ours, and even the test commands (Login, Search)
work successfully (I can see search returning user's data like name,
surname, ...). We even applied this configuration to engine to see if it
makes a difference but the result is the same, the search dialog returns
nothing and neither I can see the permission to grant.

Any hint about this?


Maybe you hit similar issue to this one[1].

Can you please share engine.log, while you hit search button?



I'm also attaching the log at the time I hit the search button, but I'm 
afraid there's no entry about that.


Thanks.



[1] https://bugzilla.redhat.com/show_bug.cgi?id=1356675



Thanks

engine.tar.gz
Description: GNU Zip compressed data
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] LDAP-based domain not working after upgrade?

2016-08-10 Thread Ondra Machacek

On 08/10/2016 09:37 AM, Nicolás wrote:

Hi,

We're running oVirt 4.0.1.1, and we're trying to grant a permission to a
user on a VM. Thing is when we open the 'Permissions' subtab on that VM,
we click on Add, the LDAP backend shows up but any value entered into
the search box returns nothing, even when I know the values exist.

This has been working on oVirt 3.x, we actually migrated to 4.x last
week and didn't notice this issue.

Additionally, there's no combobox to choose the permission to grant?


There should be combo box to choose a role.



All this is done with the admin@internal user, so I guess this is not a
self-permission issue.

Interesting thing is that I can successfully log-in to the user portal
with a LDAP based user and manage all the VMs assigned to them.

Just to see if there's been any configuration change, we also run the
ovirt-engine-extension-aaa-ldap-setup tool, the configuration it returns
is pretty similar to ours, and even the test commands (Login, Search)
work successfully (I can see search returning user's data like name,
surname, ...). We even applied this configuration to engine to see if it
makes a difference but the result is the same, the search dialog returns
nothing and neither I can see the permission to grant.

Any hint about this?


Maybe you hit similar issue to this one[1].

Can you please share engine.log, while you hit search button?

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1356675



Thanks

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


[ovirt-users] LDAP-based domain not working after upgrade?

2016-08-10 Thread Nicolás

Hi,

We're running oVirt 4.0.1.1, and we're trying to grant a permission to a 
user on a VM. Thing is when we open the 'Permissions' subtab on that VM, 
we click on Add, the LDAP backend shows up but any value entered into 
the search box returns nothing, even when I know the values exist.


This has been working on oVirt 3.x, we actually migrated to 4.x last 
week and didn't notice this issue.


Additionally, there's no combobox to choose the permission to grant?

All this is done with the admin@internal user, so I guess this is not a 
self-permission issue.


Interesting thing is that I can successfully log-in to the user portal 
with a LDAP based user and manage all the VMs assigned to them.


Just to see if there's been any configuration change, we also run the 
ovirt-engine-extension-aaa-ldap-setup tool, the configuration it returns 
is pretty similar to ours, and even the test commands (Login, Search) 
work successfully (I can see search returning user's data like name, 
surname, ...). We even applied this configuration to engine to see if it 
makes a difference but the result is the same, the search dialog returns 
nothing and neither I can see the permission to grant.


Any hint about this?

Thanks
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] ldap and multiple profiles

2016-07-11 Thread Ondra Machacek

On 07/04/2016 04:13 PM, Fabrice Bacchella wrote:

I want to setup two LDAP base profile.

One is backed using an active directory (for real users)
One is backed using an openldap (for service account).

I have two problems with this setup.

One is that in the log I see many "Creating LDAP pool 'authz'" and "Creating LDAP 
pool 'authn'". If I have two LDAP backends, I'm afraid there will be a conflict of ldap pools if 
they use the same name.


I am unsure I understand the problem, if you will use different profiles 
you won't share the pool. Can you send the log and explain on that what's 
going on, so we can understand the problem?



I tried to add in my openldap.properties:

search.simple-namespace.pool = authz-prod
search.simple-user-fetch.pool = authz-prod
search.simple-resolve-groups-member.pool = authz-prod
search.simple-resolve-groups-memberOf-item.pool = authz-prod
search.simple-resolve-groups-memberOf.pool = authz-prod
search.simple-query-principals.pool = authz-prod
search.simple-query-groups.pool = authz-prod

Is that enough? And why is it replicated many times?

I have another problem, there is a stupid bug in my openldap configuration, but 
it will be difficult to resolve that.

In it, there are two naming contexts
dc=sub,dc=example,dc=com
and
dc=example,dc=com

Ovirt only sees the first one, and of course, with a little help from Murphy, I 
need the second one. Is there anything I can do about that?


Yes, you can. Please see[1] and check 'Is it possible to use specific 
base DN instead of automatic resolution?'


[1] http://www.ovirt.org/develop/release-management/features/infra/aaa_faq/




___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
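An added example for the pool question in the exchange above (not oVirt project code and not from any poster in this thread): a small Python checker that parses an aaa-ldap profile, expands `${global:...}` variables, verifies that every `search.<name>.pool` points at a pool for which `pool.<name>.*` keys exist, and flags a simple bind on a pool with neither `ssl.startTLS` nor `ssl.enable` set. The `pool.<name>.` naming heuristic, the `ssl.startTLS`/`ssl.enable` key names (assumed to be the STARTTLS and LDAPS switches) and both sample profiles are constructed; pools defined in an `include`d file are reported as unresolved rather than loaded.

```python
import re
from collections import defaultdict

# Matches ${global:some.key} references as used in aaa-ldap profiles.
VAR_RE = re.compile(r"\$\{global:([^}]+)\}")


def parse_properties(text):
    """Parse Java-style .properties text into (props, includes).

    'include = <file>' lines are collected separately: their contents are not
    available here, so anything they define cannot be verified.
    """
    props, includes = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "include":
            includes.append(value)
        else:
            props[key] = value  # last definition wins, as in Java
    return props, includes


def expand(props, value, depth=0):
    """Resolve ${global:key} references recursively; KeyError on an undefined key."""
    if depth > 16:
        raise ValueError("variable expansion too deep (cycle?)")

    def repl(match):
        key = match.group(1)
        if key not in props:
            raise KeyError(key)
        return expand(props, props[key], depth + 1)

    return VAR_RE.sub(repl, value)


def check_profile(text):
    """Return a list of findings (strings) for one profile; empty means clean."""
    props, includes = parse_properties(text)
    findings = []

    # Heuristic (assumption): pool N is "defined here" if any pool.N.<setting> key exists.
    pools = defaultdict(dict)
    for key, value in props.items():
        parts = key.split(".")
        if parts[0] == "pool" and len(parts) >= 3:
            pools[parts[1]][".".join(parts[2:])] = value

    for key, value in props.items():
        try:
            resolved = expand(props, value)
        except KeyError as err:
            findings.append(f"{key}: undefined variable ${{global:{err.args[0]}}}")
            continue
        # Every search.<name>.pool must name a pool defined here or in an include.
        parts = key.split(".")
        if parts[0] == "search" and parts[-1] == "pool" and resolved not in pools:
            hint = f"; not in this file, check includes {includes}" if includes else ""
            findings.append(f"{key} references pool '{resolved}' with no pool.{resolved}.* keys{hint}")

    # A simple bind sends the bind password in clear unless the pool uses TLS.
    # (ssl.startTLS and ssl.enable are assumed to be the STARTTLS / LDAPS switches.)
    for name, settings in pools.items():
        if "auth.simple.bindDN" in settings:
            tls = any(settings.get(k, "false").lower() == "true" for k in ("ssl.startTLS", "ssl.enable"))
            if not tls:
                findings.append(f"pool '{name}': simple bind without ssl.startTLS or ssl.enable")
    return findings


# Constructed sample modelled on the thread: the searches were pointed at
# 'authz-prod' but this file only defines pool.default.
SAMPLE_BROKEN = """
include = <openldap.properties>
vars.server = ldap.example.com
pool.default.serverset.single.server = ${global:vars.server}
pool.default.serverset.single.port = 389
pool.default.auth.simple.bindDN = cn=svc-ovirt,dc=example,dc=com
pool.default.auth.simple.password = secret
search.simple-query-principals.pool = authz-prod
search.simple-query-groups.pool = authz-prod
"""

# Same file with the referenced pool actually defined and both pools on STARTTLS.
SAMPLE_FIXED = SAMPLE_BROKEN + """
pool.default.ssl.startTLS = true
pool.authz-prod.serverset.single.server = ${global:vars.server}
pool.authz-prod.serverset.single.port = 389
pool.authz-prod.ssl.startTLS = true
pool.authz-prod.auth.simple.bindDN = cn=svc-ovirt,dc=example,dc=com
pool.authz-prod.auth.simple.password = secret
"""

if __name__ == "__main__":
    for label, sample in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(f"== {label}")
        for finding in check_profile(sample) or ["no findings"]:
            print(" -", finding)
```

Run it against each profile under /etc/ovirt-engine/aaa/ after editing: a pool name that only appears on the right-hand side of `search.*.pool` lines, with no matching `pool.<name>.*` block in that file or its includes, is the first thing to rule out before reading engine.log.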


[ovirt-users] ldap and multiple profiles

2016-07-04 Thread Fabrice Bacchella
I want to setup two LDAP base profile.

One is backed using an active directory (for real users)
One is backed using an openldap (for service account).

I have two problems with this setup.

One is that in the log I see many "Creating LDAP pool 'authz'" and "Creating 
LDAP pool 'authn'". If I have two LDAP backends, I'm afraid there will be a 
conflict of ldap pools if they use the same name.

I tried to add in my openldap.properties:

search.simple-namespace.pool = authz-prod
search.simple-user-fetch.pool = authz-prod
search.simple-resolve-groups-member.pool = authz-prod
search.simple-resolve-groups-memberOf-item.pool = authz-prod
search.simple-resolve-groups-memberOf.pool = authz-prod
search.simple-query-principals.pool = authz-prod
search.simple-query-groups.pool = authz-prod

Is that enough? And why is it replicated many times?

I have another problem, there is a stupid bug in my openldap configuration, but 
it will be difficult to resolve that.

In it, there are two naming contexts
dc=sub,dc=example,dc=com
and 
dc=example,dc=com

Ovirt only sees the first one, and of course, with a little help from Murphy, I 
need the second one. Is there anything I can do about that?

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] ldap servers configuration can be misleading with AD

2016-04-20 Thread Ondra Machacek

On 04/20/2016 10:33 AM, Fabrice Bacchella wrote:



On 20 Apr 2016 at 10:16, Ondra Machacek wrote:

On 04/19/2016 07:46 PM, Fabrice Bacchella wrote:



On 19 Apr 2016 at 17:35, Ondra Machacek wrote:

On 04/19/2016 04:37 PM, Fabrice Bacchella wrote:

I tried to plug ovirt using my company AD.

But I have a problem, the DNS srv records are not well managed and I can't use 
them so I changed pool.default.serverset.type from srvrecord to failover.


With AD you should use srvrecord, unless you have somehow misconfigured AD.
Can you please elaborate more on what 'DNS srv records are not well 
managed' means?


The command
dig +short  _ldap._tcp.dsone.3ds.com any | wc -l
return 122 lines. Out of that, I can only use less than 10, all other generates 
timeout. I don't know if it's firewall or forgotten DC that generate that. 
There is no way I can use srvrecord.
This domain is totally out of my reach, I have to take it as is.


ok, that's not good, but if some of the domains which are working are in same 
site, you can use 'domain-conversion' (works only with srvrecord):
pool.default.serverset.srvrecord.domain-conversion.type = regex
pool.default.serverset.srvrecord.domain-conversion.regex.pattern = ^(?<domain>.*)$
pool.default.serverset.srvrecord.domain-conversion.regex.replacement = WORKING-SITE._sites.${domain}


What is that supposed to do? All my DCs are in the form xx-xxx-dcs99.${domain} 
and I have to pick one from this list. dig _sites.${domain} returns nothing for me.

What will a regex do?


Well, AD has something called sites [1].
With this regex, you can specify that only those computers will be used.

[1] https://technet.microsoft.com/en-us/library/cc782048%28v=ws.10%29.aspx





Is that your case? Can you please share the log of extensions-tool, so we can 
better understand your problem and provide better help.


I have no knowledge about AD, I'm a 100% linux sysadmin and just use AD as an 
LDAP server, so all those forest/GC are unknown things for me.

I will send that in a private mail.



OK, will take a look.
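The exchange above comes down to a diagnostic question: of the 122 SRV targets, which DCs actually answer within the 500 ms connect timeout, and does scoping the lookup to one AD site (the domain-conversion regex) shrink the set to working servers? The script below is an added example for this thread, not code from oVirt or ovirt-engine-extension-aaa-ldap. It assumes `dig` is installed for the live lookup; `WORKING-SITE` is a placeholder for a real site name, and the SRV lines in the test are constructed. The site-scoped name it builds is the same one the profile's regex produces (`^(?<domain>.*)$` with replacement `WORKING-SITE._sites.${domain}`, which Python spells with a `(?P<domain>...)` group and a `\g<domain>` backreference).

```python
"""Rank the DCs behind an AD SRV record set and report which ones really answer.

Added example for the ovirt-users thread above; not part of oVirt or the
aaa-ldap extension. `dig` is assumed to be installed for the live lookup.
"""
from __future__ import annotations

import re
import socket
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvTarget:
    """One SRV record: which host/port to try, and in what order."""
    priority: int
    weight: int
    port: int
    host: str


def site_scoped_name(domain: str, site: str = "WORKING-SITE") -> str:
    """Python equivalent of the profile's domain-conversion regex.

    Profile: pattern ^(?<domain>.*)$, replacement WORKING-SITE._sites.${domain}.
    Python names the group (?P<domain>...) and references it as \\g<domain>.
    "WORKING-SITE" is a placeholder for a real AD site name.
    """
    return re.sub(r"^(?P<domain>.*)$", site + r"._sites.\g<domain>", domain)


def parse_dig_srv(output: str) -> list[SrvTarget]:
    """Parse `dig +short <name> SRV` output: 'priority weight port target.' per line."""
    targets = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 4 or not all(p.isdigit() for p in parts[:3]):
            continue  # blank line or something that is not SRV RDATA
        prio, weight, port, host = parts
        targets.append(SrvTarget(int(prio), int(weight), int(port), host.rstrip(".")))
    # RFC 2782 client order: lowest priority first, higher weight preferred within it
    return sorted(targets, key=lambda t: (t.priority, -t.weight, t.host))


def lookup_srv(name: str) -> list[SrvTarget]:
    """Live lookup via dig (assumed installed), e.g. name='_ldap._tcp.example.com'."""
    proc = subprocess.run(["dig", "+short", name, "SRV"],
                          capture_output=True, text=True, check=True)
    return parse_dig_srv(proc.stdout)


def tcp_reachable(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a TCP connect completes within `timeout` seconds (500 ms as in the thread)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe(targets, timeout: float = 0.5, connect=tcp_reachable):
    """Split targets into (reachable, dead); `connect` is injectable for offline tests."""
    reachable, dead = [], []
    for t in targets:
        (reachable if connect(t.host, t.port, timeout) else dead).append(t)
    return reachable, dead


def failover_properties(reachable) -> str:
    """Render the reachable DCs as the failover serverset keys used in the thread."""
    lines = ["pool.default.serverset.type = failover"]
    for i, t in enumerate(reachable, start=1):
        lines.append(f"pool.default.serverset.failover.{i}.server = {t.host}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys

    domain = sys.argv[1]
    scoped = site_scoped_name(domain, sys.argv[2]) if len(sys.argv) > 2 else domain
    name = "_ldap._tcp." + scoped
    ok, dead = probe(lookup_srv(name))
    print(f"{name}: {len(ok)} reachable, {len(dead)} timed out")
    print(failover_properties(ok))
```

Run it as `python3 probe_dcs.py example.com` to see the whole SRV set, or `python3 probe_dcs.py example.com MYSITE` to see what the site-scoped name `_ldap._tcp.MYSITE._sites.example.com` resolves to; the printed `failover.N.server` lines are exactly the reachable subset you would otherwise hand-pick for the profile.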


Re: [ovirt-users] ldap servers configuration can be misleading with AD

2016-04-20 Thread Fabrice Bacchella

> On 20 Apr 2016 at 10:16, Ondra Machacek wrote:
> 
> On 04/19/2016 07:46 PM, Fabrice Bacchella wrote:
>> 
>>> On 19 Apr 2016 at 17:35, Ondra Machacek wrote:
>>> 
>>> On 04/19/2016 04:37 PM, Fabrice Bacchella wrote:
 I tried to plug ovirt using my company AD.
 
 But I have a problem, the DNS srv records are not well managed and I can't 
 use them so I changed pool.default.serverset.type from srvrecord to 
 failover.
>>> 
>>> With AD you should use srvrecord, unless you have somehow misconfigured AD.
>>> Can you please elaborate more on what 'DNS srv records are not 
>>> well managed' means?
>> 
>> The command
>> dig +short  _ldap._tcp.dsone.3ds.com any | wc -l
>> returns 122 lines. Out of those, I can only use fewer than 10; all the 
>> others time out. I don't know if it's a firewall or forgotten DCs that 
>> cause that. There is no way I can use srvrecord.
>> This domain is totally out of my reach, I have to take it as is.
> 
> ok, that's not good, but if some of the domains which are working are in the same 
> site, you can use 'domain-conversion' (works only with srvrecord):
> pool.default.serverset.srvrecord.domain-conversion.type = regex
> pool.default.serverset.srvrecord.domain-conversion.regex.pattern = 
> ^(?<domain>.*)$
> pool.default.serverset.srvrecord.domain-conversion.regex.replacement = 
> WORKING-SITE._sites.${domain}

What is that supposed to do? All my DCs are in the form xx-xxx-dcs99.${domain} 
and I have to pick one from this list. dig _sites.${domain} returns nothing for me.

What will a regex do?


> Is that your case? Can you please share the log of extensions-tool, so we can 
> better understand
> your problem and provide better help.

I have no knowledge about AD, I'm a 100% linux sysadmin and just use AD as an 
LDAP server, so all those forest/GC are unknown things for me.

I will send that in a private mail.



Re: [ovirt-users] ldap servers configuration can be misleading with AD

2016-04-20 Thread Ondra Machacek

On 04/19/2016 07:46 PM, Fabrice Bacchella wrote:



On 19 Apr 2016 at 17:35, Ondra Machacek wrote:

On 04/19/2016 04:37 PM, Fabrice Bacchella wrote:

I tried to plug ovirt using my company AD.

But I have a problem, the DNS srv records are not well managed and I can't use 
them so I changed pool.default.serverset.type from srvrecord to failover.


With AD you should use srvrecord, unless you have somehow misconfigured AD.
Can you please elaborate more on what 'DNS srv records are not well 
managed' means?


The command
dig +short  _ldap._tcp.dsone.3ds.com any | wc -l
returns 122 lines. Out of those, I can only use fewer than 10; all the others 
time out. I don't know if it's a firewall or forgotten DCs that cause that. 
There is no way I can use srvrecord.
This domain is totally out of my reach, I have to take it as is.


ok, that's not good, but if some of the domains which are working are in 
the same site, you can use 'domain-conversion' (works only with srvrecord):

pool.default.serverset.srvrecord.domain-conversion.type = regex
pool.default.serverset.srvrecord.domain-conversion.regex.pattern = 
^(?<domain>.*)$
pool.default.serverset.srvrecord.domain-conversion.regex.replacement = 
WORKING-SITE._sites.${domain}






Can you please send the engine log, or if you are on 3.6, use this command to 
test and provide the log:
$ ovirt-engine-extensions-tool --log-level=FINEST --log-file=ad-search.log aaa 
search --entity-name=userX --extension-name=ad-authz


I killed it after 1h of execution and a 1.6MB log file, when I have
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}

With pool.default.serverset.type = failover and 
pool.default.connection-options.connectTimeoutMillis = 500, I got:
time ovirt-engine-extensions-tool  bla
real    1m29.264s
user    0m6.837s
sys     0m0.291s
and a 278KB log file.


And with my setup (pool.default.serverset.type and 
pool.default.dc-resolve.default.serverset.type set to failover, 
pool.default.connection-options.connectTimeoutMillis = 500), I got
real    0m5.084s
user    0m6.343s
sys     0m0.164s
and a 199KB log file.


With pool.default.dc-resolve.enable = false, the result is the same as with 
failover for everyone.


Ok. So make sure the servers in your failover list are GCs (for correct group 
resolution).
Now it could use other servers (which you didn't specify in failover) 
in case you are resolving a
user/group from a different domain, so it's chasing a referral; in that case 
we run 'dig
domainX.forest.com A', so you can actually have more A 
records (inaccessible) for it.


Is that your case? Can you please share the log of extensions-tool, so we 
can better understand your problem and provide better help.





Btw: Do you use a multi-domain AD setup? Or only a single domain?


I think it's a single domain, but I'm not a Microsoft expert at all.





Re: [ovirt-users] ldap servers configuration can be misleading with AD

2016-04-19 Thread Fabrice Bacchella

> On 19 Apr 2016 at 17:35, Ondra Machacek wrote:
> 
> On 04/19/2016 04:37 PM, Fabrice Bacchella wrote:
>> I tried to plug ovirt using my company AD.
>> 
>> But I have a problem, the DNS srv records are not well managed and I can't 
>> use them so I changed pool.default.serverset.type from srvrecord to failover.
> 
> With AD you should use srvrecord, unless you have somehow misconfigured AD.
> Can you please elaborate more on what 'DNS srv records are not well 
> managed' means?

The command
dig +short  _ldap._tcp.dsone.3ds.com any | wc -l
returns 122 lines. Out of those, I can only use fewer than 10; all the others 
time out. I don't know if it's a firewall or forgotten DCs that cause that. 
There is no way I can use srvrecord.
This domain is totally out of my reach, I have to take it as is.

> 
> Can you please send the engine log, or if you are on 3.6, use this command to 
> test and provide the log:
> $ ovirt-engine-extensions-tool --log-level=FINEST --log-file=ad-search.log 
> aaa search --entity-name=userX --extension-name=ad-authz

I killed it after 1h of execution and a 1.6MB log file, when I have
pool.default.serverset.type = srvrecord
pool.default.serverset.srvrecord.domain = ${global:vars.domain}

With pool.default.serverset.type = failover and 
pool.default.connection-options.connectTimeoutMillis = 500, I got:
time ovirt-engine-extensions-tool  bla
real    1m29.264s
user    0m6.837s
sys     0m0.291s
and a 278KB log file.


And with my setup (pool.default.serverset.type and 
pool.default.dc-resolve.default.serverset.type set to failover, 
pool.default.connection-options.connectTimeoutMillis = 500), I got
real    0m5.084s
user    0m6.343s
sys     0m0.164s
and a 199KB log file.


With pool.default.dc-resolve.enable = false, the result is the same as with 
failover for everyone.

> 
> Btw: Do you use a multi-domain AD setup? Or only a single domain?

I think it's a single domain, but I'm not a Microsoft expert at all.




Re: [ovirt-users] ldap servers configuration can be misleading with AD

2016-04-19 Thread Ondra Machacek

On 04/19/2016 04:37 PM, Fabrice Bacchella wrote:

I tried to plug ovirt using my company AD.

But I have a problem, the DNS srv records are not well managed and I can't use 
them so I changed pool.default.serverset.type from srvrecord to failover.


With AD you should use srvrecord, unless you have somehow misconfigured AD.
Can you please elaborate more on what 'DNS srv records are not 
well managed' means?


Can you please send the engine log, or if you are on 3.6, use this 
command to test and provide the log:
$ ovirt-engine-extensions-tool --log-level=FINEST 
--log-file=ad-search.log aaa search --entity-name=userX 
--extension-name=ad-authz


Btw: Do you use a multi-domain AD setup? Or only a single domain?



But it was not enough, it was still using those invalid records. It was used by 
pool.default.dc-resolve.default.serverset.type too. I found that after digging 
in the source. I wonder why it should be specified twice. Why are 
pool.default.dc-resolve.default.serverset and pool.default.serverset 
different?


You can disable 'dc-resolve' with 'pool.default.dc-resolve.enable = false',
but first you should find the issue.



I also need to specify search.ad-resolve-upn.search-request.baseDN because it 
didn't find it any more. I wonder if it's related.

My aaa property file:

include = 

vars.domain = MYDOME
vars.user = A_DN
vars.password = the_password
vars.forest = my_forest

pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = failover
pool.default.serverset.failover.1.server = server1
pool.default.serverset.failover.2.server = server2
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = trust.jks
pool.default.ssl.truststore.password =
pool.default.ssl.startTLSProtocol = TLSv1.2

pool.default.connection-options.connectTimeoutMillis = 500
pool.default.dc-resolve.enable = true
pool.default.dc-resolve.default.serverset.type = failover
pool.default.dc-resolve.serverset.failover.1.server = server1
pool.default.dc-resolve.serverset.failover.2.server = server2

search.ad-resolve-upn.search-request.baseDN = BASE_DN




[ovirt-users] ldap servers configuration can be misleading with AD

2016-04-19 Thread Fabrice Bacchella
I tried to plug ovirt using my company AD.

But I have a problem, the DNS srv records are not well managed and I can't use 
them so I changed pool.default.serverset.type from srvrecord to failover.

But it was not enough, it was still using those invalid records. It was used by 
pool.default.dc-resolve.default.serverset.type too. I found that after digging 
in the source. I wonder why it should be specified twice. Why are 
pool.default.dc-resolve.default.serverset and pool.default.serverset 
different?

I also need to specify search.ad-resolve-upn.search-request.baseDN because it 
didn't find it any more. I wonder if it's related.

My aaa property file:

include = 

vars.domain = MYDOME
vars.user = A_DN
vars.password = the_password
vars.forest = my_forest

pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = failover
pool.default.serverset.failover.1.server = server1
pool.default.serverset.failover.2.server = server2
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = trust.jks
pool.default.ssl.truststore.password = 
pool.default.ssl.startTLSProtocol = TLSv1.2

pool.default.connection-options.connectTimeoutMillis = 500
pool.default.dc-resolve.enable = true
pool.default.dc-resolve.default.serverset.type = failover
pool.default.dc-resolve.serverset.failover.1.server = server1
pool.default.dc-resolve.serverset.failover.2.server = server2

search.ad-resolve-upn.search-request.baseDN = BASE_DN




Re: [ovirt-users] LDAP Authentication

2015-11-05 Thread Alon Bar-Lev


- Original Message -
> From: "Budur Nagaraju" 
> To: "Alon Bar-Lev" 
> Cc: "users" 
> Sent: Thursday, November 5, 2015 8:28:43 AM
> Subject: Re: [ovirt-users] LDAP Authentication
> 
> But I am using oVirt 3.5; after restarting the engine I am not getting any
> warning logs.
> Is there any resolution?

Have you followed the instructions at [1] to enable the debug log?

[1] 
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0#l377

> 
> 
> On Thu, Nov 5, 2015 at 11:55 AM, Alon Bar-Lev  wrote:
> 
> >
> > Extension tool is available since 3.6, will be handy in these cases.
> >
> > - Original Message -
> > > From: "Budur Nagaraju" 
> > > To: "Alon Bar-Lev" 
> > > Cc: "users" 
> > > Sent: Thursday, November 5, 2015 8:17:46 AM
> > > Subject: Re: [ovirt-users] LDAP Authentication
> > >
> > > Getting the below error; tried installing the extension tools but no luck
> > >
> > > # ovirt-engine-extensions-tool aaa abc --profile=ssl --user-name=abc
> > > -bash: ovirt-engine-extensions-tool: command not found
> > >
> > > On Thu, Nov 5, 2015 at 11:39 AM, Alon Bar-Lev  wrote:
> > >
> > > >
> > > > I will need a debug log of a login, please follow these[1]
> > instructions.
> > > >
> > > > [1]
> > > >
> > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0#l377
> > > >
> > > > - Original Message -
> > > > > From: "Budur Nagaraju" 
> > > > > To: "Alon Bar-Lev" 
> > > > > Cc: "users" 
> > > > > Sent: Thursday, November 5, 2015 8:01:54 AM
> > > > > Subject: Re: [ovirt-users] LDAP Authentication
> > > > >
> > > > > Below are the details,
> > > > >
> > > > >
> > > > >  rpm -qa |grep ovirt-engine-extension-aaa-ldap
> > > > > ovirt-engine-extension-aaa-ldap-1.0.2-1.el6.noarch
> > > > >
> > > > > Ovirt Engine Version :3.5
> > > > >
> > > > > we do not have multiple sites.
> > > > >
> > > > > -Nagaraju
> > > > >
> > > > >
> > > > > On Thu, Nov 5, 2015 at 11:25 AM, Alon Bar-Lev 
> > wrote:
> > > > >
> > > > > > Hi,
> > > > > > What version of ovirt?
> > > > > > What version of ovirt-engine-extension-aaa-ldap?
> > > > > > Do you have a domain that spans multiple sites?
> > > > > > Regards,
> > > > > > Alon
> > > > > >
> > > > > > - Original Message -
> > > > > > > From: "Budur Nagaraju" 
> > > > > > > To: "users" 
> > > > > > > Sent: Thursday, November 5, 2015 5:34:18 AM
> > > > > > > Subject: [ovirt-users] LDAP Authentication
> > > > > > >
> > > > > > > HI
> > > > > > >
> > > > > > > LDAP Authentication is taking 5 minutes; is there any way to
> > resolve
> > > > this
> > > > > > issue
> > > > > > > ?
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Nagaraju
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > ___
> > > > > > > Users mailing list
> > > > > > > Users@ovirt.org
> > > > > > > http://lists.ovirt.org/mailman/listinfo/users
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> 


Re: [ovirt-users] LDAP Authentication

2015-11-04 Thread Budur Nagaraju
But I am using oVirt 3.5; after restarting the engine I am not getting any
warning logs.
Is there any resolution?


On Thu, Nov 5, 2015 at 11:55 AM, Alon Bar-Lev  wrote:

>
> Extension tool is available since 3.6, will be handy in these cases.
>
> - Original Message -
> > From: "Budur Nagaraju" 
> > To: "Alon Bar-Lev" 
> > Cc: "users" 
> > Sent: Thursday, November 5, 2015 8:17:46 AM
> > Subject: Re: [ovirt-users] LDAP Authentication
> >
> > Getting the below error; tried installing the extension tools but no luck
> >
> > # ovirt-engine-extensions-tool aaa abc --profile=ssl --user-name=abc
> > -bash: ovirt-engine-extensions-tool: command not found
> >
> > On Thu, Nov 5, 2015 at 11:39 AM, Alon Bar-Lev  wrote:
> >
> > >
> > > I will need a debug log of a login, please follow these[1]
> instructions.
> > >
> > > [1]
> > >
> https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0#l377
> > >
> > > - Original Message -
> > > > From: "Budur Nagaraju" 
> > > > To: "Alon Bar-Lev" 
> > > > Cc: "users" 
> > > > Sent: Thursday, November 5, 2015 8:01:54 AM
> > > > Subject: Re: [ovirt-users] LDAP Authentication
> > > >
> > > > Below are the details,
> > > >
> > > >
> > > >  rpm -qa |grep ovirt-engine-extension-aaa-ldap
> > > > ovirt-engine-extension-aaa-ldap-1.0.2-1.el6.noarch
> > > >
> > > > Ovirt Engine Version :3.5
> > > >
> > > > we do not have multiple sites.
> > > >
> > > > -Nagaraju
> > > >
> > > >
> > > > On Thu, Nov 5, 2015 at 11:25 AM, Alon Bar-Lev 
> wrote:
> > > >
> > > > > Hi,
> > > > > What version of ovirt?
> > > > > What version of ovirt-engine-extension-aaa-ldap?
> > > > > Do you have a domain that spans multiple sites?
> > > > > Regards,
> > > > > Alon
> > > > >
> > > > > - Original Message -
> > > > > > From: "Budur Nagaraju" 
> > > > > > To: "users" 
> > > > > > Sent: Thursday, November 5, 2015 5:34:18 AM
> > > > > > Subject: [ovirt-users] LDAP Authentication
> > > > > >
> > > > > > HI
> > > > > >
> > > > > > LDAP Authentication is taking 5 minutes; is there any way to
> resolve
> > > this
> > > > > issue
> > > > > > ?
> > > > > >
> > > > > > Thanks,
> > > > > > Nagaraju
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > ___
> > > > > > Users mailing list
> > > > > > Users@ovirt.org
> > > > > > http://lists.ovirt.org/mailman/listinfo/users
> > > > > >
> > > > >
> > > >
> > >
> >
>


Re: [ovirt-users] LDAP Authentication

2015-11-04 Thread Alon Bar-Lev

Extension tool is available since 3.6, will be handy in these cases.

- Original Message -
> From: "Budur Nagaraju" 
> To: "Alon Bar-Lev" 
> Cc: "users" 
> Sent: Thursday, November 5, 2015 8:17:46 AM
> Subject: Re: [ovirt-users] LDAP Authentication
> 
> Getting the below error; tried installing the extension tools but no luck
> 
> # ovirt-engine-extensions-tool aaa abc --profile=ssl --user-name=abc
> -bash: ovirt-engine-extensions-tool: command not found
> 
> On Thu, Nov 5, 2015 at 11:39 AM, Alon Bar-Lev  wrote:
> 
> >
> > I will need a debug log of a login, please follow these[1] instructions.
> >
> > [1]
> > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0#l377
> >
> > - Original Message -
> > > From: "Budur Nagaraju" 
> > > To: "Alon Bar-Lev" 
> > > Cc: "users" 
> > > Sent: Thursday, November 5, 2015 8:01:54 AM
> > > Subject: Re: [ovirt-users] LDAP Authentication
> > >
> > > Below are the details,
> > >
> > >
> > >  rpm -qa |grep ovirt-engine-extension-aaa-ldap
> > > ovirt-engine-extension-aaa-ldap-1.0.2-1.el6.noarch
> > >
> > > Ovirt Engine Version :3.5
> > >
> > > we do not have multiple sites.
> > >
> > > -Nagaraju
> > >
> > >
> > > On Thu, Nov 5, 2015 at 11:25 AM, Alon Bar-Lev  wrote:
> > >
> > > > Hi,
> > > > What version of ovirt?
> > > > What version of ovirt-engine-extension-aaa-ldap?
> > > > Do you have a domain that spans multiple sites?
> > > > Regards,
> > > > Alon
> > > >
> > > > - Original Message -
> > > > > From: "Budur Nagaraju" 
> > > > > To: "users" 
> > > > > Sent: Thursday, November 5, 2015 5:34:18 AM
> > > > > Subject: [ovirt-users] LDAP Authentication
> > > > >
> > > > > HI
> > > > >
> > > > > LDAP Authentication is taking 5 minutes; is there any way to resolve
> > this
> > > > issue
> > > > > ?
> > > > >
> > > > > Thanks,
> > > > > Nagaraju
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > ___
> > > > > Users mailing list
> > > > > Users@ovirt.org
> > > > > http://lists.ovirt.org/mailman/listinfo/users
> > > > >
> > > >
> > >
> >
> 


Re: [ovirt-users] LDAP Authentication

2015-11-04 Thread Budur Nagaraju
Getting the below error; tried installing the extension tools but no luck

# ovirt-engine-extensions-tool aaa abc --profile=ssl --user-name=abc
-bash: ovirt-engine-extensions-tool: command not found

On Thu, Nov 5, 2015 at 11:39 AM, Alon Bar-Lev  wrote:

>
> I will need a debug log of a login, please follow these[1] instructions.
>
> [1]
> https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0#l377
>
> - Original Message -
> > From: "Budur Nagaraju" 
> > To: "Alon Bar-Lev" 
> > Cc: "users" 
> > Sent: Thursday, November 5, 2015 8:01:54 AM
> > Subject: Re: [ovirt-users] LDAP Authentication
> >
> > Below are the details,
> >
> >
> >  rpm -qa |grep ovirt-engine-extension-aaa-ldap
> > ovirt-engine-extension-aaa-ldap-1.0.2-1.el6.noarch
> >
> > Ovirt Engine Version :3.5
> >
> > we do not have multiple sites.
> >
> > -Nagaraju
> >
> >
> > On Thu, Nov 5, 2015 at 11:25 AM, Alon Bar-Lev  wrote:
> >
> > > Hi,
> > > What version of ovirt?
> > > What version of ovirt-engine-extension-aaa-ldap?
> > > Do you have a domain that spans multiple sites?
> > > Regards,
> > > Alon
> > >
> > > - Original Message -
> > > > From: "Budur Nagaraju" 
> > > > To: "users" 
> > > > Sent: Thursday, November 5, 2015 5:34:18 AM
> > > > Subject: [ovirt-users] LDAP Authentication
> > > >
> > > > HI
> > > >
> > > > LDAP Authentication is taking 5 minutes; is there any way to resolve
> this
> > > issue
> > > > ?
> > > >
> > > > Thanks,
> > > > Nagaraju
> > > >
> > > >
> > > >
> > > >
> > > > ___
> > > > Users mailing list
> > > > Users@ovirt.org
> > > > http://lists.ovirt.org/mailman/listinfo/users
> > > >
> > >
> >
>


Re: [ovirt-users] LDAP Authentication

2015-11-04 Thread Alon Bar-Lev

I will need a debug log of a login, please follow these[1] instructions.

[1] 
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0#l377

- Original Message -
> From: "Budur Nagaraju" 
> To: "Alon Bar-Lev" 
> Cc: "users" 
> Sent: Thursday, November 5, 2015 8:01:54 AM
> Subject: Re: [ovirt-users] LDAP Authentication
> 
> Below are the details,
> 
> 
>  rpm -qa |grep ovirt-engine-extension-aaa-ldap
> ovirt-engine-extension-aaa-ldap-1.0.2-1.el6.noarch
> 
> Ovirt Engine Version :3.5
> 
> we do not have multiple sites.
> 
> -Nagaraju
> 
> 
> On Thu, Nov 5, 2015 at 11:25 AM, Alon Bar-Lev  wrote:
> 
> > Hi,
> > What version of ovirt?
> > What version of ovirt-engine-extension-aaa-ldap?
> > Do you have a domain that spans multiple sites?
> > Regards,
> > Alon
> >
> > - Original Message -
> > > From: "Budur Nagaraju" 
> > > To: "users" 
> > > Sent: Thursday, November 5, 2015 5:34:18 AM
> > > Subject: [ovirt-users] LDAP Authentication
> > >
> > > HI
> > >
> > > LDAP Authentication is taking 5 minutes; is there any way to resolve this
> > issue
> > > ?
> > >
> > > Thanks,
> > > Nagaraju
> > >
> > >
> > >
> > >
> > > ___
> > > Users mailing list
> > > Users@ovirt.org
> > > http://lists.ovirt.org/mailman/listinfo/users
> > >
> >
> 


Re: [ovirt-users] LDAP Authentication

2015-11-04 Thread Budur Nagaraju
Below are the details,


 rpm -qa |grep ovirt-engine-extension-aaa-ldap
ovirt-engine-extension-aaa-ldap-1.0.2-1.el6.noarch

Ovirt Engine Version :3.5

we do not have multiple sites.

-Nagaraju


On Thu, Nov 5, 2015 at 11:25 AM, Alon Bar-Lev  wrote:

> Hi,
> What version of ovirt?
> What version of ovirt-engine-extension-aaa-ldap?
> Do you have a domain that spans multiple sites?
> Regards,
> Alon
>
> - Original Message -
> > From: "Budur Nagaraju" 
> > To: "users" 
> > Sent: Thursday, November 5, 2015 5:34:18 AM
> > Subject: [ovirt-users] LDAP Authentication
> >
> > HI
> >
> > LDAP Authentication is taking 5 minutes; is there any way to resolve this
> issue
> > ?
> >
> > Thanks,
> > Nagaraju
> >
> >
> >
> >
> > ___
> > Users mailing list
> > Users@ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
> >
>


Re: [ovirt-users] LDAP Authentication

2015-11-04 Thread Alon Bar-Lev
Hi,
What version of ovirt?
What version of ovirt-engine-extension-aaa-ldap?
Do you have a domain that spans multiple sites?
Regards,
Alon

- Original Message -
> From: "Budur Nagaraju" 
> To: "users" 
> Sent: Thursday, November 5, 2015 5:34:18 AM
> Subject: [ovirt-users] LDAP Authentication
> 
> HI
> 
> LDAP Authentication is taking 5 minutes; is there any way to resolve this
> issue?
> 
> Thanks,
> Nagaraju
> 
> 
> 
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 


[ovirt-users] LDAP Authentication

2015-11-04 Thread Budur Nagaraju
HI

LDAP Authentication is taking 5 minutes; is there any way to resolve this
issue?

Thanks,
Nagaraju


Re: [ovirt-users] LDAP authentication with TLS

2015-10-07 Thread Donny Davis
What are you using as the var.server parameter... does it match the cert...

On Wed, Oct 7, 2015 at 2:43 PM, Alon Bar-Lev  wrote:

>
> Summary:
> Using legacy ldaps protocol the user's expected certificate was retrieved.
> Using startTLS a different and a self signed certificate was retrieved.
> Two different identities via the two interfaces which should have returned
> a single identity.
>
> - Original Message -
> > From: "Alon Bar-Lev" 
> > To: "Steve Dainard" 
> > Cc: "users" 
> > Sent: Wednesday, October 7, 2015 12:01:59 AM
> > Subject: Re: [ovirt-users] LDAP authentication with TLS
> >
> > Hi,
> >
> > Can you please send me the profile, the keystore you created and the
> output
> > of:
> >
> > openssl s_client -connect server:636 -showcerts < /dev/null
> >
> > Thanks!
> >
> > - Original Message -
> > > From: "Steve Dainard" 
> > > To: "users" 
> > > Sent: Tuesday, October 6, 2015 11:50:41 PM
> > > Subject: [ovirt-users] LDAP authentication with TLS
> > >
> > > Hello,
> > >
> > > Trying to configure Ovirt 3.5.3.1-1.el7.centos for LDAP authentication.
> > >
> > > I've configured the appropriate aaa profile but I'm getting TLS errors
> > >  when I search for users to add via ovirt:
> > >
> > > The connection reader was unable to successfully complete TLS
> > > negotiation: javax_net_ssl_SSLHandshakeException:
> > > sun_security_validator_ValidatorException: No trusted certificate
> > > found caused by sun_security_validator_ValidatorException: No trusted
> > > certificate found
> > >
> > > I added the external CA certificate using keytool as per
> > > https://github.com/oVirt/ovirt-engine-extension-aaa-ldap with
> > > appropriate adjustments of course:
> > >
> > > keytool -importcert -noprompt -trustcacerts -alias myrootca \
> > >-file myrootca.pem -keystore myrootca.jks -storepass changeit
> > >
> > > I know this certificate works, and can connect to LDAP with TLS as I'm
> > > using the same LDAP configuration/certificate with SSSD.
> > >
> > > Can anyone clarify whether I should be adding the external CA
> > > certificate or the LDAP host certificate with keytool or any other
> > > suggestions?
> > >
> > > Thanks,
> > > Steve
> > > ___
> > > Users mailing list
> > > Users@ovirt.org
> > > http://lists.ovirt.org/mailman/listinfo/users
> > >
> >
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>



-- 
Donny Davis


Re: [ovirt-users] LDAP authentication with TLS

2015-10-07 Thread Alon Bar-Lev

Summary:
Using legacy ldaps protocol the user's expected certificate was retrieved.
Using startTLS a different and a self signed certificate was retrieved.
Two different identities via the two interfaces which should have returned a 
single identity.

- Original Message -
> From: "Alon Bar-Lev" 
> To: "Steve Dainard" 
> Cc: "users" 
> Sent: Wednesday, October 7, 2015 12:01:59 AM
> Subject: Re: [ovirt-users] LDAP authentication with TLS
> 
> Hi,
> 
> Can you please send me the profile, the keystore you created and the output
> of:
> 
> openssl s_client -connect server:636 -showcerts < /dev/null
> 
> Thanks!
> 
> - Original Message -
> > From: "Steve Dainard" 
> > To: "users" 
> > Sent: Tuesday, October 6, 2015 11:50:41 PM
> > Subject: [ovirt-users] LDAP authentication with TLS
> > 
> > Hello,
> > 
> > Trying to configure Ovirt 3.5.3.1-1.el7.centos for LDAP authentication.
> > 
> > I've configured the appropriate aaa profile but I'm getting TLS errors
> >  when I search for users to add via ovirt:
> > 
> > The connection reader was unable to successfully complete TLS
> > negotiation: javax_net_ssl_SSLHandshakeException:
> > sun_security_validator_ValidatorException: No trusted certificate
> > found caused by sun_security_validator_ValidatorException: No trusted
> > certificate found
> > 
> > I added the external CA certificate using keytool as per
> > https://github.com/oVirt/ovirt-engine-extension-aaa-ldap with
> > appropriate adjustments of course:
> > 
> > keytool -importcert -noprompt -trustcacerts -alias myrootca \
> >-file myrootca.pem -keystore myrootca.jks -storepass changeit
> > 
> > I know this certificate works, and can connect to LDAP with TLS as I'm
> > using the same LDAP configuration/certificate with SSSD.
> > 
> > Can anyone clarify whether I should be adding the external CA
> > certificate or the LDAP host certificate with keytool or any other
> > suggestions?
> > 
> > Thanks,
> > Steve
> > ___
> > Users mailing list
> > Users@ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
> > 
> 
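Alon's summary is the whole finding: the ldaps:// listener on 636 handed back the certificate Steve expected, but after StartTLS on 389 the server presented a different, self-signed one, so the imported CA could never validate it. The script below reproduces that check so the two identities can be compared directly. It is an added example for this thread, not code from oVirt or the aaa-ldap extension. It hand-encodes the LDAP StartTLS ExtendedRequest (RFC 4511 section 4.14, OID 1.3.6.1.4.1.1466.20037) so it needs nothing beyond the Python standard library; host and ports are assumptions passed in by the caller, and like `openssl s_client -showcerts` it deliberately does not verify the chain, because the point is to see what the server presents, not to trust it.

```python
"""Compare the server certificate on ldaps://host:636 with the one presented
after StartTLS on host:389, to spot the "two identities" case from the thread.

Added example for the ovirt-users thread above; not part of oVirt or the
aaa-ldap extension. Encoding/parsing runs offline; the *_fingerprint
functions need a reachable server.
"""
import hashlib
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber_len(n: int) -> bytes:
    """Definite-length BER length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }.

    message_id is kept in 1..127 so the INTEGER encodes as a single byte.
    """
    if not 1 <= message_id <= 127:
        raise ValueError("message_id must be in 1..127 for this encoder")
    ext = tlv(0x77, tlv(0x80, STARTTLS_OID))  # 0x77 = [APPLICATION 23], 0x80 = [0]
    return tlv(0x30, tlv(0x02, bytes([message_id])) + ext)


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos) for a definite-length BER TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long form: low 7 bits give the number of length octets
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_starttls_response(data: bytes):
    """Return (messageID, resultCode) from an ExtendedResponse [APPLICATION 24]."""
    tag, msg, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = read_tlv(msg)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x78:  # 0x78 = [APPLICATION 24] ExtendedResponse
        raise ValueError(f"unexpected protocolOp tag 0x{tag:02x}")
    tag, code, _ = read_tlv(op)
    if tag != 0x0A:  # resultCode is an ENUMERATED
        raise ValueError("missing resultCode")
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big")


def _fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def _probe_context() -> ssl.SSLContext:
    # Diagnostic only: like `openssl s_client -showcerts` we want to SEE the
    # certificate even when it would not validate, so verification is off here.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def ldaps_fingerprint(host: str, port: int = 636, timeout: float = 5.0) -> str:
    """SHA-256 of the DER certificate on the legacy ldaps listener."""
    with socket.create_connection((host, port), timeout=timeout) as raw, \
            _probe_context().wrap_socket(raw, server_hostname=host) as tls:
        return _fingerprint(tls.getpeercert(binary_form=True))


def starttls_fingerprint(host: str, port: int = 389, timeout: float = 5.0) -> str:
    """SHA-256 of the DER certificate presented after an LDAP StartTLS."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(build_starttls_request())
        _, code = parse_starttls_response(raw.recv(4096))
        if code != 0:
            raise RuntimeError(f"StartTLS refused, resultCode={code}")
        with _probe_context().wrap_socket(raw, server_hostname=host) as tls:
            return _fingerprint(tls.getpeercert(binary_form=True))


def same_identity(host: str):
    """(True/False, ldaps fingerprint, starttls fingerprint) for one server."""
    a, b = ldaps_fingerprint(host), starttls_fingerprint(host)
    return a == b, a, b


if __name__ == "__main__":
    import sys

    same, a, b = same_identity(sys.argv[1])
    print("ldaps   :", a)
    print("starttls:", b)
    print("same certificate" if same else "DIFFERENT certificates: fix the StartTLS listener")
```

If the two fingerprints differ, importing the CA into the JKS truststore cannot help the startTLS profile; the 389 listener (or whatever sits in front of it) is serving a certificate the CA never signed, which is the situation Alon describes. When they match, the truststore contents are the next thing to check.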


Re: [ovirt-users] LDAP

2015-10-07 Thread Fernando Fuentes

Alon,

Much appreciated!

Regards,

On 10/07/2015 10:49 AM, Alon Bar-Lev wrote:

Yes, see[1]

[1] https://github.com/machacekondra/ovirt-engine-kerbldap-migration/releases

- Original Message -

From: "Fernando Fuentes" 
To: users@ovirt.org
Sent: Wednesday, October 7, 2015 6:46:38 PM
Subject: [ovirt-users] LDAP

I migrated from 3.4 to 3.5 and I see that my kerberos/ldap is no longer
working and looking further now I see that 3.5 uses AAA.
Is there a migration process to move my kerberos/ldap to AAA or a guide
to this?

TIA!
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users




Re: [ovirt-users] LDAP

2015-10-07 Thread Alon Bar-Lev

Yes, see[1]

[1] https://github.com/machacekondra/ovirt-engine-kerbldap-migration/releases

- Original Message -
> From: "Fernando Fuentes" 
> To: users@ovirt.org
> Sent: Wednesday, October 7, 2015 6:46:38 PM
> Subject: [ovirt-users] LDAP
> 
> I migrated from 3.4 to 3.5 and I see that my kerberos/ldap is no longer
> working and looking further now I see that 3.5 uses AAA.
> Is there a migration process to move my kerberos/ldap to AAA or a guide
> to this?
> 
> TIA!
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 


[ovirt-users] LDAP

2015-10-07 Thread Fernando Fuentes
I migrated from 3.4 to 3.5 and I see that my kerberos/ldap is no longer 
working and looking further now I see that 3.5 uses AAA.
Is there a migration process to move my kerberos/ldap to AAA or a guide 
to this?


TIA!


Re: [ovirt-users] LDAP authentication with TLS

2015-10-06 Thread Alon Bar-Lev
Hi,

Can you please send me the profile, the keystore you created and the output of:

openssl s_client -connect server:636 -showcerts < /dev/null

Thanks!

- Original Message -
> From: "Steve Dainard" 
> To: "users" 
> Sent: Tuesday, October 6, 2015 11:50:41 PM
> Subject: [ovirt-users] LDAP authentication with TLS
> 
> Hello,
> 
> Trying to configure Ovirt 3.5.3.1-1.el7.centos for LDAP authentication.
> 
> I've configured the appropriate aaa profile but I'm getting TLS errors
> when I search for users to add via ovirt:
> 
> The connection reader was unable to successfully complete TLS
> negotiation: javax_net_ssl_SSLHandshakeException:
> sun_security_validator_ValidatorException: No trusted certificate
> found caused by sun_security_validator_ValidatorException: No trusted
> certificate found
> 
> I added the external CA certificate using keytool as per
> https://github.com/oVirt/ovirt-engine-extension-aaa-ldap with
> appropriate adjustments of course:
> 
> keytool -importcert -noprompt -trustcacerts -alias myrootca \
>     -file myrootca.pem -keystore myrootca.jks -storepass changeit
> 
> I know this certificate works, and can connect to LDAP with TLS as I'm
> using the same LDAP configuration/certificate with SSSD.
> 
> Can anyone clarify whether I should be adding the external CA
> certificate or the LDAP host certificate with keytool or any other
> suggestions?
> 
> Thanks,
> Steve


[ovirt-users] LDAP authentication with TLS

2015-10-06 Thread Steve Dainard
Hello,

Trying to configure Ovirt 3.5.3.1-1.el7.centos for LDAP authentication.

I've configured the appropriate aaa profile but I'm getting TLS errors
when I search for users to add via ovirt:

The connection reader was unable to successfully complete TLS
negotiation: javax_net_ssl_SSLHandshakeException:
sun_security_validator_ValidatorException: No trusted certificate
found caused by sun_security_validator_ValidatorException: No trusted
certificate found

I added the external CA certificate using keytool as per
https://github.com/oVirt/ovirt-engine-extension-aaa-ldap with
appropriate adjustments of course:

keytool -importcert -noprompt -trustcacerts -alias myrootca \
    -file myrootca.pem -keystore myrootca.jks -storepass changeit

I know this certificate works, and can connect to LDAP with TLS as I'm
using the same LDAP configuration/certificate with SSSD.

Can anyone clarify whether I should be adding the external CA
certificate or the LDAP host certificate with keytool or any other
suggestions?

Thanks,
Steve
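Picking the right certificate for the keystore, as an added example that is not from the thread or the oVirt project: it parses the chain section of the `openssl s_client -showcerts` dump Alon asks for, separates the host certificate from the CA certificates, and emits the README's keytool command together with the two truststore keys the shipped profile carries commented out. The dump is constructed and its PEM bodies are placeholders; the hostnames and CA names are assumed.

```python
"""Which certificate belongs in the aaa-ldap truststore?

Added example for this thread, not code from the oVirt project. It reads the
chain section of an `openssl s_client -connect server:636 -showcerts` dump,
tells the host certificate apart from the CA certificates, and builds the
keytool command from the extension README. SAMPLE_DUMP is constructed; its
PEM bodies are placeholders, not real certificates."""
import re
from dataclasses import dataclass

# One chain element as s_client prints it: " N s:<subject>", "   i:<issuer>",
# then the PEM block. Works for "/C=US/CN=host" and "C = US, CN = host" names.
CHAIN_ELEMENT = re.compile(
    r"^[ \t]*(\d+)[ \t]+s:([^\n]*)\n[ \t]*i:([^\n]*)\n"
    r"(-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----)",
    re.M | re.S,
)


@dataclass
class ChainCert:
    index: int  # position in the chain; 0 is the server (leaf) certificate
    subject: str
    issuer: str
    pem: str

    @property
    def self_signed(self) -> bool:
        # A root CA is its own issuer; leaf and intermediate certificates are not.
        return self.subject == self.issuer


def parse_showcerts(dump: str) -> list[ChainCert]:
    """Return the chain in the order the server presented it (leaf first)."""
    chain = [ChainCert(int(i), s.strip(), iss.strip(), pem)
             for i, s, iss, pem in CHAIN_ELEMENT.findall(dump)]
    if not chain:
        raise ValueError("no certificate chain in the output; was -showcerts given?")
    return chain


def trust_anchor(chain: list[ChainCert]) -> tuple[ChainCert, str]:
    """Choose the certificate to import, with the reason.

    The host certificate (index 0) is the wrong pick unless it is self-signed:
    it changes at every renewal and logins would break with it. The highest CA
    the server sent is the candidate; if that one is not self-signed the root
    was not sent, and the root from your own CA is the better import."""
    top = chain[-1]
    if top.self_signed:
        return top, ("self-signed server certificate" if top.index == 0
                     else "root CA sent by the server")
    if top.index == 0:
        return top, "only the host certificate was sent; import its issuing CA from your PKI"
    return top, "intermediate CA; prefer the root certificate from your CA if you have it"


def keytool_import(pem_file: str, alias: str, keystore: str,
                   storepass: str = "changeit") -> list[str]:
    """The README's import command as an argv list (nothing to shell-quote)."""
    return ["keytool", "-importcert", "-noprompt", "-trustcacerts",
            "-alias", alias, "-file", pem_file,
            "-keystore", keystore, "-storepass", storepass]


def truststore_profile_lines(keystore: str, storepass: str = "changeit") -> list[str]:
    """Profile keys that point the LDAP pool at the keystore. Without them the
    JVM default truststore is used, which knows nothing of a private CA, and
    the engine reports "No trusted certificate found" however good the JKS is."""
    return [f"pool.default.ssl.truststore.file = {keystore}",
            f"pool.default.ssl.truststore.password = {storepass}"]


# Constructed s_client output: leaf signed by an intermediate, root not sent.
SAMPLE_DUMP = """CONNECTED(00000003)
---
Certificate chain
 0 s:CN = ldap.example.com
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
MIIC...placeholder-leaf-not-a-real-certificate...
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIC...placeholder-intermediate-not-a-real-certificate...
-----END CERTIFICATE-----
---
Server certificate
subject=CN = ldap.example.com
"""

if __name__ == "__main__":
    chain = parse_showcerts(SAMPLE_DUMP)
    anchor, why = trust_anchor(chain)
    print(f"import chain element {anchor.index} ({anchor.subject}): {why}")
    print(" ".join(keytool_import("ca.pem", "myrootca", "ldap.example.com.jks")))
    print("\n".join(truststore_profile_lines("${local:_basedir}/ldap.example.com.jks")))
```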


Re: [ovirt-users] LDAP Authentication

2015-09-23 Thread Alon Bar-Lev

SuperUser is required to login user to webadmin.
Not sure what is "too long time"... without any logs nobody can help you.

- Original Message -
> From: "Budur Nagaraju" 
> To: "Ondra Machacek" 
> Cc: users@ovirt.org
> Sent: Wednesday, September 23, 2015 10:39:50 AM
> Subject: Re: [ovirt-users] LDAP Authentication
> 
> When I give "superuser" permission then able to login and its taking too long
> time to login.
> Pls suggest any thing needs to be done ?
> 
> On Wed, Sep 23, 2015 at 1:07 PM, Ondra Machacek < omach...@redhat.com >
> wrote:
> 
> 
> 
> Should work well, strange.
> The 'warn' message you sent was unsuccessful login to webadmin as I can see
> 'LoginAdminUserCommand', in UserPortal it's 'LoginUserCommand'.
> Please try to assign UserRole to some vm to another user in domain if it will
> work properly, if not please open bz.
> 
> 
> On 09/23/2015 09:29 AM, Budur Nagaraju wrote:
> 
> 
> 
> yeah facing issues while logging to the user portal.
> 
> On Wed, Sep 23, 2015 at 12:54 PM, Ondra Machacek < omach...@redhat.com >
> wrote:
> 
> 
> 
> With UserRole you can only login to UserPortal, not webadmin. Do you have
> this issue when you try to login to UserPortal?
> 
> 
> On 09/23/2015 09:22 AM, Budur Nagaraju wrote:
> 
> 
> 
> Provided the "user role" permissions still same issue
> 
> On Wed, Sep 23, 2015 at 12:48 PM, Ondra Machacek < omach...@redhat.com >
> wrote:
> 
> 
> 
> Hi,
> 
> your user nbud...@abc.net doesn't have appropriate permissions to login.
> First you need to login as 'admin@internal' and assign him some permissions,
> then you will be able to login.
> 
> Ondra
> 
> 
> On 09/23/2015 09:15 AM, Budur Nagaraju wrote:
> 
> 
> 
> HI All,
> 
> After rectifying this able to search the domain in the users in UI,
> but unable to login getting the below error ,
> 
> 
> 2015-09-23 12:41:47,482 WARN
> [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand]
> (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for user
> nbud...@abc.net . Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
> 
> Thanks,
> Nagaraju
> 
> 
> 
> 
> 
> On Wed, Sep 23, 2015 at 12:13 PM, Ondra Machacek < omach...@redhat.com >
> wrote:
> 
> 
> 
> Hi,
> 
> as Alon already said, you have trailing space in your configuration
> 
> ' my.abc.net ' <-- space at the end
> 
> Please remove this space and try again.
> 
> Ondra
> 
> 
> On 09/23/2015 05:35 AM, Budur Nagaraju wrote:
> 
> 
> 
> HI Alon,
> 
> Tried all the options but no luck ,
> 
> I have copied the logs in the pastebin below is the link , warning message is
> that unable to resolve the DNS ,let me know any help would I get .
> 
> http://pastebin.com/7qN9QnHK
> 
> Thanks,
> Nagaraju
> 
> 
> On Tue, Sep 22, 2015 at 8:44 PM, Daniel Helgenberger <daniel.helgenber...@m-box.de> wrote:
> 
> 
> Hello Budur,
> 
> I've done this recently. Alon, no offense, but the docs are not quite
> straightforward...
> 
> Requirements:
> - LDAP server (obviously) - called here ldap.mydomain.com
> - LDAP bind account - called here l...@mydomain.com, password 'Passw@rd'
> - At least one existing account in ldap, called u...@mydomain.com
> 
> Please note, the most common issue will be DNS.
> 
> I'll describe in short what steps need to be taken. All this needs to be done
> on your engine host. In the end this was quite easy :)
> 
> 1. Install the packages: ovirt-engine-extension-aaa-ldap and openldap-clients
> (these are only for testing your setup)
> 2. Test if ldap is working in general. (The extension uses the global catalog
> at least for AD, this was news to me):
> # ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H ldap://ldap.mydomain.com:3268/ -x \
>   -D 'l...@mydomain.com' -w Passw@rd -b '' '(userPrincipalName=u...@mydomain.com)' cn userPrincipalName
> 
> If this command does not return details of the user, do debug your ldap and
> continue once this works. Example:
> 
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope subtree
> # filter: (userPrincipalName=u...@mydomain.com)
> # requesting: cn userPrincipalName
> # with pagedResults control: size=1024
> #
> 
> # Some Name, some-ou, mydomain.com
> dn: CN=Some Name,OU=some-ou,DC=mydomain,DC=com
> cn: Some Name
> userPrincipalName: u...@mydomain.com
> 
> # search result
> search: 2
> result: 0 Success
> control: 1.2.840.113556.1

Re: [ovirt-users] LDAP Authentication

2015-09-23 Thread Alon Bar-Lev


- Original Message -
> From: "Daniel Helgenberger" 
> To: "Budur Nagaraju" , "Alon Bar-Lev" 
> Cc: users@ovirt.org
> Sent: Tuesday, September 22, 2015 6:14:50 PM
> Subject: Re: [ovirt-users] LDAP Authentication
> 
> Hello Budur,
> 
> I've done this recently. Alon, no offense, but the docs are not quite
> straightforward...
> 

Patches to documentation will be most welcomed.
However, these should not assume a specific environment nor mode.

Thanks!


Re: [ovirt-users] LDAP Authentication

2015-09-23 Thread Budur Nagaraju
 return details of the user, do debug your
>>>>> ldap and continue once this works. Example:
>>>>>
>>>>> # extended LDIF
>>>>> #
>>>>> # LDAPv3
>>>>> # base <> with scope subtree
>>>>> # filter: (userPrincipalName=u...@mydomain.com)
>>>>> # requesting: cn userPrincipalName
>>>>> # with pagedResults control: size=1024
>>>>> #
>>>>>
>>>>> # Some Name, some-ou, mydomain.com
>>>>> dn: CN=Some Name,OU=some-ou,DC=mydomain,DC=com
>>>>> cn: Some Name
>>>>> userPrincipalName: u...@mydomain.com
>>>>>
>>>>> # search result
>>>>> search: 2
>>>>> result: 0 Success
>>>>> control: 1.2.840.113556.1.4.319 false MIQXGSGSGSgEABAA=
>>>>> pagedresults: cookie=
>>>>>
>>>>> # numResponses: 2
>>>>> # numEntries: 1
>>>>>
>>>>>
>>>>> 3. Copy the examples as mentioned from the readme.
>>>>> 4. You only need to modify
>>>>> /etc/ovirt-engine/aaa/int.m-box.de.properties; leave the rest as is.
>>>>> 5. There, set:
>>>>>
>>>>>   vars.domain = ldap.mydomain.com
>>>>>   vars.user = ldap@${global:vars.domain}
>>>>>   vars.password = Passw@rd
>>>>>
>>>>> 6. Restart ovirt engine service
>>>>> 7. Log in as admin@einternal and add user rights and roles from the
>>>>> new provider
>>>>>
>>>>> Hope this helps.
>>>>>
>>>>> On 22.09.2015 16:46, Budur Nagaraju wrote:
>>>>> >
>>>>> > below are the three files which I have modified.
>>>>> >
>>>>> >
>>>>> > [root@cstlb2 extensions.d]# cat profile1-authn.properties
>>>>> > ovirt.engine.extension.name = cloudspin-authn
>>>>> > ovirt.engine.extension.bindings.method = jbossmodule
>>>>> > ovirt.engine.extension.binding.jbossmodule.module =
>>>>> > org.ovirt.engine-extensions.aaa.ldap
>>>>> > ovirt.engine.extension.binding.jbossmodule.class =
>>>>> > org.ovirt.engineextensions.aaa.ldap.AuthnExtension
>>>>> > ovirt.engine.extension.provides =
>>>>> org.ovirt.engine.api.extensions.aaa.Authn
>>>>> > ovirt.engine.aaa.authn.profile.name = cloudspin
>>>>> > ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth
>>>>> > config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
>>>>> >
>>>>> >
>>>>> > [root@cstlb2 extensions.d]# ls
>>>>> > profile1-authn.properties  profile1-authz.properties
>>>>> > [root@cstlb2 extensions.d]# cat profile1-authz.properties
>>>>> > ovirt.engine.extension.name = cloudspin-authz
>>>>> > ovirt.engine.extension.bindings.method = jbossmodule
>>>>> > ovirt.engine.extension.binding.jbossmodule.module =
>>>>> > org.ovirt.engine-extensions.aaa.ldap
>>>>> > ovirt.engine.extension.binding.jbossmodule.class =
>>>>> > org.ovirt.engineextensions.aaa.ldap.AuthzExtension
>>>>> > ovirt.engine.extension.provides =
>>>>> org.ovirt.engine.api.extensions.aaa.Authz
>>>>> > config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
>>>>> > [root@cstlb2 extensions.d]#
>>>>> >
>>>>> >
>>>>> >
>>>>> > [root@cstlb2 aaa]# pwd
>>>>> > /etc/ovirt-engine/aaa
>>>>> > [root@cstlb2 aaa]# ls
>>>>> > ldap1.properties
>>>>> > [root@cstlb2 aaa]# cat ldap1.properties
>>>>> > #
>>>>> > # Select one
>>>>> > #
>>>>> > include = 
>>>>> > #include = <389ds.properties>
>>>>> > #include = 
>>>>> > #include = 
>>>>> > #include = 
>>>>> > #include = 
>>>>> >
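A consistency check for the three files, as an added example that is not an oVirt tool and not from the thread: it reads the authn, authz and profile files the way java.util.Properties does and flags the trailing-space hostname Ondra diagnosed earlier in the thread, plus the authz.plugin value in the quoted authn file that does not match the authz extension's name. The sample files are constructed after the quoted ones with both defects left in; the `<ad.properties>` include and the shortened bind DN are assumptions.

```python
"""Sanity checks for the three aaa-ldap files before the engine is restarted.

Added example for this thread, not an oVirt tool. It reads the authn and authz
files from extensions.d and the profile from aaa/ the way java.util.Properties
does and flags the mistakes visible above: a hostname with a trailing space
(the DNS failure Ondra diagnosed) and an authn file whose authz.plugin does
not name the authz extension. The sample files are constructed after the
quoted ones, with both defects left in."""
from pathlib import Path


def parse_properties(text: str) -> dict[str, str]:
    """Minimal java.util.Properties reader for `key = value` lines.

    Java drops whitespace before the value but keeps whitespace after it,
    so "vars.server = my.abc.net " really binds to "my.abc.net "."""
    props: dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.lstrip()
    return props


def lint_profile(authn: dict, authz: dict, profile: dict) -> list[str]:
    """Return one message per defect; an empty list means the trio is consistent."""
    problems = []
    # authn hands each authenticated user to the authz extension named here;
    # a name that matches no extension leaves the engine unable to look the user up.
    want = authz.get("ovirt.engine.extension.name")
    got = authn.get("ovirt.engine.aaa.authn.authz.plugin")
    if got != want:
        problems.append(f"authn.authz.plugin is {got!r} but the authz extension is named {want!r}")
    # Both extensions must read the same profile, or they query different servers.
    if authn.get("config.profile.file.1") != authz.get("config.profile.file.1"):
        problems.append("authn and authz point config.profile.file.1 at different files")
    # The bound class and the provided API must match the file's role.
    for role, ext, cls, api in (("authn", authn, "AuthnExtension", "aaa.Authn"),
                                ("authz", authz, "AuthzExtension", "aaa.Authz")):
        if not ext.get("ovirt.engine.extension.binding.jbossmodule.class", "").endswith(cls):
            problems.append(f"{role} file does not bind {cls}")
        if not ext.get("ovirt.engine.extension.provides", "").endswith(api):
            problems.append(f"{role} file does not provide {api}")
    # Values that go on the wire must not carry stray whitespace: a hostname
    # with a trailing space does not resolve, a bind DN with one does not bind.
    for key in ("vars.server", "vars.user"):
        value = profile.get(key, "")
        if value != value.strip():
            problems.append(f"{key} has surrounding whitespace: {value!r}")
    # The profile must include one of the shipped server templates.
    if not profile.get("include", "").strip():
        problems.append("include is empty; select one of the shipped templates")
    return problems


def lint_files(authn_path: str, authz_path: str, profile_path: str) -> list[str]:
    """Same checks against the real files under /etc/ovirt-engine."""
    authn, authz, profile = (parse_properties(Path(p).read_text())
                             for p in (authn_path, authz_path, profile_path))
    return lint_profile(authn, authz, profile)


# Constructed after the thread's files; the two defects are deliberate.
AUTHN = """ovirt.engine.extension.name = cloudspin-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = cloudspin
ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth
config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
"""
AUTHZ = """ovirt.engine.extension.name = cloudspin-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
"""
# \x20 keeps the trailing space after the hostname visible in the source.
PROFILE = """include = <ad.properties>
vars.server = my.abc.net\x20
vars.user = uid=search,cn=users,dc=nbudoor,dc=net
vars.password = company
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
"""

if __name__ == "__main__":
    for problem in lint_profile(parse_properties(AUTHN), parse_properties(AUTHZ),
                                parse_properties(PROFILE)):
        print("FAIL:", problem)
```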

Re: [ovirt-users] LDAP Authentication

2015-09-23 Thread Ondra Machacek
 # if using ssl/tls.
> #pool.default.ssl.startTLS = true
> #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
> #pool.default.ssl.truststore.password = changeit
> [root@cstlb2 aaa]#
>
>
>
>
>
>
> On Tue, Sep 22, 2015 at 8:07 PM, Alon Bar-Lev <alo...@redhat.com> wrote:
>
>
>
> - Original Message -
> > From: "Budur Nagaraju" <nbud...@gmail.com>
> > To: "Alon Bar-Lev" <alo...@redhat.com>
> > Cc: users@ovirt.org
> > Sent: Tuesday, September 22, 2015 5:35:16 PM
> > Subject: Re: [ovirt-users] LDAP Authentication
> >
> > its too complicated, you have any script or video?
>
> in 3.6 we have a setup script.
> for now:
>
> cp -r /usr/share/ovirt-engine/examples/simple/. /etc/ovirt-engine/
>
> this is written in the README.
>
> then customize files at /etc/ovirt-engine/extensions.d/*
> /etc/ovirt-engine/aaa/* to match your setup
>
> >
> >
> > On Tue, Sep 22, 2015 at 8:00 PM, Alon Bar-Lev <alo...@redhat.com> wrote:
> >
> > >
> > >
> > > - Original Message -
> > > > From: "Budur Nagaraju" <nbud...@gmail.com>
> > > > To: "Alon Bar-Lev" <alo...@redhat.com>
> > > > Cc: users@ovirt.org
> > > > Sent: Tuesday, September 22, 2015 5:24:36 PM
> > > > Subject: Re: [ovirt-users] LDAP Authentication
> > > >
> > > > HI Alon,
> > > >
> > > > Below is the configuration which I have done, but unable to search the
> > > > users in UI
> > > > can you pls help me ?
> > >
> > > you need three files, see the
> > > /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple
> > >
> > > >
> > > >
> > > > [root@cstlb2 aaa]# cat ldap1.properties
> > > > #
> > > > # Select one
> > > > #
> > > > include = 
> > > > #include = <389ds.properties>
> > > > #include = 
> > > > #include = 
> > > > #include = 
> > > > #include = 
> > > > #include = 
> > > >
> > > > #
> > > > # Server
> > > > #
> > > > vars.server =my.abc.net

Re: [ovirt-users] LDAP Authentication

2015-09-23 Thread Budur Nagaraju
fy
>>>> /etc/ovirt-engine/aaa/int.m-box.de.properties; leave the rest as is.
>>>> 5. There, set:
>>>>
>>>>   vars.domain = ldap.mydomain.com
>>>>   vars.user = ldap@${global:vars.domain}
>>>>   vars.password = Passw@rd
>>>>
>>>> 6. Restart ovirt engine service
>>>> 7. Log in as admin@einternal and add user rights and roles from the
>>>> new provider
>>>>
>>>> Hope this helps.
>>>>
>>>> On 22.09.2015 16:46, Budur Nagaraju wrote:
>>>> >
>>>> > below are the three files which I have modified.
>>>> >
>>>> >
>>>> > [root@cstlb2 extensions.d]# cat profile1-authn.properties
>>>> > ovirt.engine.extension.name = cloudspin-authn
>>>> > ovirt.engine.extension.bindings.method = jbossmodule
>>>> > ovirt.engine.extension.binding.jbossmodule.module =
>>>> > org.ovirt.engine-extensions.aaa.ldap
>>>> > ovirt.engine.extension.binding.jbossmodule.class =
>>>> > org.ovirt.engineextensions.aaa.ldap.AuthnExtension
>>>> > ovirt.engine.extension.provides =
>>>> org.ovirt.engine.api.extensions.aaa.Authn
>>>> > ovirt.engine.aaa.authn.profile.name = cloudspin
>>>> > ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth
>>>> > config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
>>>> >
>>>> >
>>>> > [root@cstlb2 extensions.d]# ls
>>>> > profile1-authn.properties  profile1-authz.properties
>>>> > [root@cstlb2 extensions.d]# cat profile1-authz.properties
>>>> > ovirt.engine.extension.name = cloudspin-authz
>>>> > ovirt.engine.extension.bindings.method = jbossmodule
>>>> > ovirt.engine.extension.binding.jbossmodule.module =
>>>> > org.ovirt.engine-extensions.aaa.ldap
>>>> > ovirt.engine.extension.binding.jbossmodule.class =
>>>> > org.ovirt.engineextensions.aaa.ldap.AuthzExtension
>>>> > ovirt.engine.extension.provides =
>>>> org.ovirt.engine.api.extensions.aaa.Authz
>>>> > config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
>>>> > [root@cstlb2 extensions.d]#
>>>> >
>>>> >
>>>> >
>>>> > [root@cstlb2 aaa]# pwd
>>>> > /etc/ovirt-engine/aaa
>>>> > [root@cstlb2 aaa]# ls
>>>> > ldap1.properties
>>>> > [root@cstlb2 aaa]# cat ldap1.properties
>>>> > #
>>>> > # Select one
>>>> > #
>>>> > include = 
>>>> > #include = <389ds.properties>
>>>> > #include = 
>>>> > #include = 
>>>> > #include = 
>>>> > #include = 
>>>> > #include = 
>>>> >
>>>> > #
>>>> > # Server
>>>> > #
>>>> > vars.server = my.abc.net
>>>> >
>>>> > #
>>>> > # Search user and its password.
>>>> > #
>>>> > vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=nbudoor,dc=net
>>>> > vars.password = company
>>>> >
>>>> > pool.default.serverset.single.server = ${global:vars.server}
>>>> > pool.default.auth.simple.bindDN = ${global:vars.user}
>>>> > pool.default.auth.simple.password = ${global:vars.password}
>>>> >
>>>> > # Create keystore, import certificate chain and uncomment
>>>> > # if using ssl/tls.
>>>> > #pool.default.ssl.startTLS = true
>>>> > #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
>>>> > #pool.default.ssl.truststore.password = changeit
>>>> > [root@cstlb2 aaa]#
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >
>>>> > On Tue, Sep 22, 2015 at 8:07 PM, Alon Bar-Lev <alo...@redhat.com> wrote:
>>>> >
>>>> >
>>>> >
>>>> > - Original Message ---

Re: [ovirt-users] LDAP Authentication

2015-09-23 Thread Ondra Machacek

Re: [ovirt-users] LDAP Authentication

2015-09-23 Thread Budur Nagaraju

Re: [ovirt-users] LDAP Authentication

2015-09-23 Thread Ondra Machacek

Re: [ovirt-users] LDAP Authentication

2015-09-23 Thread Budur Nagaraju

Re: [ovirt-users] LDAP Authentication

2015-09-22 Thread Ondra Machacek
> [root@cstlb2 aaa]# pwd
> /etc/ovirt-engine/aaa
> [root@cstlb2 aaa]# ls
> ldap1.properties
> [root@cstlb2 aaa]# cat ldap1.properties
> #
> # Select one
> #
> include = 
> #include = <389ds.properties>
> #include = 
> #include = 
> #include = 
> #include = 
> #include = 
>
> #
> # Server
> #
> vars.server = my.abc.net <http://my.abc.net> <http://my.abc.net>
>
> #
> # Search user and its password.
> #
> vars.user =
>

uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=nbudoor,dc=net
> vars.password = company
>
> pool.default.serverset.single.server = ${global:vars.server}
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
>
> # Create keystore, import certificate chain and uncomment
> # if using ssl/tls.
> #pool.default.ssl.startTLS = true
> #pool.default.ssl.truststore.file =
${local:_basedir}/${global:vars.server}.jks
> #pool.default.ssl.truststore.password = changeit
> [root@cstlb2 aaa]#
>
>
>
>
>
>
> On Tue, Sep 22, 2015 at 8:07 PM, Alon Bar-Lev <alo...@redhat.com> wrote:
>
>
>
> - Original Message -
> > From: "Budur Nagaraju" <nbud...@gmail.com>
> > To: "Alon Bar-Lev" <alo...@redhat.com>
> > Cc: users@ovirt.org
> > Sent: Tuesday, September 22, 2015 5:35:16 PM
> > Subject: Re: [ovirt-users] LDAP Authentication
> >
> > its too complicated ,you have any script or video ?
>
> in 3.6 we have a setup script.
> for now:
>
> cp -r /usr/share/ovirt-engine/examples/simple/.
/etc/ovirt-engine/
>
> this is written in the README.
>
> then customize files at /etc/ovirt-engine/extnesions.d/*
> /etc/ovirt-engine/aaa/* to match your setup
>
> >
> >
> > On Tue, Sep 22, 2015 at 8:00 PM, Alon Bar-Lev <alo...@redhat.com> wrote:
> >
> > >
> > >
> > > - Original Message -
> > > > From: "Budur Nagaraju" <nbud...@gmail.com>
> > > > To: "Alon Bar-Lev" <alo...@redhat.com>
> > > > Cc: users@ovirt.org
> > > > Sent: Tuesday, September 22, 2015 5:24:36 PM
> > > > Subject: Re: [ovirt-users] LDAP Authentication
> > > >
> > > > HI Alon,
> > > >
> > > > Below is the configuration which I have done ,but
unable to search the
> > > > users in UI
> > > > can you pls help me ?
> > >
> > > you need three files, see the
> > > /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple
> > >
> > > >
> > > >
> > > > [root@cstlb2 aaa]# cat ldap1.properties
> > > > #
> > > > # Select one
> > > > #
> > > > include = 
> > > > #include = <389ds.properties>
> > > > #include = 
> > > > #include = 
> > > > #include = 
> > > > #include = 
> > > > #include = 
> > > >
> > > > #
> > > > # Server
> > > > #
> > > > vars.server = my.abc.net
> > > >
> > > > #
> > > > # Search user and its password.
> > > > #
> > > > vars.user =
> > > >
> >

Re: [ovirt-users] LDAP Authentication

2015-09-22 Thread Budur Nagaraju
 jbossmodule
>> > ovirt.engine.extension.binding.jbossmodule.module =
>> > org.ovirt.engine-extensions.aaa.ldap
>> > ovirt.engine.extension.binding.jbossmodule.class =
>> > org.ovirt.engineextensions.aaa.ldap.AuthzExtension
>> > ovirt.engine.extension.provides =
>> org.ovirt.engine.api.extensions.aaa.Authz
>> > config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
>> > [root@cstlb2 extensions.d]#
>> >
>> >
>> >
>> > [root@cstlb2 aaa]# pwd
>> > /etc/ovirt-engine/aaa
>> > [root@cstlb2 aaa]# ls
>> > ldap1.properties
>> > [root@cstlb2 aaa]# cat ldap1.properties
>> > #
>> > # Select one
>> > #
>> > include = 
>> > #include = <389ds.properties>
>> > #include = 
>> > #include = 
>> > #include = 
>> > #include = 
>> > #include = 
>> >
>> > #
>> > # Server
>> > #
>> > vars.server = my.abc.net
>> >
>> > #
>> > # Search user and its password.
>> > #
>> > vars.user =
>> >
>> uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=nbudoor,dc=net
>> > vars.password = company
>> >
>> > pool.default.serverset.single.server = ${global:vars.server}
>> > pool.default.auth.simple.bindDN = ${global:vars.user}
>> > pool.default.auth.simple.password = ${global:vars.password}
>> >
>> > # Create keystore, import certificate chain and uncomment
>> > # if using ssl/tls.
>> > #pool.default.ssl.startTLS = true
>> > #pool.default.ssl.truststore.file =
>> ${local:_basedir}/${global:vars.server}.jks
>> > #pool.default.ssl.truststore.password = changeit
>> > [root@cstlb2 aaa]#
>> >
>> >
>> >
>> >
>> >
>> >
>> > On Tue, Sep 22, 2015 at 8:07 PM, Alon Bar-Lev <alo...@redhat.com> wrote:
>> >
>> >
>> >
>> > - Original Message -
>> > > From: "Budur Nagaraju" <nbud...@gmail.com>
>> > > To: "Alon Bar-Lev" <alo...@redhat.com>
>> > > Cc: users@ovirt.org
>> > > Sent: Tuesday, September 22, 2015 5:35:16 PM
>> > > Subject: Re: [ovirt-users] LDAP Authentication
>> > >
>> > > its too complicated ,you have any script or video ?
>> >
>> > in 3.6 we have a setup script.
>> > for now:
>> >
>> > cp -r /usr/share/ovirt-engine/examples/simple/. /etc/ovirt-engine/
>> >
>> > this is written in the README.
>> >
>> > then customize files at /etc/ovirt-engine/extnesions.d/*
>> > /etc/ovirt-engine/aaa/* to match your setup
>> >
>> > >
>> > >
>> > > On Tue, Sep 22, 2015 at 8:00 PM, Alon Bar-Lev <alo...@redhat.com> wrote:
>> > >
>> > > >
>> > > >
>> > > > - Original Message -
>> > > > > From: "Budur Nagaraju" <nbud...@gmail.com>
>> > > > > To: "Alon Bar-Lev" <alo...@redhat.com>
>> > > > > Cc: users@ovirt.org
>> > > > > Sent: Tuesday, September 22, 2015 5:24:36 PM
>> > > > > Subject: Re: [ovirt-users] LDAP Authentication
>> > > > >
>> > > > > HI Alon,
>> > > > >
>> > > > > Below is the configuration which I have done ,but unable to
>> search the
>> > > > > users in UI
>> > > > > can you pls help me ?
>> > > >
>> > > > you need three files, see the
>> > > > /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple
>> > > >
>> > > > >
>> > > > >
>> > > > > [root@cstlb2 aaa]# cat ldap1.properties
>> > > > > #
>> > > > > # Select one
>> > > > > #
>> > > > > include = 
>> > > > > #include = <389ds.properties>
>> > > > > #include = 
>> > > > > #include = 
>> > > > > #include = 
>> > > > > #include = 
>> > > > > #include

Re: [ovirt-users] LDAP Authentication

2015-09-22 Thread Budur Nagaraju
r and its password.
> > #
> > vars.user =
> >
> uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=nbudoor,dc=net
> > vars.password = company
> >
> > pool.default.serverset.single.server = ${global:vars.server}
> > pool.default.auth.simple.bindDN = ${global:vars.user}
> > pool.default.auth.simple.password = ${global:vars.password}
> >
> > # Create keystore, import certificate chain and uncomment
> > # if using ssl/tls.
> > #pool.default.ssl.startTLS = true
> > #pool.default.ssl.truststore.file =
> ${local:_basedir}/${global:vars.server}.jks
> > #pool.default.ssl.truststore.password = changeit
> > [root@cstlb2 aaa]#
> >
> >
> >
> >
> >
> >
> > On Tue, Sep 22, 2015 at 8:07 PM, Alon Bar-Lev <alo...@redhat.com> wrote:
> >
> >
> >
> > - Original Message -
> > > From: "Budur Nagaraju" <nbud...@gmail.com>
> > > To: "Alon Bar-Lev" <alo...@redhat.com>
> > > Cc: users@ovirt.org
> > > Sent: Tuesday, September 22, 2015 5:35:16 PM
> > > Subject: Re: [ovirt-users] LDAP Authentication
> > >
> > > its too complicated ,you have any script or video ?
> >
> > in 3.6 we have a setup script.
> > for now:
> >
> > cp -r /usr/share/ovirt-engine/examples/simple/. /etc/ovirt-engine/
> >
> > this is written in the README.
> >
> > then customize files at /etc/ovirt-engine/extnesions.d/*
> > /etc/ovirt-engine/aaa/* to match your setup
> >
> > >
> > >
> > > On Tue, Sep 22, 2015 at 8:00 PM, Alon Bar-Lev <alo...@redhat.com> wrote:
> > >
> > > >
> > > >
> > > > - Original Message -
> > > > > From: "Budur Nagaraju" <nbud...@gmail.com>
> > > > > To: "Alon Bar-Lev" <alo...@redhat.com>
> > > > > Cc: users@ovirt.org
> > > > > Sent: Tuesday, September 22, 2015 5:24:36 PM
> > > > > Subject: Re: [ovirt-users] LDAP Authentication
> > > > >
> > > > > HI Alon,
> > > > >
> > > > > Below is the configuration which I have done ,but unable to
> search the
> > > > > users in UI
> > > > > can you pls help me ?
> > > >
> > > > you need three files, see the
> > > > /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple
> > > >
> > > > >
> > > > >
> > > > > [root@cstlb2 aaa]# cat ldap1.properties
> > > > > #
> > > > > # Select one
> > > > > #
> > > > > include = 
> > > > > #include = <389ds.properties>
> > > > > #include = 
> > > > > #include = 
> > > > > #include = 
> > > > > #include = 
> > > > > #include = 
> > > > >
> > > > > #
> > > > > # Server
> > > > > #
> > > > > vars.server = my.abc.net
> > > > >
> > > > > #
> > > > > # Search user and its password.
> > > > > #
> > > > > vars.user =
> > > > >
> > > >
> uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=abc,dc=net
> > > > > vars.password = company1
> > > > >
> > > > > pool.default.serverset.single.server = ${global:vars.server}
> > > > > pool.default.auth.simple.bindDN = ${global:vars.user}
> > > > > pool.default.auth.simple.password = ${global:vars.password}
> > > > >
> > > > > # Create keystore, import certificate chain and uncomment
> > > > > # if using ssl/tls.
> > > > > #pool.default.ssl.startTLS = true
> > > > > #pool.default.ssl.truststore.file =
> > > > > ${local:_basedir}/${global:vars.server}.jks
> > > > > #pool.default.ssl.truststore.password = changeit
> > > > > [root@cstlb2 aaa]#
> > > > >
> > > > >
> > > > >
> > > > > On Tue, Sep 22, 2015 at 7:25 PM, Alon Bar-Lev <alo...@redhat.com> wrote:
> > > > >
> > > > > >
> > > > > >
> > > > > > - Original Message -
> > > > > > > From: "Budur Nagaraju" <nbud...@gmail.com>
> > > > > > > To: users@ovirt.org
> > > > > > > Sent: Tuesday, September 22, 2015 4:34:46 PM
> > > > > > > Subject: [ovirt-users] LDAP Authentication
> > > > > > >
> > > > > > > HI All,
> > > > > > >
> > > > > > > Can someone help me in configuring LDAP authentication for
> Ovirt ?
> > > > > >
> > > > > > Please review:
> > > > > >http://www.ovirt.org/Features/AAA
> > > > > >
> > > > > >
> > > >
> https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0
> > > > > >
> > > > >
> > > >
> > >
> >
> >
>
> --
> Daniel Helgenberger
> m box bewegtbild GmbH
>
> P: +49/30/2408781-22
> F: +49/30/2408781-10
>
> ACKERSTR. 19
> D-10115 BERLIN
>
>
> www.m-box.de  www.monkeymen.tv
>
> Geschäftsführer: Martin Retschitzegger / Michaela Göllner
> Handeslregister: Amtsgericht Charlottenburg / HRB 112767
>
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] LDAP Authentication

2015-09-22 Thread Daniel Helgenberger
Hello Budur,

I've done this recently. Alon, no offense, but the docs are not quite 
straightforward...

Requirements:
 - LDAP server (obviously) - called here ldap.mydomain.com
 - LDAP bind account - called here l...@mydomain.com, password 'Passw@rd'
 - At least one existing account in ldap, called u...@mydomain.com

Please note, the most common issue will be DNS.

I'll describe in short what steps need to be taken. All this needs to be done 
on your engine host. In the end this was quite easy :)

1. Install the packages: ovirt-engine-extension-aaa-ldap and openldap-clients 
(these are only for testing your setup)
2. Test if ldap is working in general. (The extension uses the global catalog 
at least for AD, this was news to me):
  # ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H ldap://ldap.mydomain.com:3268/ -x \
      -D 'l...@mydomain.com' -w Passw@rd -b '' '(userPrincipalName=u...@mydomain.com)' cn userPrincipalName

  If this command does not return details of the user, do debug your ldap and 
continue once this works. Example:

# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (userPrincipalName=u...@mydomain.com)
# requesting: cn userPrincipalName
# with pagedResults control: size=1024
#

# Some Name, some-ou, mydomain.com
dn: CN=Some Name,OU=some-ou,DC=mydomain,DC=com
cn: Some Name
userPrincipalName: u...@mydomain.com

# search result
search: 2
result: 0 Success
control: 1.2.840.113556.1.4.319 false MIQXGSGSGSgEABAA=
pagedresults: cookie=

# numResponses: 2
# numEntries: 1


3. Copy the examples as mentioned from the readme.
4. You only need to modify /etc/ovirt-engine/aaa/int.m-box.de.properties; leave 
the rest as is.
5. There, set:

  vars.domain = ldap.mydomain.com
  vars.user = ldap@${global:vars.domain}
  vars.password = Passw@rd

6. Restart ovirt engine service
7. Log in as admin@internal and add user rights and roles from the new provider

Hope this helps.

On 22.09.2015 16:46, Budur Nagaraju wrote:
> 
> below are the three files which I have modified.
> 
> 
> [root@cstlb2 extensions.d]# cat profile1-authn.properties
> ovirt.engine.extension.name = cloudspin-authn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = 
> org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class = 
> org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> ovirt.engine.aaa.authn.profile.name = cloudspin
> ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth
> config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
> 
> 
> [root@cstlb2 extensions.d]# ls
> profile1-authn.properties  profile1-authz.properties
> [root@cstlb2 extensions.d]# cat profile1-authz.properties
> ovirt.engine.extension.name = cloudspin-authz
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = 
> org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class = 
> org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
> [root@cstlb2 extensions.d]#
> 
> 
> 
> [root@cstlb2 aaa]# pwd
> /etc/ovirt-engine/aaa
> [root@cstlb2 aaa]# ls
> ldap1.properties
> [root@cstlb2 aaa]# cat ldap1.properties
> #
> # Select one
> #
> include = 
> #include = <389ds.properties>
> #include = 
> #include = 
> #include = 
> #include = 
> #include = 
> 
> #
> # Server
> #
> vars.server = my.abc.net
> 
> #
> # Search user and its password.
> #
> vars.user = 
> uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=nbudoor,dc=net
> vars.password = company
> 
> pool.default.serverset.single.server = ${global:vars.server}
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
> 
> # Create keystore, import certificate chain and uncomment
> # if using ssl/tls.
> #pool.default.ssl.startTLS = true
> #pool.default.ssl.truststore.file = 
> ${local:_basedir}/${global:vars.server}.jks
> #pool.default.ssl.truststore.password = changeit
> [root@cstlb2 aaa]#
> 
> 
> 
> 
> 
> 
> On Tue, Sep 22, 2015 at 8:07 PM, Alon Bar-Lev <alo...@redhat.com> wrote:
> 
> 
> 
> - Original Message -
> > From: "Budur Nagaraju" <nbud...@gmail.com>
> > To
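
Daniel's step 2 checks the directory side with ldapsearch before the engine configuration is touched. The Python below is an added example, not code from this thread or from oVirt: it parses ldapsearch's LDIF output (the shape of the listing above) and confirms that the search ended with result 0 and returned exactly one entry for the expected userPrincipalName. The sample output is constructed after Daniel's listing, with a second entry that carries a base64 (`::`) value and a folded continuation line, which ldapsearch emits for non-ASCII or long values unless `-o ldif-wrap=no` is given; `user@mydomain.com` and `other@mydomain.com` are placeholders, and `verify_lookup` is a hypothetical helper name.

```python
"""Parse ldapsearch LDIF output and confirm the lookup found the expected user.

Added example, not code from the thread or from oVirt. The sample output is
constructed after Daniel's listing; a second entry adds a base64 ('::') value
and a folded continuation line, both of which ldapsearch emits for non-ASCII or
long values unless -o ldif-wrap=no is given.
"""
import base64

# Lines ldapsearch prints after the entries, describing the operation itself.
TRAILER_KEYS = {"search", "result", "control", "pagedresults"}

# Constructed sample output (placeholders, not a real directory).
SAMPLE_LDIF = (
    "# extended LDIF\n"
    "#\n"
    "# LDAPv3\n"
    "# base <> with scope subtree\n"
    "# filter: (userPrincipalName=user@mydomain.com)\n"
    "# requesting: cn userPrincipalName\n"
    "#\n"
    "\n"
    "# Some Name, some-ou, mydomain.com\n"
    "dn: CN=Some Name,OU=some-ou,DC=mydomain,DC=com\n"
    "cn: Some Name\n"
    "userPrincipalName: user@mydomain.com\n"
    "\n"
    "dn: CN=Other,OU=some-ou,DC=mydomain,DC=com\n"
    "cn:: " + base64.b64encode("Some Näme".encode()).decode() + "\n"
    "userPrincipalName: other@mydom\n"
    " ain.com\n"  # folded line: a leading space continues the previous value
    "\n"
    "# search result\n"
    "search: 2\n"
    "result: 0 Success\n"
    "control: 1.2.840.113556.1.4.319 false MIQXGSGSGSgEABAA=\n"
    "pagedresults: cookie=\n"
    "\n"
    "# numResponses: 3\n"
    "# numEntries: 2\n"
)


def unfold(lines):
    """Join LDIF continuation lines (leading single space) to their predecessor."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_ldapsearch(text):
    """Return (entries, trailer): entries as dicts attr -> [values], trailer as
    the search:/result:/control: lines printed after the last entry."""
    entries, trailer, current = [], {}, None
    for line in unfold(text.splitlines()):
        if not line.strip():              # blank line ends an entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):          # ldapsearch comments
            continue
        key, _, rest = line.partition(":")
        key = key.strip()
        if rest.startswith(":"):          # attr:: base64value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if key in TRAILER_KEYS:
            trailer[key] = value
        elif key == "dn":
            if current is not None:
                entries.append(current)
            current = {"dn": [value]}
        elif current is not None:
            current.setdefault(key, []).append(value)
    if current is not None:
        entries.append(current)
    return entries, trailer


def verify_lookup(text, expected_upn):
    """Return (matching entries, problems); problems must be empty before the
    engine-side configuration is worth debugging."""
    entries, trailer = parse_ldapsearch(text)
    problems = []
    code = trailer.get("result", "").split(" ", 1)[0]
    if code != "0":
        problems.append(f"ldapsearch result was {trailer.get('result') or 'missing'}")
    hits = [e for e in entries
            if expected_upn.lower() in (v.lower() for v in e.get("userPrincipalName", []))]
    if len(hits) != 1:
        problems.append(f"expected one entry for {expected_upn}, got {len(hits)}")
    return hits, problems


if __name__ == "__main__":
    found, issues = verify_lookup(SAMPLE_LDIF, "user@mydomain.com")
    print(found[0]["dn"][0] if found else "no match", issues)
```

Pipe the real command's output into `verify_lookup` with the account you expect; a non-zero result code or a hit count other than one means the bind account, base or filter is wrong, and Daniel's advice applies: fix the directory side (DNS first) before restarting the engine.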

Re: [ovirt-users] LDAP Authentication

2015-09-22 Thread Alon Bar-Lev

please do not paste logs inline, either attach or pastebin.

please try to read errors and warnings before sending out, you have trailing 
space in configuration I guess.

2015-09-22 20:21:51,533 WARN  
[org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-8) 
[ovirt-engine-extension-aaa-ldap.authn::cloudspin-authn] Cannot initialize LDAP 
framework, deferring initialization. Error: An error occurred while attempting 
to resolve address 'psbngdc01.psecure.net ':  java.net.UnknownHostException: 
psbngdc01.psecure.net : Name or service not known


- Original Message -
> From: "Budur Nagaraju" 
> To: "Alon Bar-Lev" 
> Cc: users@ovirt.org
> Sent: Tuesday, September 22, 2015 5:53:10 PM
> Subject: Re: [ovirt-users] LDAP Authentication
> 
> Below is the log I have got,
> 
> 
> 
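
Alon's log line above points at a trailing space behind the hostname, and Budur's extension files name the authz extension `cloudspin-authz` while the authn file's `ovirt.engine.aaa.authn.authz.plugin` says `cloudspin-auth`. The Python below is an added example, not code from this thread or from ovirt-engine-extension-aaa-ldap: it lints such files before the engine is restarted, flagging trailing whitespace in a value, a server name that is not a valid hostname once `${global:...}` is expanded, a simple bind with neither `pool.default.ssl.startTLS` nor `pool.default.ssl.enable` set (so the bind password would cross the network in clear, a point worth checking in the posted profile where startTLS is commented out), and an authz plugin name that matches no authz extension. The sample contents are constructed from the files posted in the thread (the bind DN is a placeholder, `<389ds.properties>` is one of the include names on the page), and the check list is this editor's assumption about what a reviewer looks for, not the engine's own validation.

```python
"""Lint oVirt aaa-ldap extension/profile files before restarting the engine.

Added example; not code from the thread or from ovirt-engine-extension-aaa-ldap.
Sample contents are constructed from the files posted in the thread, and the
checks are a reviewer's list, not the engine's own validation.
"""
import re

VAR_RE = re.compile(r"\$\{global:([^}]+)\}")
LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
HOST_RE = re.compile(rf"^{LABEL}(\.{LABEL})*$")

AUTHN_AS_POSTED = """\
ovirt.engine.extension.name = cloudspin-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = cloudspin
ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth
config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
"""
AUTHZ_AS_POSTED = """\
ovirt.engine.extension.name = cloudspin-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
"""
# Profile with the trailing space behind the hostname from Alon's engine.log
# line and startTLS still commented out; the bind DN is a placeholder.
PROFILE_AS_POSTED = (
    "include = <389ds.properties>\n"
    "vars.server = psbngdc01.psecure.net \n"
    "vars.user = uid=search,dc=example,dc=net\n"
    "vars.password = company1\n"
    "pool.default.serverset.single.server = ${global:vars.server}\n"
    "pool.default.auth.simple.bindDN = ${global:vars.user}\n"
    "pool.default.auth.simple.password = ${global:vars.password}\n"
    "#pool.default.ssl.startTLS = true\n"
)
# The same profile with the space removed and STARTTLS plus a truststore on.
PROFILE_FIXED = PROFILE_AS_POSTED.replace("net \n", "net\n").replace(
    "#pool.default.ssl.startTLS = true",
    "pool.default.ssl.startTLS = true\n"
    "pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks",
)


def parse_properties(text):
    """'key = value' lines; comments skipped; trailing whitespace kept on purpose."""
    props = {}
    for line in text.splitlines():
        line = line.lstrip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.lstrip()
    return props


def resolve(props):
    """Expand ${global:key} against the same file; ${local:...} is left alone."""
    return {k: VAR_RE.sub(lambda m: props.get(m.group(1), m.group(0)), v)
            for k, v in props.items()}


def lint_profile(text):
    """Findings for one /etc/ovirt-engine/aaa/*.properties file."""
    findings = []
    props = parse_properties(text)
    for key, value in props.items():
        if value != value.rstrip():
            findings.append(f"{key}: trailing whitespace in value {value!r}")
    res = resolve(props)
    server = res.get("pool.default.serverset.single.server", "")
    if server and not HOST_RE.match(server):
        findings.append(f"server expands to {server!r}, not a valid hostname")
    tls = res.get("pool.default.ssl.startTLS", "").strip().lower() == "true"
    ldaps = res.get("pool.default.ssl.enable", "").strip().lower() == "true"
    if res.get("pool.default.auth.simple.password") and not (tls or ldaps):
        findings.append("simple bind without startTLS or ssl.enable: the bind "
                        "password crosses the network in clear")
    return findings


def lint_extensions(authn_text, authz_text):
    """Findings for the authn/authz pair in /etc/ovirt-engine/extensions.d."""
    authn, authz = parse_properties(authn_text), parse_properties(authz_text)
    plugin = authn.get("ovirt.engine.aaa.authn.authz.plugin", "").strip()
    authz_name = authz.get("ovirt.engine.extension.name", "").strip()
    if plugin != authz_name:
        return [f"authn authz.plugin {plugin!r} names no authz extension "
                f"(authz file is {authz_name!r})"]
    return []


if __name__ == "__main__":
    for label, found in (("profile", lint_profile(PROFILE_AS_POSTED)),
                         ("extensions", lint_extensions(AUTHN_AS_POSTED, AUTHZ_AS_POSTED))):
        print(label + ":", "ok" if not found else "\n  " + "\n  ".join(found))
```

Run it over the real files (read them into the three strings) before `systemctl restart ovirt-engine`; an empty finding list for both the profile and the authn/authz pair is the state in which Alon's "looks ok, now restart engine" advice actually holds.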


Re: [ovirt-users] LDAP Authentication

2015-09-22 Thread Budur Nagaraju
Center Pulse. Setting status to Non Responsive.
2015-09-22 20:22:01,998 INFO
[org.ovirt.engine.core.vdsbroker.irsbroker.IrsProxyData]
(DefaultQuartzScheduler_Worker-22) [759b2abb] hostFromVds::selectedVds -
host1, spmStatus SPM, storage pool Pulse
2015-09-22 20:22:02,002 INFO
[org.ovirt.engine.core.vdsbroker.irsbroker.IrsProxyData]
(DefaultQuartzScheduler_Worker-22) [759b2abb] Initialize Irs proxy from
vds: 10.204.206.7
2015-09-22 20:22:02,006 INFO
[org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector]
(DefaultQuartzScheduler_Worker-22) [759b2abb] Correlation ID: null, Call
Stack: null, Custom Event ID: -1, Message: Storage Pool Manager runs on
Host host1 (Address: 10.204.206.7).
2015-09-22 20:22:02,009 INFO
[org.ovirt.vdsm.jsonrpc.client.reactors.ReactorClient] (SSL Stomp Reactor)
Connecting to /10.204.206.7
2015-09-22 20:22:02,025 INFO
[org.ovirt.engine.core.vdsbroker.irsbroker.SPMGetAllTasksInfoVDSCommand]
(org.ovirt.thread.pool-8-thread-8) [759b2abb] START,
SPMGetAllTasksInfoVDSCommand( storagePoolId =
92328f51-9152-4730-a558-8c1fd0b4e076, ignoreFailoverLimit = false), log id:
45cd45aa
2015-09-22 20:22:02,150 INFO
[org.ovirt.engine.core.vdsbroker.irsbroker.SPMGetAllTasksInfoVDSCommand]
(org.ovirt.thread.pool-8-thread-8) [759b2abb] -- executeIrsBrokerCommand:
Attempting on storage pool 92328f51-9152-4730-a558-8c1fd0b4e076
2015-09-22 20:22:02,155 INFO
[org.ovirt.engine.core.vdsbroker.vdsbroker.HSMGetAllTasksInfoVDSCommand]
(org.ovirt.thread.pool-8-thread-8) [759b2abb] START,
HSMGetAllTasksInfoVDSCommand(HostName = host1, HostId =
b8804829-6107-4486-8c98-5ee4c0f4e797), log id: f9a6597
2015-09-22 20:22:02,160 INFO
[org.ovirt.engine.core.vdsbroker.vdsbroker.HSMGetAllTasksInfoVDSCommand]
(org.ovirt.thread.pool-8-thread-8) [759b2abb] FINISH,
HSMGetAllTasksInfoVDSCommand, return: [], log id: f9a6597
2015-09-22 20:22:02,160 INFO
[org.ovirt.engine.core.vdsbroker.irsbroker.SPMGetAllTasksInfoVDSCommand]
(org.ovirt.thread.pool-8-thread-8) [759b2abb] FINISH,
SPMGetAllTasksInfoVDSCommand, return: [], log id: 45cd45aa
2015-09-22 20:22:02,161 INFO
[org.ovirt.engine.core.bll.tasks.AsyncTaskManager]
(org.ovirt.thread.pool-8-thread-8) [759b2abb] Discovered no tasks on
Storage Pool Pulse


On Tue, Sep 22, 2015 at 8:20 PM, Alon Bar-Lev  wrote:

> looks ok, now restart engine and see if you have any error at
> /var/log/ovirt-engine/engine.log
>
> - Original Message -
> > From: "Budur Nagaraju" 
> > To: "Alon Bar-Lev" 
> > Cc: users@ovirt.org
> > Sent: Tuesday, September 22, 2015 5:45:42 PM
> > Subject: Re: [ovirt-users] LDAP Authentication
> >
> > below are the three files which I have modified.
> >
> >
> > [root@cstlb2 extensions.d]# cat profile1-authn.properties
> > ovirt.engine.extension.name = cloudspin-authn
> > ovirt.engine.extension.bindings.method = jbossmodule
> > ovirt.engine.extension.binding.jbossmodule.module =
> > org.ovirt.engine-extensions.aaa.ldap
> > ovirt.engine.extension.binding.jbossmodule.class =
> > org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> > ovirt.engine.extension.provides =
> org.ovirt.engine.api.extensions.aaa.Authn
> > ovirt.engine.aaa.authn.profile.name = cloudspin
> > ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth
> > config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
> >
> >
> > [root@cstlb2 extensions.d]# ls
> > profile1-authn.properties  profile1-authz.properties
> > [root@cstlb2 extensions.d]# cat profile1-authz.properties
> > ovirt.engine.extension.name = cloudspin-authz
> > ovirt.engine.extension.bindings.method = jbossmodule
> > ovirt.engine.extension.binding.jbossmodule.module =
> > org.ovirt.engine-extensions.aaa.ldap
> > ovirt.engine.extension.binding.jbossmodule.class =
> > org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> > ovirt.engine.extension.provides =
> org.ovirt.engine.api.extensions.aaa.Authz
> > config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
> > [root@cstlb2 extensions.d]#
> >
> >
> >
> > [root@cstlb2 aaa]# pwd
> > /etc/ovirt-engine/aaa
> > [root@cstlb2 aaa]# ls
> > ldap1.properties
> > [root@cstlb2 aaa]# cat ldap1.properties
> > #
> > # Select one
> > #
> > include = 
> > #include = <389ds.properties>
> > #include = 
> > #include = 
> > #include = 
> > #include = 
> > #include = 
> >
> > #
> > # Server
> > #
> > vars.server = my.abc.net
> >
> > #
> > # Search user and its password.
> > #
> > vars.user =
> >
> uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=nbudoor,dc=net
> > vars.password = company
> >
>

Re: [ovirt-users] LDAP Authentication

2015-09-22 Thread Alon Bar-Lev
looks ok, now restart engine and see if you have any error at 
/var/log/ovirt-engine/engine.log

- Original Message -
> From: "Budur Nagaraju" 
> To: "Alon Bar-Lev" 
> Cc: users@ovirt.org
> Sent: Tuesday, September 22, 2015 5:45:42 PM
> Subject: Re: [ovirt-users] LDAP Authentication
> 
> below are the three files which I have modified.
> 
> 
> [root@cstlb2 extensions.d]# cat profile1-authn.properties
> ovirt.engine.extension.name = cloudspin-authn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module =
> org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class =
> org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> ovirt.engine.aaa.authn.profile.name = cloudspin
> ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth
> config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
> 
> 
> [root@cstlb2 extensions.d]# ls
> profile1-authn.properties  profile1-authz.properties
> [root@cstlb2 extensions.d]# cat profile1-authz.properties
> ovirt.engine.extension.name = cloudspin-authz
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module =
> org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class =
> org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
> [root@cstlb2 extensions.d]#
> 
> 
> 
> [root@cstlb2 aaa]# pwd
> /etc/ovirt-engine/aaa
> [root@cstlb2 aaa]# ls
> ldap1.properties
> [root@cstlb2 aaa]# cat ldap1.properties
> #
> # Select one
> #
> include = 
> #include = <389ds.properties>
> #include = 
> #include = 
> #include = 
> #include = 
> #include = 
> 
> #
> # Server
> #
> vars.server = my.abc.net
> 
> #
> # Search user and its password.
> #
> vars.user =
> uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=nbudoor,dc=net
> vars.password = company
> 
> pool.default.serverset.single.server = ${global:vars.server}
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
> 
> # Create keystore, import certificate chain and uncomment
> # if using ssl/tls.
> #pool.default.ssl.startTLS = true
> #pool.default.ssl.truststore.file =
> ${local:_basedir}/${global:vars.server}.jks
> #pool.default.ssl.truststore.password = changeit
> [root@cstlb2 aaa]#
> 
> 
> 
> 
> 
> 
> On Tue, Sep 22, 2015 at 8:07 PM, Alon Bar-Lev  wrote:
> 
> >
> >
> > - Original Message -
> > > From: "Budur Nagaraju" 
> > > To: "Alon Bar-Lev" 
> > > Cc: users@ovirt.org
> > > Sent: Tuesday, September 22, 2015 5:35:16 PM
> > > Subject: Re: [ovirt-users] LDAP Authentication
> > >
> > > its too complicated ,you have any script or video ?
> >
> > in 3.6 we have a setup script.
> > for now:
> >
> > cp -r /usr/share/ovirt-engine/examples/simple/. /etc/ovirt-engine/
> >
> > this is written in the README.
> >
> > then customize files at /etc/ovirt-engine/extnesions.d/*
> > /etc/ovirt-engine/aaa/* to match your setup
> >
> > >
> > >
> > > On Tue, Sep 22, 2015 at 8:00 PM, Alon Bar-Lev  wrote:
> > >
> > > >
> > > >
> > > > - Original Message -
> > > > > From: "Budur Nagaraju" 
> > > > > To: "Alon Bar-Lev" 
> > > > > Cc: users@ovirt.org
> > > > > Sent: Tuesday, September 22, 2015 5:24:36 PM
> > > > > Subject: Re: [ovirt-users] LDAP Authentication
> > > > >
> > > > > HI Alon,
> > > > >
> > > > > Below is the configuration which I have done ,but unable to search
> > the
> > > > > users in UI
> > > > > can you pls help me ?
> > > >
> > > > you need three files, see the
> > > > /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple
> > > >
> > > > >
> > > > >
> > > > > [root@cstlb2 aaa]# cat ldap1.properties
> > > > > #
> > > > > # Select one
> > > > > #
> > > > > include = 
> > > > > #include = <389ds.properties>
> > > > > #include = 
> > > > > #include = 
> >

Re: [ovirt-users] LDAP Authentication

2015-09-22 Thread Budur Nagaraju
below are the three files which I have modified.


[root@cstlb2 extensions.d]# cat profile1-authn.properties
ovirt.engine.extension.name = cloudspin-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module =
org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class =
org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = cloudspin
ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth
config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties


[root@cstlb2 extensions.d]# ls
profile1-authn.properties  profile1-authz.properties
[root@cstlb2 extensions.d]# cat profile1-authz.properties
ovirt.engine.extension.name = cloudspin-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module =
org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class =
org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
[root@cstlb2 extensions.d]#



[root@cstlb2 aaa]# pwd
/etc/ovirt-engine/aaa
[root@cstlb2 aaa]# ls
ldap1.properties
[root@cstlb2 aaa]# cat ldap1.properties
#
# Select one
#
include = 
#include = <389ds.properties>
#include = 
#include = 
#include = 
#include = 
#include = 

#
# Server
#
vars.server = my.abc.net

#
# Search user and its password.
#
vars.user =
uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=nbudoor,dc=net
vars.password = company

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file =
${local:_basedir}/${global:vars.server}.jks
#pool.default.ssl.truststore.password = changeit
[root@cstlb2 aaa]#






On Tue, Sep 22, 2015 at 8:07 PM, Alon Bar-Lev  wrote:

>
>
> - Original Message -
> > From: "Budur Nagaraju" 
> > To: "Alon Bar-Lev" 
> > Cc: users@ovirt.org
> > Sent: Tuesday, September 22, 2015 5:35:16 PM
> > Subject: Re: [ovirt-users] LDAP Authentication
> >
> > its too complicated ,you have any script or video ?
>
> in 3.6 we have a setup script.
> for now:
>
> cp -r /usr/share/ovirt-engine/examples/simple/. /etc/ovirt-engine/
>
> this is written in the README.
>
> then customize files at /etc/ovirt-engine/extnesions.d/*
> /etc/ovirt-engine/aaa/* to match your setup
>
> >
> >
> > On Tue, Sep 22, 2015 at 8:00 PM, Alon Bar-Lev  wrote:
> >
> > >
> > >
> > > - Original Message -
> > > > From: "Budur Nagaraju" 
> > > > To: "Alon Bar-Lev" 
> > > > Cc: users@ovirt.org
> > > > Sent: Tuesday, September 22, 2015 5:24:36 PM
> > > > Subject: Re: [ovirt-users] LDAP Authentication
> > > >
> > > > HI Alon,
> > > >
> > > > Below is the configuration which I have done ,but unable to search
> the
> > > > users in UI
> > > > can you pls help me ?
> > >
> > > you need three files, see the
> > > /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple
> > >
> > > >
> > > >
> > > > [root@cstlb2 aaa]# cat ldap1.properties
> > > > #
> > > > # Select one
> > > > #
> > > > include = 
> > > > #include = <389ds.properties>
> > > > #include = 
> > > > #include = 
> > > > #include = 
> > > > #include = 
> > > > #include = 
> > > >
> > > > #
> > > > # Server
> > > > #
> > > > vars.server = my.abc.net
> > > >
> > > > #
> > > > # Search user and its password.
> > > > #
> > > > vars.user =
> > > >
> > >
> uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=abc,dc=net
> > > > vars.password = company1
> > > >
> > > > pool.default.serverset.single.server = ${global:vars.server}
> > > > pool.default.auth.simple.bindDN = ${global:vars.user}
> > > > pool.default.auth.simple.password = ${global:vars.password}
> > > >
> > > > # Create keystore, import certificate chain and uncomment
> > > > # if using ssl/tls.
> > > > #pool.default.ssl.startTLS = true
> 

Re: [ovirt-users] LDAP Authentication

2015-09-22 Thread Alon Bar-Lev


- Original Message -
> From: "Budur Nagaraju" 
> To: "Alon Bar-Lev" 
> Cc: users@ovirt.org
> Sent: Tuesday, September 22, 2015 5:35:16 PM
> Subject: Re: [ovirt-users] LDAP Authentication
> 
> its too complicated ,you have any script or video ?

in 3.6 we have a setup script.
for now:

cp -r /usr/share/ovirt-engine/examples/simple/. /etc/ovirt-engine/

this is written in the README.

then customize files at /etc/ovirt-engine/extensions.d/* 
/etc/ovirt-engine/aaa/* to match your setup

> 
> 
> On Tue, Sep 22, 2015 at 8:00 PM, Alon Bar-Lev  wrote:
> 
> >
> >
> > - Original Message -
> > > From: "Budur Nagaraju" 
> > > To: "Alon Bar-Lev" 
> > > Cc: users@ovirt.org
> > > Sent: Tuesday, September 22, 2015 5:24:36 PM
> > > Subject: Re: [ovirt-users] LDAP Authentication
> > >
> > > HI Alon,
> > >
> > > Below is the configuration which I have done ,but unable to search the
> > > users in UI
> > > can you pls help me ?
> >
> > you need three files, see the
> > /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple
> >
> > >
> > >
> > > [root@cstlb2 aaa]# cat ldap1.properties
> > > #
> > > # Select one
> > > #
> > > include = 
> > > #include = <389ds.properties>
> > > #include = 
> > > #include = 
> > > #include = 
> > > #include = 
> > > #include = 
> > >
> > > #
> > > # Server
> > > #
> > > vars.server = my.abc.net
> > >
> > > #
> > > # Search user and its password.
> > > #
> > > vars.user =
> > >
> > uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=abc,dc=net
> > > vars.password = company1
> > >
> > > pool.default.serverset.single.server = ${global:vars.server}
> > > pool.default.auth.simple.bindDN = ${global:vars.user}
> > > pool.default.auth.simple.password = ${global:vars.password}
> > >
> > > # Create keystore, import certificate chain and uncomment
> > > # if using ssl/tls.
> > > #pool.default.ssl.startTLS = true
> > > #pool.default.ssl.truststore.file =
> > > ${local:_basedir}/${global:vars.server}.jks
> > > #pool.default.ssl.truststore.password = changeit
> > > [root@cstlb2 aaa]#
> > >
> > >
> > >
> > > On Tue, Sep 22, 2015 at 7:25 PM, Alon Bar-Lev  wrote:
> > >
> > > >
> > > >
> > > > - Original Message -
> > > > > From: "Budur Nagaraju" 
> > > > > To: users@ovirt.org
> > > > > Sent: Tuesday, September 22, 2015 4:34:46 PM
> > > > > Subject: [ovirt-users] LDAP Authentication
> > > > >
> > > > > HI All,
> > > > >
> > > > > Can someone help me in configuring LDAP authentication for Ovirt ?
> > > >
> > > > Please review:
> > > > http://www.ovirt.org/Features/AAA
> > > >
> > > >
> > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0
> > > >
> > >
> >
> 


Re: [ovirt-users] LDAP Authentication

2015-09-22 Thread Budur Nagaraju
It's too complicated; do you have any script or video?


On Tue, Sep 22, 2015 at 8:00 PM, Alon Bar-Lev  wrote:

>
>
> - Original Message -
> > From: "Budur Nagaraju" 
> > To: "Alon Bar-Lev" 
> > Cc: users@ovirt.org
> > Sent: Tuesday, September 22, 2015 5:24:36 PM
> > Subject: Re: [ovirt-users] LDAP Authentication
> >
> > Hi Alon,
> >
> > Below is the configuration which I have done, but I am unable to search the
> > users in the UI.
> > Can you please help me?
>
> you need three files, see the
> /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple
>
> >
> >
> > [root@cstlb2 aaa]# cat ldap1.properties
> > #
> > # Select one
> > #
> > include = 
> > #include = <389ds.properties>
> > #include = 
> > #include = 
> > #include = 
> > #include = 
> > #include = 
> >
> > #
> > # Server
> > #
> > vars.server = my.abc.net
> >
> > #
> > # Search user and its password.
> > #
> > vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=abc,dc=net
> > vars.password = company1
> >
> > pool.default.serverset.single.server = ${global:vars.server}
> > pool.default.auth.simple.bindDN = ${global:vars.user}
> > pool.default.auth.simple.password = ${global:vars.password}
> >
> > # Create keystore, import certificate chain and uncomment
> > # if using ssl/tls.
> > #pool.default.ssl.startTLS = true
> > #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
> > #pool.default.ssl.truststore.password = changeit
> > [root@cstlb2 aaa]#
> >
> >
> >
> > On Tue, Sep 22, 2015 at 7:25 PM, Alon Bar-Lev  wrote:
> >
> > >
> > >
> > > - Original Message -
> > > > From: "Budur Nagaraju" 
> > > > To: users@ovirt.org
> > > > Sent: Tuesday, September 22, 2015 4:34:46 PM
> > > > Subject: [ovirt-users] LDAP Authentication
> > > >
> > > > Hi all,
> > > >
> > > > Can someone help me configure LDAP authentication for oVirt?
> > >
> > > Please review:
> > > http://www.ovirt.org/Features/AAA
> > >
> > >
> https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0
> > >
> >
>
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] LDAP Authentication

2015-09-22 Thread Alon Bar-Lev


- Original Message -
> From: "Budur Nagaraju" 
> To: "Alon Bar-Lev" 
> Cc: users@ovirt.org
> Sent: Tuesday, September 22, 2015 5:24:36 PM
> Subject: Re: [ovirt-users] LDAP Authentication
> 
> Hi Alon,
> 
> Below is the configuration which I have done, but I am unable to search the
> users in the UI.
> Can you please help me?

you need three files, see the 
/usr/share/ovirt-engine-extension-aaa-ldap/examples/simple

> 
> 
> [root@cstlb2 aaa]# cat ldap1.properties
> #
> # Select one
> #
> include = 
> #include = <389ds.properties>
> #include = 
> #include = 
> #include = 
> #include = 
> #include = 
> 
> #
> # Server
> #
> vars.server = my.abc.net
> 
> #
> # Search user and its password.
> #
> vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=abc,dc=net
> vars.password = company1
> 
> pool.default.serverset.single.server = ${global:vars.server}
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
> 
> # Create keystore, import certificate chain and uncomment
> # if using ssl/tls.
> #pool.default.ssl.startTLS = true
> #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
> #pool.default.ssl.truststore.password = changeit
> [root@cstlb2 aaa]#
> 
> 
> 
> On Tue, Sep 22, 2015 at 7:25 PM, Alon Bar-Lev  wrote:
> 
> >
> >
> > - Original Message -
> > > From: "Budur Nagaraju" 
> > > To: users@ovirt.org
> > > Sent: Tuesday, September 22, 2015 4:34:46 PM
> > > Subject: [ovirt-users] LDAP Authentication
> > >
> > > Hi all,
> > >
> > > Can someone help me configure LDAP authentication for oVirt?
> >
> > Please review:
> > http://www.ovirt.org/Features/AAA
> >
> > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0
> >
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] LDAP Authentication

2015-09-22 Thread Budur Nagaraju
Hi Alon,

Below is the configuration which I have done, but I am unable to search the
users in the UI.
Can you please help me?


[root@cstlb2 aaa]# cat ldap1.properties
#
# Select one
#
include = 
#include = <389ds.properties>
#include = 
#include = 
#include = 
#include = 
#include = 

#
# Server
#
vars.server = my.abc.net

#
# Search user and its password.
#
vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=abc,dc=net
vars.password = company1

pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
#pool.default.ssl.truststore.password = changeit
[root@cstlb2 aaa]#



On Tue, Sep 22, 2015 at 7:25 PM, Alon Bar-Lev  wrote:

>
>
> - Original Message -
> > From: "Budur Nagaraju" 
> > To: users@ovirt.org
> > Sent: Tuesday, September 22, 2015 4:34:46 PM
> > Subject: [ovirt-users] LDAP Authentication
> >
> > Hi all,
> >
> > Can someone help me configure LDAP authentication for oVirt?
>
> Please review:
> http://www.ovirt.org/Features/AAA
>
> https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0
>
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] LDAP Authentication

2015-09-22 Thread Alon Bar-Lev


- Original Message -
> From: "Budur Nagaraju" 
> To: users@ovirt.org
> Sent: Tuesday, September 22, 2015 4:34:46 PM
> Subject: [ovirt-users] LDAP Authentication
> 
> Hi all,
> 
> Can someone help me configure LDAP authentication for oVirt?

Please review:
http://www.ovirt.org/Features/AAA
https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


[ovirt-users] LDAP Authentication

2015-09-22 Thread Budur Nagaraju
Hi all,

Can someone help me configure LDAP authentication for oVirt?

Thanks,
Nagaraju
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] LDAP bind DN generation problem

2015-06-19 Thread Mitja Mihelič

On 18/06/15 14:49, Ondra Machacek wrote:

On 06/18/2015 02:07 PM, Mitja Mihelič wrote:

Hi!

Hi


We just upgraded oVirt from 3.4 to 3.5 and now users cannot select the 
LDAP domain on the login screen. Only internal is available.
Our LDAP server is actually a 389DS instance and we are using it for 
authentication in oVirt without Kerberos. The existing setup has 
worked since the days of 3.2.


When we try to validate the domain, we get
[root@brda ~]# engine-manage-domains validate
Error: Cannot authenticate user ovirt to domain guest.arnes.si, 
details: [LDAP: error code 32 - No Such Object]; nested exception is 
javax.naming.AuthenticationException: [LDAP: error code 32 - No Such 
Object]
Failure while testing domain guest.arnes.si. Details: Cannot 
authenticate user to LDAP server.


The LDAP log reports
[18/Jun/2015:13:52:38 +0200] conn=3 op=0 BIND 
dn="uid=ovirt,ou=Peopledc=guest,dc=arnes,dc=si" method=128 version=3

As you can see, there is a comma missing before "dc=guest,dc=arnes,dc=si".

Before the upgrade the bind DN was generated properly as
[18/Jun/2015:12:42:45 +0200] conn=10219 op=0 BIND 
dn="uid=ovirt,ou=People,dc=arnes,dc=si" method=128 version=3


So what is your search user's DN?
Is it:
dn="uid=ovirt,ou=People,dc=guest,dc=arnes,dc=si"

or

dn="uid=ovirt,ou=People,dc=arnes,dc=si"

Is it possible for you to try whether a different user works fine?
Because a user with a very similar DN works just fine for me.
At the time of posting I did not notice the difference, thanks for the 
spot. The correct DN is dn="uid=ovirt,ou=People,dc=arnes,dc=si".
Although that means that after upgrading to 3.5 the DN for the search 
user is formatted differently when issuing an LDAP bind request.


In the end we noticed that the AAA part of oVirt was reworked in 3.5. We 
deleted the old LDAP domain that we had manually inserted into the database 
back in the 3.2 days. Then we added LDAP as an authentication source as per 
the AAA instructions, which we found a bit vague. The README on GitHub for 
the AAA extension provided most of the information.


We also found that the format of external_id in the users table had been 
changed from fdfc627c-d875-11e0-90f0-83df133b58cc to 
fdfc627c-d87511e0-90f083df-133b58cc. So naturally users could not log 
in. Instead, additional users were created with this new-format 
external_id, a namespace of "dc=arnes,dc=si" and a new user_id.
We manually deleted the faux users, updated the external_id to the new 
format and added a namespace entry for the existing users.

That worked for us.

Kind regards, Mitja




This looks like a bug.
Is there a quick fix we can do to fix this typo?

We are also interested in knowing what the correct way is in 3.5 to 
add a domain that uses an LDAP server for its authentication source 
without Kerberos.


Please see the following links:
* https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD
* https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README.profile;hb=HEAD
* http://www.ovirt.org/Features/AAA
* https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=tree;f=examples;hb=HEAD
* https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l6
* https://github.com/machacekondra/ovirt-engine-kerbldap-migration



Kind regards, Mitja
--
--
Mitja Mihelič
ARNES, Tehnološki park 18, p.p. 7, SI-1001 Ljubljana, Slovenia
tel: +386 1 479 8800, fax: +386 1 479 88 99


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users




___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
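An added example (my own code, not from this thread or from oVirt): a small Python lint that pulls the BIND DN out of 389DS access-log lines, parses it per RFC 4514 and flags the symptom described above, an unescaped '=' inside an RDN value, which is exactly what the missing ',' between "ou=People" and "dc=guest" produces. The log lines are constructed, modelled on the two quoted in this message, and all function names are my own.

```python
import re
from typing import List, Tuple

# Matches the dn="..." field of a 389DS access-log BIND record; the inner group
# allows backslash-escaped characters (e.g. \" or \,) inside the DN.
BIND_RE = re.compile(r'\bBIND\s+dn="((?:[^"\\]|\\.)*)"')

# Attribute types are descriptors (letters, digits, '-') or dotted OIDs.
ATTR_TYPE_RE = re.compile(r'^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)$')

# Constructed sample log, modelled on the two BIND lines quoted in the thread
# plus one entry with a properly escaped comma in its RDN value.
SAMPLE_LOG = """\
[18/Jun/2015:13:52:38 +0200] conn=3 op=0 BIND dn="uid=ovirt,ou=Peopledc=guest,dc=arnes,dc=si" method=128 version=3
[18/Jun/2015:12:42:45 +0200] conn=10219 op=0 BIND dn="uid=ovirt,ou=People,dc=arnes,dc=si" method=128 version=3
[18/Jun/2015:13:55:01 +0200] conn=4 op=0 BIND dn="cn=Ops\\, Admin,ou=People,dc=arnes,dc=si" method=128 version=3
"""


def split_unescaped(text: str, sep: str) -> List[str]:
    """Split text on sep, keeping backslash escape sequences intact and
    never splitting on an escaped separator (RFC 4514 escaping)."""
    parts: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(text[i : i + 2])  # keep the escape pair verbatim
            i += 2
            continue
        if ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def parse_dn(dn: str) -> List[List[Tuple[str, str]]]:
    """Parse a string DN into a list of RDNs, each a list of (type, value)
    pairs. Values are returned still escaped, as they appear on the wire."""
    rdns: List[List[Tuple[str, str]]] = []
    for rdn in split_unescaped(dn, ","):
        avas: List[Tuple[str, str]] = []
        for ava in split_unescaped(rdn, "+"):
            attr_type, eq, value = ava.partition("=")
            if not eq:
                raise ValueError(f"RDN component without '=': {ava!r}")
            avas.append((attr_type.strip(), value))
        rdns.append(avas)
    return rdns


def lint_dn(dn: str) -> List[str]:
    """Return a list of problems with dn; an empty list means it looks sane."""
    try:
        rdns = parse_dn(dn)
    except ValueError as exc:
        return [str(exc)]
    problems: List[str] = []
    for avas in rdns:
        for attr_type, value in avas:
            if not ATTR_TYPE_RE.match(attr_type):
                problems.append(f"invalid attribute type {attr_type!r}")
            if value == "":
                problems.append(f"empty value for {attr_type!r}")
            # An unescaped '=' inside a value is legal but almost always means
            # two RDNs were glued together by a missing ',' (ou=Peopledc=guest).
            if len(split_unescaped(value, "=")) > 1:
                problems.append(
                    f"unescaped '=' in value of {attr_type!r} ({value!r}): "
                    "probable missing ',' between RDNs"
                )
    return problems


def check_bind_log(log_text: str) -> List[Tuple[str, List[str]]]:
    """Scan access-log text and return (dn, problems) for every BIND whose
    DN fails the lint; well-formed DNs are not reported."""
    findings: List[Tuple[str, List[str]]] = []
    for line in log_text.splitlines():
        match = BIND_RE.search(line)
        if not match:
            continue
        dn = match.group(1)
        problems = lint_dn(dn)
        if problems:
            findings.append((dn, problems))
    return findings


if __name__ == "__main__":
    for dn, problems in check_bind_log(SAMPLE_LOG):
        print(f'dn="{dn}"')
        for problem in problems:
            print(f"  - {problem}")
```

Run against the real access log of the directory server, the same scan will surface any other bind DN the engine assembles with a dropped separator.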


Re: [ovirt-users] LDAP bind DN generation problem

2015-06-19 Thread Alon Bar-Lev


- Original Message -
> From: "Mitja Mihelič" 
> To: "Alon Bar-Lev" 
> Cc: "Ondra Machacek" , users@ovirt.org
> Sent: Friday, June 19, 2015 4:54:32 PM
> Subject: Re: [ovirt-users] LDAP bind DN generation problem
> 
> 
> On 19. 06. 2015 12:44, Alon Bar-Lev wrote:
> >
> > - Original Message -
> >> From: "Mitja Mihelič" 
> >> To: "Ondra Machacek" , users@ovirt.org
> >> Sent: Friday, June 19, 2015 1:39:14 PM
> >> Subject: Re: [ovirt-users] LDAP bind DN generation problem
> >>
> >> On 18/06/15 14:49, Ondra Machacek wrote:
> >>
> >>
> >> On 06/18/2015 02:07 PM, Mitja Mihelič wrote:
> >>
> >>
> >> Hi!
> >> Hi
> >>
> >>
> >>
> >> We just upgraded oVirt from 3.4 to 3.5 and now users cannot select the LDAP
> >> domain on the login screen. Only internal is available.
> >> Our LDAP server is actually a 389DS instance and we are using it for
> >> authentication in oVirt without Kerberos. The existing setup has worked
> >> since the days of 3.2.
> >>
> >> When we try to validate the domain, we get
> >> [root@brda ~]# engine-manage-domains validate
> >> Error: Cannot authenticate user ovirt to domain guest.arnes.si, details:
> >> [LDAP: error code 32 - No Such Object]; nested exception is
> >> javax.naming.AuthenticationException: [LDAP: error code 32 - No Such
> >> Object]
> >> Failure while testing domain guest.arnes.si. Details: Cannot authenticate
> >> user to LDAP server.
> >>
> >> The LDAP log reports
> >> [18/Jun/2015:13:52:38 +0200] conn=3 op=0 BIND
> >> dn="uid=ovirt,ou=Peopledc=guest,dc=arnes,dc=si" method=128 version=3
> >> As you can see, there is a comma missing before "dc=guest,dc=arnes,dc=si".
> >>
> >> Before the upgrade the bind DN was generated properly as
> >> [18/Jun/2015:12:42:45 +0200] conn=10219 op=0 BIND
> >> dn="uid=ovirt,ou=People,dc=arnes,dc=si" method=128 version=3
> >>
> >> So what is your search user's DN?
> >> Is it:
> >> dn="uid=ovirt,ou=People,dc=guest,dc=arnes,dc=si"
> >>
> >> or
> >>
> >> dn="uid=ovirt,ou=People,dc=arnes,dc=si"
> >>
> >> Is it possible for you to try whether a different user works fine?
> >> Because a user with a very similar DN works just fine for me.
> >> At the time of posting I did not notice the difference, thanks for the
> >> spot.
> >> The correct DN is dn="uid=ovirt,ou=People,dc=arnes,dc=si".
> >> Although that means that after upgrading to 3.5 the DN for the search user
> >> is formatted differently when issuing an LDAP bind request.
> >>
> >> In the end we noticed that the AAA part of oVirt was reworked in 3.5. We
> >> deleted the old LDAP domain that we had manually inserted into the database
> >> back in the 3.2 days. Then we added LDAP as an authentication source as per
> >> the AAA instructions, which we found a bit vague. The README on GitHub for
> >> the AAA extension provided most of the information.
> >>
> >> We also found that the format of external_id in the users table had been
> >> changed from fdfc627c-d875-11e0-90f0-83df133b58cc to
> >> fdfc627c-d87511e0-90f083df-133b58cc. So naturally users could not log in.
> >> Instead, additional users were created with this new-format external_id, a
> >> namespace of "dc=arnes,dc=si" and a new user_id.
> >> We manually deleted the faux users, updated the external_id to the new
> >> format and added a namespace entry for the existing users.
> >> That worked for us.
> > The conversion tool should have taken care of all these. Have you tried to
> > use it?
> Sorry, no. We didn't know of its existence then. Can you provide a link
> to its page?

https://github.com/machacekondra/ovirt-engine-kerbldap-migration

> >
> >> Kind regards, Mitja
> >>
> >>
> >>
> >>
> >>
> >>
> >> This looks like a bug.
> >> Is there a quick fix we can do to fix this typo?
> >>
> >> We are also interested in knowing what the correct way is in 3.5 to add a
> >> domain that uses an LDAP server for its authentication source without
> >> Kerberos.
> >>
> >> Please see the following links:
> >> *
> >> https://gerrit.ovirt.org/gitweb?p=ovirt-engine-

Re: [ovirt-users] LDAP bind DN generation problem

2015-06-19 Thread Mitja Mihelič


On 19. 06. 2015 12:44, Alon Bar-Lev wrote:


- Original Message -

From: "Mitja Mihelič" 
To: "Ondra Machacek" , users@ovirt.org
Sent: Friday, June 19, 2015 1:39:14 PM
Subject: Re: [ovirt-users] LDAP bind DN generation problem

On 18/06/15 14:49, Ondra Machacek wrote:


On 06/18/2015 02:07 PM, Mitja Mihelič wrote:


Hi!
Hi



We just upgraded oVirt from 3.4 to 3.5 and now users cannot select the LDAP
domain on the login screen. Only internal is available.
Our LDAP server is actually a 389DS instance and we are using it for
authentication in oVirt without Kerberos. The existing setup has worked
since the days of 3.2.

When we try to validate the domain, we get
[root@brda ~]# engine-manage-domains validate
Error: Cannot authenticate user ovirt to domain guest.arnes.si, details:
[LDAP: error code 32 - No Such Object]; nested exception is
javax.naming.AuthenticationException: [LDAP: error code 32 - No Such Object]
Failure while testing domain guest.arnes.si. Details: Cannot authenticate
user to LDAP server.

The LDAP log reports
[18/Jun/2015:13:52:38 +0200] conn=3 op=0 BIND
dn="uid=ovirt,ou=Peopledc=guest,dc=arnes,dc=si" method=128 version=3
As you can see, there is a comma missing before "dc=guest,dc=arnes,dc=si".

Before the upgrade the bind DN was generated properly as
[18/Jun/2015:12:42:45 +0200] conn=10219 op=0 BIND
dn="uid=ovirt,ou=People,dc=arnes,dc=si" method=128 version=3

So what is your search user's DN?
Is it:
dn="uid=ovirt,ou=People,dc=guest,dc=arnes,dc=si"

or

dn="uid=ovirt,ou=People,dc=arnes,dc=si"

Is it possible for you to try whether a different user works fine?
Because a user with a very similar DN works just fine for me.
At the time of posting I did not notice the difference, thanks for the spot.
The correct DN is dn="uid=ovirt,ou=People,dc=arnes,dc=si".
Although that means that after upgrading to 3.5 the DN for the search user is
formatted differently when issuing an LDAP bind request.

In the end we noticed that the AAA part of oVirt was reworked in 3.5. We
deleted the old LDAP domain that we had manually inserted into the database
back in the 3.2 days. Then we added LDAP as an authentication source as per the
AAA instructions, which we found a bit vague. The README on GitHub for the AAA
extension provided most of the information.

We also found that the format of external_id in the users table had been
changed from fdfc627c-d875-11e0-90f0-83df133b58cc to
fdfc627c-d87511e0-90f083df-133b58cc. So naturally users could not log in.
Instead, additional users were created with this new-format external_id, a
namespace of "dc=arnes,dc=si" and a new user_id.
We manually deleted the faux users, updated the external_id to the new format
and added a namespace entry for the existing users.
That worked for us.

The conversion tool should have taken care of all these. Have you tried to use 
it?
Sorry, no. We didn't know of its existence then. Can you provide a link 
to its page?



Kind regards, Mitja






This looks like a bug.
Is there a quick fix we can do to fix this typo?

We are also interested in knowing what the correct way is in 3.5 to add a
domain that uses an LDAP server for its authentication source without
Kerberos.

Please see the following links:
* https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD
* https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README.profile;hb=HEAD
* http://www.ovirt.org/Features/AAA
* https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=tree;f=examples;hb=HEAD
* https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l6
* https://github.com/machacekondra/ovirt-engine-kerbldap-migration




Kind regards, Mitja
--
--
Mitja Mihelič
ARNES, Tehnološki park 18, p.p. 7, SI-1001 Ljubljana, Slovenia
tel: +386 1 479 8800, fax: +386 1 479 88 99


___
Users mailing list Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users



___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users



___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] LDAP bind DN generation problem

2015-06-19 Thread Alon Bar-Lev


- Original Message -
> From: "Mitja Mihelič" 
> To: "Ondra Machacek" , users@ovirt.org
> Sent: Friday, June 19, 2015 1:39:14 PM
> Subject: Re: [ovirt-users] LDAP bind DN generation problem
> 
> On 18/06/15 14:49, Ondra Machacek wrote:
> 
> 
> On 06/18/2015 02:07 PM, Mitja Mihelič wrote:
> 
> 
> Hi!
> Hi
> 
> 
> 
> We just upgraded oVirt from 3.4 to 3.5 and now users cannot select the LDAP
> domain on the login screen. Only internal is available.
> Our LDAP server is actually a 389DS instance and we are using it for
> authentication in oVirt without Kerberos. The existing setup has worked
> since the days of 3.2.
> 
> When we try to validate the domain, we get
> [root@brda ~]# engine-manage-domains validate
> Error: Cannot authenticate user ovirt to domain guest.arnes.si, details:
> [LDAP: error code 32 - No Such Object]; nested exception is
> javax.naming.AuthenticationException: [LDAP: error code 32 - No Such Object]
> Failure while testing domain guest.arnes.si. Details: Cannot authenticate
> user to LDAP server.
> 
> The LDAP log reports
> [18/Jun/2015:13:52:38 +0200] conn=3 op=0 BIND
> dn="uid=ovirt,ou=Peopledc=guest,dc=arnes,dc=si" method=128 version=3
> As you can see, there is a comma missing before "dc=guest,dc=arnes,dc=si".
> 
> Before the upgrade the bind DN was generated properly as
> [18/Jun/2015:12:42:45 +0200] conn=10219 op=0 BIND
> dn="uid=ovirt,ou=People,dc=arnes,dc=si" method=128 version=3
> 
> So what is your search user's DN?
> Is it:
> dn="uid=ovirt,ou=People,dc=guest,dc=arnes,dc=si"
> 
> or
> 
> dn="uid=ovirt,ou=People,dc=arnes,dc=si"
> 
> Is it possible for you to try whether a different user works fine?
> Because a user with a very similar DN works just fine for me.
> At the time of posting I did not notice the difference, thanks for the spot.
> The correct DN is dn="uid=ovirt,ou=People,dc=arnes,dc=si".
> Although that means that after upgrading to 3.5 the DN for the search user is
> formatted differently when issuing an LDAP bind request.
> 
> In the end we noticed that the AAA part of oVirt was reworked in 3.5. We
> deleted the old LDAP domain that we had manually inserted into the database
> back in the 3.2 days. Then we added LDAP as an authentication source as per the
> AAA instructions, which we found a bit vague. The README on GitHub for the AAA
> extension provided most of the information.
> 
> We also found that the format of external_id in the users table had been
> changed from fdfc627c-d875-11e0-90f0-83df133b58cc to
> fdfc627c-d87511e0-90f083df-133b58cc. So naturally users could not log in.
> Instead, additional users were created with this new-format external_id, a
> namespace of "dc=arnes,dc=si" and a new user_id.
> We manually deleted the faux users, updated the external_id to the new format
> and added a namespace entry for the existing users.
> That worked for us.

The conversion tool should have taken care of all these. Have you tried to use 
it?

> 
> Kind regards, Mitja
> 
> 
> 
> 
> 
> 
> This looks like a bug.
> Is there a quick fix we can do to fix this typo?
> 
> We are also interested in knowing what the correct way is in 3.5 to add a
> domain that uses an LDAP server for its authentication source without
> Kerberos.
> 
> Please see the following links:
> * https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD
> * https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README.profile;hb=HEAD
> * http://www.ovirt.org/Features/AAA
> * https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=tree;f=examples;hb=HEAD
> * https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l6
> * https://github.com/machacekondra/ovirt-engine-kerbldap-migration
> 
> 
> 
> 
> Kind regards, Mitja
> --
> --
> Mitja Mihelič
> ARNES, Tehnološki park 18, p.p. 7, SI-1001 Ljubljana, Slovenia
> tel: +386 1 479 8800, fax: +386 1 479 88 99
> 
> 
> ___
> Users mailing list Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
> 
> 
> ___
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] LDAP bind DN generation problem

2015-06-18 Thread Ondra Machacek

On 06/18/2015 02:07 PM, Mitja Mihelič wrote:

Hi!

Hi


We just upgraded oVirt from 3.4 to 3.5 and now users cannot select the 
LDAP domain on the login screen. Only internal is available.
Our LDAP server is actually a 389DS instance and we are using it for 
authentication in oVirt without Kerberos. The existing setup has 
worked since the days of 3.2.


When we try to validate the domain, we get
[root@brda ~]# engine-manage-domains validate
Error: Cannot authenticate user ovirt to domain guest.arnes.si, 
details: [LDAP: error code 32 - No Such Object]; nested exception is 
javax.naming.AuthenticationException: [LDAP: error code 32 - No Such 
Object]
Failure while testing domain guest.arnes.si. Details: Cannot 
authenticate user to LDAP server.


The LDAP log reports
[18/Jun/2015:13:52:38 +0200] conn=3 op=0 BIND 
dn="uid=ovirt,ou=Peopledc=guest,dc=arnes,dc=si" method=128 version=3

As you can see, there is a comma missing before "dc=guest,dc=arnes,dc=si".

Before the upgrade the bind DN was generated properly as
[18/Jun/2015:12:42:45 +0200] conn=10219 op=0 BIND 
dn="uid=ovirt,ou=People,dc=arnes,dc=si" method=128 version=3


So what is your search user's DN?
Is it:
dn="uid=ovirt,ou=People,dc=guest,dc=arnes,dc=si"

or

dn="uid=ovirt,ou=People,dc=arnes,dc=si"

Is it possible for you to try whether a different user works fine?
Because a user with a very similar DN works just fine for me.



This looks like a bug.
Is there a quick fix we can do to fix this typo?

We are also interested in knowing what the correct way is in 3.5 to 
add a domain that uses an LDAP server for its authentication source 
without Kerberos.


Please see the following links:

* https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD
* https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README.profile;hb=HEAD
* http://www.ovirt.org/Features/AAA
* https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=tree;f=examples;hb=HEAD
* https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l6
* https://github.com/machacekondra/ovirt-engine-kerbldap-migration




Kind regards, Mitja
--
--
Mitja Mihelič
ARNES, Tehnološki park 18, p.p. 7, SI-1001 Ljubljana, Slovenia
tel: +386 1 479 8800, fax: +386 1 479 88 99


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


[ovirt-users] LDAP bind DN generation problem

2015-06-18 Thread Mitja Mihelič

Hi!

We just upgraded oVirt from 3.4 to 3.5 and now users cannot select the 
LDAP domain on the login screen. Only internal is available.
Our LDAP server is actually a 389DS instance and we are using it for 
authentication in oVirt without Kerberos. The existing setup has worked 
since the days of 3.2.


When we try to validate the domain, we get
[root@brda ~]# engine-manage-domains validate
Error: Cannot authenticate user ovirt to domain guest.arnes.si, details: 
[LDAP: error code 32 - No Such Object]; nested exception is 
javax.naming.AuthenticationException: [LDAP: error code 32 - No Such Object]
Failure while testing domain guest.arnes.si. Details: Cannot 
authenticate user to LDAP server.


The LDAP log reports
[18/Jun/2015:13:52:38 +0200] conn=3 op=0 BIND 
dn="uid=ovirt,ou=Peopledc=guest,dc=arnes,dc=si" method=128 version=3

As you can see, there is a comma missing before "dc=guest,dc=arnes,dc=si".

Before the upgrade the bind DN was generated properly as
[18/Jun/2015:12:42:45 +0200] conn=10219 op=0 BIND 
dn="uid=ovirt,ou=People,dc=arnes,dc=si" method=128 version=3


This looks like a bug.
Is there a quick fix we can do to fix this typo?

We are also interested in knowing what the correct way is in 3.5 to add 
a domain that uses an LDAP server for its authentication source without 
Kerberos.


Kind regards, Mitja

--
--
Mitja Mihelič
ARNES, Tehnološki park 18, p.p. 7, SI-1001 Ljubljana, Slovenia
tel: +386 1 479 8800, fax: +386 1 479 88 99

___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [ovirt-users] LDAP Certificate Location?

2015-01-06 Thread Alon Bar-Lev
Please use the formal documentation and, if needed, help improve it.
References for SSL:

http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l153
http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l106
http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l147


- Original Message -
> From: "Donny Davis" 
> To: "Sandvik Agustin" , users@ovirt.org
> Sent: Wednesday, January 7, 2015 12:12:23 AM
> Subject: Re: [ovirt-users] LDAP Certificate Location?
> 
> 
> 
> In the article you referenced you didn't set up TLS
> On Jan 6, 2015 2:04 PM, Sandvik Agustin  wrote:
> 
> 
> 
> Hi Donny,
> 
> 
> Sorry to bother you at this time. I installed the 389ds by following this
> http://www.unixmen.com/setup-directory-serverldap-in-centos-6-4-rhel-6-4/
> and now I'm following your documentation at
> https://cloudspin.me/ovirt-simple-ldap-aaa/ . I'm wondering where I can
> find this CA or pem thing you mention on your website
> "/etc/pki/tls/cacerts/ldapCA.pem".
> 
> Thanks in Advance,
> 


Re: [ovirt-users] LDAP Certificate Location?

2015-01-06 Thread Donny Davis
In the article you referenced you didn't setup tls
On Jan 6, 2015 2:04 PM, Sandvik Agustin  wrote:
> Hi Donny,
> 
> Sorry to bother you at this time, I installed the 389ds by following this
> http://www.unixmen.com/setup-directory-serverldap-in-centos-6-4-rhel-6-4/
> and now I'm following your documentation at
> https://cloudspin.me/ovirt-simple-ldap-aaa/ I'm wondering if where can I
> find this CA or pem thing you mention on your website
> "/etc/pki/tls/cacerts/ldapCA.pem".
> 
> Thanks in Advance,


Re: [ovirt-users] LDAP

2014-11-20 Thread Alon Bar-Lev


- Original Message -
> From: "Koen Vanoppen" 
> To: users@ovirt.org
> Sent: Thursday, November 20, 2014 11:22:46 AM
> Subject: Re: [ovirt-users] LDAP
> 
> If it gets to ovirt 3.5.1 that indeed would be great. We don't have any
> issues for the moment, so we can wait for that release. It's only an error
> without problems :-).
> 

Thanks, however, if you test and find issues it can be better for 3.5.1 for all 
users :)

> Thanks in advance.
> 
> 2014-11-20 10:18 GMT+01:00 Alon Bar-Lev < alo...@redhat.com > :
> 
> 
> 
> 
> - Original Message -
> > From: "Koen Vanoppen" < vanoppen.k...@gmail.com >
> > To: users@ovirt.org
> > Sent: Thursday, November 20, 2014 11:11:57 AM
> > Subject: Re: [ovirt-users] LDAP
> > 
> > Is it stable? Because it is for production environment on the Brussels
> > Airport... Can't be messed around with :-)
> 
> Well, it is new... as any new component first should be tested in
> semi-production, if it meets your needs you can promote.
> From my tests it is more stable than the legacy implementation as it is much
> simpler, it does not rely on dns records, kerberos nor static configuration
> that is assumed to suit all.
> It also provides much better performance.
> I could release this now, but I am waiting to one first of ovirt-engine-3.5.1
> to make it easier to deploy,
> And of course I would like more people to test this and report back results.
> 
> > 
> > 2014-11-20 10:10 GMT+01:00 Alon Bar-Lev < alo...@redhat.com > :
> > 
> > 
> > 
> > 
> > 
> > - Original Message -
> > > From: "Koen Vanoppen" < vanoppen.k...@gmail.com >
> > > To: users@ovirt.org
> > > Sent: Thursday, November 20, 2014 10:51:06 AM
> > > Subject: [ovirt-users] LDAP
> > > 
> > > Hello everybody,
> > > 
> > > We updated our ovirt to 3.5, but now we see some errors concerning LDAP. I
> > > already searched online for a guide for the AAA config, but can't seem to
> > > find something...
> > > Does anybody already have a clear how-to for the AAA config?
> > > 
> > > This is the error we get sometimes in our engine.log (we are still able to
> > > login with ldap btw):
> > > 
> > > 2014-11-20 06:42:06,539 ERROR
> > > [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
> > > (ajp--127.0.0.1-8702-32) Failed ldap search server
> > > ldap://***.brussels.airport:*** using user @BRUSSELS.AIRPORT due to :
> > > [LDAP: error code 34 - 208F: LdapErr: DSID-0C09074B, comment: Error
> > > processing name, data 0, v23f0]; nested exception is
> > > javax.naming.InvalidNameException: : [LDAP: error code 34 - 208F:
> > > LdapErr: DSID-0C09074B, comment: Error processing name, data 0, v23f0];
> > > remaining name ''. We should try the next server
> > 
> > CCing Yair he might have a clue.
> > 
> > Would you like to test the next generation of LDAP provider? It should be
> > much simpler than current provider, it uses only LDAP protocol, and enables
> > you to customize almost everything.
> > 
> > It is available in ovirt-engine-3.5-snapshots repository, package name is
> > ovirt-engine-extension-aaa-ldap, documentation is available within package
> > and here[1], I will be glad to help if you decide to check it out.
> > 
> > Regards,
> > Alon Bar-Lev.
> > 
> > [1]
> > http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD
> > 
> > 


Re: [ovirt-users] LDAP

2014-11-20 Thread Koen Vanoppen
If it gets to ovirt 3.5.1 that indeed would be great. We don't have any
issues for the moment, so we can wait for that release. It's only an error
without problems :-).

Thanks in advance.

2014-11-20 10:18 GMT+01:00 Alon Bar-Lev :

>
>
> - Original Message -
> > From: "Koen Vanoppen" 
> > To: users@ovirt.org
> > Sent: Thursday, November 20, 2014 11:11:57 AM
> > Subject: Re: [ovirt-users] LDAP
> >
> > Is it stable? Because it is for production environment on the Brussels
> > Airport... Can't be messed around with :-)
>
> Well, it is new... as any new component first should be tested in
> semi-production, if it meets your needs you can promote.
> From my tests it is more stable than the legacy implementation as it is
> much simpler, it does not rely on dns records, kerberos nor static
> configuration that is assumed to suit all.
> It also provides much better performance.
> I could release this now, but I am waiting to one first of
> ovirt-engine-3.5.1 to make it easier to deploy,
> And of course I would like more people to test this and report back
> results.
>
> >
> > 2014-11-20 10:10 GMT+01:00 Alon Bar-Lev < alo...@redhat.com > :
> >
> >
> >
> >
> >
> > - Original Message -----
> > > From: "Koen Vanoppen" < vanoppen.k...@gmail.com >
> > > To: users@ovirt.org
> > > Sent: Thursday, November 20, 2014 10:51:06 AM
> > > Subject: [ovirt-users] LDAP
> > >
> > > Hello everybody,
> > >
> > > We updated our ovirt to 3.5, but now we see some errors concerning LDAP. I
> > > already searched online for a guide for the AAA config, but can't seem to
> > > find something...
> > > Does anybody already have a clear how-to for the AAA config?
> > >
> > > This is the error we get sometimes in our engine.log (we are still able to
> > > login with ldap btw):
> > >
> > > 2014-11-20 06:42:06,539 ERROR
> > > [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
> > > (ajp--127.0.0.1-8702-32) Failed ldap search server
> > > ldap://***.brussels.airport:*** using user @BRUSSELS.AIRPORT due to :
> > > [LDAP: error code 34 - 208F: LdapErr: DSID-0C09074B, comment: Error
> > > processing name, data 0, v23f0]; nested exception is
> > > javax.naming.InvalidNameException: : [LDAP: error code 34 - 208F:
> > > LdapErr: DSID-0C09074B, comment: Error processing name, data 0, v23f0];
> > > remaining name ''. We should try the next server
> >
> > CCing Yair he might have a clue.
> >
> > Would you like to test the next generation of LDAP provider? It should be
> > much simpler than current provider, it uses only LDAP protocol, and enables
> > you to customize almost everything.
> >
> > It is available in ovirt-engine-3.5-snapshots repository, package name is
> > ovirt-engine-extension-aaa-ldap, documentation is available within package
> > and here[1], I will be glad to help if you decide to check it out.
> >
> > Regards,
> > Alon Bar-Lev.
> >
> > [1]
> > http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD
> >
> >


Re: [ovirt-users] LDAP

2014-11-20 Thread Alon Bar-Lev


- Original Message -
> From: "Koen Vanoppen" 
> To: users@ovirt.org
> Sent: Thursday, November 20, 2014 11:11:57 AM
> Subject: Re: [ovirt-users] LDAP
> 
> Is it stable? Because it is for production environment on the Brussels
> Airport... Can't be messed around with :-)

Well, it is new... as any new component first should be tested in 
semi-production, if it meets your needs you can promote.
From my tests it is more stable than the legacy implementation as it is much 
simpler, it does not rely on dns records, kerberos nor static configuration 
that is assumed to suit all.
It also provides much better performance.
I could release this now, but I am waiting to one first of ovirt-engine-3.5.1 
to make it easier to deploy,
And of course I would like more people to test this and report back results.

> 
> 2014-11-20 10:10 GMT+01:00 Alon Bar-Lev < alo...@redhat.com > :
> 
> 
> 
> 
> 
> - Original Message -
> > From: "Koen Vanoppen" < vanoppen.k...@gmail.com >
> > To: users@ovirt.org
> > Sent: Thursday, November 20, 2014 10:51:06 AM
> > Subject: [ovirt-users] LDAP
> > 
> > Hello everybody,
> > 
> > We updated our ovirt to 3.5, but now we see some errors concerning LDAP. I
> > already searched online for a guide for the AAA config, but can't seem to
> > find something...
> > Does anybody already have a clear how-to for the AAA config?
> > 
> > This is the error we get sometimes in our engine.log (we are still able to
> > login with ldap btw):
> > 
> > 2014-11-20 06:42:06,539 ERROR
> > [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
> > (ajp--127.0.0.1-8702-32) Failed ldap search server
> > ldap://***.brussels.airport:*** using user @BRUSSELS.AIRPORT due to :
> > [LDAP: error code 34 - 208F: LdapErr: DSID-0C09074B, comment: Error
> > processing name, data 0, v23f0]; nested exception is
> > javax.naming.InvalidNameException: : [LDAP: error code 34 - 208F:
> > LdapErr: DSID-0C09074B, comment: Error processing name, data 0, v23f0];
> > remaining name ''. We should try the next server
> 
> CCing Yair he might have a clue.
> 
> Would you like to test the next generation of LDAP provider? It should be
> much simpler than current provider, it uses only LDAP protocol, and enables
> you to customize almost everything.
> 
> It is available in ovirt-engine-3.5-snapshots repository, package name is
> ovirt-engine-extension-aaa-ldap, documentation is available within package
> and here[1], I will be glad to help if you decide to check it out.
> 
> Regards,
> Alon Bar-Lev.
> 
> [1]
> http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD
> 
> 


Re: [ovirt-users] LDAP

2014-11-20 Thread Koen Vanoppen
It's a complete update of ovirt 3.4.2 to 3.5. No DWH and reports installed
on the engine. Everything works fine. Even Ldap. It's just the error that
sometimes shows up now since the update. Ldap comes from active directory
(windows server 2012).

2014-11-20 10:12 GMT+01:00 Yair Zaslavsky :

>
>
> - Original Message -
> > From: "Koen Vanoppen" 
> > To: users@ovirt.org
> > Sent: Thursday, November 20, 2014 10:51:06 AM
> > Subject: [ovirt-users] LDAP
> >
> > Hello everybody,
> >
> > We updated our ovirt to 3.5, but now we see some errors concerning LDAP. I
> > already searched online for a guide for the AAA config, but can't seem to
> > find something...
> > Does anybody already have a clear how-to for the AAA config?
> >
> > This is the error we get sometimes in our engine.log (we are still able to
> > login with ldap btw):
> >
> > 2014-11-20 06:42:06,539 ERROR
> > [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
> > (ajp--127.0.0.1-8702-32) Failed ldap search server
> > ldap://***.brussels.airport:*** using user @BRUSSELS.AIRPORT due to :
> > [LDAP: error code 34 - 208F: LdapErr: DSID-0C09074B, comment: Error
> > processing name, data 0, v23f0]; nested exception is
> > javax.naming.InvalidNameException: : [LDAP: error code 34 - 208F:
> > LdapErr: DSID-0C09074B, comment: Error processing name, data 0, v23f0];
> > remaining name ''. We should try the next server
> >
> > Kind regards,
> >
> > Koen
>
> So I understand this is not 100% right?
> Can you share more on the upgrade? Are you working with openldap? Have you
> upgraded anything else?
>
> >


Re: [ovirt-users] LDAP

2014-11-20 Thread Koen Vanoppen
Is it stable? Because it is for production environment on the Brussels
Airport... Can't be messed around with :-)

2014-11-20 10:10 GMT+01:00 Alon Bar-Lev :

>
>
> - Original Message -
> > From: "Koen Vanoppen" 
> > To: users@ovirt.org
> > Sent: Thursday, November 20, 2014 10:51:06 AM
> > Subject: [ovirt-users] LDAP
> >
> > Hello everybody,
> >
> > We updated our ovirt to 3.5, but now we see some errors concerning LDAP. I
> > already searched online for a guide for the AAA config, but can't seem to
> > find something...
> > Does anybody already have a clear how-to for the AAA config?
> >
> > This is the error we get sometimes in our engine.log (we are still able to
> > login with ldap btw):
> >
> > 2014-11-20 06:42:06,539 ERROR
> > [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
> > (ajp--127.0.0.1-8702-32) Failed ldap search server
> > ldap://***.brussels.airport:*** using user @BRUSSELS.AIRPORT due to :
> > [LDAP: error code 34 - 208F: LdapErr: DSID-0C09074B, comment: Error
> > processing name, data 0, v23f0]; nested exception is
> > javax.naming.InvalidNameException: : [LDAP: error code 34 - 208F:
> > LdapErr: DSID-0C09074B, comment: Error processing name, data 0, v23f0];
> > remaining name ''. We should try the next server
>
> CCing Yair he might have a clue.
>
> Would you like to test the next generation of LDAP provider? It should be
> much simpler than current provider, it uses only LDAP protocol, and enables
> you to customize almost everything.
>
> It is available in ovirt-engine-3.5-snapshots repository, package name is
> ovirt-engine-extension-aaa-ldap, documentation is available within package
> and here[1], I will be glad to help if you decide to check it out.
>
> Regards,
> Alon Bar-Lev.
>
> [1]
> http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD
>


Re: [ovirt-users] LDAP

2014-11-20 Thread Yair Zaslavsky


- Original Message -
> From: "Koen Vanoppen" 
> To: users@ovirt.org
> Sent: Thursday, November 20, 2014 10:51:06 AM
> Subject: [ovirt-users] LDAP
> 
> Hello everybody,
> 
> We updated our ovirt to 3.5, but now we see some errors concerning LDAP. I
> already searched online for a guide for the AAA config, but can't seem to
> find something...
> Does anybody already have a clear how-to for the AAA config?
> 
> This is the error we get sometimes in our engine.log (we are still able to
> login with ldap btw):
> 
> 2014-11-20 06:42:06,539 ERROR
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
> (ajp--127.0.0.1-8702-32) Failed ldap search server
> ldap://***.brussels.airport:*** using user @BRUSSELS.AIRPORT due to :
> [LDAP: error code 34 - 208F: LdapErr: DSID-0C09074B, comment: Error
> processing name, data 0, v23f0]; nested exception is
> javax.naming.InvalidNameException: : [LDAP: error code 34 - 208F:
> LdapErr: DSID-0C09074B, comment: Error processing name, data 0, v23f0];
> remaining name ''. We should try the next server
> 
> Kind regards,
> 
> Koen

So I understand this is not 100% right?
Can you share more on the upgrade? Are you working with openldap? Have you 
upgraded anything else?

> 


Re: [ovirt-users] LDAP

2014-11-20 Thread Alon Bar-Lev


- Original Message -
> From: "Koen Vanoppen" 
> To: users@ovirt.org
> Sent: Thursday, November 20, 2014 10:51:06 AM
> Subject: [ovirt-users] LDAP
> 
> Hello everybody,
> 
> We updated our ovirt to 3.5, but now we see some errors concerning LDAP. I
> already searched online for a guide for the AAA config, but can't seem to
> find something...
> Does anybody already have a clear how-to for the AAA config?
> 
> This is the error we get sometimes in our engine.log (we are still able to
> login with ldap btw):
> 
> 2014-11-20 06:42:06,539 ERROR
> [org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
> (ajp--127.0.0.1-8702-32) Failed ldap search server
> ldap://***.brussels.airport:*** using user @BRUSSELS.AIRPORT due to :
> [LDAP: error code 34 - 208F: LdapErr: DSID-0C09074B, comment: Error
> processing name, data 0, v23f0]; nested exception is
> javax.naming.InvalidNameException: : [LDAP: error code 34 - 208F:
> LdapErr: DSID-0C09074B, comment: Error processing name, data 0, v23f0];
> remaining name ''. We should try the next server

CCing Yair he might have a clue.

Would you like to test the next generation of LDAP provider? It should be much 
simpler than current provider, it uses only LDAP protocol, and enables you to 
customize almost everything.

It is available in ovirt-engine-3.5-snapshots repository, package name is 
ovirt-engine-extension-aaa-ldap, documentation is available within package and 
here[1], I will be glad to help if you decide to check it out.

Regards,
Alon Bar-Lev.

[1] 
http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD


[ovirt-users] LDAP

2014-11-20 Thread Koen Vanoppen
Hello everybody,

We updated our ovirt to 3.5, but now we see some errors concerning LDAP. I
already searched online for a guide for the AAA config, but can't seem to
find something...
Does anybody already have a clear how-to for the AAA config?

This is the error we get sometimes in our engine.log (we are still able to
login with ldap btw):

2014-11-20 06:42:06,539 ERROR
[org.ovirt.engine.extensions.aaa.builtin.kerberosldap.DirectorySearcher]
(ajp--127.0.0.1-8702-32) Failed ldap search server
ldap://***.brussels.airport:*** using user @BRUSSELS.AIRPORT due to :
[LDAP: error code 34 - 208F: LdapErr: DSID-0C09074B, comment: Error
processing name, data 0, v23f0]; nested exception is
javax.naming.InvalidNameException: : [LDAP: error code 34 - 208F:
LdapErr: DSID-0C09074B, comment: Error processing name, data 0, v23f0];
remaining name ''. We should try the next server

Kind regards,

Koen


Re: [Users] ldap

2013-03-28 Thread Oved Ourfalli


- Original Message -
> From: "Ryan Wilkinson" 
> To: users@ovirt.org
> Sent: Thursday, March 28, 2013 2:42:56 PM
> Subject: [Users] ldap
> 
> 
> 
> I'm able to set up Active Directory authentication if my ovirt engine
> is set to use dns that is hosted on the same system as Active
> Directory. However, if I use static host entries in my engine
> "hosts" file instead of using dns I'm getting the error "ldap server
> for domain not found" when I issue the command:
> "engine-manage-domains -action=add -domain='ovirt.local'
> -user='admin' -provider=ActiveDirectory -interactive" from the
> engine. I've googled to death how to configure static entries on my
> engine system for the ldap server and it seems that I need to
> configure my nsswitch and ldap.conf files but still no luck... Any
> ideas??
Hi Ryan,

To work with LDAP you currently need to have both LDAP and Kerberos SRV records 
in the DNS, as well as a PTR record.
If you would like to work locally I can suggest working with dnsmasq 
(lightweight DHCP and caching DNS server) locally, defining these entries 
there, and setting /etc/resolv.conf properly, so that it would access it.

The configuration is in /etc/dnsmasq.conf (or in /etc/dnsmasq.d/...).
Example for LDAP and Kerberos records:
srv-host=_ldap._tcp.my_domain.com,ad.my_domain.com,389
srv-host=_kerberos._tcp.my_domain.com,ad.my_domain.com,88

and, afaik, it also takes /etc/hosts and creates PTR records for the entries 
there, so that should be enough, if you add your AD host in /etc/hosts (I guess 
you can also add those manually in dnsmasq).

Let me know if you need further assistance.

Oved

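Oved's answer lists what the legacy provider needs from DNS: an _ldap._tcp and a _kerberos._tcp SRV record for the domain plus a PTR record for the server, which dnsmasq can serve from srv-host lines and /etc/hosts. The pre-flight check below is an added example, not code from the thread or from oVirt: it parses a dnsmasq config and a hosts file and reports which of those records are missing before engine-manage-domains is run. It assumes, as Oved noted, that dnsmasq derives PTR answers from /etc/hosts; the config and hosts text are constructed samples.

```python
"""
Pre-flight check for the DNS records oVirt's legacy Kerberos/LDAP provider
looks up: an _ldap._tcp and a _kerberos._tcp SRV record for the domain, and a
PTR record for each SRV target.  Following Oved's note in the thread, PTR
answers are assumed to come from /etc/hosts entries that dnsmasq reads.
Added example; the config and hosts text below are constructed samples.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# dnsmasq syntax: srv-host=<_service._proto.domain>,<target>[,<port>[,...]]
SRV_LINE = re.compile(
    r"^\s*srv-host=(?P<name>[^,\s]+),(?P<target>[^,\s]*)(?:,(?P<port>\d+))?")
REQUIRED_SERVICES = ("_ldap._tcp", "_kerberos._tcp")

SAMPLE_CONF = """\
# constructed sample: /etc/dnsmasq.d/ovirt.conf
srv-host=_ldap._tcp.my_domain.com,ad.my_domain.com,389
srv-host=_kerberos._tcp.my_domain.com,ad.my_domain.com,88
"""
SAMPLE_CONF_NO_KRB = "srv-host=_ldap._tcp.my_domain.com,ad.my_domain.com,389\n"
SAMPLE_HOSTS = """\
127.0.0.1   localhost
192.0.2.10  ad.my_domain.com ad    # constructed AD host entry
"""


@dataclass(frozen=True)
class SrvRecord:
    name: str    # e.g. _ldap._tcp.my_domain.com (lowercased)
    target: str  # host the record points at (lowercased, no trailing dot)
    port: int | None


def parse_srv_hosts(conf: str) -> list[SrvRecord]:
    """Collect srv-host records from dnsmasq.conf text; comments are ignored."""
    records = []
    for raw in conf.splitlines():
        m = SRV_LINE.match(raw.split("#", 1)[0])
        if not m:
            continue
        port = int(m["port"]) if m["port"] else None
        records.append(SrvRecord(m["name"].lower().rstrip("."),
                                 m["target"].lower().rstrip("."), port))
    return records


def parse_hosts(hosts: str) -> dict[str, str]:
    """Map every hostname in /etc/hosts text to its address."""
    names: dict[str, str] = {}
    for raw in hosts.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            for name in fields[1:]:
                names[name.lower()] = fields[0]
    return names


def check_domain(domain: str, conf: str, hosts: str) -> list[str]:
    """Return the prerequisites from the thread that are missing for `domain`;
    an empty list means both SRV records exist and their targets get a PTR."""
    domain = domain.lower().rstrip(".")
    records = parse_srv_hosts(conf)
    known_hosts = parse_hosts(hosts)
    problems = []
    for service in REQUIRED_SERVICES:
        wanted = f"{service}.{domain}"
        matches = [r for r in records if r.name == wanted]
        if not matches:
            problems.append(f"missing SRV record {wanted}")
        for r in matches:
            if r.port is None:
                problems.append(f"{wanted} has no port")
            if r.target not in known_hosts:
                problems.append(f"SRV target {r.target} of {wanted} has no "
                                f"/etc/hosts entry, so no PTR record")
    return problems


if __name__ == "__main__":
    for label, conf in (("complete", SAMPLE_CONF), ("no kerberos", SAMPLE_CONF_NO_KRB)):
        print(f"{label}: {check_domain('my_domain.com', conf, SAMPLE_HOSTS) or 'OK'}")
```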


[Users] ldap

2013-03-28 Thread Ryan Wilkinson
I'm able to set up Active Directory authentication if my ovirt engine is
set to use dns that is hosted on the same system as Active Directory.
However, if I use static host entries in my engine "hosts" file instead of
using dns I'm getting the error "ldap server for domain not found" when I
issue the command: "engine-manage-domains -action=add -domain='ovirt.local'
-user='admin' -provider=ActiveDirectory -interactive" from the engine. I've
googled to death how to configure static entries on my engine system for
the ldap server and it seems that I need to configure my nsswitch and
ldap.conf files but still no luck... Any ideas??


Re: [Users] ldap simple

2013-03-19 Thread Jure Kranjc
389 DS is so far working as expected. Thank you for your clarification, 
somehow missed that out.


On 19.3.2013 21:56, Itamar Heim wrote:

On 03/19/2013 05:26 PM, Yair Zaslavsky wrote:

Why openldap server?
We do not support openldap at the moment.


hopefully, the changes to auth part will make it for 3.3 to cover 
that, but depends on progress there.

*From: *"Jure Kranjc" 
*To: *users@ovirt.org
*Sent: *Tuesday, March 19, 2013 3:50:49 PM
*Subject: *Re: [Users] ldap simple

Hi.

Further testing...
- Setup: one ldap server with added user to match ovirt searches
(while adding user in webadmin),
- Fedora 18, engine 3.2.1, openldap-server, simple authentication,
no firewalls,
- with packet inspection we can see ldap responding with requested
attributes
- still, there are errors in logs, see below, and no users are
listed in webadmin, engine fails to parse given attributes
- engine-manage-domains -action=validate returns "Invalid
credentials" even though binding is ok and ldap is replying with 
data.


Can anyone point us to some documentation on this topic?
Is really AD the only good solution for user management?

engine.log
2013-03-19 15:16:53,042 ERROR
[org.ovirt.engine.core.bll.adbroker.LDAPTemplateWrapper]
(ajp--127.0.0.1-8702-3) Error in running LDAP query. BaseDN is ,
filter is (&(&(objectClass=person))
(|(givenname=test)(sn=test)(uid=test)(uid=test))). Exception message
is: null
2013-03-19 15:16:53,043 ERROR
[org.ovirt.engine.core.bll.adbroker.DirectorySearcher]
(ajp--127.0.0.1-8702-3) Failed ldap search server
ldap://ldaphost.domain.si:389 due to null. We should try the next 
server


server.log
2013-03-19 15:17:24,113 ERROR
[org.springframework.ldap.control.AbstractRequestControlDirContextProcessor]
(ajp--127.0.0.1-8702-6) No matching response control found for paged
results - looking for 'class
javax.naming.ldap.PagedResultsResponseControl



On 03/18/2013 09:09 AM, Yair Zaslavsky wrote:

Hi,
We're issuing a RootDSE query (once per LDAP domain configured).
We try to obtain from it the "defaultNamingContext" attribute.
If does not exist - we try to obtain ""NamingContexts"
We store the result at a "domainDn" (we have a data structure
which maps domains to information objects, one of the fields at
the information object is the DN of the domain)  field, and we
use it to compose the full ldap URL we send the queries to.

*From: *"Andrej Bagon" 
*To: *"Itamar Heim" 
*Cc: *users@ovirt.org, "Yair Zaslavsky" , "Oved Ourfalli" 
*Sent: *Monday, March 18, 2013 9:07:06 AM
*Subject: *Re: [Users] ldap simple

Hi,

the system is trying to bind to ldap as:
bind request:
uid=cn=ovirt,cn=Users,cn=Accounts,dc=ourdomain,dc=si

I don't know how it knows dc=ourdomain,dc=si
It should be
bind request: cn=ovirt,ou=system,dc=ourdomain,dc=si" -b
"dc=arnes,dc=si

The same with the search: we have users in form as:
edupersonprincipalname=usern...@users.ourdomain.si,dc=users,dc=ourdomain,dc=si

values in database:
select * from vdc_options where option_name in
('DomainName','LdapServers','LDAPSecurityAuthentication','LDAPProviderTypes','AdUserName','AdUserPassword')
order by option_id;
 option_id |        option_name         |              option_value              | version
-----------+----------------------------+----------------------------------------+---------
        10 | AdUserName                 | users.ourdomain.si:ovirt               | general
        11 | AdUserPassword             | users.ourdomain.si:adminpassword       | general
        69 | DomainName                 | users.ourdomain.si                     | general
       130 | LDAPSecurityAuthentication | users.ourdomain.si:SIMPLE              | general
       132 | LdapServers                | users.ourdomain.si:server.ourdomain.si | general
       133 | LDAPProviderTypes          | users.ourdomain.si:rhds                | general
(6 rows)

Best Regards,
Andrej Bagon


On 03/15/2013 12:09 PM, Itamar Heim wrote:

On 03/14/2013 01:58 PM, Andrej Bagon wrote:
