Re: [ovirt-users] Setting Base DN for LDAP authentication
Hello,

many thanks to Alon! We have a working setup with support for base dn. The special challenge in our setup is the constraint of specifying a base dn for every ldap search and referrals inside the branches that must be processed. If anyone has the same problem, our working configuration with a slightly newer version of ovirt-engine-extension-aaa-ldap is:

$ cat /etc/ovirt-engine/aaa/company-ldap.properties
include = rfc2307-openldap.properties
vars.server = ldap.company.de
vars.user = cn=system,dc=company,dc=de
vars.password = password
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
sequence.my-basedn-init-vars.010.description = set baseDN
sequence.my-basedn-init-vars.010.type = var-set
sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
sequence.my-basedn-init-vars.010.var-set.value = dc=company,dc=de
search.default.search-request.derefPolicy = ALWAYS

Best regards
Jannick
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
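As an added example (not code from this thread or from ovirt-engine-extension-aaa-ldap), the Python script below reads a profile in the syntax used above (key = value lines, ${global:...} references and var-set steps), resolves the effective server, bind DN, password and base DN, and reports the points the thread turned on: a missing base DN override, which leaves the extension to the RootDSE namingContexts, and a placeholder bind password. It handles only the subset of the profile syntax shown here (included files are not read), and parse_profile, resolve, var_set_values, effective_settings and review are names of my own.

```python
import re

# Constructed sample: the working profile posted above, as one string.
SAMPLE_PROFILE = """\
include = rfc2307-openldap.properties
vars.server = ldap.company.de
vars.user = cn=system,dc=company,dc=de
vars.password = password
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
sequence.my-basedn-init-vars.010.description = set baseDN
sequence.my-basedn-init-vars.010.type = var-set
sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
sequence.my-basedn-init-vars.010.var-set.value = dc=company,dc=de
search.default.search-request.derefPolicy = ALWAYS
"""
_REF = re.compile(r"\$\{global:([^}]+)\}")               # ${global:vars.server}
_STEP = re.compile(r"^sequence\.([^.]+)\.(\d+)\.type$")  # sequence.NAME.NNN.type

def parse_profile(text):
    """Parse 'key = value' lines into a dict; blanks and # comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        props[key.strip()] = value.strip()
    return props

def resolve(props, value):
    """Expand ${global:KEY} references against keys of the same profile."""
    return _REF.sub(lambda m: resolve(props, props[m.group(1)]), value)

def var_set_values(props):
    """Variables assigned by var-set steps, applied in step (number) order."""
    assigned = {}
    for key, value in sorted(props.items()):
        m = _STEP.match(key)
        if m and value == "var-set":
            prefix = "sequence.%s.%s.var-set." % m.groups()
            assigned[props[prefix + "variable"]] = resolve(props, props[prefix + "value"])
    return assigned

def effective_settings(text):
    """The values the extension would actually use for this profile."""
    props = parse_profile(text)
    assigned = var_set_values(props)
    def get(key):
        return resolve(props, props[key]) if key in props else None
    return {
        "server": get("pool.default.serverset.single.server"),
        "bindDN": get("pool.default.auth.simple.bindDN"),
        "password": get("pool.default.auth.simple.password"),
        "baseDN": assigned.get("simple_baseDN"),  # None: no override configured
        "derefPolicy": get("search.default.search-request.derefPolicy"),
    }

def review(settings):
    """Findings worth checking before the profile goes live."""
    findings = []
    if settings["password"] in (None, "", "password"):
        findings.append("bind password is empty or the literal placeholder")
    if settings["baseDN"] is None:
        findings.append("no baseDN override: RootDSE namingContexts will be used")
    return findings
```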
Re: [ovirt-users] Setting Base DN for LDAP authentication
----- Original Message -----
From: jdel...@web.de
To: Alon Bar-Lev alo...@redhat.com
Cc: users@ovirt.org
Sent: Monday, January 12, 2015 4:16:17 PM
Subject: Re: [ovirt-users] Setting Base DN for LDAP authentication

> Hello,
>
> many thanks to Alon! We have a working setup with support for base dn. The special challenge in our setup is the constraint of specifying a base dn for every ldap search and referrals inside the branches that must be processed. If anyone has the same problem, our working configuration with a slightly newer version of ovirt-engine-extension-aaa-ldap is:

Note that this environment has more than only the baseDN issue, it also requires dereferencing references at the server side. Most environments should not require this, nor have an invalid baseDN in their rootDSE naming context. In this specific environment a query for baseDN X results in baseDN Y. Thank you Jannick for the problem determination process. Supporting baseDN X-Y will be formally released in 1.0.2.

> $ cat /etc/ovirt-engine/aaa/company-ldap.properties
> include = rfc2307-openldap.properties
> vars.server = ldap.company.de
> vars.user = cn=system,dc=company,dc=de
> vars.password = password
> pool.default.serverset.single.server = ${global:vars.server}
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
> sequence-init.init.100-my-basedn-init-vars = my-basedn-init-vars
> sequence.my-basedn-init-vars.010.description = set baseDN
> sequence.my-basedn-init-vars.010.type = var-set
> sequence.my-basedn-init-vars.010.var-set.variable = simple_baseDN
> sequence.my-basedn-init-vars.010.var-set.value = dc=company,dc=de
> search.default.search-request.derefPolicy = ALWAYS
>
> Best regards
> Jannick
Re: [ovirt-users] Setting Base DN for LDAP authentication
Hello Ondra,

>> I'm trying to configure LDAP authentication with oVirt 3.5 and ovirt-engine-extension-aaa-ldap. I chose the simple bind transport example. But the given examples are missing the explicit specification of a base dn. Could you please advise me how this can be done?
>>
>> [...]
>>
>> I could not use namingContexts from RootDSE cause this results in base dn dc=de instead of dc=company,dc=de.
>
> Can you try user 'cn=Manager', I think it's incorrectly configured ACL.

Nice try, but this is no proper solution for the problem. Raising privileges should always be avoided. Alon is currently troubleshooting this issue and he is close to finding a good solution.

Best regards
Jannick
Re: [ovirt-users] Setting Base DN for LDAP authentication
Hello Alon,

> All over? :)

Traveling into the past. This e-mail comes from Mailman's moderator queue. It was sent before I was registered. And after being registered I was unable to cancel the e-mail, because Mailman always told me the token was unknown.

The problem is solved to my complete satisfaction.

Kind regards
Jannick
Re: [ovirt-users] Setting Base DN for LDAP authentication
----- Original Message -----
From: jdel...@web.de
To: users@ovirt.org
Sent: Friday, January 9, 2015 8:31:19 AM
Subject: [ovirt-users] Setting Base DN for LDAP authentication

> Hello,
>
> I'm trying to configure LDAP authentication with oVirt 3.5 and ovirt-engine-extension-aaa-ldap. I chose the simple bind transport example. But the given examples are missing the explicit specification of a base dn. Could you please advise me how this can be done?
>
> My current configuration:
>
> [jd@om01 ovirt-engine]$ cat aaa/company-ldap.properties
> include = openldap.properties
> vars.server = ldap.company.de
> vars.user = cn=system,dc=company,dc=de
> vars.password = password
> pool.default.serverset.single.server = ${global:vars.server}
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
>
> [jd@om01 ovirt-engine]$ cat company-ldap-authn.properties
> ovirt.engine.extension.name = company-ldap-authn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> ovirt.engine.aaa.authn.profile.name = company-ldap
> ovirt.engine.aaa.authn.authz.plugin = company-ldap-authz
> config.profile.file.1 = /etc/ovirt-engine/aaa/company-ldap.properties
>
> [jd@om01 ovirt-engine]$ cat company-ldap-authz.properties
> ovirt.engine.extension.name = company-ldap-authz
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> config.profile.file.1 = /etc/ovirt-engine/aaa/company-ldap.properties
>
> [jd@om01 ovirt-engine]$ ldapsearch -H ldap://ldap.company.de -D cn=system,dc=company,dc=de -W -b dc=company,dc=de cn=jdeloro
> # extended LDIF
> #
> # LDAPv3
> # base <dc=company,dc=de> with scope subtree
> # filter: cn=jdeloro
> # requesting: ALL
> #
>
> # jdeloro, users, admins, company.de
> dn: cn=jdeloro,ou=users,ou=admins,dc=company,dc=de
> [... and many more lines ...]
>
> I could not use namingContexts from RootDSE cause this results in base dn dc=de instead of dc=company,dc=de.

Can you explain why the namingContexts is not sufficient? Just for me to know and maybe enable easier override? It should contain a valid base DN for you to use.

You have two options to fix this:

1. Add another attribute to openldap, let's say myNamingContext, with a valid value and add the following to the profile (company-ldap.properties):

sequence-init.init.610-my-openldap-init-vars = my-openldap-init-vars
sequence.my-openldap-init-vars.010.description = set base dn
sequence.my-openldap-init-vars.010.type = var-set
sequence.my-openldap-init-vars.010.var-set.variable = simple_attrsBaseDN
sequence.my-openldap-init-vars.010.var-set.value = myNamingContexts

2. Another option is to enforce baseDN (company-ldap.properties):

sequence-init.open.910-my-openldap-init-vars = my-openldap-init-vars
sequence.my-openldap-init-vars.010.description = set base dn
sequence.my-openldap-init-vars.010.type = var-set
sequence.my-openldap-init-vars.010.var-set.variable = _simple_baseDN
sequence.my-openldap-init-vars.010.var-set.value = dc=company,dc=de

If you use the 2nd form, please note that it might break if I add proper support in the next version.

Regards,
Alon.

> Kind regards
> Jannick
Re: [ovirt-users] Setting Base DN for LDAP authentication
Hello Alon,

>> I'm trying to configure LDAP authentication with oVirt 3.5 and ovirt-engine-extension-aaa-ldap. I chose the simple bind transport example. But the given examples are missing the explicit specification of a base dn. Could you please advise me how this can be done?
>>
>> My current configuration:
>>
>> [jd@om01 ovirt-engine]$ cat aaa/company-ldap.properties
>> include = openldap.properties
>> vars.server = ldap.company.de
>> vars.user = cn=system,dc=company,dc=de
>> vars.password = password
>> pool.default.serverset.single.server = ${global:vars.server}
>> pool.default.auth.simple.bindDN = ${global:vars.user}
>> pool.default.auth.simple.password = ${global:vars.password}
>>
>> [jd@om01 ovirt-engine]$ cat company-ldap-authn.properties
>> ovirt.engine.extension.name = company-ldap-authn
>> ovirt.engine.extension.bindings.method = jbossmodule
>> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
>> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
>> ovirt.engine.aaa.authn.profile.name = company-ldap
>> ovirt.engine.aaa.authn.authz.plugin = company-ldap-authz
>> config.profile.file.1 = /etc/ovirt-engine/aaa/company-ldap.properties
>>
>> [jd@om01 ovirt-engine]$ cat company-ldap-authz.properties
>> ovirt.engine.extension.name = company-ldap-authz
>> ovirt.engine.extension.bindings.method = jbossmodule
>> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
>> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
>> config.profile.file.1 = /etc/ovirt-engine/aaa/company-ldap.properties
>>
>> [jd@om01 ovirt-engine]$ ldapsearch -H ldap://ldap.company.de -D cn=system,dc=company,dc=de -W -b dc=company,dc=de cn=jdeloro
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <dc=company,dc=de> with scope subtree
>> # filter: cn=jdeloro
>> # requesting: ALL
>> #
>>
>> # jdeloro, users, admins, company.de
>> dn: cn=jdeloro,ou=users,ou=admins,dc=company,dc=de
>> [... and many more lines ...]
>>
>> I could not use namingContexts from RootDSE cause this results in base dn dc=de instead of dc=company,dc=de.
>
> Can you explain why the namingContexts is not sufficient? Just for me to know and maybe enable easier override? It should contain a valid base DN for you to use.

[jd@om01 ovirt-engine]$ ldapsearch -H ldap://ldap.company.de -D cn=system,dc=company,dc=de -W -s base namingContexts -LLL
dn:
namingContexts: dc=de

This isn't the correct base dn. I need dc=company,dc=de to find any users. I don't know why LDAP is configured like this. But I need to work with it.

[jd@om01 ovirt-engine]$ ldapsearch -H ldap://ldap.company.de -D cn=system,dc=company,dc=de -W -b dc=de cn=jdeloro
# extended LDIF
#
# LDAPv3
# base <dc=de> with scope subtree
# filter: cn=jdeloro
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

[jd@om01 ovirt-engine]$ ldapsearch -H ldap://ldap.company.de -D cn=system,dc=company,dc=de -W -b dc=company,dc=de cn=jdeloro
# extended LDIF
#
# LDAPv3
# base <dc=company,dc=de> with scope subtree
# filter: cn=jdeloro
# requesting: ALL
#

# jdeloro, users, admins, company.de
dn: cn=jdeloro,ou=users,ou=admins,dc=company,dc=de
[... and many more lines ...]

> You have two options to fix this:
>
> 1. Add another attribute to openldap, let's say myNamingContext, with a valid value and add the following to the profile (company-ldap.properties):
>
> sequence-init.init.610-my-openldap-init-vars = my-openldap-init-vars
> sequence.my-openldap-init-vars.010.description = set base dn
> sequence.my-openldap-init-vars.010.type = var-set
> sequence.my-openldap-init-vars.010.var-set.variable = simple_attrsBaseDN
> sequence.my-openldap-init-vars.010.var-set.value = myNamingContexts

I can't use this option, because I'm not allowed to make LDAP changes.

> 2. Another option is to enforce baseDN (company-ldap.properties):
>
> sequence-init.open.910-my-openldap-init-vars = my-openldap-init-vars
> sequence.my-openldap-init-vars.010.description = set base dn
> sequence.my-openldap-init-vars.010.type = var-set
> sequence.my-openldap-init-vars.010.var-set.variable = _simple_baseDN
> sequence.my-openldap-init-vars.010.var-set.value = dc=company,dc=de

I have added the lines and restarted ovirt-engine, but the Namespace in 'Add Users and Groups' is still 'dc=de' and I can't find any users.

Kind regards
Jannick
Re: [ovirt-users] Setting Base DN for LDAP authentication
Hi,

On 01/09/2015 07:31 AM, jdel...@web.de wrote:

> Hello,
>
> I'm trying to configure LDAP authentication with oVirt 3.5 and ovirt-engine-extension-aaa-ldap. I chose the simple bind transport example. But the given examples are missing the explicit specification of a base dn. Could you please advise me how this can be done?
>
> My current configuration:
>
> [jd@om01 ovirt-engine]$ cat aaa/company-ldap.properties
> include = openldap.properties
> vars.server = ldap.company.de
> vars.user = cn=system,dc=company,dc=de
> vars.password = password
> pool.default.serverset.single.server = ${global:vars.server}
> pool.default.auth.simple.bindDN = ${global:vars.user}
> pool.default.auth.simple.password = ${global:vars.password}
>
> [jd@om01 ovirt-engine]$ cat company-ldap-authn.properties
> ovirt.engine.extension.name = company-ldap-authn
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
> ovirt.engine.aaa.authn.profile.name = company-ldap
> ovirt.engine.aaa.authn.authz.plugin = company-ldap-authz
> config.profile.file.1 = /etc/ovirt-engine/aaa/company-ldap.properties
>
> [jd@om01 ovirt-engine]$ cat company-ldap-authz.properties
> ovirt.engine.extension.name = company-ldap-authz
> ovirt.engine.extension.bindings.method = jbossmodule
> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
> config.profile.file.1 = /etc/ovirt-engine/aaa/company-ldap.properties
>
> [jd@om01 ovirt-engine]$ ldapsearch -H ldap://ldap.company.de -D cn=system,dc=company,dc=de -W -b dc=company,dc=de cn=jdeloro
> # extended LDIF
> #
> # LDAPv3
> # base <dc=company,dc=de> with scope subtree
> # filter: cn=jdeloro
> # requesting: ALL
> #
>
> # jdeloro, users, admins, company.de
> dn: cn=jdeloro,ou=users,ou=admins,dc=company,dc=de
> [... and many more lines ...]
>
> I could not use namingContexts from RootDSE cause this results in base dn dc=de instead of dc=company,dc=de.

Can you try user 'cn=Manager', I think it's incorrectly configured ACL.

> Kind regards
> Jannick
Re: [ovirt-users] Setting Base DN for LDAP authentication
----- Original Message -----
From: jdel...@web.de
To: Alon Bar-Lev alo...@redhat.com
Cc: users@ovirt.org
Sent: Friday, January 9, 2015 1:20:44 PM
Subject: Re: [ovirt-users] Setting Base DN for LDAP authentication

> Hello Alon,
>
>>> I'm trying to configure LDAP authentication with oVirt 3.5 and ovirt-engine-extension-aaa-ldap. I chose the simple bind transport example. But the given examples are missing the explicit specification of a base dn. Could you please advise me how this can be done?
>>>
>>> My current configuration:
>>>
>>> [jd@om01 ovirt-engine]$ cat aaa/company-ldap.properties
>>> include = openldap.properties
>>> vars.server = ldap.company.de
>>> vars.user = cn=system,dc=company,dc=de
>>> vars.password = password
>>> pool.default.serverset.single.server = ${global:vars.server}
>>> pool.default.auth.simple.bindDN = ${global:vars.user}
>>> pool.default.auth.simple.password = ${global:vars.password}
>>>
>>> [jd@om01 ovirt-engine]$ cat company-ldap-authn.properties
>>> ovirt.engine.extension.name = company-ldap-authn
>>> ovirt.engine.extension.bindings.method = jbossmodule
>>> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>>> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
>>> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
>>> ovirt.engine.aaa.authn.profile.name = company-ldap
>>> ovirt.engine.aaa.authn.authz.plugin = company-ldap-authz
>>> config.profile.file.1 = /etc/ovirt-engine/aaa/company-ldap.properties
>>>
>>> [jd@om01 ovirt-engine]$ cat company-ldap-authz.properties
>>> ovirt.engine.extension.name = company-ldap-authz
>>> ovirt.engine.extension.bindings.method = jbossmodule
>>> ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>>> ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
>>> ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
>>> config.profile.file.1 = /etc/ovirt-engine/aaa/company-ldap.properties
>>>
>>> [jd@om01 ovirt-engine]$ ldapsearch -H ldap://ldap.company.de -D cn=system,dc=company,dc=de -W -b dc=company,dc=de cn=jdeloro
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <dc=company,dc=de> with scope subtree
>>> # filter: cn=jdeloro
>>> # requesting: ALL
>>> #
>>>
>>> # jdeloro, users, admins, company.de
>>> dn: cn=jdeloro,ou=users,ou=admins,dc=company,dc=de
>>> [... and many more lines ...]
>>>
>>> I could not use namingContexts from RootDSE cause this results in base dn dc=de instead of dc=company,dc=de.
>>
>> Can you explain why the namingContexts is not sufficient? Just for me to know and maybe enable easier override? It should contain a valid base DN for you to use.
>
> [jd@om01 ovirt-engine]$ ldapsearch -H ldap://ldap.company.de -D cn=system,dc=company,dc=de -W -s base namingContexts -LLL
> dn:
> namingContexts: dc=de
>
> This isn't the correct base dn. I need dc=company,dc=de to find any users. I don't know why LDAP is configured like this. But I need to work with it.
>
> [jd@om01 ovirt-engine]$ ldapsearch -H ldap://ldap.company.de -D cn=system,dc=company,dc=de -W -b dc=de cn=jdeloro
> # extended LDIF
> #
> # LDAPv3
> # base <dc=de> with scope subtree
> # filter: cn=jdeloro
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 32 No such object
>
> # numResponses: 1
>
> [jd@om01 ovirt-engine]$ ldapsearch -H ldap://ldap.company.de -D cn=system,dc=company,dc=de -W -b dc=company,dc=de cn=jdeloro
> # extended LDIF
> #
> # LDAPv3
> # base <dc=company,dc=de> with scope subtree
> # filter: cn=jdeloro
> # requesting: ALL
> #
>
> # jdeloro, users, admins, company.de
> dn: cn=jdeloro,ou=users,ou=admins,dc=company,dc=de
> [... and many more lines ...]
>
>> You have two options to fix this:
>>
>> 1. Add another attribute to openldap, let's say myNamingContext, with a valid value and add the following to the profile (company-ldap.properties):
>>
>> sequence-init.init.610-my-openldap-init-vars = my-openldap-init-vars
>> sequence.my-openldap-init-vars.010.description = set base dn
>> sequence.my-openldap-init-vars.010.type = var-set
>> sequence.my-openldap-init-vars.010.var-set.variable = simple_attrsBaseDN
>> sequence.my-openldap-init-vars.010.var-set.value = myNamingContexts
>
> I can't use this option, because I'm not allowed to make LDAP changes.
>
>> 2. Another option is to enforce baseDN (company-ldap.properties):
>>
>> sequence-init.open.910-my-openldap-init-vars = my-openldap-init-vars
>> sequence.my-openldap-init-vars.010.description = set base dn
>> sequence.my-openldap-init-vars.010.type = var-set
>> sequence.my-openldap-init-vars.010.var-set.variable = _simple_baseDN
>> sequence.my-openldap-init-vars.010.var-set.value = dc=company,dc=de
>
> I have added the lines and restarted ovirt-engine, but the Namespace in 'Add Users and Groups' is still 'dc=de' and I can't find any users.

Yes, the namespace will still present dc=de, this is expected. Can
[ovirt-users] Setting Base DN for LDAP authentication
Hello,

I'm trying to configure LDAP authentication with oVirt 3.5 and ovirt-engine-extension-aaa-ldap. I chose the simple bind transport example. But the given examples are missing the explicit specification of a base dn. Could you please advise me how this can be done?

My current configuration:

[jd@om01 ovirt-engine]$ cat aaa/company-ldap.properties
include = openldap.properties
vars.server = ldap.company.de
vars.user = cn=system,dc=company,dc=de
vars.password = password
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

[jd@om01 ovirt-engine]$ cat company-ldap-authn.properties
ovirt.engine.extension.name = company-ldap-authn
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = company-ldap
ovirt.engine.aaa.authn.authz.plugin = company-ldap-authz
config.profile.file.1 = /etc/ovirt-engine/aaa/company-ldap.properties

[jd@om01 ovirt-engine]$ cat company-ldap-authz.properties
ovirt.engine.extension.name = company-ldap-authz
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
config.profile.file.1 = /etc/ovirt-engine/aaa/company-ldap.properties

[jd@om01 ovirt-engine]$ ldapsearch -H ldap://ldap.company.de -D cn=system,dc=company,dc=de -W -b dc=company,dc=de cn=jdeloro
# extended LDIF
#
# LDAPv3
# base <dc=company,dc=de> with scope subtree
# filter: cn=jdeloro
# requesting: ALL
#

# jdeloro, users, admins, company.de
dn: cn=jdeloro,ou=users,ou=admins,dc=company,dc=de
[... and many more lines ...]

I could not use namingContexts from RootDSE cause this results in base dn dc=de instead of dc=company,dc=de.

Kind regards
Jannick