Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
----- Original Message -----
From: Ondra Machacek omach...@redhat.com
To: Yair Zaslavsky yzasl...@redhat.com
Cc: cameron christensen cameron.christen...@uk2group.com, Alon Bar-Lev alo...@redhat.com, users@ovirt.org
Sent: Thursday, November 20, 2014 6:09:53 PM
Subject: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA

Hi,

just tried it too. I was not successful to reproduce, but the problem is that the domain part of LDAPSecurityAuthentication is uppercase as Cameron wrote. In 3.4 it is OK when it's upper case - everything works OK, but in 3.5 it's not.

I checked differences and something like this would be enough, Yair?

diff --git a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/extensionsmgr/EngineExtensionsManager.java b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/extensionsmgr/EngineExte index f5ab28d..ccaf04a 100644 --- a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/extensionsmgr/EngineExtensionsManager.java +++ b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/extensionsmgr/EngineExtensionsManager.java @@ -240,7 +240,7 @@ public class EngineExtensionsManager extends ExtensionsManager { ) ); } -if (nameValue[0].equals(domain)) { +if (nameValue[0].equalsIgnoreCase(domain)) { result = nameValue[1]; break; }

Ondra

Looks fine, but please email me in private a testing environment where I can check that. Thanks!

P.S: Another option worth trying is simply remove and add the domain, but hey, if you're already in 3.5, and removed the domain, why not use the generic ldap provider?

----- Original Message -----
From: Alon Bar-Lev alonbl at redhat.com
To: Cameron Christensen cameron.christensen at uk2group.com, Yair Zaslavsky yzaslavs at redhat.com
Cc: users at ovirt.org
Sent: Monday, November 17, 2014 11:48:15 PM
Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA

----- Original Message -----
From: Cameron Christensen cameron.christensen at uk2group.com
To: Alon Bar-Lev alonbl at redhat.com
Cc: users at ovirt.org
Sent: Monday, November 17, 2014 11:43:34 PM
Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA

On Mon, 2014-11-17 at 14:39 -0500, Alon Bar-Lev wrote:

----- Original Message -----
From: Cameron Christensen cameron.christensen at uk2group.com
To: users at ovirt.org
Sent: Friday, November 14, 2014 5:39:54 PM
Subject: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA

Hello,

I upgraded to ovirt 3.5.0 and can no longer authenticate to IPA. Starting up ovirt-engine the extension manager fails to properly load the service that handles Kerberos/LDAP.

This is probably a bug, can you please execute the following and paste result:

# PGPASSWORD=@PASSWORD@ psql -U engine -d engine -c "select * from vdc_options where option_name='LDAPSecurityAuthentication'"

 option_id |        option_name         |    option_value    | version
-----------+----------------------------+--------------------+---------
       165 | LDAPSecurityAuthentication | example.org:GSSAPI | general

I replaced my domain name with 'example.org'

I thought it will be empty... and it contains valid value. Yair?

No, this is fine actually.

Any I truly suggest you try out the new provider... Much easier to resolve any issue, current and future, including easier to debug.

Alon

_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
[ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
Hi,

just tried it too. I was not successful to reproduce, but the problem is that the domain part of LDAPSecurityAuthentication is uppercase as Cameron wrote. In 3.4 it is OK when it's upper case - everything works OK, but in 3.5 it's not.

I checked differences and something like this would be enough, Yair?

diff --git a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/extensionsmgr/EngineExtensionsManager.java b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/extensionsmgr/EngineExte index f5ab28d..ccaf04a 100644 --- a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/extensionsmgr/EngineExtensionsManager.java +++ b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/extensionsmgr/EngineExtensionsManager.java @@ -240,7 +240,7 @@ public class EngineExtensionsManager extends ExtensionsManager { ) ); } -if (nameValue[0].equals(domain)) { +if (nameValue[0].equalsIgnoreCase(domain)) { result = nameValue[1]; break; }

Ondra

----- Original Message -----
From: Alon Bar-Lev alonbl at redhat.com
To: Cameron Christensen cameron.christensen at uk2group.com, Yair Zaslavsky yzaslavs at redhat.com
Cc: users at ovirt.org
Sent: Monday, November 17, 2014 11:48:15 PM
Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA

----- Original Message -----
From: Cameron Christensen cameron.christensen at uk2group.com
To: Alon Bar-Lev alonbl at redhat.com
Cc: users at ovirt.org
Sent: Monday, November 17, 2014 11:43:34 PM
Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA

On Mon, 2014-11-17 at 14:39 -0500, Alon Bar-Lev wrote:

----- Original Message -----
From: Cameron Christensen cameron.christensen at uk2group.com
To: users at ovirt.org
Sent: Friday, November 14, 2014 5:39:54 PM
Subject: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA

Hello,

I upgraded to ovirt 3.5.0 and can no longer authenticate to IPA. Starting up ovirt-engine the extension manager fails to properly load the service that handles Kerberos/LDAP.

This is probably a bug, can you please execute the following and paste result:

# PGPASSWORD=@PASSWORD@ psql -U engine -d engine -c "select * from vdc_options where option_name='LDAPSecurityAuthentication'"

 option_id |        option_name         |    option_value    | version
-----------+----------------------------+--------------------+---------
       165 | LDAPSecurityAuthentication | example.org:GSSAPI | general

I replaced my domain name with 'example.org'

I thought it will be empty... and it contains valid value. Yair?

No, this is fine actually.

Any I truly suggest you try out the new provider... Much easier to resolve any issue, current and future, including easier to debug.

Alon
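Review bot: With equalsIgnoreCase in the changed condition, the unchanged "result = nameValue[1]; break;" returns the first entry whose name matches in any letter case, so a value that lists one domain in two spellings resolves by entry order. A short comment above the if stating that domain names are compared case-insensitively and that the first match is returned would document this. nameValue[0] is also compared without trimming, so consider nameValue[0].trim().equalsIgnoreCase(domain) if entries can carry surrounding whitespace.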
Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
----- Original Message -----
From: Alon Bar-Lev alo...@redhat.com
To: Cameron Christensen cameron.christen...@uk2group.com, Yair Zaslavsky yzasl...@redhat.com
Cc: users@ovirt.org
Sent: Monday, November 17, 2014 11:48:15 PM
Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA

----- Original Message -----
From: Cameron Christensen cameron.christen...@uk2group.com
To: Alon Bar-Lev alo...@redhat.com
Cc: users@ovirt.org
Sent: Monday, November 17, 2014 11:43:34 PM
Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA

On Mon, 2014-11-17 at 14:39 -0500, Alon Bar-Lev wrote:

----- Original Message -----
From: Cameron Christensen cameron.christen...@uk2group.com
To: users@ovirt.org
Sent: Friday, November 14, 2014 5:39:54 PM
Subject: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA

Hello,

I upgraded to ovirt 3.5.0 and can no longer authenticate to IPA. Starting up ovirt-engine the extension manager fails to properly load the service that handles Kerberos/LDAP.

This is probably a bug, can you please execute the following and paste result:

# PGPASSWORD=@PASSWORD@ psql -U engine -d engine -c "select * from vdc_options where option_name='LDAPSecurityAuthentication'"

 option_id |        option_name         |    option_value    | version
-----------+----------------------------+--------------------+---------
       165 | LDAPSecurityAuthentication | example.org:GSSAPI | general

I replaced my domain name with 'example.org'

I thought it will be empty... and it contains valid value. Yair?

No, this is fine actually.

Any I truly suggest you try out the new provider... Much easier to resolve any issue, current and future, including easier to debug.

Alon
Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
----- Original Message -----
From: Cameron Christensen cameron.christen...@uk2group.com
To: Alon Bar-Lev alo...@redhat.com
Cc: Yair Zaslavsky yzasl...@redhat.com, users@ovirt.org
Sent: Tuesday, November 18, 2014 6:21:18 PM
Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA

On Mon, 2014-11-17 at 16:48 -0500, Alon Bar-Lev wrote:

----- Original Message -----
From: Cameron Christensen cameron.christen...@uk2group.com
To: Alon Bar-Lev alo...@redhat.com
Cc: users@ovirt.org
Sent: Monday, November 17, 2014 11:43:34 PM
Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA

On Mon, 2014-11-17 at 14:39 -0500, Alon Bar-Lev wrote:

----- Original Message -----
From: Cameron Christensen cameron.christen...@uk2group.com
To: users@ovirt.org
Sent: Friday, November 14, 2014 5:39:54 PM
Subject: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA

Hello,

I upgraded to ovirt 3.5.0 and can no longer authenticate to IPA. Starting up ovirt-engine the extension manager fails to properly load the service that handles Kerberos/LDAP.

This is probably a bug, can you please execute the following and paste result:

# PGPASSWORD=@PASSWORD@ psql -U engine -d engine -c "select * from vdc_options where option_name='LDAPSecurityAuthentication'"

 option_id |        option_name         |    option_value    | version
-----------+----------------------------+--------------------+---------
       165 | LDAPSecurityAuthentication | example.org:GSSAPI | general

I replaced my domain name with 'example.org'

I thought it will be empty... and it contains valid value. Yair?

Looking through the vdc_options table I noticed that many of the LDAP* and Ad* settings use two different spellings for the Kerberos/LDAP domain. One in all upper case letters, EXAMPLE.ORG and one in all lower case, example.org. (I'm guessing this is to handle either spelling of the domain?)

I updated LDAPSecurityAuthentication and set the option_value to use both the upper case and lower case domain name, 'EXAMPLE.ORG:GSSAPI,example.org:GSSAPI'.

select * from vdc_options where option_name = 'LDAPSecurityAuthentication';

 option_id |        option_name         |             option_value              | version
-----------+----------------------------+---------------------------------------+---------
       165 | LDAPSecurityAuthentication | EXAMPLE.ORG:GSSAPI,example.org:GSSAPI | general

Just so we can continue to investigate - if you would like to get your ldap and kerberos SRV records, to which domain will you send them in your setup?

dig SRV _ldap._tcp.EXAMPLE.ORG or dig SRV _ldap._tcp.example.org?

same goes to _kerberos._tcp.example.org and _kerberos._tcp.EXAMPLE.ORG

Cheers,
Yair

Using both domain names I am able to authenticate, authorize and pull account information from the IPA server once again.

Thanks for pointing me at the right location.

Cameron
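The workaround in the message above lists the same domain twice, once per spelling, in the LDAPSecurityAuthentication value. The following Java example is added here and is not oVirt code or code from the thread; the class and method names are hypothetical and the sample values are constructed. It parses a "domain:value,domain:value" string, matches the domain without regard to case, and rejects entries that differ only in case but carry different values:

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

// Added example, not oVirt code. Class and method names are hypothetical.
public class DomainOptionLookup {

    /**
     * Parses "domain:value,domain:value" into a map keyed by the
     * lower-cased domain. Throws if two entries name the same domain
     * (ignoring case) but disagree on the value.
     */
    static Map<String, String> parse(String optionValue) {
        Map<String, String> byDomain = new LinkedHashMap<>();
        if (optionValue == null || optionValue.trim().isEmpty()) {
            return byDomain;
        }
        for (String entry : optionValue.split(",")) {
            String[] nameValue = entry.split(":", 2);
            if (nameValue.length != 2 || nameValue[0].trim().isEmpty()) {
                throw new IllegalArgumentException("Malformed entry: '" + entry + "'");
            }
            // Locale.ROOT keeps the result independent of the JVM default locale.
            String domain = nameValue[0].trim().toLowerCase(Locale.ROOT);
            String value = nameValue[1].trim();
            String previous = byDomain.putIfAbsent(domain, value);
            if (previous != null && !previous.equals(value)) {
                throw new IllegalStateException("Conflicting values for domain '"
                        + domain + "': '" + previous + "' and '" + value + "'");
            }
        }
        return byDomain;
    }

    /** Returns the value configured for the domain, or null if there is none. */
    static String lookup(String optionValue, String domain) {
        return parse(optionValue).get(domain.trim().toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed sample values modelled on the option values quoted in the thread.
        String single = "example.org:GSSAPI";
        String both = "EXAMPLE.ORG:GSSAPI,example.org:GSSAPI";
        // Constructed conflict: same domain in two spellings, different values.
        String conflicting = "EXAMPLE.ORG:GSSAPI,example.org:SIMPLE";

        System.out.println(lookup(single, "EXAMPLE.ORG"));
        System.out.println(lookup(both, "Example.Org"));
        try {
            lookup(conflicting, "example.org");
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```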
Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
On Mon, 2014-11-17 at 16:48 -0500, Alon Bar-Lev wrote:

----- Original Message -----
From: Cameron Christensen cameron.christen...@uk2group.com
To: Alon Bar-Lev alo...@redhat.com
Cc: users@ovirt.org
Sent: Monday, November 17, 2014 11:43:34 PM
Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA

On Mon, 2014-11-17 at 14:39 -0500, Alon Bar-Lev wrote:

----- Original Message -----
From: Cameron Christensen cameron.christen...@uk2group.com
To: users@ovirt.org
Sent: Friday, November 14, 2014 5:39:54 PM
Subject: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA

Hello,

I upgraded to ovirt 3.5.0 and can no longer authenticate to IPA. Starting up ovirt-engine the extension manager fails to properly load the service that handles Kerberos/LDAP.

This is probably a bug, can you please execute the following and paste result:

# PGPASSWORD=@PASSWORD@ psql -U engine -d engine -c "select * from vdc_options where option_name='LDAPSecurityAuthentication'"

 option_id |        option_name         |    option_value    | version
-----------+----------------------------+--------------------+---------
       165 | LDAPSecurityAuthentication | example.org:GSSAPI | general

I replaced my domain name with 'example.org'

I thought it will be empty... and it contains valid value. Yair?

Looking through the vdc_options table I noticed that many of the LDAP* and Ad* settings use two different spellings for the Kerberos/LDAP domain. One in all upper case letters, EXAMPLE.ORG and one in all lower case, example.org. (I'm guessing this is to handle either spelling of the domain?)

I updated LDAPSecurityAuthentication and set the option_value to use both the upper case and lower case domain name, 'EXAMPLE.ORG:GSSAPI,example.org:GSSAPI'.

select * from vdc_options where option_name = 'LDAPSecurityAuthentication';

 option_id |        option_name         |             option_value              | version
-----------+----------------------------+---------------------------------------+---------
       165 | LDAPSecurityAuthentication | EXAMPLE.ORG:GSSAPI,example.org:GSSAPI | general

Using both domain names I am able to authenticate, authorize and pull account information from the IPA server once again.

Thanks for pointing me at the right location.

Cameron
Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
Hello, is using the new structure AAA (Authentication, Authorization and Accounting) of the oVirt 3.5?
Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
----- Original Message -----
From: Cameron Christensen cameron.christen...@uk2group.com
To: users@ovirt.org
Sent: Friday, November 14, 2014 5:39:54 PM
Subject: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA

Hello,

I upgraded to ovirt 3.5.0 and can no longer authenticate to IPA. Starting up ovirt-engine the extension manager fails to properly load the service that handles Kerberos/LDAP.

This is probably a bug, can you please execute the following and paste result:

# PGPASSWORD=@PASSWORD@ psql -U engine -d engine -c "select * from vdc_options where option_name='LDAPSecurityAuthentication'"

Replace @PASSWORD@ and probably other parameters based on /etc/ovirt-engine/engine.conf.d/10-setup-database.conf

It is probably empty and we should file a bug.

If you are interested there is a new ldap provider in 3.5 available in snapshots repository (ovirt-engine-extension-aaa-ldap package), documentation is available here[1], this provider should be simpler and robust as it uses only ldap protocol and is fully customizable.

Regards,
Alon

[1] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD
Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
On Mon, 2014-11-17 at 14:39 -0500, Alon Bar-Lev wrote:

----- Original Message -----
From: Cameron Christensen cameron.christen...@uk2group.com
To: users@ovirt.org
Sent: Friday, November 14, 2014 5:39:54 PM
Subject: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA

Hello,

I upgraded to ovirt 3.5.0 and can no longer authenticate to IPA. Starting up ovirt-engine the extension manager fails to properly load the service that handles Kerberos/LDAP.

This is probably a bug, can you please execute the following and paste result:

# PGPASSWORD=@PASSWORD@ psql -U engine -d engine -c "select * from vdc_options where option_name='LDAPSecurityAuthentication'"

 option_id |        option_name         |    option_value    | version
-----------+----------------------------+--------------------+---------
       165 | LDAPSecurityAuthentication | example.org:GSSAPI | general

I replaced my domain name with 'example.org'

Cameron
Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
----- Original Message -----
From: Cameron Christensen cameron.christen...@uk2group.com
To: Alon Bar-Lev alo...@redhat.com
Cc: users@ovirt.org
Sent: Monday, November 17, 2014 11:43:34 PM
Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA

On Mon, 2014-11-17 at 14:39 -0500, Alon Bar-Lev wrote:

----- Original Message -----
From: Cameron Christensen cameron.christen...@uk2group.com
To: users@ovirt.org
Sent: Friday, November 14, 2014 5:39:54 PM
Subject: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA

Hello,

I upgraded to ovirt 3.5.0 and can no longer authenticate to IPA. Starting up ovirt-engine the extension manager fails to properly load the service that handles Kerberos/LDAP.

This is probably a bug, can you please execute the following and paste result:

# PGPASSWORD=@PASSWORD@ psql -U engine -d engine -c "select * from vdc_options where option_name='LDAPSecurityAuthentication'"

 option_id |        option_name         |    option_value    | version
-----------+----------------------------+--------------------+---------
       165 | LDAPSecurityAuthentication | example.org:GSSAPI | general

I replaced my domain name with 'example.org'

I thought it will be empty... and it contains valid value. Yair?

Any I truly suggest you try out the new provider... Much easier to resolve any issue, current and future, including easier to debug.

Alon
[ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
Hello,

I upgraded to ovirt 3.5.0 and can no longer authenticate to IPA. Starting up ovirt-engine the extension manager fails to properly load the service that handles Kerberos/LDAP.

engine.log:
...
2014-11-10 11:29:25,106 INFO [org.ovirt.engine.core.dal.job.ExecutionMessageDirector] (MSC service thread 1-10) Start initializing ExecutionMessageDirector
2014-11-10 11:29:25,108 INFO [org.ovirt.engine.core.dal.job.ExecutionMessageDirector] (MSC service thread 1-10) Finished initializing ExecutionMessageDirector
2014-11-10 11:29:25,145 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Loading extension 'builtin-authn-internal'
2014-11-10 11:29:25,146 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Extension 'builtin-authn-internal' loaded
2014-11-10 11:29:25,148 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Loading extension 'internal'
2014-11-10 11:29:25,150 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Extension 'internal' loaded
2014-11-10 11:29:25,154 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Loading extension 'builtin-authn-EXAMPLE.ORG'
2014-11-10 11:29:25,215 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Extension 'builtin-authn-EXAMPLE.ORG' loaded
2014-11-10 11:29:25,218 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Loading extension 'EXAMPLE.ORG'
2014-11-10 11:29:25,264 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Extension 'EXAMPLE.ORG' loaded
2014-11-10 11:29:25,265 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Initializing extension 'EXAMPLE.ORG'
2014-11-10 11:29:25,265 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Extension 'EXAMPLE.ORG' initialized
2014-11-10 11:29:25,266 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Initializing extension 'builtin-authn-internal'
2014-11-10 11:29:25,266 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Extension 'builtin-authn-internal' initialized
2014-11-10 11:29:25,267 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Initializing extension 'builtin-authn-EXAMPLE.ORG'
2014-11-10 11:29:25,267 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Extension 'builtin-authn-EXAMPLE.ORG' initialized
2014-11-10 11:29:25,268 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Initializing extension 'internal'
2014-11-10 11:29:25,268 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Extension 'internal' initialized
2014-11-10 11:29:25,268 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Start of enabled extensions list
2014-11-10 11:29:25,269 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Instance name: 'EXAMPLE.ORG', Extension name: 'Kerberos/Ldap Authz (Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: 'N/A', Initialized: 'true'
2014-11-10 11:29:25,270 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Instance name: 'builtin-authn-internal', Extension name: 'Internal Authn (Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: 'N/A', Initialized: 'true'
2014-11-10 11:29:25,270 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Instance name: 'builtin-authn-EXAMPLE.ORG', Extension name: 'Kerberos/Ldap Authn (Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: 'N/A', Initialized: 'true'
2014-11-10 11:29:25,271 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Instance name: 'internal', Extension name: 'Internal Authz (Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: 'N/A', Initialized: 'true'
2014-11-10 11:29:25,272 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) End of enabled extensions list
2014-11-10 11:29:25,404 INFO [org.ovirt.engine.core.bll.aaa.DbUserCacheManager] (MSC service thread 1-10) Start initializing DbUserCacheManager
2014-11-10 11:29:25,405 INFO [org.ovirt.engine.core.bll.aaa.DbUserCacheManager] (MSC service thread 1-10) Finished initializing DbUserCacheManager
2014-11-10