Confirmed, that does seem to be the cause. I updated the group_ids field of a user to the appropriate IDs from ad_groups and it fixed that user. In answer to your question "Did you first add the group, and then added users (that belong to a group) either by adding users, or by adding a permission?", I've tried it every different way I can think of; the results are always the same.
On Sun, Aug 17, 2014 at 9:46 AM, Yair Zaslavsky <yzasl...@redhat.com> wrote:
>
> ----- Original Message -----
>> From: "Paul Robert Marino" <prmari...@gmail.com>
>> To: "Yair Zaslavsky" <yzasl...@redhat.com>
>> Cc: "Itamar Heim" <ih...@redhat.com>, users@ovirt.org
>> Sent: Sunday, August 17, 2014 4:33:30 PM
>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
>>
>> Here are the results of the queries you asked for:
>>
>>  group_ids | groups
>> -----------+--------
>>  00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000,00000000-0000-0000-0000-000000000000 | <domain here>/groups/sysadmin,<domain here>/groups/pmarino,<domain here>/groups/pd managers,<domain here>/groups/qa managers,<domain here>/groups/accounting managers,<domain here>/directory administrators
>> (1 row)
>>
>> engine=# select id, name from ad_groups;
>>                   id                  |             name
>> --------------------------------------+-------------------------------
>>  eee00000-0000-0000-0000-123456789eee | Everyone
>>  2a8a8401-fc9e-11e3-8742-861538ea406a | <domain here>/Groups/sysadmin
>> (2 rows)
>
> It does look like there is something wrong in the association of users to
> their group IDs.
> Just to make sure I'm not missing anything -
> Did you first add the group, and then add users (that belong to a group)
> either by adding users, or by adding a permission?
>
> Yair
>
>> On Wed, Aug 13, 2014 at 10:49 PM, Yair Zaslavsky <yzasl...@redhat.com> wrote:
>> >
>> > ----- Original Message -----
>> >> From: "Paul Robert Marino" <prmari...@gmail.com>
>> >> To: "Yair Zaslavsky" <yzasl...@redhat.com>
>> >> Cc: "Itamar Heim" <ih...@redhat.com>, users@ovirt.org
>> >> Sent: Wednesday, August 13, 2014 11:47:40 PM
>> >> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
>> >>
>> >> Ok so before I open a bug ticket I want to confirm I'm not doing anything
>> >> wrong here.
>> >> I upgraded to 3.4
>> >> now it says "Active: false " on LDAP groups.
>> >>
>> >> Again I tried to add the sysadmin group from the directory server and
>> >> set the power user and super user roles on the group
>> >> it shows up as "<domain name>/Groups/sysadmin"
>> >> I added the permissions by clicking on the configure link on the top of
>> >> the screen and set them in the "System Permissions" tab
>> >
>> > Sounds good so far.
>> > I assume also you see the permissions in the permissions sub tab when you
>> > click the group.
>> >
>> >> I added a user (pmarino) to the system, which in the "Directory
>> >> Group" tab shows "sysadmin groups <domain name>" among others;
>> >> however it only shows in the Permissions tab the permissions inherited
>> >> by "Everyone". It does not show any permissions inherited by the
>> >> sysadmin group.
>> >
>> > This is not good - I mean, should have worked.
>> >
>> >> just to prove it didn't work I logged out and attempted to log back in
>> >> as the user (pmarino); it wouldn't let me log in
>> >>
>> >> I logged back in as the internal admin user, then I added the SuperUser
>> >> permissions directly to the pmarino account and logged back out again.
>> >> Now when I logged in as pmarino it gave me the access I expected.
>> >
>> > Can I please ask you to provide some database info?
>> >
>> > It will be awesome if you can provide the following SQL queries results -
>> >
>> > select group_ids, groups from users where username ilike '%pmarino%';
>> >
>> > In addition, please perform - select id, name from ad_groups;
>> >
>> > Thanks for your help.
>> >
>> > P.S - As far as I understand the two bugs mentioned by Itamar (I mean, the
>> > solution to the bugs) should have fixed your issue as well.
>> >
>> >> Here is the relevant portion of the engine log
>> >> "
>> >> 2014-08-13 16:00:38,801 INFO [org.ovirt.engine.core.bll.AddGroupCommand] (ajp-/127.0.0.1:8702-5) [1e7fa420] Running command: AddGroupCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System
>> >> 2014-08-13 16:00:38,813 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-5) [1e7fa420] Correlation ID: 1e7fa420, Call Stack: null, Custom Event ID: -1, Message: User '<domain name>/Groups/sysadmin' was added successfully to the system.
>> >> 2014-08-13 16:09:01,352 INFO [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-4-thread-24) [75cab17c] Running command: AddSystemPermissionCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System, ID: aaa00000-0000-0000-0000-123456789aaa Type: System
>> >> 2014-08-13 16:09:01,371 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-4-thread-24) [75cab17c] Correlation ID: 75cab17c, Call Stack: null, Custom Event ID: -1, Message: User/Group <domain name>/Groups/sysadmin was granted permission for Role SuperUser on System by admin.
>> >> 2014-08-13 16:10:40,963 INFO [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-4-thread-26) [b42abcb] Running command: AddSystemPermissionCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System, ID: aaa00000-0000-0000-0000-123456789aaa Type: System
>> >> 2014-08-13 16:10:40,979 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-4-thread-26) [b42abcb] Correlation ID: b42abcb, Call Stack: null, Custom Event ID: -1, Message: User/Group <domain name>/Groups/sysadmin was granted permission for Role PowerUserRole on System by admin.
>> >> 2014-08-13 16:20:53,891 INFO [org.ovirt.engine.core.bll.AddUserCommand] (ajp-/127.0.0.1:8702-4) [58e00be1] Running command: AddUserCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System
>> >> 2014-08-13 16:20:53,919 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-4) [58e00be1] Correlation ID: 58e00be1, Call Stack: null, Custom Event ID: -1, Message: User 'pmarino' was added successfully to the system.
>> >> 2014-08-13 16:35:52,202 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-10) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User pmarino failed to log in.
>> >> 2014-08-13 16:35:52,202 WARN [org.ovirt.engine.core.bll.LoginAdminUserCommand] (ajp-/127.0.0.1:8702-10) CanDoAction of action LoginAdminUser failed. Reasons:USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
>> >> 2014-08-13 16:39:48,048 INFO [org.ovirt.engine.core.bll.AddSystemPermissionCommand] (org.ovirt.thread.pool-4-thread-31) [5ba3c874] Running command: AddSystemPermissionCommand internal: false. Entities affected : ID: aaa00000-0000-0000-0000-123456789aaa Type: System
>> >> 2014-08-13 16:39:48,069 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (org.ovirt.thread.pool-4-thread-31) [5ba3c874] Correlation ID: 5ba3c874, Call Stack: null, Custom Event ID: -1, Message: User/Group pmarino was granted permission for Role SuperUser on System by admin.
>> >> 2014-08-13 16:40:43,357 INFO [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (ajp-/127.0.0.1:8702-1) Correlation ID: null, Call Stack: null, Custom Event ID: -1, Message: User pmarino logged in.
>> >> "
>> >>
>> >> On Mon, Aug 11, 2014 at 1:41 PM, Yair Zaslavsky <yzasl...@redhat.com> wrote:
>> >> >
>> >> > ----- Original Message -----
>> >> >> From: "Yair Zaslavsky" <yzasl...@redhat.com>
>> >> >> To: "Itamar Heim" <ih...@redhat.com>
>> >> >> Cc: users@ovirt.org
>> >> >> Sent: Monday, August 11, 2014 8:13:53 PM
>> >> >> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
>> >> >>
>> >> >> I have checked the codebase of 3.3 -
>> >> >> the "active" field is used for presentation purpose only.
>> >> >
>> >> > Presentation wise only - means that it is not used for our permissions
>> >> > calculation, for example.
>> >> >
>> >> >> Alon has addressed our plans for this in his previous comments.
>> >> >> I hope this clarifies more..
>> >> >>
>> >> >> Yair
>> >> >>
>> >> >> ----- Original Message -----
>> >> >> > From: "Itamar Heim" <ih...@redhat.com>
>> >> >> > To: "Alon Bar-Lev" <alo...@redhat.com>, "Paul Robert Marino" <prmari...@gmail.com>
>> >> >> > Cc: users@ovirt.org
>> >> >> > Sent: Sunday, August 10, 2014 11:54:05 PM
>> >> >> > Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
>> >> >> >
>> >> >> > On 08/10/2014 10:50 PM, Alon Bar-Lev wrote:
>> >> >> > >
>> >> >> > > ----- Original Message -----
>> >> >> > >> From: "Paul Robert Marino" <prmari...@gmail.com>
>> >> >> > >> To: "Alon Bar-Lev" <alo...@redhat.com>
>> >> >> > >> Cc: "Maurice James" <mja...@media-node.com>, users@ovirt.org
>> >> >> > >> Sent: Sunday, August 10, 2014 10:43:14 PM
>> >> >> > >> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
>> >> >> > >>
>> >> >> > >> Sorry for my delayed response to this
>> >> >> > >>
>> >> >> > >> I am using ovirt 3.3.
>> >> >> > >> I am using Kerberos 5, and all of the DNS requirements are in place.
>> >> >> > >> Finally 389 server is the upstream project for RHDS and one of the
>> >> >> > >> upstream projects for IPA.
>> >> >> > >> So I chose to set it as RHDS because it's an identical match.
>> >> >> > >>
>> >> >> > >> User authentication works just fine; my problem is adding roles to groups.
>> >> >> > >> I can assign a role to a group but the group always shows an inactive
>> >> >> > >> status; however if I assign a role directly to a user it works fine.
>> >> >> > >> In addition if I drill down into a user it knows what groups in the
>> >> >> > >> 389 server the user is a member of.
>> >> >> > >>
>> >> >> > >> finally I can't see any error in the logs when adding a role to a group
>> >> >> > >>
>> >> >> > >
>> >> >> > > Please open a bug, I am unsure that it will be addressed before 3.5, as we
>> >> >> > > have done major rework for the authentication and authorization to make it
>> >> >> > > much more versatile. Even if there will be a fix it will be provided to 3.4.z.
>> >> >> > >
>> >> >> > > It will be best if you want to test this scenario in 3.5 release candidate
>> >> >> > > and the new ldap provider, so we can address the issue before 3.5 release
>> >> >> > > if exists.
>> >> >> > >
>> >> >> >
>> >> >> > could also be one of these fixed in 3.4:
>> >> >> > 3.4.0 - Bug 1065615 - When adding a user that belongs to a group, it
>> >> >> > does not inherit the group permissions
>> >> >> > 3.4.1 - Bug 1069562 - When assigning permissions to user that belongs to
>> >> >> > a group indirectly, it does not inherit the group permissions
>> >> >> >
>> >> >> > >> On Sat, Aug 9, 2014 at 2:33 AM, Alon Bar-Lev <alo...@redhat.com> wrote:
>> >> >> > >>>
>> >> >> > >>> ----- Original Message -----
>> >> >> > >>>> From: "Maurice James" <mja...@media-node.com>
>> >> >> > >>>> To: "Alon Bar-Lev" <alo...@redhat.com>
>> >> >> > >>>> Cc: "Itamar Heim" <ih...@redhat.com>, users@ovirt.org
>> >> >> > >>>> Sent: Saturday, August 9, 2014 3:47:04 AM
>> >> >> > >>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
>> >> >> > >>>>
>> >> >> > >>>> Does this still require the use of kerberos? Will 389-ds work on its own?
>> >> >> > >>>
>> >> >> > >>> In 3.5 we introduced pure ldap support[1], obsoleting the kerberos/ldap mix.
>> >> >> > >>>
>> >> >> > >>> It will be great to receive feedback[2].
>> >> >> > >>>
>> >> >> > >>> 389ds is not supported directly, I think it is similar to IPA as it uses
>> >> >> > >>> 389. Maybe I should rename the profile of ipa to 389 if it works properly.
>> >> >> > >>>
>> >> >> > >>> Regards,
>> >> >> > >>> Alon
>> >> >> > >>>
>> >> >> > >>> [1] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=master
>> >> >> > >>> [2] http://lists.ovirt.org/pipermail/devel/2014-August/008367.html
>> >> >> > >>>
>> >> >> > >>>> ----- Original Message -----
>> >> >> > >>>> From: "Alon Bar-Lev" <alo...@redhat.com>
>> >> >> > >>>> To: "Itamar Heim" <ih...@redhat.com>
>> >> >> > >>>> Cc: users@ovirt.org
>> >> >> > >>>> Sent: Friday, August 8, 2014 3:45:07 PM
>> >> >> > >>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
>> >> >> > >>>>
>> >> >> > >>>> ----- Original Message -----
>> >> >> > >>>>> From: "Itamar Heim" <ih...@redhat.com>
>> >> >> > >>>>> To: "Paul Robert Marino" <prmari...@gmail.com>, users@ovirt.org
>> >> >> > >>>>> Sent: Friday, August 8, 2014 10:37:11 PM
>> >> >> > >>>>> Subject: Re: [ovirt-users] ovirt with 389 server inactive groups
>> >> >> > >>>>>
>> >> >> > >>>>> On 08/07/2014 07:06 PM, Paul Robert Marino wrote:
>> >> >> > >>>>>> I have ovirt engine running and connected to a 389 server with the
>> >> >> > >>>>>> memberof plugin enabled and working properly.
>> >> >> > >>>>>>
>> >> >> > >>>>>> I can add users and assign them to roles without any issues.
>> >> >> > >>>>>>
>> >> >> > >>>>>> when I look at a user I can see all the LDAP groups they are a member of.
>> >> >> > >>>>>>
>> >> >> > >>>>>> when I run engine-manage-domains -action=validate it tells me the
>> >> >> > >>>>>> domain is valid.
>> >> >> > >>>>>>
>> >> >> > >>>>>> here is my problem: when I try to assign a role to an LDAP group it
>> >> >> > >>>>>> looks like it works, but in the general tab under the group it
>> >> >> > >>>>>> tells me the status is Inactive.
>> >> >> > >>>>>>
>> >> >> > >>>>>> does any one know how to enable the group?
>> >> >> > >>>>>> _______________________________________________
>> >> >> > >>>>>> Users mailing list
>> >> >> > >>>>>> Users@ovirt.org
>> >> >> > >>>>>> http://lists.ovirt.org/mailman/listinfo/users
>> >> >> > >>>>>>
>> >> >> > >>>>>
>> >> >> > >>>>> 3.4 or new 3.5 Generic LDAP provider?
>> >> >> > >>>>
>> >> >> > >>>> In case this is 3.5 it is a known issue, all groups will be seen as
>> >> >> > >>>> inactive, this field will probably be removed from UI, as groups are no
>> >> >> > >>>> longer fetched periodically.
>> >> >> > >>>> This field is totally ignored.
>> >> >> > >>>>
>> >> >> > >>>> Alon
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
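The diagnosis in this thread comes down to comparing the comma-separated `group_ids` and `groups` columns of `users` with `ad_groups`, and the fix Paul applied was to rewrite `group_ids` by hand. The following is an added example, not code from the thread or from the oVirt project: it rebuilds those two tables in an in-memory SQLite database from constructed sample rows (the IDs are the ones the thread shows; the domain is replaced by example.com), reports users whose `group_ids` hold the nil UUID or IDs absent from `ad_groups`, and derives a corrected `group_ids` from the group names. The simplified two-column schema, the case-insensitive name match (the thread shows `groups/sysadmin` in `users` but `Groups/sysadmin` in `ad_groups`), and the assumption that `group_ids` and `groups` are parallel lists are all assumptions of the example, not documented oVirt behaviour.

```python
"""Audit/repair helper for the users.group_ids <-> ad_groups mismatch seen in the thread.

Added illustration, not an oVirt tool. The schema below keeps only the columns the
thread queried (assumption); the sample rows are constructed to match the query output.
"""
import sqlite3

NIL_UUID = "00000000-0000-0000-0000-000000000000"

# Constructed sample rows shaped like the thread's output (domain -> example.com,
# only two of the six group names kept to stay short).
SAMPLE_AD_GROUPS = [
    ("eee00000-0000-0000-0000-123456789eee", "Everyone"),
    ("2a8a8401-fc9e-11e3-8742-861538ea406a", "example.com/Groups/sysadmin"),
]
SAMPLE_USERS = [
    ("pmarino", f"{NIL_UUID},{NIL_UUID}",
     "example.com/groups/sysadmin,example.com/groups/accounting managers"),
    ("admin", "", ""),
]


def build_db(users=SAMPLE_USERS, ad_groups=SAMPLE_AD_GROUPS):
    """Create the simplified users/ad_groups tables in memory and load the rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE users (username TEXT PRIMARY KEY, group_ids TEXT, "groups" TEXT)')
    conn.execute("CREATE TABLE ad_groups (id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", users)
    conn.executemany("INSERT INTO ad_groups VALUES (?, ?)", ad_groups)
    conn.commit()
    return conn


def split_csv(value):
    """Split a comma-separated column, dropping empties (NULL or '' -> [])."""
    return [item for item in (value or "").split(",") if item]


def audit_user_groups(conn):
    """Return {username: audit dict} showing how group_ids lines up with ad_groups.

    Names are matched case-insensitively (assumption based on the thread's output).
    'healthy' means: no nil IDs, no IDs missing from ad_groups, and as many IDs as names.
    """
    by_name = {name.lower(): gid for gid, name in conn.execute("SELECT id, name FROM ad_groups")}
    known_ids = set(by_name.values())
    report = {}
    for username, group_ids, groups in conn.execute('SELECT username, group_ids, "groups" FROM users'):
        ids, names = split_csv(group_ids), split_csv(groups)
        entry = {
            "nil_ids": ids.count(NIL_UUID),
            "unknown_ids": sorted({g for g in ids if g != NIL_UUID and g not in known_ids}),
            "resolved": {n: by_name[n.lower()] for n in names if n.lower() in by_name},
            "unresolved": [n for n in names if n.lower() not in by_name],
        }
        entry["healthy"] = not entry["nil_ids"] and not entry["unknown_ids"] and len(ids) == len(names)
        report[username] = entry
    return report


def proposed_group_ids(conn, username):
    """Rebuild group_ids positionally from the groups column (assumption: the two
    comma lists are parallel). Names with no ad_groups row keep the nil placeholder
    so positions stay aligned and the audit keeps flagging them."""
    row = conn.execute('SELECT "groups" FROM users WHERE username = ?', (username,)).fetchone()
    if row is None:
        raise KeyError(username)
    by_name = {name.lower(): gid for gid, name in conn.execute("SELECT id, name FROM ad_groups")}
    return ",".join(by_name.get(n.lower(), NIL_UUID) for n in split_csv(row[0]))


def repair_user_group_ids(conn, username, apply=False):
    """Return (sql, params) for the UPDATE that mirrors the manual fix in the thread;
    execute it only when apply=True so the default is a dry run."""
    new_ids = proposed_group_ids(conn, username)
    sql = "UPDATE users SET group_ids = ? WHERE username = ?"
    params = (new_ids, username)
    if apply:
        conn.execute(sql, params)
        conn.commit()
    return sql, params


if __name__ == "__main__":
    db = build_db()
    for user, entry in audit_user_groups(db).items():
        print(user, entry)
    print(repair_user_group_ids(db, "pmarino"))  # dry run: shows the UPDATE and its parameters
```

Run as a script it prints the audit for each user and the UPDATE with its parameters without executing it; `apply=True` executes it. The `unresolved` list is the part worth reading before applying anything, since a group name that does not match any `ad_groups` row (the `accounting managers` entry in the sample) cannot be repaired from the database alone and keeps its nil placeholder.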