Hello, I'm running oVirt Engine, OpenLDAP and BIND on the same machine, and an oVirt host (hypervisor) on another machine. I tried to configure OpenLDAP using ovirt-engine-extension-aaa-ldap, but no LDAP users can be searched for or added from the Web Admin Portal.
CentOS release 6.5 (Final)
ovirt-engine.noarch 3.5.0-0.0.master.20140821064931.gitb794d66.el6
ovirt-engine-extension-aaa-ldap.noarch 0.0.0-0.0.master.20140904095149.gitc7bd415.el6
openldap-clients.x86_64 2.4.23-34.el6_5.1
openldap-servers.x86_64 2.4.23-34.el6_5.1
cyrus-sasl-gssapi.x86_64 2.1.23-13.el6_3.1
bind.x86_64 32:9.8.2-0.23.rc1.el6_5.1

My setup procedures:
-------------------------------------------------------------------------------
# yum -y install openldap-servers openldap-clients
# yum -y install cyrus-sasl-gssapi
-------------------------------------------------------------------------------
# rm -rf /etc/openldap/slapd.d
# rm -rf /var/lib/ldap/*
-------------------------------------------------------------------------------
(Copy slapd.conf template)
# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
-------------------------------------------------------------------------------
# vi /etc/openldap/slapd.conf
....(snip)....
# remove comment out
moduleload memberof.la
....(snip)....
# modify value
        by dn.exact="cn=Manager,dc=rxc05271,dc=com" read
....(snip)....
# add next two lines right under "database definitions"
authz-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
        "cn=Manager,dc=rxc05271,dc=com"
....(snip)....
# modify value
suffix "dc=rxc05271,dc=com"
....(snip)....
# modify value
rootdn "cn=Manager,dc=rxc05271,dc=com"
....(snip)....
# remove comment out
rootpw secret
....(snip)....
# add next lines to end of the file
overlay memberof
loglevel 4
-------------------------------------------------------------------------------
(Enabling SSL/TLS)
# vi /etc/sysconfig/ldap
SLAPD_LDAPS=yes
-------------------------------------------------------------------------------
(Enabling OpenLDAP log output)
# echo "local4.* /var/log/ldap.log" > /etc/rsyslog.d/ldaplog.conf
# service rsyslog restart
-------------------------------------------------------------------------------
# service slapd start
# chkconfig slapd on
-------------------------------------------------------------------------------
# vi ldapconfig.ldif
dn: dc=rxc05271,dc=com
objectClass: dcObject
objectClass: organization
dc: rxc05271
o: RXC05271

dn: ou=Groups,dc=rxc05271,dc=com
objectclass: organizationalUnit
ou: Groups

dn: ou=Users,dc=rxc05271,dc=com
objectclass: organizationalUnit
ou: Users

dn: uid=tani,ou=Users,dc=rxc05271,dc=com
objectclass: inetOrgPerson
objectclass: uidObject
uid: tani
cn: Tani
givenName: Fumihide
mail: t...@rxc05271.com
sn: 0

dn: cn=Power-Users,ou=Groups,dc=rxc05271,dc=com
objectclass: groupOfNames
cn: Power-Users
member: uid=tani,ou=Users,dc=rxc05271,dc=com
-------------------------------------------------------------------------------
# ldapadd -x -D "cn=Manager,dc=rxc05271,dc=com" -w secret -f ldapconfig.ldif
-------------------------------------------------------------------------------
# vi setsasl.ldif
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,noplain,minssf=1
-
-------------------------------------------------------------------------------
# ldapmodify -x -D "cn=Manager,dc=rxc05271,dc=com" -w secret -f setsasl.ldif
-------------------------------------------------------------------------------
# ldapsearch -LL -Y EXTERNAL -H ldapi:/// "(uid=tani)" -b dc=rxc05271,dc=com memberOf
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
version: 1

dn: uid=tani,ou=Users,dc=rxc05271,dc=com
memberOf: cn=Power-Users,ou=Groups,dc=rxc05271,dc=com
-------------------------------------------------------------------------------
# yum install ovirt-engine-extension-aaa-ldap
-------------------------------------------------------------------------------
# vi /etc/ovirt-engine/extensions.d/authn-company.properties
ovirt.engine.extension.name = authn-company
ovirt.engine.extension.bindings.method = jbossmodule
ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
ovirt.engine.aaa.authn.profile.name = rxc05271.com
ovirt.engine.aaa.authn.authz.plugin = authz-company
config.profile.file.1 = /etc/ovirt-engine/aaa/rxc05271.properties
-------------------------------------------------------------------------------
# vi /etc/ovirt-engine/aaa/rxc05271.properties
include = <openldap.properties>
vars.user = cn=Manager,dc=rxc05271,dc=com
vars.password = 12345678
vars.server = ldap.rxc05271.com
pool.default.ssl.startTLS = true
pool.default.ssl.truststore.file = /etc/openldap/certs/ldap.jks
pool.default.ssl.truststore.password = 12345678
pool.default.serverset.single.server = ${global:vars.server}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
-------------------------------------------------------------------------------
(Add DNS records)
# vi /var/named/rxc05271.com.db
(snip)
ldap IN A 192.168.0.5
_ldap._tcp.rxc05271.com. IN SRV 10 0 389 ovirt.rxc05271.com.

# vi /var/named/0.168.192.in-addr.arpa.db
(snip)
5 IN PTR ldap.rxc05271.com.
# service named restart
-------------------------------------------------------------------------------
# service ovirt-engine restart
-------------------------------------------------------------------------------
(ldap.log outputs after ovirt-engine restart)
[root@ovirt ~]# cat /var/log/ldap.log
Sep 21 14:33:20 ovirt slapd[19276]: connection_get(15)
Sep 21 14:33:20 ovirt slapd[19276]: connection_get(18)
Sep 21 14:33:20 ovirt slapd[19276]: connection_get(17)
Sep 21 14:33:20 ovirt slapd[19276]: connection_get(19)
Sep 21 14:33:20 ovirt slapd[19276]: connection_get(20)
Sep 21 14:33:20 ovirt slapd[19276]: connection_get(21)
Sep 21 14:33:20 ovirt slapd[19276]: connection_get(23)
Sep 21 14:33:20 ovirt slapd[19276]: connection_get(22)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(15)
Sep 21 14:33:25 ovirt slapd[19276]: do_extended: oid=1.3.6.1.4.1.1466.20037
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(15)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(15)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(15)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(15)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(15)
Sep 21 14:33:25 ovirt slapd[19276]: ==> bdb_bind: dn: cn=Manager,dc=rxc05271,dc=com
Sep 21 14:33:25 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(17)
Sep 21 14:33:25 ovirt slapd[19276]: do_extended: oid=1.3.6.1.4.1.1466.20037
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(17)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(17)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(17)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(17)
Sep 21 14:33:25 ovirt slapd[19276]: ==> bdb_bind: dn: cn=Manager,dc=rxc05271,dc=com
Sep 21 14:33:25 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(18)
Sep 21 14:33:25 ovirt slapd[19276]: do_extended: oid=1.3.6.1.4.1.1466.20037
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(18)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(18)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(18)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(18)
Sep 21 14:33:25 ovirt slapd[19276]: ==> bdb_bind: dn: cn=Manager,dc=rxc05271,dc=com
Sep 21 14:33:25 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(19)
Sep 21 14:33:25 ovirt slapd[19276]: do_extended: oid=1.3.6.1.4.1.1466.20037
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(19)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(19)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(19)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(19)
Sep 21 14:33:25 ovirt slapd[19276]: ==> bdb_bind: dn: cn=Manager,dc=rxc05271,dc=com
Sep 21 14:33:25 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(15)
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(15)
Sep 21 14:33:25 ovirt slapd[19276]: SRCH "" 0 0
Sep 21 14:33:25 ovirt slapd[19276]:     1 0 0
Sep 21 14:33:25 ovirt slapd[19276]:     filter: (objectClass=*)
Sep 21 14:33:25 ovirt slapd[19276]:     attrs:
Sep 21 14:33:25 ovirt slapd[19276]:         *
Sep 21 14:33:25 ovirt slapd[19276]:         +
Sep 21 14:33:25 ovirt slapd[19276]:         altServer
Sep 21 14:33:25 ovirt slapd[19276]:         changelog
Sep 21 14:33:25 ovirt slapd[19276]:         firstChangeNumber
Sep 21 14:33:25 ovirt slapd[19276]:         lastChangeNumber
Sep 21 14:33:25 ovirt slapd[19276]:         lastPurgedChangeNumber
Sep 21 14:33:25 ovirt slapd[19276]:         namingContexts
Sep 21 14:33:25 ovirt slapd[19276]:         subschemaSubentry
Sep 21 14:33:25 ovirt slapd[19276]:         supportedAuthPasswordSchemes
Sep 21 14:33:25 ovirt slapd[19276]:         supportedControl
Sep 21 14:33:25 ovirt slapd[19276]:         supportedExtension
Sep 21 14:33:25 ovirt slapd[19276]:         supportedFeatures
Sep 21 14:33:25 ovirt slapd[19276]:         supportedLDAPVersion
Sep 21 14:33:25 ovirt slapd[19276]:         supportedSASLMechanisms
Sep 21 14:33:25 ovirt slapd[19276]:         vendorName
Sep 21 14:33:25 ovirt slapd[19276]:         vendorVersion
Sep 21 14:33:25 ovirt slapd[19276]:
Sep 21 14:33:25 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
Sep 21 14:33:25 ovirt slapd[19276]: connection_get(20)
Sep 21 14:33:25 ovirt slapd[19276]: do_extended: oid=1.3.6.1.4.1.1466.20037
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(20)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(20)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(20)
Sep 21 14:33:26 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(21)
Sep 21 14:33:26 ovirt slapd[19276]: do_extended: oid=1.3.6.1.4.1.1466.20037
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(21)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(21)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(21)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(21)
Sep 21 14:33:26 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(22)
Sep 21 14:33:26 ovirt slapd[19276]: do_extended: oid=1.3.6.1.4.1.1466.20037
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(22)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(22)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(22)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(22)
Sep 21 14:33:26 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(23)
Sep 21 14:33:26 ovirt slapd[19276]: do_extended: oid=1.3.6.1.4.1.1466.20037
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(23)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(23)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(23)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(23)
Sep 21 14:33:26 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(20)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(20)
Sep 21 14:33:26 ovirt slapd[19276]: SRCH "" 0 0
Sep 21 14:33:26 ovirt slapd[19276]:     1 0 0
Sep 21 14:33:26 ovirt slapd[19276]:     filter: (objectClass=*)
Sep 21 14:33:26 ovirt slapd[19276]:     attrs:
Sep 21 14:33:26 ovirt slapd[19276]:         *
Sep 21 14:33:26 ovirt slapd[19276]:         +
Sep 21 14:33:26 ovirt slapd[19276]:         altServer
Sep 21 14:33:26 ovirt slapd[19276]:         changelog
Sep 21 14:33:26 ovirt slapd[19276]:         firstChangeNumber
Sep 21 14:33:26 ovirt slapd[19276]:         lastChangeNumber
Sep 21 14:33:26 ovirt slapd[19276]:         lastPurgedChangeNumber
Sep 21 14:33:26 ovirt slapd[19276]:         namingContexts
Sep 21 14:33:26 ovirt slapd[19276]:         subschemaSubentry
Sep 21 14:33:26 ovirt slapd[19276]:         supportedAuthPasswordSchemes
Sep 21 14:33:26 ovirt slapd[19276]:         supportedControl
Sep 21 14:33:26 ovirt slapd[19276]:         supportedExtension
Sep 21 14:33:26 ovirt slapd[19276]:         supportedFeatures
Sep 21 14:33:26 ovirt slapd[19276]:         supportedLDAPVersion
Sep 21 14:33:26 ovirt slapd[19276]:         supportedSASLMechanisms
Sep 21 14:33:26 ovirt slapd[19276]:         vendorName
Sep 21 14:33:26 ovirt slapd[19276]:         vendorVersion
Sep 21 14:33:26 ovirt slapd[19276]:
Sep 21 14:33:26 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(17)
Sep 21 14:33:26 ovirt slapd[19276]: connection_get(17)
Sep 21 14:33:26 ovirt slapd[19276]: SRCH "" 0 0
Sep 21 14:33:26 ovirt slapd[19276]:     0 0 0
Sep 21 14:33:26 ovirt slapd[19276]:     filter: (&(objectClass=*))
Sep 21 14:33:26 ovirt slapd[19276]:     attrs:
Sep 21 14:33:26 ovirt slapd[19276]:         namingContexts
Sep 21 14:33:26 ovirt slapd[19276]:
Sep 21 14:33:26 ovirt slapd[19276]: send_ldap_result: err=0 matched="" text=""
-------------------------------------------------------------------------------
(engine.log outputs after ovirt-engine restart)
# cat /var/log/ovirt-engine/engine.log | grep extensions
2014-09-21 14:33:25,591 INFO  [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-15) Creating LDAP pool 'authz' for 'authn-company'
2014-09-21 14:33:25,962 INFO  [org.ovirt.engineextensions.aaa.ldap.Framework] (MSC service thread 1-15) Creating LDAP pool 'authn' for 'authn-company'
2014-09-21 14:33:26,195 INFO  [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-15) Start of enabled extensions list
2014-09-21 14:33:26,196 INFO  [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-15) Instance name: 'builtin-authn-internal', Extension name: 'Internal Authn (Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: 'N/A', Initialized: 'true'
2014-09-21 14:33:26,196 INFO  [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-15) Instance name: 'authn-company', Extension name: 'aaa.ldap.authn', Version: '0.0.0_master', Notes: 'Display name: ovirt-engine-extension-aaa-ldap-0.0.0-0.0.master.20140904095149.gitc7bd415.el6', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: '/etc/ovirt-engine/extensions.d/authn-company.properties', Initialized: 'true'
2014-09-21 14:33:26,197 INFO  [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-15) Instance name: 'internal', Extension name: 'Internal Authz (Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: 'N/A', Initialized: 'true'
2014-09-21 14:33:26,197 INFO  [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-15) End of enabled extensions list
-------------------------------------------------------------------------------
I could not find any errors in engine.log or in ldap.log. And I cannot search for or add LDAP users from the Web Admin Portal. I click the "Users" tab, then click "Add". In the "Search" field of [Add Users and Groups] I can select "internal (internal)" only. I do not know where the cause is.
Am I missing other required settings?

Thanks,
Fumihide Tani