When I give "superuser" permission then able to login and it's taking too long time to login. Pls suggest anything needs to be done?

On Wed, Sep 23, 2015 at 1:07 PM, Ondra Machacek <omach...@redhat.com> wrote:

> Should work well, strange.
> The 'warn' message you sent was unsuccessful login to webadmin as I can
> see 'LoginAdminUserCommand', in UserPortal it's 'LoginUserCommand'.
> Please try to assign UserRole to some vm to another user in domain if it
> will work properly, if not please open bz.
>
> On 09/23/2015 09:29 AM, Budur Nagaraju wrote:
>
> yeah facing issues while logging to the user portal.
>
> On Wed, Sep 23, 2015 at 12:54 PM, Ondra Machacek <omach...@redhat.com>
> wrote:
>
>> With UserRole you can only login to UserPortal, not webadmin. Do you have
>> this issue when you try to login to UserPortal?
>>
>> On 09/23/2015 09:22 AM, Budur Nagaraju wrote:
>>
>> Provided the "user role" permissions still same issue
>>
>> On Wed, Sep 23, 2015 at 12:48 PM, Ondra Machacek <omach...@redhat.com> wrote:
>>
>>> Hi,
>>>
>>> your user nbud...@abc.net doesn't have appropriate permissions to login.
>>> First you need to login as 'admin@internal' and assign him some
>>> permissions, then you will be able to login.
>>>
>>> Ondra
>>>
>>> On 09/23/2015 09:15 AM, Budur Nagaraju wrote:
>>>
>>> HI All,
>>>
>>> After rectifying this able to search the domain in the users in UI,
>>> but unable to login getting the below error,
>>>
>>> 2015-09-23 12:41:47,482 WARN [org.ovirt.engine.core.bll.aaa.LoginAdminUserCommand] (ajp--127.0.0.1-8702-3) CanDoAction of action LoginAdminUser failed for user nbud...@abc.net. Reasons: USER_NOT_AUTHORIZED_TO_PERFORM_ACTION
>>>
>>> Thanks,
>>> Nagaraju
>>>
>>> On Wed, Sep 23, 2015 at 12:13 PM, Ondra Machacek <omach...@redhat.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> as Alon already said, you have trailing space in your configuration
>>>>
>>>> 'my.abc.net ' <-- space at the end
>>>>
>>>> Please remove this space and try again.
>>>>
>>>> Ondra
>>>>
>>>> On 09/23/2015 05:35 AM, Budur Nagaraju wrote:
>>>>
>>>> HI Alon,
>>>>
>>>> Tried all the options but no luck,
>>>>
>>>> I have copied the logs in the pastebin below is the link, warning
>>>> message is that unable to resolve the DNS, let me know any help would I get.
>>>>
>>>> http://pastebin.com/7qN9QnHK
>>>>
>>>> Thanks,
>>>> Nagaraju
>>>>
>>>> On Tue, Sep 22, 2015 at 8:44 PM, Daniel Helgenberger <daniel.helgenber...@m-box.de> wrote:
>>>>
>>>>> Hello Budur,
>>>>>
>>>>> I've done this recently. Alon, no offense, but the docs are not quite
>>>>> straightforward...
>>>>>
>>>>> Requirements:
>>>>> - LDAP server (obviously) - called here ldap.mydomain.com
>>>>> - LDAP bind account - called here l...@mydomain.com, password 'Passw@rd'
>>>>> - At least one existing account in ldap, called u...@mydomain.com
>>>>>
>>>>> Please note, the most common issue will be DNS.
>>>>>
>>>>> I'll describe in short what steps need to be taken. All this needs to
>>>>> be done on your engine host. In the end this was quite easy :)
>>>>>
>>>>> 1. Install the packages: ovirt-engine-extension-aaa-ldap and
>>>>> openldap-clients (these are only for testing your setup)
>>>>> 2. Test if ldap is working in general. (The extension uses the global
>>>>> catalog at least for AD, this was news to me):
>>>>> # ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H ldap://ldap.mydomain.com:3268/ -x \
>>>>>     -D 'l...@mydomain.com' -w Passw@rd -b '' '(userPrincipalName=u...@mydomain.com)' cn userPrincipalName
>>>>>
>>>>> If this command does not return details of the user, do debug your
>>>>> ldap and continue once this works. Example:
>>>>>
>>>>> # extended LDIF
>>>>> #
>>>>> # LDAPv3
>>>>> # base <> with scope subtree
>>>>> # filter: (userPrincipalName=u...@mydomain.com)
>>>>> # requesting: cn userPrincipalName
>>>>> # with pagedResults control: size=1024
>>>>> #
>>>>>
>>>>> # Some Name, some-ou, mydomain.com
>>>>> dn: CN=Some Name,OU=some-ou,DC=mydomain,DC=com
>>>>> cn: Some Name
>>>>> userPrincipalName: u...@mydomain.com
>>>>>
>>>>> # search result
>>>>> search: 2
>>>>> result: 0 Success
>>>>> control: 1.2.840.113556.1.4.319 false MIQXGSGSGSgEABAA=
>>>>> pagedresults: cookie=
>>>>>
>>>>> # numResponses: 2
>>>>> # numEntries: 1
>>>>>
>>>>> 3. Copy the examples as mentioned from the readme.
>>>>> 4. You only need to modify
>>>>> /etc/ovirt-engine/aaa/int.m-box.de.properties; leave the rest as is.
>>>>> 5. There, set:
>>>>>
>>>>> vars.domain = ldap.mydomain.com
>>>>> vars.user = ldap@${global:vars.domain}
>>>>> vars.password = Passw@rd
>>>>>
>>>>> 6. Restart ovirt engine service
>>>>> 7. Log in as admin@internal and add user rights and roles from the
>>>>> new provider
>>>>>
>>>>> Hope this helps.
>>>>>
>>>>> On 22.09.2015 16:46, Budur Nagaraju wrote:
>>>>> >
>>>>> > below are the three files which I have modified.
>>>>> >
>>>>> > [root@cstlb2 extensions.d]# cat profile1-authn.properties
>>>>> > ovirt.engine.extension.name = cloudspin-authn
>>>>> > ovirt.engine.extension.bindings.method = jbossmodule
>>>>> > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>>>>> > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthnExtension
>>>>> > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn
>>>>> > ovirt.engine.aaa.authn.profile.name = cloudspin
>>>>> > ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth
>>>>> > config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
>>>>> >
>>>>> > [root@cstlb2 extensions.d]# ls
>>>>> > profile1-authn.properties profile1-authz.properties
>>>>> > [root@cstlb2 extensions.d]# cat profile1-authz.properties
>>>>> > ovirt.engine.extension.name = cloudspin-authz
>>>>> > ovirt.engine.extension.bindings.method = jbossmodule
>>>>> > ovirt.engine.extension.binding.jbossmodule.module = org.ovirt.engine-extensions.aaa.ldap
>>>>> > ovirt.engine.extension.binding.jbossmodule.class = org.ovirt.engineextensions.aaa.ldap.AuthzExtension
>>>>> > ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz
>>>>> > config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties
>>>>> > [root@cstlb2 extensions.d]#
>>>>> >
>>>>> > [root@cstlb2 aaa]# pwd
>>>>> > /etc/ovirt-engine/aaa
>>>>> > [root@cstlb2 aaa]# ls
>>>>> > ldap1.properties
>>>>> > [root@cstlb2 aaa]# cat ldap1.properties
>>>>> > #
>>>>> > # Select one
>>>>> > #
>>>>> > include = <openldap.properties>
>>>>> > #include = <389ds.properties>
>>>>> > #include = <rhds.properties>
>>>>> > #include = <ipa.properties>
>>>>> > #include = <iplanet.properties>
>>>>> > #include = <rfc2307.properties>
>>>>> > #include = <rfc2307-openldap.properties>
>>>>> >
>>>>> > #
>>>>> > # Server
>>>>> > #
>>>>> > vars.server = my.abc.net
>>>>> >
>>>>> > #
>>>>> > # Search user and its password.
>>>>> > #
>>>>> > vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=nbudoor,dc=net
>>>>> > vars.password = company
>>>>> >
>>>>> > pool.default.serverset.single.server = ${global:vars.server}
>>>>> > pool.default.auth.simple.bindDN = ${global:vars.user}
>>>>> > pool.default.auth.simple.password = ${global:vars.password}
>>>>> >
>>>>> > # Create keystore, import certificate chain and uncomment
>>>>> > # if using ssl/tls.
>>>>> > #pool.default.ssl.startTLS = true
>>>>> > #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
>>>>> > #pool.default.ssl.truststore.password = changeit
>>>>> > [root@cstlb2 aaa]#
>>>>> >
>>>>> > On Tue, Sep 22, 2015 at 8:07 PM, Alon Bar-Lev <alo...@redhat.com> wrote:
>>>>> >
>>>>> >     ----- Original Message -----
>>>>> >     > From: "Budur Nagaraju" <nbud...@gmail.com>
>>>>> >     > To: "Alon Bar-Lev" <alo...@redhat.com>
>>>>> >     > Cc: users@ovirt.org
>>>>> >     > Sent: Tuesday, September 22, 2015 5:35:16 PM
>>>>> >     > Subject: Re: [ovirt-users] LDAP Authentication
>>>>> >     >
>>>>> >     > it's too complicated, you have any script or video?
>>>>> >
>>>>> >     in 3.6 we have a setup script.
>>>>> >     for now:
>>>>> >
>>>>> >     cp -r /usr/share/ovirt-engine/examples/simple/. /etc/ovirt-engine/
>>>>> >
>>>>> >     this is written in the README.
>>>>> >
>>>>> >     then customize files at /etc/ovirt-engine/extensions.d/*
>>>>> >     /etc/ovirt-engine/aaa/* to match your setup
>>>>> >
>>>>> >     >
>>>>> >     > On Tue, Sep 22, 2015 at 8:00 PM, Alon Bar-Lev <alo...@redhat.com> wrote:
>>>>> >     >
>>>>> >     > > ----- Original Message -----
>>>>> >     > > > From: "Budur Nagaraju" <nbud...@gmail.com>
>>>>> >     > > > To: "Alon Bar-Lev" <alo...@redhat.com>
>>>>> >     > > > Cc: users@ovirt.org
>>>>> >     > > > Sent: Tuesday, September 22, 2015 5:24:36 PM
>>>>> >     > > > Subject: Re: [ovirt-users] LDAP Authentication
>>>>> >     > > >
>>>>> >     > > > HI Alon,
>>>>> >     > > >
>>>>> >     > > > Below is the configuration which I have done, but unable to search the
>>>>> >     > > > users in UI
>>>>> >     > > > can you pls help me?
>>>>> >     > >
>>>>> >     > > you need three files, see the
>>>>> >     > > /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple
>>>>> >     > >
>>>>> >     > > >
>>>>> >     > > > [root@cstlb2 aaa]# cat ldap1.properties
>>>>> >     > > > #
>>>>> >     > > > # Select one
>>>>> >     > > > #
>>>>> >     > > > include = <openldap.properties>
>>>>> >     > > > #include = <389ds.properties>
>>>>> >     > > > #include = <rhds.properties>
>>>>> >     > > > #include = <ipa.properties>
>>>>> >     > > > #include = <iplanet.properties>
>>>>> >     > > > #include = <rfc2307.properties>
>>>>> >     > > > #include = <rfc2307-openldap.properties>
>>>>> >     > > >
>>>>> >     > > > #
>>>>> >     > > > # Server
>>>>> >     > > > #
>>>>> >     > > > vars.server =my.abc.net
>>>>> >     > > >
>>>>> >     > > > #
>>>>> >     > > > # Search user and its password.
>>>>> >     > > > #
>>>>> >     > > > vars.user = uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=abc,dc=net
>>>>> >     > > > vars.password = company1
>>>>> >     > > >
>>>>> >     > > > pool.default.serverset.single.server = ${global:vars.server}
>>>>> >     > > > pool.default.auth.simple.bindDN = ${global:vars.user}
>>>>> >     > > > pool.default.auth.simple.password = ${global:vars.password}
>>>>> >     > > >
>>>>> >     > > > # Create keystore, import certificate chain and uncomment
>>>>> >     > > > # if using ssl/tls.
>>>>> >     > > > #pool.default.ssl.startTLS = true
>>>>> >     > > > #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
>>>>> >     > > > #pool.default.ssl.truststore.password = changeit
>>>>> >     > > > [root@cstlb2 aaa]#
>>>>> >     > > >
>>>>> >     > > > On Tue, Sep 22, 2015 at 7:25 PM, Alon Bar-Lev <alo...@redhat.com> wrote:
>>>>> >     > > >
>>>>> >     > > > > ----- Original Message -----
>>>>> >     > > > > > From: "Budur Nagaraju" <nbud...@gmail.com>
>>>>> >     > > > > > To: users@ovirt.org
>>>>> >     > > > > > Sent: Tuesday, September 22, 2015 4:34:46 PM
>>>>> >     > > > > > Subject: [ovirt-users] LDAP Authentication
>>>>> >     > > > > >
>>>>> >     > > > > > HI All,
>>>>> >     > > > > >
>>>>> >     > > > > > Can someone help me in configuring LDAP authentication for Ovirt?
>>>>> >     > > > >
>>>>> >     > > > > Please review:
>>>>> >     > > > > http://www.ovirt.org/Features/AAA
>>>>> >     > > > > https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0
>>>>>
>>>>> --
>>>>> Daniel Helgenberger
>>>>> m box bewegtbild GmbH
>>>>>
>>>>> P: +49/30/2408781-22
>>>>> F: +49/30/2408781-10
>>>>>
>>>>> ACKERSTR. 19
>>>>> D-10115 BERLIN
>>>>>
>>>>> www.m-box.de www.monkeymen.tv
>>>>>
>>>>> Managing directors: Martin Retschitzegger / Michaela Göllner
>>>>> Commercial register: Amtsgericht Charlottenburg / HRB 112767
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users@ovirt.org
>>>> http://lists.ovirt.org/mailman/listinfo/users
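Added example, not part of the original thread and not code from the oVirt project: a small checker for the two things visible in the quoted ldap1.properties, namely the trailing space after vars.server that Ondra points out and the commented-out pool.default.ssl.startTLS line next to a simple bind password. The sample file content is constructed, and treating startTLS as the only transport protection is an assumption of this sketch.

```python
import re
import sys

# Constructed sample modelled on the ldap1.properties quoted in the thread.
# The space after "my.abc.net" is deliberate; the password is a placeholder.
SAMPLE = "\n".join([
    "include = <openldap.properties>",
    "vars.server = my.abc.net ",
    "vars.user = uid=search,cn=users,dc=abc,dc=net",
    "vars.password = placeholder",
    "pool.default.serverset.single.server = ${global:vars.server}",
    "pool.default.auth.simple.bindDN = ${global:vars.user}",
    "pool.default.auth.simple.password = ${global:vars.password}",
    "#pool.default.ssl.startTLS = true",
])

def parse_properties(text):
    """Return {key: (line_number, value)}. Like java.util.Properties, whitespace
    after the separator is skipped but trailing whitespace stays in the value.
    Simplification: backslash line continuations are not handled."""
    props = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.lstrip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = (lineno, m.group(2))
    return props

def lint(text):
    """Return (line_number, key, message) findings; line 0 means file-wide."""
    props = parse_properties(text)
    findings = [(n, k, "value ends in whitespace, which becomes part of the value")
                for k, (n, v) in props.items() if v != v.rstrip()]
    simple_bind = "pool.default.auth.simple.password" in props
    start_tls = props.get("pool.default.ssl.startTLS", (0, ""))[1].strip().lower()
    if simple_bind and start_tls != "true":
        findings.append((0, "pool.default.ssl.startTLS",
                         "not enabled: the simple bind password is sent unencrypted "
                         "unless the connection is protected some other way"))
    return findings

if __name__ == "__main__":
    for path in sys.argv[1:] or [None]:
        text = SAMPLE if path is None else open(path, encoding="latin-1").read()
        for lineno, key, msg in lint(text):
            print(f"{path or 'SAMPLE'}:{lineno}: {key}: {msg}")
```

Run it with the files under /etc/ovirt-engine/aaa/ as arguments; with no arguments it reports on the constructed sample.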