Try giving your user system permissions as a superuser and see if it goes away.
I wouldn't leave it like that, but it will help isolate your issue. I don't think you have an ldap issue... the log entry is telling you that user has no permissions

> The user callum@Biomedical Research Computing is not authorized to perform login

On Mon, Jun 11, 2018 at 6:23 AM, Callum Smith <cal...@well.ox.ac.uk> wrote:

> Dear Donny,
>
> No, though the user shows the permissions inherited from the Everyone
> group:
>
> Regards,
> Callum
>
> --
>
> Callum Smith
> Research Computing Core
> Wellcome Trust Centre for Human Genetics
> University of Oxford
> e. cal...@well.ox.ac.uk
>
> On 11 Jun 2018, at 11:21, Donny Davis <do...@fortnebula.com> wrote:
>
> Just a shot in the dark, but after you setup ldap did you go in as the
> default admin and give an ldap account permissions?
>
> On Mon, Jun 11, 2018 at 6:04 AM, Callum Smith <cal...@well.ox.ac.uk>
> wrote:
>
>> Dear All,
>>
>> Could this be as our LDAP is fairly short on attributes?
>>
>> 2018-06-11 11:00:52,856+01 INFO [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-5) [5dff9eb0] Running command: CreateUserSessionCommand internal: false.
>> 2018-06-11 11:00:52,884+01 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-5) [5dff9eb0] EVENT_ID: USER_VDC_LOGIN_FAILED(114), User callum@Biomedical Research Computing connecting from '--ipaddr--' failed to log in<UNKNOWN>.
>> 2018-06-11 11:00:52,884+01 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-5) [] The user callum@Biomedical Research Computing is not authorized to perform login
>>
>> I note that a number of variables are included in this action, but which
>> are required and which are optional is the question:
>>
>> https://github.com/oVirt/ovirt-engine/blob/master/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/servlet/SsoPostLoginServlet.java#L88
>>
>> Regards,
>> Callum
>>
>> --
>>
>> Callum Smith
>> Research Computing Core
>> Wellcome Trust Centre for Human Genetics
>> University of Oxford
>> e. cal...@well.ox.ac.uk
>>
>> On 11 Jun 2018, at 09:35, Callum Smith <cal...@well.ox.ac.uk> wrote:
>>
>> What would be the next step to help solve this issue? All users
>> authenticating through LDAP get "This user is not authorised to perform
>> authentication".
>>
>> Regards,
>> Callum
>>
>> --
>>
>> Callum Smith
>> Research Computing Core
>> Wellcome Trust Centre for Human Genetics
>> University of Oxford
>> e. cal...@well.ox.ac.uk
>>
>> On 5 Jun 2018, at 11:42, Callum Smith <cal...@well.ox.ac.uk> wrote:
>>
>> Ok I spoke too soon, I have resolved the groups, but authentication still
>> isn't working for LDAP users, same error as before (114).
>>
>> Regards,
>> Callum
>>
>> --
>>
>> Callum Smith
>> Research Computing Core
>> Wellcome Trust Centre for Human Genetics
>> University of Oxford
>> e. cal...@well.ox.ac.uk
>>
>> On 5 Jun 2018, at 10:14, Callum Smith <cal...@well.ox.ac.uk> wrote:
>>
>> Dear Ondra, all,
>>
>> Managed to solve this once I got my head around the properties file.
>> Conceptually the problem is that users are typically not a member of their
>> primary group in a POSIX scenario, and their primary group is set by the
>> gidNumber of the user's record, with additional group memberships specified
>> by memberUid entries against a posixGroup entry.
>>
>> search.rfc2307-resolve-groups-memberUid.search-request.filter = &(objectClass=posixGroup)(|(memberUid=${seq:_rfc2307_uid_encoded})(gidNumber=${seq:_rfc2307_gid_encoded}))
>>
>> search.rfc2307-resolve-principal-uid.search-request.attributes = uid, gidNumber
>>
>> sequence.bmrc-resolve-groups.010.description = set dn
>> sequence.bmrc-resolve-groups.010.type = var-set
>> sequence.bmrc-resolve-groups.010.var-set.variable = _rfc2307_dn
>> sequence.bmrc-resolve-groups.010.var-set.value = ${seq:dn}
>> sequence.bmrc-resolve-groups.020.description = resolve uid
>> sequence.bmrc-resolve-groups.020.type = fetch-record
>> sequence.bmrc-resolve-groups.020.fetch-record.search = rfc2307-resolve-principal-uid
>> sequence.bmrc-resolve-groups.020.fetch-record.map.uid.name = _rfc2307_uid
>> sequence.bmrc-resolve-groups.030.description = resolve gid
>> sequence.bmrc-resolve-groups.030.type = fetch-record
>> sequence.bmrc-resolve-groups.030.fetch-record.search = rfc2307-resolve-principal-uid
>> sequence.bmrc-resolve-groups.030.fetch-record.map.gidNumber.name = _rfc2307_gid
>> sequence.bmrc-resolve-groups.040.description = query groups
>> sequence.bmrc-resolve-groups.040.type = search-open
>> sequence.bmrc-resolve-groups.040.search-open.search = rfc2307-resolve-groups-memberUid
>> sequence.bmrc-resolve-groups.040.search-open.variable = queryRFC2307ByMemberUid
>>
>> sequence.rfc2307-resolve-groups.020.call.name = bmrc-resolve-groups
>>
>>
>> Regards,
>> Callum
>>
>> --
>>
>> Callum Smith
>> Research Computing Core
>> Wellcome Trust Centre for Human Genetics
>> University of Oxford
>> e. cal...@well.ox.ac.uk
>>
>> On 4 Jun 2018, at 15:07, Callum Smith <cal...@well.ox.ac.uk> wrote:
>>
>> Dear Ondra,
>>
>> I went for openldap-rfc2307 as that best describes our ldap setup.
>> The issue seems to be that the gidNumber is set, but users are not a member of
>> their primary group within the LDAP. So, user's gidNumber represents
>> primary group and posixGroup membership (memberUid) represents their
>> secondary groups. What's the best way to approach this (fix the filters on
>> oVirt end or change the LDAP? This is a question of what is most compliant
>> with standards really).
>>
>> Regards,
>> Callum
>>
>> --
>>
>> Callum Smith
>> Research Computing Core
>> Wellcome Trust Centre for Human Genetics
>> University of Oxford
>> e. cal...@well.ox.ac.uk
>>
>> On 29 May 2018, at 11:29, Ondra Machacek <omach...@redhat.com> wrote:
>>
>> What's your LDAP and what profile did you choose? This looks like you have
>> chosen incorrect profile during setup. Are you sure you aren't using posix
>> group and using non-posix aaa profile? Sharing a debug log of
>> ovirt-engine-extensions-tool would be helpful.
>>
>>
>> On Fri, May 25, 2018, 10:04 AM Callum Smith <cal...@well.ox.ac.uk> wrote:
>>
>>> Dear All,
>>>
>>> I'm having problems getting LDAP running, login works, but I'm getting
>>> "user is not authorised to perform login" - this is even if I specify the
>>> UserRole specifically to the LDAP group the user is in.
>>>
>>> 2018-05-25 08:56:16,212+01 INFO [org.ovirt.engine.core.sso.utils.AuthenticationUtils] (default task-23) [] User callum@Biomedical Research Computing successfully logged in with scopes: ovirt-app-admin ovirt-app-api ovirt-app-portal ovirt-ext=auth:sequence-priority=~ ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access
>>> 2018-05-25 08:56:16,391+01 INFO [org.ovirt.engine.core.bll.aaa.CreateUserSessionCommand] (default task-25) [63e60fe9] Running command: CreateUserSessionCommand internal: false.
>>> 2018-05-25 08:56:16,430+01 ERROR [org.ovirt.engine.core.dal.dbbroker.auditloghandling.AuditLogDirector] (default task-25) [63e60fe9] EVENT_ID: USER_VDC_LOGIN_FAILED(114), User callum@Biomedical Research Computing connecting from '192.168.65.254' failed to log in<UNKNOWN>.
>>> 2018-05-25 08:56:16,430+01 ERROR [org.ovirt.engine.core.aaa.servlet.SsoPostLoginServlet] (default task-25) [] The user callum@Biomedical Research Computing is not authorized to perform login
>>>
>>>
>>> On a side note: is it possible to assign permissions to all members of
>>> an LDAP tree where they don't have a common group membership?
>>>
>>> Regards,
>>> Callum
>>>
>>> --
>>>
>>> Callum Smith
>>> Research Computing Core
>>> Wellcome Trust Centre for Human Genetics
>>> University of Oxford
>>> e. cal...@well.ox.ac.uk
>>>
>>> _______________________________________________
>>> Users mailing list -- users@ovirt.org
>>> To unsubscribe send an email to users-le...@ovirt.org
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/site/privacy-policy/
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/RQF34RCN76KI7P76MACKNC3YT54NKKG7/
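
The group-resolution problem discussed in this thread (primary group carried only by the user's gidNumber, secondary groups by memberUid), as an added example that is not part of any message in the thread: it compares a memberUid-only filter with the combined memberUid/gidNumber filter over constructed entries. The directory entries, the function names and the small filter evaluator are assumptions made for illustration; the filters here are written with the outer parentheses of RFC 4515 and with escaped values.

```python
import re

# Constructed sample entries (not from the thread): "staff" is the primary
# group (gidNumber 2000) and lists no memberUid; "ovirt-admins" is secondary.
GROUPS = [
    {"cn": ["staff"], "objectClass": ["posixGroup"], "gidNumber": ["2000"]},
    {"cn": ["ovirt-admins"], "objectClass": ["posixGroup"],
     "gidNumber": ["3000"], "memberUid": ["callum"]},
    {"cn": ["guests"], "objectClass": ["posixGroup"], "gidNumber": ["4000"],
     "memberUid": ["visitor"]},
]

def escape(value):
    """Escape a value for an LDAP filter assertion (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def group_filter(uid, gid_number=None):
    """memberUid-only filter, or memberUid OR gidNumber when a gid is given."""
    member = "(memberUid=%s)" % escape(uid)
    if gid_number is None:
        return "(&(objectClass=posixGroup)%s)" % member
    return "(&(objectClass=posixGroup)(|%s(gidNumber=%s)))" % (
        member, escape(gid_number))

def parse(f, i=0):
    """Parse the filter subset used here: (&..), (|..) and (attr=value)."""
    if f[i + 1] in "&|":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    value = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return ("=", attr, value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter node against one directory entry."""
    if node[0] == "=":
        return node[2] in entry.get(node[1], [])
    hits = [matches(kid, entry) for kid in node[1]]
    return all(hits) if node[0] == "&" else any(hits)

def resolve_groups(uid, gid_number=None):
    """Names of the groups the filter returns for this user."""
    tree, _ = parse(group_filter(uid, gid_number))
    return sorted(g["cn"][0] for g in GROUPS if matches(tree, g))
```

With these entries the memberUid-only filter returns only the secondary group, so a permission granted to the primary group never reaches the user; the combined filter returns both.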