Description of problem: After running ovirt-engine-extension-aaa-ldap-setup and checking the Login option at the end, it is not clear if it succeeds or fails. Here is what it prints to the screen:

~~~
2016-04-01 23:48:05 INFO ========================================================================
2016-04-01 23:48:05 INFO ============================== Execution ===============================
2016-04-01 23:48:05 INFO ========================================================================
2016-04-01 23:48:05 INFO Profile='rhev-ipa.usersys.redhat.com' authn='rhev-ipa.usersys.redhat.com-authn' authz='rhev-ipa.usersys.redhat.com-authz' mapping='null'
2016-04-01 23:48:05 INFO API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS user='admin'
2016-04-01 23:48:05 INFO API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS result=SUCCESS
2016-04-01 23:48:05 INFO --- Begin AuthRecord ---
2016-04-01 23:48:05 INFO AAA_AUTHN_AUTH_RECORD_PRINCIPAL: admin
2016-04-01 23:48:05 INFO --- End AuthRecord ---
2016-04-01 23:48:05 INFO API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='admin'
2016-04-01 23:48:05 INFO API: <--Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD status=SUCCESS
2016-04-01 23:48:05 INFO --- Begin PrincipalRecord ---
2016-04-01 23:48:05 INFO AAA_AUTHZ_PRINCIPAL_PRINCIPAL: admin
2016-04-01 23:48:05 INFO AAA_AUTHZ_PRINCIPAL_LAST_NAME: Administrator
2016-04-01 23:48:05 INFO AAA_LDAP_UNBOUNDID_DN: uid=admin,cn=users,cn=accounts,dc=rhev-ipa,dc=usersys,dc=redhat,dc=com
2016-04-01 23:48:05 INFO AAA_AUTHZ_PRINCIPAL_NAMESPACE: dc=rhev-ipa,dc=usersys,dc=redhat,dc=com
2016-04-01 23:48:05 INFO AAA_AUTHZ_PRINCIPAL_ID: e9193bfe-848a-11e4-9aa0-001a4a0ab071
2016-04-01 23:48:05 INFO AAA_AUTHZ_PRINCIPAL_NAME: admin
2016-04-01 23:48:05 INFO --- Begin GroupRecord ---
2016-04-01 23:48:05 INFO AAA_AUTHZ_GROUP_DISPLAY_NAME: Account administrators group
2016-04-01 23:48:05 INFO AAA_AUTHZ_GROUP_ID: e922a2b6-848a-11e4-98df-001a4a0ab071
2016-04-01 23:48:05 INFO AAA_AUTHZ_GROUP_NAMESPACE: dc=rhev-ipa,dc=usersys,dc=redhat,dc=com
2016-04-01 23:48:05 INFO AAA_LDAP_UNBOUNDID_DN: cn=admins,cn=groups,cn=accounts,dc=rhev-ipa,dc=usersys,dc=redhat,dc=com
2016-04-01 23:48:05 INFO AAA_AUTHZ_GROUP_NAME: admins
2016-04-01 23:48:05 INFO --- End GroupRecord ---
2016-04-01 23:48:05 INFO --- Begin GroupRecord ---
2016-04-01 23:48:05 INFO AAA_AUTHZ_GROUP_DISPLAY_NAME: Trusts administrators group
2016-04-01 23:48:05 INFO AAA_AUTHZ_GROUP_ID: b622afd6-848b-11e4-9fa4-001a4a0ab071
2016-04-01 23:48:05 INFO AAA_AUTHZ_GROUP_NAMESPACE: dc=rhev-ipa,dc=usersys,dc=redhat,dc=com
2016-04-01 23:48:05 INFO AAA_LDAP_UNBOUNDID_DN: cn=trust admins,cn=groups,cn=accounts,dc=rhev-ipa,dc=usersys,dc=redhat,dc=com
2016-04-01 23:48:05 INFO AAA_AUTHZ_GROUP_NAME: trust admins
2016-04-01 23:48:05 INFO --- End GroupRecord ---
2016-04-01 23:48:05 INFO --- End PrincipalRecord ---
Please make sure that user details are correct, and group membership meets expectations.
Search for PrincipalRecord and GroupRecord titles
Abort if output is incorrect
Select test sequence to execute (Done, Abort, Login, Search) [Abort]:
~~~

Version-Release number of selected component (if applicable):
3.6.3

How reproducible:
Always?

Steps to Reproduce:
1. Run ovirt-engine-extension-aaa-ldap-setup.
2. At the very last step choose "Login" to test the tool.
3. Provide an existing user and correct password.

Actual results:
What I showed above.

Expected results:
If it succeeded, it should print so to the screen.
Additional info: In another run, the Login command failed and gave me the following output:

~~~
2016-03-28 16:52:58 INFO ========================================================================
2016-03-28 16:52:58 INFO ============================== Execution ===============================
2016-03-28 16:52:58 INFO ========================================================================
2016-03-28 16:52:58 INFO Profile='rhev-ipa.usersys.redhat.com' authn='rhev-ipa.usersys.redhat.com-authn' authz='rhev-ipa.usersys.redhat.com-authz' mapping='null'
2016-03-28 16:52:58 INFO API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS user='rhevadminipa'
2016-03-28 16:52:58 INFO API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS result=CREDENTIALS_INVALID
2016-03-28 16:52:58 SEVERE Authn.Result code is: CREDENTIALS_INVALID
[ ERROR ] Sequence failed
~~~

So I believe my current output is successful, but there is no way to know that. Please add a message for dummy users like me to the tool.
Same for the search:

~~~
2016-04-02 00:17:59 INFO ========================================================================
2016-04-02 00:17:59 INFO ============================== Execution ===============================
2016-04-02 00:17:59 INFO ========================================================================
2016-04-02 00:17:59 INFO --- Begin QueryFilterRecord ---
2016-04-02 00:17:59 INFO AAA_AUTHZ_QUERY_FILTER_OPERATOR: 102
2016-04-02 00:17:59 INFO AAA_AUTHZ_QUERY_ENTITY: AAA_AUTHZ_QUERY_ENTITY_PRINCIPAL[1695cd36-4656-474f-b7bc-4466e12634e4]
2016-04-02 00:17:59 INFO --- Begin QueryFilterRecord ---
2016-04-02 00:17:59 INFO AAA_AUTHZ_QUERY_FILTER_OPERATOR: 0
2016-04-02 00:17:59 INFO AAA_AUTHZ_QUERY_FILTER_KEY: Extkey[name=AAA_AUTHZ_PRINCIPAL_NAME;type=class java.lang.String;uuid=AAA_AUTHZ_PRINCIPAL_NAME[a0df5bcc-6ead-40a2-8565-2f5cc8773bdd];]
2016-04-02 00:17:59 INFO AAA_AUTHZ_PRINCIPAL_NAME: admin
2016-04-02 00:17:59 INFO --- End QueryFilterRecord ---
2016-04-02 00:17:59 INFO --- End QueryFilterRecord ---
2016-04-02 00:17:59 INFO API: -->Authz.InvokeCommands.QUERY_OPEN namespace='dc=rhev-ipa,dc=usersys,dc=redhat,dc=com'
2016-04-02 00:17:59 INFO API: <--Authz.InvokeCommands.QUERY_OPEN
2016-04-02 00:17:59 INFO API: -->Authz.InvokeCommands.QUERY_EXECUTE
2016-04-02 00:17:59 INFO API: <--Authz.InvokeCommands.QUERY_EXECUTE count=1
2016-04-02 00:17:59 INFO --- Begin PrincipalRecord ---
2016-04-02 00:17:59 INFO AAA_AUTHZ_PRINCIPAL_PRINCIPAL: admin
2016-04-02 00:17:59 INFO AAA_AUTHZ_PRINCIPAL_LAST_NAME: Administrator
2016-04-02 00:17:59 INFO AAA_LDAP_UNBOUNDID_DN: uid=admin,cn=users,cn=accounts,dc=rhev-ipa,dc=usersys,dc=redhat,dc=com
2016-04-02 00:17:59 INFO AAA_AUTHZ_PRINCIPAL_NAMESPACE: dc=rhev-ipa,dc=usersys,dc=redhat,dc=com
2016-04-02 00:17:59 INFO AAA_AUTHZ_PRINCIPAL_ID: e9193bfe-848a-11e4-9aa0-001a4a0ab071
2016-04-02 00:17:59 INFO AAA_AUTHZ_PRINCIPAL_NAME: admin
2016-04-02 00:17:59 INFO --- End PrincipalRecord ---
2016-04-02 00:17:59 INFO API: -->Authz.InvokeCommands.QUERY_EXECUTE
2016-04-02 00:17:59 INFO API: <--Authz.InvokeCommands.QUERY_EXECUTE count=END
2016-04-02 00:17:59 INFO API: -->Authz.InvokeCommands.QUERY_CLOSE
2016-04-02 00:17:59 INFO API: <--Authz.InvokeCommands.QUERY_CLOSE
Please make sure that entity details are correct, and depending type of query that group membership meets expectations.
Search for PrincipalRecord and GroupRecord titles
Abort if output is incorrect
Select test sequence to execute (Done, Abort, Login, Search) [Abort]:
~~~
It is too late now. I am sorry. I can see now that it may be possible to tell from the output that it succeeded. Still, making the message clearer could make it more beneficial to the end user. Something like: "Login/Search for user XXX succeeded. Please check the output. Abort, if incorrect."
Hi, so here are the existing outputs:

1. If you make a mistake during the LDAP configuration phase, the error is shown to the user immediately; the error line starts with the [ ERROR ] string, for example:

~~~
[ ERROR ] Cannot authenticate using 'cn=xxx': {'info': '80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580', 'desc': 'Invalid credentials'}
~~~

2. If you try to test your configuration using the Login sequence and some error is raised, the following error line is displayed at the end of the output:

~~~
[ ERROR ] Sequence failed
~~~

and the user can find out more details about the error in the output, for example:

~~~
2016-04-05 17:36:09 SEVERE Unexpected comma or semicolon found at the end of the DN string.
~~~

3. If you try to test your configuration using the Login sequence and everything is OK, the following lines are displayed at the end of the output:

~~~
Please make sure that user details are correct, and group membership meets expectations.
Search for PrincipalRecord and GroupRecord titles
Abort if output is incorrect
~~~

So the important lines that the user needs to investigate are:

~~~
2016-04-05 17:48:05 INFO --- Begin PrincipalRecord ---
2016-04-05 17:48:05 INFO AAA_AUTHZ_PRINCIPAL_PRINCIPAL: jdoe.lab.eng.brq.redhat.com
2016-04-05 17:48:05 INFO AAA_AUTHZ_PRINCIPAL_LAST_NAME: Doe
2016-04-05 17:48:05 INFO AAA_LDAP_UNBOUNDID_DN: CN=jdoe,CN=Users,DC=ad-w2k12r2,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com
2016-04-05 17:48:05 INFO AAA_AUTHZ_PRINCIPAL_NAMESPACE: DC=ad-w2k12r2,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com
2016-04-05 17:48:05 INFO AAA_AUTHZ_PRINCIPAL_ID: U6bgs8k2PUOIeElc3YEJqw==
2016-04-05 17:48:05 INFO AAA_AUTHZ_PRINCIPAL_DISPLAY_NAME: John Doe
2016-04-05 17:48:05 INFO AAA_AUTHZ_PRINCIPAL_NAME: jdoe
2016-04-05 17:48:05 INFO AAA_AUTHZ_PRINCIPAL_FIRST_NAME: John
2016-04-05 17:48:05 INFO --- Begin GroupRecord ---
2016-04-05 17:48:05 INFO AAA_AUTHZ_GROUP_ID: ATzN0KJU7kmcIKiuqfpR6g==
2016-04-05 17:48:05 INFO AAA_AUTHZ_GROUP_NAMESPACE: DC=ad-w2k12r2p,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com
2016-04-05 17:48:05 INFO AAA_LDAP_UNBOUNDID_DN: CN=jdoe-group-2,CN=Users,DC=ad-w2k12r2p,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com
2016-04-05 17:48:05 INFO AAA_AUTHZ_GROUP_NAME: jdoe-group-2
2016-04-05 17:48:05 INFO --- End GroupRecord ---
2016-04-05 17:48:05 INFO --- Begin GroupRecord ---
2016-04-05 17:48:05 INFO AAA_AUTHZ_GROUP_ID: g5rAkbKXtE6JQ2g9TL5ZcA==
2016-04-05 17:48:05 INFO AAA_AUTHZ_GROUP_NAMESPACE: DC=ad-w2k12r2,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com
2016-04-05 17:48:05 INFO AAA_LDAP_UNBOUNDID_DN: CN=jdoe-group-1,CN=Users,DC=ad-w2k12r2,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com
2016-04-05 17:48:05 INFO AAA_AUTHZ_GROUP_NAME: jdoe-group-1
2016-04-05 17:48:05 INFO --- End GroupRecord ---
2016-04-05 17:48:05 INFO --- End PrincipalRecord ---
~~~

But even if no error was raised during the Login phase, you need to manually check the output, as there may be some logical error (for example, that the groups the user is a member of are not returned).

4. If you try to test your configuration using the Search sequence and some error is raised, the following error line is displayed at the end of the output:

~~~
[ ERROR ] Sequence failed
~~~

and the user can find out more details about the error in the output.

5. If you try to test your configuration using the Search sequence and everything is OK, the following lines are displayed at the end of the output:

~~~
Please make sure that entity details are correct, and depending type of query that group membership meets expectations.
Search for PrincipalRecord and GroupRecord titles
Abort if output is incorrect
~~~

The important lines that the user needs to investigate are the same as in step 3. But even if no error was raised during the Login phase, you need to manually check the output, as there may be some logical error (for example, that the groups the user is a member of are not returned).

Unfortunately the whole LDAP configuration can be so complex and can include so many differences among customer setups that IMO we cannot simplify it even more.

But feel free to suggest some improvements we can make to the setup tool.
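The five cases above amount to a checklist an operator applies by hand. As an added example (not part of this bug or of the project's code), here is a small Python checker that applies it to a saved transcript of ovirt-engine-extensions-tool: it flags the [ ERROR ] and SEVERE lines, pulls the names out of the PrincipalRecord/GroupRecord blocks, and compares the resolved groups against a list the operator expects, which is the "logical error" that no status line can catch. The two transcripts are constructed, abbreviated from the output quoted in this bug.

```python
import re
from dataclasses import dataclass, field
# Constructed, abbreviated transcripts in the shape ovirt-engine-extensions-tool prints.
SAMPLE_OK = """\
2016-04-01 23:48:05 INFO API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS result=SUCCESS
2016-04-01 23:48:05 INFO --- Begin PrincipalRecord ---
2016-04-01 23:48:05 INFO AAA_AUTHZ_PRINCIPAL_NAME: admin
2016-04-01 23:48:05 INFO --- Begin GroupRecord ---
2016-04-01 23:48:05 INFO AAA_AUTHZ_GROUP_NAME: admins
2016-04-01 23:48:05 INFO --- End GroupRecord ---
2016-04-01 23:48:05 INFO --- Begin GroupRecord ---
2016-04-01 23:48:05 INFO AAA_AUTHZ_GROUP_NAME: trust admins
2016-04-01 23:48:05 INFO --- End GroupRecord ---
2016-04-01 23:48:05 INFO --- End PrincipalRecord ---
"""
SAMPLE_FAIL = """\
2016-03-28 16:52:58 SEVERE Authn.Result code is: CREDENTIALS_INVALID
[ ERROR ] Sequence failed
"""
# "<date> <time> <LEVEL> <message>"; the "[ ERROR ]" marker line carries no timestamp
LOG_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (\w+) (.*)$")
@dataclass
class Outcome:
    ok: bool = True
    errors: list = field(default_factory=list)      # SEVERE and [ ERROR ] lines
    principals: list = field(default_factory=list)  # (principal name, [group names])
    missing: set = field(default_factory=set)       # expected groups not resolved

def check_sequence(output: str, expected_groups=()) -> Outcome:
    out, cur = Outcome(), None
    for raw in output.splitlines():
        m = LOG_RE.match(raw)
        level, msg = m.groups() if m else ("", raw)
        if raw.startswith("[ ERROR ]") or level == "SEVERE":
            out.ok = False
            out.errors.append(msg)
        elif msg == "--- Begin PrincipalRecord ---":
            cur = [None, []]                        # name, groups being collected
        elif msg == "--- End PrincipalRecord ---" and cur is not None:
            out.principals.append((cur[0], cur[1]))
            cur = None
        elif cur is not None and msg.startswith("AAA_AUTHZ_PRINCIPAL_NAME: "):
            cur[0] = msg.split(": ", 1)[1]
        elif cur is not None and msg.startswith("AAA_AUTHZ_GROUP_NAME: "):
            cur[1].append(msg.split(": ", 1)[1])
    # No error does not mean group resolution is right: compare with what you expect.
    resolved = {g for _, groups in out.principals for g in groups}
    out.missing = set(expected_groups) - resolved
    out.ok = out.ok and not out.missing
    return out
```

Run it over the transcript the setup tool writes under /tmp and treat a non-empty `missing` set the same way you would treat "[ ERROR ] Sequence failed": abort and fix the profile before choosing Done.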
Hi Martin,

Thank you for the detailed explanation. It would definitely be beneficial for us in further troubleshooting. However, I think you did not understand my point when opening this bug.

I am saying, based on my experience working with multiple customers, that the success message should be more obvious, to identify a successful Login/Search command on behalf of the tool. I suggest the following message:

"Login/Search for user XXX succeeded. Please confirm the output. Abort, if incorrect."

or:

"[SUCCESS] please confirm the output for additional details. Abort if incorrect."

However, I must tell you, most users would not go and check it unless something went wrong. (That's why I also don't really like the fact that the logs are going to /tmp, but this is another story.)
(In reply to Marina from comment #4)
> Hi Martin,
>
> Thank you for the detailed explanation. It would be definitely beneficial
> for us in further troubleshooting.
> However, I think, you did not understand my point when opening this bug.
>
> I am saying, based on my experience working with multiple customers, the
> success message should be more obvious to identify a successful Login/Search
> command on behalf of the tool. I suggest the following message:
>
> "Login/Search for user XXX succeeded.
> Please confirm the output. Abort, if incorrect."

OK, we will try to change the result messages of both sequences to be more user friendly, but as I said before, even if there's no error in the sequence execution, the user should investigate the results, because for example:

1. For the Login sequence the user could be authenticated successfully, but group resolution may not be correct (there is no way to detect this automatically).
2. For the Search sequence we could find a different user or group, or not find anything at all (and we don't know if the user made an error during input, or whether his LDAP setup is so different from the defaults that he cannot use the tool and needs to manually customize the profile properties files).

> or:
> "[SUCCESS] please confirm the output for additional details. Abort if
> incorrect."
>
> However, I must tell you, most of the user would not go and check it unless
> something would go wrong. (that's why I also don't really like the fact that
> the logs are going to /tmp, but this is another story.)

The reason why everything goes to /tmp is simple: until you specify Done, no configuration is saved to /etc/ovirt-engine; everything is in memory only. On the other hand, the user can specify Done -> the new LDAP profile configuration is saved, but it's not loaded by the engine until the engine service is restarted. So he can continue testing the generated configuration using ovirt-engine-extensions-tool (that's exactly what the setup tool executes for the Login/Search tests) and making manual changes to the profile configuration until everything works as expected.

For now targeting 4.0; once we agree on the exact changes that need to be done, we can retarget to 3.6.z.
So here are my suggestions on how to make the output more understandable:

I. Login sequence

a. If the login sequence was executed without errors, the following lines will be displayed at the end of the tool output:

~~~
[ INFO ] Sequence executed successfully
Please make sure that user details are correct and group membership meets expectations (search for PrincipalRecord and GroupRecord titles).
Abort if output is incorrect.
Select test sequence to execute (Done, Abort, Login, Search) [Abort]:
~~~

b. If errors were raised during the login sequence, the following lines will be displayed at the end of the tool output:

~~~
[ ERROR ] Sequence failed
Please investigate details of the failure (search for lines containing SEVERE log level).
Select test sequence to execute (Done, Abort, Login, Search) [Abort]:
~~~

II. Search sequence

a. If the search sequence was executed without errors, the following lines will be displayed at the end of the tool output:

~~~
[ INFO ] Sequence executed successfully
Please make sure that entity details are correct and, depending on the type of the query, that group membership meets expectations (search for PrincipalRecord and GroupRecord titles).
Abort if output is incorrect.
Select test sequence to execute (Done, Abort, Login, Search) [Abort]:
~~~

b. If errors were raised during the search sequence, the following lines will be displayed at the end of the tool output:

~~~
[ ERROR ] Sequence failed
Please investigate details of the failure (search for lines containing SEVERE log level).
Select test sequence to execute (Done, Abort, Login, Search) [Abort]:
~~~

Marina, is this output understandable enough?
This is beautiful! Thank you.
Fix will be included in ovirt-engine-extension-aaa-ldap-1.2.0-0.2.el7ev
Verified with: ovirt-engine-extension-aaa-ldap-setup-1.2.0-1.el7.noarch

ON SUCCESS:

~~~
[ INFO ] Login sequence executed successfully
Please make sure that user details are correct and group membership meets expectations (search for PrincipalRecord and GroupRecord titles).
Abort if output is incorrect.
~~~

ON FAILURE:

~~~
[ ERROR ] Login sequence failed
Please investigate details of the failure (search for lines containing SEVERE log level).
~~~
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-1749.html