Bug 1472747 - Error while trying to authenticate ovirt-provider-ovn against Active Directory
Error while trying to authenticate ovirt-provider-ovn against Active Directory
Product: ovirt-provider-ovn
Classification: oVirt
Component: provider (Show other bugs)
Unspecified Unspecified
medium Severity medium
: ovirt-4.2.0
: ---
Assigned To: Dominik Holler
Depends On:
Blocks: 1539551 1445172
  Show dependency treegraph
Reported: 2017-07-19 06:39 EDT by Mor
Modified: 2018-01-29 02:59 EST (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
You can authenticate ovirt-provider-ovn against Active Directory. To authenticate via user/password set ovirt-admin-user-name=<admin_username> in /etc/ovirt-provider-ovn/conf.d and and use <admin_username>@<ad_domain>@<auth_profile> when defining the external provider in the Manager. To authenticate with an active directory group, set the following in /etc/ovirt-provider-ovn/conf.d: [AUTH] auth-plugin=auth.plugins.ovirt:AuthorizationByGroup [OVIRT] ovirt-admin-role-id=def00005-0000-0000-0000-def000000005 ovirt-admin-group-attribute-name=AAA_AUTHZ_GROUP_NAME;java.lang.String;0eebe54f-b429-44f3-aa80-4704cbb16835 and use <admin_username>@<ad_domain>@<auth_profile> when defining the external provider in the Manager.
Story Points: ---
Clone Of:
Last Closed: 2017-12-20 06:44:45 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: Network
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
rule-engine: ovirt‑4.2+

Attachments (Terms of Use)
logs and authentication configs (572.58 KB, application/x-gzip)
2017-07-19 06:39 EDT, Mor
no flags Details

External Trackers
Tracker ID Priority Status Summary Last Updated
oVirt gerrit 80086 master POST Improve README for Authentication LDAP/Active Directory 2017-08-29 07:02 EDT

  None (edit)
Description Mor 2017-07-19 06:39:20 EDT
Created attachment 1300961 [details]
logs and authentication configs

Description of problem:
I am unable to configure ovirt-provider-ovn to work with the default ovirt-engine-extension-aaa-ldap-setup wizard 
configuration for Active Directory.

Version-Release number of selected component (if applicable):
oVirt Engine Version: 4.2.0-0.0.master.20170716152706.gitf7bf90f.el7.centos

How reproducible:

Steps to Reproduce:
1. Run ovirt-engine-extension-aaa-ldap-setup.
2. Choose 'Active Directory' for LDAP implementation.
3. Input the AD FQDN server address.
4. Input the user DN in the search user DN question.
5. Choose "Login" action to test the connection and make sure it passes successfully.
6. Configure the relevant settings on ovirt-provider-ovn.conf configuration:

ovirt-admin-group-attribute-value=<AD group name>

Actual results:
ovirt-provider-ovn throws a 'Forbidden' exception in the log:
2017-07-18 14:54:03,178   Starting new HTTPS connection (1): network-ge-2.scl.lab.tlv.redhat.com
2017-07-18 14:54:03,732   "POST /ovirt-engine/sso/oauth/token HTTP/1.1" 200 236
2017-07-18 14:54:03,736   Response code: 200
2017-07-18 14:54:03,736   Response body: {"access": {"token": {"id": "btoka97bF1H5FfA_W7jI6Ha1Fh02IDB0h7f_6bAgzl4N1jsIiCoKGR2wntC4ZcXUNnCy8sfdWi2pRDfg16kA6w"}, "serviceCatalog": [{"endpoints_links": [], "endpoin
ts": [{"adminURL": "http://localhost:9696/v2.0/networks", "region": "RegionOne", "id": "00000000000000000000000000000001", "internalURL": "http://localhost:9696/v2.0/networks", "publicURL": "http://localhost:969
6/v2.0/networks"}], "type": "network", "name": "neutron"}, {"endpoints_links": [], "endpoints": [{"adminURL": "http://localhost:35357/v2.0/tokens", "region": "RegionOne", "publicURL": "http://localhost:35357/v2.
0/tokens", "internalURL": "http://localhost:35357/v2.0/tokens", "id": "00000000000000000000000000000002"}], "type": "identity", "name": "keystone"}]}}
2017-07-18 14:54:03,799   Request: GET : /v2.0/
2017-07-18 14:54:03,802   Starting new HTTPS connection (1): network-ge-2.scl.lab.tlv.redhat.com
2017-07-18 14:54:03,851   "POST /ovirt-engine/sso/oauth/token-info HTTP/1.1" 200 386
2017-07-18 14:54:03,854   token_info: {u'user_id': u'ovn_admin@ad-w2k12r2.rhev.lab.eng.brq.redhat.com@ovn-auth-test', u'client_id': None, u'token_type': u'bearer', u'exp': u'9223372036854775807', u'active': True
, u'scope': u'ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access', u'ovirt': [u'java.util.HashMap', {u'first_na
me': u'ovn_admin', u'last_name': None, u'version': u'0', u'namespace': u'DC=ad-w2k12r2,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com', u'principal_id': u'+xDgGJUUGkOx3cnyfgg3OA==', u'group_ids': [u'java.util.Arr
ayList', []], u'capability_credentials_change': False, u'email': None}]}
2017-07-18 14:54:03,854   
Traceback (most recent call last):
  File "/usr/share/ovirt-provider-ovn/handlers/base_handler.py", line 108, in _handle_request
    method, key, id, content)
  File "/usr/share/ovirt-provider-ovn/handlers/selecting_handler.py", line 53, in handle_request
    self._get_response_handler(method, key), content, id
  File "/usr/share/ovirt-provider-ovn/handlers/neutron.py", line 40, in call_response_handler
    raise Forbidden()

Expected results:
Should work as exepcted.
Comment 1 Dan Kenigsberg 2017-07-27 05:11:54 EDT
authentication via username/password works.

authentication via group membership still needs to be understood.
Comment 2 Mor 2017-07-30 06:20:10 EDT
I found authentication via group to be working correctly.

The username format was wrong. For Active Directory we need to use the following username format: <admin_username>@<ad_domain>@<auth_profile> when saving the settings in the provider window.

I used the following ovirt-provider-ovn.conf settings:



This scenario needs to be documented. I think that it is better to add additional setting for authentication profile in the conf file, so username <user>@<domain> will be accepted.
Comment 3 Mor 2017-08-17 09:23:09 EDT
Patch is not merged it.
Comment 4 Mor 2017-08-17 09:23:29 EDT
Patch is not merged yet
Comment 5 Mor 2017-09-05 06:16:09 EDT
Verified on:
Comment 6 Sandro Bonazzola 2017-12-20 06:44:45 EST
This bugzilla is included in oVirt 4.2.0 release, published on Dec 20th 2017.

Since the problem described in this bug report should be
resolved in oVirt 4.2.0 release, published on Dec 20th 2017, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.

Note You need to log in before you can comment on or make changes to this bug.