Created attachment 1300961 [details]
logs and authentication configs

Description of problem:
I am unable to configure ovirt-provider-ovn to work with the default ovirt-engine-extension-aaa-ldap-setup wizard configuration for Active Directory.

Version-Release number of selected component (if applicable):
oVirt Engine Version: 4.2.0-0.0.master.20170716152706.gitf7bf90f.el7.centos

How reproducible:
100%

Steps to Reproduce:
1. Run ovirt-engine-extension-aaa-ldap-setup.
2. Choose 'Active Directory' for LDAP implementation.
3. Input the AD FQDN server address.
4. Input the user DN in the search user DN question.
5. Choose the "Login" action to test the connection and make sure it passes successfully.
6. Configure the relevant settings in the ovirt-provider-ovn.conf configuration:

[AUTH]
auth-plugin=auth.plugins.ovirt:AuthorizationByGroup

[OVIRT]
ovirt-admin-role-id=def00005-0000-0000-0000-def000000005
ovirt-admin-group-attribute-name=AAA_AUTHZ_GROUP_NAME;java.lang.String;0eebe54f-b429-44f3-aa80-4704cbb16835
ovirt-admin-group-attribute-value=<AD group name>

Actual results:
ovirt-provider-ovn throws a 'Forbidden' exception in the log:

2017-07-18 14:54:03,178 Starting new HTTPS connection (1): network-ge-2.scl.lab.tlv.redhat.com
2017-07-18 14:54:03,732 "POST /ovirt-engine/sso/oauth/token HTTP/1.1" 200 236
2017-07-18 14:54:03,736 Response code: 200
2017-07-18 14:54:03,736 Response body: {"access": {"token": {"id": "btoka97bF1H5FfA_W7jI6Ha1Fh02IDB0h7f_6bAgzl4N1jsIiCoKGR2wntC4ZcXUNnCy8sfdWi2pRDfg16kA6w"}, "serviceCatalog": [{"endpoints_links": [], "endpoints": [{"adminURL": "http://localhost:9696/v2.0/networks", "region": "RegionOne", "id": "00000000000000000000000000000001", "internalURL": "http://localhost:9696/v2.0/networks", "publicURL": "http://localhost:9696/v2.0/networks"}], "type": "network", "name": "neutron"}, {"endpoints_links": [], "endpoints": [{"adminURL": "http://localhost:35357/v2.0/tokens", "region": "RegionOne", "publicURL": "http://localhost:35357/v2.0/tokens", "internalURL": "http://localhost:35357/v2.0/tokens", "id": "00000000000000000000000000000002"}], "type": "identity", "name": "keystone"}]}}
2017-07-18 14:54:03,799 Request: GET : /v2.0/
2017-07-18 14:54:03,802 Starting new HTTPS connection (1): network-ge-2.scl.lab.tlv.redhat.com
2017-07-18 14:54:03,851 "POST /ovirt-engine/sso/oauth/token-info HTTP/1.1" 200 386
2017-07-18 14:54:03,854 token_info: {u'user_id': u'ovn_admin.lab.eng.brq.redhat.com@ovn-auth-test', u'client_id': None, u'token_type': u'bearer', u'exp': u'9223372036854775807', u'active': True, u'scope': u'ovirt-app-api ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access', u'ovirt': [u'java.util.HashMap', {u'first_name': u'ovn_admin', u'last_name': None, u'version': u'0', u'namespace': u'DC=ad-w2k12r2,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com', u'principal_id': u'+xDgGJUUGkOx3cnyfgg3OA==', u'group_ids': [u'java.util.ArrayList', []], u'capability_credentials_change': False, u'email': None}]}
2017-07-18 14:54:03,854 Traceback (most recent call last):
  File "/usr/share/ovirt-provider-ovn/handlers/base_handler.py", line 108, in _handle_request
    method, key, id, content)
  File "/usr/share/ovirt-provider-ovn/handlers/selecting_handler.py", line 53, in handle_request
    self._get_response_handler(method, key), content, id
  File "/usr/share/ovirt-provider-ovn/handlers/neutron.py", line 40, in call_response_handler
    raise Forbidden()
Forbidden

Expected results:
Should work as expected.
Authentication via username/password works. Authentication via group membership still needs to be understood.
I found authentication via group to be working correctly. The username format was wrong. For Active Directory we need to use the following username format:

<admin_username>@<ad_domain>@<auth_profile>

when saving the settings in the provider window. I used the following ovirt-provider-ovn.conf settings:

[AUTH]
auth-plugin=auth.plugins.ovirt:AuthorizationByGroup

[OVIRT]
ovirt-admin-role-id=def00005-0000-0000-0000-def000000005
ovirt-admin-group-attribute-name=AAA_AUTHZ_GROUP_NAME;java.lang.String;0eebe54f-b429-44f3-aa80-4704cbb16835
ovirt-admin-group-attribute-value=ovn_admins

This scenario needs to be documented. I think that it is better to add an additional setting for the authentication profile in the conf file, so that the username <user>@<domain> will be accepted.
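To make the failure in the original report and the fix in the comment above concrete, here is an added Python example (not ovirt-provider-ovn's own code) that reads the [AUTH]/[OVIRT] settings posted in this bug, splits a user name into the <user>@<ad_domain>@<profile> parts, unwraps the Java-serialised token-info body seen in the log, and decides admin access by group name. The real AuthorizationByGroup plugin is assumed to resolve the caller's groups through the engine; that lookup is replaced here by a constructed GROUPS_BY_ID table, and the helper names (parse_principal, load_policy, is_admin, diagnose_forbidden, with_groups) and the sample token bodies are this example's own, reduced from the log above.

```python
"""Added example modelled on the ovirt-provider-ovn settings in this bug.
Not the provider's own implementation: the engine-side group lookup that
AuthorizationByGroup is assumed to perform is replaced by a constructed table."""
import configparser
from typing import Dict, List, NamedTuple, Optional

# Constructed conf fragment, copied from the working settings posted above.
PROVIDER_CONF = """\
[AUTH]
auth-plugin=auth.plugins.ovirt:AuthorizationByGroup

[OVIRT]
ovirt-admin-role-id=def00005-0000-0000-0000-def000000005
ovirt-admin-group-attribute-name=AAA_AUTHZ_GROUP_NAME;java.lang.String;0eebe54f-b429-44f3-aa80-4704cbb16835
ovirt-admin-group-attribute-value=ovn_admins
"""

# Constructed token-info body, reduced from the one in the bug log: SSO
# authenticated the user (active=True) but the engine resolved no groups.
TOKEN_INFO_NO_GROUPS = {
    "user_id": "ovn_admin.lab.eng.brq.redhat.com@ovn-auth-test",
    "active": True,
    "ovirt": ["java.util.HashMap", {
        "first_name": "ovn_admin",
        "namespace": "DC=ad-w2k12r2,DC=rhev,DC=lab,DC=eng,DC=brq,DC=redhat,DC=com",
        "principal_id": "+xDgGJUUGkOx3cnyfgg3OA==",
        "group_ids": ["java.util.ArrayList", []],
    }],
}

# Hypothetical group-id to group-name table standing in for the engine lookup.
GROUPS_BY_ID = {"g-ovn-admins": "ovn_admins", "g-everyone": "Domain Users"}


class Principal(NamedTuple):
    user: str
    domain: Optional[str]   # AD domain part; absent in the failing form
    profile: Optional[str]  # aaa-ldap authentication profile name


def parse_principal(username: str) -> Principal:
    """Split '<user>@<ad_domain>@<profile>' from the right.

    The profile is always the last '@' component. For Active Directory the
    user name itself carries an '@' once the domain is included, so a single
    '@' means the domain was left out (the mistake in this bug).
    """
    head, sep, profile = username.rpartition("@")
    if not sep:
        return Principal(username, None, None)
    user, sep, domain = head.rpartition("@")
    if not sep:
        return Principal(head, None, profile)
    return Principal(user, domain, profile)


class AdminGroupPolicy(NamedTuple):
    attribute_name: str  # kept opaque here; the engine interprets it
    group_name: str


def load_policy(conf_text: str) -> AdminGroupPolicy:
    """Read the [OVIRT] group settings. The ';' inside the attribute name is
    an ordinary value character for configparser, not an inline comment."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    if cp["AUTH"]["auth-plugin"] != "auth.plugins.ovirt:AuthorizationByGroup":
        raise ValueError("not configured for AuthorizationByGroup")
    return AdminGroupPolicy(cp["OVIRT"]["ovirt-admin-group-attribute-name"],
                            cp["OVIRT"]["ovirt-admin-group-attribute-value"])


def token_group_ids(token_info: dict) -> List[str]:
    """Unwrap the ['java.util.HashMap', {...}] / ['java.util.ArrayList', [...]] pairs."""
    ovirt_block = token_info.get("ovirt", [None, {}])[1]
    return list(ovirt_block.get("group_ids", [None, []])[1])


def is_admin(token_info: dict, groups_by_id: Dict[str, str],
             policy: AdminGroupPolicy) -> bool:
    """Admin iff the token is active and one of its groups carries the configured name."""
    if not token_info.get("active"):
        return False
    return any(groups_by_id.get(gid) == policy.group_name
               for gid in token_group_ids(token_info))


def diagnose_forbidden(username: str, token_info: dict) -> str:
    """Turn a 'Forbidden' into the hint this bug's resolution gives."""
    if token_group_ids(token_info):
        return "groups resolved; check ovirt-admin-group-attribute-value"
    if parse_principal(username).domain is None:
        return "no groups and no AD domain in user name: use <user>@<ad_domain>@<profile>"
    return "no groups: verify AD membership of the admin group"


def with_groups(token_info: dict, group_ids: List[str]) -> dict:
    """Constructed helper: copy of token_info carrying the given group ids."""
    block = dict(token_info["ovirt"][1], group_ids=["java.util.ArrayList", list(group_ids)])
    return dict(token_info, ovirt=["java.util.HashMap", block])


if __name__ == "__main__":
    policy = load_policy(PROVIDER_CONF)
    print(is_admin(TOKEN_INFO_NO_GROUPS, GROUPS_BY_ID, policy))  # False
    print(diagnose_forbidden(TOKEN_INFO_NO_GROUPS["user_id"], TOKEN_INFO_NO_GROUPS))
    print(is_admin(with_groups(TOKEN_INFO_NO_GROUPS, ["g-ovn-admins"]), GROUPS_BY_ID, policy))  # True
```

The point the check makes explicit: a 200 from /sso/oauth/token only proves the password was accepted; the provider's decision depends on the group list the engine attaches to token-info, and with a user name that omits the AD domain that list comes back empty, which is exactly the Forbidden in the log above.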
Patch is not merged yet.
Verified on: ovirt-provider-ovn-1.1-2.20170901074127.gitaaaa5fa.el7.centos.noarch
This bugzilla is included in oVirt 4.2.0 release, published on Dec 20th 2017. Since the problem described in this bug report should be resolved in oVirt 4.2.0 release, published on Dec 20th 2017, it has been closed with a resolution of CURRENT RELEASE. If the solution does not work for you, please open a new bug report.