[ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
Hello,

I upgraded to ovirt 3.5.0 and can no longer authenticate to IPA. Starting up ovirt-engine, the extension manager fails to properly load the service that handles Kerberos/LDAP.

engine.log:
...
2014-11-10 11:29:25,106 INFO [org.ovirt.engine.core.dal.job.ExecutionMessageDirector] (MSC service thread 1-10) Start initializing ExecutionMessageDirector
2014-11-10 11:29:25,108 INFO [org.ovirt.engine.core.dal.job.ExecutionMessageDirector] (MSC service thread 1-10) Finished initializing ExecutionMessageDirector
2014-11-10 11:29:25,145 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Loading extension 'builtin-authn-internal'
2014-11-10 11:29:25,146 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Extension 'builtin-authn-internal' loaded
2014-11-10 11:29:25,148 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Loading extension 'internal'
2014-11-10 11:29:25,150 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Extension 'internal' loaded
2014-11-10 11:29:25,154 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Loading extension 'builtin-authn-EXAMPLE.ORG'
2014-11-10 11:29:25,215 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Extension 'builtin-authn-EXAMPLE.ORG' loaded
2014-11-10 11:29:25,218 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Loading extension 'EXAMPLE.ORG'
2014-11-10 11:29:25,264 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Extension 'EXAMPLE.ORG' loaded
2014-11-10 11:29:25,265 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Initializing extension 'EXAMPLE.ORG'
2014-11-10 11:29:25,265 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Extension 'EXAMPLE.ORG' initialized
2014-11-10 11:29:25,266 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Initializing extension 'builtin-authn-internal'
2014-11-10 11:29:25,266 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Extension 'builtin-authn-internal' initialized
2014-11-10 11:29:25,267 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Initializing extension 'builtin-authn-EXAMPLE.ORG'
2014-11-10 11:29:25,267 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Extension 'builtin-authn-EXAMPLE.ORG' initialized
2014-11-10 11:29:25,268 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Initializing extension 'internal'
2014-11-10 11:29:25,268 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Extension 'internal' initialized
2014-11-10 11:29:25,268 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Start of enabled extensions list
2014-11-10 11:29:25,269 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Instance name: 'EXAMPLE.ORG', Extension name: 'Kerberos/Ldap Authz (Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: 'N/A', Initialized: 'true'
2014-11-10 11:29:25,270 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Instance name: 'builtin-authn-internal', Extension name: 'Internal Authn (Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: 'N/A', Initialized: 'true'
2014-11-10 11:29:25,270 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Instance name: 'builtin-authn-EXAMPLE.ORG', Extension name: 'Kerberos/Ldap Authn (Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: 'N/A', Initialized: 'true'
2014-11-10 11:29:25,271 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) Instance name: 'internal', Extension name: 'Internal Authz (Built-in)', Version: 'N/A', Notes: '', License: 'ASL 2.0', Home: 'http://www.ovirt.org', Author 'The oVirt Project', Build interface Version: '0', File: 'N/A', Initialized: 'true'
2014-11-10 11:29:25,272 INFO [org.ovirt.engine.core.extensions.mgr.ExtensionsManager] (MSC service thread 1-10) End of enabled extensions list
2014-11-10 11:29:25,404 INFO [org.ovirt.engine.core.bll.aaa.DbUserCacheManager] (MSC service thread 1-10) Start initializing DbUserCacheManager
2014-11-10 11:29:25,405 INFO [org.ovirt.engine.core.bll.aaa.DbUserCacheManager] (MSC service thread 1-10) Finished initializing DbUserCacheManager
2014-11-10 11:29:25,41
[ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
Hi, just tried it too. I was not successfull to reproduce, but the problem is that the domain part of LDAPSecurityAuthentication is uppercase as Cameron wrote. In 3.4 it is OK when it's upper case - everything works OK, but in 3.5 it's not. I checked differences and something like this would be enough, Yair? diff --git a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/extensionsmgr/EngineExtensionsManager.java b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/extensionsmgr/EngineExte index f5ab28d..ccaf04a 100644 --- a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/extensionsmgr/EngineExtensionsManager.java +++ b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/extensionsmgr/EngineExtensionsManager.java @@ -240,7 +240,7 @@ public class EngineExtensionsManager extends ExtensionsManager { ) ); } -if (nameValue[0].equals(domain)) { +if (nameValue[0].equalsIgnoreCase(domain)) { result = nameValue[1]; break; } Ondra - Original Message - > From: "Alon Bar-Lev" > To: "Cameron Christensen" , "Yair > Zaslavsky" > Cc: users at ovirt.org > Sent: Monday, November 17, 2014 11:48:15 PM > Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA > > > > - Original Message - > > From: "Cameron Christensen" > > To: "Alon Bar-Lev" > > Cc: users at ovirt.org > > Sent: Monday, November 17, 2014 11:43:34 PM > > Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to > > IPA > > > > > > > > On Mon, 2014-11-17 at 14:39 -0500, Alon Bar-Lev wrote: > > > > > > ----- Original Message - 
> > > > From: "Cameron Christensen" > > > > To: users at ovirt.org > > > > Sent: Friday, November 14, 2014 5:39:54 PM > > > > Subject: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to > > > > IPA > > > > > > > > Hello, > > > > > > > > I upgraded to ovirt 3.5.0 and can no longer authenticate to IPA. > > > > Starting up ovrit-engine the extension manager fails to properly load > > > > the service that handles Kerberos/LDAP. > > > > > > This is probably a bug, can you please execute the following and paste > > > result: > > > > > > # PGPASSWORD="@PASSWORD@" psql -U engine -d engine -c "select * from > > > vdc_options where option_name='LDAPSecurityAuthentication'" > > > > > > > option_id |option_name | option_value| version > > ---++---+- > >165 | LDAPSecurityAuthentication | example.org:GSSAPI | general > > > > I replaced my domain name with 'example.org' > > > > I thought it will be empty... and it contains valid value. Yair? No, this is fine actually. > > Any I truly suggest you try out the new provider... Much easier to resolve > any issue, current and future, including easier to debug. > > Alon > ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
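Review bot: with equalsIgnoreCase at the changed comparison, the break that follows "result = nameValue[1];" means the first entry whose name matches in any case wins, so a stored value that lists both spellings of a domain (such as 'EXAMPLE.ORG:GSSAPI,example.org:GSSAPI', the workaround used in this thread) has its second entry silently ignored. That is harmless while both entries carry the same mechanism, but the first-match rule deserves a comment at the comparison, or the domain key should be normalised to one case when the option is written so duplicates cannot arise. A test asserting that EXAMPLE.ORG resolves against 'example.org:GSSAPI' would also pin the 3.4 behaviour described in the message.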
Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
Hello, are you using the new AAA (Authentication, Authorization and Accounting) structure of oVirt 3.5?
Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
----- Original Message -----
> From: "Cameron Christensen"
> To: users@ovirt.org
> Sent: Friday, November 14, 2014 5:39:54 PM
> Subject: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
>
> Hello,
>
> I upgraded to ovirt 3.5.0 and can no longer authenticate to IPA.
> Starting up ovirt-engine, the extension manager fails to properly load
> the service that handles Kerberos/LDAP.

This is probably a bug, can you please execute the following and paste result:

# PGPASSWORD="@PASSWORD@" psql -U engine -d engine -c "select * from vdc_options where option_name='LDAPSecurityAuthentication'"

Replace @PASSWORD@ and probably other parameters based on /etc/ovirt-engine/engine.conf.d/10-setup-database.conf

It is probably empty and we should file a bug.

If you are interested there is a new ldap provider in 3.5 available in snapshots repository (ovirt-engine-extension-aaa-ldap package), documentation is available here[1], this provider should be simpler and robust as it uses only ldap protocol and is fully customizable.

Regards,
Alon

[1] http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD
Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
On Mon, 2014-11-17 at 14:39 -0500, Alon Bar-Lev wrote:
>
> ----- Original Message -----
> > From: "Cameron Christensen"
> > To: users@ovirt.org
> > Sent: Friday, November 14, 2014 5:39:54 PM
> > Subject: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
> >
> > Hello,
> >
> > I upgraded to ovirt 3.5.0 and can no longer authenticate to IPA.
> > Starting up ovirt-engine, the extension manager fails to properly load
> > the service that handles Kerberos/LDAP.
>
> This is probably a bug, can you please execute the following and paste result:
>
> # PGPASSWORD="@PASSWORD@" psql -U engine -d engine -c "select * from
> vdc_options where option_name='LDAPSecurityAuthentication'"
>

 option_id |        option_name         |    option_value    | version
-----------+----------------------------+--------------------+---------
       165 | LDAPSecurityAuthentication | example.org:GSSAPI | general

I replaced my domain name with 'example.org'

Cameron
Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
----- Original Message -----
> From: "Cameron Christensen"
> To: "Alon Bar-Lev"
> Cc: users@ovirt.org
> Sent: Monday, November 17, 2014 11:43:34 PM
> Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
>
> On Mon, 2014-11-17 at 14:39 -0500, Alon Bar-Lev wrote:
> >
> > ----- Original Message -----
> > > From: "Cameron Christensen"
> > > To: users@ovirt.org
> > > Sent: Friday, November 14, 2014 5:39:54 PM
> > > Subject: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
> > >
> > > Hello,
> > >
> > > I upgraded to ovirt 3.5.0 and can no longer authenticate to IPA.
> > > Starting up ovirt-engine, the extension manager fails to properly load
> > > the service that handles Kerberos/LDAP.
> >
> > This is probably a bug, can you please execute the following and paste
> > result:
> >
> > # PGPASSWORD="@PASSWORD@" psql -U engine -d engine -c "select * from
> > vdc_options where option_name='LDAPSecurityAuthentication'"
> >
>
>  option_id |        option_name         |    option_value    | version
> -----------+----------------------------+--------------------+---------
>        165 | LDAPSecurityAuthentication | example.org:GSSAPI | general
>
> I replaced my domain name with 'example.org'
>

I thought it will be empty... and it contains valid value.
Yair?

Any I truly suggest you try out the new provider...
Much easier to resolve any issue, current and future, including easier to debug.

Alon
Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
On Mon, 2014-11-17 at 16:48 -0500, Alon Bar-Lev wrote:
>
> ----- Original Message -----
> > From: "Cameron Christensen"
> > To: "Alon Bar-Lev"
> > Cc: users@ovirt.org
> > Sent: Monday, November 17, 2014 11:43:34 PM
> > Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to
> > IPA
> >
> > On Mon, 2014-11-17 at 14:39 -0500, Alon Bar-Lev wrote:
> > >
> > > ----- Original Message -----
> > > > From: "Cameron Christensen"
> > > > To: users@ovirt.org
> > > > Sent: Friday, November 14, 2014 5:39:54 PM
> > > > Subject: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to
> > > > IPA
> > > >
> > > > Hello,
> > > >
> > > > I upgraded to ovirt 3.5.0 and can no longer authenticate to IPA.
> > > > Starting up ovirt-engine, the extension manager fails to properly load
> > > > the service that handles Kerberos/LDAP.
> > >
> > > This is probably a bug, can you please execute the following and paste
> > > result:
> > >
> > > # PGPASSWORD="@PASSWORD@" psql -U engine -d engine -c "select * from
> > > vdc_options where option_name='LDAPSecurityAuthentication'"
> > >
> >
> >  option_id |        option_name         |    option_value    | version
> > -----------+----------------------------+--------------------+---------
> >        165 | LDAPSecurityAuthentication | example.org:GSSAPI | general
> >
> > I replaced my domain name with 'example.org'
> >
>
> I thought it will be empty... and it contains valid value. Yair?
>

Looking through the vdc_options table I noticed that many of the LDAP* and Ad* settings use two different spellings for the Kerberos/LDAP domain. One in all upper case letters, EXAMPLE.ORG and one in all lower case, example.org. (I'm guessing this is to handle either spelling of the domain?)

I updated LDAPSecurityAuthentication and set the option_value to use both the upper case and lower case domain name, 'EXAMPLE.ORG:GSSAPI,example.org:GSSAPI'.

select * from vdc_options where option_name = 'LDAPSecurityAuthentication';

 option_id |        option_name         |             option_value              | version
-----------+----------------------------+---------------------------------------+---------
       165 | LDAPSecurityAuthentication | EXAMPLE.ORG:GSSAPI,example.org:GSSAPI | general

Using both domain names I am able to authenticate, authorize and pull account information from the IPA server once again.

Thanks for pointing me at the right location.

Cameron
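The lookup behaviour behind the workaround above, as an added example that is not part of the original message or of the oVirt source. It assumes the option value is a comma-separated list of domain:mechanism pairs, as the query output suggests, and that the engine looks the domain up under the upper-case spelling shown in engine.log; the class and method names and the OTHER mechanism value are hypothetical.

```java
// Added illustration, not oVirt code. Assumption: the option value is a
// comma-separated list of "domain:mechanism" pairs, as in the query output.
public class LdapSecurityAuthLookup {

    // Returns the mechanism configured for `domain`, or null when no entry
    // matches. ignoreCase=false compares with String.equals (case-sensitive);
    // ignoreCase=true compares with String.equalsIgnoreCase.
    static String lookup(String optionValue, String domain, boolean ignoreCase) {
        String result = null;
        for (String entry : optionValue.split(",")) {
            String[] nameValue = entry.trim().split(":", 2);
            if (nameValue.length != 2) {
                continue; // skip malformed entries instead of throwing
            }
            boolean match = ignoreCase
                    ? nameValue[0].equalsIgnoreCase(domain)
                    : nameValue[0].equals(domain);
            if (match) {
                result = nameValue[1];
                break; // first matching entry wins
            }
        }
        return result;
    }

    public static void main(String[] args) {
        // Spelling taken from the extension instance name in engine.log
        // (assumed here to be the key the engine looks up).
        String domain = "EXAMPLE.ORG";
        String[] values = {
            "example.org:GSSAPI",                    // value reported after the upgrade
            "EXAMPLE.ORG:GSSAPI,example.org:GSSAPI", // value after the workaround
            "example.org:OTHER,EXAMPLE.ORG:GSSAPI",  // constructed: entries disagree
        };
        for (String value : values) {
            System.out.printf("%-40s strict=%-7s ignoreCase=%s%n",
                    value,
                    lookup(value, domain, false),
                    lookup(value, domain, true));
        }
    }
}
```

The third, constructed value shows that once matching ignores case, entry order decides the result when two spellings of one domain carry different mechanisms.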
Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
----- Original Message -----
> From: "Alon Bar-Lev"
> To: "Cameron Christensen", "Yair Zaslavsky"
> Cc: users@ovirt.org
> Sent: Monday, November 17, 2014 11:48:15 PM
> Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
>
> ----- Original Message -----
> > From: "Cameron Christensen"
> > To: "Alon Bar-Lev"
> > Cc: users@ovirt.org
> > Sent: Monday, November 17, 2014 11:43:34 PM
> > Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to
> > IPA
> >
> > On Mon, 2014-11-17 at 14:39 -0500, Alon Bar-Lev wrote:
> > >
> > > ----- Original Message -----
> > > > From: "Cameron Christensen"
> > > > To: users@ovirt.org
> > > > Sent: Friday, November 14, 2014 5:39:54 PM
> > > > Subject: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to
> > > > IPA
> > > >
> > > > Hello,
> > > >
> > > > I upgraded to ovirt 3.5.0 and can no longer authenticate to IPA.
> > > > Starting up ovirt-engine, the extension manager fails to properly load
> > > > the service that handles Kerberos/LDAP.
> > >
> > > This is probably a bug, can you please execute the following and paste
> > > result:
> > >
> > > # PGPASSWORD="@PASSWORD@" psql -U engine -d engine -c "select * from
> > > vdc_options where option_name='LDAPSecurityAuthentication'"
> > >
> >
> >  option_id |        option_name         |    option_value    | version
> > -----------+----------------------------+--------------------+---------
> >        165 | LDAPSecurityAuthentication | example.org:GSSAPI | general
> >
> > I replaced my domain name with 'example.org'
> >
>
> I thought it will be empty... and it contains valid value. Yair?

No, this is fine actually.

>
> Any I truly suggest you try out the new provider... Much easier to resolve
> any issue, current and future, including easier to debug.
>
> Alon
>
Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
----- Original Message -----
> From: "Cameron Christensen"
> To: "Alon Bar-Lev"
> Cc: "Yair Zaslavsky", users@ovirt.org
> Sent: Tuesday, November 18, 2014 6:21:18 PM
> Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
>
> On Mon, 2014-11-17 at 16:48 -0500, Alon Bar-Lev wrote:
> >
> > ----- Original Message -----
> > > From: "Cameron Christensen"
> > > To: "Alon Bar-Lev"
> > > Cc: users@ovirt.org
> > > Sent: Monday, November 17, 2014 11:43:34 PM
> > > Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to
> > > IPA
> > >
> > > On Mon, 2014-11-17 at 14:39 -0500, Alon Bar-Lev wrote:
> > > >
> > > > ----- Original Message -----
> > > > > From: "Cameron Christensen"
> > > > > To: users@ovirt.org
> > > > > Sent: Friday, November 14, 2014 5:39:54 PM
> > > > > Subject: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to
> > > > > IPA
> > > > >
> > > > > Hello,
> > > > >
> > > > > I upgraded to ovirt 3.5.0 and can no longer authenticate to IPA.
> > > > > Starting up ovirt-engine, the extension manager fails to properly load
> > > > > the service that handles Kerberos/LDAP.
> > > >
> > > > This is probably a bug, can you please execute the following and paste
> > > > result:
> > > >
> > > > # PGPASSWORD="@PASSWORD@" psql -U engine -d engine -c "select * from
> > > > vdc_options where option_name='LDAPSecurityAuthentication'"
> > > >
> > >
> > >  option_id |        option_name         |    option_value    | version
> > > -----------+----------------------------+--------------------+---------
> > >        165 | LDAPSecurityAuthentication | example.org:GSSAPI | general
> > >
> > > I replaced my domain name with 'example.org'
> > >
> >
> > I thought it will be empty... and it contains valid value. Yair?
> >
> Looking through the vdc_options table I noticed that many of the LDAP*
> and Ad* settings use two different spellings for the Kerberos/LDAP
> domain. One in all upper case letters, EXAMPLE.ORG and one in all lower
> case, example.org. (I'm guessing this is to handle either spelling of
> the domain?)
>
> I updated LDAPSecurityAuthentication and set the option_value to use
> both the upper case and lower case domain name,
> 'EXAMPLE.ORG:GSSAPI,example.org:GSSAPI'.
>
> select * from vdc_options where option_name =
> 'LDAPSecurityAuthentication';
>
>  option_id |        option_name         |             option_value              | version
> -----------+----------------------------+---------------------------------------+---------
>        165 | LDAPSecurityAuthentication | EXAMPLE.ORG:GSSAPI,example.org:GSSAPI | general

Just so we can continue to investigate - if you would like to get your ldap and kerberos SRV records, to which domain will you send them in your setup?

dig SRV _ldap._tcp.EXAMPLE.ORG or dig SRV _ldap._tcp.example.org?
same goes to _kerberos._tcp.example.org and _kerberos._tcp.EXAMPLE.ORG

Cheers,
Yair

>
> Using both domain names I am able to authenticate, authorize and pull
> account information from the IPA server once again.
>
> Thanks for pointing me at the right location.
>
> Cameron
>
Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA
- Original Message - > From: "Ondra Machacek" > To: "Yair Zaslavsky" > Cc: "cameron christensen" , "Alon Bar-Lev" > , users@ovirt.org > Sent: Thursday, November 20, 2014 6:09:53 PM > Subject: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to IPA > > Hi, > > just tried it too. > I was not successfull to reproduce, but the problem is that > the domain part of LDAPSecurityAuthentication is uppercase > as Cameron wrote. > > In 3.4 it is OK when it's upper case - everything works OK, > but in 3.5 it's not. > > I checked differences and something like this would be enough, Yair? > > diff --git > a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/extensionsmgr/EngineExtensionsManager.java > b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/extensionsmgr/EngineExte > index f5ab28d..ccaf04a 100644 > --- > a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/extensionsmgr/EngineExtensionsManager.java > +++ > b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/extensionsmgr/EngineExtensionsManager.java > @@ -240,7 +240,7 @@ public class EngineExtensionsManager extends > ExtensionsManager { > ) > ); > } > -if (nameValue[0].equals(domain)) { > +if (nameValue[0].equalsIgnoreCase(domain)) { > result = nameValue[1]; > break; > } > > > Ondra Looks fine, but please email me in private a testing environment where I can check that. Thanks! P.S: Another option worth trying is simply remove and add the domain, but hey, if you're already in 3.5, and removed the domain, why not use he generic ldap provider? > > > - Original Message - > > From: "Alon Bar-Lev" > > To: "Cameron Christensen" , "Yair > > Zaslavsky" > > Cc: users at ovirt.org > > Sent: Monday, November 17, 2014 11:48:15 PM > > Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to > > IPA > > > > > > > > - Original Message - 
> > > From: "Cameron Christensen" > > > To: "Alon Bar-Lev" > > > Cc: users at ovirt.org > > > Sent: Monday, November 17, 2014 11:43:34 PM > > > Subject: Re: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to > > > IPA > > > > > > > > > > > > On Mon, 2014-11-17 at 14:39 -0500, Alon Bar-Lev wrote: > > > > > > > > - Original Message - > > > > > From: "Cameron Christensen" > > > > > To: users at ovirt.org > > > > > Sent: Friday, November 14, 2014 5:39:54 PM > > > > > Subject: [ovirt-users] Upgrade to Ovirt 3.5.0 Authentication Fails to > > > > > IPA > > > > > > > > > > Hello, > > > > > > > > > > I upgraded to ovirt 3.5.0 and can no longer authenticate to IPA. > > > > > Starting up ovrit-engine the extension manager fails to properly load > > > > > the service that handles Kerberos/LDAP. > > > > > > > > This is probably a bug, can you please execute the following and paste > > > > result: > > > > > > > > # PGPASSWORD="@PASSWORD@" psql -U engine -d engine -c "select * from > > > > vdc_options where option_name='LDAPSecurityAuthentication'" > > > > > > > > > > option_id |option_name | option_value| version > > > ---++---+- > > >165 | LDAPSecurityAuthentication | example.org:GSSAPI | general > > > > > > I replaced my domain name with 'example.org' > > > > > > > I thought it will be empty... and it contains valid value. Yair? > > No, this is fine actually. > > > > > Any I truly suggest you try out the new provider... Much easier to resolve > > any issue, current and future, including easier to debug. > > > > Alon > > > ___ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users