----- Original Message -----
> From: "Mitja Mihelič" <mitja.mihe...@arnes.si>
> To: "Alon Bar-Lev" <alo...@redhat.com>
> Cc: "Ondra Machacek" <omach...@redhat.com>, users@ovirt.org
> Sent: Friday, June 19, 2015 4:54:32 PM
> Subject: Re: [ovirt-users] LDAP bind DN generation problem
>
> On 19. 06. 2015 12:44, Alon Bar-Lev wrote:
> >
> > ----- Original Message -----
> >> From: "Mitja Mihelič" <mitja.mihe...@arnes.si>
> >> To: "Ondra Machacek" <omach...@redhat.com>, users@ovirt.org
> >> Sent: Friday, June 19, 2015 1:39:14 PM
> >> Subject: Re: [ovirt-users] LDAP bind DN generation problem
> >>
> >> On 18/06/15 14:49, Ondra Machacek wrote:
> >>
> >> On 06/18/2015 02:07 PM, Mitja Mihelič wrote:
> >>
> >> Hi!
> >> Hi
> >>
> >> We just upgraded oVirt from 3.4 to 3.5 and now users cannot select the LDAP
> >> domain on the login screen. Only internal is available.
> >> Our LDAP server is actually a 389DS instance and we are using it for
> >> authentication in oVirt without Kerberos. The existing setup has worked
> >> since the days of 3.2.
> >>
> >> When we try to validate the domain, we get
> >> [root@brda ~]# engine-manage-domains validate
> >> Error: Cannot authenticate user ovirt to domain guest.arnes.si, details:
> >> [LDAP: error code 32 - No Such Object]; nested exception is
> >> javax.naming.AuthenticationException: [LDAP: error code 32 - No Such
> >> Object]
> >> Failure while testing domain guest.arnes.si. Details: Cannot authenticate
> >> user to LDAP server.
> >>
> >> The LDAP log reports
> >> [18/Jun/2015:13:52:38 +0200] conn=3 op=0 BIND
> >> dn="uid=ovirt,ou=Peopledc=guest,dc=arnes,dc=si" method=128 version=3
> >> As you can see there is a comma missing before "dc=guest,dc=arnes,dc=si".
> >>
> >> Before the upgrade the bind DN was generated properly as
> >> [18/Jun/2015:12:42:45 +0200] conn=10219 op=0 BIND
> >> dn="uid=ovirt,ou=People,dc=arnes,dc=si" method=128 version=3
> >>
> >> So what is your search user's DN?
> >> Is it:
> >> dn="uid=ovirt,ou=People,dc=guest,dc=arnes,dc=si"
> >>
> >> or
> >>
> >> dn="uid=ovirt,ou=People,dc=arnes,dc=si"
> >>
> >> Is it possible for you to try if a different user works fine?
> >> Because a user with a very similar DN works for me just OK.
> >>
> >> At the time of posting I did not notice the difference, thanks for the
> >> spot.
> >> The correct DN is dn="uid=ovirt,ou=People,dc=arnes,dc=si".
> >> Although that means that after upgrading to 3.5 the DN for the search user
> >> is formatted differently when issuing an LDAP bind request.
> >>
> >> In the end we noticed that the AAA part of oVirt was reworked in 3.5. We
> >> deleted the old LDAP domain, which we had manually inserted into the
> >> database back in 3.2 days. Then we added LDAP as an authentication source
> >> as per the AAA instructions, which we found a bit vague. The README on
> >> github for the AAA extension provided most of the information.
> >>
> >> We also found that the format of external_id in the users table had been
> >> changed from fdfc627c-d875-11e0-90f0-83df133b58cc to
> >> fdfc627c-d87511e0-90f083df-133b58cc. So naturally users could not log in.
> >> Instead additional users were created with this new-format external_id, a
> >> namespace of "dc=arnes,dc=si" and a new user_id.
> >> We manually deleted the faux users, updated the external_id to the new
> >> format and added a namespace entry for the existing users.
> >> That worked for us.
> > the conversion tool should have taken care of all these. have you tried to
> > use it?
> Sorry, no. We didn't know of its existence then. Can you provide a link
> to its page?

https://github.com/machacekondra/ovirt-engine-kerbldap-migration

>
> >> Kind regards, Mitja
> >>
> >> This looks like a bug.
> >> Is there a quick fix we can do to fix this typo?
> >>
> >> We are also interested in knowing what is the correct way in 3.5 to add a
> >> domain that uses an LDAP server for its authentication source without
> >> Kerberos.
> >>
> >> Please see the following links:
> >> * https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD
> >> * https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README.profile;hb=HEAD
> >> * http://www.ovirt.org/Features/AAA
> >> * https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=tree;f=examples;hb=HEAD
> >> * https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l6
> >> * https://github.com/machacekondra/ovirt-engine-kerbldap-migration
> >>
> >> Kind regards, Mitja
> >> --
> >> Mitja Mihelič
> >> ARNES, Tehnološki park 18, p.p. 7, SI-1001 Ljubljana, Slovenia
> >> tel: +386 1 479 8800, fax: +386 1 479 88 99
> >>
> >> _______________________________________________
> >> Users mailing list
> >> Users@ovirt.org
> >> http://lists.ovirt.org/mailman/listinfo/users
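The hand fix Mitja describes (rewrite each pre-upgrade external_id into the post-upgrade spelling, drop the duplicate rows the upgrade created, set a namespace) as an added, stand-alone example. This is not oVirt project code and not what the migration tool Alon links does; the supported route is that tool. Assumptions: the two spellings quoted in the thread are the same 128 bits regrouped (8-4-4-4-12 in 3.4, 8-8-8-8 in 3.5), which is inferred from that single pair; the rows are modelled on the three columns the thread names (user_id, external_id, namespace) and the sample rows are constructed, not taken from any database.

```python
"""Convert oVirt 3.4-style external_id values (8-4-4-4-12 hex groups) to
the 3.5 spelling seen after the upgrade (8-8-8-8), and plan the users-table
clean-up described in the thread.

Added example, not oVirt project code. The regrouping rule is inferred
from the one pair of values quoted in the thread (an assumption).
"""
import re
from collections import defaultdict

# 3.4 layout: RFC 4122 text form, 8-4-4-4-12 hex groups.
OLD_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
# 3.5 layout as quoted in the thread: four groups of eight hex digits.
NEW_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{8}){3}$")


def canonical_hex(external_id):
    """Strip separators and return the 32 lowercase hex digits, or raise."""
    digits = external_id.replace("-", "").lower()
    if not re.fullmatch(r"[0-9a-f]{32}", digits):
        raise ValueError("not a 128-bit hex identifier: %r" % external_id)
    return digits


def classify(external_id):
    """Return 'old', 'new' or 'unknown' for one external_id value."""
    value = external_id.lower()
    if OLD_RE.match(value):
        return "old"
    if NEW_RE.match(value):
        return "new"
    return "unknown"


def to_new(old_id):
    """8-4-4-4-12 -> 8-8-8-8: same 128 bits, regrouped."""
    if classify(old_id) != "old":
        raise ValueError("expected a 3.4-style id, got %r" % old_id)
    h = canonical_hex(old_id)
    return "-".join(h[i:i + 8] for i in range(0, 32, 8))


def to_old(new_id):
    """8-8-8-8 -> 8-4-4-4-12: the inverse of to_new."""
    if classify(new_id) != "new":
        raise ValueError("expected a 3.5-style id, got %r" % new_id)
    h = canonical_hex(new_id)
    return "%s-%s-%s-%s-%s" % (h[:8], h[8:12], h[12:16], h[16:20], h[20:])


def plan_migration(rows, namespace):
    """Given (user_id, external_id, namespace) tuples, return the updates
    for pre-upgrade rows and the user_ids of duplicate rows to delete.

    Rows are matched on the 128-bit value, not the text, so the two
    spellings of one identifier collapse into a single key. Rows whose
    external_id is in neither layout are left alone.
    """
    by_hex = defaultdict(lambda: {"old": [], "new": []})
    for user_id, external_id, ns in rows:
        kind = classify(external_id)
        if kind == "unknown":
            continue
        by_hex[canonical_hex(external_id)][kind].append((user_id, external_id, ns))

    updates, deletions = [], []
    for rows_for_id in by_hex.values():
        for user_id, external_id, _ in rows_for_id["old"]:
            updates.append({"user_id": user_id,
                            "external_id": to_new(external_id),
                            "namespace": namespace})
        if rows_for_id["old"]:
            # A new-format row for the same value is the duplicate the
            # upgrade created; the original row keeps its permissions.
            deletions.extend(user_id for user_id, _, _ in rows_for_id["new"])
    return updates, deletions


# Constructed sample rows, modelled on the values quoted in the thread.
SAMPLE_ROWS = [
    (1, "fdfc627c-d875-11e0-90f0-83df133b58cc", None),             # pre-upgrade row
    (7, "fdfc627c-d87511e0-90f083df-133b58cc", "dc=arnes,dc=si"),  # duplicate made after upgrade
    (2, "0a1b2c3d-4e5f-11e0-8899-aabbccddeeff", None),             # pre-upgrade, no duplicate yet
    (3, "not-an-ldap-id", None),                                    # constructed non-LDAP row, untouched
]

if __name__ == "__main__":
    updates, deletions = plan_migration(SAMPLE_ROWS, "dc=arnes,dc=si")
    for u in updates:
        print("update user_id=%(user_id)s -> external_id=%(external_id)s namespace=%(namespace)s" % u)
    print("delete user_ids:", deletions)
```

Run it against a dump of the three columns before touching the database; the point of matching on the canonical hex rather than on the string is that a row is only flagged for deletion when a pre-upgrade twin exists, so a user that appeared for the first time after the upgrade is kept.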