<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Wed, Dec 10, 2014 at 9:25 PM, Alon Bar-Lev <span dir="ltr"><<a href="mailto:alonbl@redhat.com" target="_blank">alonbl@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span class=""><br>
<br>
</span>2014-12-10 19:03:16,554 ERROR [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-1) [ovirt-engine-extension-aaa-ldap.authn::ldap1-authn] Cannot initialize LDAP framework, deferring initialization. Error: no such object<br>
<br>
This is interesting I never saw this error, can I ask you to enable debug?<br>
<br>
Edit:<br>
/usr/share/ovirt-engine/services/ovirt-engine/<a href="http://ovirt-engine.xml.in" target="_blank">ovirt-engine.xml.in</a><br>
<br>
Add the following before the <root-logger> line:<br>
<logger category="org.ovirt.engineextensions.aaa.ldap"><br>
<level name="ALL"/><br>
</logger><br>
<br>
Also in 3.5.0 you need to modify file-handler level to ALL instead of INFO<br>
<file-handler name="ENGINE" autoflush="true"><br>
<level name="ALL"/><br>
<br>
Then restart engine and we should see lots of messages within engine.log.<br>
<br>
Thanks!<br>
<span class=""><font color="#888888">Alon<br>
</font></span></blockquote></div><br></div><div class="gmail_extra"><br></div><div class="gmail_extra">Hi,</div><div class="gmail_extra">if you want I send it to you... but I have understood....</div><div class="gmail_extra">I didn't change the domain parameters, leaving inside the file /etc/ovirt-engine/aaa/ldap1.properties</div><div class="gmail_extra">dc=company,dc=com<br></div><div class="gmail_extra">and changing only the "uid=..." part ;-)</div><div class="gmail_extra"><br></div><div class="gmail_extra">In fact inside IPA log files I see this:</div><div class="gmail_extra"><br></div><div class="gmail_extra"><div class="gmail_extra">[10/Dec/2014:22:01:54 +0100] ipapwd_pre_bind_otp - [file prepost.c, line 1296]: Not handled (could not search for BIND dn uid=vadmin,cn=users,cn=accounts,dc=company,dc=com - error 32 : No such object)</div><div class="gmail_extra">[10/Dec/2014:22:01:54 +0100] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "uid=vadmin,cn=users,cn=accounts,dc=company,dc=com": 32</div><div class="gmail_extra">[10/Dec/2014:22:01:54 +0100] ipalockout_preop - [file ipa_lockout.c, line 749]: Failed to retrieve entry "uid=vadmin,cn=users,cn=accounts,dc=company,dc=com": 32</div><div class="gmail_extra">[10/Dec/2014:22:01:54 +0100] ipapwd_pre_bind_otp - [file prepost.c, line 1296]: Not handled (could not search for BIND dn uid=vadmin,cn=users,cn=accounts,dc=company,dc=com - error 32 : No such object)</div><div class="gmail_extra">[10/Dec/2014:22:01:54 +0100] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "uid=vadmin,cn=users,cn=accounts,dc=company,dc=com": 32</div><div><br></div><div><br></div><div>After putting correct values</div><div>dc=localdomain,dc=local<br></div><div>and restarting the engine (without debug symbols)</div><div><br></div><div>all is ok and I can both search users and groups in ldap1 and connect to the engine webadmin portal with apparently correct privileges (only limited tests done).</div><div><br></div><div>Thanks and sorry for misundersanding...</div><div>two questions:</div><div>1) What about the legacy still working?</div><div><br></div><div>2) I see that the connection with ldap apparently is through 389 port and so in unencrypted mode.</div><div>What should I configure to enable ldaps:// connection mode as this is sensitive information?</div><div><br></div><div>Possibly these lines in ldap1.properties?</div><div><br></div><div><div># Create keystore, import certificate chain and uncomment</div><div># if using ssl/tls.</div><div>#pool.default.ssl.startTLS = true</div><div>#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks</div><div>#pool.default.ssl.truststore.password = changeit</div></div><div><br></div><div>but how to use and where to put eventually the IPA certificate?</div><div>Do I have to convert IPA ca.crt into some other format?</div><div><br></div><div>Gianluca</div></div></div>