<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 18/06/15 14:49, Ondra Machacek wrote:<br>
<blockquote cite="mid:5582BE75.2000003@redhat.com" type="cite">
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
On 06/18/2015 02:07 PM, Mitja Mihelič wrote:<br>
<blockquote cite="mid:5582B49B.6000803@arnes.si" type="cite">
<meta http-equiv="content-type" content="text/html;
charset=utf-8">
<font size="-1">Hi!<br>
</font></blockquote>
<font size="-1">Hi</font><br>
<blockquote cite="mid:5582B49B.6000803@arnes.si" type="cite"><font
size="-1"> <br>
We just upgaded oVirt from 3.4 to 3.5 and now users cannot
select the LDAP domain on the login screen. Only internal is
available.<br>
Our LDAP server is actually a 389DS instance and we are using
for authentication in oVirt without Kerberos. The existing
setup has worked since the days of 3.2.<br>
<br>
When we try to validate the domain, we get<br>
[root@brda ~]# engine-manage-domains validate<br>
Error: Cannot authenticate user ovirt to domain
guest.arnes.si, details: [LDAP: error code 32 - No Such
Object]; nested exception is
javax.naming.AuthenticationException: [LDAP: error code 32 -
No Such Object]<br>
Failure while testing domain guest.arnes.si. Details: Cannot
authenticate user to LDAP server.<br>
<br>
The LDAP log reports<br>
[18/Jun/2015:13:52:38 +0200] conn=3 op=0 BIND
dn="uid=ovirt,ou=Peopledc=guest,dc=arnes,dc=si" method=128
version=3<br>
As you can see there is a comma missing before
"dc=guest,dc=arnes,dc=si".<br>
<br>
Before the upgrade the bind DN was generated properly as<br>
[18/Jun/2015:12:42:45 +0200] conn=10219 op=0 BIND
dn="uid=ovirt,ou=People,dc=arnes,dc=si" method=128 version=3<br>
</font></blockquote>
<br>
So what is your search user's DN ?<br>
Is it:<br>
<font size="-1">dn="uid=ovirt,ou=People,dc=guest,dc=arnes,dc=si"<br>
<br>
</font>or<br>
<br>
<font size="-1">dn="uid=ovirt,ou=People,dc=arnes,dc=si"<br>
</font><br>
Is it possible for you to try if different user works fine?<br>
Because user with very similar DN works for me just OK.<br>
</blockquote>
At the time of posting I did not notice the difference, thanks for
the spot. The correct DN is dn="uid=ovirt,ou=People,dc=arnes,dc=si".<br>
Although that means that after upgrading to 3.5 the DN for the
search user is formatted differently when issuing an LDAP bind
request.<br>
<br>
In the end we noticed that the AAA part of oVirt was reworked in
3.5. We deleted the old LDAP domain, that we manually inserted into
the database back in 3.2 days. Then we added LDAP as an
authentication source as per AAA instructions, which we found a bit
vague. The README on github for the AAA extension provided most of
the information.<br>
<br>
We also found that the format of external_id in the users table had
been changed from fdfc627c-d875-11e0-90f0-83df133b58cc to
fdfc627c-d87511e0-90f083df-133b58cc. So naturally users could not
log in. Instead additional users were created with this new format
external_id, a namespace with "dc=arnes,dc=si" and a new user_id.<br>
We manually deleted the faux users, updated the external_id to the
new format and added a namespace entry for existing users.<br>
That worked for us.<br>
<br>
Kind regards, Mitja<br>
<blockquote cite="mid:5582BE75.2000003@redhat.com" type="cite"> <br>
<blockquote cite="mid:5582B49B.6000803@arnes.si" type="cite"><font
size="-1"> <br>
This looks like a bug.<br>
Is there a quick fix we can do to fix this typo?<br>
<br>
We are also interested in knowing what is the correct way in
3.5 to add a domain that uses an LDAP server for its
authentication source without Kerberos.<br>
</font></blockquote>
<br>
Please see following links:<br>
<pre wrap="">* <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD">https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD</a>
* <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README.profile;hb=HEAD">https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README.profile;hb=HEAD</a>
* <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.ovirt.org/Features/AAA">http://www.ovirt.org/Features/AAA</a>
* <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=tree;f=examples;hb=HEAD">https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=tree;f=examples;hb=HEAD</a>
* <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l6">https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l6</a>
* <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://github.com/machacekondra/ovirt-engine-kerbldap-migration">https://github.com/machacekondra/ovirt-engine-kerbldap-migration</a>
</pre>
<br>
<blockquote cite="mid:5582B49B.6000803@arnes.si" type="cite"><font
size="-1"> <br>
Kind regards, Mitja<br>
</font>
<pre class="moz-signature" cols="72">--
--
Mitja Mihelič
ARNES, Tehnološki park 18, p.p. 7, SI-1001 Ljubljana, Slovenia
tel: +386 1 479 8800, fax: +386 1 479 88 99</pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Users@ovirt.org">Users@ovirt.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://lists.ovirt.org/mailman/listinfo/users">http://lists.ovirt.org/mailman/listinfo/users</a>
</pre>
</blockquote>
<br>
</blockquote>
<br>
</body>
</html>