<div dir="ltr">Below is the result I Got when I run the command  ldapsearch<br><br>[root@cstlb2 ~]# ldapsearch -E pr=1024/noprompt -H ldap://<a href="http://172.21.0.15:389">172.21.0.15:389</a> -x -D &#39;<a href="mailto:nbudoor@abc.net">nbudoor@abc.net</a>&#39; -w company1<br># extended LDIF<br>#<br># LDAPv3<br># base &lt;&gt; (default) with scope subtree<br># filter: (objectclass=*)<br># requesting: ALL<br># with pagedResults control: size=1024<br>#<br><br># search result<br>search: 2<br>result: 32 No such object<br>text: 0000208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT), data 0, best <br> match of:<br>        &#39;&#39;<br><br><br># numResponses: 1<br>[root@cstlb2 ~]# <br><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Sep 23, 2015 at 9:05 AM, Budur Nagaraju <span dir="ltr">&lt;<a href="mailto:nbudoor@gmail.com" target="_blank">nbudoor@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div><div>HI Alon,<br><br></div>Tried all the options but no luck ,<br><br></div>I have copied the logs in the pastebin  below is the link , warning message is that unable to resolve the DNS ,let me know any help would I get .<br><br><a href="http://pastebin.com/7qN9QnHK" target="_blank">http://pastebin.com/7qN9QnHK</a><br><br></div>Thanks,<br></div>Nagaraju<br><br></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Sep 22, 2015 at 8:44 PM, Daniel Helgenberger <span dir="ltr">&lt;<a href="mailto:daniel.helgenberger@m-box.de" target="_blank">daniel.helgenberger@m-box.de</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello Budur,<br>
<br>
I&#39;ve done this recently. Alon, no offense, but the docs are not quite strait forward...<br>
<br>
Requirements:<br>
 - LDAP server (obviously) - called here <a href="http://ldap.mydomain.com" rel="noreferrer" target="_blank">ldap.mydomain.com</a><br>
 - LDAP bind account - called here <a href="mailto:ldap@mydomain.com" target="_blank">ldap@mydomain.com</a>, password &#39;Passw@rd&#39;<br>
 - At least one existing account in ladp, called <a href="mailto:user@mydomain.com" target="_blank">user@mydomain.com</a><br>
<br>
Please note, the most common issue will be DNS.<br>
<br>
I&#39;ll describe in short what steps need to be taken. All this needs to be done on your engine host. In the end this was quite easy :)<br>
<br>
1. Install the packages: ovirt-engine-extension-aaa-ldap and openldap-clients (these are only for testing your setup)<br>
2. Test if ldap is working in general. (The extension uses the global catalog at least for AD, this was news to me):<br>
  # ldapsearch -E pr=1024/noprompt -o ldif-wrap=no -H ldap://<a href="http://ldap.mydomain.com:3268/" rel="noreferrer" target="_blank">ldap.mydomain.com:3268/</a> -x \<br>
      -D &#39;<a href="mailto:ldap@mydomain.com" target="_blank">ldap@mydomain.com</a>&#39; -w Passw@rd -b &#39;&#39;  &#39;(userPrincipalName=<a href="mailto:user@mydomian.com" target="_blank">user@mydomian.com</a>)&#39; cn userPrincipalName<br>
<br>
  If this command does not return details of the user, do debug your ldap and continue once this works. Example:<br>
<br>
# extended LDIF<br>
#<br>
# LDAPv3<br>
# base &lt;&gt; with scope subtree<br>
# filter: (userPrincipalName=<a href="mailto:user@mydomain.com" target="_blank">user@mydomain.com</a>)<br>
# requesting: cn userPrincipalName<br>
# with pagedResults control: size=1024<br>
#<br>
<br>
# Some Name, some-ou, <a href="http://mydomain.com" rel="noreferrer" target="_blank">mydomain.com</a><br>
dn: CN=Some Name,OU=some-ou,DC=mydomain,DC=com<br>
cn: Some Name<br>
userPrincipalName: <a href="mailto:user@mydomain.com" target="_blank">user@mydomain.com</a><br>
<br>
# search result<br>
search: 2<br>
result: 0 Success<br>
control: 1.2.840.113556.1.4.319 false MIQXGSGSGSgEABAA=<br>
pagedresults: cookie=<br>
<br>
# numResponses: 2<br>
# numEntries: 1<br>
<br>
<br>
3. Copy the examples as mentioned from the readme.<br>
4. You only need to modify /etc/ovirt-engine/aaa/int.m-box.de.properties; leave the rest as is.<br>
5. There, set:<br>
<br>
  vars.domain = <a href="http://ldap.mydomain.com" rel="noreferrer" target="_blank">ldap.mydomain.com</a><br>
  vars.user = ldap@${global:vars.domain}<br>
  vars.password = Passw@rd<br>
<br>
6. Restart ovirt engine service<br>
7. Log in as admin@einternal and add user rights and roles from the new provider<br>
<br>
Hope this helps.<br>
<span><br>
On <a href="tel:22.09.2015%2016" value="+12209201516" target="_blank">22.09.2015 16</a>:46, Budur Nagaraju wrote:<br>
&gt;<br>
&gt; below are the three files which I have modified.<br>
&gt;<br>
&gt;<br>
&gt; [root@cstlb2 extensions.d]# cat profile1-authn.properties<br>
</span>&gt; <a href="http://ovirt.engine.extension.name" rel="noreferrer" target="_blank">ovirt.engine.extension.name</a> &lt;<a href="http://ovirt.engine.extension.name" rel="noreferrer" target="_blank">http://ovirt.engine.extension.name</a>&gt; = cloudspin-authn<br>
<span>&gt; ovirt.engine.extension.bindings.method = jbossmodule<br>
&gt; ovirt.engine.extension.binding.jbossmodule.module =<br>
&gt; org.ovirt.engine-extensions.aaa.ldap<br>
&gt; ovirt.engine.extension.binding.jbossmodule.class =<br>
&gt; org.ovirt.engineextensions.aaa.ldap.AuthnExtension<br>
&gt; ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authn<br>
</span>&gt; <a href="http://ovirt.engine.aaa.authn.profile.name" rel="noreferrer" target="_blank">ovirt.engine.aaa.authn.profile.name</a> &lt;<a href="http://ovirt.engine.aaa.authn.profile.name" rel="noreferrer" target="_blank">http://ovirt.engine.aaa.authn.profile.name</a>&gt;<br>
<span>&gt; = cloudspin<br>
&gt; ovirt.engine.aaa.authn.authz.plugin = cloudspin-auth<br>
&gt; config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties<br>
&gt;<br>
&gt;<br>
&gt; [root@cstlb2 extensions.d]# ls<br>
&gt; profile1-authn.properties  profile1-authz.properties<br>
&gt; [root@cstlb2 extensions.d]# cat profile1-authz.properties<br>
</span>&gt; <a href="http://ovirt.engine.extension.name" rel="noreferrer" target="_blank">ovirt.engine.extension.name</a> &lt;<a href="http://ovirt.engine.extension.name" rel="noreferrer" target="_blank">http://ovirt.engine.extension.name</a>&gt; = cloudspin-authz<br>
<div><div>&gt; ovirt.engine.extension.bindings.method = jbossmodule<br>
&gt; ovirt.engine.extension.binding.jbossmodule.module =<br>
&gt; org.ovirt.engine-extensions.aaa.ldap<br>
&gt; ovirt.engine.extension.binding.jbossmodule.class =<br>
&gt; org.ovirt.engineextensions.aaa.ldap.AuthzExtension<br>
&gt; ovirt.engine.extension.provides = org.ovirt.engine.api.extensions.aaa.Authz<br>
&gt; config.profile.file.1 = /etc/ovirt-engine/aaa/ldap1.properties<br>
&gt; [root@cstlb2 extensions.d]#<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; [root@cstlb2 aaa]# pwd<br>
&gt; /etc/ovirt-engine/aaa<br>
&gt; [root@cstlb2 aaa]# ls<br>
&gt; ldap1.properties<br>
&gt; [root@cstlb2 aaa]# cat ldap1.properties<br>
&gt; #<br>
&gt; # Select one<br>
&gt; #<br>
&gt; include = &lt;openldap.properties&gt;<br>
&gt; #include = &lt;389ds.properties&gt;<br>
&gt; #include = &lt;rhds.properties&gt;<br>
&gt; #include = &lt;ipa.properties&gt;<br>
&gt; #include = &lt;iplanet.properties&gt;<br>
&gt; #include = &lt;rfc2307.properties&gt;<br>
&gt; #include = &lt;rfc2307-openldap.properties&gt;<br>
&gt;<br>
&gt; #<br>
&gt; # Server<br>
&gt; #<br>
</div></div>&gt; vars.server = <a href="http://my.abc.net" rel="noreferrer" target="_blank">my.abc.net</a> &lt;<a href="http://my.abc.net" rel="noreferrer" target="_blank">http://my.abc.net</a>&gt;<br>
<span>&gt;<br>
&gt; #<br>
&gt; # Search user and its password.<br>
&gt; #<br>
&gt; vars.user =<br>
&gt; uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=nbudoor,dc=net<br>
&gt; vars.password = company<br>
&gt;<br>
&gt; pool.default.serverset.single.server = ${global:vars.server}<br>
&gt; pool.default.auth.simple.bindDN = ${global:vars.user}<br>
&gt; pool.default.auth.simple.password = ${global:vars.password}<br>
&gt;<br>
&gt; # Create keystore, import certificate chain and uncomment<br>
&gt; # if using ssl/tls.<br>
&gt; #pool.default.ssl.startTLS = true<br>
&gt; #pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks<br>
&gt; #pool.default.ssl.truststore.password = changeit<br>
&gt; [root@cstlb2 aaa]#<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; On Tue, Sep 22, 2015 at 8:07 PM, Alon Bar-Lev &lt;<a href="mailto:alonbl@redhat.com" target="_blank">alonbl@redhat.com</a><br>
</span><span>&gt; &lt;mailto:<a href="mailto:alonbl@redhat.com" target="_blank">alonbl@redhat.com</a>&gt;&gt; wrote:<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt;     ----- Original Message -----<br>
</span><span>&gt;     &gt; From: &quot;Budur Nagaraju&quot; &lt;<a href="mailto:nbudoor@gmail.com" target="_blank">nbudoor@gmail.com</a> &lt;mailto:<a href="mailto:nbudoor@gmail.com" target="_blank">nbudoor@gmail.com</a>&gt;&gt;<br>
&gt;     &gt; To: &quot;Alon Bar-Lev&quot; &lt;<a href="mailto:alonbl@redhat.com" target="_blank">alonbl@redhat.com</a> &lt;mailto:<a href="mailto:alonbl@redhat.com" target="_blank">alonbl@redhat.com</a>&gt;&gt;<br>
&gt;     &gt; <a href="mailto:Cc%3Ausers@ovirt.org" target="_blank">Cc:users@ovirt.org</a> &lt;mailto:<a href="mailto:users@ovirt.org" target="_blank">users@ovirt.org</a>&gt;<br>
&gt;     &gt; Sent: Tuesday, September 22, 2015 5:35:16 PM<br>
&gt;     &gt; Subject: Re: [ovirt-users] LDAP Authentication<br>
&gt;     &gt;<br>
&gt;     &gt; its too complicated ,you have any script or video ?<br>
&gt;<br>
&gt;     in 3.6 we have a setup script.<br>
&gt;     for now:<br>
&gt;<br>
&gt;     cp -r /usr/share/ovirt-engine/examples/simple/. /etc/ovirt-engine/<br>
&gt;<br>
&gt;     this is written in the README.<br>
&gt;<br>
&gt;     then customize files at /etc/ovirt-engine/extnesions.d/*<br>
&gt;     /etc/ovirt-engine/aaa/* to match your setup<br>
&gt;<br>
&gt;     &gt;<br>
&gt;     &gt;<br>
</span><span>&gt;     &gt; On Tue, Sep 22, 2015 at 8:00 PM, Alon Bar-Lev &lt;<a href="mailto:alonbl@redhat.com" target="_blank">alonbl@redhat.com</a> &lt;mailto:<a href="mailto:alonbl@redhat.com" target="_blank">alonbl@redhat.com</a>&gt;&gt; wrote:<br>
&gt;     &gt;<br>
&gt;     &gt; &gt;<br>
&gt;     &gt; &gt;<br>
&gt;     &gt; &gt; ----- Original Message -----<br>
</span><div><div>&gt;     &gt; &gt; &gt; From: &quot;Budur Nagaraju&quot; &lt;<a href="mailto:nbudoor@gmail.com" target="_blank">nbudoor@gmail.com</a> &lt;mailto:<a href="mailto:nbudoor@gmail.com" target="_blank">nbudoor@gmail.com</a>&gt;&gt;<br>
&gt;     &gt; &gt; &gt; To: &quot;Alon Bar-Lev&quot; &lt;<a href="mailto:alonbl@redhat.com" target="_blank">alonbl@redhat.com</a> &lt;mailto:<a href="mailto:alonbl@redhat.com" target="_blank">alonbl@redhat.com</a>&gt;&gt;<br>
&gt;     &gt; &gt; &gt; <a href="mailto:Cc%3Ausers@ovirt.org" target="_blank">Cc:users@ovirt.org</a> &lt;mailto:<a href="mailto:users@ovirt.org" target="_blank">users@ovirt.org</a>&gt;<br>
&gt;     &gt; &gt; &gt; Sent: Tuesday, September 22, 2015 5:24:36 PM<br>
&gt;     &gt; &gt; &gt; Subject: Re: [ovirt-users] LDAP Authentication<br>
&gt;     &gt; &gt; &gt;<br>
&gt;     &gt; &gt; &gt; HI Alon,<br>
&gt;     &gt; &gt; &gt;<br>
&gt;     &gt; &gt; &gt; Below is the configuration which I have done ,but unable to search the<br>
&gt;     &gt; &gt; &gt; users in UI<br>
&gt;     &gt; &gt; &gt; can you pls help me ?<br>
&gt;     &gt; &gt;<br>
&gt;     &gt; &gt; you need three files, see the<br>
&gt;     &gt; &gt; /usr/share/ovirt-engine-extension-aaa-ldap/examples/simple<br>
&gt;     &gt; &gt;<br>
&gt;     &gt; &gt; &gt;<br>
&gt;     &gt; &gt; &gt;<br>
&gt;     &gt; &gt; &gt; [root@cstlb2 aaa]# cat ldap1.properties<br>
&gt;     &gt; &gt; &gt; #<br>
&gt;     &gt; &gt; &gt; # Select one<br>
&gt;     &gt; &gt; &gt; #<br>
&gt;     &gt; &gt; &gt; include = &lt;openldap.properties&gt;<br>
&gt;     &gt; &gt; &gt; #include = &lt;389ds.properties&gt;<br>
&gt;     &gt; &gt; &gt; #include = &lt;rhds.properties&gt;<br>
&gt;     &gt; &gt; &gt; #include = &lt;ipa.properties&gt;<br>
&gt;     &gt; &gt; &gt; #include = &lt;iplanet.properties&gt;<br>
&gt;     &gt; &gt; &gt; #include = &lt;rfc2307.properties&gt;<br>
&gt;     &gt; &gt; &gt; #include = &lt;rfc2307-openldap.properties&gt;<br>
&gt;     &gt; &gt; &gt;<br>
&gt;     &gt; &gt; &gt; #<br>
&gt;     &gt; &gt; &gt; # Server<br>
&gt;     &gt; &gt; &gt; #<br>
</div></div>&gt;     &gt; &gt; &gt; vars.server =<a href="http://my.abc.net" rel="noreferrer" target="_blank">my.abc.net</a> &lt;<a href="http://my.abc.net" rel="noreferrer" target="_blank">http://my.abc.net</a>&gt;<br>
<span>&gt;     &gt; &gt; &gt;<br>
&gt;     &gt; &gt; &gt; #<br>
&gt;     &gt; &gt; &gt; # Search user and its password.<br>
&gt;     &gt; &gt; &gt; #<br>
&gt;     &gt; &gt; &gt; vars.user =<br>
&gt;     &gt; &gt; &gt;<br>
&gt;     &gt; &gt; uid=search,cn=nbudoor,cn=Departments,cn=Corporate,cn=Bangalore,cn=users,dc=abc,dc=net<br>
&gt;     &gt; &gt; &gt; vars.password = company1<br>
&gt;     &gt; &gt; &gt;<br>
&gt;     &gt; &gt; &gt; pool.default.serverset.single.server = ${global:vars.server}<br>
&gt;     &gt; &gt; &gt; pool.default.auth.simple.bindDN = ${global:vars.user}<br>
&gt;     &gt; &gt; &gt; pool.default.auth.simple.password = ${global:vars.password}<br>
&gt;     &gt; &gt; &gt;<br>
&gt;     &gt; &gt; &gt; # Create keystore, import certificate chain and uncomment<br>
&gt;     &gt; &gt; &gt; # if using ssl/tls.<br>
&gt;     &gt; &gt; &gt; #pool.default.ssl.startTLS = true<br>
&gt;     &gt; &gt; &gt; #pool.default.ssl.truststore.file =<br>
&gt;     &gt; &gt; &gt; ${local:_basedir}/${global:vars.server}.jks<br>
&gt;     &gt; &gt; &gt; #pool.default.ssl.truststore.password = changeit<br>
&gt;     &gt; &gt; &gt; [root@cstlb2 aaa]#<br>
&gt;     &gt; &gt; &gt;<br>
&gt;     &gt; &gt; &gt;<br>
&gt;     &gt; &gt; &gt;<br>
</span><span>&gt;     &gt; &gt; &gt; On Tue, Sep 22, 2015 at 7:25 PM, Alon Bar-Lev &lt;<a href="mailto:alonbl@redhat.com" target="_blank">alonbl@redhat.com</a> &lt;mailto:<a href="mailto:alonbl@redhat.com" target="_blank">alonbl@redhat.com</a>&gt;&gt; wrote:<br>
&gt;     &gt; &gt; &gt;<br>
&gt;     &gt; &gt; &gt; &gt;<br>
&gt;     &gt; &gt; &gt; &gt;<br>
&gt;     &gt; &gt; &gt; &gt; ----- Original Message -----<br>
</span><span>&gt;     &gt; &gt; &gt; &gt; &gt; From: &quot;Budur Nagaraju&quot; &lt;<a href="mailto:nbudoor@gmail.com" target="_blank">nbudoor@gmail.com</a> &lt;mailto:<a href="mailto:nbudoor@gmail.com" target="_blank">nbudoor@gmail.com</a>&gt;&gt;<br>
&gt;     &gt; &gt; &gt; &gt; &gt; <a href="mailto:To%3Ausers@ovirt.org" target="_blank">To:users@ovirt.org</a> &lt;mailto:<a href="mailto:users@ovirt.org" target="_blank">users@ovirt.org</a>&gt;<br>
&gt;     &gt; &gt; &gt; &gt; &gt; Sent: Tuesday, September 22, 2015 4:34:46 PM<br>
&gt;     &gt; &gt; &gt; &gt; &gt; Subject: [ovirt-users] LDAP Authentication<br>
&gt;     &gt; &gt; &gt; &gt; &gt;<br>
&gt;     &gt; &gt; &gt; &gt; &gt; HI All,<br>
&gt;     &gt; &gt; &gt; &gt; &gt;<br>
&gt;     &gt; &gt; &gt; &gt; &gt; Can someone help me in configuring LDAP authentication for Ovirt ?<br>
&gt;     &gt; &gt; &gt; &gt;<br>
&gt;     &gt; &gt; &gt; &gt; Please review:<br>
&gt;     &gt; &gt; &gt; &gt;<a href="http://www.ovirt.org/Features/AAA" rel="noreferrer" target="_blank">http://www.ovirt.org/Features/AAA</a><br>
&gt;     &gt; &gt; &gt; &gt;<br>
&gt;     &gt; &gt; &gt; &gt;<br>
&gt;     &gt; &gt;<a href="https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0" rel="noreferrer" target="_blank">https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=ovirt-engine-extension-aaa-ldap-1.0</a><br>
&gt;     &gt; &gt; &gt; &gt;<br>
&gt;     &gt; &gt; &gt;<br>
&gt;     &gt; &gt;<br>
&gt;     &gt;<br>
&gt;<br>
&gt;<br>
<br>
</span>--<br>
Daniel Helgenberger<br>
m box bewegtbild GmbH<br>
<br>
P: +49/30/2408781-22<br>
F: +49/30/2408781-10<br>
<br>
ACKERSTR. 19<br>
D-10115 BERLIN<br>
<br>
<br>
<a href="http://www.m-box.de" rel="noreferrer" target="_blank">www.m-box.de</a>  <a href="http://www.monkeymen.tv" rel="noreferrer" target="_blank">www.monkeymen.tv</a><br>
<br>
Geschäftsführer: Martin Retschitzegger / Michaela Göllner<br>
Handeslregister: Amtsgericht Charlottenburg / HRB 112767<br>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>