<div dir="ltr"><div>I use Freeipa without issue on AAA Ldap.... <br><br></div>Here is a simple write up that may help you understand how aaa ldap works. This is out dated, so don't just copy and paste.... however it will help you get the gist<br><br><a href="https://ipv6cloud.wordpress.com/2014/12/16/ovirt-simple-ldap-aaa/">https://ipv6cloud.wordpress.com/2014/12/16/ovirt-simple-ldap-aaa/</a><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jan 22, 2016 at 2:08 PM, Justin Bushey <span dir="ltr"><<a href="mailto:jbushey@inforelay.com" target="_blank">jbushey@inforelay.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Ondra,<div><br></div><div>Thanks again. You've definitely saved me from spending too much time going down a bunny hole.</div><span class="HOEnZb"><font color="#888888"><div><br></div><div>-- Justin</div></font></span></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jan 22, 2016 at 4:35 AM, Ondra Machacek <span dir="ltr"><<a href="mailto:omachace@redhat.com" target="_blank">omachace@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
the best thing you can do is to migrate to new AAA ldap[1],<br>
as anyway you will have to do so in 4.0, as manage-domains<br>
will be removed, so I think better invest time to migration,<br>
then to searching for root cause. We will be happy to help<br>
you with migration. You can also try migration tool[2].<br>
<br>
Ondra<br>
<br>
[1] <a href="https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README" rel="noreferrer" target="_blank">https://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README</a><br>
[2] <a href="https://github.com/machacekondra/ovirt-engine-kerbldap-migration/releases" rel="noreferrer" target="_blank">https://github.com/machacekondra/ovirt-engine-kerbldap-migration/releases</a><div><div><br>
<br>
On 01/22/2016 09:37 AM, Justin Bushey wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div>
Hello,<br>
<br>
I just wanted to see if anyone else has seen issues with using FreeIPA<br>
as an authentication domain with oVirt 3.6.1. Specifically, I'm seeing<br>
extremely slow performance when authenticating as an IPA user, between<br>
5-10 minutes to get logged into the UI. On the KDC side I'm seeing<br>
ticket requests from the oVirt host, which succeed and are repeated.<br>
Eventually authentication succeeds to the Web UI.<br>
<br>
The IPA domain was added using `engine-manage-domains` with the IPA<br>
provider option. I could configure direct LDAP authentication if<br>
absolutely need be, but this is really bugging me.<br>
<br>
Google hasn't turned up any similar issues so I wanted to check if<br>
anyone else has seen anything like this. I can post logs tomorrow if<br>
anyone wants to assist me in troubleshooting ;)<br>
<br>
Thanks,<br>
<br>
Justin Bushey<br>
InfoRelay Online Systems, Inc.<br>
<br>
<br></div></div>
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a><br>
<a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a><br>
<br>
</blockquote>
</blockquote></div><br></div>
</div></div><br>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@ovirt.org">Users@ovirt.org</a><br>
<a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr">Donny Davis<br><br></div></div>
</div>