On Wed, Dec 10, 2014 at 9:25 PM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
2014-12-10 19:03:16,554 ERROR [org.ovirt.engineextensions.aaa.ldap.AuthnExtension] (MSC service thread 1-1) [ovirt-engine-extension-aaa-ldap.authn::ldap1-authn] Cannot initialize LDAP framework, deferring initialization. Error: no such object
This is interesting, I never saw this error. Can I ask you to enable debug?
Edit:
/usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in
Add the following before the <root-logger> line:
<logger category="org.ovirt.engineextensions.aaa.ldap">
    <level name="ALL"/>
</logger>
Also in 3.5.0 you need to modify the file-handler level to ALL instead of INFO:
<file-handler name="ENGINE" autoflush="true">
    <level name="ALL"/>
Then restart the engine and we should see lots of messages within engine.log.
Thanks!
Alon
Hi,
if you want I'll send it to you... but I have understood....
I didn't change the domain parameters, leaving inside the file /etc/ovirt-engine/aaa/ldap1.properties
dc=company,dc=com
and changing only the "uid=..." part ;-)
In fact inside IPA log files I see this:
[10/Dec/2014:22:01:54 +0100] ipapwd_pre_bind_otp - [file prepost.c, line 1296]: Not handled (could not search for BIND dn uid=vadmin,cn=users,cn=accounts,dc=company,dc=com - error 32 : No such object)
[10/Dec/2014:22:01:54 +0100] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "uid=vadmin,cn=users,cn=accounts,dc=company,dc=com": 32
[10/Dec/2014:22:01:54 +0100] ipalockout_preop - [file ipa_lockout.c, line 749]: Failed to retrieve entry "uid=vadmin,cn=users,cn=accounts,dc=company,dc=com": 32
[10/Dec/2014:22:01:54 +0100] ipapwd_pre_bind_otp - [file prepost.c, line 1296]: Not handled (could not search for BIND dn uid=vadmin,cn=users,cn=accounts,dc=company,dc=com - error 32 : No such object)
[10/Dec/2014:22:01:54 +0100] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "uid=vadmin,cn=users,cn=accounts,dc=company,dc=com": 32
After putting the correct values
dc=localdomain,dc=local
and restarting the engine (without debug symbols),
all is OK and I can both search users and groups in ldap1 and connect to the engine webadmin portal with apparently correct privileges (only limited tests done).
Thanks and sorry for the misunderstanding...
Two questions:
1) What about the legacy still working?
2) I see that the connection with ldap apparently is through port 389 and so in unencrypted mode.
What should I configure to enable ldaps:// connection mode, as this is sensitive information?
Possibly these lines in ldap1.properties?
# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
#pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
#pool.default.ssl.truststore.password = changeit
but how do I use it, and where should I eventually put the IPA certificate?
Do I have to convert IPA ca.crt into some other format?
Gianluca
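The root cause in this thread was a wrong base DN in ldap1.properties, which the directory reports as LDAP result code 32 (noSuchObject) on the bind and the engine reports only as "Cannot initialize LDAP framework". The script below is an added example, not part of the thread or of ovirt-engine-extension-aaa-ldap: it parses the IPA (389-ds) error-log lines quoted above and separates "wrong base DN" failures from "wrong uid" ones by comparing the failing DN's dc= suffix with the suffix the directory really serves. The sample log is constructed from the quoted lines plus one made-up line with a correct suffix but unknown uid.

```python
import re
from dataclasses import dataclass

# Constructed sample: two failure lines quoted in the thread (re-joined onto
# single lines) plus one constructed line where the base DN is right but the
# uid does not exist, to show the two cases are distinguishable.
SAMPLE_LOG = """\
[10/Dec/2014:22:01:54 +0100] ipapwd_pre_bind_otp - [file prepost.c, line 1296]: Not handled (could not search for BIND dn uid=vadmin,cn=users,cn=accounts,dc=company,dc=com - error 32 : No such object)
[10/Dec/2014:22:01:54 +0100] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "uid=vadmin,cn=users,cn=accounts,dc=company,dc=com": 32
[10/Dec/2014:22:01:55 +0100] ipapwd_pre_bind_otp - [file prepost.c, line 1296]: Not handled (could not search for BIND dn uid=nosuchuser,cn=users,cn=accounts,dc=localdomain,dc=local - error 32 : No such object)
"""

# LDAP result code 32 = noSuchObject: the server could not find the entry at all.
# For a bind that means the DN is wrong (usually its base), not the password.
NO_SUCH_OBJECT = 32

# Matches both message shapes seen in the log: the bind-plugin form
# ("BIND dn <dn> - error <n>") and the lockout-plugin form ("entry "<dn>": <n>").
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] .*?'
    r'(?:BIND dn (?P<dn_a>\S+) - error (?P<code_a>\d+)'
    r'|Failed to retrieve entry "(?P<dn_b>[^"]+)": (?P<code_b>\d+))'
)

@dataclass(frozen=True)
class BindFailure:
    timestamp: str
    dn: str
    code: int

def parse_failures(log_text):
    """Return every bind/lookup failure with LDAP result code 32 in the log."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        dn = m.group('dn_a') or m.group('dn_b')
        code = int(m.group('code_a') or m.group('code_b'))
        if code == NO_SUCH_OBJECT:
            out.append(BindFailure(m.group('ts'), dn, code))
    return out

def dn_suffix(dn):
    """The dc= components of a DN, e.g. 'dc=company,dc=com'."""
    parts = [p.strip() for p in dn.split(',')]
    return ','.join(p for p in parts if p.lower().startswith('dc='))

def wrong_suffixes(log_text, expected_suffix):
    """Suffixes seen in noSuchObject failures that differ from the directory's real base."""
    seen = {dn_suffix(f.dn) for f in parse_failures(log_text)}
    return sorted(s for s in seen if s.lower() != expected_suffix.lower())
```

Running `wrong_suffixes(SAMPLE_LOG, "dc=localdomain,dc=local")` reports only `dc=company,dc=com`, i.e. the stale base DN left in ldap1.properties, while the unknown-uid failure is ignored because its base is correct.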