I had a similar issue, my LDAP guy said oVirt engine was asking for uidObject which our ldap didn't provide and gave me this config addition to make to the /etc/ovirt-engine/aaa/MY.DOMAIN.properties file so it would use inetOrgPerson instead # override default ldap filter. defaults found at # https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/blob/master/prof... sequence.openldap-init-vars.040.var-set.value = (objectClass=inetOrgPerson)(${seq:simple_attrsUserName}=*) On Tue, Sep 3, 2019 at 10:10 AM Rick A <racevedo(a)lenovo.com&gt; wrote:

Can you please share the debug log from the ovirt-engine-extensions-test-tool? On 04/09/2019 18:23, Rick A wrote: > thanks for the reply. That doesn't seem to work for me either. Strange part is if apply the settings anyway and I use a wildcard "*" in ovirt when searching for users, it lists users in a specific OU only even though it's set to search DC=domain,DC=com > _______________________________________________ > Users mailing list -- users(a)ovirt.org > To unsubscribe send an email to users-leave(a)ovirt.org > Privacy Statement: https://www.ovirt.org/site/privacy-policy/ > oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ > List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/LFWJ4MGBF2R... >

I finally got this to work so I'm posting what I did in case it may help someone else in the future. Hopefully the format of this site won't make it hard to read. - Thanks to Edward Berger who got me to the right direction and providing this link: https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/blob/master/prof... - Also Thanks to Ondra Machacek for advising to use the ovirt-engine-extensions-tool All changes are made on /etc/ovirt-engine/aaa/MYDOMAIN.com.properties - Once I added this line: sequence.openldap-init-vars.040.var-set.value = (objectClass=Person)(${seq:simple_attrsUserName}=*) - I was getting this error: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='null' 2019-09-06 10:50:18,837-04 SEVERE Cannot locate principal 'null' - So then I changed the Principal map from "uid" to "cn" by adding this line: attrmap.map-principal-record.attr.PrincipalRecord_PRINCIPAL.map = cn - After that, it pulled the user principal name, but then when trying to add a user in the web interface, it would fail with this error: ERROR: null value in column "external_id" violates not-null constraint - So I mapped the PrincipalRecord_ID to the user mail attribute figuring that would be fine since emails are mostly unique anyway,by adding the following line: attrmap.map-principal-record.attr.PrincipalRecord_ID.map = mail My configuration: /etc/ovirt-engine/aaa/MYDOMAIN.com.properties include = <openldap.properties> vars.server = SERVERNAME.MYDOMAIN.com vars.user = LDAPuser(a)MYDOMAIN.com vars.password = USER PASSWORD pool.default.auth.simple.bindDN = ${global:vars.user} pool.default.auth.simple.password = ${global:vars.password} pool.default.serverset.type = single pool.default.serverset.single.server = ${global:vars.server} attrmap.map-principal-record.attr.PrincipalRecord_PRINCIPAL.map = cn attrmap.map-principal-record.attr.PrincipalRecord_ID.map = mail sequence.openldap-init-vars.010.description = set base dn sequence.openldap-init-vars.010.type = var-set sequence.openldap-init-vars.010.var-set.variable = simple_attrsBaseDN sequence.openldap-init-vars.010.var-set.value = DC=MYDOMAIN,DC=com sequence.openldap-init-vars.020.var-set.value = cn sequence.openldap-init-vars.040.var-set.value = (objectClass=Person)(${seq:simple_attrsUserName}=*)