
Trying to get oVirt to use LDAP for user authentication. It seems to bind, but when I test it (Login Flow and Search) before applying the settings, I get the message below (I can confirm the credentials ARE valid). I also tried to set it up manually and still get the same result. I'm using the same information on Bugzilla and it works fine. I've seen similar threads here but without many answers. Anyone have any good links or docs I can view to get this set up?

oVirt Node Version: 4.3.3.6-1.el7

API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='mydomain.com' result=CREDENTIALS_INVALID

I had a similar issue; my LDAP guy said oVirt engine was asking for uidObject, which our LDAP didn't provide, and gave me this config addition to make to the /etc/ovirt-engine/aaa/MY.DOMAIN.properties file so it would use inetOrgPerson instead:

# override default ldap filter. defaults found at
# https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/blob/master/profile...
sequence.openldap-init-vars.040.var-set.value = (objectClass=inetOrgPerson)(${seq:simple_attrsUserName}=*)

On Tue, Sep 3, 2019 at 10:10 AM Rick A <racevedo@lenovo.com> wrote:

Thanks for the reply. That doesn't seem to work for me either. The strange part is, if I apply the settings anyway and use a wildcard "*" in oVirt when searching for users, it lists users in a specific OU only, even though it's set to search DC=domain,DC=com.

I got a little further. When testing after the setup, I got a Credential Invalid error until I added what Edward previously suggested, except I had to use "Person" instead of "inetOrgPerson" because my LDAP server doesn't provide uidObject either. Line added to /etc/ovirt-engine/aaa/MYDOMAIN.com.properties:

sequence.openldap-init-vars.040.var-set.value = (objectClass=Person)

Once I did that and restarted the service, ovirt-engine-extensions-tool gives me the following below. Not sure why it won't pull the principal record.

2019-09-06 10:50:15,032-04 INFO ========================================================================
2019-09-06 10:50:15,032-04 INFO ============================== Execution ===============================
2019-09-06 10:50:15,032-04 INFO ========================================================================
2019-09-06 10:50:15,033-04 INFO Iteration: 0
2019-09-06 10:50:15,033-04 INFO Profile='MYDOMAIN.com' authn='MYDOMAIN.com-authn' authz='MYDOMAIN.com' mapping='null'
2019-09-06 10:50:15,034-04 INFO API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='MYDOMAIN.com' user='MYUSERNAME'
Password:
2019-09-06 10:50:18,822-04 INFO API: <--Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='MYDOMAIN.com' result=SUCCESS
2019-09-06 10:50:18,824-04 INFO --- Begin AuthRecord ---
2019-09-06 10:50:18,824-04 INFO --- End AuthRecord ---
2019-09-06 10:50:18,825-04 INFO API: -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='null'
2019-09-06 10:50:18,837-04 SEVERE Cannot locate principal 'null'

I finally got this to work, so I'm posting what I did in case it may help someone else in the future. Hopefully the format of this site won't make it hard to read.

- Thanks to Edward Berger, who got me in the right direction and provided this link: https://github.com/oVirt/ovirt-engine-extension-aaa-ldap/blob/master/profile...
- Also thanks to Ondra Machacek for advising me to use the ovirt-engine-extensions-tool.

All changes are made in /etc/ovirt-engine/aaa/MYDOMAIN.com.properties.

- Once I added this line:
  sequence.openldap-init-vars.040.var-set.value = (objectClass=Person)(${seq:simple_attrsUserName}=*)
- I was getting this error:
  -->Authz.InvokeCommands.FETCH_PRINCIPAL_RECORD principal='null'
  2019-09-06 10:50:18,837-04 SEVERE Cannot locate principal 'null'
- So then I changed the Principal map from "uid" to "cn" by adding this line:
  attrmap.map-principal-record.attr.PrincipalRecord_PRINCIPAL.map = cn
- After that, it pulled the user principal name, but when trying to add a user in the web interface, it would fail with this error:
  ERROR: null value in column "external_id" violates not-null constraint
- So I mapped the PrincipalRecord_ID to the user mail attribute, figuring that would be fine since emails are mostly unique anyway, by adding the following line:
  attrmap.map-principal-record.attr.PrincipalRecord_ID.map = mail

My configuration: /etc/ovirt-engine/aaa/MYDOMAIN.com.properties

include = <openldap.properties>
vars.server = SERVERNAME.MYDOMAIN.com
vars.user = LDAPuser@MYDOMAIN.com
vars.password = USER PASSWORD
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}
pool.default.serverset.type = single
pool.default.serverset.single.server = ${global:vars.server}
attrmap.map-principal-record.attr.PrincipalRecord_PRINCIPAL.map = cn
attrmap.map-principal-record.attr.PrincipalRecord_ID.map = mail
sequence.openldap-init-vars.010.description = set base dn
sequence.openldap-init-vars.010.type = var-set
sequence.openldap-init-vars.010.var-set.variable = simple_attrsBaseDN
sequence.openldap-init-vars.010.var-set.value = DC=MYDOMAIN,DC=com
sequence.openldap-init-vars.020.var-set.value = cn
sequence.openldap-init-vars.040.var-set.value = (objectClass=Person)(${seq:simple_attrsUserName}=*)
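Added example, not oVirt's code and not from anyone in the thread: a Python dry-run of the profile above against constructed directory entries. It expands the ${global:...} and ${seq:...} references the same way the posted file relies on them, rebuilds the step-040 user filter, and checks that every matched user carries a unique value in the attribute mapped to PrincipalRecord_ID, since oVirt stores that value as the non-null external_id and treats it as the user's stable identity for authorization (a missing value reproduces the "external_id" constraint error; a duplicate would collapse two directory users into one oVirt identity). It assumes the included openldap.properties defines step 020's variable as simple_attrsUserName and that step 040 holds the ANDed user-search filter.

```python
# Added example (not oVirt's code): dry-run an aaa-ldap profile against sample entries.
import re
from collections import Counter
# Constructed to mirror the profile posted in the thread (no secrets included).
PROFILE = """
vars.user = LDAPuser@MYDOMAIN.com
pool.default.auth.simple.bindDN = ${global:vars.user}
attrmap.map-principal-record.attr.PrincipalRecord_PRINCIPAL.map = cn
attrmap.map-principal-record.attr.PrincipalRecord_ID.map = mail
# assumed default inherited from the included <openldap.properties>
sequence.openldap-init-vars.020.var-set.variable = simple_attrsUserName
sequence.openldap-init-vars.020.var-set.value = cn
sequence.openldap-init-vars.040.var-set.value = (objectClass=Person)(${seq:simple_attrsUserName}=*)
"""
SAMPLE = [  # constructed entries, attribute values as lists like an LDAP result
    {"objectClass": ["top", "person"], "cn": ["alice"], "mail": ["alice@mydomain.com"]},
    {"objectClass": ["top", "person"], "cn": ["bob"]},  # no mail -> null external_id
    {"objectClass": ["top", "person"], "cn": ["carol"], "mail": ["alice@mydomain.com"]},
    {"objectClass": ["groupOfNames"], "cn": ["admins"]},  # not a Person: filtered out
]
def parse_profile(text):
    """Parse key = value lines, then expand ${global:KEY} and ${seq:VAR}."""
    lines = [l for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#")]
    props = {k.strip(): v.strip() for k, v in (l.split("=", 1) for l in lines)}
    # ${seq:NAME} refers to the var-set step whose .variable is NAME; use its .value
    seq = {v: props.get(k[:-len("variable")] + "value", "")
           for k, v in props.items() if k.endswith(".var-set.variable")}
    def resolve(val):
        val = re.sub(r"\$\{global:([^}]+)\}", lambda m: props.get(m.group(1), ""), val)
        return re.sub(r"\$\{seq:([^}]+)\}", lambda m: seq.get(m.group(1), ""), val)
    return {k: resolve(v) for k, v in props.items()}

def matches(entry, filt):  # ANDed (attr=value) / (attr=*) terms, case-insensitive
    low = {k.lower(): [str(x).lower() for x in v] for k, v in entry.items()}
    for attr, want in re.findall(r"\(([^=()]+)=([^)]*)\)", filt):
        vals = low.get(attr.lower(), [])
        if not vals or (want != "*" and want.lower() not in vals):
            return False
    return True

def check_profile(text, entries):  # -> (user_filter, id_attr, problems)
    p = parse_profile(text)
    filt = p["sequence.openldap-init-vars.040.var-set.value"]
    id_attr = p["attrmap.map-principal-record.attr.PrincipalRecord_ID.map"]
    ids = [(e.get(id_attr) or [None])[0] for e in entries if matches(e, filt)]
    problems = [f"{ids.count(None)} matched user(s) lack {id_attr}"] if None in ids else []
    problems += [f"duplicate {id_attr}: {v}" for v, n in Counter(ids).items() if v and n > 1]
    return filt, id_attr, problems
print(check_profile(PROFILE, SAMPLE))
```

Against a live directory, replace SAMPLE with the entries returned by a search under simple_attrsBaseDN using the resolved filter; an empty problems list is the condition to meet before enabling the profile.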
Participants (3): Edward Berger, Ondra Machacek, Rick A